I have problems with my c++ mc-eliece implementation from Botan crypto library. There seems to be virtually only one example of it in the whole internet, with a link to it.
https://www.cryptosource.de/docs/mceliece_in_botan.pdf
But this example is 6 years old, hence it is totally outdated and the Botan docs do not provide any other.
The problem is basically, that unfortunatelly function names and specs have changed over time, hence i get a couple of compiler errors while i try to use them. I managed to demystify some of them by looking into the header implementations. But now i'm, frankly said, in front of a wall.
It would be great if anybody familar with the Botan MC-Eliece implementation, could give me a hint, how the current functions are called.
This is my code with marks. I removed a lot of unnecessary code and other implementations, to make it more readable. You will also not be able to make it run without the necessary modules, but i will try to write it down in a way, that somebody with Botan library should be able to run it.
//to compile: g++ -o mc_eliece mc_eliece.cpp -Wall -I/usr/local/include/botan-2/ -I/home/pi/projects/RNG_final/ -ltss2-esys -ltss2-rc -lbotan-2
#include <iostream>
#include <botan/rng.h>
#include <botan/system_rng.h>
#include <botan/mceies.h>
#include <botan/mceliece.h>
int main() {
Botan::size_t n = 1632; // Parameters for key generation
Botan::size_t t = 33;
// initialize RNG type
Botan::System_RNG rng; // is a standard Botan RNG
// create a new MCEliece private key with code length n and error weigth t
Botan::McEliece_PrivateKey sk1(rng, n, t); // actually works!
// derive the corresponding public key
Botan::McEliece_PublicKey pk1(*dynamic_cast<Botan::McEliece_PublicKey*>(&sk1)); // actually works!
// encode the public key
std::vector<uint8_t> pk_enc = pk1.subject_public_key(); // actually works!
// encode the private key
Botan::secure_vector<uint8_t> sk_enc = sk1.private_key_bits(); // had to replace sk1.pkcs8_private_key()
// encryption side: decode a serialized public key
Botan::McEliece_PublicKey pk(pk_enc);
McEliece_KEM_Encryptor enc(pk); // does not work, can't find a working corresponding function in the header
// perform encryption -> will find out if it works after upper case had been solved
std::pair<secure_vector<Botan::byte>,secure_vector<Botan::byte> > ciphertext__sym_key = enc.encrypt(rng);
secure_vector<Botan::byte> sym_key_encr = ciphertext__sym_key.second;
secure_vector<Botan::byte> ciphertext = ciphertext__sym_key.first;
// code used at the decrypting side: -> will find out if it works after upper case had been solved
// decode a serialized private key
McEliece_PrivateKey sk(sk_enc);
McEliece_KEM_Decryptor dec(sk);
// perform decryption -> will find out if it works after upper case had been solved
secure_vector<Botan::byte> sym_key_decr = dec.decrypt(&ciphertext[0],
ciphertext.size() );
// both sides now have the same 64-byte symmetric key.
// use this key to instantiate an authenticated encryption scheme.
// in case shorter keys are needed, they can simple be cut off.
return 0;
}
Thx for any help in advance.
I have now updated the example code in https://www.cryptosource.de/docs/mceliece_in_botan.pdf to reflect these the changes to Botan's new KEM API.
Please note that it is unnecessary to provide a salt value for the KDF when used in the context of a KEM for a public key scheme such as McEliece. That the KDF can accept a salt value here is a mere artefact of the API, owing to that fact that KDFs can be used also in other contexts. Specifically, a salt value is only necessary when deriving keys of secrets that potentially lack entropy, such as passwords. Then it mitigates attacks based on precomputed tables.
The McEliece unit test can be taken as reference (link).
Based on that code, your example can be rewritten as follows:
#include <botan/auto_rng.h>
#include <botan/data_src.h>
#include <botan/hex.h>
#include <botan/mceies.h>
#include <botan/mceliece.h>
#include <botan/pkcs8.h>
#include <botan/pubkey.h>
#include <botan/x509_key.h>
#include <cassert>
#include <iostream>
int main() {
// Parameters for McEliece key
// Reference: https://en.wikipedia.org/wiki/McEliece_cryptosystem#Key_sizes
Botan::size_t n = 1632;
Botan::size_t t = 33;
// Size of the symmetric key in bytes
Botan::size_t shared_key_size = 64;
// Key-derivation function to be used for key encapsulation
// Reference: https://botan.randombit.net/handbook/api_ref/kdf.html
std::string kdf{"KDF1(SHA-512)"};
// Salt to be used for key derivation
// NOTE: Pick salt dynamically, Botan recommds for example using a session ID.
std::vector<Botan::byte> salt{0x01, 0x02, 0x03};
Botan::AutoSeeded_RNG rng{};
// Generate private key
Botan::McEliece_PrivateKey priv{rng, n, t};
std::vector<Botan::byte> pub_enc{priv.subject_public_key()};
Botan::secure_vector<Botan::byte> priv_enc{Botan::PKCS8::BER_encode(priv)};
// Encrypting side: Create encapsulated symmetric key
std::unique_ptr<Botan::Public_Key> pub{Botan::X509::load_key(pub_enc)};
Botan::PK_KEM_Encryptor encryptor{*pub, rng, kdf};
Botan::secure_vector<Botan::byte> encapsulated_key{};
Botan::secure_vector<Botan::byte> shared_key1{};
encryptor.encrypt(encapsulated_key, shared_key1, shared_key_size, rng, salt);
std::cout << "Shared key 1: " << Botan::hex_encode(shared_key1) << std::endl;
// Decrypting side: Unpack encapsulated symmetric key
Botan::DataSource_Memory priv_enc_src{priv_enc};
std::unique_ptr<Botan::Private_Key> priv2{
Botan::PKCS8::load_key(priv_enc_src)};
Botan::PK_KEM_Decryptor decryptor{*priv2, rng, kdf};
Botan::secure_vector<Botan::byte> shared_key2{
decryptor.decrypt(encapsulated_key, shared_key_size, salt)};
std::cout << "Shared key 2: " << Botan::hex_encode(shared_key2) << std::endl;
assert(shared_key1 == shared_key2);
return 0;
}
I tested this code against 2.15.0. Example output:
$ g++ -g $(pkg-config --cflags --libs botan-2) test.cpp
$ ./a.out
Shared key 1: 32177925CE5F3D607BA45575195F13B9E0123BD739580DFCF9AE53D417C530DB115867E5E377735CB405CDA6DF7866C647F85FDAC5C407BB2E2C3A8E7D41A5CC
Shared key 2: 32177925CE5F3D607BA45575195F13B9E0123BD739580DFCF9AE53D417C530DB115867E5E377735CB405CDA6DF7866C647F85FDAC5C407BB2E2C3A8E7D41A5CC
Some notes on what I changed compared to the code you gave:
Every Botan::Private_Key is also a Botan::Public_Key (reference). Therefore, we do not need to cast the generated private key to a public key. Instead, we can call subject_public_key directly on the private key to obtain the public key encoding.
Using private_key_bits to obtain the raw private key bits for serialization works, but using PKCS8 might be more robust in terms of interoperability. So I would use Botan::PKCS8::BER_encodeon the private key for that reason.
Constructing the McEliece_PublicKey directly from the public key encoding did not work for me, as the constructor expects the raw public key bits and not the x509 public key encoding. For this reason, I had to use Botan::X509::load_key.
The McEliece_KEM_Encryptor has been removed (reference):
Add generalized interface for KEM (key encapsulation) techniques. Convert McEliece KEM to use it. The previous interfaces McEliece_KEM_Encryptor and McEliece_KEM_Decryptor have been removed. The new KEM interface now uses a KDF to hash the resulting keys; to get the same output as previously provided by McEliece_KEM_Encryptor, use "KDF1(SHA-512)" and request exactly 64 bytes.
Instead you would use Botan::PK_KEM_Encryptor, which takes the public key as a parameter and infers the encryption algorithm to be used from the public key. You can see from the code that it becomes more flexible this way, we do not have to reference McEliece after the key has been generated. If we want to switch to a different algorithm, we only have to change the key generation part, but not the key encapsulation part.
The same applies for McEliece_KEM_Decryptor.
As noted in the above quote, the new KEM interface allows to specify the key-derivation function to be used for KEM, as well as the desired size of the symmetric key. Also, you can pass a salt that will be used for key derivation. For the salt, you would use some value that is unique to your application or even better unique to the current session (reference):
Typically salt is a label or identifier, such as a session id.
Related
The documentation of xerces anticipates the need to make a copy of attributes, but the AttributesImpl class doesn't seem to exist. Neither does the facility seem to exist in other associated classes in either the current 3.2.3 version of xerces or previous 2.X
Xerces documentation in the file itself src/xercesc/sax2/Attributes.hpp says:
"The instance provided will return valid results only during the scope of the startElement invocation (to save it for future use, the application must make a copy: the AttributesImpl helper class provides a convenient constructor for doing so)."
See also I've left issue here as a bug in xerces
https://issues.apache.org/jira/browse/XERCESC-2238
Appears I will be stuck instead creating my own version of attributes in which to copy or clone, and not overwritten each new line. Not saving whole document (which would defeat purpose of SAX streaming parse), but the existing framework populating Attributes is pretty convoluted and undocumented. Obviously the library and docs are designed to use the api, not to hack or extend the application.
Is this really correct, AttributesImpl is helper class in the documentation that doesn't actually exist? Neither is there a different class with this functionality to save an element's attributes for later use (outside the handler)?
Below is a working version of an Attributes deep copy utility function. It may be missing a few includes which I'm getting from other includes of my larger file. When I get the chance, I'll try making this a stand alone and update this answer. It still falls short of the Java version utility, due to inaccessible members of RefVectorOf class, because the wrapping class, the Attributes interface and VecAttributesImpl interface, do not provide access to them. https://xerces.apache.org/xerces-j/apiDocs/org/xml/sax/helpers/AttributesImpl.html
Last release of Xerces C/C++ is from 2016, so although marked status active, https://projects.apache.org/project.html?xerces-for_c++_xml_parser , really not so much. Can't vouch for libhunt site, but came up in quick google just now https://cpp.libhunt.com/xerces-c++-alternatives . One can see latest comment here, note use of the phrase "unless a security issue pops up or new committers appear to revive the project" https://issues.apache.org/jira/browse/XERCESC-2238?page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel&focusedCommentId=17571942#comment-17571942
Leaving the status of Xerces C/C++ as active is either a lie or a gross and negligent oversight. This page shows no major release since 2010. https://xerces.apache.org/news.html (C++ is listed below the Java project updates)
#include <xercesc/validators/common/GrammarResolver.hpp>
#include <xercesc/framework/XMLGrammarPool.hpp>
#include <xercesc/sax2/Attributes.hpp>
#include <xercesc/util/RefVectorOf.hpp>
#include "spdlog/spdlog.h"
#define tr XMLString::transcode
static spdlog::logger logger = getLog();
/*
* cloneAttributes
* Uses LocalName as key instead of QName and ignores URI and URI id, id inside RefVectorOf
* but inaccessible to wrapper VecAttributesImpl, and type defaults to CDATA
*/
VecAttributesImpl* cloneAttributes(VecAttributesImpl& attrs, bool useScanner=false){
// from XMLReaderFactory::CreateXMLReader line 49
MemoryManager* const memManager = XMLPlatformUtils::fgMemoryManager;
XMLScanner* scanner;
if(useScanner){
// from void SAX2XMLReaderImpl::initialize() line 124
GrammarResolver* grammarResolver = new (memManager) GrammarResolver(0, memManager); // line 127
// use of 0 from SAX2XMLReaderImpl.hpp line 74 default constructor, XMLGrammarPool* const gramPool = 0
XMLStringPool* URIStringPool = grammarResolver->getStringPool(); // line 128
scanner = XMLScannerResolver::getDefaultScanner(0, grammarResolver, memManager);
// line 42 of XMLScannerResolver::getDefaultScanner uses return new (manager) IGXMLScanner(valToAdopt, grammarResolver, manager);
scanner->setURIStringPool(URIStringPool);
}else{
scanner = NULL;
}
VecAttributesImpl* newAttrs = new VecAttributesImpl(); //VecAttributesImpl is not a vector, it's a wrapper around RefVectorOf
RefVectorOf<XMLAttr> * newRefVectorOf = new (memManager) RefVectorOf<XMLAttr> (32, false, memManager) ;
XMLSize_t atLen = attrs.getLength();
XMLSize_t i;
std::stringstream bruce;
XMLAttr* cpXMLAttr;
for(i = 0;i<atLen;i++){
//Ever QName != LocalName? when URI != ""? logger.debug(format("{}. QName LocalName URI type: {}, {}, {}, {}", i, tr(attrs.getQName(i)), tr(attrs.getLocalName(i)), tr(attrs.getURI(i)),tr(attrs.getType(i)))); // #suppress("Invalid arguments")
cpXMLAttr = new (memManager) XMLAttr
(
0, //URIId, 0 if reading file, but int is inaccessible from attrs, inside RefVectorOf XMLAttr, and getURI(i) returns an XMLCh*
attrs.getLocalName(i),
attrs.getValue(i)
);
if(logger.level() == spdlog::level::debug){
bruce << tr(attrs.getLocalName(i))<<" : "<<tr(attrs.getValue(i))<< " | ";
}
newRefVectorOf->addElement(cpXMLAttr);
}
logger.debug(bruce.str());
newRefVectorOf->size();
logger.debug(newRefVectorOf->size());
//The scanner can actually be set to NULL and the above scanner construction skipped if the VecAttributesImpl isn't scanning.
newAttrs->setVector(newRefVectorOf, newRefVectorOf->size(), scanner, false);
return newAttrs;
}
The background of this is that I'm going to be given a binary file that's been signed using CryptoPP, with the signature included in the file, and the public key, and I want to be able to verify the file and extract the data (without its signature) into another file.
The code that's used to do this with Crypto++ is relatively trivial, but I've been looking around and can't find anything similar. Everything I've looked at seems to be messages where the signature is separate, but I'm not sure how I work out where, in the file, to pull the signature out.
The reason I want to do this is that, given I have a need for OpenSSL for other reasons, I don't want to have to also include Crypto++ in my application if I don't have to.
The existing verification code is like this:
const char *key = kPublicKey; // hex encoded public key
CryptoPP::StringSource f( key, true, new CryptoPP::HexDecoder);
CryptoPP::RSASS< CryptoPP::PSSR, CryptoPP::SHA1 >::Verifier verifier(f);
CryptoPP::FileSource( packageFilename.toStdString().c_str(), true,
new CryptoPP::SignatureVerificationFilter(
verifier,
new CryptoPP::FileSink( recoveredFilename.toStdString().c_str()),
CryptoPP::SignatureVerificationFilter::THROW_EXCEPTION | CryptoPP::SignatureVerificationFilter::PUT_MESSAGE )
);
Which, as I said, looks trivial but, presumably, there's a lot going on under the hood. Essentially that's given the name of a file that includes the content AND the signature, and a "verifier" which incorporates the public key, and checks if the file content is correct and produces a copy of the file without the signature in it.
What I want to do, then, is replicate this using OpenSSL, but I'm not sure whether there are functions in OpenSSL that will let me just pass the whole file and public key and let it work out where the signature is itself, or if I need to pull the signature out of the file somehow (it's stored at the end of the file!), then pass the file content bit by bit into EVP_DigestVerifyUpdate, then pass the signature into EVP_DigestVerifyFinal function.
Any help would be very gratefully appreciate.
UPDATE
I'm new to digital signing, so may have missed the significance of PSSR here. After some further research I now understand that the idea of PSSR is that the signature contains the message. It may be that the whole of the above could be summarised to:
Given a public key, and a PSSR signature generated using Crypto++, is it possible to verify the message and extract the original data using OpenSSL?
From the files (signatures) I've looked at, that have been generated by Crypto++ using its PSSR implementation, it looks like the data isn't changed; it just has extra stuff added at the end (the SIGNATURE_AT_END flag is used). I am struggling to find any reference to PSSR/PSS-R and OpenSSL using Google.
I am trying to encrypt a file using AES with crypto++. I can see the functions EncryptFile and DecryptFile which use DefaultEncryptorWithMAC/DefaultDecryptorWithMAC from test.cpp in crypto++.
void EncryptFile(const char *in, const char *out, const char *passPhrase)
{
FileSource f(in, true, new DefaultEncryptorWithMAC(passPhrase, new FileSink(out)));
}
void DecryptFile(const char *in, const char *out, const char *passPhrase)
{
FileSource f(in, true, new DefaultDecryptorWithMAC(passPhrase, new FileSink(out)));
}
However I want to use AES and as far as I understand the default encryption scheme is DES_EDE2. Is there a build in way to handle this?
I don't need a MAC so something similar to the DefaultEncryptor/DefaultDecryptor class pair would be good enough.
Also I would prefere to use a random SecByteBlock instead of a passphrase as the following
// Generate a random key
SecByteBlock key(0x00, AES::DEFAULT_KEYLENGTH);
rnd.GenerateBlock( key, key.size() );
However I want to use AES and as far as I understand the default encryption scheme is DES_EDE2. Is there a build in way to handle this?
The project changed the defaults. The commit of interest is Commit bfbcfeec7ca7, and the issue of interest is Issue 345. It will be available in Crypto++ 5.7.
For those who need the old algorithms, they can use LegacyEncryptor, LegacyDecryptor, LegacyEncryptorWithMAC and LegacyDecryptorWithMAC.
The Mash function was retained to keep things less complicated. If these were new classes, they would have used HKDF to extract and expand the entropy; and used PBKDF to grind over the derived key. Since both old and new needed support, we opted for the single source solution. As far as I know, the mash function meets the security goals.
If you are not using Master, then you can also change the following typedfs in default.h to suit your taste. However, you will need to recompile the library afterwards:
typedef DES_EDE2 DefaultBlockCipher;
typedef SHA DefaultHashModule;
typedef HMAC<DefaultHashModule> DefaultMAC;
I've been working on a project based on RSA key exchange and I have used Crypto++ Library. I followed the guidelines in https://www.cryptopp.com/wiki/Raw_RSA and my project works fine. However, I noticed that the public key is always fixed to 1710 = 1116 and when I looked in the rsa.cpp in Crypto++ that public key is fixed!
Again, my project works fine, but I just want to know why..
I noticed that the public key is always fixed to 1710 = 1116 and when I looked in the rsa.cpp in Crypto++ that public key is fixed!
... my project works fine, but I just want to know why..
That's the public exponent, and you can change it. See InvertibleRSAFunction Class Reference.
InvertibleRSAFunction is an odd name if you are not familiar with the library, but there's a type define for typedef InvertibleRSAFunction PrivateKey in rsa.h. RSA::PrivateKey's Initialize function that takes the RandomNumberGenerator is the one that creates keys:
void Initialize (RandomNumberGenerator &rng, unsigned int modulusBits, const Integer &e=17)
The only requirement for the public exponent (e) is it must be co-prime or relatively prime to phi. Phi is Euler's Φ-function, and it's defined as (p-1)*(q-1). It ensures there's an inverse (the private exponent, d).
The public exponent is usually selected for a low-hamming weight to make public key operations faster. A low hamming weight means it has very few 1's, and typical values are 3 (0x3), 17 (0x11) and 65537 (0x10001). Fewer 1's makes the exponentiation fast for the public key operations.
For completeness, the public key is {n,e}. The private key is {n,e,d}. Private keys with CRT parameters are {n,e,d,p,q,dp,dp,u}.
i am doing RSA encryption
i want to convert reference of public key class to string so that i can pass to server
//declaration
const CRSAPrivateKey &iRSAPrivateKey =iRSAKeyPair->PrivateKey();
const CRSAPublicKey &iRSAPublicKey =iRSAKeyPair->PublicKey() ;
i have convert &iRSAPublicKey into TBuf
i tried lot but fails to convert
plz help me out from situation
thanks in advance
If you're using CRSAPublicKey, you probably downloaded the Symbian cryptography library and its documentation from http://developer.symbian.com/main/tools_and_sdks/developer_tools/supported/crypto_api/index.jsp
Admitedly, the documentation isn't explicit but I would venture that you can just send the modulus and exponent components to any other RSA engine in order to reconstitute the public key:
HBufC8* localModulusBuffer = iRSAPublicKey.N().BufferLC();
HBufC8* localExponentBuffer = iRSAPublicKey.E().BufferLC();
Then simply copy the 2 HBufC8 into a TBuf if you really need it.
Just remember that methods with a trailing "C" leave what they return on the cleanup stack.