void ICryptoLibrary.DeriveKeysRFC5869_32bytes(byte[] input, byte[] salt, out byte[] key1, out byte[] key2)
{
var hkdf = new HkdfBytesGenerator(new Sha256Digest());
hkdf.Init(new HkdfParameters(input, salt, null));
key1 = new byte[32];
hkdf.GenerateBytes(key1, 0, key1.Length);
key2 = new byte[32];
hkdf.GenerateBytes(key2, 0, key2.Length);
}
public RemoteAttestationKeys(Curve25519KeyPair keyPair, byte[] serverPublicEphemeral, byte[] serverPublicStatic)
{
byte[] ephemeralToEphemeral = Curve25519.getInstance(Curve25519.BEST).calculateAgreement(serverPublicEphemeral, keyPair.getPrivateKey());
byte[] ephemeralToStatic = Curve25519.getInstance(Curve25519.BEST).calculateAgreement(serverPublicStatic, keyPair.getPrivateKey());
byte[] masterSecret = ByteUtil.combine(ephemeralToEphemeral, ephemeralToStatic);
byte[] publicKeys = ByteUtil.combine(keyPair.getPublicKey(), serverPublicEphemeral, serverPublicStatic);
HkdfBytesGenerator generator = new HkdfBytesGenerator(new Sha256Digest());
generator.Init(new HkdfParameters(masterSecret, publicKeys, null));
generator.GenerateBytes(ClientKey, 0, ClientKey.Length);
generator.GenerateBytes(ServerKey, 0, ServerKey.Length);
}
/// <summary>
/// Encrypt the specified data using the specified salt.
///Encrypt uses provided salt, uses master key
///& salt to generate per-data key & nonce with the help of HKDF
///Salt is concatenated to the ciphertext
/// </summary>
/// <returns>The encrypted data bytes.</returns>
/// <param name="data">Data to be encrypted.</param>
public byte[] EncryptWithSalt(byte[] data, byte[] salt)
{
Validation.NotNull(data);
Validation.NotNullOrEmptyByteArray(salt);
var hkdf = new HkdfBytesGenerator(new Sha512Digest());
hkdf.Init(new HkdfParameters(this.key, salt, this.domain));
var keyNonce = new byte[SymKeyLen + SymNonceLen];
hkdf.GenerateBytes(keyNonce, 0, keyNonce.Length);
var cipher = new GcmBlockCipher(new AesEngine());
var keyNonceSlice1 = ((Span <byte>)keyNonce).Slice(0, SymKeyLen);
var keyNonceSlice2 = ((Span <byte>)keyNonce).Slice(SymKeyLen);
var parameters = new AeadParameters(
new KeyParameter(keyNonceSlice1.ToArray()),
SymTagLen * 8,
keyNonceSlice2.ToArray());
cipher.Init(true, parameters);
var cipherText = new byte[cipher.GetOutputSize(data.Length)];
var len = cipher.ProcessBytes(data, 0, data.Length, cipherText, 0);
cipher.DoFinal(cipherText, len);
return(Bytes.Combine(salt, cipherText));
}
// Returns null on HMAC mismatch
public static byte[] DecryptWithMessageKey(byte[] messageKey, byte[] cipherTextWithHmac, byte[] associatedData = null)
{
HkdfParameters parameters = new HkdfParameters(messageKey, ThirtyTwoZeros, MessageProtocolInfo);
HkdfBytesGenerator generator = new HkdfBytesGenerator(new Sha256Digest());
generator.Init(parameters);
byte[] encryptionKey = new byte[32];
byte[] authenticationKey = new byte[32];
byte[] iv = new byte[16];
generator.GenerateBytes(encryptionKey, 0, encryptionKey.Length);
generator.GenerateBytes(authenticationKey, 0, authenticationKey.Length);
generator.GenerateBytes(iv, 0, iv.Length);
return(DecryptWithHmac(new AES256Key(encryptionKey), iv, new AES256Key(authenticationKey), cipherTextWithHmac,
associatedData));
}
private byte[] ComputeHkdf(byte[] ikm)
{
var generator = new HkdfBytesGenerator(new Sha256Digest());
var parameters = new HkdfParameters(ikm, null, HkdfInfo);
generator.Init(parameters);
byte[] output = new byte[_hkdfSize];
generator.GenerateBytes(output, 0, _hkdfSize);
return(output);
}
// Returns a tuple of (new root key, new chain key)
public static (byte[], byte[]) RatchetRootKey(byte[] rootKey, byte[] dhOutput)
{
HkdfParameters parameters = new HkdfParameters(dhOutput, rootKey, RkRatchetProtocolInfo);
HkdfBytesGenerator generator = new HkdfBytesGenerator(new Sha256Digest());
generator.Init(parameters);
byte[] newRootKey = new byte[rootKey.Length];
generator.GenerateBytes(newRootKey, 0, newRootKey.Length);
HkdfParameters parameters2 = new HkdfParameters(dhOutput, rootKey, CkRatchetProtocolInfo);
generator.Init(parameters2);
byte[] newChainKey = new byte[rootKey.Length];
generator.GenerateBytes(newChainKey, 0, newChainKey.Length);
return(newRootKey, newChainKey);
}
/// <summary>
/// Performs HKDF-SHA-256 on the given data and derives <paramref name="numberOfBytes"/> of data.
/// </summary>
/// <param name="data">The data HKDF-SHA-256 should be performed on.</param>
/// <param name="numberOfBytes">How many bytes should be derived.</param>
public static byte[] HkdfSha256(byte[] data, byte[] salt, string info, int numberOfBytes)
{
HkdfBytesGenerator generator = new HkdfBytesGenerator(new Sha256Digest());
byte[] infoBytes = Encoding.ASCII.GetBytes(info);
generator.Init(new HkdfParameters(data, salt, infoBytes));
byte[] result = new byte[numberOfBytes];
generator.GenerateBytes(result, 0, result.Length);
return(result);
}
// currently useless, just keep api same, again
public static Span <byte> HKDF(int keylen, Span <byte> master, Span <byte> salt, Span <byte> info)
{
byte[] ret = new byte[keylen];
IDigest degist = new Sha1Digest();
HkdfParameters parameters = new HkdfParameters(master.ToArray(), salt.ToArray(), info.ToArray());
HkdfBytesGenerator hkdf = new HkdfBytesGenerator(degist);
hkdf.Init(parameters);
hkdf.GenerateBytes(ret, 0, keylen);
return(ret.AsSpan());
}
public static byte[] HKDF(int keylen, byte[] master, byte[] salt, byte[] info)
{
byte[] ret = new byte[keylen];
IDigest degist = new Sha1Digest();
HkdfParameters parameters = new HkdfParameters(master, salt, info);
HkdfBytesGenerator hkdf = new HkdfBytesGenerator(degist);
hkdf.Init(parameters);
hkdf.GenerateBytes(ret, 0, keylen);
return(ret);
}
private byte[] DeriveKey(string serviceAccountId)
{
var generator = new HkdfBytesGenerator(new Sha256Digest());
generator.Init(HkdfParameters.SkipExtractParameters(mKey, Encoding.UTF8.GetBytes(serviceAccountId)));
var derivedKey = new byte[derivedKeySize];
generator.GenerateBytes(derivedKey, 0, derivedKeySize);
return(derivedKey);
}
public static IEnumerable <byte> GenerateAesKey(string sharedKey, IEnumerable <byte> salt)
{
var hkdfBytesGenerator = new HkdfBytesGenerator(new Sha256Digest());
var hkdfParameters = new HkdfParameters(GetByteFromBase64(sharedKey).ToArray(),
salt.ToArray(),
null);
hkdfBytesGenerator.Init(hkdfParameters);
var aesKey = new byte[32];
hkdfBytesGenerator.GenerateBytes(aesKey, 0, 32);
return(aesKey);
}
private static byte[] GeneratePrivateKeyBytes(int numBytes, byte[] masterKeyBytes, long keyIntervalNumber, int counter)
{
var keyIntervalBytes = BitConverter.GetBytes(keyIntervalNumber);
var counterBytes = BitConverter.GetBytes(counter);
var ikm = masterKeyBytes;
var salt = keyIntervalBytes.Concat(counterBytes).ToArray();
var hkdf = new HkdfBytesGenerator(new Sha256Digest());
var hParams = new HkdfParameters(ikm, salt, null);
hkdf.Init(hParams);
byte[] keyBytes = new byte[numBytes];
hkdf.GenerateBytes(keyBytes, 0, numBytes);
return(keyBytes);
}
public static byte[] X3DhKdf(byte[] input, byte[] info)
{
byte[] ikm = ThirtyTwoFFs.Concat(input).ToArray();
HkdfParameters parameters = new HkdfParameters(ikm, ThirtyTwoZeros, info);
HkdfBytesGenerator generator = new HkdfBytesGenerator(new Sha256Digest());
generator.Init(parameters);
byte[] output = new byte[256 / 8];
generator.GenerateBytes(output, 0, output.Length);
return(output);
}
/// <summary>
/// Maps arrays of bytes to an integer less than curve's N parameter
/// </summary>
private BigInteger HashZ(byte[] domain, params byte[][] datas)
{
var hash = this.tupleHash.Sum(domain, datas);
var hkdf = new HkdfBytesGenerator(new Sha512tDigest(256));
hkdf.Init(new HkdfParameters(hash, domain, Encoding.UTF8.GetBytes("TupleKDF")));
var result = new byte[32];
BigInteger z;
do
{
hkdf.GenerateBytes(result, 0, result.Length);
z = new BigInteger(1, result);
}while (z.CompareTo(this.curveParams.N) >= 0);
return(z);
}
/// <summary>
/// Decrypts the M value for specified password.
/// </summary>
public byte[] DecryptM(SecretKey skC, byte[] pwd, byte[] nC, byte[] t1, byte[] c1)
{
var t1Point = this.curve.DecodePoint(t1);
var c1Point = this.curve.DecodePoint(c1);
var hc1Point = this.HashToPoint(dhc1, nC, pwd);
var minusY = this.curveParams.N.Neg(skC.Value);
var mPoint = t1Point.Add(c1Point.Negate()).Add(hc1Point.Multiply(minusY)).Multiply(skC.Value.ModInverse(this.curveParams.N));
var hkdf = new HkdfBytesGenerator(new Sha512tDigest(256));
hkdf.Init(new HkdfParameters(mPoint.GetEncoded(), null, Encoding.UTF8.GetBytes("Secret")));
var key = new byte[32];
hkdf.GenerateBytes(key, 0, key.Length);
return(key);
}
public void HkdfGenerateBytes_Should_GenerateExpectedValue()
{
var expectedValue =
"0F097707AAB66A4CD5FCC79CEB96FB4B99DE2E73DF09295E" +
"CFF6F6CC7C1DCF169D51B62999BC206487800E8DD451518FA6C50F5C053B8B780208BE7164D3A7F2";
var arr1 = new byte[] { 0x00, 0x01, 0x02 };
var arr2 = new byte[] { 0x10, 0x11, 0x12, 0x13, 0x14, 0x15 };
var arr3 = new byte[] { 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28 };
var domain = Bytes.FromString("My Tuple App");
var sha512 = new SHA512Helper();
var key = sha512.ComputeHash(null, arr1, arr2, arr3);
var hkdf = new HkdfBytesGenerator(new Sha512Digest());
var phe = new PheCrypto();
hkdf.Init(new HkdfParameters(key, domain, Domains.KdfInfoZ));
var resultValue = new byte[64];
hkdf.GenerateBytes(resultValue, 0, resultValue.Length);
Assert.Equal(expectedValue, Bytes.ToString(resultValue, StringEncoding.HEX).ToUpper());
}
/// <summary>
/// Decrypt the specified cipherText.
///Decrypt extracts 32 byte salt, derives key & nonce and
///decrypts ciphertext with the help of HKDF
/// </summary>
/// <returns>The decrypted data bytes.</returns>
/// <param name="cipherText">Encrypted data to be decrypted.</param>
public byte[] Decrypt(byte[] cipherText)
{
Validation.NotNullOrEmptyByteArray(cipherText);
if (cipherText.Length < (SymSaltLen + SymTagLen))
{
throw new ArgumentException("Invalid ciphertext length.");
}
var salt = ((Span <byte>)cipherText).Slice(0, SymSaltLen).ToArray();
var hkdf = new HkdfBytesGenerator(new Sha512Digest());
hkdf.Init(new HkdfParameters(this.key, salt, this.domain));
var keyNonce = new byte[SymKeyLen + SymNonceLen];
hkdf.GenerateBytes(keyNonce, 0, keyNonce.Length);
var cipher = new GcmBlockCipher(new AesEngine());
var keyNonceSlice1 = ((Span <byte>)keyNonce).Slice(0, SymKeyLen);
var keyNonceSlice2 = ((Span <byte>)keyNonce).Slice(SymKeyLen);
var parameters = new AeadParameters(new KeyParameter(keyNonceSlice1.ToArray()), SymTagLen * 8, keyNonceSlice2.ToArray());
cipher.Init(false, parameters);
var cipherTextExceptSalt = ((Span <byte>)cipherText).Slice(SymSaltLen).ToArray();
var plainText = new byte[cipher.GetOutputSize(cipherTextExceptSalt.Length)];
var len = cipher.ProcessBytes(cipherTextExceptSalt, 0, cipherTextExceptSalt.Length, plainText, 0);
cipher.DoFinal(plainText, len);
return(plainText);
}
public override void PerformTest()
{
{
// === A.1. Test Case 1 - Basic test case with SHA-256 ===
IDigest hash = new Sha256Digest();
byte[] ikm = Hex.Decode("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b");
byte[] salt = Hex.Decode("000102030405060708090a0b0c");
byte[] info = Hex.Decode("f0f1f2f3f4f5f6f7f8f9");
int l = 42;
byte[] okm = new byte[l];
HkdfParameters parameters = new HkdfParameters(ikm, salt, info);
HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash);
hkdf.Init(parameters);
hkdf.GenerateBytes(okm, 0, l);
CompareOkm(1, okm, Hex.Decode(
"3cb25f25faacd57a90434f64d0362f2a" +
"2d2d0a90cf1a5a4c5db02d56ecc4c5bf" +
"34007208d5b887185865"));
}
// === A.2. Test Case 2 - Test with SHA-256 and longer inputs/outputs
// ===
{
IDigest hash = new Sha256Digest();
byte[] ikm = Hex.Decode("000102030405060708090a0b0c0d0e0f"
+ "101112131415161718191a1b1c1d1e1f"
+ "202122232425262728292a2b2c2d2e2f"
+ "303132333435363738393a3b3c3d3e3f"
+ "404142434445464748494a4b4c4d4e4f");
byte[] salt = Hex.Decode("606162636465666768696a6b6c6d6e6f"
+ "707172737475767778797a7b7c7d7e7f"
+ "808182838485868788898a8b8c8d8e8f"
+ "909192939495969798999a9b9c9d9e9f"
+ "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf");
byte[] info = Hex.Decode("b0b1b2b3b4b5b6b7b8b9babbbcbdbebf"
+ "c0c1c2c3c4c5c6c7c8c9cacbcccdcecf"
+ "d0d1d2d3d4d5d6d7d8d9dadbdcdddedf"
+ "e0e1e2e3e4e5e6e7e8e9eaebecedeeef"
+ "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff");
int l = 82;
byte[] okm = new byte[l];
HkdfParameters parameters = new HkdfParameters(ikm, salt, info);
HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash);
hkdf.Init(parameters);
hkdf.GenerateBytes(okm, 0, l);
CompareOkm(2, okm, Hex.Decode(
"b11e398dc80327a1c8e7f78c596a4934" +
"4f012eda2d4efad8a050cc4c19afa97c" +
"59045a99cac7827271cb41c65e590e09" +
"da3275600c2f09b8367793a9aca3db71" +
"cc30c58179ec3e87c14c01d5c1f3434f" +
"1d87"));
}
{
// === A.3. Test Case 3 - Test with SHA-256 and zero-length
// salt/info ===
// setting salt to an empty byte array means that the salt is set to
// HashLen zero valued bytes
// setting info to null generates an empty byte array as info
// structure
IDigest hash = new Sha256Digest();
byte[] ikm = Hex.Decode("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b");
byte[] salt = new byte[0];
byte[] info = null;
int l = 42;
byte[] okm = new byte[l];
HkdfParameters parameters = new HkdfParameters(ikm, salt, info);
HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash);
hkdf.Init(parameters);
hkdf.GenerateBytes(okm, 0, l);
CompareOkm(3, okm, Hex.Decode(
"8da4e775a563c18f715f802a063c5a31" +
"b8a11f5c5ee1879ec3454e5f3c738d2d" +
"9d201395faa4b61a96c8"));
}
{
// === A.4. Test Case 4 - Basic test case with SHA-1 ===
IDigest hash = new Sha1Digest();
byte[] ikm = Hex.Decode("0b0b0b0b0b0b0b0b0b0b0b");
byte[] salt = Hex.Decode("000102030405060708090a0b0c");
byte[] info = Hex.Decode("f0f1f2f3f4f5f6f7f8f9");
int l = 42;
byte[] okm = new byte[l];
HkdfParameters parameters = new HkdfParameters(ikm, salt, info);
HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash);
hkdf.Init(parameters);
hkdf.GenerateBytes(okm, 0, l);
CompareOkm(4, okm, Hex.Decode(
"085a01ea1b10f36933068b56efa5ad81" +
"a4f14b822f5b091568a9cdd4f155fda2" +
"c22e422478d305f3f896"));
}
// === A.5. Test Case 5 - Test with SHA-1 and longer inputs/outputs ===
{
IDigest hash = new Sha1Digest();
byte[] ikm = Hex.Decode("000102030405060708090a0b0c0d0e0f"
+ "101112131415161718191a1b1c1d1e1f"
+ "202122232425262728292a2b2c2d2e2f"
+ "303132333435363738393a3b3c3d3e3f"
+ "404142434445464748494a4b4c4d4e4f");
byte[] salt = Hex.Decode("606162636465666768696a6b6c6d6e6f"
+ "707172737475767778797a7b7c7d7e7f"
+ "808182838485868788898a8b8c8d8e8f"
+ "909192939495969798999a9b9c9d9e9f"
+ "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf");
byte[] info = Hex.Decode("b0b1b2b3b4b5b6b7b8b9babbbcbdbebf"
+ "c0c1c2c3c4c5c6c7c8c9cacbcccdcecf"
+ "d0d1d2d3d4d5d6d7d8d9dadbdcdddedf"
+ "e0e1e2e3e4e5e6e7e8e9eaebecedeeef"
+ "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff");
int l = 82;
byte[] okm = new byte[l];
HkdfParameters parameters = new HkdfParameters(ikm, salt, info);
HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash);
hkdf.Init(parameters);
hkdf.GenerateBytes(okm, 0, l);
CompareOkm(5, okm, Hex.Decode(
"0bd770a74d1160f7c9f12cd5912a06eb" +
"ff6adcae899d92191fe4305673ba2ffe" +
"8fa3f1a4e5ad79f3f334b3b202b2173c" +
"486ea37ce3d397ed034c7f9dfeb15c5e" +
"927336d0441f4c4300e2cff0d0900b52" +
"d3b4"));
}
{
// === A.6. Test Case 6 - Test with SHA-1 and zero-length salt/info
// ===
// setting salt to null should generate a new salt of HashLen zero
// valued bytes
IDigest hash = new Sha1Digest();
byte[] ikm = Hex.Decode("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b");
byte[] salt = null;
byte[] info = new byte[0];
int l = 42;
byte[] okm = new byte[l];
HkdfParameters parameters = new HkdfParameters(ikm, salt, info);
HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash);
hkdf.Init(parameters);
hkdf.GenerateBytes(okm, 0, l);
CompareOkm(6, okm, Hex.Decode(
"0ac1af7002b3d761d1e55298da9d0506" +
"b9ae52057220a306e07b6b87e8df21d0" +
"ea00033de03984d34918"));
}
{
// === A.7. Test Case 7 - Test with SHA-1, salt not provided,
// zero-length info ===
// (salt defaults to HashLen zero octets)
// this test is identical to test 6 in all ways bar the IKM value
IDigest hash = new Sha1Digest();
byte[] ikm = Hex.Decode("0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c");
byte[] salt = null;
byte[] info = new byte[0];
int l = 42;
byte[] okm = new byte[l];
HkdfParameters parameters = new HkdfParameters(ikm, salt, info);
HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash);
hkdf.Init(parameters);
hkdf.GenerateBytes(okm, 0, l);
CompareOkm(7, okm, Hex.Decode(
"2c91117204d745f3500d636a62f64f0a" +
"b3bae548aa53d423b0d1f27ebba6f5e5" +
"673a081d70cce7acfc48"));
}
{
// === A.101. Additional Test Case - Test with SHA-1, skipping extract
// zero-length info ===
// (salt defaults to HashLen zero octets)
// this test is identical to test 7 in all ways bar the IKM value
// which is set to the PRK value
IDigest hash = new Sha1Digest();
byte[] ikm = Hex.Decode("2adccada18779e7c2077ad2eb19d3f3e731385dd");
byte[] info = new byte[0];
int l = 42;
byte[] okm = new byte[l];
HkdfParameters parameters = HkdfParameters.SkipExtractParameters(ikm, info);
HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash);
hkdf.Init(parameters);
hkdf.GenerateBytes(okm, 0, l);
CompareOkm(101, okm, Hex.Decode(
"2c91117204d745f3500d636a62f64f0a" +
"b3bae548aa53d423b0d1f27ebba6f5e5" +
"673a081d70cce7acfc48"));
}
{
// === A.102. Additional Test Case - Test with SHA-1, maximum output ===
// (salt defaults to HashLen zero octets)
// this test is identical to test 7 in all ways bar the IKM value
IDigest hash = new Sha1Digest();
byte[] ikm = Hex.Decode("2adccada18779e7c2077ad2eb19d3f3e731385dd");
byte[] info = new byte[0];
int l = 255 * hash.GetDigestSize();
byte[] okm = new byte[l];
HkdfParameters parameters = HkdfParameters.SkipExtractParameters(ikm, info);
HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash);
hkdf.Init(parameters);
hkdf.GenerateBytes(okm, 0, l);
int zeros = 0;
for (int i = 0; i < hash.GetDigestSize(); i++)
{
if (okm[i] == 0)
{
zeros++;
}
}
if (zeros == hash.GetDigestSize())
{
Fail("HKDF failed generator test " + 102);
}
}
}