private static CryptographicKey DeriveKey(CryptographicKey key) { using (var hmac = new HMACSHA512(key.GetKeyMaterial())) { GetKeyDerivationParameters(out var label, out var context); var derivedKey = DeriveKeyImpl(hmac, label, context, key.KeyLength); return(new CryptographicKey(derivedKey)); } }
private static byte[] Unprotect(byte[] protectedData, CryptographicKey decryptionKey, CryptographicKey validationKey, CryptoAlgorithmFactory cryptoAlgorithmFactory) { // The entire operation is wrapped in a 'checked' block because any overflows should be treated as failures. checked { // We want to check that the input is in the form: // protectedData := IV || Enc(Kenc, IV, clearData) || Sign(Kval, IV || Enc(Kenc, IV, clearData)) // Definitions used in this method: // encryptedPayload := Enc(Kenc, IV, clearData) // signature := Sign(Kval, IV || encryptedPayload) // These SymmetricAlgorithm instances are single-use; we wrap it in a 'using' block. using (var decryptionAlgorithm = cryptoAlgorithmFactory.GetEncryptionAlgorithm()) { decryptionAlgorithm.Key = decryptionKey.GetKeyMaterial(); // These KeyedHashAlgorithm instances are single-use; we wrap it in a 'using' block. using (var validationAlgorithm = cryptoAlgorithmFactory.GetValidationAlgorithm()) { validationAlgorithm.Key = validationKey.GetKeyMaterial(); // First, we need to verify that protectedData is even long enough to contain // the required components (IV, encryptedPayload, signature). var ivByteCount = decryptionAlgorithm.BlockSize / 8; // IV length is equal to the block size var signatureByteCount = validationAlgorithm.HashSize / 8; var encryptedPayloadByteCount = protectedData.Length - ivByteCount - signatureByteCount; if (encryptedPayloadByteCount <= 0) { // protectedData doesn't meet minimum length requirements return(null); } // If that check passes, we need to detect payload tampering. // Compute the signature over the IV and encrypted payload // computedSignature := Sign(Kval, IV || encryptedPayload) var computedSignature = validationAlgorithm.ComputeHash(protectedData, 0, ivByteCount + encryptedPayloadByteCount); if (!BuffersAreEqual( buffer1: protectedData, buffer1Offset: ivByteCount + encryptedPayloadByteCount, buffer1Count: signatureByteCount, buffer2: computedSignature, buffer2Offset: 0, buffer2Count: computedSignature.Length)) { // the computed signature didn't match the incoming signature, which is a sign of payload tampering return(null); } // At this point, we're certain that we generated the signature over this payload, // so we can go ahead with decryption. // Populate the IV from the incoming stream var iv = new byte[ivByteCount]; Buffer.BlockCopy(protectedData, 0, iv, 0, iv.Length); decryptionAlgorithm.IV = iv; // Write the decrypted payload to the memory stream. using (var memStream = new MemoryStream()) { using (var decryptor = decryptionAlgorithm.CreateDecryptor()) { using (var cryptoStream = new CryptoStream(memStream, decryptor, CryptoStreamMode.Write)) { cryptoStream.Write(protectedData, ivByteCount, encryptedPayloadByteCount); cryptoStream.FlushFinalBlock(); // At this point // memStream := clearData var clearData = memStream.ToArray(); return(clearData); } } } } } } }