/// <summary> /// Open a properly configured <see cref="HMAC"/> conforming to the scheme /// identified by <paramref name="aeMac"/>. /// </summary> /// <param name="aeMac">The message authentication mode to open.</param> /// <param name="keyMac">The key data.</param> /// <returns> /// An HMAC object with the proper key, or <c>null</c> on unknown algorithms. /// </returns> private static HMAC GetMac(AeMac aeMac, byte[] keyMac) { HMAC hmac; switch (aeMac) { case AeMac.HMACSHA256: hmac = new HMACSHA256(); break; case AeMac.HMACSHA384: hmac = new HMACSHA384(); break; case AeMac.HMACSHA512: hmac = new HMACSHA512(); break; default: //An algorithm we don't understand throw new CryptographicException("Invalid Mac algorithm"); } hmac.Key = keyMac; return(hmac); }
public static byte[] Decrypt(byte[] keyEnc, byte[] keyMac, byte[] cipherText) { if (keyEnc == null) { throw new ArgumentNullException(nameof(keyEnc)); } if (keyMac == null) { throw new ArgumentNullException(nameof(keyMac)); } if (keyEnc.Length < 32) { throw new ArgumentOutOfRangeException( nameof(keyEnc), "Encryption Key must be at least 256 bits (32 bytes)"); } if (keyMac.Length < 32) { throw new ArgumentOutOfRangeException( nameof(keyMac), "Mac Key must be at least 256 bits (32 bytes)"); } if (cipherText == null) { throw new ArgumentNullException(nameof(cipherText)); } // The format of this message is assumed to be public, so there's no harm in // saying ahead of time that the message makes no sense. if (cipherText.Length < 2) { throw new CryptographicException(); } // Use the message algorithm headers to determine what cipher algorithm and // MAC algorithm are going to be used. Since the same Key Derivation // Functions (KDFs) are being used in Decrypt as Encrypt, the keys are also // the same. AeCipher aeCipher = (AeCipher)cipherText[0]; AeMac aeMac = (AeMac)cipherText[1]; using (SymmetricAlgorithm cipher = GetCipher(aeCipher, keyEnc)) using (HMAC tagGenerator = GetMac(aeMac, keyMac)) { int blockSizeInBytes = cipher.BlockSize / 8; int tagSizeInBytes = tagGenerator.HashSize / 8; int headerSizeInBytes = 2; int tagOffset = headerSizeInBytes; int ivOffset = tagOffset + tagSizeInBytes; int cipherTextOffset = ivOffset + blockSizeInBytes; int cipherTextLength = cipherText.Length - cipherTextOffset; int minLen = cipherTextOffset + blockSizeInBytes; // Again, the minimum length is still assumed to be public knowledge, // nothing has leaked out yet. The minimum length couldn't just be calculated // without reading the header. if (cipherText.Length < minLen) { throw new CryptographicException(); } // It's very important that the MAC be calculated and verified before // proceeding to decrypt the ciphertext, as this prevents any sort of // information leaking out to an attacker. // // Don't include the tag in the calculation, though. var data = new byte[cipherText.Length - tagSizeInBytes]; // First, everything before the tag (the cipher and MAC algorithm ids) Buffer.BlockCopy(cipherText, 0, data, 0, tagOffset); // Skip the data before the tag and the tag, then read everything that remains. Buffer.BlockCopy(cipherText, (tagOffset + tagSizeInBytes), data, tagOffset, cipherText.Length - (tagOffset + tagSizeInBytes)); tagGenerator.AppendData(data); byte[] generatedTag = tagGenerator.GetHashAndReset(); byte[] expectedPayload = new byte[tagSizeInBytes]; Buffer.BlockCopy(cipherText, tagOffset, expectedPayload, 0, tagSizeInBytes); if (!CryptographicEquals( generatedTag, 0, cipherText, tagOffset, tagSizeInBytes)) { // Assuming every tampered message (of the same length) took the same // amount of time to process, we can now safely say // "this data makes no sense" without giving anything away. throw new CryptographicException("Mismatch in signed data"); } // Restore the IV into the symmetricAlgorithm instance. byte[] iv = new byte[blockSizeInBytes]; Buffer.BlockCopy(cipherText, ivOffset, iv, 0, iv.Length); cipher.IV = iv; using (ICryptoTransform decryptor = cipher.CreateDecryptor()) { return(Transform( decryptor, cipherText, cipherTextOffset, cipherTextLength)); } } }