package org.bouncycastle.crypto.agreement.jpake;
import java.math.BigInteger;
import java.security.SecureRandom;
import org.bouncycastle.crypto.CryptoException;
import org.bouncycastle.crypto.Digest;
import org.bouncycastle.crypto.digests.SHA256Digest;
import org.bouncycastle.util.Arrays;
/**
* A participant in a Password Authenticated Key Exchange by Juggling (J-PAKE) exchange.
* <p>
* The J-PAKE exchange is defined by Feng Hao and Peter Ryan in the paper
* <a href="http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf">
* "Password Authenticated Key Exchange by Juggling, 2008."</a>
* <p>
* The J-PAKE protocol is symmetric.
* There is no notion of a <i>client</i> or <i>server</i>, but rather just two <i>participants</i>.
* An instance of {@link JPAKEParticipant} represents one participant, and
* is the primary interface for executing the exchange.
* <p>
* To execute an exchange, construct a {@link JPAKEParticipant} on each end,
* and call the following 7 methods
* (once and only once, in the given order, for each participant, sending messages between them as described):
* <ol>
* <li>{@link #createRound1PayloadToSend()} - and send the payload to the other participant</li>
* <li>{@link #validateRound1PayloadReceived(JPAKERound1Payload)} - use the payload received from the other participant</li>
* <li>{@link #createRound2PayloadToSend()} - and send the payload to the other participant</li>
* <li>{@link #validateRound2PayloadReceived(JPAKERound2Payload)} - use the payload received from the other participant</li>
* <li>{@link #calculateKeyingMaterial()}</li>
* <li>{@link #createRound3PayloadToSend(BigInteger)} - and send the payload to the other participant</li>
* <li>{@link #validateRound3PayloadReceived(JPAKERound3Payload, BigInteger)} - use the payload received from the other participant</li>
* </ol>
* <p>
* Each side should derive a session key from the keying material returned by {@link #calculateKeyingMaterial()}.
* The caller is responsible for deriving the session key using a secure key derivation function (KDF).
* <p>
* Round 3 is an optional key confirmation process.
* If you do not execute round 3, then there is no assurance that both participants are using the same key.
* (i.e. if the participants used different passwords, then their session keys will differ.)
* <p>
* If the round 3 validation succeeds, then the keys are guaranteed to be the same on both sides.
* <p>
* The symmetric design can easily support the asymmetric cases when one party initiates the communication.
* e.g. Sometimes the round1 payload and round2 payload may be sent in one pass.
* Also, in some cases, the key confirmation payload can be sent together with the round2 payload.
* These are the trivial techniques to optimize the communication.
* <p>
* The key confirmation process is implemented as specified in
* <a href="http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf">NIST SP 800-56A Revision 1</a>,
* Section 8.2 Unilateral Key Confirmation for Key Agreement Schemes.
* <p>
* This class is stateful and NOT threadsafe.
* Each instance should only be used for ONE complete J-PAKE exchange
* (i.e. a new {@link JPAKEParticipant} should be constructed for each new J-PAKE exchange).
* <p>
* See {@link JPAKEExample} for example usage.
*/
public class JPAKEParticipant
{
/*
* Possible internal states. Used for state checking.
*/
public static final int STATE_INITIALIZED = 0;
public static final int STATE_ROUND_1_CREATED = 10;
public static final int STATE_ROUND_1_VALIDATED = 20;
public static final int STATE_ROUND_2_CREATED = 30;
public static final int STATE_ROUND_2_VALIDATED = 40;
public static final int STATE_KEY_CALCULATED = 50;
public static final int STATE_ROUND_3_CREATED = 60;
public static final int STATE_ROUND_3_VALIDATED = 70;
/**
* Unique identifier of this participant.
* The two participants in the exchange must NOT share the same id.
*/
private final String participantId;
/**
* Shared secret. This only contains the secret between construction
* and the call to {@link #calculateKeyingMaterial()}.
* <p>
* i.e. When {@link #calculateKeyingMaterial()} is called, this buffer overwritten with 0's,
* and the field is set to null.
* </p>
*/
private char[] password;
/**
* Digest to use during calculations.
*/
private final Digest digest;
/**
* Source of secure random data.
*/
private final SecureRandom random;
private final BigInteger p;
private final BigInteger q;
private final BigInteger g;
/**
* The participantId of the other participant in this exchange.
*/
private String partnerParticipantId;
/**
* Alice's x1 or Bob's x3.
*/
private BigInteger x1;
/**
* Alice's x2 or Bob's x4.
*/
private BigInteger x2;
/**
* Alice's g^x1 or Bob's g^x3.
*/
private BigInteger gx1;
/**
* Alice's g^x2 or Bob's g^x4.
*/
private BigInteger gx2;
/**
* Alice's g^x3 or Bob's g^x1.
*/
private BigInteger gx3;
/**
* Alice's g^x4 or Bob's g^x2.
*/
private BigInteger gx4;
/**
* Alice's B or Bob's A.
*/
private BigInteger b;
/**
* The current state.
* See the <tt>STATE_*</tt> constants for possible values.
*/
private int state;
/**
* Convenience constructor for a new {@link JPAKEParticipant} that uses
* the {@link JPAKEPrimeOrderGroups#NIST_3072} prime order group,
* a SHA-256 digest, and a default {@link SecureRandom} implementation.
* <p>
* After construction, the {@link #getState() state} will be {@link #STATE_INITIALIZED}.
*
* @param participantId unique identifier of this participant.
* The two participants in the exchange must NOT share the same id.
* @param password shared secret.
* A defensive copy of this array is made (and cleared once {@link #calculateKeyingMaterial()} is called).
* Caller should clear the input password as soon as possible.
* @throws NullPointerException if any argument is null
* @throws IllegalArgumentException if password is empty
*/
public JPAKEParticipant(
String participantId,
char[] password)
{
this(
participantId,
password,
JPAKEPrimeOrderGroups.NIST_3072);
}
/**
* Convenience constructor for a new {@link JPAKEParticipant} that uses
* a SHA-256 digest and a default {@link SecureRandom} implementation.
* <p>
* After construction, the {@link #getState() state} will be {@link #STATE_INITIALIZED}.
*
* @param participantId unique identifier of this participant.
* The two participants in the exchange must NOT share the same id.
* @param password shared secret.
* A defensive copy of this array is made (and cleared once {@link #calculateKeyingMaterial()} is called).
* Caller should clear the input password as soon as possible.
* @param group prime order group.
* See {@link JPAKEPrimeOrderGroups} for standard groups
* @throws NullPointerException if any argument is null
* @throws IllegalArgumentException if password is empty
*/
public JPAKEParticipant(
String participantId,
char[] password,
JPAKEPrimeOrderGroup group)
{
this(
participantId,
password,
group,
new SHA256Digest(),
new SecureRandom());
}
/**
* Construct a new {@link JPAKEParticipant}.
* <p>
* After construction, the {@link #getState() state} will be {@link #STATE_INITIALIZED}.
*
* @param participantId unique identifier of this participant.
* The two participants in the exchange must NOT share the same id.
* @param password shared secret.
* A defensive copy of this array is made (and cleared once {@link #calculateKeyingMaterial()} is called).
* Caller should clear the input password as soon as possible.
* @param group prime order group.
* See {@link JPAKEPrimeOrderGroups} for standard groups
* @param digest digest to use during zero knowledge proofs and key confirmation (SHA-256 or stronger preferred)
* @param random source of secure random data for x1 and x2, and for the zero knowledge proofs
* @throws NullPointerException if any argument is null
* @throws IllegalArgumentException if password is empty
*/
public JPAKEParticipant(
String participantId,
char[] password,
JPAKEPrimeOrderGroup group,
Digest digest,
SecureRandom random)
{
JPAKEUtil.validateNotNull(participantId, "participantId");
JPAKEUtil.validateNotNull(password, "password");
JPAKEUtil.validateNotNull(group, "p");
JPAKEUtil.validateNotNull(digest, "digest");
JPAKEUtil.validateNotNull(random, "random");
if (password.length == 0)
{
throw new IllegalArgumentException("Password must not be empty.");
}
this.participantId = participantId;
/*
* Create a defensive copy so as to fully encapsulate the password.
*
* This array will contain the password for the lifetime of this
* participant BEFORE {@link #calculateKeyingMaterial()} is called.
*
* i.e. When {@link #calculateKeyingMaterial()} is called, the array will be cleared
* in order to remove the password from memory.
*
* The caller is responsible for clearing the original password array
* given as input to this constructor.
*/
this.password = Arrays.copyOf(password, password.length);
this.p = group.getP();
this.q = group.getQ();
this.g = group.getG();
this.digest = digest;
this.random = random;
this.state = STATE_INITIALIZED;
}
/**
* Gets the current state of this participant.
* See the <tt>STATE_*</tt> constants for possible values.
*/
public int getState()
{
return this.state;
}
/**
* Creates and returns the payload to send to the other participant during round 1.
* <p>
* After execution, the {@link #getState() state} will be {@link #STATE_ROUND_1_CREATED}.
*/
public JPAKERound1Payload createRound1PayloadToSend()
{
if (this.state >= STATE_ROUND_1_CREATED)
{
throw new IllegalStateException("Round1 payload already created for " + participantId);
}
this.x1 = JPAKEUtil.generateX1(q, random);
this.x2 = JPAKEUtil.generateX2(q, random);
this.gx1 = JPAKEUtil.calculateGx(p, g, x1);
this.gx2 = JPAKEUtil.calculateGx(p, g, x2);
BigInteger[] knowledgeProofForX1 = JPAKEUtil.calculateZeroKnowledgeProof(p, q, g, gx1, x1, participantId, digest, random);
BigInteger[] knowledgeProofForX2 = JPAKEUtil.calculateZeroKnowledgeProof(p, q, g, gx2, x2, participantId, digest, random);
this.state = STATE_ROUND_1_CREATED;
return new JPAKERound1Payload(participantId, gx1, gx2, knowledgeProofForX1, knowledgeProofForX2);
}
/**
* Validates the payload received from the other participant during round 1.
* <p>
* Must be called prior to {@link #createRound2PayloadToSend()}.
* <p>
* After execution, the {@link #getState() state} will be {@link #STATE_ROUND_1_VALIDATED}.
*
* @throws CryptoException if validation fails.
* @throws IllegalStateException if called multiple times.
*/
public void validateRound1PayloadReceived(JPAKERound1Payload round1PayloadReceived)
throws CryptoException
{
if (this.state >= STATE_ROUND_1_VALIDATED)
{
throw new IllegalStateException("Validation already attempted for round1 payload for" + participantId);
}
this.partnerParticipantId = round1PayloadReceived.getParticipantId();
this.gx3 = round1PayloadReceived.getGx1();
this.gx4 = round1PayloadReceived.getGx2();
BigInteger[] knowledgeProofForX3 = round1PayloadReceived.getKnowledgeProofForX1();
BigInteger[] knowledgeProofForX4 = round1PayloadReceived.getKnowledgeProofForX2();
JPAKEUtil.validateParticipantIdsDiffer(participantId, round1PayloadReceived.getParticipantId());
JPAKEUtil.validateGx4(gx4);
JPAKEUtil.validateZeroKnowledgeProof(p, q, g, gx3, knowledgeProofForX3, round1PayloadReceived.getParticipantId(), digest);
JPAKEUtil.validateZeroKnowledgeProof(p, q, g, gx4, knowledgeProofForX4, round1PayloadReceived.getParticipantId(), digest);
this.state = STATE_ROUND_1_VALIDATED;
}
/**
* Creates and returns the payload to send to the other participant during round 2.
* <p>
* {@link #validateRound1PayloadReceived(JPAKERound1Payload)} must be called prior to this method.
* <p>
* After execution, the {@link #getState() state} will be {@link #STATE_ROUND_2_CREATED}.
*
* @throws IllegalStateException if called prior to {@link #validateRound1PayloadReceived(JPAKERound1Payload)}, or multiple times
*/
public JPAKERound2Payload createRound2PayloadToSend()
{
if (this.state >= STATE_ROUND_2_CREATED)
{
throw new IllegalStateException("Round2 payload already created for " + this.participantId);
}
if (this.state < STATE_ROUND_1_VALIDATED)
{
throw new IllegalStateException("Round1 payload must be validated prior to creating Round2 payload for " + this.participantId);
}
BigInteger gA = JPAKEUtil.calculateGA(p, gx1, gx3, gx4);
BigInteger s = JPAKEUtil.calculateS(password);
BigInteger x2s = JPAKEUtil.calculateX2s(q, x2, s);
BigInteger A = JPAKEUtil.calculateA(p, q, gA, x2s);
BigInteger[] knowledgeProofForX2s = JPAKEUtil.calculateZeroKnowledgeProof(p, q, gA, A, x2s, participantId, digest, random);
this.state = STATE_ROUND_2_CREATED;
return new JPAKERound2Payload(participantId, A, knowledgeProofForX2s);
}
/**
* Validates the payload received from the other participant during round 2.
* <p>
* Note that this DOES NOT detect a non-common password.
* The only indication of a non-common password is through derivation
* of different keys (which can be detected explicitly by executing round 3 and round 4)
* <p>
* Must be called prior to {@link #calculateKeyingMaterial()}.
* <p>
* After execution, the {@link #getState() state} will be {@link #STATE_ROUND_2_VALIDATED}.
*
* @throws CryptoException if validation fails.
* @throws IllegalStateException if called prior to {@link #validateRound1PayloadReceived(JPAKERound1Payload)}, or multiple times
*/
public void validateRound2PayloadReceived(JPAKERound2Payload round2PayloadReceived)
throws CryptoException
{
if (this.state >= STATE_ROUND_2_VALIDATED)
{
throw new IllegalStateException("Validation already attempted for round2 payload for" + participantId);
}
if (this.state < STATE_ROUND_1_VALIDATED)
{
throw new IllegalStateException("Round1 payload must be validated prior to validating Round2 payload for " + this.participantId);
}
BigInteger gB = JPAKEUtil.calculateGA(p, gx3, gx1, gx2);
this.b = round2PayloadReceived.getA();
BigInteger[] knowledgeProofForX4s = round2PayloadReceived.getKnowledgeProofForX2s();
JPAKEUtil.validateParticipantIdsDiffer(participantId, round2PayloadReceived.getParticipantId());
JPAKEUtil.validateParticipantIdsEqual(this.partnerParticipantId, round2PayloadReceived.getParticipantId());
JPAKEUtil.validateGa(gB);
JPAKEUtil.validateZeroKnowledgeProof(p, q, gB, b, knowledgeProofForX4s, round2PayloadReceived.getParticipantId(), digest);
this.state = STATE_ROUND_2_VALIDATED;
}
/**
* Calculates and returns the key material.
* A session key must be derived from this key material using a secure key derivation function (KDF).
* The KDF used to derive the key is handled externally (i.e. not by {@link JPAKEParticipant}).
* <p>
* The keying material will be identical for each participant if and only if
* each participant's password is the same. i.e. If the participants do not
* share the same password, then each participant will derive a different key.
* Therefore, if you immediately start using a key derived from
* the keying material, then you must handle detection of incorrect keys.
* If you want to handle this detection explicitly, you can optionally perform
* rounds 3 and 4. See {@link JPAKEParticipant} for details on how to execute
* rounds 3 and 4.
* <p>
* The keying material will be in the range <tt>[0, p-1]</tt>.
* <p>
* {@link #validateRound2PayloadReceived(JPAKERound2Payload)} must be called prior to this method.
* <p>
* As a side effect, the internal {@link #password} array is cleared, since it is no longer needed.
* <p>
* After execution, the {@link #getState() state} will be {@link #STATE_KEY_CALCULATED}.
*
* @throws IllegalStateException if called prior to {@link #validateRound2PayloadReceived(JPAKERound2Payload)},
* or if called multiple times.
*/
public BigInteger calculateKeyingMaterial()
{
if (this.state >= STATE_KEY_CALCULATED)
{
throw new IllegalStateException("Key already calculated for " + participantId);
}
if (this.state < STATE_ROUND_2_VALIDATED)
{
throw new IllegalStateException("Round2 payload must be validated prior to creating key for " + participantId);
}
BigInteger s = JPAKEUtil.calculateS(password);
/*
* Clear the password array from memory, since we don't need it anymore.
*
* Also set the field to null as a flag to indicate that the key has already been calculated.
*/
Arrays.fill(password, (char)0);
this.password = null;
BigInteger keyingMaterial = JPAKEUtil.calculateKeyingMaterial(p, q, gx4, x2, s, b);
/*
* Clear the ephemeral private key fields as well.
* Note that we're relying on the garbage collector to do its job to clean these up.
* The old objects will hang around in memory until the garbage collector destroys them.
*
* If the ephemeral private keys x1 and x2 are leaked,
* the attacker might be able to brute-force the password.
*/
this.x1 = null;
this.x2 = null;
this.b = null;
/*
* Do not clear gx* yet, since those are needed by round 3.
*/
this.state = STATE_KEY_CALCULATED;
return keyingMaterial;
}
/**
* Creates and returns the payload to send to the other participant during round 3.
* <p>
* See {@link JPAKEParticipant} for more details on round 3.
* <p>
* After execution, the {@link #getState() state} will be {@link #STATE_ROUND_3_CREATED}.
*
* @param keyingMaterial The keying material as returned from {@link #calculateKeyingMaterial()}.
* @throws IllegalStateException if called prior to {@link #calculateKeyingMaterial()}, or multiple times
*/
public JPAKERound3Payload createRound3PayloadToSend(BigInteger keyingMaterial)
{
if (this.state >= STATE_ROUND_3_CREATED)
{
throw new IllegalStateException("Round3 payload already created for " + this.participantId);
}
if (this.state < STATE_KEY_CALCULATED)
{
throw new IllegalStateException("Keying material must be calculated prior to creating Round3 payload for " + this.participantId);
}
BigInteger macTag = JPAKEUtil.calculateMacTag(
this.participantId,
this.partnerParticipantId,
this.gx1,
this.gx2,
this.gx3,
this.gx4,
keyingMaterial,
this.digest);
this.state = STATE_ROUND_3_CREATED;
return new JPAKERound3Payload(participantId, macTag);
}
/**
* Validates the payload received from the other participant during round 3.
* <p>
* See {@link JPAKEParticipant} for more details on round 3.
* <p>
* After execution, the {@link #getState() state} will be {@link #STATE_ROUND_3_VALIDATED}.
*
* @param keyingMaterial The keying material as returned from {@link #calculateKeyingMaterial()}.
* @throws CryptoException if validation fails.
* @throws IllegalStateException if called prior to {@link #calculateKeyingMaterial()}, or multiple times
*/
public void validateRound3PayloadReceived(JPAKERound3Payload round3PayloadReceived, BigInteger keyingMaterial)
throws CryptoException
{
if (this.state >= STATE_ROUND_3_VALIDATED)
{
throw new IllegalStateException("Validation already attempted for round3 payload for" + participantId);
}
if (this.state < STATE_KEY_CALCULATED)
{
throw new IllegalStateException("Keying material must be calculated validated prior to validating Round3 payload for " + this.participantId);
}
JPAKEUtil.validateParticipantIdsDiffer(participantId, round3PayloadReceived.getParticipantId());
JPAKEUtil.validateParticipantIdsEqual(this.partnerParticipantId, round3PayloadReceived.getParticipantId());
JPAKEUtil.validateMacTag(
this.participantId,
this.partnerParticipantId,
this.gx1,
this.gx2,
this.gx3,
this.gx4,
keyingMaterial,
this.digest,
round3PayloadReceived.getMacTag());
/*
* Clear the rest of the fields.
*/
this.gx1 = null;
this.gx2 = null;
this.gx3 = null;
this.gx4 = null;
this.state = STATE_ROUND_3_VALIDATED;
}
}