public void ShouldCallRandomFunction()
{
Mock <IRandom800_90> mock = new Mock <IRandom800_90>();
mock
.Setup(s => s.GetRandomBitString(It.IsAny <int>()))
.Returns(new BitString(1));
EntropyProvider subject = new EntropyProvider(mock.Object);
var result = subject.GetEntropy(1);
mock.Verify(v => v.GetRandomBitString(It.IsAny <int>()), Times.Once, nameof(mock.Object.GetRandomBitString));
}
public override PaddingResult Pad(int nlen, BitString message)
{
var emBits = nlen - 1;
var mHash = Sha.HashMessage(message).Digest;
var emLen = emBits.CeilingDivide(8);
// All byte values
if (emLen < mHash.BitLength / 8 + SaltLength + 2)
{
return(new PaddingResult("Encoding error"));
}
var salt = EntropyProvider.GetEntropy(SaltLength * 8);
var mPrime = BitString.Zeroes(64);
mPrime = BitString.ConcatenateBits(mPrime, mHash);
mPrime = BitString.ConcatenateBits(mPrime, salt);
var H = Sha.HashMessage(mPrime).Digest;
// All bit values
var PS = BitString.Zeroes(emLen * 8 - SaltLength * 8 - H.BitLength - 2 * 8);
var DB = PS.GetDeepCopy();
DB = BitString.ConcatenateBits(DB, ZeroOne);
DB = BitString.ConcatenateBits(DB, salt);
// All bit values
var dbMask = Mask.Mask(H, (emLen * 8) - H.BitLength - (1 * 8));
var maskedDB = BitString.XOR(DB, dbMask);
// Set leftmost bits to 0
for (var i = 0; i < 8 * emLen - emBits; i++)
{
maskedDB.Set(maskedDB.BitLength - i - 1, false);
}
// ERROR: split maskedDB into two chunks and insert hashed message in the middle
var firstChunkMask = maskedDB.GetMostSignificantBits(maskedDB.BitLength - 8);
var secondChunkMask = maskedDB.GetLeastSignificantBits(8);
var EM = firstChunkMask.GetDeepCopy();
EM = BitString.ConcatenateBits(EM, H);
EM = BitString.ConcatenateBits(EM, secondChunkMask);
EM = BitString.ConcatenateBits(EM, Bc);
return(new PaddingResult(EM));
}
protected override void GenerateKasKeyNonceInformation()
{
if (DomainParameters == null)
{
GenerateDomainParameters();
}
StaticKeyPair = Dsa.GenerateKeyPair(DomainParameters).KeyPair;
// DKM Nonce required when party U and KdfNoKc or KdfKc
if (SchemeParameters.KeyAgreementRole == KeyAgreementRole.InitiatorPartyU &&
SchemeParameters.KasMode != KasMode.NoKdfNoKc)
{
try
{
DkmNonce = EntropyProvider.GetEntropy(new BitString(DomainParameters.Q).BitLength / 2);
}
catch (Exception e)
{
Console.WriteLine(e);
throw;
}
}
// When party V, KC, Bilateral, generate ephemeral nonce
// When party V, KC, Unilateral, and the recipient of key confirmation, ephemeral nonce
// Otherwise, no ephemeral nonce.
if (SchemeParameters.KeyAgreementRole == KeyAgreementRole.ResponderPartyV &&
SchemeParameters.KasMode == KasMode.KdfKc)
{
if (SchemeParameters.KeyConfirmationDirection == KeyConfirmationDirection.Bilateral ||
(
SchemeParameters.KeyConfirmationDirection == KeyConfirmationDirection.Unilateral &&
SchemeParameters.KeyConfirmationRole == KeyConfirmationRole.Recipient
)
)
{
EphemeralNonce = EntropyProvider.GetEntropy(new BitString(DomainParameters.P).BitLength);
}
}
// when party U and KdfNoKc, a NoKeyConfirmationNonce is needed.
if (SchemeParameters.KeyAgreementRole == KeyAgreementRole.InitiatorPartyU &&
SchemeParameters.KasMode == KasMode.KdfNoKc)
{
NoKeyConfirmationNonce = EntropyProvider.GetEntropy(128);
}
}
protected override void GenerateKasKeyNonceInformation()
{
if (DomainParameters == null)
{
GenerateDomainParameters();
}
EphemeralKeyPair = Dsa.GenerateKeyPair(DomainParameters).KeyPair;
// when party U and KdfNoKc, a NoKeyConfirmationNonce is needed.
if (SchemeParameters.KeyAgreementRole == KeyAgreementRole.InitiatorPartyU &&
SchemeParameters.KasMode == KasMode.KdfNoKc)
{
NoKeyConfirmationNonce = EntropyProvider.GetEntropy(128);
}
}
public override PaddingResult Pad(int nlen, BitString message)
{
var emBits = nlen - 1;
var mHash = Sha.HashMessage(message).Digest;
var emLen = emBits.CeilingDivide(8);
// All byte values
if (emLen < mHash.BitLength / 8 + SaltLength + 2)
{
return(new PaddingResult("Encoding error"));
}
var salt = EntropyProvider.GetEntropy(SaltLength * 8);
var mPrime = BitString.Zeroes(64);
mPrime = BitString.ConcatenateBits(mPrime, mHash);
mPrime = BitString.ConcatenateBits(mPrime, salt);
var H = Sha.HashMessage(mPrime).Digest;
// All bit values
var PS = BitString.Zeroes(emLen * 8 - SaltLength * 8 - H.BitLength - 2 * 8);
var DB = PS.GetDeepCopy();
DB = BitString.ConcatenateBits(DB, ZeroOne);
DB = BitString.ConcatenateBits(DB, salt);
// All bit values
var dbMask = Mask.Mask(H, (emLen * 8) - H.BitLength - (1 * 8));
var maskedDB = BitString.XOR(DB, dbMask);
// Set leftmost bits to 0
for (var i = 0; i < 8 * emLen - emBits; i++)
{
maskedDB.Set(maskedDB.BitLength - i - 1, false);
}
var EM = maskedDB.GetDeepCopy();
EM = BitString.ConcatenateBits(EM, H);
EM = BitString.ConcatenateBits(EM, new BitString("4C")); // ERROR: should be 'BC'
return(new PaddingResult(EM));
}
protected override void GenerateKasKeyNonceInformation()
{
if (DomainParameters == null)
{
GenerateDomainParameters();
}
StaticKeyPair = Dsa.GenerateKeyPair(DomainParameters).KeyPair;
var curveAttributes = CurveAttributesHelper.GetCurveAttribute(DomainParameters.CurveE.CurveName);
// DKM Nonce required when party U and KdfNoKc/KdfKc
if (SchemeParameters.KeyAgreementRole == KeyAgreementRole.InitiatorPartyU &&
SchemeParameters.KasMode != KasMode.NoKdfNoKc)
{
DkmNonce = EntropyProvider.GetEntropy(curveAttributes.DegreeOfPolynomial.ValueToMod(BitString.BITSINBYTE));
}
// When party V, KC, Bilateral, generate ephemeral nonce
// When party V, KC, Unilateral, and the recipient of key confirmation, ephemeral nonce
// Otherwise, no ephemeral nonce.
if (SchemeParameters.KeyAgreementRole == KeyAgreementRole.ResponderPartyV &&
SchemeParameters.KasMode == KasMode.KdfKc)
{
if (SchemeParameters.KeyConfirmationDirection == KeyConfirmationDirection.Bilateral ||
(
SchemeParameters.KeyConfirmationDirection == KeyConfirmationDirection.Unilateral &&
SchemeParameters.KeyConfirmationRole == KeyConfirmationRole.Recipient
)
)
{
EphemeralNonce = EntropyProvider.GetEntropy(curveAttributes.DegreeOfPolynomial.ValueToMod(BitString.BITSINBYTE));
}
}
// when party U and KdfNoKc, a NoKeyConfirmationNonce is needed.
if (SchemeParameters.KeyAgreementRole == KeyAgreementRole.InitiatorPartyU &&
SchemeParameters.KasMode == KasMode.KdfNoKc)
{
NoKeyConfirmationNonce = EntropyProvider.GetEntropy(128);
}
}
protected override void GenerateKasKeyNonceInformation()
{
if (DomainParameters == null)
{
GenerateDomainParameters();
}
StaticKeyPair = Dsa.GenerateKeyPair(DomainParameters).KeyPair;
// Only party U generates an ephemeral key
if (SchemeParameters.KeyAgreementRole == KeyAgreementRole.InitiatorPartyU)
{
EphemeralKeyPair = Dsa.GenerateKeyPair(DomainParameters).KeyPair;
}
// When party V, KC, Bilateral, generate ephemeral nonce
// When party V, KC, Unilateral, and the recipient of key confirmation, ephemeral nonce
// Otherwise, no ephemeral nonce.
if (SchemeParameters.KeyAgreementRole == KeyAgreementRole.ResponderPartyV &&
SchemeParameters.KasMode == KasMode.KdfKc)
{
if (SchemeParameters.KeyConfirmationDirection == KeyConfirmationDirection.Bilateral ||
(
SchemeParameters.KeyConfirmationDirection == KeyConfirmationDirection.Unilateral &&
SchemeParameters.KeyConfirmationRole == KeyConfirmationRole.Recipient
)
)
{
EphemeralNonce = EntropyProvider.GetEntropy(new BitString(DomainParameters.P).BitLength);
}
}
// when party U and KdfNoKc, a NoKeyConfirmationNonce is needed.
if (SchemeParameters.KeyAgreementRole == KeyAgreementRole.InitiatorPartyU &&
SchemeParameters.KasMode == KasMode.KdfNoKc)
{
NoKeyConfirmationNonce = EntropyProvider.GetEntropy(128);
}
}
protected override void BuildKeyingMaterialThisParty(IIfcSecretKeyingMaterialBuilder thisPartyKeyingMaterialBuilder,
IIfcSecretKeyingMaterial otherPartyKeyingMaterial)
{
switch (SchemeParameters.KeyAgreementRole)
{
case KeyAgreementRole.InitiatorPartyU:
// Create a key of L length, wrap it with the other parties public key.
var keyToEncodeEncrypt = EntropyProvider.GetEntropy(SchemeParameters.KasAlgoAttributes.L);
var kts = _ktsFactory.Get(_ktsParameter.KtsHashAlg);
BitString fixedInfo = null;
if (!string.IsNullOrEmpty(_ktsParameter.AssociatedDataPattern))
{
ThisPartyKeyingMaterial = _thisPartyKeyingMaterialBuilder.Build(
SchemeParameters.KasAlgoAttributes.Scheme,
SchemeParameters.KasMode,
SchemeParameters.KeyAgreementRole,
SchemeParameters.KeyConfirmationRole,
SchemeParameters.KeyConfirmationDirection
);
fixedInfo = GetFixedInfo(otherPartyKeyingMaterial);
}
var c = kts.Encrypt(otherPartyKeyingMaterial.Key.PubKey, keyToEncodeEncrypt, fixedInfo).SharedSecretZ;
thisPartyKeyingMaterialBuilder.WithK(keyToEncodeEncrypt);
thisPartyKeyingMaterialBuilder.WithC(c);
break;
case KeyAgreementRole.ResponderPartyV:
// Key should have been set outside the scope of the kas instance
break;
default:
throw new ArgumentException($"Invalid {nameof(SchemeParameters.KeyAgreementRole)}");
}
}
protected override void BuildKeyingMaterialThisParty(IIfcSecretKeyingMaterialBuilder thisPartyKeyingMaterialBuilder,
IIfcSecretKeyingMaterial otherPartyKeyingMaterial)
{
// Note party ID should have been set on the builder outside of the scope of kas.
switch (SchemeParameters.KeyAgreementRole)
{
case KeyAgreementRole.InitiatorPartyU:
// Create random Z, encrypt with IUT public key to arrive at C
var rsaSveResult = _rsaSve.Generate(otherPartyKeyingMaterial.Key.PubKey);
thisPartyKeyingMaterialBuilder.WithZ(rsaSveResult.SharedSecretZ);
thisPartyKeyingMaterialBuilder.WithC(rsaSveResult.Ciphertext);
break;
case KeyAgreementRole.ResponderPartyV:
// Provides public key and nonce. Public key should have been set on the builder outside the scope of the kas instance.
thisPartyKeyingMaterialBuilder.WithDkmNonce(
EntropyProvider.GetEntropy(SchemeParameters.KasAlgoAttributes.Modulo));
break;
default:
throw new ArgumentException($"Invalid {nameof(SchemeParameters.KeyAgreementRole)} for building keying material.");
}
}