private byte[] SendInitializationRequest(State state) { // message format: // nonce(16), pubkey(32), ecdh(32), padding(...), signature(64), mac(12) if (!(state is ClientState clientState)) { throw new InvalidOperationException("Only the client can send init request."); } // 16 bytes nonce clientState.InitializationNonce = RandomNumberGenerator.Generate(InitializationNonceSize); // get the public key var pubkey = Signature.GetPublicKey(); // generate new ECDH keypair for init message and root key IKeyAgreement clientEcdh = KeyAgreementFactory.GenerateNew(); clientState.LocalEcdhForInit = clientEcdh; // nonce(16), <pubkey(32), ecdh(32), signature(64)>, mac(12) var initializationMessageSize = InitializationNonceSize + EcNumSize * 4 + MacSize; var messageSize = Math.Max(Configuration.MinimumMessageSize, initializationMessageSize); var initializationMessageSizeWithSignature = messageSize - MacSize; var initializationMessageSizeWithoutSignature = messageSize - MacSize - SignatureSize; var signatureOffset = messageSize - MacSize - SignatureSize; var message = new byte[messageSize]; Array.Copy(clientState.InitializationNonce, 0, message, 0, InitializationNonceSize); Array.Copy(pubkey, 0, message, InitializationNonceSize, EcNumSize); Array.Copy(clientEcdh.GetPublicKey(), 0, message, InitializationNonceSize + EcNumSize, EcNumSize); // sign the message var digest = Digest.ComputeDigest(message, 0, initializationMessageSizeWithoutSignature); Array.Copy(Signature.Sign(digest), 0, message, signatureOffset, SignatureSize); // encrypt the message with the application key var cipher = new AesCtrMode(AesFactory.GetAes(true, Configuration.ApplicationKey), clientState.InitializationNonce); var encryptedPayload = cipher.Process(message, InitializationNonceSize, initializationMessageSizeWithSignature - InitializationNonceSize); Array.Copy(encryptedPayload, 0, message, InitializationNonceSize, initializationMessageSizeWithSignature - InitializationNonceSize); // calculate mac var Mac = new Poly(AesFactory); Mac.Init(Configuration.ApplicationKey, clientState.InitializationNonce, MacSize); Mac.Process(message, 0, initializationMessageSizeWithSignature); var mac = Mac.Compute(); Array.Copy(mac, 0, message, initializationMessageSizeWithSignature, MacSize); return(message); }
public void Encrypt_L256_WithSalt_Test() { var key = AesFactory.GenerateKey(AesTypes.Aes256); var function = AesFactory.Create(AesTypes.Aes256, key); var cryptoVal0 = function.Encrypt("实现中华民族伟大复兴的中国梦", "12345678"); var cryptoVal1 = function.Decrypt(cryptoVal0.CipherData, "12345678"); cryptoVal1.GetOriginalDataDescriptor().GetString().ShouldBe("实现中华民族伟大复兴的中国梦"); var cryptoVal2 = function.Decrypt(BaseConv.ToBase64(cryptoVal0.CipherData), "12345678", CipherTextTypes.Base64Text); cryptoVal2.GetOriginalDataDescriptor().GetString().ShouldBe("实现中华民族伟大复兴的中国梦"); }
public static void Aes_0_Encrypt_WithInput_WithPassword() { var aesFactory = AesFactory.GetInstance(); Assert.NotNull(aesFactory); var aes = aesFactory.Get(); Assert.NotNull(aes); const string plain = "data"; const string password = "******"; var inputInBytes = Encoding.UTF8.GetBytes(plain); var outputInBytes = aes.Encrypt(inputInBytes, password); Assert.NotNull(outputInBytes); }
//non-standard public override byte[] EncryptValue(byte[] pBuff) { IBlockCipher ibc = AesFactory.GetAes(true); StreamCtx _aes = null; if (mode == CipherMode.CBC) { _aes = StreamCipher.MakeStreamCtx(ibc, key, iv, StreamCipher.Mode.CBC); } else { _aes = StreamCipher.MakeStreamCtx(ibc, key, iv, StreamCipher.Mode.ECB); } byte[] cBuff = StreamCipher.Encode(_aes, pBuff, StreamCipher.ENCRYPT); return(cBuff); }
public void Aes_0_Encrypt_WithEmptyInput_WithPassword() { var aesFactory = AesFactory.GetInstance(); Assert.NotNull(aesFactory); var aes = aesFactory.Get(); Assert.NotNull(aes); const string plain = ""; const string password = "******"; var inputInBytes = Encoding.UTF8.GetBytes(plain); var outputInBytes = aes.Encrypt(inputInBytes, password); Assert.NotNull(outputInBytes); var outputInHex = Util.Convert.ToHexString(outputInBytes); _output.WriteLine("outputInHex: " + outputInHex); }
public static void Aes_1_Decrypt_WithPassword() { var aesFactory = AesFactory.GetInstance(); Assert.NotNull(aesFactory); var aesEncryptor = aesFactory.Get(); Assert.NotNull(aesEncryptor); const string plain = "test data"; const string password = "******"; var plainInBytes = Encoding.UTF8.GetBytes(plain); var encryptedInBytes = aesEncryptor.Encrypt(plainInBytes, password); Assert.NotNull(encryptedInBytes); var aesDecryptor = aesFactory.Get(); Assert.NotEqual(aesDecryptor, aesEncryptor); var decryptedInBytes = aesDecryptor.Decrypt(encryptedInBytes, password); var decrypted = Encoding.UTF8.GetString(decryptedInBytes); Assert.Equal(plain, decrypted); }
static void Main(string[] args) { string unencrypted = "This is an unencrypted text, to be encrypted by AES"; Environment.SetEnvironmentVariable(AesSettings.AesSettingsEnvPath, "Configs\\AesSettings.json"); IAesFactory aesFactory = new AesFactory(); // ECB encryption IEncryptorFactory factory = aesFactory.CreateFactory(EncryptModeEnum.ECB); Encrypt("UnencryptedFile.txt", "EncryptedFile.txt", factory); // ECB decryption Decrypt("EncryptedFile.txt", "DecryptedFile.txt", factory); var decrypted = factory.Decrypt(factory.Encrypt(unencrypted)); if (!unencrypted.Equals(decrypted)) { throw new Exception("Encrypt and Decrypt not succeeded"); } // CBC encryption factory = aesFactory.CreateFactory(EncryptModeEnum.CBC); Encrypt("UnencryptedFile.txt", "EncryptedCBCFile.txt", factory); // CBC decryption Decrypt("EncryptedCBCFile.txt", "DecryptedCBCFile.txt", factory); decrypted = factory.Decrypt(factory.Encrypt(unencrypted)); if (!unencrypted.Equals(decrypted)) { throw new Exception("Encrypt and Decrypt not succeeded"); } // CTR encryption factory = aesFactory.CreateFactory(EncryptModeEnum.CTR); Encrypt("UnencryptedFile.txt", "EncryptedCTRFile.txt", factory); // CTR decryption Decrypt("EncryptedCTRFile.txt", "DecryptedCTRFile.txt", factory); decrypted = factory.Decrypt(factory.Encrypt(unencrypted)); if (!unencrypted.Equals(decrypted)) { throw new Exception("Encrypt and Decrypt not succeeded"); } // GCM encryption string ad = "ThisIsMyAuthenticatedDataWhatEverIWantAndHowLongIWant"; byte[] aad = KeyHelper.GetKey(ad, ad.Length); factory = aesFactory.CreateFactory(EncryptModeEnum.GCM, aad); Encrypt("UnencryptedFile.txt", "EncryptedGCMFile.txt", factory); // GCM decryption Decrypt("EncryptedGCMFile.txt", "DecryptedGCMFile.txt", factory); // Cannot use the following way in a networking environment // When I encrypt I save the generated Tag in the factory // The decryption process then uses this Tag to authenticate the decryption decrypted = factory.Decrypt(factory.Encrypt(unencrypted)); if (!unencrypted.Equals(decrypted)) { throw new Exception("Encrypt and Decrypt not succeeded"); } // Networking example GcmEncryptorFactory gcmFactory = factory as GcmEncryptorFactory; string gcmEncrypted = factory.Encrypt(unencrypted); string gcmTag = gcmFactory.Tag; GcmEncryptorFactory remoteGcmFactory = aesFactory.CreateFactory(EncryptModeEnum.GCM, aad) as GcmEncryptorFactory; remoteGcmFactory.Tag = gcmTag; decrypted = remoteGcmFactory.Decrypt(gcmEncrypted); if (!unencrypted.Equals(decrypted)) { throw new Exception("Encrypt and Decrypt not succeeded"); } }
public static void Default_0_GetInstance() { var aesFactory = AesFactory.GetInstance(); Assert.NotNull(aesFactory); }
private byte[] DeconstructMessage(State state, byte[] payload, byte[] headerKey, EcdhRatchetStep ratchetUsed, bool usedNextHeaderKey) { if (state == null) { throw new ArgumentNullException(nameof(state)); } if (payload == null) { throw new ArgumentNullException(nameof(payload)); } if (headerKey == null) { throw new ArgumentNullException(nameof(headerKey)); } var messageSize = payload.Length; var encryptedNonce = new ArraySegment <byte>(payload, 0, NonceSize); // decrypt the nonce var headerEncryptionNonce = new ArraySegment <byte>(payload, payload.Length - MacSize - HeaderIVSize, HeaderIVSize); var hcipher = new AesCtrMode(GetHeaderKeyCipher(headerKey), headerEncryptionNonce); var decryptedNonce = hcipher.Process(encryptedNonce); CheckNonce(headerEncryptionNonce); // get the ecdh bit var hasEcdh = (decryptedNonce[0] & 0b1000_0000) != 0; decryptedNonce[0] &= 0b0111_1111; // extract ecdh if needed var step = BigEndianBitConverter.ToInt32(decryptedNonce); if (hasEcdh) { var clientEcdhPublic = new ArraySegment <byte>(hcipher.Process(new ArraySegment <byte>(payload, NonceSize, EcNumSize))); if (ratchetUsed == null) { // an override header key was used. // this means we have to initialize the ratchet if (!(state is ServerState serverState)) { throw new InvalidOperationException("Only the server can initialize a ratchet."); } ratchetUsed = EcdhRatchetStep.InitializeServer(KeyDerivation, Digest, serverState.LocalEcdhRatchetStep0, serverState.RootKey, clientEcdhPublic, serverState.LocalEcdhRatchetStep1, serverState.FirstReceiveHeaderKey, serverState.FirstSendHeaderKey); serverState.Ratchets.Add(ratchetUsed); } else { if (usedNextHeaderKey) { // perform ecdh ratchet IKeyAgreement newEcdh = KeyAgreementFactory.GenerateNew(); // this is the hottest line in the deconstruct process: EcdhRatchetStep newRatchet = ratchetUsed.Ratchet(KeyDerivation, Digest, clientEcdhPublic, newEcdh); state.Ratchets.Add(newRatchet); ratchetUsed = newRatchet; } } } // get the inner payload key from the receive chain if (ratchetUsed == null) { throw new InvalidOperationException("An override header key was used but the message did not contain ECDH parameters"); } (var key, var _) = ratchetUsed.ReceivingChain.RatchetForReceiving(KeyDerivation, step); CheckNonce(key); // get the encrypted payload var payloadOffset = hasEcdh ? NonceSize + EcNumSize : NonceSize; var encryptedPayload = new ArraySegment <byte>(payload, payloadOffset, messageSize - payloadOffset - MacSize); // decrypt the inner payload var icipher = new AesCtrMode(AesFactory.GetAes(true, key), decryptedNonce); var decryptedInnerPayload = icipher.Process(encryptedPayload); return(decryptedInnerPayload); }
private byte[] ConstructMessage(ArraySegment <byte> message, bool includeEcdh, EcdhRatchetStep step) { if (message == null) { throw new ArgumentNullException(nameof(message)); } // message format: // <nonce (4)>, <payload, padding>, mac(12) // <nonce (4), ecdh (32)>, <payload, padding>, mac(12) // get the payload key and nonce (var payloadKey, var messageNumber) = step.SendingChain.RatchetForSending(KeyDerivation); var nonce = BigEndianBitConverter.GetBytes(messageNumber); // make sure the first bit is not set as we use that bit to indicate // the presence of new ECDH parameters if ((nonce[0] & 0b1000_0000) != 0) { throw new InvalidOperationException($"The message number is too big. Cannot encrypt more than {((uint)1 << 31) - 1} messages without exchanging keys"); } // calculate some sizes var headerSize = NonceSize + (includeEcdh ? EcNumSize : 0); var overhead = headerSize + MacSize; var messageSize = message.Count; var maxMessageSize = Configuration.MaximumMessageSize - overhead; var minPayloadSize = Configuration.MinimumMessageSize - overhead; // build the payload: <payload, padding> ArraySegment <byte> payload; if (messageSize < minPayloadSize) { payload = new ArraySegment <byte>(new byte[minPayloadSize]); Array.Copy(message.Array, message.Offset, payload.Array, 0, message.Count); } else if (messageSize > maxMessageSize) { throw new InvalidOperationException("The message doesn't fit inside the MTU"); } else { payload = message; } // encrypt the payload var icipher = new AesCtrMode(AesFactory.GetAes(true, payloadKey), nonce); var encryptedPayload = icipher.Process(payload); // build the header: <nonce(4), ecdh(32)?> var header = new byte[headerSize]; Array.Copy(nonce, header, NonceSize); if (includeEcdh) { var ratchetPublicKey = step.GetPublicKey(); Array.Copy(ratchetPublicKey, 0, header, nonce.Length, ratchetPublicKey.Length); // set the has ecdh bit header[0] |= 0b1000_0000; } else { // clear the has ecdh bit header[0] &= 0b0111_1111; } // encrypt the header using the header key and using the // last 16 bytes of the message as the nonce. var headerEncryptionNonce = new ArraySegment <byte>(encryptedPayload, encryptedPayload.Length - HeaderIVSize, HeaderIVSize); var hcipher = new AesCtrMode(GetHeaderKeyCipher(step.SendHeaderKey), headerEncryptionNonce); var encryptedHeader = hcipher.Process(header); // mac the message: <header>, <payload>, mac(12) // the mac uses the header encryption derived key (all 32 bytes) var Mac = new Poly(AesFactory); var maciv = new byte[16]; var epl = encryptedPayload.Length; var ehl = encryptedHeader.Length; if (ehl < maciv.Length) { Array.Copy(encryptedHeader, maciv, ehl); Array.Copy(encryptedPayload, 0, maciv, ehl, 16 - ehl); } else { Array.Copy(encryptedHeader, maciv, maciv.Length); } Mac.Init(step.SendHeaderKey, maciv, MacSize); Mac.Process(encryptedHeader); Mac.Process(encryptedPayload); var mac = Mac.Compute(); // construct the resulting message var result = new byte[ehl + epl + mac.Length]; Array.Copy(encryptedHeader, 0, result, 0, ehl); Array.Copy(encryptedPayload, 0, result, ehl, epl); Array.Copy(mac, 0, result, ehl + epl, mac.Length); return(result); }
private void ReceiveInitializationResponse(State state, byte[] data) { if (!(state is ClientState clientState)) { throw new InvalidOperationException("Only the client can receive an init response."); } var messageSize = data.Length; var macOffset = messageSize - MacSize; var headerIvOffset = macOffset - HeaderIVSize; var headerSize = InitializationNonceSize + EcNumSize; var payloadSize = messageSize - headerSize - MacSize; // decrypt header var cipher = new AesCtrMode(AesFactory.GetAes(true, Configuration.ApplicationKey), data, headerIvOffset, HeaderIVSize); var decryptedHeader = cipher.Process(data, 0, headerSize); Array.Copy(decryptedHeader, 0, data, 0, headerSize); // new nonce(16), ecdh pubkey(32), <nonce(16), server pubkey(32), // new ecdh pubkey(32) x2, signature(64)>, mac(12) var nonce = new ArraySegment <byte>(data, 0, InitializationNonceSize); var rootEcdhKey = new ArraySegment <byte>(data, InitializationNonceSize, EcNumSize); var encryptedPayload = new ArraySegment <byte>(data, headerSize, payloadSize); CheckNonce(nonce); // decrypt payload IKeyAgreement rootEcdh = clientState.LocalEcdhForInit; var rootPreKey = rootEcdh.DeriveKey(rootEcdhKey); rootPreKey = Digest.ComputeDigest(rootPreKey); cipher = new AesCtrMode(AesFactory.GetAes(true, rootPreKey), nonce); var decryptedPayload = cipher.Process(encryptedPayload); Array.Copy(decryptedPayload, 0, data, headerSize, payloadSize); // extract some goodies var oldNonce = new ArraySegment <byte>(data, headerSize, InitializationNonceSize); var serverPubKey = new ArraySegment <byte>(data, headerSize + InitializationNonceSize, EcNumSize); var remoteRatchetEcdh0 = new ArraySegment <byte>(data, headerSize + InitializationNonceSize + EcNumSize, EcNumSize); var remoteRatchetEcdh1 = new ArraySegment <byte>(data, headerSize + InitializationNonceSize + EcNumSize * 2, EcNumSize); // make sure the nonce sent back by the server (which is encrypted and signed) // matches the nonce we sent previously if (!oldNonce.Matches(clientState.InitializationNonce)) { throw new InvalidOperationException("Nonce did not match"); } // verify that the signature matches IVerifier verifier = VerifierFactory.Create(serverPubKey); if (!verifier.VerifySignedMessage(Digest, new ArraySegment <byte>(data, 0, payloadSize + headerSize))) { throw new InvalidOperationException("The signature was invalid"); } // keep the server public key around clientState.ServerPublicKey = serverPubKey.ToArray(); // store the new nonce we got from the server clientState.InitializationNonce = nonce.ToArray(); Log.Verbose($"storing iniitlizaionta nonce: {Log.ShowBytes(nonce)}"); // we now have enough information to construct our double ratchet IKeyAgreement localStep0EcdhRatchet = KeyAgreementFactory.GenerateNew(); IKeyAgreement localStep1EcdhRatchet = KeyAgreementFactory.GenerateNew(); // initialize client root key and ecdh ratchet var genKeys = KeyDerivation.GenerateKeys(rootPreKey, clientState.InitializationNonce, 3, 32); var rootKey = genKeys[0]; var receiveHeaderKey = genKeys[1]; var sendHeaderKey = genKeys[2]; clientState.Ratchets.Add(EcdhRatchetStep.InitializeClient(KeyDerivation, Digest, rootKey, remoteRatchetEcdh0, remoteRatchetEcdh1, localStep0EcdhRatchet, receiveHeaderKey, sendHeaderKey, localStep1EcdhRatchet)); clientState.LocalEcdhForInit = null; }
private byte[] SendInitializationResponse(State state, ArraySegment <byte> initializationNonce, ArraySegment <byte> remoteEcdhForInit) { // message format: // new nonce(16), ecdh pubkey(32), // <nonce from init request(16), server pubkey(32), // new ecdh pubkey(32) x2, Padding(...), signature(64)>, mac(12) = 236 bytes if (!(state is ServerState serverState)) { throw new InvalidOperationException("Only the server can send init response."); } // generate a nonce and new ecdh parms var serverNonce = RandomNumberGenerator.Generate(InitializationNonceSize); serverState.NextInitializationNonce = serverNonce; IKeyAgreement rootPreEcdh = KeyAgreementFactory.GenerateNew(); var rootPreEcdhPubkey = rootPreEcdh.GetPublicKey(); // generate server ECDH for root key and root key var rootPreKey = rootPreEcdh.DeriveKey(remoteEcdhForInit); rootPreKey = Digest.ComputeDigest(rootPreKey); var genKeys = KeyDerivation.GenerateKeys(rootPreKey, serverNonce, 3, EcNumSize); serverState.RootKey = genKeys[0]; serverState.FirstSendHeaderKey = genKeys[1]; serverState.FirstReceiveHeaderKey = genKeys[2]; // generate two server ECDH. One for ratchet 0 sending key and one for the next // this is enough for the server to generate a receiving chain key and sending // chain key as soon as the client sends a sending chain key IKeyAgreement serverEcdhRatchet0 = KeyAgreementFactory.GenerateNew(); serverState.LocalEcdhRatchetStep0 = serverEcdhRatchet0; IKeyAgreement serverEcdhRatchet1 = KeyAgreementFactory.GenerateNew(); serverState.LocalEcdhRatchetStep1 = serverEcdhRatchet1; var minimumMessageSize = InitializationNonceSize * 2 + EcNumSize * 6 + MacSize; var entireMessageSize = Math.Max(Configuration.MinimumMessageSize, minimumMessageSize); var macOffset = entireMessageSize - MacSize; var entireMessageWithoutMacOrSignatureSize = macOffset - SignatureSize; var encryptedPayloadOffset = InitializationNonceSize + EcNumSize; var encryptedPayloadSize = macOffset - encryptedPayloadOffset; // construct the message var message = new byte[entireMessageSize]; Array.Copy(serverNonce, 0, message, 0, InitializationNonceSize); Array.Copy(rootPreEcdhPubkey, 0, message, InitializationNonceSize, EcNumSize); // construct the to-be-encrypted part var rre0 = serverEcdhRatchet0.GetPublicKey(); var rre1 = serverEcdhRatchet1.GetPublicKey(); Array.Copy(initializationNonce.Array, initializationNonce.Offset, message, encryptedPayloadOffset, InitializationNonceSize); Array.Copy(Signature.GetPublicKey(), 0, message, encryptedPayloadOffset + InitializationNonceSize, EcNumSize); Array.Copy(rre0, 0, message, encryptedPayloadOffset + InitializationNonceSize + EcNumSize, EcNumSize); Array.Copy(rre1, 0, message, encryptedPayloadOffset + InitializationNonceSize + EcNumSize * 2, EcNumSize); // sign the message var digest = Digest.ComputeDigest(message, 0, entireMessageWithoutMacOrSignatureSize); Array.Copy(Signature.Sign(digest), 0, message, entireMessageWithoutMacOrSignatureSize, SignatureSize); // encrypt the message var cipher = new AesCtrMode(AesFactory.GetAes(true, rootPreKey), serverNonce); var encryptedPayload = cipher.Process(message, encryptedPayloadOffset, encryptedPayloadSize); Array.Copy(encryptedPayload, 0, message, encryptedPayloadOffset, encryptedPayloadSize); // encrypt the header cipher = new AesCtrMode(AesFactory.GetAes(true, Configuration.ApplicationKey), encryptedPayload, encryptedPayloadSize - HeaderIVSize, HeaderIVSize); var encryptedHeader = cipher.Process(message, 0, encryptedPayloadOffset); Array.Copy(encryptedHeader, 0, message, 0, encryptedPayloadOffset); // calculate mac var Mac = new Poly(AesFactory); Mac.Init(Configuration.ApplicationKey, encryptedHeader, 0, InitializationNonceSize, MacSize); Mac.Process(message, 0, macOffset); var mac = Mac.Compute(); Array.Copy(mac, 0, message, macOffset, MacSize); return(message); }
private IAes GetHeaderKeyCipher(byte[] key) => AesFactory.GetAes(true, key);