Apple eciesEncryptionCofactorVariableIVX963SHA256AESGCM vs BouncyCastle ECCDHwithSHA256KDF
Apple eciesEncryptionCofactorVariableIVX963SHA256AESGCM vs BouncyCastle ECCDHwithSHA256KDF
我正在尝试加密 Java (BouncyCastle) and iOS using the Apple algorithm eciesEncryptionCofactorVariableIVX963SHA256AESGCM.
之间的通信
Apple 的算法没有很好的记录,但我发现 this article 这很有帮助。
我还在 BouncyCastle documentation 中找到了以下算法,它似乎与我正在寻找的算法很接近:
ECCDHwithSHA256KDF 表示使用 X9.63 KDF 和 SHA256 作为 PRF 的 EC 辅因子 DH
package com.example.ios.encryption;
import org.bouncycastle.jce.ECNamedCurveTable;
import org.bouncycastle.jce.ECPointUtil;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jce.spec.ECNamedCurveSpec;
import org.bouncycastle.jce.spec.ECParameterSpec;
import org.bouncycastle.util.encoders.Base64;
import java.math.BigInteger;
import java.security.*;
import java.security.spec.ECPoint;
import java.security.spec.ECPrivateKeySpec;
import java.security.spec.ECPublicKeySpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyAgreement;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
public class IOSEncryptionECwithAES {
public void testDecrypt() {
// Receiver EC Public Key
String pubKeyBase64 = "BBPT50Rn0PeeV0LxUbhDV7U1FUgVw9YLVctQx5HA+TiA3lp3k/cud8Xsjh6lytgaI5S7IUW1YouUiPNR/7LPArk=";
PublicKey pubKey = getPublicKey(Base64.decode(pubKeyBase64));
// Receiver EC Private Key
String privateKeyBase64 = "BBPT50Rn0PeeV0LxUbhDV7U1FUgVw9YLVctQx5HA+TiA3lp3k/cud8Xsjh6lytgaI5S7IUW1YouUiPNR/7LPArkWcIYOQWtdkbTqmy++lz0cQ8ukWvUyhD9yzqZHPLQgQg==";
PrivateKey privateKey = getPrivateKey(Base64.decode(privateKeyBase64));
// Encrypted data
String iosOutputBase64 = "BNNzHjSJQxP8jNuj5W9XSW0XNgpOlEHY/S4KzZQJFxwjzoujuwz5kJeOLj6cASBaYKePGLhkbE0qN20y8aHpU+PmeuDJWY7LZ25LjvutafOJGugdRZdURRwFSke7hzhXlSneaTFegT3xOoq9ffjCynwD7iRD";
byte[] iosOutput = Base64.decode(iosOutputBase64);
// Plaintext is a random UUID
String plainText = "514227F0-51E9-41AC-9A39-42752E2ABADF";
byte[] decryptedData = decryptEciesEncryptionCofactorVariableIVX963SHA256AESGCM(privateKey, iosOutput);
System.out.println(new String(decryptedData));
}
public byte[] decryptEciesEncryptionCofactorVariableIVX963SHA256AESGCM(PrivateKey privateKey, byte[] iosOutput) throws Exception {
// 1. Take ephemeral public key
byte[] ephemeralKeyBytes = Arrays.copyOfRange(iosOutput, 0, 65);
PublicKey ephemeralPublicKey = getPublicKey(ephemeralKeyBytes);
byte[] encryptedData = Arrays.copyOfRange(iosOutput, 65, iosOutput.length);
// 2. Key agreement using ECDH with Cofactor and integrated X9.63
byte[] kdfOut = getSharedSecret(ephemeralPublicKey, privateKey);
byte[] secretKeyBytes = Arrays.copyOfRange(kdfOut, 0, 16);
SecretKey secretKey = new SecretKeySpec(secretKeyBytes, "AES");
// 4. Decrypt with AES key
int tagLength = 128;
byte[] iv = Arrays.copyOfRange(kdfOut, 16, kdfOut.length);
GCMParameterSpec aesGcmParams = new GCMParameterSpec(tagLength, iv);
Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
c.init(Cipher.DECRYPT_MODE, secretKey, aesGcmParams);
byte[] decryptedData = c.doFinal(encryptedData);
return decryptedData;
}
/**
* Convert uncompressed public key into PublicKey using BouncyCastle
* For an elliptic curve public key, the format follows the ANSI X9.63 standard
* using a byte string of 04 || X || Y
*
* @param encodedBytes raw bytes received
* @return the Elliptic-Curve Public Key based on curve SECP256R1
*/
private PublicKey getPublicKey(byte[] encodedBytes) throws Exception {
KeyFactory keyFactory = KeyFactory.getInstance("EC");
ECParameterSpec ecParameterSpec = ECNamedCurveTable.getParameterSpec("secp256r1");
ECNamedCurveSpec params = new ECNamedCurveSpec("secp256r1", ecParameterSpec.getCurve(), ecParameterSpec.getG(), ecParameterSpec.getN());
ECPoint publicPoint = ECPointUtil.decodePoint(params.getCurve(), encodedBytes);
ECPublicKeySpec pubKeySpec = new ECPublicKeySpec(publicPoint, params);
return keyFactory.generatePublic(pubKeySpec);
}
/**
* Convert private key for external output from iOS
* For an elliptic curve private key, the output is formatted as the public key
* concatenated with the big endian encoding of the secret scalar, or 04 || X || Y || K.
*
* @param encodedBytes raw bytes received
* @return the Elliptic-Curve Private Key based on curve SECP256R1
*/
private PrivateKey getPrivateKey(byte[] encodedBytes) throws Exception {
BigInteger s = new BigInteger(Arrays.copyOfRange(encodedBytes, 65, encodedBytes.length));
ECParameterSpec ecParameterSpec = ECNamedCurveTable.getParameterSpec("secp256r1");
ECNamedCurveSpec params = new ECNamedCurveSpec("secp256r1", ecParameterSpec.getCurve(), ecParameterSpec.getG(), ecParameterSpec.getN());
ECPrivateKeySpec privateKeySpec = new ECPrivateKeySpec(s, params);
KeyFactory keyFactory = KeyFactory.getInstance("EC");
return keyFactory.generatePrivate(privateKeySpec);
}
/**
* Key agreement using ECDH with Cofactor and integrated X9.63 KDF SHA-256
*
* @param ephemeralPublicKey created by the sender
* @param privateKey from the receiver
* @return shared secret of 32-bytes containing the 128-bit AES key and 16-byte IV
*/
private byte[] getSharedSecret(PublicKey ephemeralPublicKey, PrivateKey privateKey) throws Exception {
String keyAgreementAlgorithm = "ECCDHwithSHA256KDF";
KeyAgreement keyAgreement = KeyAgreement.getInstance(keyAgreementAlgorithm, new BouncyCastleProvider());
keyAgreement.init(privateKey);
keyAgreement.doPhase(ephemeralPublicKey, true);
return keyAgreement.generateSecret();
}
}
不幸的是,这不起作用并导致异常。
javax.crypto.AEADBadTagException: Tag mismatch!
at java.base/com.sun.crypto.provider.NativeGaloisCounterMode.decryptFinal(NativeGaloisCounterMode.java:454)
我错过了什么?可以通过小改动修复此代码吗?
我确实通过使用 O2 Czech Republic 中的代码设法使它工作并且确实有效,但该代码来自 2017 年,我希望这些天可以用更少的行来完成当前版本的 BouncyCastle。
请参阅下面的工作代码。它将 KeyAgreement 和 KeyDerivationFunction 分成两个单独的函数。
/**
* Key agreement using ECDH with Cofactor and integrated X9.63 KDF SHA-256
*
* @param ephemeralPublicKey created by the sender
* @param privateKey from the receiver
* @return shared secret of 32-bytes containing the 128-bit AES key and 16-byte IV
*/
private byte[] getInitialSecret(PublicKey ephemeralPublicKey, PrivateKey privateKey) throws Exception {
String keyAgreementAlgorithm = "ECCDH"; // Seems to be equivalent to "ECDHC"
KeyAgreement keyAgreement = KeyAgreement.getInstance(keyAgreementAlgorithm, new BouncyCastleProvider());
keyAgreement.init(privateKey);
keyAgreement.doPhase(ephemeralPublicKey, true);
return keyAgreement.generateSecret();
}
/**
* Derive actual SecretKey with X9.63 KDF SHA-256
*
* @param initialSecret output from the ECDH agreement with Cofactor
* @param ephemeralKeyBytes emphemeral public key from sender
* @return shared secret of 32-bytes containing the 128-bit AES key and 16-byte IV
*/
private byte[] getDerivation(byte[] initialSecret, byte[] ephemeralKeyBytes) {
KDF2BytesGenerator kdfGenerator = new KDF2BytesGenerator(new SHA256Digest());
kdfGenerator.init(new KDFParameters(initialSecret, ephemeralKeyBytes));
byte[] kdfOut = new byte[32];
kdfGenerator.generateBytes(kdfOut, 0, 32);
return kdfOut;
}
}
正在改变
byte[] kdfOut = getSharedSecret(ephemeralPublicKey, privateKey);
进入
byte[] initialSecret = getInitialSecret(ephemeralPublicKey, privateKey);
byte[] kdfOut = getDerivation(initialSecret, ephemeralKeyBytes);
虽然上面的代码确实有效,但正确的方法是将 ECCDHwithSHA256KDF 与 UserKeyingMaterialSpec 一起使用,如下所示:
/**
* Key agreement using ECDH with Cofactor and integrated X9.63 KDF SHA-256
*
* @param ephemeralKeyBytes created by the sender
* @param privateKey from the receiver
* @return shared secret of 32-bytes containing the 128-bit AES key and 16-byte IV
*/
private byte[] getSharedSecret(byte[] ephemeralKeyBytes, PrivateKey privateKey) throws Exception {
PublicKey ephemeralPublicKey = getPublicKey(ephemeralKeyBytes);
String keyAgreementAlgorithm = "ECCDHwithSHA256KDF";
UserKeyingMaterialSpec spec = new UserKeyingMaterialSpec(ephemeralKeyBytes);
KeyAgreement keyAgreement = KeyAgreement.getInstance(keyAgreementAlgorithm, new BouncyCastleProvider());
keyAgreement.init(privateKey, spec);
keyAgreement.doPhase(ephemeralPublicKey, true);
return keyAgreement.generateSecret();
}
这样一来,您可以使用 BouncyCastle 一次性完成密钥协议和 KDF,而不必将其一分为二。
我正在尝试加密 Java (BouncyCastle) and iOS using the Apple algorithm eciesEncryptionCofactorVariableIVX963SHA256AESGCM.
之间的通信Apple 的算法没有很好的记录,但我发现 this article 这很有帮助。
我还在 BouncyCastle documentation 中找到了以下算法,它似乎与我正在寻找的算法很接近:
ECCDHwithSHA256KDF表示使用 X9.63 KDF 和 SHA256 作为 PRF 的 EC 辅因子 DH
package com.example.ios.encryption;
import org.bouncycastle.jce.ECNamedCurveTable;
import org.bouncycastle.jce.ECPointUtil;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jce.spec.ECNamedCurveSpec;
import org.bouncycastle.jce.spec.ECParameterSpec;
import org.bouncycastle.util.encoders.Base64;
import java.math.BigInteger;
import java.security.*;
import java.security.spec.ECPoint;
import java.security.spec.ECPrivateKeySpec;
import java.security.spec.ECPublicKeySpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyAgreement;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
public class IOSEncryptionECwithAES {
public void testDecrypt() {
// Receiver EC Public Key
String pubKeyBase64 = "BBPT50Rn0PeeV0LxUbhDV7U1FUgVw9YLVctQx5HA+TiA3lp3k/cud8Xsjh6lytgaI5S7IUW1YouUiPNR/7LPArk=";
PublicKey pubKey = getPublicKey(Base64.decode(pubKeyBase64));
// Receiver EC Private Key
String privateKeyBase64 = "BBPT50Rn0PeeV0LxUbhDV7U1FUgVw9YLVctQx5HA+TiA3lp3k/cud8Xsjh6lytgaI5S7IUW1YouUiPNR/7LPArkWcIYOQWtdkbTqmy++lz0cQ8ukWvUyhD9yzqZHPLQgQg==";
PrivateKey privateKey = getPrivateKey(Base64.decode(privateKeyBase64));
// Encrypted data
String iosOutputBase64 = "BNNzHjSJQxP8jNuj5W9XSW0XNgpOlEHY/S4KzZQJFxwjzoujuwz5kJeOLj6cASBaYKePGLhkbE0qN20y8aHpU+PmeuDJWY7LZ25LjvutafOJGugdRZdURRwFSke7hzhXlSneaTFegT3xOoq9ffjCynwD7iRD";
byte[] iosOutput = Base64.decode(iosOutputBase64);
// Plaintext is a random UUID
String plainText = "514227F0-51E9-41AC-9A39-42752E2ABADF";
byte[] decryptedData = decryptEciesEncryptionCofactorVariableIVX963SHA256AESGCM(privateKey, iosOutput);
System.out.println(new String(decryptedData));
}
public byte[] decryptEciesEncryptionCofactorVariableIVX963SHA256AESGCM(PrivateKey privateKey, byte[] iosOutput) throws Exception {
// 1. Take ephemeral public key
byte[] ephemeralKeyBytes = Arrays.copyOfRange(iosOutput, 0, 65);
PublicKey ephemeralPublicKey = getPublicKey(ephemeralKeyBytes);
byte[] encryptedData = Arrays.copyOfRange(iosOutput, 65, iosOutput.length);
// 2. Key agreement using ECDH with Cofactor and integrated X9.63
byte[] kdfOut = getSharedSecret(ephemeralPublicKey, privateKey);
byte[] secretKeyBytes = Arrays.copyOfRange(kdfOut, 0, 16);
SecretKey secretKey = new SecretKeySpec(secretKeyBytes, "AES");
// 4. Decrypt with AES key
int tagLength = 128;
byte[] iv = Arrays.copyOfRange(kdfOut, 16, kdfOut.length);
GCMParameterSpec aesGcmParams = new GCMParameterSpec(tagLength, iv);
Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
c.init(Cipher.DECRYPT_MODE, secretKey, aesGcmParams);
byte[] decryptedData = c.doFinal(encryptedData);
return decryptedData;
}
/**
* Convert uncompressed public key into PublicKey using BouncyCastle
* For an elliptic curve public key, the format follows the ANSI X9.63 standard
* using a byte string of 04 || X || Y
*
* @param encodedBytes raw bytes received
* @return the Elliptic-Curve Public Key based on curve SECP256R1
*/
private PublicKey getPublicKey(byte[] encodedBytes) throws Exception {
KeyFactory keyFactory = KeyFactory.getInstance("EC");
ECParameterSpec ecParameterSpec = ECNamedCurveTable.getParameterSpec("secp256r1");
ECNamedCurveSpec params = new ECNamedCurveSpec("secp256r1", ecParameterSpec.getCurve(), ecParameterSpec.getG(), ecParameterSpec.getN());
ECPoint publicPoint = ECPointUtil.decodePoint(params.getCurve(), encodedBytes);
ECPublicKeySpec pubKeySpec = new ECPublicKeySpec(publicPoint, params);
return keyFactory.generatePublic(pubKeySpec);
}
/**
* Convert private key for external output from iOS
* For an elliptic curve private key, the output is formatted as the public key
* concatenated with the big endian encoding of the secret scalar, or 04 || X || Y || K.
*
* @param encodedBytes raw bytes received
* @return the Elliptic-Curve Private Key based on curve SECP256R1
*/
private PrivateKey getPrivateKey(byte[] encodedBytes) throws Exception {
BigInteger s = new BigInteger(Arrays.copyOfRange(encodedBytes, 65, encodedBytes.length));
ECParameterSpec ecParameterSpec = ECNamedCurveTable.getParameterSpec("secp256r1");
ECNamedCurveSpec params = new ECNamedCurveSpec("secp256r1", ecParameterSpec.getCurve(), ecParameterSpec.getG(), ecParameterSpec.getN());
ECPrivateKeySpec privateKeySpec = new ECPrivateKeySpec(s, params);
KeyFactory keyFactory = KeyFactory.getInstance("EC");
return keyFactory.generatePrivate(privateKeySpec);
}
/**
* Key agreement using ECDH with Cofactor and integrated X9.63 KDF SHA-256
*
* @param ephemeralPublicKey created by the sender
* @param privateKey from the receiver
* @return shared secret of 32-bytes containing the 128-bit AES key and 16-byte IV
*/
private byte[] getSharedSecret(PublicKey ephemeralPublicKey, PrivateKey privateKey) throws Exception {
String keyAgreementAlgorithm = "ECCDHwithSHA256KDF";
KeyAgreement keyAgreement = KeyAgreement.getInstance(keyAgreementAlgorithm, new BouncyCastleProvider());
keyAgreement.init(privateKey);
keyAgreement.doPhase(ephemeralPublicKey, true);
return keyAgreement.generateSecret();
}
}
不幸的是,这不起作用并导致异常。
javax.crypto.AEADBadTagException: Tag mismatch!
at java.base/com.sun.crypto.provider.NativeGaloisCounterMode.decryptFinal(NativeGaloisCounterMode.java:454)
我错过了什么?可以通过小改动修复此代码吗?
我确实通过使用 O2 Czech Republic 中的代码设法使它工作并且确实有效,但该代码来自 2017 年,我希望这些天可以用更少的行来完成当前版本的 BouncyCastle。
请参阅下面的工作代码。它将 KeyAgreement 和 KeyDerivationFunction 分成两个单独的函数。
/**
* Key agreement using ECDH with Cofactor and integrated X9.63 KDF SHA-256
*
* @param ephemeralPublicKey created by the sender
* @param privateKey from the receiver
* @return shared secret of 32-bytes containing the 128-bit AES key and 16-byte IV
*/
private byte[] getInitialSecret(PublicKey ephemeralPublicKey, PrivateKey privateKey) throws Exception {
String keyAgreementAlgorithm = "ECCDH"; // Seems to be equivalent to "ECDHC"
KeyAgreement keyAgreement = KeyAgreement.getInstance(keyAgreementAlgorithm, new BouncyCastleProvider());
keyAgreement.init(privateKey);
keyAgreement.doPhase(ephemeralPublicKey, true);
return keyAgreement.generateSecret();
}
/**
* Derive actual SecretKey with X9.63 KDF SHA-256
*
* @param initialSecret output from the ECDH agreement with Cofactor
* @param ephemeralKeyBytes emphemeral public key from sender
* @return shared secret of 32-bytes containing the 128-bit AES key and 16-byte IV
*/
private byte[] getDerivation(byte[] initialSecret, byte[] ephemeralKeyBytes) {
KDF2BytesGenerator kdfGenerator = new KDF2BytesGenerator(new SHA256Digest());
kdfGenerator.init(new KDFParameters(initialSecret, ephemeralKeyBytes));
byte[] kdfOut = new byte[32];
kdfGenerator.generateBytes(kdfOut, 0, 32);
return kdfOut;
}
}
正在改变
byte[] kdfOut = getSharedSecret(ephemeralPublicKey, privateKey);
进入
byte[] initialSecret = getInitialSecret(ephemeralPublicKey, privateKey);
byte[] kdfOut = getDerivation(initialSecret, ephemeralKeyBytes);
虽然上面的代码确实有效,但正确的方法是将 ECCDHwithSHA256KDF 与 UserKeyingMaterialSpec 一起使用,如下所示:
/**
* Key agreement using ECDH with Cofactor and integrated X9.63 KDF SHA-256
*
* @param ephemeralKeyBytes created by the sender
* @param privateKey from the receiver
* @return shared secret of 32-bytes containing the 128-bit AES key and 16-byte IV
*/
private byte[] getSharedSecret(byte[] ephemeralKeyBytes, PrivateKey privateKey) throws Exception {
PublicKey ephemeralPublicKey = getPublicKey(ephemeralKeyBytes);
String keyAgreementAlgorithm = "ECCDHwithSHA256KDF";
UserKeyingMaterialSpec spec = new UserKeyingMaterialSpec(ephemeralKeyBytes);
KeyAgreement keyAgreement = KeyAgreement.getInstance(keyAgreementAlgorithm, new BouncyCastleProvider());
keyAgreement.init(privateKey, spec);
keyAgreement.doPhase(ephemeralPublicKey, true);
return keyAgreement.generateSecret();
}
这样一来,您可以使用 BouncyCastle 一次性完成密钥协议和 KDF,而不必将其一分为二。