/// <summary> /// Decrypts the key and HMAC concatenation (<see cref="OmemoMessage.cipherText"/>) with the given <paramref name="session"/>. /// </summary> /// <param name="authMsg">The <see cref="OmemoAuthenticatedMessage"/> containing the key and HMAC.</param> /// <param name="session">The <see cref="OmemoSessionModel"/> that should be used for decryption.</param> /// <returns>key || HMAC</returns> private byte[] DecryptKeyHmacForDevice(OmemoAuthenticatedMessage authMsg, OmemoSessionModel session) { OmemoMessage msg = new OmemoMessage(authMsg.OMEMO_MESSAGE); byte[] plainText = TrySkippedMessageKeys(msg, authMsg.HMAC, session); if (!(plainText is null)) { return(plainText); } if (session.dhR is null || !msg.DH.Equals(session.dhR.pubKey)) { SkipMessageKeys(session, msg.PN); session.InitDhRatchet(msg); } SkipMessageKeys(session, msg.N); // If no receive chain has been initialized yet, initialize it now. // This happens in case we received a key exchange message with a new session and now would like to send our first message. if (session.ckR is null) { session.InitReceiverKeyChain(); } byte[] mk = LibSignalUtils.KDF_CK(session.ckR, 0x01); session.ckR = LibSignalUtils.KDF_CK(session.ckR, 0x02); ++session.nR; return(DecryptKeyHmacForDevice(mk, msg, authMsg.HMAC, session.assData)); }
/// <summary> /// Decrypts the key and HMAC concatenation (<see cref="OmemoMessage.cipherText"/>) with the given <paramref name="session"/>. /// </summary> /// <param name="authMsg">The <see cref="OmemoAuthenticatedMessage"/> containing the key and HMAC.</param> /// <param name="session">The <see cref="OmemoSessionModel"/> that should be used for decryption.</param> /// <returns>key || HMAC</returns> public byte[] DecryptKeyHmacForDevice(OmemoAuthenticatedMessage authMsg, OmemoSessionModel session) { OmemoMessage msg = new OmemoMessage(authMsg.OMEMO_MESSAGE); byte[] plainText = TrySkippedMessageKeys(msg, authMsg.HMAC, session); if (!(plainText is null)) { return(plainText); } if (session.dhR is null || !msg.DH.Equals(session.dhR)) { SkipMessageKeys(session, msg.PN); session.InitDhRatchet(msg); } SkipMessageKeys(session, msg.N); byte[] mk = LibSignalUtils.KDF_CK(session.ckR, 0x01); Logger.Trace("[" + nameof(DecryptKeyHmacForDevice) + "] " + nameof(session.ckR) + ": " + CryptoUtils.ToHexString(session.ckR)); session.ckR = LibSignalUtils.KDF_CK(session.ckR, 0x02); ++session.nR; byte[] result = DecryptKeyHmacForDevice(mk, msg, authMsg.HMAC, session.assData); // Update the session state: if (session.state == SessionState.SEND) { session.state = SessionState.READY; } Logger.Trace("[" + nameof(DecryptKeyHmacForDevice) + "] " + nameof(session.state) + ": " + session.state); return(result); }
/// <summary> /// Skippes receiving message keys <paramref name="until"/>. /// </summary> /// <param name="session">The <see cref="OmemoSessionModel"/> the keys should be skipped for.</param> /// <param name="until">Until which key should be skipped.</param> private void SkipMessageKeys(OmemoSessionModel session, uint until) { if (session.nR + OmemoSessionModel.MAX_SKIP < until) { throw new OmemoException("Failed to decrypt. Would skip to many message keys from " + session.nR + " to " + until + ", which is more than " + OmemoSessionModel.MAX_SKIP + '.'); } if (!(session.ckR is null)) { while (session.nR < until) { byte[] mk = LibSignalUtils.KDF_CK(session.ckR, 0x01); session.ckR = LibSignalUtils.KDF_CK(session.ckR, 0x02); session.MK_SKIPPED.SetMessageKey(session.dhR.pubKey, session.nR, mk); ++session.nR; } } }
/// <summary> /// Encrypts the given key and HMAC concatenation and returns the result. /// </summary> /// <param name="keyHmac">The key, HMAC concatenation result.</param> /// <param name="session">The <see cref="OmemoSessionModel"/> between the sender and receiver.</param> /// <param name="assData">Encode(IK_A) || Encode(IK_B) => Concatenation of Alices and Bobs public part of their identity key.</param> private OmemoAuthenticatedMessage EncryptKeyHmacForDevices(byte[] keyHmac, OmemoSessionModel session, byte[] assData) { byte[] mk = LibSignalUtils.KDF_CK(session.ckS, 0x01); session.ckS = LibSignalUtils.KDF_CK(session.ckS, 0x02); OmemoMessage omemoMessage = new OmemoMessage(session); ++session.nS; // 32 byte (256 bit) of salt. Initialized with 0s. byte[] hkdfOutput = CryptoUtils.HkdfSha256(mk, new byte[32], "OMEMO Message Key Material", 80); CryptoUtils.SplitKey(hkdfOutput, out byte[] encKey, out byte[] authKey, out byte[] iv); omemoMessage.cipherText = CryptoUtils.Aes256CbcEncrypt(encKey, iv, keyHmac); byte[] omemoMessageBytes = omemoMessage.ToByteArray(); byte[] hmacInput = CryptoUtils.Concat(assData, omemoMessageBytes); byte[] hmacResult = CryptoUtils.HmacSha256(authKey, hmacInput); byte[] hmacTruncated = CryptoUtils.Truncate(hmacResult, 16); return(new OmemoAuthenticatedMessage(hmacTruncated, omemoMessageBytes)); }
/// <summary> /// Skippes receiving message keys <paramref name="until"/>. /// </summary> /// <param name="session">The <see cref="OmemoSessionModel"/> the keys should be skipped for.</param> /// <param name="until">Until which key should be skipped.</param> private void SkipMessageKeys(OmemoSessionModel session, uint until) { if (session.nR + OmemoSessionModel.MAX_SKIP < until) { throw new OmemoException("Failed to decrypt. Would skip to many message keys from " + session.nR + " to " + until + ", which is more than " + OmemoSessionModel.MAX_SKIP + '.'); } if (!(session.ckR is null)) { while (session.nR < until) { byte[] mk = LibSignalUtils.KDF_CK(session.ckR, 0x01); Logger.Trace($"[{nameof(SkipMessageKeys)}] {nameof(mk)} - {session.nR}: {CryptoUtils.ToHexString(mk)}"); session.ckR = LibSignalUtils.KDF_CK(session.ckR, 0x02); session.MK_SKIPPED.SetMessageKey(session.dhR, session.nR, mk); ++session.nR; } } }
/// <summary> /// Encrypts the given key and HMAC concatenation and returns the result. /// </summary> /// <param name="keyHmac">The key, HMAC concatenation result.</param> /// <param name="session">The <see cref="OmemoSessionModel"/> between the sender and receiver.</param> /// <param name="assData">Encode(IK_A) || Encode(IK_B) => Concatenation of Alices and Bobs public part of their identity key.</param> private OmemoAuthenticatedMessage EncryptKeyHmacForDevices(byte[] keyHmac, OmemoSessionModel session, byte[] assData) { byte[] mk = LibSignalUtils.KDF_CK(session.ckS, 0x01); Logger.Trace("[" + nameof(EncryptKeyHmacForDevices) + "] " + nameof(session.ckS) + ": " + CryptoUtils.ToHexString(session.ckS)); session.ckS = LibSignalUtils.KDF_CK(session.ckS, 0x02); OmemoMessage omemoMessage = new OmemoMessage(session); ++session.nS; // 32 byte (256 bit) of salt. Initialized with 0s. byte[] hkdfOutput = CryptoUtils.HkdfSha256(mk, new byte[32], "OMEMO Message Key Material", 80); CryptoUtils.SplitKey(hkdfOutput, out byte[] encKey, out byte[] authKey, out byte[] iv); omemoMessage.cipherText = CryptoUtils.Aes256CbcEncrypt(encKey, iv, keyHmac); byte[] omemoMessageBytes = omemoMessage.ToByteArray(); byte[] hmacInput = CryptoUtils.Concat(assData, omemoMessageBytes); byte[] hmacResult = CryptoUtils.HmacSha256(authKey, hmacInput); byte[] hmacTruncated = CryptoUtils.Truncate(hmacResult, 16); // Update the session state: if (session.state == SessionState.RECEIVED) { session.state = SessionState.READY; } // Debug trace output: Logger.Trace("[" + nameof(EncryptKeyHmacForDevices) + "] " + nameof(mk) + ": " + CryptoUtils.ToHexString(mk)); Logger.Trace("[" + nameof(EncryptKeyHmacForDevices) + "] " + nameof(assData) + ": " + CryptoUtils.ToHexString(assData)); Logger.Trace("[" + nameof(EncryptKeyHmacForDevices) + "] " + nameof(hkdfOutput) + ": " + CryptoUtils.ToHexString(hkdfOutput)); Logger.Trace("[" + nameof(EncryptKeyHmacForDevices) + "] " + nameof(encKey) + ": " + CryptoUtils.ToHexString(encKey)); Logger.Trace("[" + nameof(EncryptKeyHmacForDevices) + "] " + nameof(authKey) + ": " + CryptoUtils.ToHexString(authKey)); Logger.Trace("[" + nameof(EncryptKeyHmacForDevices) + "] " + nameof(iv) + ": " + CryptoUtils.ToHexString(iv)); Logger.Trace("[" + nameof(EncryptKeyHmacForDevices) + "] " + nameof(hmacInput) + ": " + CryptoUtils.ToHexString(hmacInput)); Logger.Trace("[" + nameof(EncryptKeyHmacForDevices) + "] " + nameof(hmacResult) + ": " + CryptoUtils.ToHexString(hmacResult)); Logger.Trace("[" + nameof(EncryptKeyHmacForDevices) + "] " + nameof(hmacTruncated) + ": " + CryptoUtils.ToHexString(hmacTruncated)); Logger.Trace("[" + nameof(EncryptKeyHmacForDevices) + "] " + nameof(session.state) + ": " + session.state); return(new OmemoAuthenticatedMessage(hmacTruncated, omemoMessageBytes)); }