protected override BitString GetEphemeralDataFromKeyContribution(ISecretKeyingMaterial secretKeyingMaterial)
{
if (secretKeyingMaterial.EphemeralKeyPair != null)
{
var domainParam = (EccDomainParameters)secretKeyingMaterial.DomainParameters;
var exactLength = CurveAttributesHelper.GetCurveAttribute(domainParam.CurveE.CurveName).DegreeOfPolynomial;;
var ephemKey = (EccKeyPair)secretKeyingMaterial.EphemeralKeyPair;
if (ephemKey.PublicQ.X != 0)
{
return(BitString.ConcatenateBits(
SharedSecretZHelper.FormatEccSharedSecretZ(ephemKey.PublicQ.X, exactLength),
SharedSecretZHelper.FormatEccSharedSecretZ(ephemKey.PublicQ.Y, exactLength)
));
}
}
if (secretKeyingMaterial.EphemeralNonce != null && secretKeyingMaterial.EphemeralNonce?.BitLength != 0)
{
return(secretKeyingMaterial.EphemeralNonce);
}
return(secretKeyingMaterial.DkmNonce);
}
/// <inheritdoc />
protected override BitString GetEphemeralKeyOrNonce(EccKeyPair ephemeralPublicKey, BitString ephemeralNonce, BitString dkmNonce)
{
if (ephemeralPublicKey?.PublicQ != null && ephemeralPublicKey.PublicQ?.X != 0)
{
var exactLength = CurveAttributesHelper.GetCurveAttribute(DomainParameters.CurveE.CurveName).DegreeOfPolynomial;
return(BitString.ConcatenateBits(
SharedSecretZHelper.FormatEccSharedSecretZ(ephemeralPublicKey.PublicQ.X, exactLength),
SharedSecretZHelper.FormatEccSharedSecretZ(ephemeralPublicKey.PublicQ.Y, exactLength)
));
}
if (ephemeralNonce != null && ephemeralNonce?.BitLength != 0)
{
return(ephemeralNonce);
}
return(dkmNonce);
}
protected override void GenerateKasKeyNonceInformation()
{
if (DomainParameters == null)
{
GenerateDomainParameters();
}
StaticKeyPair = Dsa.GenerateKeyPair(DomainParameters).KeyPair;
var curveAttributes = CurveAttributesHelper.GetCurveAttribute(DomainParameters.CurveE.CurveName);
// DKM Nonce required when party U and KdfNoKc/KdfKc
if (SchemeParameters.KeyAgreementRole == KeyAgreementRole.InitiatorPartyU &&
SchemeParameters.KasMode != KasMode.NoKdfNoKc)
{
DkmNonce = EntropyProvider.GetEntropy(curveAttributes.DegreeOfPolynomial.ValueToMod(BitString.BITSINBYTE));
}
// When party V, KC, Bilateral, generate ephemeral nonce
// When party V, KC, Unilateral, and the recipient of key confirmation, ephemeral nonce
// Otherwise, no ephemeral nonce.
if (SchemeParameters.KeyAgreementRole == KeyAgreementRole.ResponderPartyV &&
SchemeParameters.KasMode == KasMode.KdfKc)
{
if (SchemeParameters.KeyConfirmationDirection == KeyConfirmationDirection.Bilateral ||
(
SchemeParameters.KeyConfirmationDirection == KeyConfirmationDirection.Unilateral &&
SchemeParameters.KeyConfirmationRole == KeyConfirmationRole.Recipient
)
)
{
EphemeralNonce = EntropyProvider.GetEntropy(curveAttributes.DegreeOfPolynomial.ValueToMod(BitString.BITSINBYTE));
}
}
// when party U and KdfNoKc, a NoKeyConfirmationNonce is needed.
if (SchemeParameters.KeyAgreementRole == KeyAgreementRole.InitiatorPartyU &&
SchemeParameters.KasMode == KasMode.KdfNoKc)
{
NoKeyConfirmationNonce = EntropyProvider.GetEntropy(128);
}
}
public SharedSecretResponse GenerateSharedSecretZ(
EccDomainParameters domainParameters,
EccKeyPair dA,
EccKeyPair qB
)
{
var p = domainParameters.CurveE.Multiply(qB.PublicQ, dA.PrivateD);
p = domainParameters.CurveE.Multiply(p, domainParameters.CurveE.CofactorH);
if (p.Infinity)
{
return(new SharedSecretResponse("Point is infinity"));
}
var curveAttributes = CurveAttributesHelper.GetCurveAttribute(domainParameters.CurveE.CurveName);
BitString z = SharedSecretZHelper.FormatEccSharedSecretZ(p.X, curveAttributes.DegreeOfPolynomial);
return(new SharedSecretResponse(z));
}
