public void SecondChainRatchetTest()
{
byte[] rk = rng.Generate(32);
byte[] rhk = rng.Generate(32);
byte[] shk = rng.Generate(32);
var skey1 = new KeyAgreement(KeyGeneration.GeneratePrivateKey());
var skey2 = new KeyAgreement(KeyGeneration.GeneratePrivateKey());
var skey3 = new KeyAgreement(KeyGeneration.GeneratePrivateKey());
var ckey1 = new KeyAgreement(KeyGeneration.GeneratePrivateKey());
var ckey2 = new KeyAgreement(KeyGeneration.GeneratePrivateKey());
var ckey3 = new KeyAgreement(KeyGeneration.GeneratePrivateKey());
byte[] spub1 = skey1.GetPublicKey();
byte[] spub2 = skey2.GetPublicKey();
byte[] spub3 = skey3.GetPublicKey();
byte[] cpub1 = ckey1.GetPublicKey();
byte[] cpub2 = ckey2.GetPublicKey();
byte[] cpub3 = ckey2.GetPublicKey();
var secdhstep1 = EcdhRatchetStep.InitializeServer(kdf, digest,
skey1, rk, cpub1, skey2, rhk, shk);
var cecdhsteps = EcdhRatchetStep.InitializeClient(kdf, digest,
rk, spub1, spub2, ckey1, shk, rhk, ckey2);
var secdhstep2 = secdhstep1.Ratchet(kdf, digest,
cpub2, skey3);
// and the server sends back
var cecdhstep3 = cecdhsteps[1].Ratchet(kdf, digest,
spub3, ckey3);
var serverkeys = secdhstep2.SendingChain.RatchetForSending(kdf);
var clientkeys = cecdhstep3.ReceivingChain.RatchetForReceiving(kdf, serverkeys.generation);
Assert.Equal(serverkeys.key, clientkeys.key);
}
public void InitialChainSymmetryTest1()
{
byte[] rk = rng.Generate(32);
byte[] rhk = rng.Generate(32);
byte[] shk = rng.Generate(32);
var skey1 = new KeyAgreement(KeyGeneration.GeneratePrivateKey());
var skey2 = new KeyAgreement(KeyGeneration.GeneratePrivateKey());
var ckey1 = new KeyAgreement(KeyGeneration.GeneratePrivateKey());
var ckey2 = new KeyAgreement(KeyGeneration.GeneratePrivateKey());
byte[] spub1 = skey1.GetPublicKey();
byte[] spub2 = skey2.GetPublicKey();
byte[] cpub1 = ckey1.GetPublicKey();
byte[] cpub2 = ckey2.GetPublicKey();
var secdhstep = EcdhRatchetStep.InitializeServer(kdf, digest,
skey1, rk, cpub1, skey2, rhk, shk);
var cecdhsteps = EcdhRatchetStep.InitializeClient(kdf, digest,
rk, spub1, spub2, ckey1, shk, rhk, ckey2);
// the initialized client can send to the server
var clientkeys = cecdhsteps[0].SendingChain.RatchetForSending(kdf);
var serverkeys = secdhstep.ReceivingChain.RatchetForReceiving(kdf, clientkeys.generation);
Assert.Equal(clientkeys.key, serverkeys.key);
}
public void InitialChainRatchetTest()
{
byte[] rk = rng.Generate(32);
byte[] rhk = rng.Generate(32);
byte[] shk = rng.Generate(32);
var skey1 = new KeyAgreement(KeyGeneration.GeneratePrivateKey());
var skey2 = new KeyAgreement(KeyGeneration.GeneratePrivateKey());
var skey3 = new KeyAgreement(KeyGeneration.GeneratePrivateKey());
var ckey1 = new KeyAgreement(KeyGeneration.GeneratePrivateKey());
var ckey2 = new KeyAgreement(KeyGeneration.GeneratePrivateKey());
byte[] spub1 = skey1.GetPublicKey();
byte[] spub2 = skey2.GetPublicKey();
byte[] spub3 = skey3.GetPublicKey();
byte[] cpub1 = ckey1.GetPublicKey();
byte[] cpub2 = ckey2.GetPublicKey();
var secdhstep1 = EcdhRatchetStep.InitializeServer(kdf, digest,
skey1, rk, cpub1, skey2, rhk, shk);
var cecdhsteps = EcdhRatchetStep.InitializeClient(kdf, digest,
rk, spub1, spub2, ckey1, shk, rhk, ckey2);
// client sends new ECDH to server
var secdhstep2 = secdhstep1.Ratchet(kdf, digest,
cpub2, skey3);
// which means the client now can send using its latest step
var clientkeys = cecdhsteps[1].SendingChain.RatchetForSending(kdf);
var serverkeys = secdhstep2.ReceivingChain.RatchetForReceiving(kdf, clientkeys.generation);
Assert.Equal(clientkeys.key, serverkeys.key);
}
public void ReferenceTests(byte[] pri, byte[] pub, byte[] expected)
{
var prik = KeyAgreement.Deserialize(new MemoryStream(pri));
var der = prik.DeriveKey(new ArraySegment <byte>(pub));
Assert.Equal(expected, der);
}
public void setShouldCrypto(Boolean shouldCrypto)
{
_shouldCrypto = shouldCrypto;
if (_shouldCrypto)
{
_keyAgreement = new KeyAgreement();
_keyAgreement.start();
}
}
public void DisposeTest()
{
byte[] priKey = KeyGeneration.GeneratePrivateKey();
var ke = new KeyAgreement(priKey);
ke.Dispose();
Assert.Throws <ObjectDisposedException>(() => ke.GetPublicKey());
Assert.Throws <ObjectDisposedException>(() => ke.DeriveKey(new byte[0]));
}
public void ClientInitializeReferenceTest(byte[] rk, byte[] rhk, byte[] shk, byte[] _ckey1, byte[] _ckey2, byte[] spub1, byte[] spub2, byte[] rckey, byte[] sckey)
{
var ckey1 = new KeyAgreement(_ckey1);
var ckey2 = new KeyAgreement(_ckey2);
var ecdhsteps = EcdhRatchetStep.InitializeClient(kdf, digest,
rk, spub1, spub2, ckey1, rhk, shk, ckey2);
Assert.Equal(rckey, ecdhsteps[1].ReceivingChain.ChainKey);
Assert.Equal(sckey, ecdhsteps[0].SendingChain.ChainKey);
}
public void ServerInitializeReferenceTest(byte[] rk, byte[] rhk, byte[] shk, byte[] _skey1, byte[] _skey2, byte[] cpub, byte[] rckey, byte[] sckey)
{
var skey1 = new KeyAgreement(_skey1);
var skey2 = new KeyAgreement(_skey2);
var ecdhstep = EcdhRatchetStep.InitializeServer(kdf, digest,
skey1, rk, cpub, skey2, rhk, shk);
Assert.Equal(rckey, ecdhstep.ReceivingChain.ChainKey);
Assert.Equal(sckey, ecdhstep.SendingChain.ChainKey);
}
public void RatchetReferenceTest(byte[] nrk, byte[] rhk, byte[] nrhk, byte[] rck, byte[] shk, byte[] nshk, byte[] sck, byte[] _key, byte[] rpk, byte[] erck)
{
var key = new KeyAgreement(_key);
var step0 = EcdhRatchetStep.Create(key, nrk,
0, rhk, nrhk, rck,
0, shk, nshk, sck);
var step1 = step0.Ratchet(kdf, digest, rpk, new KeyAgreement(KeyGeneration.GeneratePrivateKey()));
Assert.Equal(erck, step1.ReceivingChain.ChainKey);
}
public void RatchetReferenceTest2(byte[] nrk, byte[] rhk, byte[] nrhk, byte[] rck, byte[] shk, byte[] nshk, byte[] sck, byte[] _key, byte[] rpk, byte[] _nkey, byte[] esck)
{
var key = new KeyAgreement(_key);
var nkey = new KeyAgreement(_nkey);
var step0 = EcdhRatchetStep.Create(key, nrk,
0, rhk, nrhk, rck,
0, shk, nshk, sck);
var step1 = step0.Ratchet(kdf, digest, rpk, nkey);
Assert.Equal(esck, step1.SendingChain.ChainKey);
}
public SecureChannelHandshakeKeyExchange(KeyAgreement keyAgreement, SecureChannelHandshakeHello serverHello, SecureChannelHandshakeHello clientHello, byte[] psk)
: base(SecureChannelCode.None)
{
_ephemeralPublicKey = keyAgreement.GetPublicKey();
if (serverHello.Options.HasFlag(SecureChannelOptions.PRE_SHARED_KEY_AUTHENTICATION_REQUIRED))
{
_pskAuth = GetPskAuthValue(serverHello.SupportedCiphers, _ephemeralPublicKey, serverHello.Nonce.Value, clientHello.Nonce.Value, psk);
}
else
{
_pskAuth = new BinaryNumber(new byte[] { });
}
}
public void BasicTest()
{
byte[] priKey1 = KeyGeneration.GeneratePrivateKey();
byte[] priKey2 = KeyGeneration.GeneratePrivateKey();
var ke1 = new KeyAgreement(priKey1);
var ke2 = new KeyAgreement(priKey2);
var pub1 = ke1.GetPublicKey();
var pub2 = ke2.GetPublicKey();
var k1 = ke1.DeriveKey(pub2);
var k2 = ke2.DeriveKey(pub1);
Assert.NotEqual(priKey1, priKey2);
Assert.NotEqual(pub1, pub2);
Assert.Equal(k1, k2);
}
public void InitialChainSymmetryReferenceTest(byte[] rk, byte[] rhk, byte[] shk, byte[] _skey1, byte[] _skey2, byte[] _ckey1, byte[] _ckey2, byte[] rckey, byte[] sckey)
{
var skey1 = new KeyAgreement(_skey1);
var skey2 = new KeyAgreement(_skey2);
var ckey1 = new KeyAgreement(_ckey1);
var ckey2 = new KeyAgreement(_ckey2);
byte[] spub1 = skey1.GetPublicKey();
byte[] spub2 = skey2.GetPublicKey();
byte[] cpub1 = ckey1.GetPublicKey();
byte[] cpub2 = ckey2.GetPublicKey();
var secdhstep = EcdhRatchetStep.InitializeServer(kdf, digest,
skey1, rk, cpub1, skey2, rhk, shk);
var cecdhsteps = EcdhRatchetStep.InitializeClient(kdf, digest,
rk, spub1, spub2, ckey1, shk, rhk, ckey2);
Assert.Equal(rckey, secdhstep.ReceivingChain.ChainKey);
Assert.Equal(rckey, cecdhsteps[0].SendingChain.ChainKey);
Assert.Equal(sckey, secdhstep.SendingChain.ChainKey);
Assert.Equal(sckey, cecdhsteps[1].ReceivingChain.ChainKey);
}
public void ServerInitializeTest()
{
byte[] rk = rng.Generate(32);
byte[] rhk = rng.Generate(32);
byte[] shk = rng.Generate(32);
var skey1 = new KeyAgreement(KeyGeneration.GeneratePrivateKey());
var skey2 = new KeyAgreement(KeyGeneration.GeneratePrivateKey());
byte[] ckey = KeyGeneration.GeneratePrivateKey();
byte[] cpub = KeyGeneration.GetPublicKeyFromPrivateKey(ckey);
var ecdhstep = EcdhRatchetStep.InitializeServer(kdf, digest,
skey1, rk, cpub, skey2, rhk, shk);
Assert.NotNull(ecdhstep);
Assert.NotNull(ecdhstep.NextReceiveHeaderKey);
Assert.NotNull(ecdhstep.NextSendHeaderKey);
Assert.NotNull(ecdhstep.NextRootKey);
Assert.NotNull(ecdhstep.ReceiveHeaderKey);
Assert.NotNull(ecdhstep.ReceivingChain.ChainKey);
Assert.Equal(0, ecdhstep.ReceivingChain.Generation);
Assert.NotNull(ecdhstep.SendingChain.ChainKey);
Assert.Equal(0, ecdhstep.SendingChain.Generation);
}
public void ClientInitializeTest()
{
byte[] rk = rng.Generate(32);
byte[] rhk = rng.Generate(32);
byte[] shk = rng.Generate(32);
var ckey1 = new KeyAgreement(KeyGeneration.GeneratePrivateKey());
var ckey2 = new KeyAgreement(KeyGeneration.GeneratePrivateKey());
byte[] skey1 = KeyGeneration.GeneratePrivateKey();
byte[] skey2 = KeyGeneration.GeneratePrivateKey();
byte[] spub1 = KeyGeneration.GetPublicKeyFromPrivateKey(skey1);
byte[] spub2 = KeyGeneration.GetPublicKeyFromPrivateKey(skey2);
var ecdhsteps = EcdhRatchetStep.InitializeClient(kdf, digest,
rk, spub1, spub2, ckey1, rhk, shk, ckey2);
Assert.NotNull(ecdhsteps);
Assert.NotNull(ecdhsteps[0]);
Assert.NotNull(ecdhsteps[1]);
Assert.Null(ecdhsteps[0].NextReceiveHeaderKey);
Assert.Null(ecdhsteps[0].NextSendHeaderKey);
Assert.Null(ecdhsteps[0].NextRootKey);
Assert.Null(ecdhsteps[0].ReceiveHeaderKey);
Assert.Null(ecdhsteps[0].ReceivingChain.ChainKey);
Assert.NotNull(ecdhsteps[0].SendHeaderKey);
Assert.NotNull(ecdhsteps[0].SendingChain.ChainKey);
Assert.Equal(0, ecdhsteps[0].SendingChain.Generation);
Assert.NotNull(ecdhsteps[1].NextReceiveHeaderKey);
Assert.NotNull(ecdhsteps[1].NextSendHeaderKey);
Assert.NotNull(ecdhsteps[1].NextRootKey);
Assert.NotNull(ecdhsteps[1].ReceiveHeaderKey);
Assert.NotNull(ecdhsteps[1].ReceivingChain.ChainKey);
Assert.Equal(0, ecdhsteps[1].ReceivingChain.Generation);
Assert.NotNull(ecdhsteps[1].SendingChain.ChainKey);
Assert.Equal(0, ecdhsteps[1].SendingChain.Generation);
}
protected byte[] GenerateMasterKey(SecureChannelHandshakeHello clientHello, SecureChannelHandshakeHello serverHello, byte[] preSharedKey, KeyAgreement keyAgreement, byte[] otherPartyPublicKey)
{
using (MemoryStream mS = new MemoryStream(128))
{
clientHello.WriteTo(mS);
serverHello.WriteTo(mS);
if (preSharedKey == null)
{
keyAgreement.HmacMessage = mS.ToArray();
}
else
{
keyAgreement.HmacMessage = (new HMACSHA256(preSharedKey)).ComputeHash(mS.ToArray());
}
}
return(keyAgreement.DeriveKeyMaterial(otherPartyPublicKey));
}
// my public key
// your public key
// shared secret key
/// <exception cref="System.Exception"></exception>
public virtual void Init()
{
myKpairGen = KeyPairGenerator.GetInstance("DH");
// myKpairGen=KeyPairGenerator.getInstance("DiffieHellman");
myKeyAgree = KeyAgreement.GetInstance("DH");
}
protected void EnableEncryption(Stream inputStream, SecureChannelHandshakeHello serverHello, SecureChannelHandshakeHello clientHello, KeyAgreement keyAgreement, SecureChannelHandshakeKeyExchange otherPartyKeyExchange)
{
using (MemoryStream mS = new MemoryStream(128))
{
mS.Write(serverHello.Nonce.Value);
mS.Write(clientHello.Nonce.Value);
keyAgreement.HmacKey = mS.ToArray();
}
byte[] masterKey = keyAgreement.DeriveKeyMaterial(otherPartyKeyExchange.EphemeralPublicKey);
switch (serverHello.SupportedCiphers)
{
case SecureChannelCipherSuite.DHE2048_ANON_WITH_AES256_CBC_HMAC_SHA256:
case SecureChannelCipherSuite.DHE2048_RSA2048_WITH_AES256_CBC_HMAC_SHA256:
case SecureChannelCipherSuite.ECDHE256_ANON_WITH_AES256_CBC_HMAC_SHA256:
case SecureChannelCipherSuite.ECDHE256_RSA2048_WITH_AES256_CBC_HMAC_SHA256:
//generating AES IV of 128bit block size using MD5
byte[] eIV;
byte[] dIV;
using (HashAlgorithm hash = HashAlgorithm.Create("MD5"))
{
if (this is SecureChannelServerStream)
{
eIV = hash.ComputeHash(serverHello.Nonce.Value);
dIV = hash.ComputeHash(clientHello.Nonce.Value);
}
else
{
eIV = hash.ComputeHash(clientHello.Nonce.Value);
dIV = hash.ComputeHash(serverHello.Nonce.Value);
}
}
//create encryptor
_encryptionAlgo = Aes.Create();
_encryptionAlgo.Key = masterKey;
_encryptionAlgo.IV = eIV;
_encryptionAlgo.Padding = PaddingMode.None; //padding is managed by secure channel
_encryptionAlgo.Mode = CipherMode.CBC;
_encryptor = _encryptionAlgo.CreateEncryptor();
_authHMACEncrypt = new HMACSHA256(masterKey);
//create decryptor
_decryptionAlgo = Aes.Create();
_decryptionAlgo.Key = masterKey;
_decryptionAlgo.IV = dIV;
_decryptionAlgo.Padding = PaddingMode.None; //padding is managed by secure channel
_decryptionAlgo.Mode = CipherMode.CBC;
_decryptor = _decryptionAlgo.CreateDecryptor();
_authHMACDecrypt = new HMACSHA256(masterKey);
//init variables
_blockSizeBytes = _encryptionAlgo.BlockSize / 8;
_writeBufferPadding = new byte[_blockSizeBytes];
_authHMACSizeBytes = _authHMACEncrypt.HashSize / 8;
break;
default:
throw new SecureChannelException(SecureChannelCode.NoMatchingCipherAvailable, _remotePeerEP, _remotePeerUserId);
}
//init variables
_baseStream = inputStream;
_bytesSent = 0;
_connectedOn = DateTime.UtcNow;
if (_renegotiationTimer == null)
{
if ((_renegotiateAfterBytesSent > 0) || (_renegotiateAfterSeconds > 0))
{
_renegotiationTimer = new Timer(delegate(object state)
{
try
{
if (((_renegotiateAfterBytesSent > 0) && (_bytesSent > _renegotiateAfterBytesSent)) || ((_renegotiateAfterSeconds > 0) && (_connectedOn.AddSeconds(_renegotiateAfterSeconds) < DateTime.UtcNow)))
{
Debug.Write(this.GetType().Name, "Renegotiation triggered");
RenegotiateNow();
}
}
catch (Exception ex)
{
Debug.Write(this.GetType().Name, ex);
}
}, null, RENEGOTIATION_TIMER_INTERVAL, RENEGOTIATION_TIMER_INTERVAL);
}
}
}
void receive_service_auth_message(Channel channel, ref EncKeys keys, KeyPair picoEphemeralKey, Nonce picoNonce, ref IntPtr serviceEphemKey, ref Nonce serviceNonce)
{
Json json = new Json();
PicoBuffer buf = new PicoBuffer(0);
PicoBuffer iv = new PicoBuffer(0);
PicoBuffer cleartext = new PicoBuffer(0);
channel.read(buf);
json.deserialize(buf);
Assert.AreEqual(json.get_decimal("sessionId"), 0);
serviceEphemKey = CryptoSupport.read_base64_string_public_key(json.get_string("serviceEphemPublicKey"));
buf.clear();
Base64.decode(json.get_string("serviceNonce"), buf);
serviceNonce = new Nonce();
serviceNonce.set_buffer(buf);
Base64.decode(json.get_string("iv"), iv);
// Generate shared secrets
PicoBuffer sharedSecret;
IntPtr vEphemPriv;
SigmaKeyDeriv sigmakeyderiv;
sharedSecret = new PicoBuffer(0);
vEphemPriv = picoEphemeralKey.getprivatekey();
KeyAgreement.generate_secret(vEphemPriv, serviceEphemKey, sharedSecret);
sigmakeyderiv = new SigmaKeyDeriv();
sigmakeyderiv.set(sharedSecret, picoNonce, serviceNonce);
sharedSecret.delete();
keys.pMacKey = new PicoBuffer(0);
keys.pEncKey = new PicoBuffer(0);
keys.vMacKey = new PicoBuffer(0);
keys.vEncKey = new PicoBuffer(0);
keys.sharedKey = new PicoBuffer(0);
sigmakeyderiv.get_next_key(keys.pMacKey, 256);
sigmakeyderiv.get_next_key(keys.pEncKey, 128);
sigmakeyderiv.get_next_key(keys.vMacKey, 256);
sigmakeyderiv.get_next_key(keys.vEncKey, 128);
sigmakeyderiv.get_next_key(keys.sharedKey, 128);
sigmakeyderiv.delete();
buf.clear();
Base64.decode(json.get_string("encryptedData"), buf);
CryptoSupport.decrypt(keys.vEncKey, iv, buf, cleartext);
int start = 0;
int next = 0;
PicoBuffer servicePublicKeyBytes = new PicoBuffer(0);
PicoBuffer serviceSignature = new PicoBuffer(0);
PicoBuffer serviceMac = new PicoBuffer(0);
next = cleartext.copy_lengthprepend(start, servicePublicKeyBytes);
IntPtr servicePublicKey = CryptoSupport.read_buffer_public_key(servicePublicKeyBytes);
Assert.IsTrue(next > start);
next = cleartext.copy_lengthprepend(start, serviceSignature);
Assert.IsTrue(next > start);
next = cleartext.copy_lengthprepend(start, serviceMac);
Assert.IsTrue(next > start);
// TODO assert signature
json.delete();
buf.delete();
cleartext.delete();
servicePublicKeyBytes.delete();
serviceSignature.delete();
serviceMac.delete();
}
protected byte[] GenerateMasterKey(SecureChannelPacket.Hello clientHello, SecureChannelPacket.Hello serverHello, string preSharedKey, KeyAgreement keyAgreement, string otherPartyPublicKeyXML)
{
using (MemoryStream mS = new MemoryStream(128))
{
clientHello.WriteTo(mS);
serverHello.WriteTo(mS);
if (string.IsNullOrEmpty(preSharedKey))
{
keyAgreement.HmacMessage = mS.ToArray();
}
else
{
keyAgreement.HmacMessage = (new HMACSHA256(Encoding.UTF8.GetBytes(preSharedKey))).ComputeHash(mS.ToArray());
}
}
return(keyAgreement.DeriveKeyMaterial(otherPartyPublicKeyXML));
}
protected byte[] GenerateMasterKey(SecureChannelPacket.Hello clientHello, SecureChannelPacket.Hello serverHello, string preSharedKey, KeyAgreement keyAgreement, string otherPartyPublicKeyXML)
{
using (MemoryStream mS = new MemoryStream(128))
{
clientHello.WriteTo(mS);
serverHello.WriteTo(mS);
if (string.IsNullOrEmpty(preSharedKey))
keyAgreement.HmacMessage = mS.ToArray();
else
keyAgreement.HmacMessage = (new HMACSHA256(Encoding.UTF8.GetBytes(preSharedKey))).ComputeHash(mS.ToArray());
}
return keyAgreement.DeriveKeyMaterial(otherPartyPublicKeyXML);
}
public IKeyAgreement Deserialize(Stream stream) => KeyAgreement.Deserialize(stream);