
Crypto 3.2: Prevent replay attacks #485

Closed
romanstrobl opened this issue May 25, 2023 · 0 comments

Changes in ECIES algorithm

Associated data

Let's define ASSOCIATED_DATA as data transmitted as plaintext and included in MAC calculation. The content of ASSOCIATED_DATA (AD) depends on the scope of encryptor and whether data is associated with the request or the response (see Note 1):

| Version | Scope | Request | Response |
|---|---|---|---|
| == 3.2 | APPLICATION | ByteUtils.joinStrings(VERSION, APPLICATION_KEY) | null |
| == 3.2 | ACTIVATION | ByteUtils.joinStrings(VERSION, APPLICATION_KEY, ACTIVATION_ID) | null |
| < 3.2 | APPLICATION | null | null |
| < 3.2 | ACTIVATION | null | null |

Note 1: The response doesn't use AD in this protocol version.

Encryption

In ECIES Encryption, let's keep the existing algorithm up to step 6 and change the next steps:

  1. Get current timestamp.
    long TIMESTAMP = Time.getTimestamp();
    byte[] TIMESTAMP_BYTES = ByteUtils.encode(TIMESTAMP); // BigEndian encoding
  2. Compute the MAC of encrypted data, include ASSOCIATED_DATA and SHARED_INFO_2.
    byte[] AD = ByteUtils.concat(ASSOCIATED_DATA, ByteUtils.join(NONCE, TIMESTAMP_BYTES, KEY_EPH_PUB));
    byte[] DATA = Bytes.concat(AD, DATA_ENCRYPTED, SHARED_INFO_2);
    byte[] MAC = Mac.hmacSha256(KEY_MAC, DATA);
  3. Prepare ECIES payload.
    EciesPayload payload = (DATA_ENCRYPTED, MAC, KEY_EPH_PUB, NONCE, ASSOCIATED_DATA, TIMESTAMP);

As you can see, the encryptor internally includes more data in the MAC calculation than ASSOCIATED_DATA.

Decryption

In ECIES Decryption, change step 4:

  1. Validate the MAC value in payload against expected MAC value. Include ASSOCIATED_DATA and SHARED_INFO_2. If the MAC values are different, terminate the decryption.
    byte[] AD;
    if (TIMESTAMP != null) {
        // Protocol 3.2+
        byte[] TIMESTAMP_BYTES = ByteUtils.encode(TIMESTAMP);
        AD = ByteUtils.concat(ASSOCIATED_DATA, ByteUtils.join(NONCE, TIMESTAMP_BYTES, KEY_EPH_PUB));
    } else {
        // Protocol V3.1 and older
        AD = new byte[0];
    }
    byte[] DATA = Bytes.concat(AD, DATA_ENCRYPTED, SHARED_INFO_2);
    byte[] MAC_EXPECTED = Mac.hmacSha256(KEY_MAC, DATA);
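    // Compare array contents in constant time; != on byte[] compares references only
    if (!java.security.MessageDigest.isEqual(MAC_EXPECTED, MAC)) {
        throw new EciesException("Invalid MAC"); // terminate the validation with an error
    }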
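
The MAC input described above, as an added Java example that is not code from the issue or the project: it shows that a payload whose timestamp or associated data is changed, or whose timestamp is stripped to force the pre-3.2 path, no longer matches the sender's MAC. Plain concatenation is assumed for the `ByteUtils` helpers; the class name, the `concat`, `mac` and `b` helpers and all sample values are constructed for the illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class EciesMacBindingDemo {
    // Assumption: plain concatenation, null treated as empty. The project's
    // ByteUtils.concat/join/joinStrings may encode components differently.
    static byte[] concat(byte[]... parts) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (byte[] p : parts) {
            if (p != null) out.write(p, 0, p.length);
        }
        return out.toByteArray();
    }

    // MAC input from the issue: AD || DATA_ENCRYPTED || SHARED_INFO_2.
    // AD is empty when TIMESTAMP is null (protocol 3.1 and older).
    static byte[] mac(byte[] keyMac, byte[] assocData, byte[] nonce, Long timestamp,
                      byte[] keyEphPub, byte[] dataEncrypted, byte[] sharedInfo2) throws Exception {
        byte[] ad = new byte[0];
        if (timestamp != null) {
            byte[] ts = ByteBuffer.allocate(Long.BYTES).putLong(timestamp).array(); // big-endian
            ad = concat(assocData, nonce, ts, keyEphPub);
        }
        Mac hmac = Mac.getInstance("HmacSHA256");
        hmac.init(new SecretKeySpec(keyMac, "HmacSHA256"));
        return hmac.doFinal(concat(ad, dataEncrypted, sharedInfo2));
    }

    static byte[] b(String s) { return s.getBytes(StandardCharsets.UTF_8); }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; not real keys, nonces or protocol output.
        byte[] keyMac = b("constructed-mac-key"), nonce = b("constructed-nonce");
        byte[] ephPub = b("constructed-eph-pub"), enc = b("constructed-ciphertext");
        byte[] info2 = b("constructed-shared-info-2"), ad = b("3.2" + "constructed-app-key");
        long ts = 1685000000000L;
        byte[] sent = mac(keyMac, ad, nonce, ts, ephPub, enc, info2);

        // Receiver recomputes the MAC from the received fields, constant-time compare.
        System.out.println("unchanged payload: "
            + MessageDigest.isEqual(sent, mac(keyMac, ad, nonce, ts, ephPub, enc, info2)));
        System.out.println("timestamp altered: "
            + MessageDigest.isEqual(sent, mac(keyMac, ad, nonce, ts + 1, ephPub, enc, info2)));
        System.out.println("other application key: "
            + MessageDigest.isEqual(sent, mac(keyMac, b("3.2other-app-key"), nonce, ts, ephPub, enc, info2)));
        System.out.println("timestamp stripped (3.1 path): "
            + MessageDigest.isEqual(sent, mac(keyMac, ad, nonce, null, ephPub, enc, info2)));
    }
}
```

Only the unchanged payload verifies; each modified variant produces a different MAC input and is rejected.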