summaryrefslogtreecommitdiff
path: root/src/org/noreply/fancydress/crypto/CryptoPrimitives.java
blob: 820dbcb5c10711463d4ecc32addb374dd247e7b2 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
/* $Id$ */
package org.noreply.fancydress.crypto;

import java.security.SecureRandom;
import org.bouncycastle.crypto.digests.SHA1Digest;
import org.bouncycastle.crypto.engines.AESEngine;
import org.bouncycastle.crypto.params.KeyParameter;
import org.noreply.fancydress.misc.Util;

/**
 * This class implements all cryptographic primitives that are needed for a
 * type III implementation.
 */
public class CryptoPrimitives {
	/**
	 * length (in octets) of a symmetric AES-128 key.
	 */
	public static final int KEY_LEN = 16;
	/**
	 * length (in octets) of our SPRP (LIONESS) key.
	 */
	public static final int SPRP_KEY_LEN = 20;
	/**
	 * length (in octets) of our hash function's (SHA-1) output.
	 */
	public static final int HASH_LEN = 20;

	/**
	 * A secure pseudo random number generator.
	 */
	public static SecureRandom secureRandom = new SecureRandom();
	/**
	 * Our SHA-1 Digest.
	 */
	public static SHA1Digest digest = new SHA1Digest();
	/**
	 * The AES Engine used for symmetric operations.
	 */
	public static AESEngine aes_cipher = new AESEngine();

	/**
	 * XOR two octet arrays.
	 *
	 * @param a octet array 1
	 * @param b octet array 2
	 * @return an octet array of equal length where x[i] = a[i] XOR b[i] for all i
	 * @throws IllegalArgumentException if a and b do not have the same length
	 */
	public static byte[] xor(byte[] a, byte[] b) {
		if (a.length != b.length)
			throw new IllegalArgumentException("Arguments to xor must have the same length");
		byte[] result = new byte[a.length];
		for (int i=0; i<a.length; i++)
			result[i] = (byte) (a[i] ^ b[i]);
		return(result);
	}
	/**
	 * Get <code>n</code> random octets from our secure pseudo random number generator.
	 *
	 * @param n number of octets
	 * @return an octet array of n octets of your fines randomness
	 */
	public static byte[] rand(int n) {
		byte[] result = new byte[n];
		secureRandom.nextBytes(result);
		return(result);
	}
	/**
	 * Get <code>n</code> octets of zeroes.
	 *
	 * @param n number of octets
	 * @return an octet array of n octets of zeroes
	 */
	public static byte[] zero(int n) {
		byte[] result = new byte[n];
		return(result);
	}
	/**
	 * Hash the message provided in <code>m</code>.
	 *
	 * @param m a message
	 * @return the SHA-1 hash of <code>m</code>
	 */
	public static byte[] hash(byte[] m) {
		digest.update(m, 0, m.length);
		byte[] result = new byte[HASH_LEN];
		digest.doFinal(result, 0);
		return(result);
	}
	/**
	 * Hash the result of the concatenation of <code>m1</code> and <code>m2</code>.
	 *
	 * @param m1 message 1
	 * @param m2 message 2
	 * @return the SHA-1 hash of <code>m1 + m2</code>
	 */
	public static byte[] hash(byte[] m1, byte[] m2) {
		digest.update(m1, 0, m1.length);
		digest.update(m2, 0, m2.length);
		byte[] result = new byte[HASH_LEN];
		digest.doFinal(result, 0);
		return(result);
	}
	/**
	 * Hash the result of the concatenation of <code>m1</code>, <code>m2</code> and <code>m3</code>.
	 *
	 * @param m1 message 1
	 * @param m2 message 2
	 * @param m3 message 3
	 * @return the SHA-1 hash of <code>m1 + m2 + m3</code>
	 */
	public static byte[] hash(byte[] m1, byte[] m2, byte[] m3) {
		digest.update(m1, 0, m1.length);
		digest.update(m2, 0, m2.length);
		digest.update(m3, 0, m3.length);
		byte[] result = new byte[HASH_LEN];
		digest.doFinal(result, 0);
		return(result);
	}
	/**
	 * Return <code>n</code> "random" octets generated based on key <code>k</code>.
	 *
	 * Generates <code>n</code> "random" octets or a key stream based on
	 * <code>k</code>. The stream is generated by using AES in counter mode
	 * with key <code>k</code>.
	 * 
	 * @param k the key for AES counter mode
	 * @param n number of octets requested
	 * @return a keystream of n octets
	 * @throws IllegalArgumentException if <code>k</code> is not KEY_LEN (=16) octets long.
	 */
	public static byte[] prng(byte[] k, int n) {
		byte[] result = new byte[ n ];
		byte[] block = new byte[ KEY_LEN ];
		byte[] encrypted = new byte[ KEY_LEN ];
		if (k.length != KEY_LEN)
			throw new IllegalArgumentException("Argument k to encrypt must be KEY_LEN bytes");
		KeyParameter params = new KeyParameter(k);
		aes_cipher.init(true, params);
		for (int i=0, p=0; i<n; p++) {
			block[block.length - 1] = (byte) (p & 0xff);
			block[block.length - 2] = (byte) ((p >> 8) & 0xff);
			block[block.length - 3] = (byte) ((p >> 16) & 0xff);
			block[block.length - 4] = (byte) ((p >> 24) & 0xff);

			aes_cipher.processBlock(block, 0, encrypted, 0);
			for (int j=0; j<encrypted.length && i<n; j++, i++)
				result[i] = encrypted[j];
		};
		return(result);
	}
	/**
	 * Encrypt a message <code>m</code> using AES counter mode with key <code>k</code>.
	 *
	 * Returns the result of xor(m, prng(k, len(m))), i.e. the message <code>m</code>
	 * encrypted using AES in counter mode with key <code>k</code>.
	 *
	 * @param k the key for AES counter mode
	 * @param m the message to encrypt
	 * @return the encrypted message. (len(e) == len(m))
	 * @throws IllegalArgumentException if <code>k</code> is not KEY_LEN (=16) octets long.
	 */
	public static byte[] encrypt(byte[] k, byte[] m) {
		byte[] result;
		if (k.length != KEY_LEN)
			throw new IllegalArgumentException("Argument k to encrypt must be KEY_LEN bytes");
		result = xor(m, prng(k, m.length));
		return(result);
	}
	/**
	 * Encrypt a message using our super pseudorandom permutation.
	 *
	 * Encrypt message <code>m</code> using an instance of the LIONESS
	 * super pseudorandom permutation (SPRP).
	 *
	 * This SPRP has the property that any change in the encrypted value
	 * will make the decryption look like random bits
	 *
	 * @param k the key for our SPRP function
	 * @param m the message to encrypt
	 * @return the encrypted message. (len(e) == len(m))
	 * @throws IllegalArgumentException if <code>k</code> is not SPRP_KEY_LEN (=20) octets long
	 * @throws IllegalArgumentException if <code>m</code> is shorter than SPRP_KEY_LEN (=20) octets
	 */
	public static byte[] sprpEncrypt(byte[] k, byte[] m) {
		if (m.length < HASH_LEN)
			throw new IllegalArgumentException("Argument m to sprp_encrypt must be of at least HASH_LEN bytes");
		if (k.length != SPRP_KEY_LEN)
			throw new IllegalArgumentException("Argument k to sprp_encrypt must be SPRP_KEY_LEN bytes");
		byte[] result;
		byte[] k1 = new byte[HASH_LEN];
		byte[] k2 = new byte[HASH_LEN];
		byte[] k3 = new byte[HASH_LEN];
		byte[] k4 = new byte[HASH_LEN];

		System.arraycopy(k, 0, k1, 0, k.length);
		System.arraycopy(k, 0, k2, 0, k.length);
		System.arraycopy(k, 0, k3, 0, k.length);
		System.arraycopy(k, 0, k4, 0, k.length);
		k2[19] = (byte) (k1[19] ^ 0x01);
		k3[19] = (byte) (k1[19] ^ 0x02);
		k4[19] = (byte) (k1[19] ^ 0x03);
		byte[] l = Util.slice(m, 0, HASH_LEN);
		byte[] r = Util.slice(m, HASH_LEN, m.length-HASH_LEN);
		r = encrypt( Util.slice(hash( k1, l, k1), 0, KEY_LEN), r);
		l = xor( l, hash(k2, r, k2 ));
		r = encrypt( Util.slice(hash( k3, l, k3), 0, KEY_LEN), r);
		l = xor( l, hash(k4, r, k4 ));
		result = Util.concat(l, r);
		return(result);
	}
	/**
	 * Encrypt a message using our super pseudorandom permutation.
	 *
	 * The message will be encrypted using a subkey constructed from
	 * <code>k</code> and <code>p</code> (=HASH(k | p)).
	 *
	 * @param k a master key for the SPRP encryption.
	 * @param p a string to build a subkey with.
	 * @param m the message to encrypt
	 * @return the encrypted message. (len(e) == len(m))
	 * @throws IllegalArgumentException if <code>m</code> is shorter than SPRP_KEY_LEN (=20) octets
	 * @see #sprpEncrypt(byte[] k, byte[] m)
	 */
	public static byte[] sprpEncrypt(byte[] k, String p, byte[] m) {
		return sprpEncrypt(hash(k, Util.toOctets(p)) ,m);
	}
	/**
	 * Decrypt a message using our super pseudorandom permutation.
	 *
	 * Decrypt message <code>m</code> using our instance of the LIONESS
	 * super pseudorandom permutation (SPRP).
	 *
	 * @param k the key for our SPRP function
	 * @param m the message to decrypt
	 * @return the encrypted message. (len(e) == len(m))
	 * @throws IllegalArgumentException if <code>k</code> is not SPRP_KEY_LEN (=20) octets long
	 * @throws IllegalArgumentException if <code>m</code> is shorter than SPRP_KEY_LEN (=20) octets
	 * @see #sprpEncrypt(byte[] k, byte[] m)
	 */
	public static byte[] sprpDecrypt(byte[] k, byte[] m) {
		if (m.length < HASH_LEN)
			throw new IllegalArgumentException("Argument m to sprp_decrypt must be of at least HASH_LEN bytes");
		if (k.length != SPRP_KEY_LEN)
			throw new IllegalArgumentException("Argument k to sprp_decrypt must be SPRP_KEY_LEN bytes");
		byte[] result;
		byte[] k1 = new byte[HASH_LEN];
		byte[] k2 = new byte[HASH_LEN];
		byte[] k3 = new byte[HASH_LEN];
		byte[] k4 = new byte[HASH_LEN];

		System.arraycopy(k, 0, k1, 0, k.length);
		System.arraycopy(k, 0, k2, 0, k.length);
		System.arraycopy(k, 0, k3, 0, k.length);
		System.arraycopy(k, 0, k4, 0, k.length);
		k2[19] = (byte) (k1[19] ^ 0x01);
		k3[19] = (byte) (k1[19] ^ 0x02);
		k4[19] = (byte) (k1[19] ^ 0x03);
		byte[] l = Util.slice(m, 0, HASH_LEN);
		byte[] r = Util.slice(m, HASH_LEN, m.length-HASH_LEN);
		l = xor( l, hash(k4, r, k4 ));
		r = encrypt( Util.slice(hash( k3, l, k3), 0, KEY_LEN), r);
		l = xor( l, hash(k2, r, k2 ));
		r = encrypt( Util.slice(hash( k1, l, k1), 0, KEY_LEN), r);
		result = Util.concat(l, r);
		return(result);
	}
	/**
	 * Decrypt a message using our super pseudorandom permutation.
	 *
	 * The message will be decrypted using a subkey constructed from
	 * <code>k</code> and <code>p</code> (=HASH(k | p)).
	 *
	 * @param k a master key for the SPRP decryption.
	 * @param p a string to build a subkey with.
	 * @param m the message to decrypt
	 * @return the encrypted message. (len(e) == len(m))
	 * @throws IllegalArgumentException if <code>m</code> is shorter than SPRP_KEY_LEN (=20) octets
	 * @see #sprpEncrypt(byte[] k, byte[] m)
	 * @see #sprpDecrypt(byte[] k, byte[] m)
	 */
	public static byte[] sprpDecrypt(byte[] k, String p, byte[] m) {
		return sprpDecrypt(hash(k, Util.toOctets(p)) ,m);
	}
	/**
	 * Build a subkey from <code>k</code> and <code>p</code>.
	 *
	 * The subkey is generated using HASH(k | p).
	 *
	 * @param k a master key
	 * @param p a string to build a subkey with
	 * @return the subkey
	 * @throws IllegalArgumentException if <code>k</code> is not KEY_LEN (=16) octets long
	 */
	public static byte[] subKey(byte[] k, String p) {
		if (k.length != KEY_LEN)
			throw new IllegalArgumentException("Argument k to subKey must be KEY_LEN bytes");
		return Util.slice(hash(k, Util.toOctets(p)), 0, 16);
	}
}