public byte[] DecryptData(EncryptedPacket encryptedPacket, NewRSA rsaParams,
NewDigitalSignature digitalSignature)
{
var decryptedSessionKey =
rsaParams.Decrypt(encryptedPacket.EncryptedSessionKey);
byte[] newHMAC = ComputeHMACSha256(
Combine(encryptedPacket.EncryptedData, encryptedPacket.Iv),
decryptedSessionKey);
if (!Compare(encryptedPacket.SignatureHMAC, newHMAC))
{
throw new CryptographicException(
"HMAC for decryption does not match encrypted packet.");
}
if (!digitalSignature.VerifySignature(
encryptedPacket.Signature,
encryptedPacket.SignatureHMAC))
{
throw new CryptographicException(
"Digital Signature can not be verified.");
}
var decryptedData = _aes.Decrypt(encryptedPacket.EncryptedData,
decryptedSessionKey,
encryptedPacket.Iv,
encryptedPacket.Tag,
null);
return(decryptedData);
}
public EncryptedPacket EncryptData(byte[] original, NewRSA rsaParams,
NewDigitalSignature digitalSignature)
{
// Create AES session key.
var sessionKey = _aes.GenerateRandomNumber(32);
var encryptedPacket = new EncryptedPacket {
Iv = _aes.GenerateRandomNumber(12)
};
// Encrypt data with AES-GCM
(byte[] ciphereText, byte[] tag)encrypted =
_aes.Encrypt(original, sessionKey, encryptedPacket.Iv, null);
encryptedPacket.EncryptedData = encrypted.ciphereText;
encryptedPacket.Tag = encrypted.tag;
encryptedPacket.EncryptedSessionKey = rsaParams.Encrypt(sessionKey);
encryptedPacket.SignatureHMAC =
ComputeHMACSha256(
Combine(encryptedPacket.EncryptedData, encryptedPacket.Iv),
sessionKey);
encryptedPacket.Signature =
digitalSignature.SignData(encryptedPacket.SignatureHMAC);
return(encryptedPacket);
}
