/// <summary> /// Decrypts the key and HMAC concatenation (<see cref="OmemoMessage.cipherText"/>) with the given <paramref name="mk"/> and returns the result. /// </summary> /// <param name="mk">The message key that should be used for decryption.</param> /// <param name="msg">The <see cref="OmemoMessage"/> containing the key and HMAC concatenation (<see cref="OmemoMessage.cipherText"/>).</param> /// <param name="msgHmac">The HMAC of the <paramref name="msg"/>.</param> /// <param name="assData">Encode(IK_A) || Encode(IK_B) => Concatenation of Alices and Bobs public part of their identity key.</param> /// <returns>key || HMAC</returns> private byte[] DecryptKeyHmacForDevice(byte[] mk, OmemoMessage msg, byte[] msgHmac, byte[] assData) { // 32 byte (256 bit) of salt. Initialized with 0s. byte[] hkdfOutput = CryptoUtils.HkdfSha256(mk, new byte[32], "OMEMO Message Key Material", 80); CryptoUtils.SplitKey(hkdfOutput, out byte[] encKey, out byte[] authKey, out byte[] iv); byte[] hmacInput = CryptoUtils.Concat(assData, msg.ToByteArray()); byte[] hmacResult = CryptoUtils.HmacSha256(authKey, hmacInput); byte[] hmacTruncated = CryptoUtils.Truncate(hmacResult, 16); // Debug trace output: Logger.Trace("[" + nameof(DecryptKeyHmacForDevice) + "] " + nameof(mk) + ": " + CryptoUtils.ToHexString(mk)); Logger.Trace("[" + nameof(DecryptKeyHmacForDevice) + "] " + nameof(msgHmac) + ": " + CryptoUtils.ToHexString(msgHmac)); Logger.Trace("[" + nameof(DecryptKeyHmacForDevice) + "] " + nameof(assData) + ": " + CryptoUtils.ToHexString(assData)); Logger.Trace("[" + nameof(DecryptKeyHmacForDevice) + "] " + nameof(hkdfOutput) + ": " + CryptoUtils.ToHexString(hkdfOutput)); Logger.Trace("[" + nameof(DecryptKeyHmacForDevice) + "] " + nameof(encKey) + ": " + CryptoUtils.ToHexString(encKey)); Logger.Trace("[" + nameof(DecryptKeyHmacForDevice) + "] " + nameof(authKey) + ": " + CryptoUtils.ToHexString(authKey)); Logger.Trace("[" + nameof(DecryptKeyHmacForDevice) + "] " + nameof(iv) + ": " + CryptoUtils.ToHexString(iv)); Logger.Trace("[" + nameof(DecryptKeyHmacForDevice) + "] " + nameof(hmacInput) + ": " + CryptoUtils.ToHexString(hmacInput)); Logger.Trace("[" + nameof(DecryptKeyHmacForDevice) + "] " + nameof(hmacResult) + ": " + CryptoUtils.ToHexString(hmacResult)); Logger.Trace("[" + nameof(DecryptKeyHmacForDevice) + "] " + nameof(hmacTruncated) + ": " + CryptoUtils.ToHexString(hmacTruncated)); if (!hmacTruncated.SequenceEqual(msgHmac)) { throw new OmemoException("Failed to decrypt. HMAC of OmemoMessage does not match."); } return(CryptoUtils.Aes256CbcDecrypt(encKey, iv, msg.cipherText)); }
//--------------------------------------------------------Set-, Get- Methods:---------------------------------------------------------\\ #region --Set-, Get- Methods-- #endregion //--------------------------------------------------------Misc Methods:---------------------------------------------------------------\\ #region --Misc Methods (Public)-- /// <summary> /// Encrypts the given plaintext message and returns the result. /// </summary> /// <param name="msg">The plain text message to encrypt.</param> /// <returns>A tuple consisting out of the cipher text and key-HMAC combination (Tuple[cipherText, keyHmac]).</returns> public Tuple <byte[], byte[]> EncryptMessasge(byte[] msg) { byte[] key = KeyHelper.GenerateSymetricKey(); // 32 byte (256 bit) of salt. Initialized with 0s. byte[] hkdfOutput = CryptoUtils.HkdfSha256(key, new byte[32], "OMEMO Payload", 80); CryptoUtils.SplitKey(hkdfOutput, out byte[] encKey, out byte[] authKey, out byte[] iv); byte[] cipherText = CryptoUtils.Aes256CbcEncrypt(encKey, iv, msg); byte[] hmac = CryptoUtils.HmacSha256(authKey, cipherText); hmac = CryptoUtils.Truncate(hmac, 16); byte[] keyHmac = CryptoUtils.Concat(key, hmac); return(new Tuple <byte[], byte[]>(cipherText, keyHmac)); }
/// <summary> /// Encrypts the given key and HMAC concatenation and returns the result. /// </summary> /// <param name="keyHmac">The key, HMAC concatenation result.</param> /// <param name="session">The <see cref="OmemoSessionModel"/> between the sender and receiver.</param> /// <param name="assData">Encode(IK_A) || Encode(IK_B) => Concatenation of Alices and Bobs public part of their identity key.</param> private OmemoAuthenticatedMessage EncryptKeyHmacForDevices(byte[] keyHmac, OmemoSessionModel session, byte[] assData) { byte[] mk = LibSignalUtils.KDF_CK(session.ckS, 0x01); session.ckS = LibSignalUtils.KDF_CK(session.ckS, 0x02); OmemoMessage omemoMessage = new OmemoMessage(session); ++session.nS; // 32 byte (256 bit) of salt. Initialized with 0s. byte[] hkdfOutput = CryptoUtils.HkdfSha256(mk, new byte[32], "OMEMO Message Key Material", 80); CryptoUtils.SplitKey(hkdfOutput, out byte[] encKey, out byte[] authKey, out byte[] iv); omemoMessage.cipherText = CryptoUtils.Aes256CbcEncrypt(encKey, iv, keyHmac); byte[] omemoMessageBytes = omemoMessage.ToByteArray(); byte[] hmacInput = CryptoUtils.Concat(assData, omemoMessageBytes); byte[] hmacResult = CryptoUtils.HmacSha256(authKey, hmacInput); byte[] hmacTruncated = CryptoUtils.Truncate(hmacResult, 16); return(new OmemoAuthenticatedMessage(hmacTruncated, omemoMessageBytes)); }
/// <summary> /// Tries to decrypt the given <paramref name="cipherContent"/>. /// </summary> /// <param name="authMsg">The <see cref="OmemoAuthenticatedMessage"/> that should be used for decrypting the <paramref name="cipherContent"/>.</param> /// <param name="session">The <see cref="OmemoSessionModel"/> that should be used for decryption.</param> /// <param name="cipherContent">The cipher text that should be decrypted.</param> /// <returns>On success the plain text for the given <paramref name="cipherContent"/>.</returns> public byte[] DecryptMessage(OmemoAuthenticatedMessage authMsg, OmemoSessionModel session, byte[] cipherContent) { byte[] keyHmac = DecryptKeyHmacForDevice(authMsg, session); byte[] key = new byte[32]; Buffer.BlockCopy(keyHmac, 0, key, 0, key.Length); byte[] hmacRef = new byte[16]; Buffer.BlockCopy(keyHmac, key.Length, hmacRef, 0, hmacRef.Length); // 32 byte (256 bit) of salt. Initialized with 0s. byte[] hkdfOutput = CryptoUtils.HkdfSha256(key, new byte[32], "OMEMO Payload", 80); CryptoUtils.SplitKey(hkdfOutput, out byte[] encKey, out byte[] authKey, out byte[] iv); byte[] hmac = CryptoUtils.HmacSha256(authKey, cipherContent); hmac = CryptoUtils.Truncate(hmac, 16); if (!hmacRef.SequenceEqual(hmac)) { throw new OmemoException("Failed to decrypt. HMAC does not match."); } return(CryptoUtils.Aes256CbcDecrypt(encKey, iv, cipherContent)); }
/// <summary> /// Encrypts the given key and HMAC concatenation and returns the result. /// </summary> /// <param name="keyHmac">The key, HMAC concatenation result.</param> /// <param name="session">The <see cref="OmemoSessionModel"/> between the sender and receiver.</param> /// <param name="assData">Encode(IK_A) || Encode(IK_B) => Concatenation of Alices and Bobs public part of their identity key.</param> private OmemoAuthenticatedMessage EncryptKeyHmacForDevices(byte[] keyHmac, OmemoSessionModel session, byte[] assData) { byte[] mk = LibSignalUtils.KDF_CK(session.ckS, 0x01); Logger.Trace("[" + nameof(EncryptKeyHmacForDevices) + "] " + nameof(session.ckS) + ": " + CryptoUtils.ToHexString(session.ckS)); session.ckS = LibSignalUtils.KDF_CK(session.ckS, 0x02); OmemoMessage omemoMessage = new OmemoMessage(session); ++session.nS; // 32 byte (256 bit) of salt. Initialized with 0s. byte[] hkdfOutput = CryptoUtils.HkdfSha256(mk, new byte[32], "OMEMO Message Key Material", 80); CryptoUtils.SplitKey(hkdfOutput, out byte[] encKey, out byte[] authKey, out byte[] iv); omemoMessage.cipherText = CryptoUtils.Aes256CbcEncrypt(encKey, iv, keyHmac); byte[] omemoMessageBytes = omemoMessage.ToByteArray(); byte[] hmacInput = CryptoUtils.Concat(assData, omemoMessageBytes); byte[] hmacResult = CryptoUtils.HmacSha256(authKey, hmacInput); byte[] hmacTruncated = CryptoUtils.Truncate(hmacResult, 16); // Update the session state: if (session.state == SessionState.RECEIVED) { session.state = SessionState.READY; } // Debug trace output: Logger.Trace("[" + nameof(EncryptKeyHmacForDevices) + "] " + nameof(mk) + ": " + CryptoUtils.ToHexString(mk)); Logger.Trace("[" + nameof(EncryptKeyHmacForDevices) + "] " + nameof(assData) + ": " + CryptoUtils.ToHexString(assData)); Logger.Trace("[" + nameof(EncryptKeyHmacForDevices) + "] " + nameof(hkdfOutput) + ": " + CryptoUtils.ToHexString(hkdfOutput)); Logger.Trace("[" + nameof(EncryptKeyHmacForDevices) + "] " + nameof(encKey) + ": " + CryptoUtils.ToHexString(encKey)); Logger.Trace("[" + nameof(EncryptKeyHmacForDevices) + "] " + nameof(authKey) + ": " + CryptoUtils.ToHexString(authKey)); Logger.Trace("[" + nameof(EncryptKeyHmacForDevices) + "] " + nameof(iv) + ": " + CryptoUtils.ToHexString(iv)); Logger.Trace("[" + nameof(EncryptKeyHmacForDevices) + "] " + nameof(hmacInput) + ": " + CryptoUtils.ToHexString(hmacInput)); Logger.Trace("[" + nameof(EncryptKeyHmacForDevices) + "] " + nameof(hmacResult) + ": " + CryptoUtils.ToHexString(hmacResult)); Logger.Trace("[" + nameof(EncryptKeyHmacForDevices) + "] " + nameof(hmacTruncated) + ": " + CryptoUtils.ToHexString(hmacTruncated)); Logger.Trace("[" + nameof(EncryptKeyHmacForDevices) + "] " + nameof(session.state) + ": " + session.state); return(new OmemoAuthenticatedMessage(hmacTruncated, omemoMessageBytes)); }