public void ThrowWhenDecryptingLessThanSixtyFiveBytes(byte[] ciphertext)
        {
            // Too-short input must be rejected as an argument error before any tag verification or
            // decryption is attempted; the minimum envelope is 65 bytes (see method name).
            var dek = new ProtectedDataEncryptionKey("EK", keyEncryptionKey, encryptedDataEncryptionKey);
            var algorithm = AeadAes256CbcHmac256EncryptionAlgorithm.GetOrCreate(dek, EncryptionType.Deterministic);

            Assert.Throws<ArgumentException>(() => algorithm.Decrypt(ciphertext));
        }
        public void ThrowWhenDecryptionAnInvalidAuthenticationTag()
        {
            // 65 bytes (1..65) satisfies the length precondition, so the failure observed here comes
            // from the authentication tag not verifying, which surfaces as CryptographicException
            // rather than ArgumentException.
            byte[] forgedEnvelope = new byte[65];
            for (int i = 0; i < forgedEnvelope.Length; i++)
            {
                forgedEnvelope[i] = (byte)(i + 1);
            }

            var dek = new ProtectedDataEncryptionKey("EK", keyEncryptionKey, encryptedDataEncryptionKey);
            var algorithm = AeadAes256CbcHmac256EncryptionAlgorithm.GetOrCreate(dek, EncryptionType.Deterministic);

            Assert.Throws<CryptographicException>(() => algorithm.Decrypt(forgedEnvelope));
        }
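 /// <summary>
 /// Initializes a new instance of MdeEncryptionAlgorithm.
 /// Uses <see cref="AeadAes256CbcHmac256EncryptionAlgorithm"/> which implements authenticated encryption algorithm with associated data as described
 /// <see href="http://tools.ietf.org/html/draft-mcgrew-aead-aes-cbc-hmac-sha2-05">here</see> .
 /// More specifically this implements AEAD_AES_256_CBC_HMAC_SHA256 algorithm.
 /// </summary>
 /// <param name="dataEncryptionKey"> Data Encryption Key </param>
 /// <param name="encryptionType"> Encryption type </param>
 /// <exception cref="ArgumentNullException"><paramref name="dataEncryptionKey"/> is null.</exception>
 public MdeEncryptionAlgorithm(
     Data.Encryption.Cryptography.DataEncryptionKey dataEncryptionKey,
     Data.Encryption.Cryptography.EncryptionType encryptionType)
 {
     // Fail fast with a named argument, consistent with the DataEncryptionKeyProperties overload,
     // instead of letting a null key propagate into the algorithm cache.
     if (dataEncryptionKey == null)
     {
         throw new ArgumentNullException(nameof(dataEncryptionKey));
     }

     this.mdeAeadAes256CbcHmac256EncryptionAlgorithm = AeadAes256CbcHmac256EncryptionAlgorithm.GetOrCreate(
         dataEncryptionKey,
         encryptionType);
 }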
        public void ReturnNullWhenDecryptingNull()
        {
            // Decrypt is expected to pass a null ciphertext through as a null plaintext rather than throw.
            var dek = new ProtectedDataEncryptionKey("EK", keyEncryptionKey, encryptedDataEncryptionKey);
            var algorithm = AeadAes256CbcHmac256EncryptionAlgorithm.GetOrCreate(dek, EncryptionType.Deterministic);

            byte[] result = algorithm.Decrypt(null);

            Assert.Null(result);
        }
        /// <summary>
        /// Initializes a new instance of MdeEncryptionAlgorithm.
        /// Uses <see cref="AeadAes256CbcHmac256EncryptionAlgorithm"/> which implements authenticated encryption algorithm with associated data as described
        /// <see href="http://tools.ietf.org/html/draft-mcgrew-aead-aes-cbc-hmac-sha2-05">here</see> .
        /// More specifically this implements AEAD_AES_256_CBC_HMAC_SHA256 algorithm.
        /// </summary>
        /// <param name="dekProperties"> Data Encryption Key properties</param>
        /// <param name="encryptionType"> Encryption type </param>
        /// <param name="encryptionKeyStoreProvider"> EncryptionKeyStoreProvider for wrapping and unwrapping </param>
        /// <param name="cacheTimeToLive">
        /// Time-to-live applied to the cached protected data encryption key. <see cref="TimeSpan.Zero"/> bypasses the
        /// cache and builds a fresh key instance; null uses the cache with its existing time-to-live.
        /// </param>
        /// <exception cref="ArgumentNullException">
        /// <paramref name="dekProperties"/> or <paramref name="encryptionKeyStoreProvider"/> is null.
        /// </exception>
        public MdeEncryptionAlgorithm(
            DataEncryptionKeyProperties dekProperties,
            Data.Encryption.Cryptography.EncryptionType encryptionType,
            EncryptionKeyStoreProvider encryptionKeyStoreProvider,
            TimeSpan? cacheTimeToLive)
        {
            if (dekProperties == null)
            {
                throw new ArgumentNullException(nameof(dekProperties));
            }

            if (encryptionKeyStoreProvider == null)
            {
                throw new ArgumentNullException(nameof(encryptionKeyStoreProvider));
            }

            var wrapMetadata = dekProperties.EncryptionKeyWrapMetadata;
            KeyEncryptionKey kek = KeyEncryptionKey.GetOrCreate(
                wrapMetadata.Name,
                wrapMetadata.Value,
                encryptionKeyStoreProvider);

            ProtectedDataEncryptionKey protectedKey;

            if (cacheTimeToLive == TimeSpan.Zero)
            {
                // A zero TTL means "do not cache": construct a private instance instead of
                // consulting the shared ProtectedDataEncryptionKey cache.
                protectedKey = new ProtectedDataEncryptionKey(
                    dekProperties.Id,
                    kek,
                    dekProperties.WrappedDataEncryptionKey);
            }
            else
            {
                protectedKey = ProtectedDataEncryptionKey.GetOrCreate(
                    dekProperties.Id,
                    kek,
                    dekProperties.WrappedDataEncryptionKey);

                // Only an explicit, non-zero TTL overrides the cached key's time-to-live.
                // NOTE(review): GetOrCreate presumably hands back a shared cached instance, so this
                // assignment is visible to every other holder of the same key — confirm that is intended.
                if (cacheTimeToLive.HasValue)
                {
                    protectedKey.TimeToLive = cacheTimeToLive.Value;
                }
            }

            this.mdeAeadAes256CbcHmac256EncryptionAlgorithm = AeadAes256CbcHmac256EncryptionAlgorithm.GetOrCreate(
                protectedKey,
                encryptionType);
        }
        /// <summary>
        /// Serializes each element of <paramref name="source"/> with the serializer configured in
        /// <paramref name="settings"/> and encrypts it with the AEAD_AES_256_CBC_HMAC_SHA256 algorithm
        /// for the settings' data encryption key and encryption type.
        /// </summary>
        /// <param name="source">Plaintext items to encrypt.</param>
        /// <param name="settings">Provides the data encryption key, encryption type and serializer.</param>
        /// <returns>One ciphertext per source element, produced lazily.</returns>
        /// <remarks>
        /// This is an iterator: nothing (including the algorithm lookup on <paramref name="settings"/>) runs
        /// until the result is enumerated, so a null <paramref name="settings"/> fails on first MoveNext rather than at the call.
        /// </remarks>
        internal static IEnumerable<byte[]> Encrypt(this IEnumerable source, EncryptionSettings settings)
        {
            DataProtector protector = AeadAes256CbcHmac256EncryptionAlgorithm.GetOrCreate(settings.DataEncryptionKey, settings.EncryptionType);
            ISerializer serializer = settings.GetSerializer();

            foreach (object element in source)
            {
                yield return protector.Encrypt(serializer.Serialize(element));
            }
        }
        public void EncryptToSameCiphertextWhenDeterministicEncryptionTypeSelected(DataEncryptionKey encryptionKey)
        {
            // Deterministic mode must map identical plaintext to identical ciphertext (this is what makes
            // equality lookups on encrypted values possible, and also what leaks equality to an observer).
            var algorithm = AeadAes256CbcHmac256EncryptionAlgorithm.GetOrCreate(encryptionKey, EncryptionType.Deterministic);
            byte[] plaintext = { 1, 2, 3, 4, 5 };

            byte[] first = algorithm.Encrypt(plaintext);
            byte[] second = algorithm.Encrypt(plaintext);
            byte[] third = algorithm.Encrypt(plaintext);

            Assert.Equal(first, second);
            Assert.Equal(second, third);
            Assert.Equal(first, third);
        }
        public void EncryptToDifferentCiphertextWhenRandomizedEncryptionTypeSelected(DataEncryptionKey encryptionKey)
        {
            // Randomized mode must produce a different ciphertext on every call for the same plaintext.
            var algorithm = AeadAes256CbcHmac256EncryptionAlgorithm.GetOrCreate(encryptionKey, EncryptionType.Randomized);
            byte[] plaintext = { 1, 2, 3, 4, 5 };

            byte[] first = algorithm.Encrypt(plaintext);
            byte[] second = algorithm.Encrypt(plaintext);
            byte[] third = algorithm.Encrypt(plaintext);

            Assert.NotEqual(first, second);
            Assert.NotEqual(second, third);
            Assert.NotEqual(first, third);
        }
 /// <summary>
 /// Derives a new <see cref="EncryptionSettings"/> from <paramref name="settingsForKey"/> that keeps its key
 /// id, data encryption key and time-to-live but uses <paramref name="encryptionType"/>, with the matching
 /// AEAD_AES_256_CBC_HMAC_SHA256 algorithm instance resolved for that key/type pair.
 /// </summary>
 /// <param name="settingsForKey">Settings carrying the key material to reuse.</param>
 /// <param name="encryptionType">Encryption type the new settings should use.</param>
 /// <returns>A new settings instance; <paramref name="settingsForKey"/> is not modified.</returns>
 internal static EncryptionSettings Create(
     EncryptionSettings settingsForKey,
     EncryptionType encryptionType)
 {
     var dataEncryptionKey = settingsForKey.DataEncryptionKey;
     var algorithm = AeadAes256CbcHmac256EncryptionAlgorithm.GetOrCreate(dataEncryptionKey, encryptionType);

     return new EncryptionSettings
     {
         ClientEncryptionKeyId = settingsForKey.ClientEncryptionKeyId,
         DataEncryptionKey = dataEncryptionKey,
         EncryptionType = encryptionType,
         EncryptionSettingTimeToLive = settingsForKey.EncryptionSettingTimeToLive,
         AeadAes256CbcHmac256EncryptionAlgorithm = algorithm,
     };
 }
        /// <summary>
        /// Decrypts every element of <paramref name="source"/> (each expected to be a <c>byte[]</c> ciphertext)
        /// with the AEAD_AES_256_CBC_HMAC_SHA256 algorithm for the settings' key and encryption type, then
        /// deserializes each plaintext with the settings' serializer.
        /// </summary>
        /// <param name="source">Ciphertexts to decrypt; each element is cast to <c>byte[]</c>.</param>
        /// <param name="settings">Provides the data encryption key, encryption type and serializer.</param>
        /// <returns>
        /// A <c>List&lt;T&gt;</c> (exposed as <see cref="IList"/>) whose T is the first generic argument of the
        /// serializer's base type; fully materialized, not lazy.
        /// </returns>
        internal static IList Decrypt(this IEnumerable source, EncryptionSettings settings)
        {
            DataProtector protector = AeadAes256CbcHmac256EncryptionAlgorithm.GetOrCreate(settings.DataEncryptionKey, settings.EncryptionType);
            ISerializer serializer = settings.GetSerializer();

            // Element type is taken from the serializer's immediate base type (expected to be Serializer<T>).
            // NOTE(review): this only works when the concrete serializer derives directly from the generic
            // base; a deeper hierarchy or a non-generic base would break here — confirm against the serializers in use.
            Type elementType = serializer.GetType().BaseType.GetGenericArguments()[0];
            Type listType = typeof(List<>).MakeGenericType(elementType);
            IList decrypted = (IList)Activator.CreateInstance(listType);

            foreach (object element in source)
            {
                byte[] ciphertext = (byte[])element;
                byte[] plaintext = protector.Decrypt(ciphertext);
                decrypted.Add(serializer.Deserialize(plaintext));
            }

            return decrypted;
        }
        public void CacheEncryptionAlgorithmsCorrectlyWhenCallingGetOrCreate()
        {
            // Two distinct key objects with the same name and material, plus one with a different name.
            var sameKeyA = new ProtectedDataEncryptionKey("EK", keyEncryptionKey, encryptedDataEncryptionKey);
            var sameKeyB = new ProtectedDataEncryptionKey("EK", keyEncryptionKey, encryptedDataEncryptionKey);
            var otherKey = new ProtectedDataEncryptionKey("Not_EK", keyEncryptionKey, encryptedDataEncryptionKey);

            // Equivalent key + same encryption type -> the cache hands back the very same instance.
            var deterministicA = AeadAes256CbcHmac256EncryptionAlgorithm.GetOrCreate(sameKeyA, EncryptionType.Deterministic);
            var deterministicB = AeadAes256CbcHmac256EncryptionAlgorithm.GetOrCreate(sameKeyB, EncryptionType.Deterministic);
            Assert.Same(deterministicA, deterministicB);

            // Same key but a different encryption type must never share an instance.
            var deterministicAgain = AeadAes256CbcHmac256EncryptionAlgorithm.GetOrCreate(sameKeyA, EncryptionType.Deterministic);
            var randomizedB = AeadAes256CbcHmac256EncryptionAlgorithm.GetOrCreate(sameKeyB, EncryptionType.Randomized);
            Assert.NotSame(deterministicAgain, randomizedB);

            // Different key name, same type -> separate instances (no cross-key cache collision).
            var randomizedA = AeadAes256CbcHmac256EncryptionAlgorithm.GetOrCreate(sameKeyA, EncryptionType.Randomized);
            var randomizedOther = AeadAes256CbcHmac256EncryptionAlgorithm.GetOrCreate(otherKey, EncryptionType.Randomized);
            Assert.NotSame(randomizedA, randomizedOther);
        }
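        /// <summary>
        /// Round-trips <paramref name="originalPlaintext"/> through serialize → encrypt → decrypt → deserialize
        /// for both a protected and a plaintext data encryption key, and for both Deterministic and Randomized
        /// encryption, asserting the result equals the input each time.
        /// </summary>
        /// <typeparam name="T">Plaintext type handled by <paramref name="serializer"/>.</typeparam>
        /// <param name="originalPlaintext">Value to round-trip.</param>
        /// <param name="serializer">Serializer used before encryption and after decryption.</param>
        public void EncryptAndDecryptToTheSameValue<T>(T originalPlaintext, Serializer<T> serializer)
        {
            DataEncryptionKey[] keys =
            {
                new ProtectedDataEncryptionKey("EK", keyEncryptionKey, encryptedDataEncryptionKey),
                new PlaintextDataEncryptionKey("EK", plaintextEncryptionKeyBytes)
            };

            // Cover both encryption types explicitly. The previous `(EncryptionType)random.Next(1, 2)` always
            // yielded 1 because Random.Next's upper bound is exclusive, so only one type was ever exercised
            // while the test appeared to be randomized.
            EncryptionType[] encryptionTypes = { EncryptionType.Deterministic, EncryptionType.Randomized };

            foreach (DataEncryptionKey encryptionKey in keys)
            {
                foreach (EncryptionType encryptionType in encryptionTypes)
                {
                    AeadAes256CbcHmac256EncryptionAlgorithm encryptionAlgorithm = AeadAes256CbcHmac256EncryptionAlgorithm.GetOrCreate(encryptionKey, encryptionType);

                    byte[] serializedPlaintext = serializer.Serialize(originalPlaintext);
                    byte[] ciphertext = encryptionAlgorithm.Encrypt(serializedPlaintext);
                    byte[] decryptedPlaintext = encryptionAlgorithm.Decrypt(ciphertext);
                    T actualPlaintext = serializer.Deserialize(decryptedPlaintext);

                    Assert.Equal(originalPlaintext, actualPlaintext);
                }
            }
        }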