/// <summary>
/// Sets up the KDF parameter with the ephemeral data provided by the two parties to be used in the key derivation process.
/// </summary>
/// <param name="kdfParameter">The kdfParameter parameter in which to have its ephemeral data set.</param>
/// <param name="otherPartyKeyingMaterial">The other party keying material.</param>
/// <param name="z">The shared secret z.</param>
private void SetKdfEphemeralData(IKdfParameter kdfParameter, ISecretKeyingMaterial otherPartyKeyingMaterial, BitString z)
{
BitString initiatorData = null;
BitString responderData = null;
kdfParameter.Z = z;
switch (SchemeParameters.KeyAgreementRole)
{
case KeyAgreementRole.InitiatorPartyU:
initiatorData = GetEphemeralDataFromKeyContribution(
ThisPartyKeyingMaterial);
responderData = GetEphemeralDataFromKeyContribution(
otherPartyKeyingMaterial);
break;
case KeyAgreementRole.ResponderPartyV:
initiatorData = GetEphemeralDataFromKeyContribution(
otherPartyKeyingMaterial);
responderData = GetEphemeralDataFromKeyContribution(
ThisPartyKeyingMaterial);
break;
default:
throw new ArgumentException($"Invalid {nameof(SchemeParameters.KeyAgreementRole)}");
}
kdfParameter.SetEphemeralData(initiatorData, responderData);
}
public KeyAgreementResult ComputeResult(ISecretKeyingMaterial otherPartyKeyingMaterial)
{
var z = ComputeSharedSecret(otherPartyKeyingMaterial);
var keyingMaterialPartyU = SchemeParameters.KeyAgreementRole == KeyAgreementRole.InitiatorPartyU
? ThisPartyKeyingMaterial
: otherPartyKeyingMaterial;
var keyingMaterialPartyV = SchemeParameters.KeyAgreementRole == KeyAgreementRole.ResponderPartyV
? ThisPartyKeyingMaterial
: otherPartyKeyingMaterial;
if (SchemeParameters.KasMode == KasMode.NoKdfNoKc)
{
return(new KeyAgreementResult(keyingMaterialPartyU, keyingMaterialPartyV, z));
}
var fixedInfo = GetFixedInfo(otherPartyKeyingMaterial);
var dkm = DeriveKey(otherPartyKeyingMaterial, z, fixedInfo);
if (_keyConfirmationFactory == null)
{
return(new KeyAgreementResult(keyingMaterialPartyU, keyingMaterialPartyV, z, fixedInfo, dkm));
}
var keyConfirmationKey = dkm.GetMostSignificantBits(_keyConfirmationParameter.KeyLength);
var keyConfirmationResult = KeyConfirmation(otherPartyKeyingMaterial, keyConfirmationKey);
return(new KeyAgreementResult(
keyingMaterialPartyU, keyingMaterialPartyV, z, fixedInfo, dkm,
keyConfirmationKey, keyConfirmationResult.MacData, keyConfirmationResult.Mac));
}
protected override BitString ComputeSharedSecret(ISecretKeyingMaterial otherPartyKeyingMaterial)
{
var domainParameters = (EccDomainParameters)ThisPartyKeyingMaterial.DomainParameters;
// static secret composed of both parties static key parts
var staticSecret = _diffieHellman.GenerateSharedSecretZ(
domainParameters,
(EccKeyPair)ThisPartyKeyingMaterial.StaticKeyPair,
(EccKeyPair)otherPartyKeyingMaterial.StaticKeyPair
).SharedSecretZ;
// differing ephemeralSecret logic depending on key agreement role
BitString ephemeralSecret;
if (SchemeParameters.KeyAgreementRole == KeyAgreementRole.InitiatorPartyU)
{
ephemeralSecret = _diffieHellman.GenerateSharedSecretZ(
domainParameters,
(EccKeyPair)ThisPartyKeyingMaterial.EphemeralKeyPair,
(EccKeyPair)otherPartyKeyingMaterial.StaticKeyPair
).SharedSecretZ;
}
else
{
ephemeralSecret = _diffieHellman.GenerateSharedSecretZ(
domainParameters,
(EccKeyPair)ThisPartyKeyingMaterial.StaticKeyPair,
(EccKeyPair)otherPartyKeyingMaterial.EphemeralKeyPair
).SharedSecretZ;
}
// Shared secret is composed (Z_e || Z_s)
return(BitString.ConcatenateBits(ephemeralSecret, staticSecret));
}
protected override BitString GetEphemeralDataFromKeyContribution(ISecretKeyingMaterial secretKeyingMaterial)
{
if (secretKeyingMaterial.EphemeralKeyPair != null)
{
var domainParam = (EccDomainParameters)secretKeyingMaterial.DomainParameters;
var exactLength = CurveAttributesHelper.GetCurveAttribute(domainParam.CurveE.CurveName).DegreeOfPolynomial;;
var ephemKey = (EccKeyPair)secretKeyingMaterial.EphemeralKeyPair;
if (ephemKey.PublicQ.X != 0)
{
return(BitString.ConcatenateBits(
SharedSecretZHelper.FormatEccSharedSecretZ(ephemKey.PublicQ.X, exactLength),
SharedSecretZHelper.FormatEccSharedSecretZ(ephemKey.PublicQ.Y, exactLength)
));
}
}
if (secretKeyingMaterial.EphemeralNonce != null && secretKeyingMaterial.EphemeralNonce?.BitLength != 0)
{
return(secretKeyingMaterial.EphemeralNonce);
}
return(secretKeyingMaterial.DkmNonce);
}
protected override BitString ComputeSharedSecret(ISecretKeyingMaterial otherPartyKeyingMaterial)
{
// Party U uses both its static and ephemeral keys, and Party V's static public key
if (SchemeParameters.KeyAgreementRole == KeyAgreementRole.InitiatorPartyU)
{
return(_mqv.GenerateSharedSecretZ(
(EccDomainParameters)ThisPartyKeyingMaterial.DomainParameters,
(EccKeyPair)ThisPartyKeyingMaterial.StaticKeyPair,
(EccKeyPair)otherPartyKeyingMaterial.StaticKeyPair,
(EccKeyPair)ThisPartyKeyingMaterial.EphemeralKeyPair,
(EccKeyPair)ThisPartyKeyingMaterial.EphemeralKeyPair,
(EccKeyPair)otherPartyKeyingMaterial.StaticKeyPair
).SharedSecretZ);
}
// Party V uses its static key, and party U's static and ephemeral keys
return(_mqv.GenerateSharedSecretZ(
(EccDomainParameters)ThisPartyKeyingMaterial.DomainParameters,
(EccKeyPair)ThisPartyKeyingMaterial.StaticKeyPair,
(EccKeyPair)otherPartyKeyingMaterial.StaticKeyPair,
(EccKeyPair)ThisPartyKeyingMaterial.StaticKeyPair,
(EccKeyPair)ThisPartyKeyingMaterial.StaticKeyPair,
(EccKeyPair)otherPartyKeyingMaterial.EphemeralKeyPair
).SharedSecretZ);
}
/// <summary>
/// Performs key confirmation using both parties contributions to the key establishment.
/// </summary>
/// <param name="otherPartyKeyingMaterial">The other parties contributions to the scheme.</param>
/// <param name="keyToTransport">The key that was derived in the KAS or KTS scheme.</param>
/// <returns></returns>
private ComputeKeyMacResult KeyConfirmation(ISecretKeyingMaterial otherPartyKeyingMaterial, BitString keyToTransport)
{
var keyConfParam = GetKeyConfirmationParameters(otherPartyKeyingMaterial, keyToTransport);
var keyConfirmation = _keyConfirmationFactory.GetInstance(keyConfParam);
return(keyConfirmation.ComputeMac());
}
/// <summary>
/// Construct the Result for KAS without a KDF or KeyConfirmation (component test)
/// </summary>
/// <param name="secretKeyingMaterialPartyU">The secret keying material for party U.</param>
/// <param name="secretKeyingMaterialPartyV">The secret keying material for party V.</param>
/// <param name="z">The shared secret.</param>
public KeyAgreementResult(ISecretKeyingMaterial secretKeyingMaterialPartyU,
ISecretKeyingMaterial secretKeyingMaterialPartyV,
BitString z)
{
SecretKeyingMaterialPartyU = secretKeyingMaterialPartyU;
SecretKeyingMaterialPartyV = secretKeyingMaterialPartyV;
Z = z;
}
protected override BitString ComputeSharedSecret(ISecretKeyingMaterial otherPartyKeyingMaterial)
{
return(_diffieHellman.GenerateSharedSecretZ(
(EccDomainParameters)ThisPartyKeyingMaterial.DomainParameters,
(EccKeyPair)ThisPartyKeyingMaterial.StaticKeyPair,
(EccKeyPair)otherPartyKeyingMaterial.StaticKeyPair
).SharedSecretZ);
}
/// <summary>
/// Construct the Result for KAS without KeyConfirmation
/// </summary>
/// <param name="secretKeyingMaterialPartyU">The secret keying material for party U.</param>
/// <param name="secretKeyingMaterialPartyV">The secret keying material for party V.</param>
/// <param name="z">The shared secret.</param>
/// <param name="fixedInfo">The fixed info used as a KDF input parameter.</param>
/// <param name="dkm">The derived keying material.</param>
public KeyAgreementResult(
ISecretKeyingMaterial secretKeyingMaterialPartyU,
ISecretKeyingMaterial secretKeyingMaterialPartyV,
BitString z,
BitString fixedInfo,
BitString dkm) : this(secretKeyingMaterialPartyU, secretKeyingMaterialPartyV, z)
{
FixedInfo = fixedInfo;
Dkm = dkm;
}
protected override BitString ComputeSharedSecret(ISecretKeyingMaterial otherPartyKeyingMaterial)
{
return(_mqv.GenerateSharedSecretZ(
(FfcDomainParameters)ThisPartyKeyingMaterial.DomainParameters,
(FfcKeyPair)ThisPartyKeyingMaterial.StaticKeyPair,
(FfcKeyPair)otherPartyKeyingMaterial.StaticKeyPair,
(FfcKeyPair)ThisPartyKeyingMaterial.EphemeralKeyPair,
(FfcKeyPair)ThisPartyKeyingMaterial.EphemeralKeyPair,
(FfcKeyPair)otherPartyKeyingMaterial.EphemeralKeyPair
).SharedSecretZ);
}
/// <summary>
/// Construct the Result for KAS using key confirmation.
/// </summary>
/// <param name="secretKeyingMaterialPartyU">The secret keying material for party U.</param>
/// <param name="secretKeyingMaterialPartyV">The secret keying material for party V.</param>
/// <param name="z">The shared secret.</param>
/// <param name="fixedInfo">The fixed info used as a KDF input parameter.</param>
/// <param name="dkm">The derived keying material.</param>
/// <param name="macKey">The key used in a MAC function.</param>
/// <param name="macData">The data used in a MAC function.</param>
/// <param name="tag">The resulting tag of MAC(macKey, macData).</param>
public KeyAgreementResult(ISecretKeyingMaterial secretKeyingMaterialPartyU,
ISecretKeyingMaterial secretKeyingMaterialPartyV,
BitString z,
BitString fixedInfo,
BitString dkm,
BitString macKey,
BitString macData,
BitString tag) : this(secretKeyingMaterialPartyU, secretKeyingMaterialPartyV, z, fixedInfo, dkm)
{
MacKey = macKey;
MacData = macData;
Tag = tag;
}
protected override BitString ComputeSharedSecret(ISecretKeyingMaterial otherPartyKeyingMaterial)
{
if (SchemeParameters.KeyAgreementRole == KeyAgreementRole.InitiatorPartyU)
{
return(_diffieHellman.GenerateSharedSecretZ(
(FfcDomainParameters)ThisPartyKeyingMaterial.DomainParameters,
(FfcKeyPair)ThisPartyKeyingMaterial.EphemeralKeyPair,
(FfcKeyPair)otherPartyKeyingMaterial.StaticKeyPair
).SharedSecretZ);
}
return(_diffieHellman.GenerateSharedSecretZ(
(FfcDomainParameters)ThisPartyKeyingMaterial.DomainParameters,
(FfcKeyPair)ThisPartyKeyingMaterial.StaticKeyPair,
(FfcKeyPair)otherPartyKeyingMaterial.EphemeralKeyPair
).SharedSecretZ);
}
/// <summary>
/// Gets the fixed info to be used as an input to a KDF.
/// </summary>
/// <param name="otherPartyKeyingMaterial">The other party keying material.</param>
/// <returns></returns>
private BitString GetFixedInfo(ISecretKeyingMaterial otherPartyKeyingMaterial)
{
var fixedInfo = _fixedInfoFactory.Get();
var thisPartyFixedInfo = GetPartyFixedInfo(ThisPartyKeyingMaterial);
var otherPartyFixedInfo = GetPartyFixedInfo(otherPartyKeyingMaterial);
_fixedInfoParameter.SetFixedInfo(
SchemeParameters.KeyAgreementRole == KeyAgreementRole.InitiatorPartyU
? thisPartyFixedInfo
: otherPartyFixedInfo,
SchemeParameters.KeyAgreementRole == KeyAgreementRole.ResponderPartyV
? thisPartyFixedInfo
: otherPartyFixedInfo
);
return(fixedInfo.Get(_fixedInfoParameter));
}
protected SchemeBase(
SchemeParameters schemeParameters,
ISecretKeyingMaterial thisPartyKeyingMaterial,
IFixedInfoFactory fixedInfoFactory,
FixedInfoParameter fixedInfoParameter,
IKdfFactory kdfFactory,
IKdfParameter kdfParameter,
IKeyConfirmationFactory keyConfirmationFactory,
MacParameters keyConfirmationParameter)
{
SchemeParameters = schemeParameters;
ThisPartyKeyingMaterial = thisPartyKeyingMaterial;
_fixedInfoFactory = fixedInfoFactory;
_fixedInfoParameter = fixedInfoParameter;
_kdfFactory = kdfFactory;
_kdfParameter = kdfParameter;
_keyConfirmationFactory = keyConfirmationFactory;
_keyConfirmationParameter = keyConfirmationParameter;
}
protected override BitString ComputeSharedSecret(ISecretKeyingMaterial otherPartyKeyingMaterial)
{
var domainParameters = (EccDomainParameters)ThisPartyKeyingMaterial.DomainParameters;
var staticSecret = _diffieHellman.GenerateSharedSecretZ(
domainParameters,
(EccKeyPair)ThisPartyKeyingMaterial.StaticKeyPair,
(EccKeyPair)otherPartyKeyingMaterial.StaticKeyPair
).SharedSecretZ;
var ephemeralSecret = _diffieHellman.GenerateSharedSecretZ(
domainParameters,
(EccKeyPair)ThisPartyKeyingMaterial.EphemeralKeyPair,
(EccKeyPair)otherPartyKeyingMaterial.EphemeralKeyPair
).SharedSecretZ;
// Shared secret is composed (Z_e || Z_s)
return(BitString.ConcatenateBits(ephemeralSecret, staticSecret));
}
protected override BitString GetEphemeralDataFromKeyContribution(ISecretKeyingMaterial secretKeyingMaterial)
{
if (secretKeyingMaterial.EphemeralKeyPair != null)
{
var ephemKey = (FfcKeyPair)secretKeyingMaterial.EphemeralKeyPair;
if (ephemKey.PublicKeyY != 0)
{
return(new BitString(ephemKey.PublicKeyY).PadToModulusMsb(32));
}
}
if (secretKeyingMaterial.EphemeralNonce != null && secretKeyingMaterial.EphemeralNonce?.BitLength != 0)
{
return(secretKeyingMaterial.EphemeralNonce);
}
return(secretKeyingMaterial.DkmNonce);
}
protected SchemeBaseEcc(
SchemeParameters schemeParameters,
ISecretKeyingMaterial thisPartyKeyingMaterial,
IFixedInfoFactory fixedInfoFactory,
FixedInfoParameter fixedInfoParameter,
IKdfFactory kdfFactory,
IKdfParameter kdfParameter,
IKeyConfirmationFactory keyConfirmationFactory,
MacParameters keyConfirmationParameter)
: base(
schemeParameters,
thisPartyKeyingMaterial,
fixedInfoFactory,
fixedInfoParameter,
kdfFactory,
kdfParameter,
keyConfirmationFactory,
keyConfirmationParameter)
{
}
/// <summary>
/// Generate the <see cref="IKeyConfirmationParameters"/> based on the two parties information.
/// </summary>
/// <param name="otherPartyKeyingMaterial">The other parties keying information.</param>
/// <param name="keyToTransport">The derived keying material.</param>
/// <returns></returns>
private IKeyConfirmationParameters GetKeyConfirmationParameters(ISecretKeyingMaterial otherPartyKeyingMaterial, BitString keyToTransport)
{
var thisPartyEphemData =
GetEphemeralDataFromKeyContribution(ThisPartyKeyingMaterial);
var otherPartyEphemData =
GetEphemeralDataFromKeyContribution(otherPartyKeyingMaterial);
return(new KeyConfirmationParameters(
SchemeParameters.KeyAgreementRole,
SchemeParameters.KeyConfirmationRole,
SchemeParameters.KeyConfirmationDirection,
_keyConfirmationParameter.MacType,
_keyConfirmationParameter.KeyLength,
_keyConfirmationParameter.MacLength,
ThisPartyKeyingMaterial.PartyId,
otherPartyKeyingMaterial.PartyId,
thisPartyEphemData,
otherPartyEphemData,
keyToTransport
));
}
public SchemeEccFullUnified(
SchemeParameters schemeParameters,
ISecretKeyingMaterial thisPartyKeyingMaterial,
IFixedInfoFactory fixedInfoFactory,
FixedInfoParameter fixedInfoParameter,
IKdfFactory kdfFactory,
IKdfParameter kdfParameter,
IKeyConfirmationFactory keyConfirmationFactory,
MacParameters keyConfirmationParameter,
IDiffieHellman <EccDomainParameters, EccKeyPair> diffieHellman)
: base(
schemeParameters,
thisPartyKeyingMaterial,
fixedInfoFactory,
fixedInfoParameter,
kdfFactory,
kdfParameter,
keyConfirmationFactory,
keyConfirmationParameter)
{
_diffieHellman = diffieHellman;
}
public SchemeEccFullMqv(
SchemeParameters schemeParameters,
ISecretKeyingMaterial thisPartyKeyingMaterial,
IFixedInfoFactory fixedInfoFactory,
FixedInfoParameter fixedInfoParameter,
IKdfFactory kdfFactory,
IKdfParameter kdfParameter,
IKeyConfirmationFactory keyConfirmationFactory,
MacParameters keyConfirmationParameter,
IMqv <EccDomainParameters, EccKeyPair> mqv)
: base(
schemeParameters,
thisPartyKeyingMaterial,
fixedInfoFactory,
fixedInfoParameter,
kdfFactory,
kdfParameter,
keyConfirmationFactory,
keyConfirmationParameter)
{
_mqv = mqv;
}
public SchemeFfcDhHybridOneFlow(
SchemeParameters schemeParameters,
ISecretKeyingMaterial thisPartyKeyingMaterial,
IFixedInfoFactory fixedInfoFactory,
FixedInfoParameter fixedInfoParameter,
IKdfFactory kdfFactory,
IKdfParameter kdfParameter,
IKeyConfirmationFactory keyConfirmationFactory,
MacParameters keyConfirmationParameter,
IDiffieHellman <FfcDomainParameters, FfcKeyPair> diffieHellman)
: base(
schemeParameters,
thisPartyKeyingMaterial,
fixedInfoFactory,
fixedInfoParameter,
kdfFactory,
kdfParameter,
keyConfirmationFactory,
keyConfirmationParameter)
{
_diffieHellman = diffieHellman;
}
public ISchemeBuilder WithThisPartyKeyingMaterial(ISecretKeyingMaterial value)
{
_thisPartyKeyingMaterial = value;
return(this);
}
/// <summary>
/// Construct the Result for KAS without a KDF or KeyConfirmation (component test).
/// In this instance the hash of Z is performed to accommodate implementations unable
/// to return Z in the clear
/// </summary>
/// <param name="secretKeyingMaterialPartyU">The secret keying material for party U.</param>
/// <param name="secretKeyingMaterialPartyV">The secret keying material for party V.</param>
/// <param name="z">The shared secret.</param>
/// <param name="hashZ">The hash of the shared secret.</param>
public KeyAgreementResult(ISecretKeyingMaterial secretKeyingMaterialPartyU,
ISecretKeyingMaterial secretKeyingMaterialPartyV,
BitString z, BitString hashZ) : this(secretKeyingMaterialPartyU, secretKeyingMaterialPartyV, z)
{
HashZ = hashZ;
}
/// <summary>
/// Derives a key using a KDF in conjunction with a shared secret Z, and <see cref="ISecretKeyingMaterial"/> from two parties.
/// </summary>
/// <param name="otherPartyKeyingMaterial">The other party keying material.</param>
/// <param name="z">The shared secret.</param>
/// <param name="fixedInfo">The constructed fixed information from ephemeral data provided by each party.</param>
/// <returns>The derived keying material.</returns>
private BitString DeriveKey(ISecretKeyingMaterial otherPartyKeyingMaterial, BitString z, BitString fixedInfo)
{
SetKdfEphemeralData(_kdfParameter, otherPartyKeyingMaterial, z);
return(_kdfFactory.GetKdf().DeriveKey(_kdfParameter, fixedInfo).DerivedKey);
}
/// <summary>
/// Get the <see cref="PartyFixedInfo"/> as it pertains to the provided <see cref="ISecretKeyingMaterial"/>
/// for the specified <see cref="KeyAgreementRole"/>.
/// </summary>
/// <param name="secretKeyingMaterial">The secret keying material for the party.</param>
/// <param name="keyAgreementRole">The parties key agreement role.</param>
/// <returns></returns>
private PartyFixedInfo GetPartyFixedInfo(ISecretKeyingMaterial secretKeyingMaterial)
{
return(new PartyFixedInfo(secretKeyingMaterial.PartyId, GetEphemeralDataFromKeyContribution(secretKeyingMaterial)));
}
/// <summary> /// The ephemeral data provided by a party's secret keying material to be used as a part of fixedInfo construction. /// </summary> /// <param name="secretKeyingMaterial">a party's secret keying material</param> /// <returns>The ephemeral data for a party's contribution to fixedInfo.</returns> protected abstract BitString GetEphemeralDataFromKeyContribution(ISecretKeyingMaterial secretKeyingMaterial);
public KeyAgreementResult ComputeResult(ISecretKeyingMaterial otherPartyKeyingMaterial)
{
return(Scheme.ComputeResult(otherPartyKeyingMaterial));
}
/// <summary> /// Computes a shared secret Z using secret keying material from two parties. /// </summary> /// <param name="otherPartyKeyingMaterial">The other party secret keying material.</param> /// <returns>Shared secret Z.</returns> protected abstract BitString ComputeSharedSecret(ISecretKeyingMaterial otherPartyKeyingMaterial);
