Moving to a 2-byte padding

Author: martinthomson

nodejs/decrypt-dh.js

@@ -0,0 +1,40 @@
+'use strict';
+
+var base64 = require('urlsafe-base64');
+var crypto = require('crypto');
+var ece = require('./ece.js');
+
+if (process.argv.length < 7) {
+  console.warn('Usage: ' + process.argv.slice(0, 2).join(' ') +
+               ' <receiver-private> <receiver-public> <sender-public> <salt> <message> [JSON args]');
+  process.exit(2);
+}
+
+var receiver = crypto.createECDH('prime256v1');
+// node crypto is finicky about accessing the public key
+// 1. it can't generate the public key from the private key
+// 2. it barfs when you try to access the public key, even after you set it
+// This hack squelches the complaints at the cost of a few wasted cycles
+receiver.generateKeys();
+receiver.setPublicKey(base64.decode(process.argv[3]));
+receiver.setPrivateKey(base64.decode(process.argv[2]));
+ece.saveKey('keyid', receiver, "P-256");
+
+var params = {
+  keyid: 'keyid',
+  dh: process.argv[4],
+  salt: process.argv[5]
+};
+
+if (process.argv.length > 7) {
+  var extra = JSON.parse(process.argv[7]);
+  Object.keys(extra).forEach(function(k) {
+    params[k] = extra[k];
+  });
+}
+
+console.log("Params: " + JSON.stringify(params, null, 2));
+var result = ece.decrypt(base64.decode(process.argv[6]), params);
+
+console.log(base64.encode(result));
+console.log(result.toString('utf-8'));

nodejs/decrypt.js

@@ -4,37 +4,26 @@ var base64 = require('urlsafe-base64');
 var crypto = require('crypto');
 var ece = require('./ece.js');
 
-if (process.argv.length < 7) {
+if (process.argv.length < 5) {
   console.warn('Usage: ' + process.argv.slice(0, 2).join(' ') +
-               ' <receiver-private> <receiver-public> <sender-public> <salt> <message> [JSON args]');
+               ' <key> <salt> <message> [JSON args]');
   process.exit(2);
 }
 
-var receiver = crypto.createECDH('prime256v1');
-// node crypto is finicky about accessing the public key
-// 1. it can't generate the public key from the private key
-// 2. it barfs when you try to access the public key, even after you set it
-// This hack squelches the complaints at the cost of a few wasted cycles
-receiver.generateKeys();
-receiver.setPublicKey(base64.decode(process.argv[3]));
-receiver.setPrivateKey(base64.decode(process.argv[2]));
-ece.saveKey('keyid', receiver, "P-256");
-
 var params = {
-  keyid: 'keyid',
-  dh: process.argv[4],
-  salt: process.argv[5]
+  key: process.argv[2],
+  salt: process.argv[3]
 };
 
-if (process.argv.length > 7) {
-  var extra = JSON.parse(process.argv[7]);
+if (process.argv.length > 5) {
+  var extra = JSON.parse(process.argv[5]);
   Object.keys(extra).forEach(function(k) {
     params[k] = extra[k];
   });
 }
 
 console.log("Params: " + JSON.stringify(params, null, 2));
-var result = ece.decrypt(base64.decode(process.argv[6]), params);
+var result = ece.decrypt(base64.decode(process.argv[4]), params);
 
 console.log(base64.encode(result));
 console.log(result.toString('utf-8'));

nodejs/ece.js

@@ -6,6 +6,7 @@ var base64 = require('urlsafe-base64');
 var savedKeys = {};
 var keyLabels = {};
 var AES_GCM = 'id-aes128-GCM';
+var PAD_SIZE = 2;
 var TAG_LENGTH = 16;
 var KEY_LENGTH = 16;
 var NONCE_LENGTH = 12;
@@ -135,8 +136,8 @@ function determineRecordSize(params) {
   if (isNaN(rs)) {
     return 4096;
   }
-  if (rs <= 1) {
-    throw new Error('The rs parameter has to be greater than 1');
+  if (rs <= PAD_SIZE) {
+    throw new Error('The rs parameter has to be greater than ' + PAD_SIZE);
   }
   return rs;
 }
@@ -156,16 +157,16 @@ function decryptRecord(key, counter, buffer) {
   gcm.setAuthTag(buffer.slice(buffer.length - TAG_LENGTH));
   var data = gcm.update(buffer.slice(0, buffer.length - TAG_LENGTH));
   data = Buffer.concat([data, gcm.final()]);
-  var pad = data.readUInt8(0);
-  if (pad + 1 > data.length) {
+  var pad = data.readUIntBE(0, PAD_SIZE);
+  if (pad + PAD_SIZE > data.length) {
     throw new Error('padding exceeds block size');
   }
   var padCheck = new Buffer(pad);
   padCheck.fill(0);
-  if (padCheck.compare(data.slice(1, 1 + pad)) !== 0) {
+  if (padCheck.compare(data.slice(PAD_SIZE, PAD_SIZE + pad)) !== 0) {
     throw new Error('invalid padding');
   }
-  return data.slice(1 + pad);
+  return data.slice(PAD_SIZE + pad);
 }
 
 // TODO: this really should use the node streams stuff
@@ -205,9 +206,9 @@ function encryptRecord(key, counter, buffer, pad) {
   pad = pad || 0;
   var nonce = generateNonce(key.nonce, counter);
   var gcm = crypto.createCipheriv(AES_GCM, key.key, nonce);
-  var padding = new Buffer(pad + 1);
+  var padding = new Buffer(pad + PAD_SIZE);
   padding.fill(0);
-  padding.writeUIntBE(pad, 0, 1);
+  padding.writeUIntBE(pad, 0, PAD_SIZE);
   var epadding = gcm.update(padding);
   var ebuffer = gcm.update(buffer);
   gcm.final();
@@ -236,13 +237,14 @@ function encrypt(buffer, params) {
   // of a buffer.
   for (var i = 0; start <= buffer.length; ++i) {
     // Pad so that at least one data byte is in a block.
-    var recordPad = Math.min(255, Math.min(rs - 2, pad));
+    var recordPad = Math.min((1 << (PAD_SIZE * 8)) - 1, // maximum padding
+                             Math.min(rs - PAD_SIZE - 1, pad));
     pad -= recordPad;
 
-    var end = Math.min(start + rs - 1 - recordPad, buffer.length);
+    var end = Math.min(start + rs - PAD_SIZE - recordPad, buffer.length);
     var block = encryptRecord(key, i, buffer.slice(start, end), recordPad);
     result = Buffer.concat([result, block]);
-    start += rs - 1 - recordPad;
+    start += rs - PAD_SIZE - recordPad;
   }
   if (pad) {
     throw new Error('Unable to pad by requested amount, ' + pad + ' remaining');

nodejs/encrypt.js nodejs/encrypt-dh.jsnodejs/encrypt.js renamed to nodejs/encrypt-dh.js

@@ -22,19 +22,28 @@ if (count === 1) {
 } else {
   log = function() {};
 }
+function logbuf(msg, buf) {
+  if (typeof buf === 'string') {
+    buf = base64.decode(buf);
+  }
+  log(msg + ': [' + buf.length + ']');
+  for (i = 0; i < buf.length; i += 48) {
+    log('    ' + base64.encode(buf.slice(i, i + 48)));
+  }
+}
 
 function encryptDecrypt(length, encryptParams, decryptParams) {
   decryptParams = decryptParams || encryptParams;
-  log("Salt: " + base64.encode(encryptParams.salt));
+  logbuf('Salt', encryptParams.salt);
   var input = plaintext || crypto.randomBytes(Math.min(length, maxLen));
   // var input = new Buffer('I am the walrus');
-  log("Input: " + base64.encode(input));
+  logbuf('Input', input);
   var encrypted = ece.encrypt(input, encryptParams);
-  log("Encrypted: " + base64.encode(encrypted));
+  logbuf('Encrypted', encrypted);
   var decrypted = ece.decrypt(encrypted, decryptParams);
-  log("Decrypted: " + base64.encode(decrypted));
+  logbuf('Decrypted', decrypted);
   assert.equal(Buffer.compare(input, decrypted), 0);
-  log("----- OK");
+  log('----- OK');
 }
 
 function useExplicitKey() {
@@ -44,7 +53,7 @@ function useExplicitKey() {
     salt: base64.encode(crypto.randomBytes(16)),
     rs: length.readUInt16BE(0) + 1
   };
-  log('Key: ' + base64.encode(params.key));
+  logbuf('Key', params.key);
   encryptDecrypt(length.readUInt16BE(2), params);
 }
 
@@ -56,8 +65,8 @@ function authenticationSecret() {
     rs: length.readUInt16BE(0) + 1,
     authSecret: base64.encode(crypto.randomBytes(16))
   };
-  log('Key: ' + base64.encode(params.key));
-  log('Context: ' + base64.encode(params.authSecret));
+  logbuf('Key', params.key);
+  logbuf('Context', params.authSecret);
   encryptDecrypt(length.readUInt16BE(2), params);
 }
 
@@ -78,12 +87,12 @@ function detectTruncation() {
     salt: base64.encode(crypto.randomBytes(16)),
     rs: length + 1
   };
-  log("Salt: " + base64.encode(params.salt));
+  logbuf('Salt', params.salt);
   var input = crypto.randomBytes(Math.min(length, maxLen));
-  log("Input: " + base64.encode(input));
+  logbuf('Input', input);
   var encrypted = ece.encrypt(input, params);
   encrypted = encrypted.slice(0, length + 1 + 16);
-  log("Encrypted: " + base64.encode(encrypted));
+  logbuf('Encrypted', encrypted);
   var ok = false;
   try {
     ece.decrypt(encrypted, params);
@@ -117,8 +126,8 @@ function useDH() {
   var staticKeyId = staticKey.getPublicKey().toString('hex')
   ece.saveKey(staticKeyId, staticKey, 'P-256');
 
-  log("Receiver private: " + base64.encode(staticKey.getPrivateKey()));
-  log("Receiver public: " + base64.encode(staticKey.getPublicKey()));
+  logbuf('Receiver private', staticKey.getPrivateKey());
+  logbuf('Receiver public', staticKey.getPublicKey());
 
   // the ephemeral key is used by the sender
   var ephemeralKey = crypto.createECDH('prime256v1');
@@ -127,8 +136,8 @@ function useDH() {
   var ephemeralKeyId = ephemeralKey.getPublicKey().toString('hex');
   ece.saveKey(ephemeralKeyId, ephemeralKey, 'P-256');
 
-  log("Sender private: " + base64.encode(ephemeralKey.getPrivateKey()));
-  log("Sender public: " + base64.encode(ephemeralKey.getPublicKey()));
+  logbuf('Sender private', ephemeralKey.getPrivateKey());
+  logbuf('Sender public', ephemeralKey.getPublicKey());
 
   var length = crypto.randomBytes(4);
   var encryptParams = {
@@ -148,12 +157,16 @@ function useDH() {
 
 var i;
 for (i = 0; i < count; ++i) {
-  useExplicitKey();
-  authenticationSecret();
-  exactlyOneRecord();
-  detectTruncation();
-  useKeyId();
-  useDH();
+  [ useExplicitKey,
+    authenticationSecret,
+    exactlyOneRecord,
+    detectTruncation,
+    useKeyId,
+    useDH,
+  ].forEach(function(f) {
+    log('Test: ' + f.name);
+    f();
+  });
 }
 
 console.log('All tests passed.');

nodejs/test.js

@@ -9,8 +9,9 @@
 
 keys = {}
 labels = {}
+padSize = 2
 
-def deriveKey(mode, salt, key=None, dh=None, keyid=None, authSecret=b""):
+def deriveKey(mode, salt, key=None, dh=None, keyid=None, authSecret=None):
     def buildInfo(base, context):
         return b"Content-Encoding: " + base + b"\0" + context
 
@@ -77,32 +78,33 @@ def lengthPrefix(key):
         info=buildInfo(b"nonce", context),
         backend=default_backend()
     )
-    return (hkdf_key.derive(secret), hkdf_nonce.derive(secret))
+    result = (hkdf_key.derive(secret), hkdf_nonce.derive(secret))
+    return result
 
 def iv(base, counter):
     if (counter >> 64) != 0:
         raise Exception(u"Counter too big")
     (mask,) = struct.unpack("!Q", base[4:])
     return base[:4] + struct.pack("!Q", counter ^ mask)
 
-def decrypt(buffer, salt, key=None, keyid=None, dh=None, rs=4096, authSecret=b""):
+def decrypt(buffer, salt, key=None, keyid=None, dh=None, rs=4096, authSecret=None):
     def decryptRecord(key, nonce, counter, buffer):
         decryptor = Cipher(
             algorithms.AES(key),
             modes.GCM(iv(nonce, counter), tag=buffer[-16:]),
             backend=default_backend()
         ).decryptor()
         data = decryptor.update(buffer[:-16]) + decryptor.finalize()
-        (pad,) = struct.unpack("!B", data[0:1]);
-        if data[1:1+pad] != (b"\x00" * pad):
+        (pad,) = struct.unpack("!H", data[0:padSize]);
+        if data[padSize:padSize+pad] != (b"\x00" * pad):
             raise Exception(u"Bad padding")
-        data = data[1+pad:]
+        data = data[padSize+pad:]
         return data
 
     (key_, nonce_) = deriveKey(mode="decrypt", salt=salt,
                                key=key, keyid=keyid, dh=dh,
                                authSecret=authSecret)
-    if rs < 2:
+    if rs <= padSize:
         raise Exception(u"Record size too small")
     rs += 16 # account for tags
     if len(buffer) % rs == 0:
@@ -115,58 +117,29 @@ def decryptRecord(key, nonce, counter, buffer):
         counter += 1
     return result
 
-def encrypt(buffer, salt, key=None, keyid=None, dh=None, rs=4096, authSecret=b""):
+def encrypt(buffer, salt, key=None, keyid=None, dh=None, rs=4096, authSecret=None):
     def encryptRecord(key, nonce, counter, buffer):
         encryptor = Cipher(
             algorithms.AES(key),
             modes.GCM(iv(nonce, counter)),
             backend=default_backend()
         ).encryptor()
-        data = encryptor.update(b"\x00" + buffer) + encryptor.finalize()
+        data = encryptor.update(b"\0\0" + buffer) + encryptor.finalize()
         data += encryptor.tag
         return data
 
     (key_, nonce_) = deriveKey(mode="encrypt", salt=salt,
                                key=key, keyid=keyid, dh=dh,
                                authSecret=authSecret)
-    if rs < 2:
+    if rs <= padSize:
         raise Exception(u"Record size too small")
-    rs -= 1 # account for padding
+    rs -= padSize # account for padding
 
     result = b""
     counter = 0
-    # the extra one ensures that we produce a padding only record if the data
-    # length is an exact multiple of rs-1
-    for i in list(range(0, len(buffer) + 1, rs)):
+    # the extra padSize on the loop ensures that we produce a padding only record if the data
+    # length is an exact multiple of rs-padSize
+    for i in list(range(0, len(buffer) + padSize, rs)):
         result += encryptRecord(key_, nonce_, counter, buffer[i:i+rs])
-        ++counter
+        counter += 1
     return result
-
-if __name__ == "__main__":
-    import base64
-
-    salt=base64.urlsafe_b64decode("mUFsKgrmI-i_-HowjX_2XA==")
-    key=base64.urlsafe_b64decode("F-hAEGCm7KIGUiSdS4GGtA==")
-    m = base64.urlsafe_b64decode("iEPbDBuohQLznv45IlaF1eLRCeu6aWfsq-pDP7OnzgH4A0x5lyIEVAfM39RgeLekW1VgZWIFL_WvuveEhaHj0-iEvxDHw_apYGFYWEY6KmMhXgWPmFZ-2wAMnDsQ-DDVbZHsXw==")
-    rs=3300
-    print ("message", len(m),  base64.urlsafe_b64encode(m))
-    e = encrypt(m, salt=salt, key=key, rs=rs)
-    print ("encrypted", len(e), base64.urlsafe_b64encode(e))
-    d = decrypt(e, salt=salt, key=key, rs=rs)
-    print ("decrypted", len(d), base64.urlsafe_b64encode(d))
-    print (m == d)
-
-    salt = os.urandom(16)
-    print ("salt", base64.urlsafe_b64encode(salt))
-    keys["receiver"] = pyelliptic.ECC(curve="prime256v1")
-    print ("receiver", base64.urlsafe_b64encode(keys["receiver"].get_pubkey()),
-           base64.urlsafe_b64encode(keys["receiver"].get_privkey()))
-    keys["sender"] = pyelliptic.ECC(curve="prime256v1")
-    print ("sender", base64.urlsafe_b64encode(keys["sender"].get_pubkey()),
-           base64.urlsafe_b64encode(keys["sender"].get_privkey()))
-
-    e = encrypt(m, salt=salt, keyid="sender", dh=keys["receiver"].get_pubkey(), rs=rs)
-    print ("encrypted", len(e), base64.urlsafe_b64encode(e))
-    d = decrypt(e, salt=salt, keyid="receiver", dh=keys["sender"].get_pubkey(), rs=rs)
-    print ("decrypted", len(d), base64.urlsafe_b64encode(d))
-    print (m == d)