Class JPakeUtilities
- Namespace
- Org.BouncyCastle.Crypto.Agreement.JPake
- Assembly
- BouncyCastle.Cryptography.dll
Primitives needed for a J-PAKE exchange.
The recommended way to perform a J-PAKE exchange is by using two JPAKEParticipants. Internally, those participants call these primitive operations in JPakeUtilities.
The primitives, however, can be used without a JPAKEParticipant if needed.
public abstract class JPakeUtilities- Inheritance
-
JPakeUtilities
- Inherited Members
Fields
One
public static readonly BigInteger OneField Value
Zero
public static readonly BigInteger ZeroField Value
Methods
CalculateA(BigInteger, BigInteger, BigInteger, BigInteger)
Calculate A as done in round 2.
public static BigInteger CalculateA(BigInteger p, BigInteger q, BigInteger gA, BigInteger x2s)Parameters
pBigIntegerqBigIntegergABigIntegerx2sBigInteger
Returns
CalculateGA(BigInteger, BigInteger, BigInteger, BigInteger)
Calculate ga as done in round 2.
public static BigInteger CalculateGA(BigInteger p, BigInteger gx1, BigInteger gx3, BigInteger gx4)Parameters
pBigIntegergx1BigIntegergx3BigIntegergx4BigInteger
Returns
CalculateGx(BigInteger, BigInteger, BigInteger)
Calculate g^x mod p as done in round 1.
public static BigInteger CalculateGx(BigInteger p, BigInteger g, BigInteger x)Parameters
pBigIntegergBigIntegerxBigInteger
Returns
CalculateKeyingMaterial(BigInteger, BigInteger, BigInteger, BigInteger, BigInteger, BigInteger)
Calculates the keying material, which can be done after round 2 has completed. A session key must be derived from this key material using a secure key derivation function (KDF). The KDF used to derive the key is handled externally (i.e. not by JPAKEParticipant).
KeyingMaterial = (B/g^{x2x4s})^x2
public static BigInteger CalculateKeyingMaterial(BigInteger p, BigInteger q, BigInteger gx4, BigInteger x2, BigInteger s, BigInteger B)Parameters
pBigIntegerqBigIntegergx4BigIntegerx2BigIntegersBigIntegerBBigInteger
Returns
CalculateMacTag(string, string, BigInteger, BigInteger, BigInteger, BigInteger, BigInteger, IDigest)
Calculates the MacTag (to be used for key confirmation), as defined by NIST SP 800-56A Revision 1, Section 8.2 Unilateral Key Confirmation for Key Agreement Schemes.
MacTag = HMAC(MacKey, MacLen, MacData) MacKey = H(K || "JPAKE_KC") MacData = "KC_1_U" || participantId || partnerParticipantId || gx1 || gx2 || gx3 || gx4
Note that both participants use "KC_1_U" because the sender of the round 3 message is always the initiator for key confirmation.
HMAC = {@link HMac} used with the given {@link Digest} H = The given {@link Digest} MacLen = length of MacTag
public static BigInteger CalculateMacTag(string participantId, string partnerParticipantId, BigInteger gx1, BigInteger gx2, BigInteger gx3, BigInteger gx4, BigInteger keyingMaterial, IDigest digest)Parameters
participantIdstringpartnerParticipantIdstringgx1BigIntegergx2BigIntegergx3BigIntegergx4BigIntegerkeyingMaterialBigIntegerdigestIDigest
Returns
CalculateS(BigInteger, byte[])
Converts the given password to a BigInteger mod q.
public static BigInteger CalculateS(BigInteger q, byte[] password)Parameters
qBigIntegerpasswordbyte[]
Returns
CalculateS(BigInteger, char[])
Converts the given password (UTF8 encoded) to a BigInteger mod q.
public static BigInteger CalculateS(BigInteger q, char[] password)Parameters
qBigIntegerpasswordchar[]
Returns
CalculateS(BigInteger, ReadOnlySpan<char>)
Converts the given password (UTF8 encoded) to a BigInteger mod q.
public static BigInteger CalculateS(BigInteger q, ReadOnlySpan<char> password)Parameters
qBigIntegerpasswordReadOnlySpan<char>
Returns
CalculateS(char[])
Converts the given password to a BigInteger for use in arithmetic calculations.
[Obsolete("Use version including the modulus instead")]
public static BigInteger CalculateS(char[] password)Parameters
passwordchar[]
Returns
CalculateX2s(BigInteger, BigInteger, BigInteger)
Calculate x2 * s as done in round 2.
public static BigInteger CalculateX2s(BigInteger q, BigInteger x2, BigInteger s)Parameters
qBigIntegerx2BigIntegersBigInteger
Returns
CalculateZeroKnowledgeProof(BigInteger, BigInteger, BigInteger, BigInteger, BigInteger, string, IDigest, SecureRandom)
Calculate a zero knowledge proof of x using Schnorr's signature. The returned array has two elements {g^v, r = v-x*h} for x.
public static BigInteger[] CalculateZeroKnowledgeProof(BigInteger p, BigInteger q, BigInteger g, BigInteger gx, BigInteger x, string participantId, IDigest digest, SecureRandom random)Parameters
pBigIntegerqBigIntegergBigIntegergxBigIntegerxBigIntegerparticipantIdstringdigestIDigestrandomSecureRandom
Returns
GenerateX1(BigInteger, SecureRandom)
Return a value that can be used as x1 or x3 during round 1. The returned value is a random value in the range [0, q-1].
public static BigInteger GenerateX1(BigInteger q, SecureRandom random)Parameters
qBigIntegerrandomSecureRandom
Returns
GenerateX2(BigInteger, SecureRandom)
Return a value that can be used as x2 or x4 during round 1. The returned value is a random value in the range [1, q-1].
public static BigInteger GenerateX2(BigInteger q, SecureRandom random)Parameters
qBigIntegerrandomSecureRandom
Returns
ValidateGa(BigInteger)
Validates that ga is not 1.
As described by Feng Hao... Alice could simply check ga != 1 to ensure it is a generator. In fact, as we will explain in Section 3, (x1 + x3 + x4 ) is random over Zq even in the face of active attacks. Hence, the probability for ga = 1 is extremely small - on the order of 2^160 for 160-bit q.
throws CryptoException if ga is 1
public static void ValidateGa(BigInteger ga)Parameters
gaBigInteger
ValidateGx4(BigInteger)
Validates that g^x4 is not 1. throws CryptoException if g^x4 is 1
public static void ValidateGx4(BigInteger gx4)Parameters
gx4BigInteger
ValidateMacTag(string, string, BigInteger, BigInteger, BigInteger, BigInteger, BigInteger, IDigest, BigInteger)
Validates the MacTag received from the partner participant.
throws CryptoException if the participantId strings are equal.
public static void ValidateMacTag(string participantId, string partnerParticipantId, BigInteger gx1, BigInteger gx2, BigInteger gx3, BigInteger gx4, BigInteger keyingMaterial, IDigest digest, BigInteger partnerMacTag)Parameters
participantIdstringpartnerParticipantIdstringgx1BigIntegergx2BigIntegergx3BigIntegergx4BigIntegerkeyingMaterialBigIntegerdigestIDigestpartnerMacTagBigInteger
ValidateNotNull(object, string)
Validates that the given object is not null. throws NullReferenceException if the object is null.
public static void ValidateNotNull(object obj, string description)Parameters
objobjectobject in question
descriptionstringname of the object (to be used in exception message)
ValidateParticipantIdsDiffer(string, string)
Validates that the given participant ids are not equal. (For the J-PAKE exchange, each participant must use a unique id.)
Throws CryptoException if the participantId strings are equal.
public static void ValidateParticipantIdsDiffer(string participantId1, string participantId2)Parameters
ValidateParticipantIdsEqual(string, string)
Validates that the given participant ids are equal. This is used to ensure that the payloads received from each round all come from the same participant.
public static void ValidateParticipantIdsEqual(string expectedParticipantId, string actualParticipantId)Parameters
ValidateZeroKnowledgeProof(BigInteger, BigInteger, BigInteger, BigInteger, BigInteger[], string, IDigest)
Validates the zero knowledge proof (generated by calculateZeroKnowledgeProof(BigInteger, BigInteger, BigInteger, BigInteger, BigInteger, string, Digest, SecureRandom) is correct.
throws CryptoException if the zero knowledge proof is not correct
public static void ValidateZeroKnowledgeProof(BigInteger p, BigInteger q, BigInteger g, BigInteger gx, BigInteger[] zeroKnowledgeProof, string participantId, IDigest digest)Parameters
pBigIntegerqBigIntegergBigIntegergxBigIntegerzeroKnowledgeProofBigInteger[]participantIdstringdigestIDigest