private static CryptographicKey DeriveKey(CryptographicKey key)
{
using (var hmac = new HMACSHA512(key.GetKeyMaterial()))
{
GetKeyDerivationParameters(out var label, out var context);
var derivedKey = DeriveKeyImpl(hmac, label, context, key.KeyLength);
return(new CryptographicKey(derivedKey));
}
}
private static byte[] Unprotect(byte[] protectedData, CryptographicKey decryptionKey, CryptographicKey validationKey,
CryptoAlgorithmFactory cryptoAlgorithmFactory)
{
// The entire operation is wrapped in a 'checked' block because any overflows should be treated as failures.
checked
{
// We want to check that the input is in the form:
// protectedData := IV || Enc(Kenc, IV, clearData) || Sign(Kval, IV || Enc(Kenc, IV, clearData))
// Definitions used in this method:
// encryptedPayload := Enc(Kenc, IV, clearData)
// signature := Sign(Kval, IV || encryptedPayload)
// These SymmetricAlgorithm instances are single-use; we wrap it in a 'using' block.
using (var decryptionAlgorithm = cryptoAlgorithmFactory.GetEncryptionAlgorithm())
{
decryptionAlgorithm.Key = decryptionKey.GetKeyMaterial();
// These KeyedHashAlgorithm instances are single-use; we wrap it in a 'using' block.
using (var validationAlgorithm = cryptoAlgorithmFactory.GetValidationAlgorithm())
{
validationAlgorithm.Key = validationKey.GetKeyMaterial();
// First, we need to verify that protectedData is even long enough to contain
// the required components (IV, encryptedPayload, signature).
var ivByteCount = decryptionAlgorithm.BlockSize / 8; // IV length is equal to the block size
var signatureByteCount = validationAlgorithm.HashSize / 8;
var encryptedPayloadByteCount = protectedData.Length - ivByteCount - signatureByteCount;
if (encryptedPayloadByteCount <= 0)
{
// protectedData doesn't meet minimum length requirements
return(null);
}
// If that check passes, we need to detect payload tampering.
// Compute the signature over the IV and encrypted payload
// computedSignature := Sign(Kval, IV || encryptedPayload)
var computedSignature = validationAlgorithm.ComputeHash(protectedData, 0, ivByteCount + encryptedPayloadByteCount);
if (!BuffersAreEqual(
buffer1: protectedData, buffer1Offset: ivByteCount + encryptedPayloadByteCount, buffer1Count: signatureByteCount,
buffer2: computedSignature, buffer2Offset: 0, buffer2Count: computedSignature.Length))
{
// the computed signature didn't match the incoming signature, which is a sign of payload tampering
return(null);
}
// At this point, we're certain that we generated the signature over this payload,
// so we can go ahead with decryption.
// Populate the IV from the incoming stream
var iv = new byte[ivByteCount];
Buffer.BlockCopy(protectedData, 0, iv, 0, iv.Length);
decryptionAlgorithm.IV = iv;
// Write the decrypted payload to the memory stream.
using (var memStream = new MemoryStream())
{
using (var decryptor = decryptionAlgorithm.CreateDecryptor())
{
using (var cryptoStream = new CryptoStream(memStream, decryptor, CryptoStreamMode.Write))
{
cryptoStream.Write(protectedData, ivByteCount, encryptedPayloadByteCount);
cryptoStream.FlushFinalBlock();
// At this point
// memStream := clearData
var clearData = memStream.ToArray();
return(clearData);
}
}
}
}
}
}
}
