// TODO: Parametrize on cipher! // TODO: Factor out shared code between Encrypt and Decrypt! // TODO: Validate parameters better! public static byte[] Decrypt(SjclAes aes, byte[] ciphertext, byte[] iv, byte[] adata, int tagLength) { var ivLength = iv.Length; if (ivLength < 7) { throw new CryptoException("IV must be at least 7 bytes long"); } var plaintextLength = ciphertext.Length - tagLength; var ciphertextOnly = ciphertext.Take(plaintextLength).ToArray(); var tag = new SjclQuad(ciphertext, plaintextLength); var inputLengthLength = ComputeLengthLength(plaintextLength); if (inputLengthLength < 15 - ivLength) { inputLengthLength = 15 - ivLength; } iv = iv.Take(15 - inputLengthLength).ToArray(); var plaintextWithTag = ApplyCtr(aes, ciphertextOnly, iv, tag, tagLength, inputLengthLength); var expectedTag = ComputeTag(aes, plaintextWithTag.Text, iv, adata, tagLength, inputLengthLength); var expectedTagBytes = expectedTag.ToBytes().Take(tagLength); var actualTagBytes = plaintextWithTag.Tag.ToBytes().Take(tagLength); if (!actualTagBytes.SequenceEqual(expectedTagBytes)) { throw new CryptoException("CCM tag doesn't match"); } return(plaintextWithTag.Text); }
internal static SjclQuad[] ToQuads(uint[] abcds) { if (abcds.Length % 4 != 0) { throw new ArgumentException("Length must be a multiple of 4", "abcds"); } var quads = new SjclQuad[abcds.Length / 4]; for (var i = 0; i < quads.Length; ++i) { quads[i] = new SjclQuad(abcds, i * 4); } return(quads); }
internal static SjclQuad ComputeTag(SjclAes aes, byte[] plaintext, byte[] iv, byte[] adata, int tagLength, int plaintextLengthLength) { if (tagLength % 2 != 0 || tagLength < 4 || tagLength > 16) { throw new CryptoException("Tag must be 4, 8, 10, 12, 14 or 16 bytes long"); } // flags + iv + plaintext-length var tag = new SjclQuad(iv, -1); var flags = (adata.Length > 0 ? 0x40 : 0) | ((tagLength - 2) << 2) | (plaintextLengthLength - 1); tag.SetByte(0, (byte)flags); // Append plaintext length for (var i = 0; i < plaintextLengthLength; ++i) { tag.SetByte(15 - i, (byte)(plaintext.Length >> i * 8)); } tag = aes.Encrypt(tag); var adataLength = adata.Length; if (adataLength > 0) { var adataWithLength = EncodeAdataLength(adataLength).Concat(adata).ToArray(); for (var i = 0; i < adataWithLength.Length; i += 16) { tag = aes.Encrypt(tag ^ new SjclQuad(adataWithLength, i)); } } for (var i = 0; i < plaintext.Length; i += 16) { tag = aes.Encrypt(tag ^ new SjclQuad(plaintext, i)); } return(tag); }
internal static CtrResult ApplyCtr(SjclAes aes, byte[] plaintext, byte[] iv, SjclQuad tag, int tagLength, int plaintextLengthLength) { // plaintextLength + iv var ctr = new SjclQuad(iv, -1); ctr.SetByte(0, (byte)(plaintextLengthLength - 1)); // Encrypt the tag var encryptedTag = tag ^ aes.Encrypt(ctr); // Encrypt the plaintext var ciphertext = new byte[plaintext.Length]; for (var i = 0; i < plaintext.Length; i += 16) { ++ctr.D; var block = new SjclQuad(plaintext, i) ^ aes.Encrypt(ctr); Array.Copy(block.ToBytes(), 0, ciphertext, i, Math.Min(16, plaintext.Length - i)); } return(new CtrResult(ciphertext, encryptedTag)); }
private SjclQuad Crypt(SjclQuad input, bool encrypting) { var key = encrypting ? _encryptionKey : _decryptionKey; var a = input[0] ^ key[0]; var b = input[encrypting ? 1 : 3] ^ key[1]; var c = input[2] ^ key[2]; var d = input[encrypting ? 3 : 1] ^ key[3]; var innerRoundCount = key.Length / 4 - 2; var keyIndex = 4; var table = encrypting ? EncodeTable : DecodeTable; var sbox = encrypting ? SboxTable : InverseSboxTable; var output = new SjclQuad(0, 0, 0, 0); // Inner rounds for (var i = 0; i < innerRoundCount; i++) { var a2 = (table[0, (a >> 24)]) ^ (table[1, (b >> 16) & 255]) ^ (table[2, (c >> 8) & 255]) ^ (table[3, (d) & 255]) ^ (key[keyIndex]); var b2 = (table[0, (b >> 24)]) ^ (table[1, (c >> 16) & 255]) ^ (table[2, (d >> 8) & 255]) ^ (table[3, (a) & 255]) ^ (key[keyIndex + 1]); var c2 = (table[0, (c >> 24)]) ^ (table[1, (d >> 16) & 255]) ^ (table[2, (a >> 8) & 255]) ^ (table[3, (b) & 255]) ^ (key[keyIndex + 2]); var d2 = (table[0, (d >> 24)]) ^ (table[1, (a >> 16) & 255]) ^ (table[2, (b >> 8) & 255]) ^ (table[3, (c) & 255]) ^ (key[keyIndex + 3]); a = a2; b = b2; c = c2; d = d2; keyIndex += 4; } // Last round for (var i = 0; i < 4; i++) { var index = encrypting ? i : 3 & -i; output[index] = ((uint)sbox[(a >> 24)] << 24) ^ ((uint)sbox[(b >> 16) & 255] << 16) ^ ((uint)sbox[(c >> 8) & 255] << 8) ^ ((uint)sbox[(d) & 255]) ^ (key[keyIndex]); var t = a; a = b; b = c; c = d; d = t; ++keyIndex; } return(output); }
public SjclQuad Decrypt(SjclQuad ciphertext) { return(Crypt(ciphertext, false)); }
public SjclQuad Encrypt(SjclQuad plaintext) { return(Crypt(plaintext, true)); }
public CtrResult(byte[] text, SjclQuad tag) { Text = text; Tag = tag; }