pub 4096R/8E2EAD58 2017-07-30 Simon Jackson
I’ve been looking into cryptography today and have developed a quartet filter of Java classes which do Diffe-Hellmann 2048 AES key transfer with AES encryption, and ElGamal signing. I chose not to use the shared secret method which uses both private keys, but went for a single secret symmetric AES version, with no back communication.
The main issues were with the signature fail stream close handling, to avoid data corruption via pre-verified data being read as active. An interesting challenge it has been. Other ciphers may have been more logical to some people, and doing the DH modPow by explicit coding was good for the code soul.
I think the discrete logarithm problem is quite secure, and has the square order of 1 prime versus the RSA 2 primes for the same key length. The elliptic curve methods are supposed harder, but the key topology has perhaps some backdoors deep in some later maths. The AES 128 has the lowest key complexity, and is the weakness in the scheme as wrote, so an interleave was made.
Java does make it difficult to build a standard enhanced symmetric cipher to fix this key short fall. Not impossible, but difficult. I may add an intermediate permutation filter to expand the symmetric key length. In the end, I decided on a split symmetric 256 key for AES, one for an outer ECB, and one for an inner CBC. The 16 byte IV was used as a step offset between them for a good 256 bit key effective.
The DH 2048 does not do key exchange with a common p or g, as this is what leads to the x collision over the same p problem. The original plan of public key with less exchange of ephemeral keys, is better. The time solve complexity is similar to a similar RSA. EC cryptography is cool, but still a little not understood, which is ironic for a mathematical field, with a little too much “under” information on how maybe to “find” holes.
The whole concept of perfect forward security, moves the game on to AES cracks based on initial stream content estimates. I’d suggest most of the original key exchange space is pre-computed for a simple 128 bit symmetric crack by now. Out of all the built in Java key types, DH is from my point of view the best for public key cryptography. RSA is cool too for sure, but division is a “relatively” simple operation. There is estimated a 20 bit advantage in the descrete log problem.
DH keys can be decoded to do ElGamal and basic public key secret generation. I’m not sure if DSA as an alternative just needs an extra factor, but Pollard rho triggers a future co p, q effect might be possible. P and Q in DSA are not independent. one is a multiple of the other almost …
Welcome to the national insecurity bank robbery. I know, the state via an affiliated plc, stole 1/4 of my income last year by getting me to destroy evidence.
The artificial limits on the key length and problems leading from that are in the JDK source. Also the deletion of keys from the memory pages when freed back to the OS, may be a problem. Quite a nice programming challenge to do. The Java libs have some strange restrictions on g. View the source.
/* Diffe-Hellmann Cipher AES. (C)2017 K Ring Technologies Ltd.
A DH symmetric secret (1024 bit) for a 2* AES 128 (256 bit) interleave.
The 16 byte offset interleave of the ECB is used for the IV slot
of the CBC.
*/
package uk.co.kring.net;
import java.io.FilterInputStream;
import java.io.FilterOutputStream;
import java.math.BigInteger;
import java.math.SecureBigInteger;
import java.security.KeyPair;
import java.security.PublicKey;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.CipherOutputStream;
import javax.crypto.interfaces.DHPrivateKey;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.IvParameterSpec;
/**
*
* @author Simon
*/
public final class DHCipher {
public static final class InputStream extends FilterInputStream {
public InputStream(java.io.InputStream in, KeyPair pub) throws Exception {
super(in);
BigInteger p, sk;
SecureBigInteger x;
int bytes;
byte[] bb;
DHPublicKey k = (DHPublicKey)pub.getPublic();
p = k.getParams().getP();
bytes = (p.bitLength() + 7) / 8;
DHPrivateKey m =(DHPrivateKey)pub.getPrivate();
x = new SecureBigInteger(m.getX());
bb = new byte[bytes];
in.read(bb);
sk = new BigInteger(bb);
if(!sk.abs().equals(sk)) {
sk = new BigInteger(asLen(bb, bb.length + 1));
}
sk = sk.modPow(x, p);
x.destroy();
Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
c.init(Cipher.DECRYPT_MODE, Keys.getAES(sk)[0]);
in = new CipherInputStream(in, c);
bb = new byte[24];
in.read(bb);
IvParameterSpec iv = new IvParameterSpec(Arrays.copyOfRange(bb, 8, 24));
c = Cipher.getInstance("AES/CBC/PKCS5Padding");
c.init(Cipher.DECRYPT_MODE, Keys.getAES(sk)[1], iv);
in = new CipherInputStream(in, c);
int i = in.read() % 23;
in.skip(i);
}
}
public static byte[] asLen(byte[] b, int len) {
byte[] q = new byte[len];
int j;
for(int i = len - 1; i >= 0; i--) {
j = i + b.length - q.length;
if(j < 0) break;
q[i] = b[j];
}
return q;
}
public static final class OutputStream extends FilterOutputStream {
public OutputStream(java.io.OutputStream out, PublicKey pub) throws Exception {
super(out);
BigInteger y, g, p, sk;
int bytes;
byte[] bb;
DHPublicKey k = (DHPublicKey)pub;
y = k.getY();
g = k.getParams().getG();
p = k.getParams().getP();
bytes = (p.bitLength() + 7) / 8;
bb = new byte[bytes];
Keys.getR().nextBytes(bb);
BigInteger b = new BigInteger(bb);
b = b.abs();
bb = g.modPow(b, p).toByteArray();
bb = asLen(bb, bytes);
out.write(bb);//ephermeric
sk = y.modPow(b, p);
Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
c.init(Cipher.ENCRYPT_MODE, Keys.getAES(sk)[0]);
out = new CipherOutputStream(out, c);
bb = new byte[24];
Keys.getR().nextBytes(bb);
out.write(bb);
IvParameterSpec iv = new IvParameterSpec(Arrays.copyOfRange(bb, 8, 24));
c = Cipher.getInstance("AES/CBC/PKCS5Padding");
c.init(Cipher.ENCRYPT_MODE, Keys.getAES(sk)[1], iv);
out = new CipherOutputStream(out, c);
Keys.getR().nextBytes(bb);
out.write((byte)(bb[0] % 23 + 23 * bb[23]));
out.write(bb, 1, bb[0] % 23);
}
}
}
And the following code for clearing the key. Perfect forward security requires the same q to be used and a extra negotiation step. As it stands it’s not perfect, but as good as RSA, maybe slightly better.
/* Useful. (C)2017 K Ring Technologies Ltd.
*/
package java.math;
import java.util.Arrays;
import java.util.Vector;
import javax.security.auth.DestroyFailedException;
import javax.security.auth.Destroyable;
import uk.co.kring.net.Keys;
/**
*
* @author Simon
*/
public final class SecureBigInteger extends BigInteger implements Destroyable {
private boolean d = false;
private BigInteger ref;
private static final Vector<SecureBigInteger> m = new Vector<SecureBigInteger>();
private synchronized void handler(BigInteger val) {
ref = val;
m.add(this);
System.arraycopy(val.mag, 0, mag, 0, mag.length);
}
public SecureBigInteger(BigInteger val) throws Exception {
super(val.bitLength(), 1, Keys.getR());
handler(val);
}
@Override
public boolean isDestroyed() {
return d;
}
@Override
public void destroy() throws DestroyFailedException {
Arrays.fill(mag, -1);
m.remove(this);
boolean in = false;
Iterable i = (Iterable) m.iterator();
for(Object x: i) {
if(((SecureBigInteger)x).ref == ref) in = true;
}
if(!in) Arrays.fill(ref.mag, -1);//clear final instance
d = true;
}
public void masterDestroy() throws DestroyFailedException {
Iterable i = (Iterable) m.iterator();
for(Object x: i) {
((SecureBigInteger)x).destroy();
}
}
}
There is also the possibility of G exchange, which would allow for calculation of new Y. This would have advantages of instancing a public key set, based on a 1 to 1 crypt role. The cracking of any public key thus only cracks one link and not the full set of peers to a node. In reality, g just alters y, and p does change the crypt. So an exchange of new y is required. There is a potential flaw in this swap if the new p and g are chosen in a cracked domain.
Allowing the client to select g in the server selected p domain is a minor concession to duplication, the server would have to return a new y. Such a thing might go DOS attack, and so should be restricted somewhat. If g is high in repeated factors, then the private key is effectively multiplied up and reduced mod p-1, and g is reduced to a lower base.
A little AES 256 interleaving, and bingo. Still might finish the permutator.
A nice CBC over ECB with IV in first 16 for interleave of 2 times AES 128.
8 byte injection, for initial expectation help, and block mixing.
The 23 x-fix interleave
SHA-256 of BigInteger.toString() upper as 1, lower as 0 for AES, OK. Mind yer, p, g and Y…
And use the modulus size … dough …
A better placement of the initialization vector.
Added in the concept of SecureBigInteger. Made an outer container for destroying X.
Better Secure tracking.