public KasIfcResult ComputeResult(IIfcSecretKeyingMaterial otherPartyKeyingMaterial)
{
if (!_isThisPartyKeyingMaterialInitialized)
{
InitializeThisPartyKeyingMaterial(otherPartyKeyingMaterial);
}
// When running in NoKdfNoKc mode for KAS SSC, keyToTransport is `z`, otherwise it is `dkm`.
var keyToTransport = GetKeyingMaterial(otherPartyKeyingMaterial);
var keyingMaterialPartyU = SchemeParameters.KeyAgreementRole == KeyAgreementRole.InitiatorPartyU
? ThisPartyKeyingMaterial
: otherPartyKeyingMaterial;
var keyingMaterialPartyV = SchemeParameters.KeyAgreementRole == KeyAgreementRole.ResponderPartyV
? ThisPartyKeyingMaterial
: otherPartyKeyingMaterial;
// No key confirmation, return the whole key
if (_keyConfirmationFactory == null)
{
return(new KasIfcResult(keyingMaterialPartyU, keyingMaterialPartyV, keyToTransport));
}
var keyConfirmationKey = keyToTransport.GetMostSignificantBits(_macParameters.KeyLength);
var keyConfirmationResult = KeyConfirmation(otherPartyKeyingMaterial, keyConfirmationKey);
return(new KasIfcResult(
keyingMaterialPartyU, keyingMaterialPartyV,
keyToTransport, keyConfirmationKey, keyConfirmationResult.MacData, keyConfirmationResult.Mac));
}
public KasIfcResult(IIfcSecretKeyingMaterial keyingMaterialPartyU,
IIfcSecretKeyingMaterial keyingMaterialPartyV,
BitString dkm)
{
KeyingMaterialPartyU = keyingMaterialPartyU;
KeyingMaterialPartyV = keyingMaterialPartyV;
Dkm = dkm;
}
/// <summary>
/// Performs key confirmation using both parties contributions to the key establishment.
/// </summary>
/// <param name="otherPartyKeyingMaterial">The other parties contributions to the scheme.</param>
/// <param name="keyToTransport">The key that was derived in the KAS or KTS scheme.</param>
/// <returns></returns>
private ComputeKeyMacResult KeyConfirmation(IIfcSecretKeyingMaterial otherPartyKeyingMaterial, BitString keyToTransport)
{
var keyConfParam = GetKeyConfirmationParameters(otherPartyKeyingMaterial, keyToTransport);
var keyConfirmation = _keyConfirmationFactory.GetInstance(keyConfParam);
return(keyConfirmation.ComputeMac());
}
protected override void BuildKeyingMaterialThisParty(IIfcSecretKeyingMaterialBuilder thisPartyKeyingMaterialBuilder,
IIfcSecretKeyingMaterial otherPartyKeyingMaterial)
{
// Note party ID should have been set on the builder outside of the scope of kas.
// Public key should have been set on the builder outside the scope of the kas instance.
// Create random Z, encrypt with IUT public key to arrive at C.
var rsaSveResult = _rsaSve.Generate(otherPartyKeyingMaterial.Key.PubKey);
thisPartyKeyingMaterialBuilder.WithZ(rsaSveResult.SharedSecretZ);
thisPartyKeyingMaterialBuilder.WithC(rsaSveResult.Ciphertext);
}
/// <summary>
/// Constructor used to create result for KAS-IFC with key confirmation.
/// </summary>
/// <param name="dkm">The derived keying material minus any bits used for the macKey.</param>
/// <param name="macKey">The macKey that is used for keyConfirmation, taken from most significant bits of the derivedKey.</param>
/// <param name="macData">The data that is plugged into the message parameter of a mac function.</param>
/// <param name="tag">The resulting tag of H(macKey, macData).</param>
public KasIfcResult(
IIfcSecretKeyingMaterial keyingMaterialPartyU,
IIfcSecretKeyingMaterial keyingMaterialPartyV,
BitString dkm, BitString macKey, BitString macData, BitString tag)
{
KeyingMaterialPartyU = keyingMaterialPartyU;
KeyingMaterialPartyV = keyingMaterialPartyV;
Dkm = dkm;
MacKey = macKey;
MacData = macData;
Tag = tag;
}
protected override BitString GetEphemeralDataFromKeyContribution(IIfcSecretKeyingMaterial secretKeyingMaterial,
KeyAgreementRole keyAgreementRole, bool excludeEphemeralData)
{
// KAS1 Party U C
// KAS1 Party V NV
if (keyAgreementRole == KeyAgreementRole.InitiatorPartyU)
{
return(secretKeyingMaterial.C);
}
return(secretKeyingMaterial.DkmNonce);
}
protected override BitString GetKeyingMaterial(IIfcSecretKeyingMaterial otherPartyKeyingMaterial)
{
BitString zU = null;
BitString zV = null;
BitString initiatorData = null;
BitString responderData = null;
switch (SchemeParameters.KeyAgreementRole)
{
case KeyAgreementRole.InitiatorPartyU:
zU = ThisPartyKeyingMaterial.Z;
// When party U, recover zV from cV
var recoverV = _rsaSve.Recover(ThisPartyKeyingMaterial.Key, otherPartyKeyingMaterial.C);
zV = recoverV.SharedSecretZ;
initiatorData = ThisPartyKeyingMaterial.C;
responderData = otherPartyKeyingMaterial.C;
break;
case KeyAgreementRole.ResponderPartyV:
zV = ThisPartyKeyingMaterial.Z;
// When party V, recover zU from cU
var recoverU = _rsaSve.Recover(ThisPartyKeyingMaterial.Key, otherPartyKeyingMaterial.C);
zU = recoverU.SharedSecretZ;
initiatorData = otherPartyKeyingMaterial.C;
responderData = ThisPartyKeyingMaterial.C;
break;
default:
throw new ArgumentException($"Invalid {nameof(SchemeParameters.KeyAgreementRole)}");
}
var z = zU.ConcatenateBits(zV);
// Don't run the KDF if NoKdfNoKc, return Z directly, for SSC tests
if (SchemeParameters.KasMode == KasMode.NoKdfNoKc)
{
return(z);
}
_kdfParameter.Z = z;
_kdfParameter.SetEphemeralData(initiatorData, responderData);
var fixedInfo = GetFixedInfo(otherPartyKeyingMaterial);
return(_kdfParameter.AcceptKdf(_kdfVisitor, fixedInfo).DerivedKey);
}
public void InitializeThisPartyKeyingMaterial(IIfcSecretKeyingMaterial otherPartyKeyingMaterial)
{
_isThisPartyKeyingMaterialInitialized = true;
BuildKeyingMaterialThisParty(_thisPartyKeyingMaterialBuilder, otherPartyKeyingMaterial);
_thisPartyKeyingMaterial = _thisPartyKeyingMaterialBuilder.Build(
SchemeParameters.KasAlgoAttributes.Scheme,
SchemeParameters.KasMode,
SchemeParameters.KeyAgreementRole,
SchemeParameters.KeyConfirmationRole,
SchemeParameters.KeyConfirmationDirection
);
}
protected override BitString GetKeyingMaterial(IIfcSecretKeyingMaterial otherPartyKeyingMaterial)
{
BitString initiatorData = null;
BitString responderData = null;
BitString z = null;
switch (SchemeParameters.KeyAgreementRole)
{
case KeyAgreementRole.InitiatorPartyU:
z = ThisPartyKeyingMaterial.Z;
initiatorData = ThisPartyKeyingMaterial.C;
responderData = otherPartyKeyingMaterial.DkmNonce;
break;
case KeyAgreementRole.ResponderPartyV:
// In this instance, party V recovers the Z value chosen by party U, utilizing party V's RSA private key.
var thisPartyKeyPair = ThisPartyKeyingMaterial.Key;
z = _rsaSve.Recover(thisPartyKeyPair, otherPartyKeyingMaterial.C).SharedSecretZ;
initiatorData = otherPartyKeyingMaterial.C;
responderData = ThisPartyKeyingMaterial.DkmNonce;
break;
default:
throw new ArgumentException($"Invalid {nameof(SchemeParameters.KeyAgreementRole)}");
}
// Don't run the KDF if NoKdfNoKc, return Z directly, for SSC tests
if (SchemeParameters.KasMode == KasMode.NoKdfNoKc)
{
return(z);
}
_kdfParameter.Z = z;
_kdfParameter.SetEphemeralData(initiatorData, responderData);
var fixedInfo = GetFixedInfo(otherPartyKeyingMaterial);
return(_kdfParameter.AcceptKdf(_kdfVisitor, fixedInfo).DerivedKey);
}
/// <summary>
/// Get the FixedInfo BitString for use in KDFs and KTS.
/// </summary>
/// <param name="otherPartyKeyingMaterial">The other party keying material</param>
/// <param name="excludeEphemeralData">Should the ephemeral data be excluded? (Used for KTS fixed info generation)</param>
/// <returns></returns>
protected BitString GetFixedInfo(IIfcSecretKeyingMaterial otherPartyKeyingMaterial, bool excludeEphemeralData = false)
{
var fixedInfo = _fixedInfoFactory.Get();
var thisPartyFixedInfo = GetPartyFixedInfo(ThisPartyKeyingMaterial, SchemeParameters.KeyAgreementRole, excludeEphemeralData);
var otherPartyRole =
KeyGenerationRequirementsHelper.GetOtherPartyKeyAgreementRole(SchemeParameters.KeyAgreementRole);
var otherPartyFixedInfo = GetPartyFixedInfo(otherPartyKeyingMaterial, otherPartyRole, excludeEphemeralData);
_fixedInfoParameter.SetFixedInfo(
SchemeParameters.KeyAgreementRole == KeyAgreementRole.InitiatorPartyU
? thisPartyFixedInfo
: otherPartyFixedInfo,
SchemeParameters.KeyAgreementRole == KeyAgreementRole.ResponderPartyV
? thisPartyFixedInfo
: otherPartyFixedInfo
);
return(fixedInfo.Get(_fixedInfoParameter));
}
protected override BitString GetKeyingMaterial(IIfcSecretKeyingMaterial otherPartyKeyingMaterial)
{
var kts = _ktsFactory.Get(_ktsParameter.KtsHashAlg);
// Party U has the key, encrypts it with Party V's public key
if (SchemeParameters.KeyAgreementRole == KeyAgreementRole.InitiatorPartyU)
{
return(ThisPartyKeyingMaterial.K);
}
// Party V has the private key that is used to decrypt the key from party U.
BitString fixedInfo = null;
if (!string.IsNullOrEmpty(_ktsParameter.AssociatedDataPattern))
{
fixedInfo = GetFixedInfo(otherPartyKeyingMaterial, true);
}
var thisPartyKey = ThisPartyKeyingMaterial.Key;
var otherPartyCiphertext = otherPartyKeyingMaterial.C;
return(kts.Decrypt(thisPartyKey, otherPartyCiphertext, fixedInfo).SharedSecretZ);
}
protected override void BuildKeyingMaterialThisParty(IIfcSecretKeyingMaterialBuilder thisPartyKeyingMaterialBuilder,
IIfcSecretKeyingMaterial otherPartyKeyingMaterial)
{
switch (SchemeParameters.KeyAgreementRole)
{
case KeyAgreementRole.InitiatorPartyU:
// Create a key of L length, wrap it with the other parties public key.
var keyToEncodeEncrypt = EntropyProvider.GetEntropy(SchemeParameters.KasAlgoAttributes.L);
var kts = _ktsFactory.Get(_ktsParameter.KtsHashAlg);
BitString fixedInfo = null;
if (!string.IsNullOrEmpty(_ktsParameter.AssociatedDataPattern))
{
ThisPartyKeyingMaterial = _thisPartyKeyingMaterialBuilder.Build(
SchemeParameters.KasAlgoAttributes.Scheme,
SchemeParameters.KasMode,
SchemeParameters.KeyAgreementRole,
SchemeParameters.KeyConfirmationRole,
SchemeParameters.KeyConfirmationDirection
);
fixedInfo = GetFixedInfo(otherPartyKeyingMaterial);
}
var c = kts.Encrypt(otherPartyKeyingMaterial.Key.PubKey, keyToEncodeEncrypt, fixedInfo).SharedSecretZ;
thisPartyKeyingMaterialBuilder.WithK(keyToEncodeEncrypt);
thisPartyKeyingMaterialBuilder.WithC(c);
break;
case KeyAgreementRole.ResponderPartyV:
// Key should have been set outside the scope of the kas instance
break;
default:
throw new ArgumentException($"Invalid {nameof(SchemeParameters.KeyAgreementRole)}");
}
}
/// <summary>
/// Generate the <see cref="IKeyConfirmationParameters"/> based on the two parties information.
/// </summary>
/// <param name="otherPartyKeyingMaterial">The other parties keying information.</param>
/// <param name="keyToTransport">The derived keying material.</param>
/// <returns></returns>
private IKeyConfirmationParameters GetKeyConfirmationParameters(IIfcSecretKeyingMaterial otherPartyKeyingMaterial, BitString keyToTransport)
{
var thisPartyEphemData =
GetEphemeralDataFromKeyContribution(ThisPartyKeyingMaterial, SchemeParameters.KeyAgreementRole, false);
var otherPartyEphemData =
GetEphemeralDataFromKeyContribution(otherPartyKeyingMaterial,
KeyGenerationRequirementsHelper.GetOtherPartyKeyAgreementRole(SchemeParameters.KeyAgreementRole),
false);
return(new KeyConfirmationParameters(
SchemeParameters.KeyAgreementRole,
SchemeParameters.KeyConfirmationRole,
SchemeParameters.KeyConfirmationDirection,
_macParameters.MacType,
_macParameters.KeyLength,
_macParameters.MacLength,
ThisPartyKeyingMaterial.PartyId,
otherPartyKeyingMaterial.PartyId,
thisPartyEphemData,
otherPartyEphemData,
keyToTransport
));
}
protected override void BuildKeyingMaterialThisParty(IIfcSecretKeyingMaterialBuilder thisPartyKeyingMaterialBuilder,
IIfcSecretKeyingMaterial otherPartyKeyingMaterial)
{
// Note party ID should have been set on the builder outside of the scope of kas.
switch (SchemeParameters.KeyAgreementRole)
{
case KeyAgreementRole.InitiatorPartyU:
// Create random Z, encrypt with IUT public key to arrive at C
var rsaSveResult = _rsaSve.Generate(otherPartyKeyingMaterial.Key.PubKey);
thisPartyKeyingMaterialBuilder.WithZ(rsaSveResult.SharedSecretZ);
thisPartyKeyingMaterialBuilder.WithC(rsaSveResult.Ciphertext);
break;
case KeyAgreementRole.ResponderPartyV:
// Provides public key and nonce. Public key should have been set on the builder outside the scope of the kas instance.
thisPartyKeyingMaterialBuilder.WithDkmNonce(
EntropyProvider.GetEntropy(SchemeParameters.KasAlgoAttributes.Modulo));
break;
default:
throw new ArgumentException($"Invalid {nameof(SchemeParameters.KeyAgreementRole)} for building keying material.");
}
}
public void InitializeThisPartyKeyingMaterial(IIfcSecretKeyingMaterial otherPartyKeyingMaterial)
{
Scheme.InitializeThisPartyKeyingMaterial(otherPartyKeyingMaterial);
}
/// <summary>
/// Get the <see cref="PartyFixedInfo"/> as it pertains to the provided <see cref="IIfcSecretKeyingMaterial"/>
/// for the specified <see cref="KeyAgreementRole"/>.
/// </summary>
/// <param name="secretKeyingMaterial">The secret keying material for the party.</param>
/// <param name="keyAgreementRole">The parties key agreement role.</param>
/// <param name="excludeEphemeralData">Should the ephemeral data be excluded? (Used for KTS fixed info generation)</param>
/// <returns></returns>
private PartyFixedInfo GetPartyFixedInfo(IIfcSecretKeyingMaterial secretKeyingMaterial, KeyAgreementRole keyAgreementRole, bool excludeEphemeralData)
{
return(new PartyFixedInfo(secretKeyingMaterial.PartyId, GetEphemeralDataFromKeyContribution(secretKeyingMaterial, keyAgreementRole, excludeEphemeralData)));
}
public ISchemeIfcBuilder WithThisPartyKeyingMaterial(IIfcSecretKeyingMaterial value)
{
_thisPartyKeyingMaterial = value;
return(this);
}
/// <summary> /// Creates/Gets/Recovers a key for a KAS/KTS scheme. /// </summary> /// <param name="otherPartyKeyingMaterial"></param> /// <returns></returns> protected abstract BitString GetKeyingMaterial(IIfcSecretKeyingMaterial otherPartyKeyingMaterial);
/// <summary> /// The ephemeral data can be composed of any of C, CU, CV, NV, depending on the party, and scheme /// /// Scheme Party Ephemeral Data /// KAS1 Party U C /// KAS1 Party V NV /// KAS2 Party U CU /// KAS2 Party V CV /// KTS Party U C /// KTS Party V null /// </summary> /// <param name="secretKeyingMaterial">a party's secret keying material</param> /// <param name="keyAgreementRole">a party's key agreement role</param> /// <param name="excludeEphemeralData">Should the ephemeral data be excluded? (Used for KTS fixed info generation)</param> /// <returns></returns> protected abstract BitString GetEphemeralDataFromKeyContribution(IIfcSecretKeyingMaterial secretKeyingMaterial, KeyAgreementRole keyAgreementRole, bool excludeEphemeralData);
protected abstract void BuildKeyingMaterialThisParty(
IIfcSecretKeyingMaterialBuilder thisPartyKeyingMaterialBuilder,
IIfcSecretKeyingMaterial otherPartyKeyingMaterial);
protected override BitString GetEphemeralDataFromKeyContribution(IIfcSecretKeyingMaterial secretKeyingMaterial,
KeyAgreementRole keyAgreementRole, bool excludeEphemeralData)
{
return(secretKeyingMaterial.C);
}
public KasIfcResult ComputeResult(IIfcSecretKeyingMaterial otherPartyKeyingMaterial)
{
return(Scheme.ComputeResult(otherPartyKeyingMaterial));
}
