def derive_secrets(self, initiator_nonce: bytes, responder_nonce: bytes, remote_ephemeral_pubkey: datatypes.PublicKey, auth_init_ciphertext: bytes, auth_ack_ciphertext: bytes ) -> Tuple[bytes, bytes, sha3.keccak_256, sha3.keccak_256]: """Derive base secrets from ephemeral key agreement.""" # ecdhe-shared-secret = ecdh.agree(ephemeral-privkey, remote-ephemeral-pubk) ecdhe_shared_secret = ecies.ecdh_agree( self.ephemeral_privkey, remote_ephemeral_pubkey) # shared-secret = sha3(ecdhe-shared-secret || sha3(nonce || initiator-nonce)) shared_secret = keccak( ecdhe_shared_secret + keccak(responder_nonce + initiator_nonce)) # aes-secret = sha3(ecdhe-shared-secret || shared-secret) aes_secret = keccak(ecdhe_shared_secret + shared_secret) # mac-secret = sha3(ecdhe-shared-secret || aes-secret) mac_secret = keccak(ecdhe_shared_secret + aes_secret) # setup sha3 instances for the MACs # egress-mac = sha3.update(mac-secret ^ recipient-nonce || auth-sent-init) mac1 = sha3.keccak_256(sxor(mac_secret, responder_nonce) + auth_init_ciphertext) # ingress-mac = sha3.update(mac-secret ^ initiator-nonce || auth-recvd-ack) mac2 = sha3.keccak_256(sxor(mac_secret, initiator_nonce) + auth_ack_ciphertext) if self._is_initiator: egress_mac, ingress_mac = mac1, mac2 else: egress_mac, ingress_mac = mac2, mac1 return aes_secret, mac_secret, egress_mac, ingress_mac
def encrypt(self, header: bytes, frame: bytes) -> bytes: if len(header) != HEADER_LEN: raise ValueError("Unexpected header length: {}".format(len(header))) header_ciphertext = self.aes_enc.update(header) mac_secret = self.egress_mac.digest()[:HEADER_LEN] self.egress_mac.update(sxor(self.mac_enc(mac_secret), header_ciphertext)) header_mac = self.egress_mac.digest()[:HEADER_LEN] frame_ciphertext = self.aes_enc.update(frame) self.egress_mac.update(frame_ciphertext) fmac_seed = self.egress_mac.digest()[:HEADER_LEN] mac_secret = self.egress_mac.digest()[:HEADER_LEN] self.egress_mac.update(sxor(self.mac_enc(mac_secret), fmac_seed)) frame_mac = self.egress_mac.digest()[:HEADER_LEN] return header_ciphertext + header_mac + frame_ciphertext + frame_mac
def create_auth_message(self, nonce: bytes) -> bytes: ecdh_shared_secret = ecies.ecdh_agree(self.privkey, self.remote.pubkey) secret_xor_nonce = sxor(ecdh_shared_secret, nonce) # S(ephemeral-privk, ecdh-shared-secret ^ nonce) S = self.ephemeral_privkey.sign_msg_hash(secret_xor_nonce).to_bytes() # S || H(ephemeral-pubk) || pubk || nonce || 0x0 return (S + keccak(self.ephemeral_pubkey.to_bytes()) + self.pubkey.to_bytes() + nonce + b'\x00')
def decrypt_header(self, data: bytes) -> bytes: if len(data) != HEADER_LEN + MAC_LEN: raise ValueError("Unexpected header length: {}".format(len(data))) header_ciphertext = data[:HEADER_LEN] header_mac = data[HEADER_LEN:] mac_secret = self.ingress_mac.digest()[:HEADER_LEN] aes = self.mac_enc(mac_secret)[:HEADER_LEN] self.ingress_mac.update(sxor(aes, header_ciphertext)) expected_header_mac = self.ingress_mac.digest()[:HEADER_LEN] if not bytes_eq(expected_header_mac, header_mac): raise AuthenticationError('Invalid header mac') return self.aes_dec.update(header_ciphertext)
def decrypt_body(self, data: bytes, body_size: int) -> bytes: read_size = roundup_16(body_size) if len(data) < read_size + MAC_LEN: raise ValueError('Insufficient body length; Got {}, wanted {}'.format( len(data), (read_size + MAC_LEN))) frame_ciphertext = data[:read_size] frame_mac = data[read_size:read_size + MAC_LEN] self.ingress_mac.update(frame_ciphertext) fmac_seed = self.ingress_mac.digest()[:MAC_LEN] self.ingress_mac.update(sxor(self.mac_enc(fmac_seed), fmac_seed)) expected_frame_mac = self.ingress_mac.digest()[:MAC_LEN] if not bytes_eq(expected_frame_mac, frame_mac): raise AuthenticationError('Invalid frame mac') return self.aes_dec.update(frame_ciphertext)[:body_size]
def decode_authentication(self, ciphertext: bytes) -> Tuple[datatypes.PublicKey, bytes]: """Decrypts and decodes the auth_init message. Returns the initiator's ephemeral pubkey and nonce. """ if len(ciphertext) < ENCRYPTED_AUTH_MSG_LEN: raise ValueError("Auth msg too short: {}".format(len(ciphertext))) elif len(ciphertext) == ENCRYPTED_AUTH_MSG_LEN: sig, initiator_pubkey, initiator_nonce, version = decode_auth_plain( ciphertext, self.privkey) else: sig, initiator_pubkey, initiator_nonce, version = decode_auth_eip8( ciphertext, self.privkey) self.got_eip8_auth = True # recover initiator ephemeral pubkey from sig # S(ephemeral-privk, ecdh-shared-secret ^ nonce) shared_secret = ecies.ecdh_agree(self.privkey, initiator_pubkey) ephem_pubkey = sig.recover_public_key_from_msg_hash( sxor(shared_secret, initiator_nonce)) return ephem_pubkey, initiator_nonce