예제 #1
0
        public byte[] TransformFinalBlock(byte[] inputBuffer, int inputOffset, int inputCount)
        {
            Validate.AnArray(inputBuffer, inputOffset, inputCount);

            // AONT the message
            byte[] messageAONT = moAONT.Encode(inputBuffer, inputOffset, inputCount);

            // Get MAC of the output of the AONT
            byte[] macMessageAONT = moMAC.ComputeHash(messageAONT);

            // Encrypt the head of the AONT message using the Symmetric Cipher
            moCipher.BlockSize = macMessageAONT.Length * 8;
            moCipher.IV        = macMessageAONT;
            byte[] cipheredHeadOfMessageAONT = moCipher.CreateEncryptor().TransformFinalBlock(messageAONT, 0, mKey.Length);
            // Replace the head of the AONT message with the encrypted head
            Buffer.BlockCopy(cipheredHeadOfMessageAONT, 0, messageAONT, 0, cipheredHeadOfMessageAONT.Length);

            // Copy the MAC and ciphered data to the ciphertext
            byte[] ciphertext = new byte[macMessageAONT.Length + messageAONT.Length];
            Buffer.BlockCopy(macMessageAONT, 0, ciphertext, 0, macMessageAONT.Length);
            Buffer.BlockCopy(messageAONT, 0, ciphertext, macMessageAONT.Length, messageAONT.Length);

            return(ciphertext);
        }
예제 #2
0
        public byte[] TransformFinalBlock(byte[] inputBuffer, int inputOffset, int inputCount)
        {
            #region Validation
            Validate.AnArray(inputBuffer, inputOffset, inputCount);
            #endregion

            // Set the padding to always be 1 byte
            byte[] padding = new byte[] { 1 };
            // Increase the padding if the input if AONT message length isn't enough to create 1 byte parts
            if (moAONT.outputLengthForInputLength(inputCount) < (2 * miTotalPairsCount))
            {
                int paddingBytes = (2 * miTotalPairsCount) - moAONT.outputLengthForInputLength(inputCount);
                if (paddingBytes > 255)
                {
                    throw new Exception("Unable to pad message as parameters have caused more than 255 padding bytes to be required");
                }
                padding = new byte[paddingBytes];
                for (int i = 0; i < paddingBytes; i++)
                {
                    padding[i] = (byte)paddingBytes;
                }
            }


            // If the message length is odd, then set a flag to copy the last byte of AONT(m) straight to the ciphertext
            bool bMsgLengthOdd = false;
            if ((inputCount + padding.Length) % 2 != 0)
            {
                bMsgLengthOdd = true;
            }

            // Copy the message + padding
            byte[] message = new byte[inputCount + padding.Length];
            Buffer.BlockCopy(inputBuffer, inputOffset, message, 0, inputCount);
            Buffer.BlockCopy(padding, 0, message, inputCount, padding.Length);

            // All Or Nothing Transform the message
            byte[] encodedMessage = moAONT.Encode(message);
            //string hex = BitConverter.ToString(encodedMessage);
            //Console.WriteLine("AONT Message: " + hex.Replace("-", "") + " (length = " + encodedMessage.Length + ")");

            // For an odd length message we will copy the last byte straight to the ciphertext, so for the purpose of processing we ignore this byte
            int encodedMessageLength = bMsgLengthOdd ? encodedMessage.Length - 1 : encodedMessage.Length;

            // Determine the size of each message part (except for perhaps the last
            int partSize = getMaxPartSize(encodedMessageLength, 2 * miTotalPairsCount);

            // Generate the MAC seed
            byte[] seedMAC = new byte[miTotalPairsCount / 8];
            (new RNGCryptoServiceProvider()).GetBytes(seedMAC);

            // Allocate space for a buffer to calculate the HMAC on
            byte[] bufferHMAC = new byte[seedMAC.Length + 1 + 2 * partSize];    // We will HMAC the HMAC seed, the index and the 2 parts

            // Copy the HMAC seed to the HMAC buffer
            Buffer.BlockCopy(seedMAC, 0, bufferHMAC, 0, seedMAC.Length);

            // Allocate space for the MAC bits
            byte[] bitsMAC = new byte[miTotalPairsCount / 8];

            // Allocate space for the ciphertext = Length of Encrypt-then MAC + HMAC seed + MAC bits + encoded message length
            byte[] ciphertext = new byte[moMAC.HashSize / 8 + seedMAC.Length + bitsMAC.Length + encodedMessageLength + (bMsgLengthOdd?1:0)];
            // For an odd length message copy the last encoded byte directly to the ciphertext
            if (bMsgLengthOdd)
            {
                ciphertext[ciphertext.Length - 1] = encodedMessage[encodedMessage.Length - 1];
            }

            // Note where to write the swapped parts
            int ciphertextOffset = moMAC.HashSize / 8 + seedMAC.Length + bitsMAC.Length;
            // Offset into the encodedMessage
            int offset = 0;

            for (int i = 0; i < miTotalPairsCount; i++)
            {
                bufferHMAC[seedMAC.Length] = (byte)i;
                // Make a copy of the 2 parts in the correct order
                Buffer.BlockCopy(encodedMessage, offset, bufferHMAC, seedMAC.Length + 1, 2 * partSize);
                // Calculate the MAC of the 2 parts in the correct order
                byte[] oMACUnswapped = moMAC.ComputeHash(bufferHMAC);
                // Make a copy of the 2 parts in the swapped order
                Buffer.BlockCopy(encodedMessage, offset + partSize, bufferHMAC, seedMAC.Length + 1, partSize);
                Buffer.BlockCopy(encodedMessage, offset, bufferHMAC, seedMAC.Length + 1 + partSize, partSize);
                // Calculate the MAC of the 2 parts in the swapped order
                byte[] oMACSwapped = moMAC.ComputeHash(bufferHMAC);

                // Find the location of the first bit difference of the MACs
                bool found = false;
                for (byte j = 0; j < oMACUnswapped.Length; j++)
                {
                    if (oMACSwapped[j] != oMACUnswapped[j])
                    {
                        for (byte k = 0; k < 8; k++)
                        {
                            Boolean bUnSwappedBitSet = ((oMACUnswapped[j] & ((byte)1 << k)) > 0);
                            Boolean bSwappedBitSet   = ((oMACSwapped[j] & ((byte)1 << k)) > 0);
                            if (bUnSwappedBitSet != bSwappedBitSet)
                            {
                                // Record the value of the bit from the unswapped MAC
                                byte bitValue = bUnSwappedBitSet ? (byte)1 : (byte)0;
                                bitsMAC[i / 8] |= (byte)(bitValue << (7 - (i % 8)));
                                found           = true;
                                break;
                            }
                        }
                    }
                    if (found)
                    {
                        break;
                    }
                }
                if (!found)
                {
                    // Either the parts were identical, or we found a hash collision(!).  We allow this case under the assumption that it won't happen
                    // very often and that although it reduces the overall security, it won't reduce it much.
                }

                // Copy to ciphertext
                Buffer.BlockCopy(moRandOrd.Swap(encodedMessage, offset, 2 * partSize), 0, ciphertext, ciphertextOffset, 2 * partSize);
                ciphertextOffset += (2 * partSize);

                offset += (2 * partSize);

                partSize = getNextPartSize(encodedMessageLength, offset, (i + 1) * 2, 2 * miTotalPairsCount);

                // If the partSize changes we need to alter the size of bufferHMAC
                if (bufferHMAC.Length != (seedMAC.Length + 1 + 2 * partSize))
                {
                    bufferHMAC = new byte[seedMAC.Length + 1 + 2 * partSize];
                }
            }

            // Prepend the HMAC seed
            Buffer.BlockCopy(seedMAC, 0, ciphertext, moMAC.HashSize / 8, seedMAC.Length);

            // Prepend the bits from the MACs
            Buffer.BlockCopy(bitsMAC, 0, ciphertext, moMAC.HashSize / 8 + seedMAC.Length, bitsMAC.Length);

            // Prepend Encrypt-then-MAC construction to the beginning of the ciphertext
            byte[] EtM = moMAC.ComputeHash(ciphertext, moMAC.HashSize / 8, ciphertext.Length - (moMAC.HashSize / 8));
            Buffer.BlockCopy(EtM, 0, ciphertext, 0, EtM.Length);

            return(ciphertext);
        }