/// <summary> /// Open a properly configured <see cref="SymmetricAlgorithm"/> conforming to the /// scheme identified by <paramref name="aeCipher"/>. /// </summary> /// <param name="aeCipher">The cipher mode to open.</param> /// <param name="keyEnc">The key data.</param> /// <returns> /// A SymmetricAlgorithm object with the right key, cipher mode, and padding /// mode; or <c>null</c> on unknown algorithms. /// </returns> private static SymmetricAlgorithm GetCipher(AeCipher aeCipher, byte[] keyEnc) { SymmetricAlgorithm symmetricAlgorithm; switch (aeCipher) { case AeCipher.Aes256CbcPkcs7: symmetricAlgorithm = Aes.Create(); // While 256-bit, CBC, and PKCS7 are all the default values for these // properties, being explicit helps comprehension more than it hurts // performance. symmetricAlgorithm.KeySize = 256; symmetricAlgorithm.Mode = CipherMode.CBC; symmetricAlgorithm.Padding = PaddingMode.PKCS7; break; default: // An algorithm we don't understand throw new CryptographicException("Invalid Cipher algorithm"); } symmetricAlgorithm.Key = keyEnc; return(symmetricAlgorithm); }
public static byte[] Decrypt(byte[] keyEnc, byte[] keyMac, byte[] cipherText) { if (keyEnc == null) { throw new ArgumentNullException(nameof(keyEnc)); } if (keyMac == null) { throw new ArgumentNullException(nameof(keyMac)); } if (keyEnc.Length < 32) { throw new ArgumentOutOfRangeException( nameof(keyEnc), "Encryption Key must be at least 256 bits (32 bytes)"); } if (keyMac.Length < 32) { throw new ArgumentOutOfRangeException( nameof(keyMac), "Mac Key must be at least 256 bits (32 bytes)"); } if (cipherText == null) { throw new ArgumentNullException(nameof(cipherText)); } // The format of this message is assumed to be public, so there's no harm in // saying ahead of time that the message makes no sense. if (cipherText.Length < 2) { throw new CryptographicException(); } // Use the message algorithm headers to determine what cipher algorithm and // MAC algorithm are going to be used. Since the same Key Derivation // Functions (KDFs) are being used in Decrypt as Encrypt, the keys are also // the same. AeCipher aeCipher = (AeCipher)cipherText[0]; AeMac aeMac = (AeMac)cipherText[1]; using (SymmetricAlgorithm cipher = GetCipher(aeCipher, keyEnc)) using (HMAC tagGenerator = GetMac(aeMac, keyMac)) { int blockSizeInBytes = cipher.BlockSize / 8; int tagSizeInBytes = tagGenerator.HashSize / 8; int headerSizeInBytes = 2; int tagOffset = headerSizeInBytes; int ivOffset = tagOffset + tagSizeInBytes; int cipherTextOffset = ivOffset + blockSizeInBytes; int cipherTextLength = cipherText.Length - cipherTextOffset; int minLen = cipherTextOffset + blockSizeInBytes; // Again, the minimum length is still assumed to be public knowledge, // nothing has leaked out yet. The minimum length couldn't just be calculated // without reading the header. if (cipherText.Length < minLen) { throw new CryptographicException(); } // It's very important that the MAC be calculated and verified before // proceeding to decrypt the ciphertext, as this prevents any sort of // information leaking out to an attacker. // // Don't include the tag in the calculation, though. var data = new byte[cipherText.Length - tagSizeInBytes]; // First, everything before the tag (the cipher and MAC algorithm ids) Buffer.BlockCopy(cipherText, 0, data, 0, tagOffset); // Skip the data before the tag and the tag, then read everything that remains. Buffer.BlockCopy(cipherText, (tagOffset + tagSizeInBytes), data, tagOffset, cipherText.Length - (tagOffset + tagSizeInBytes)); tagGenerator.AppendData(data); byte[] generatedTag = tagGenerator.GetHashAndReset(); byte[] expectedPayload = new byte[tagSizeInBytes]; Buffer.BlockCopy(cipherText, tagOffset, expectedPayload, 0, tagSizeInBytes); if (!CryptographicEquals( generatedTag, 0, cipherText, tagOffset, tagSizeInBytes)) { // Assuming every tampered message (of the same length) took the same // amount of time to process, we can now safely say // "this data makes no sense" without giving anything away. throw new CryptographicException("Mismatch in signed data"); } // Restore the IV into the symmetricAlgorithm instance. byte[] iv = new byte[blockSizeInBytes]; Buffer.BlockCopy(cipherText, ivOffset, iv, 0, iv.Length); cipher.IV = iv; using (ICryptoTransform decryptor = cipher.CreateDecryptor()) { return(Transform( decryptor, cipherText, cipherTextOffset, cipherTextLength)); } } }