/// <summary>
/// Reverses, in place, whichever in-memory protection is recorded in
/// <c>m_mp</c> for <c>m_pbData</c>, then marks the buffer as
/// <c>PbMemProt.None</c>.
/// </summary>
/// <remarks>
/// An empty buffer returns immediately, before <c>m_mp</c> is reset.
/// When this method returns, <c>m_pbData</c> holds plaintext; nothing here
/// wipes or re-protects it, so that is left to the caller.
/// </remarks>
private void Decrypt()
{
    if (m_pbData.Length == 0)
    {
        return;
    }

    switch (m_mp)
    {
        case PbMemProt.ProtectedMemory:
            ProtectedMemory.Unprotect(m_pbData, MemoryProtectionScope.SameProcess);
            break;

        case PbMemProt.ChaCha20:
        {
            // 12-byte nonce: the first 4 bytes stay zero, the object ID is written at offset 4.
            byte[] nonce = new byte[12];
            MemUtil.UInt64ToBytesEx((ulong)m_lID, nonce, 4);

            // NOTE(review): reads the static g_pbKey32 directly; this presumably relies on
            // Encrypt() having published that key before m_mp could become ChaCha20 - confirm.
            using (ChaCha20Cipher cipher = new ChaCha20Cipher(g_pbKey32, nonce, true))
            {
                cipher.Decrypt(m_pbData, 0, m_pbData.Length);
            }
            break;
        }

        case PbMemProt.ExtCrypt:
            // Uses the delegate stored on this instance, not a static one.
            m_fExtCrypt(m_pbData, PbCryptFlags.Decrypt, m_lID);
            break;

        default:
            Debug.Assert(m_mp == PbMemProt.None);
            break;
    }

    m_mp = PbMemProt.None;
}
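/// <summary>
/// Applies in-memory protection to <c>m_pbData</c> and records the mechanism
/// used in <c>m_mp</c>.
/// </summary>
/// <remarks>
/// Mechanisms are tried in this order: the external delegate in
/// <c>g_fExtCrypt</c>, then the platform protected-memory path, then ChaCha20
/// under the lazily created static key <c>g_pbKey32</c>.
/// Nothing happens when protection was not requested or the buffer is empty.
/// </remarks>
private void Encrypt()
{
    Debug.Assert(m_mp == PbMemProt.None);

    // Nothing to do if caller didn't request protection
    if (!m_bProtected)
    {
        return;
    }

    // ProtectedMemory.Protect throws for data size == 0
    if (m_pbData.Length == 0)
    {
        return;
    }

    // Snapshot the static delegate so that the one invoked is the one remembered for Decrypt().
    PbCryptDelegate f = g_fExtCrypt;
    if (f != null)
    {
        f(m_pbData, PbCryptFlags.Encrypt, m_lID);
        m_fExtCrypt = f;
        m_mp = PbMemProt.ExtCrypt;
        return;
    }

    if (ProtectedBinary.ProtectedMemorySupported)
    {
#if NETSTANDARD2_0
        // NOTE(review): key material comes from CryptoUtil.SharedSecret; how that secret is
        // created and stored is not visible here - confirm it is not a fixed value.
        byte[] pbPlain = m_pbData;
        m_pbData = CryptoUtil.EncryptBytesAES(pbPlain, CryptoUtil.SharedSecret);

        // The other branches encrypt in place; this one swaps the buffer, which would leave
        // the plaintext array alive until the GC reclaims it. Wipe it unless the helper
        // returned the same array.
        if (!object.ReferenceEquals(pbPlain, m_pbData))
        {
            System.Array.Clear(pbPlain, 0, pbPlain.Length);
        }
#else
        ProtectedMemory.Protect(m_pbData, MemoryProtectionScope.SameProcess);
#endif
        m_mp = PbMemProt.ProtectedMemory;
        return;
    }

    byte[] pbKey32 = g_pbKey32;
    if (pbKey32 == null)
    {
        byte[] pbNew = CryptoRandom.Instance.GetRandomBytes(32);

        // Publish the key only if no other thread has done so yet. A plain Exchange would
        // overwrite a key another thread already encrypted with, and Decrypt() would then
        // read a different g_pbKey32 than the one used for encryption.
        byte[] pbPrev = Interlocked.CompareExchange<byte[]>(ref g_pbKey32, pbNew, null);
        pbKey32 = (pbPrev != null) ? pbPrev : pbNew;
    }

    // 12-byte nonce: the first 4 bytes stay zero, the object ID is written at offset 4.
    // NOTE(review): one static key is shared by all instances, so keystream uniqueness
    // depends on m_lID being unique per protected object - confirm where m_lID is assigned.
    byte[] pbIV = new byte[12];
    MemUtil.UInt64ToBytesEx((ulong)m_lID, pbIV, 4);
    using (ChaCha20Cipher c = new ChaCha20Cipher(pbKey32, pbIV, true))
    {
        c.Encrypt(m_pbData, 0, m_pbData.Length);
    }
    m_mp = PbMemProt.ChaCha20;
}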
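/// <summary>
/// Creates a cipher instance keyed from the pin: <see cref="ChaCha20Cipher"/>
/// when the nonce is 12 bytes long, otherwise <see cref="Salsa20Cipher"/>
/// (KeePass older than 2.35).
/// </summary>
/// <remarks>
/// The 32-byte cipher key is the first half of SHA-512(pin). The temporary
/// hash and key buffers are zeroed before returning.
/// NOTE(review): a single unsalted hash is a fast derivation; if the pin is
/// short, its strength rests on how the caller limits guessing - not visible here.
/// </remarks>
/// <param name="pin">The pin to use as key.</param>
/// <param name="nonce">The nonce to use as IV.</param>
/// <returns>The cipher instance.</returns>
private static CtrBlockCipher CreateCipher(byte[] pin, byte[] nonce)
{
    Contract.Requires(pin != null);
    Contract.Requires(nonce != null);
    // The postcondition must name the declared return type; the previous
    // Contract.Result<ChaCha20Cipher>() did not match CtrBlockCipher.
    Contract.Ensures(Contract.Result<CtrBlockCipher>() != null);

    var key = new byte[32];
    try
    {
        using (var h = new SHA512Managed())
        {
            var hashBytes = h.ComputeHash(pin);
            Array.Copy(hashBytes, key, 32);
            MemUtil.ZeroByteArray(hashBytes);
        }

        CtrBlockCipher cipher;
        if (nonce.Length == 12 /*>= KeePass 2.35*/)
        {
            cipher = new ChaCha20Cipher(key, nonce, false);
        }
        else
        {
            // NOTE(review): any nonce length other than 12 ends up here; the length is
            // not validated in this method.
            cipher = new Salsa20Cipher(key, nonce);
        }

        return cipher;
    }
    finally
    {
        // Wipe the derived key even when hashing or cipher construction throws.
        MemUtil.ZeroByteArray(key);
    }
}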
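/// <summary>
/// Applies in-memory protection to <c>m_pbData</c> in place and records the
/// mechanism used in <c>m_mp</c>.
/// </summary>
/// <remarks>
/// Mechanisms are tried in this order: the external delegate in
/// <c>g_fExtCrypt</c>, then <c>ProtectedMemory</c> (compiled out for KPCLib),
/// then ChaCha20 under the lazily created static key <c>g_pbKey32</c>.
/// Nothing happens when protection was not requested or the buffer is empty.
/// </remarks>
private void Encrypt()
{
    Debug.Assert(m_mp == PbMemProt.None);

    // Nothing to do if caller didn't request protection
    if (!m_bProtected)
    {
        return;
    }

    // ProtectedMemory.Protect throws for data size == 0
    if (m_pbData.Length == 0)
    {
        return;
    }

    // Snapshot the static delegate so that the one invoked is the one remembered for Decrypt().
    PbCryptDelegate f = g_fExtCrypt;
    if (f != null)
    {
        f(m_pbData, PbCryptFlags.Encrypt, m_lID);
        m_fExtCrypt = f;
        m_mp = PbMemProt.ExtCrypt;
        return;
    }

#if !KPCLib
    // ProtectedMemory is not supported on Android, iOS and UWP
    if (ProtectedBinary.ProtectedMemorySupported)
    {
        ProtectedMemory.Protect(m_pbData, MemoryProtectionScope.SameProcess);
        m_mp = PbMemProt.ProtectedMemory;
        return;
    }
#endif // KPCLib

    byte[] pbKey32 = g_pbKey32;
    if (pbKey32 == null)
    {
        byte[] pbNew = GetRandom32();

        // Publish the key only if no other thread has done so yet. A plain Exchange would
        // overwrite a key another thread already encrypted with, and Decrypt() would then
        // read a different g_pbKey32 than the one used for encryption.
        byte[] pbPrev = Interlocked.CompareExchange<byte[]>(ref g_pbKey32, pbNew, null);
        pbKey32 = (pbPrev != null) ? pbPrev : pbNew;
    }

    // 12-byte nonce: the first 4 bytes stay zero, the object ID is written at offset 4.
    // NOTE(review): one static key is shared by all instances, so keystream uniqueness
    // depends on m_lID being unique per protected object - confirm where m_lID is assigned.
    byte[] pbIV = new byte[12];
    MemUtil.UInt64ToBytesEx((ulong)m_lID, pbIV, 4);
    using (ChaCha20Cipher c = new ChaCha20Cipher(pbKey32, pbIV, true))
    {
        c.Encrypt(m_pbData, 0, m_pbData.Length);
    }
    m_mp = PbMemProt.ChaCha20;
}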
/// <summary>
/// Reverses whichever in-memory protection is recorded in <c>m_mp</c> for
/// <c>m_pbData</c>, then marks the buffer as <c>PbMemProt.None</c>.
/// </summary>
/// <remarks>
/// An empty buffer returns immediately, before <c>m_mp</c> is reset.
/// Under NETSTANDARD2_0 the protected-memory path replaces <c>m_pbData</c>
/// with a new array and clears the old one; every other path works in place.
/// </remarks>
private void Decrypt()
{
    if (m_pbData.Length == 0)
    {
        return;
    }

    switch (m_mp)
    {
        case PbMemProt.ProtectedMemory:
        {
#if NETSTANDARD2_0
            // NOTE(review): this branch uses DataProtectionScope.CurrentUser while the other
            // one is scoped to SameProcess - confirm it matches what Encrypt() applied.
            var pbPlain = CryptoUtil.UnprotectData(m_pbData, null, DataProtectionScope.CurrentUser);

            // Wipe the buffer being dropped before swapping in the decrypted copy.
            Array.Clear(m_pbData, 0, m_pbData.Length);
            m_pbData = pbPlain;
#else
            ProtectedMemory.Unprotect(m_pbData, MemoryProtectionScope.SameProcess);
#endif
            break;
        }

        case PbMemProt.ChaCha20:
        {
            // 12-byte nonce: the first 4 bytes stay zero, the object ID is written at offset 4.
            byte[] nonce = new byte[12];
            MemUtil.UInt64ToBytesEx((ulong)m_lID, nonce, 4);

            // NOTE(review): reads the static g_pbKey32 directly; presumably it was published
            // by Encrypt() before m_mp could become ChaCha20 - confirm.
            using (ChaCha20Cipher cipher = new ChaCha20Cipher(g_pbKey32, nonce, true))
            {
                cipher.Decrypt(m_pbData, 0, m_pbData.Length);
            }
            break;
        }

        case PbMemProt.ExtCrypt:
            // Uses the delegate stored on this instance, not a static one.
            m_fExtCrypt(m_pbData, PbCryptFlags.Decrypt, m_lID);
            break;

        default:
            Debug.Assert(m_mp == PbMemProt.None);
            break;
    }

    m_mp = PbMemProt.None;
}
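/// <summary>
/// Builds the cipher transform for the algorithm selected in <c>m_SymAlgo</c>,
/// keyed with <c>m_Key</c> and <c>m_IV</c>.
/// </summary>
/// <remarks>
/// Block ciphers (3DES, AES-256, Twofish) are configured for CBC with
/// <c>PaddingMode.None</c>, so padding is not handled here. The stream
/// ciphers (ChaCha20, Salsa20) are wrapped in a
/// <c>CtrBlockCipherTransformer</c>.
/// NOTE(review): no integrity check is applied in this method; presumably the
/// caller authenticates the data - confirm.
/// </remarks>
/// <returns>A transform wrapping the configured cipher.</returns>
/// <exception cref="SecurityException">The stored algorithm code is not one of the supported values.</exception>
public ISingleCipherTransform GetCipherTransformer()
{
    // The AES and Twofish branches carried misplaced ';' and '}' tokens that kept the
    // method from compiling; the branches are restored here as a switch.
    switch (m_SymAlgo)
    {
        case SymAlgoCode.ThreeDES:
        case SymAlgoCode.AES256:
        case SymAlgoCode.Twofish:
        {
            SymmetricAlgorithm SymAlgo;
            if (m_SymAlgo == SymAlgoCode.ThreeDES)
            {
                // 3DES has a 64-bit block; presumably kept so existing data stays readable.
                SymAlgo = new TripleDESCryptoServiceProvider
                {
                    BlockSize = 64,
                    IV = m_IV,
                    KeySize = 192,
                    Key = m_Key,
                    Mode = CipherMode.CBC,
                    Padding = PaddingMode.None
                };
            }
            else if (m_SymAlgo == SymAlgoCode.AES256)
            {
                SymAlgo = new RijndaelManaged
                {
                    BlockSize = 128,
                    IV = m_IV,
                    KeySize = 256,
                    Key = m_Key,
                    Mode = CipherMode.CBC,
                    Padding = PaddingMode.None
                };
            }
            else
            {
                SymAlgo = new TwofishManaged
                {
                    BlockSize = 128,
                    IV = m_IV,
                    KeySize = 256,
                    Key = m_Key,
                    Mode = CipherMode.CBC,
                    Padding = PaddingMode.None
                };
            }

            return new CryptoTransformer(SymAlgo);
        }

        case SymAlgoCode.ChaCha20:
        case SymAlgoCode.Salsa20:
        {
            CtrBlockCipher c;
            if (m_SymAlgo == SymAlgoCode.ChaCha20)
            {
                c = new ChaCha20Cipher(m_Key, m_IV);
            }
            else
            {
                c = new Salsa20Cipher(m_Key, m_IV);
            }

            return new CtrBlockCipherTransformer(c);
        }

        default:
            throw new SecurityException("Invalid Algorithm");
    }
}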
/// <summary>
/// Checks <c>ChaCha20Cipher</c> and <c>ChaCha20Stream</c> against published
/// test vectors (RFC 7539 and the Strombergson draft).
/// </summary>
/// <remarks>
/// Only the first vector runs in every build; the remaining three are
/// compiled under <c>#if DEBUG</c>, so a release-configuration test run
/// covers a single vector.
/// </remarks>
public void TestChacha20Cipher()
{
    // ======================================================
    // Test vector from RFC 7539, section 2.3.2

    // Key bytes are 0x00..0x1F.
    var pbKey = new byte[32];
    for (var i = 0; i < 32; ++i)
    {
        pbKey[i] = (byte)i;
    }

    var pbIV = new byte[12];
    pbIV[3] = 0x09;
    pbIV[7] = 0x4A;

    var pbExpc = new byte[]
    {
        0x10, 0xF1, 0xE7, 0xE4, 0xD1, 0x3B, 0x59, 0x15,
        0x50, 0x0F, 0xDD, 0x1F, 0xA3, 0x20, 0x71, 0xC4,
        0xC7, 0xD1, 0xF4, 0xC7, 0x33, 0xC0, 0x68, 0x03,
        0x04, 0x22, 0xAA, 0x9A, 0xC3, 0xD4, 0x6C, 0x4E,
        0xD2, 0x82, 0x64, 0x46, 0x07, 0x9F, 0xAA, 0x09,
        0x14, 0xC2, 0xD7, 0x05, 0xD9, 0x8B, 0x02, 0xA2,
        0xB5, 0x12, 0x9C, 0xD1, 0xDE, 0x16, 0x4E, 0xB9,
        0xCB, 0xD0, 0x83, 0xE8, 0xA2, 0x50, 0x3C, 0x4E
    };

    // pb starts as 64 zero bytes and is encrypted in place, then compared with pbExpc.
    var pb = new byte[64];
    using (var chaCha20Cipher1 = new ChaCha20Cipher(pbKey, pbIV))
    {
        chaCha20Cipher1.Seek(64, SeekOrigin.Begin); // Skip first block
        chaCha20Cipher1.Encrypt(pb, 0, pb.Length);
        Assert.That(MemUtil.ArraysEqual(pb, pbExpc), Is.True);
    }

#if DEBUG
    // ======================================================
    // Test vector from RFC 7539, section 2.4.2

    pbIV[3] = 0;
    pb = StrUtil.Utf8.GetBytes("Ladies and Gentlemen of the clas" +
        @"s of '99: If I could offer you only one tip for " +
        @"the future, sunscreen would be it.");

    pbExpc = new byte[]
    {
        0x6E, 0x2E, 0x35, 0x9A, 0x25, 0x68, 0xF9, 0x80,
        0x41, 0xBA, 0x07, 0x28, 0xDD, 0x0D, 0x69, 0x81,
        0xE9, 0x7E, 0x7A, 0xEC, 0x1D, 0x43, 0x60, 0xC2,
        0x0A, 0x27, 0xAF, 0xCC, 0xFD, 0x9F, 0xAE, 0x0B,
        0xF9, 0x1B, 0x65, 0xC5, 0x52, 0x47, 0x33, 0xAB,
        0x8F, 0x59, 0x3D, 0xAB, 0xCD, 0x62, 0xB3, 0x57,
        0x16, 0x39, 0xD6, 0x24, 0xE6, 0x51, 0x52, 0xAB,
        0x8F, 0x53, 0x0C, 0x35, 0x9F, 0x08, 0x61, 0xD8,
        0x07, 0xCA, 0x0D, 0xBF, 0x50, 0x0D, 0x6A, 0x61,
        0x56, 0xA3, 0x8E, 0x08, 0x8A, 0x22, 0xB6, 0x5E,
        0x52, 0xBC, 0x51, 0x4D, 0x16, 0xCC, 0xF8, 0x06,
        0x81, 0x8C, 0xE9, 0x1A, 0xB7, 0x79, 0x37, 0x36,
        0x5A, 0xF9, 0x0B, 0xBF, 0x74, 0xA3, 0x5B, 0xE6,
        0xB4, 0x0B, 0x8E, 0xED, 0xF2, 0x78, 0x5E, 0x42,
        0x87, 0x4D
    };

    // Here the first block is skipped by encrypting a 64-byte scratch buffer instead of seeking.
    var pb64 = new byte[64];
    using (var chaCha20Cipher2 = new ChaCha20Cipher(pbKey, pbIV))
    {
        chaCha20Cipher2.Encrypt(pb64, 0, pb64.Length); // Skip first block
        chaCha20Cipher2.Encrypt(pb, 0, pb.Length);
        Assert.That(MemUtil.ArraysEqual(pb, pbExpc), Is.True);
    }

    // ======================================================
    // Test vector from RFC 7539, appendix A.2 #2

    Array.Clear(pbKey, 0, pbKey.Length);
    pbKey[31] = 1;
    Array.Clear(pbIV, 0, pbIV.Length);
    pbIV[11] = 2;

    pb = StrUtil.Utf8.GetBytes("Any submission to the IETF inten" +
        "ded by the Contributor for publication as all or" +
        " part of an IETF Internet-Draft or RFC and any s" +
        "tatement made within the context of an IETF acti" +
        "vity is considered an \"IETF Contribution\". Such " +
        "statements include oral statements in IETF sessi" +
        "ons, as well as written and electronic communica" +
        "tions made at any time or place, which are addressed to");

    pbExpc = MemUtil.HexStringToByteArray(
        "A3FBF07DF3FA2FDE4F376CA23E82737041605D9F4F4F57BD8CFF2C1D4B7955EC" +
        "2A97948BD3722915C8F3D337F7D370050E9E96D647B7C39F56E031CA5EB6250D" +
        "4042E02785ECECFA4B4BB5E8EAD0440E20B6E8DB09D881A7C6132F420E527950" +
        "42BDFA7773D8A9051447B3291CE1411C680465552AA6C405B7764D5E87BEA85A" +
        "D00F8449ED8F72D0D662AB052691CA66424BC86D2DF80EA41F43ABF937D3259D" +
        "C4B2D0DFB48A6C9139DDD7F76966E928E635553BA76C5C879D7B35D49EB2E62B" +
        "0871CDAC638939E25E8A1E0EF9D5280FA8CA328B351C3C765989CBCF3DAA8B6C" +
        "CC3AAF9F3979C92B3720FC88DC95ED84A1BE059C6499B9FDA236E7E818B04B0B" +
        "C39C1E876B193BFE5569753F88128CC08AAA9B63D1A16F80EF2554D7189C411F" +
        "5869CA52C5B83FA36FF216B9C1D30062BEBCFD2DC5BCE0911934FDA79A86F6E6" +
        "98CED759C3FF9B6477338F3DA4F9CD8514EA9982CCAFB341B2384DD902F3D1AB" +
        "7AC61DD29C6F21BA5B862F3730E37CFDC4FD806C22F221");

    using (var msEnc = new MemoryStream())
    {
        using (var chaCha20Stream = new ChaCha20Stream(msEnc, true, pbKey, pbIV))
        {
            // The weak random source only fills the skipped block and picks chunk sizes,
            // so the stream is written in pieces of varying length.
            var r = CryptoRandom.NewWeakRandom();
            r.NextBytes(pb64);
            chaCha20Stream.Write(pb64, 0, pb64.Length); // Skip first block

            var p = 0;
            while (p < pb.Length)
            {
                var cb = r.Next(1, pb.Length - p + 1);
                chaCha20Stream.Write(pb, p, cb);
                p += cb;
            }
            Debug.Assert(p == pb.Length);
        }

        // Drop the first 64 bytes (the skipped block) before comparing with the vector.
        var pbEnc0 = msEnc.ToArray();
        var pbEnc = MemUtil.Mid(pbEnc0, 64, pbEnc0.Length - 64);
        Assert.That(MemUtil.ArraysEqual(pbEnc, pbExpc), Is.True);

        // Round trip: read the whole ciphertext back through a decrypting stream.
        using var msCT = new MemoryStream(pbEnc0, false);
        using var cDec = new ChaCha20Stream(msCT, false, pbKey, pbIV);
        var pbPT = MemUtil.Read(cDec, pbEnc0.Length);

        // A negative ReadByte() result means nothing is left to read.
        Assert.That(cDec.ReadByte(), Is.LessThan(0));
        Assert.That(MemUtil.ArraysEqual(MemUtil.Mid(pbPT, 0, 64), pb64), Is.True);
        Assert.That(MemUtil.ArraysEqual(MemUtil.Mid(pbPT, 64, pbEnc.Length), pb), Is.True);
    }

    // ======================================================
    // Test vector TC8 from RFC draft by J. Strombergson:
    // https://tools.ietf.org/html/draft-strombergson-chacha-test-vectors-01

    pbKey = new byte[]
    {
        0xC4, 0x6E, 0xC1, 0xB1, 0x8C, 0xE8, 0xA8, 0x78,
        0x72, 0x5A, 0x37, 0xE7, 0x80, 0xDF, 0xB7, 0x35,
        0x1F, 0x68, 0xED, 0x2E, 0x19, 0x4C, 0x79, 0xFB,
        0xC6, 0xAE, 0xBE, 0xE1, 0xA6, 0x67, 0x97, 0x5D
    };

    // The first 4 bytes are set to zero and a large counter
    // is used; this makes the RFC 7539 version of ChaCha20
    // compatible with the original specification by
    // D. J. Bernstein.
    pbIV = new byte[]
    {
        0x00, 0x00, 0x00, 0x00,
        0x1A, 0xDA, 0x31, 0xD5, 0xCF, 0x68, 0x82, 0x21
    };

    pb = new byte[128];

    pbExpc = new byte[]
    {
        0xF6, 0x3A, 0x89, 0xB7, 0x5C, 0x22, 0x71, 0xF9,
        0x36, 0x88, 0x16, 0x54, 0x2B, 0xA5, 0x2F, 0x06,
        0xED, 0x49, 0x24, 0x17, 0x92, 0x30, 0x2B, 0x00,
        0xB5, 0xE8, 0xF8, 0x0A, 0xE9, 0xA4, 0x73, 0xAF,
        0xC2, 0x5B, 0x21, 0x8F, 0x51, 0x9A, 0xF0, 0xFD,
        0xD4, 0x06, 0x36, 0x2E, 0x8D, 0x69, 0xDE, 0x7F,
        0x54, 0xC6, 0x04, 0xA6, 0xE0, 0x0F, 0x35, 0x3F,
        0x11, 0x0F, 0x77, 0x1B, 0xDC, 0xA8, 0xAB, 0x92,
        0xE5, 0xFB, 0xC3, 0x4E, 0x60, 0xA1, 0xD9, 0xA9,
        0xDB, 0x17, 0x34, 0x5B, 0x0A, 0x40, 0x27, 0x36,
        0x85, 0x3B, 0xF9, 0x10, 0xB0, 0x60, 0xBD, 0xF1,
        0xF8, 0x97, 0xB6, 0x29, 0x0F, 0x01, 0xD1, 0x38,
        0xAE, 0x2C, 0x4C, 0x90, 0x22, 0x5B, 0xA9, 0xEA,
        0x14, 0xD5, 0x18, 0xF5, 0x59, 0x29, 0xDE, 0xA0,
        0x98, 0xCA, 0x7A, 0x6C, 0xCF, 0xE6, 0x12, 0x27,
        0x05, 0x3C, 0x84, 0xE4, 0x9A, 0x4A, 0x33, 0x32
    };

    // Third constructor argument 'true' selects the large-counter mode described above;
    // this vector goes through Decrypt() rather than Encrypt().
    using var c = new ChaCha20Cipher(pbKey, pbIV, true);
    c.Decrypt(pb, 0, pb.Length);
    Assert.That(MemUtil.ArraysEqual(pb, pbExpc), Is.True);
#endif
}
/// <summary>
/// Construct a new random stream object for the given algorithm, seeded
/// from <paramref name="pbKey"/>.
/// </summary>
/// <remarks>
/// ChaCha20 derives key and nonce from SHA-512 of the key material; Salsa20
/// uses SHA-256 of it with a fixed 8-byte nonce; ArcFourVariant runs its own
/// key setup over a 256-byte state and discards the first 512 output bytes.
/// </remarks>
/// <param name="a">Algorithm to use.</param>
/// <param name="pbKey">Initialization key. Must not be <c>null</c> and
/// must contain at least 1 byte.</param>
/// <exception cref="ArgumentNullException"><paramref name="pbKey"/> is <c>null</c>.</exception>
/// <exception cref="ArgumentOutOfRangeException"><paramref name="pbKey"/> is empty,
/// or <paramref name="a"/> is not a known algorithm.</exception>
public CryptoRandomStream(CrsAlgorithm a, byte[] pbKey)
{
    if (pbKey == null)
    {
        Debug.Assert(false);
        throw new ArgumentNullException("pbKey");
    }

    int keyLength = pbKey.Length;
    if (keyLength <= 0)
    {
        Debug.Assert(false); // Need at least one byte
        throw new ArgumentOutOfRangeException("pbKey");
    }

    m_crsAlgorithm = a;

    switch (a)
    {
        case CrsAlgorithm.ChaCha20:
        {
            // SHA-512 output is split: bytes 0..31 become the key, bytes 32..43 the nonce.
            byte[] derivedKey = new byte[32];
            byte[] derivedNonce = new byte[12];
            using (SHA512Managed sha = new SHA512Managed())
            {
                byte[] digest = sha.ComputeHash(pbKey);
                Array.Copy(digest, derivedKey, 32);
                Array.Copy(digest, 32, derivedNonce, 0, 12);
                MemUtil.ZeroByteArray(digest);
            }

            // NOTE(review): derivedKey/derivedNonce are not wiped after construction;
            // wiping would only be safe if the cipher copies them - confirm before changing.
            m_chacha20 = new ChaCha20Cipher(derivedKey, derivedNonce, true);
            break;
        }

        case CrsAlgorithm.Salsa20:
        {
            byte[] derivedKey = CryptoUtil.HashSha256(pbKey);
            byte[] fixedNonce = new byte[8]
            {
                0xE8, 0x30, 0x09, 0x4B, 0x97, 0x20, 0x5D, 0x2A
            }; // Unique constant
            m_salsa20 = new Salsa20Cipher(derivedKey, fixedNonce);
            break;
        }

        case CrsAlgorithm.ArcFourVariant:
        {
            // Fill the state linearly
            m_pbState = new byte[256];
            for (int i = 0; i < 256; ++i)
            {
                m_pbState[i] = (byte)i;
            }

            unchecked
            {
                byte j = 0;
                int keyPos = 0;

                // Key setup. The swap exchanges slot 0 with slot j (not slot i), so this
                // is not the textbook RC4 schedule.
                // NOTE(review): presumably deliberate ("variant"); changing it would alter
                // the generated stream - confirm compatibility needs before touching it.
                for (int i = 0; i < 256; ++i)
                {
                    j += (byte)(m_pbState[i] + pbKey[keyPos]);

                    byte held = m_pbState[0]; // Swap entries
                    m_pbState[0] = m_pbState[j];
                    m_pbState[j] = held;

                    ++keyPos;
                    if (keyPos >= keyLength)
                    {
                        keyPos = 0;
                    }
                }
            }

            GetRandomBytes(512); // Increases security, see cryptanalysis
            break;
        }

        default: // Unknown algorithm
            Debug.Assert(false);
            throw new ArgumentOutOfRangeException("a");
    }
}