keejef
/
session-android
mirror of https://github.com/oxen-io/session-android
1
0
Fork 0
Code Issues 1 Projects Releases Wiki Activity

Split HKDF secret derivation and parsing.

Browse Source
pull/1/head
Moxie Marlinspike 10 years ago
parent f29d1e6269
commit 6326ef73f3
6 changed files with 73 additions and 77 deletions
Show Stats Download Patch File Download Diff File

67
libaxolotl/src/androidTest/java/org/whispersystems/test/kdf/HKDFTest.java
Unescape Escape View File

@ -2,7 +2,6 @@ package org.whispersystems.test.kdf;
import android.test.AndroidTestCase;
import org.whispersystems.libaxolotl.kdf.DerivedSecrets;
import org.whispersystems.libaxolotl.kdf.HKDF;
import java.util.Arrays;
@ -20,24 +19,19 @@ public class HKDFTest extends AndroidTestCase {
byte[] info = {(byte) 0xf0, (byte) 0xf1, (byte) 0xf2, (byte) 0xf3, (byte) 0xf4,
(byte) 0xf5, (byte) 0xf6, (byte) 0xf7, (byte) 0xf8, (byte) 0xf9};
byte[] expectedOutputOne = {(byte) 0x3c, (byte) 0xb2, (byte) 0x5f, (byte) 0x25, (byte) 0xfa,
(byte) 0xac, (byte) 0xd5, (byte) 0x7a, (byte) 0x90, (byte) 0x43,
(byte) 0x4f, (byte) 0x64, (byte) 0xd0, (byte) 0x36, (byte) 0x2f,
(byte) 0x2a, (byte) 0x2d, (byte) 0x2d, (byte) 0x0a, (byte) 0x90,
(byte) 0xcf, (byte) 0x1a, (byte) 0x5a, (byte) 0x4c, (byte) 0x5d,
(byte) 0xb0, (byte) 0x2d, (byte) 0x56, (byte) 0xec, (byte) 0xc4,
(byte) 0xc5, (byte) 0xbf};
byte[] okm = {(byte) 0x3c, (byte) 0xb2, (byte) 0x5f, (byte) 0x25, (byte) 0xfa,
(byte) 0xac, (byte) 0xd5, (byte) 0x7a, (byte) 0x90, (byte) 0x43,
(byte) 0x4f, (byte) 0x64, (byte) 0xd0, (byte) 0x36, (byte) 0x2f,
(byte) 0x2a, (byte) 0x2d, (byte) 0x2d, (byte) 0x0a, (byte) 0x90,
(byte) 0xcf, (byte) 0x1a, (byte) 0x5a, (byte) 0x4c, (byte) 0x5d,
(byte) 0xb0, (byte) 0x2d, (byte) 0x56, (byte) 0xec, (byte) 0xc4,
(byte) 0xc5, (byte) 0xbf, (byte) 0x34, (byte) 0x00, (byte) 0x72,
(byte) 0x08, (byte) 0xd5, (byte) 0xb8, (byte) 0x87, (byte) 0x18,
(byte) 0x58, (byte) 0x65};
byte[] expectedOutputTwo = {(byte) 0x34, (byte) 0x00, (byte) 0x72, (byte) 0x08, (byte) 0xd5,
(byte) 0xb8, (byte) 0x87, (byte) 0x18, (byte) 0x58, (byte) 0x65};
byte[] actualOutput = HKDF.createFor(3).deriveSecrets(ikm, salt, info, 42);
DerivedSecrets derivedSecrets = HKDF.createFor(3).deriveSecrets(ikm, salt, info);
byte[] truncatedMacKey = new byte[expectedOutputTwo.length];
System.arraycopy(derivedSecrets.getMacKey().getEncoded(), 0, truncatedMacKey, 0, truncatedMacKey.length);
assertTrue(Arrays.equals(derivedSecrets.getCipherKey().getEncoded(), expectedOutputOne));
assertTrue(Arrays.equals(expectedOutputTwo, truncatedMacKey));
assertTrue(Arrays.equals(okm, actualOutput));
}
public void testVectorLongV3() {
@ -109,6 +103,9 @@ public class HKDFTest extends AndroidTestCase {
(byte) 0x3e, (byte) 0x87, (byte) 0xc1, (byte) 0x4c, (byte) 0x01,
(byte) 0xd5, (byte) 0xc1, (byte) 0xf3, (byte) 0x43, (byte) 0x4f,
(byte) 0x1d, (byte) 0x87};
byte[] actualOutput = HKDF.createFor(3).deriveSecrets(ikm, salt, info, 82);
assertTrue(Arrays.equals(okm, actualOutput));
}
public void testVectorV2() {
@ -122,25 +119,21 @@ public class HKDFTest extends AndroidTestCase {
byte[] info = {(byte)0xf0, (byte)0xf1, (byte)0xf2, (byte)0xf3, (byte)0xf4,
(byte)0xf5, (byte)0xf6, (byte)0xf7, (byte)0xf8, (byte)0xf9};
byte[] expectedOutputOne = {(byte)0x6e, (byte)0xc2, (byte)0x55, (byte)0x6d, (byte)0x5d,
(byte)0x7b, (byte)0x1d, (byte)0x81, (byte)0xde, (byte)0xe4,
(byte)0x22, (byte)0x2a, (byte)0xd7, (byte)0x48, (byte)0x36,
(byte)0x95, (byte)0xdd, (byte)0xc9, (byte)0x8f, (byte)0x4f,
(byte)0x5f, (byte)0xab, (byte)0xc0, (byte)0xe0, (byte)0x20,
(byte)0x5d, (byte)0xc2, (byte)0xef, (byte)0x87, (byte)0x52,
(byte)0xd4, (byte)0x1e};
byte[] expectedOutputTwo = {(byte)0x04, (byte)0xe2, (byte)0xe2, (byte)0x11, (byte)0x01,
(byte)0xc6, (byte)0x8f, (byte)0xf0, (byte)0x93, (byte)0x94,
(byte)0xb8, (byte)0xad, (byte)0x0b, (byte)0xdc, (byte)0xb9,
(byte)0x60, (byte)0x9c, (byte)0xd4, (byte)0xee, (byte)0x82,
(byte)0xac, (byte)0x13, (byte)0x19, (byte)0x9b, (byte)0x4a,
(byte)0xa9, (byte)0xfd, (byte)0xa8, (byte)0x99, (byte)0xda,
(byte)0xeb, (byte)0xec};
DerivedSecrets derivedSecrets = HKDF.createFor(2).deriveSecrets(ikm, salt, info);
assertTrue(Arrays.equals(derivedSecrets.getCipherKey().getEncoded(), expectedOutputOne));
assertTrue(Arrays.equals(derivedSecrets.getMacKey().getEncoded(), expectedOutputTwo));
byte[] okm = {(byte)0x6e, (byte)0xc2, (byte)0x55, (byte)0x6d, (byte)0x5d,
(byte)0x7b, (byte)0x1d, (byte)0x81, (byte)0xde, (byte)0xe4,
(byte)0x22, (byte)0x2a, (byte)0xd7, (byte)0x48, (byte)0x36,
(byte)0x95, (byte)0xdd, (byte)0xc9, (byte)0x8f, (byte)0x4f,
(byte)0x5f, (byte)0xab, (byte)0xc0, (byte)0xe0, (byte)0x20,
(byte)0x5d, (byte)0xc2, (byte)0xef, (byte)0x87, (byte)0x52,
(byte)0xd4, (byte)0x1e, (byte)0x04, (byte)0xe2, (byte)0xe2,
(byte)0x11, (byte)0x01, (byte)0xc6, (byte)0x8f, (byte)0xf0,
(byte)0x93, (byte)0x94, (byte)0xb8, (byte)0xad, (byte)0x0b,
(byte)0xdc, (byte)0xb9, (byte)0x60, (byte)0x9c, (byte)0xd4,
(byte)0xee, (byte)0x82, (byte)0xac, (byte)0x13, (byte)0x19,
(byte)0x9b, (byte)0x4a, (byte)0xa9, (byte)0xfd, (byte)0xa8,
(byte)0x99, (byte)0xda, (byte)0xeb, (byte)0xec};
byte[] actualOutput = HKDF.createFor(2).deriveSecrets(ikm, salt, info, 64);
assertTrue(Arrays.equals(okm, actualOutput));
}
}

21
libaxolotl/src/main/java/org/whispersystems/libaxolotl/kdf/DerivedSecrets.java
Unescape Escape View File

@ -21,12 +21,27 @@ import javax.crypto.spec.SecretKeySpec;
public class DerivedSecrets {
public static final int SIZE = 64;
private static final int CIPHER_KEYS_OFFSET = 0;
private static final int MAC_KEYS_OFFSET = 32;
private final SecretKeySpec cipherKey;
private final SecretKeySpec macKey;
public DerivedSecrets(SecretKeySpec cipherKey, SecretKeySpec macKey) {
this.cipherKey = cipherKey;
this.macKey = macKey;
public DerivedSecrets(byte[] okm) {
this.cipherKey = deriveCipherKey(okm);
this.macKey = deriveMacKey(okm);
}
private SecretKeySpec deriveCipherKey(byte[] okm) {
byte[] cipherKey = new byte[32];
System.arraycopy(okm, CIPHER_KEYS_OFFSET, cipherKey, 0, cipherKey.length);
return new SecretKeySpec(cipherKey, "AES");
}
private SecretKeySpec deriveMacKey(byte[] okm) {
byte[] macKey = new byte[32];
System.arraycopy(okm, MAC_KEYS_OFFSET, macKey, 0, macKey.length);
return new SecretKeySpec(macKey, "HmacSHA256");
}
public SecretKeySpec getCipherKey() {

45
libaxolotl/src/main/java/org/whispersystems/libaxolotl/kdf/HKDF.java
Unescape Escape View File

@ -27,10 +27,6 @@ import javax.crypto.spec.SecretKeySpec;
public abstract class HKDF {
private static final int HASH_OUTPUT_SIZE = 32;
private static final int KEY_MATERIAL_SIZE = 64;
private static final int CIPHER_KEYS_OFFSET = 0;
private static final int MAC_KEYS_OFFSET = 32;
public static HKDF createFor(int messageVersion) {
switch (messageVersion) {
@ -40,31 +36,14 @@ public abstract class HKDF {
}
}
public DerivedSecrets deriveSecrets(byte[] inputKeyMaterial, byte[] info) {
public byte[] deriveSecrets(byte[] inputKeyMaterial, byte[] info, int outputLength) {
byte[] salt = new byte[HASH_OUTPUT_SIZE];
return deriveSecrets(inputKeyMaterial, salt, info);
}
public DerivedSecrets deriveSecrets(byte[] inputKeyMaterial, byte[] salt, byte[] info) {
byte[] prk = extract(salt, inputKeyMaterial);
byte[] okm = expand(prk, info, KEY_MATERIAL_SIZE);
SecretKeySpec cipherKey = deriveCipherKey(okm);
SecretKeySpec macKey = deriveMacKey(okm);
return new DerivedSecrets(cipherKey, macKey);
}
private SecretKeySpec deriveCipherKey(byte[] okm) {
byte[] cipherKey = new byte[32];
System.arraycopy(okm, CIPHER_KEYS_OFFSET, cipherKey, 0, cipherKey.length);
return new SecretKeySpec(cipherKey, "AES");
return deriveSecrets(inputKeyMaterial, salt, info, outputLength);
}
private SecretKeySpec deriveMacKey(byte[] okm) {
byte[] macKey = new byte[32];
System.arraycopy(okm, MAC_KEYS_OFFSET, macKey, 0, macKey.length);
return new SecretKeySpec(macKey, "HmacSHA256");
public byte[] deriveSecrets(byte[] inputKeyMaterial, byte[] salt, byte[] info, int outputLength) {
byte[] prk = extract(salt, inputKeyMaterial);
return expand(prk, info, outputLength);
}
private byte[] extract(byte[] salt, byte[] inputKeyMaterial) {
@ -79,9 +58,10 @@ public abstract class HKDF {
private byte[] expand(byte[] prk, byte[] info, int outputSize) {
try {
int iterations = (int)Math.ceil((double)outputSize/(double)HASH_OUTPUT_SIZE);
byte[] mixin = new byte[0];
ByteArrayOutputStream results = new ByteArrayOutputStream();
int iterations = (int) Math.ceil((double) outputSize / (double) HASH_OUTPUT_SIZE);
byte[] mixin = new byte[0];
ByteArrayOutputStream results = new ByteArrayOutputStream();
int remainingBytes = outputSize;
for (int i= getIterationStartOffset();i<iterations + getIterationEndOffset();i++) {
Mac mac = Mac.getInstance("HmacSHA256");
@ -94,9 +74,12 @@ public abstract class HKDF {
mac.update((byte)i);
byte[] stepResult = mac.doFinal();
results.write(stepResult, 0, stepResult.length);
int stepSize = Math.min(remainingBytes, stepResult.length);
results.write(stepResult, 0, stepSize);
mixin = stepResult;
mixin = stepResult;
remainingBytes -= stepSize;
}
return results.toByteArray();

3
libaxolotl/src/main/java/org/whispersystems/libaxolotl/ratchet/ChainKey.java
Unescape Escape View File

@ -56,7 +56,8 @@ public class ChainKey {
public MessageKeys getMessageKeys() {
byte[] inputKeyMaterial = getBaseMaterial(MESSAGE_KEY_SEED);
DerivedSecrets keyMaterial = kdf.deriveSecrets(inputKeyMaterial, "WhisperMessageKeys".getBytes());
byte[] keyMaterialBytes = kdf.deriveSecrets(inputKeyMaterial, "WhisperMessageKeys".getBytes(), DerivedSecrets.SIZE);
DerivedSecrets keyMaterial = new DerivedSecrets(keyMaterialBytes);
return new MessageKeys(keyMaterial.getCipherKey(), keyMaterial.getMacKey(), index);
}

3
libaxolotl/src/main/java/org/whispersystems/libaxolotl/ratchet/RatchetingSession.java
Unescape Escape View File

@ -131,7 +131,8 @@ public class RatchetingSession {
secrets.write(Curve.calculateAgreement(theirPreKey, ourPreKey.getPrivateKey()));
}
DerivedSecrets derivedSecrets = kdf.deriveSecrets(secrets.toByteArray(), "WhisperText".getBytes());
byte[] derivedSecretBytes = kdf.deriveSecrets(secrets.toByteArray(), "WhisperText".getBytes(), DerivedSecrets.SIZE);
DerivedSecrets derivedSecrets = new DerivedSecrets(derivedSecretBytes);
return new Pair<>(new RootKey(kdf, derivedSecrets.getCipherKey().getEncoded()),
new ChainKey(kdf, derivedSecrets.getMacKey().getEncoded(), 0));

11
libaxolotl/src/main/java/org/whispersystems/libaxolotl/ratchet/RootKey.java
Unescape Escape View File

@ -22,6 +22,7 @@ import org.whispersystems.libaxolotl.ecc.ECKeyPair;
import org.whispersystems.libaxolotl.ecc.ECPublicKey;
import org.whispersystems.libaxolotl.kdf.DerivedSecrets;
import org.whispersystems.libaxolotl.kdf.HKDF;
import org.whispersystems.libaxolotl.util.ByteUtil;
import org.whispersystems.libaxolotl.util.Pair;
public class RootKey {
@ -41,10 +42,12 @@ public class RootKey {
public Pair<RootKey, ChainKey> createChain(ECPublicKey theirEphemeral, ECKeyPair ourEphemeral)
throws InvalidKeyException
{
byte[] sharedSecret = Curve.calculateAgreement(theirEphemeral, ourEphemeral.getPrivateKey());
DerivedSecrets keys = kdf.deriveSecrets(sharedSecret, key, "WhisperRatchet".getBytes());
RootKey newRootKey = new RootKey(kdf, keys.getCipherKey().getEncoded());
ChainKey newChainKey = new ChainKey(kdf, keys.getMacKey().getEncoded(), 0);
byte[] sharedSecret = Curve.calculateAgreement(theirEphemeral, ourEphemeral.getPrivateKey());
byte[] keyBytes = kdf.deriveSecrets(sharedSecret, key, "WhisperRatchet".getBytes(), 64);
byte[][] keys = ByteUtil.split(keyBytes, 32, 32);
RootKey newRootKey = new RootKey(kdf, keys[0]);
ChainKey newChainKey = new ChainKey(kdf, keys[1], 0);
return new Pair<>(newRootKey, newChainKey);
}

Write Preview
Loading…
Cancel
Save