(C#) 在 (EC)DHE x25519 上使用私钥和 public 密钥计算密钥共享

Question

我正在使用 (EC)DHE 加密类型 x25519，我在计算共享密钥时遇到了一个大问题。

我有三个密钥：

• 爱丽丝的私钥：

  a : "984a382e1e48d2a522a0e81b92fd13517e904316c6687a59d66cd2e5d9519a53"
  

• Alice 的 public 密钥：

  Q(a) = a*G(a) : "3db045ba8a16efd9e15de287158097ee754ce5d76e83c5e434109dd132a4736d"
  

• Bob 的 public 键：

  Q(b) =  b*G(b) : "74676252b0757ba3cb945ea053d9d65897a22e01592f7fa9c9503b818cd9df5a"
  

所以现在我需要像这样组合 Alice 的私钥和 Bob 的 public 密钥（以找到它们之间的共享密钥）：

Z = a * Q(b) = a * b * G(b)

有人用 C# 帮我解决这个问题吗？ （我需要一个编程代码）。

Answer 1

I am working with (EC)DHE encryption type x25519 and I have a big problem on calculating shared key.

Microsoft 没有椭圆曲线 x25519 的默认实现。然而，他们对加密 Diffie Hellman 对象的实现允许我们定义我们自己的曲线。

一旦我们定义了自己的曲线以使用 (x25519)，我们就可以使用 Microsoft 的 ECDiffieHellmanCng 实现来导入曲线、生成密钥和创建共享机密。

感谢 关于 x25519 上不相关主题的问题，他为我们实现了曲线。

我们使用 ECCurve class

实现曲线

public static ECCurve Curve25519 {get; init;} = new ECCurve()
{
    CurveType = ECCurve.ECCurveType.PrimeMontgomery,
    B = new byte[] { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 },
    A = new byte[] { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x07, 0x6d, 0x06 }, // 486662
    G = new ECPoint()
    {
        X = new byte[] { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 9 },
        Y = new byte[] { 0x20, 0xae, 0x19, 0xa1, 0xb8, 0xa0, 0x86, 0xb4, 0xe0, 0x1e, 0xdd, 0x2c, 0x77, 0x48, 0xd1, 0x4c,
        0x92, 0x3d, 0x4d, 0x7e, 0x6d, 0x7c, 0x61, 0xb2, 0x29, 0xe9, 0xc5, 0xa2, 0x7e, 0xce, 0xd3, 0xd9 }
    },
    Prime = new byte[] { 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xed },
    //Prime = new byte[] { 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 },
    Order = new byte[] { 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x14, 0xde, 0xf9, 0xde, 0xa2, 0xf7, 0x9c, 0xd6, 0x58, 0x12, 0x63, 0x1a, 0x5c, 0xf5, 0xd3, 0xed },
    Cofactor = new byte[] { 8 }
};

在我们定义了我们想要使用的曲线之后，我们只需要为曲线生成键，剩下的就是使用 ECDiffieHellmanCng class.

的标准

public class Person
{
    public string Name {get; set;}

    public byte[] PublicKey {get; private set;}

    public byte[] PrivateKey {get; private set;}

    private ECParameters EncryptionParameters;

    public void GenerateInitialKeys()
    {
        using (ECDiffieHellmanCng bob = new ECDiffieHellmanCng())
        {
            // we have to generate the key explicitly using the curve we defined, the auto-generated keys can not be used
            bob.GenerateKey(Curve25519);

            // assign what algorithms for derivation and hashing should be used
            bob.KeyDerivationFunction = ECDiffieHellmanKeyDerivationFunction.Hash;
            bob.HashAlgorithm = CngAlgorithm.Sha256;

            // save the keys
            PublicKey = bob.PublicKey.ToByteArray();
            PrivateKey = bob.ExportECPrivateKey();

            // export the curve information so we can create a shared secret later
            EncryptionParameters = bob.ExportParameters(true);
        }
    }

    public void CreateSharedSecret(byte[] OtherPublicKey)
    {
        if(EncryptionParameters is null)
        {
            throw new NullReferenceException($"{nameof(EncryptionParameters)} must not be null, invoke {nameof(GenerateInitialKeys)} to generate new keys and {nameof(EncryptionParameters)}");
        }
        using (ECDiffieHellmanCng bob = new ECDiffieHellmanCng())
        {
            // import the curve information from when generated our initial keys
            bob.ImportParameters(EncryptionParameters);

            // assign what algorithms for derivation and hashing should be used
            bob.KeyDerivationFunction = ECDiffieHellmanKeyDerivationFunction.Hash;
            bob.HashAlgorithm = CngAlgorithm.Sha256;

            // import the byte[] as a key, note EccFullPublicBlob is required, otherwise a generic runtime error will throw and will contain absolutely no useful information
            CngKey otherKey = CngKey.Import(OtherPublicKey, CngKeyBlobFormat.EccFullPublicBlob)

            // Save the shared secret
            PrivateKey = bob.DeriveKeyMaterial(otherKey);
        }
    }

    // This is just here to visually verify the private keys for equality because we don't speak or read byte[]
    public string ExportPrivateKey()
    {
        return Convert.ToBase64String(PrivateKey ?? Array.Empty<byte>());
    }
}

要使用这个 非常基本 class 我们只需调用 GenerateKeys 然后 CreateSharedSecret.

Person alice = new();
Person bob = new();

alice.GenerateInitialKeys();

bob.GenerateInitialKeys();

alice.CreateSharedSecret(bob.PublicKey);

bob.CreateSharedSecret(alice.PublicKey);

Console.WriteLine(alice.ExportPrivateKey() == bob.ExportPrivateKey());
// ideally should output: true

Answer 2

内置功能的舒适替代品（请参阅 ) is BouncyCastle，它允许更紧凑的实现，还支持轻松导入 raw X25519 密钥：

using Org.BouncyCastle.Crypto.Agreement;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Utilities.Encoders;
...
X25519PrivateKeyParameters privateKeyAlice = new X25519PrivateKeyParameters(Hex.Decode("a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4"), 0);
X25519PublicKeyParameters publicKeyBob = new X25519PublicKeyParameters(Hex.Decode("e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c"), 0);

X25519Agreement agreementAlice = new X25519Agreement();
agreementAlice.Init(privateKeyAlice);
byte[] secretAlice = new byte[agreementAlice.AgreementSize];
agreementAlice.CalculateAgreement(publicKeyBob, secretAlice, 0);

Console.WriteLine(Hex.ToHexString(secretAlice)); // c3da55379de9c6908e94ea4df28d084f32eccf03491c71f754b4075577a28552

在发布的示例中，使用了来自 Rfc7748 的测试向量（指定曲线 25519 等）。

与内置功能（参见here）相比，BC 愉快地提供了未修改的 共享密钥，可用于根据需要派生密钥（例如通过应用摘要）。