Class JPAKEUtil
- java.lang.Object
-
- org.bouncycastle.crypto.agreement.jpake.JPAKEUtil
-
public class JPAKEUtil extends java.lang.ObjectPrimitives needed for a J-PAKE exchange.The recommended way to perform a J-PAKE exchange is by using two
JPAKEParticipants. Internally, those participants call these primitive operations inJPAKEUtil.The primitives, however, can be used without a
JPAKEParticipantif needed.
-
-
Constructor Summary
Constructors Constructor Description JPAKEUtil()
-
Method Summary
All Methods Static Methods Concrete Methods Modifier and Type Method Description static java.math.BigIntegercalculateA(java.math.BigInteger p, java.math.BigInteger q, java.math.BigInteger gA, java.math.BigInteger x2s)Calculate A as done in round 2.static java.math.BigIntegercalculateGA(java.math.BigInteger p, java.math.BigInteger gx1, java.math.BigInteger gx3, java.math.BigInteger gx4)Calculate ga as done in round 2.static java.math.BigIntegercalculateGx(java.math.BigInteger p, java.math.BigInteger g, java.math.BigInteger x)Calculate g^x mod p as done in round 1.static java.math.BigIntegercalculateKeyingMaterial(java.math.BigInteger p, java.math.BigInteger q, java.math.BigInteger gx4, java.math.BigInteger x2, java.math.BigInteger s, java.math.BigInteger B)Calculates the keying material, which can be done after round 2 has completed.static java.math.BigIntegercalculateMacTag(java.lang.String participantId, java.lang.String partnerParticipantId, java.math.BigInteger gx1, java.math.BigInteger gx2, java.math.BigInteger gx3, java.math.BigInteger gx4, java.math.BigInteger keyingMaterial, Digest digest)Calculates the MacTag (to be used for key confirmation), as defined by NIST SP 800-56A Revision 1, Section 8.2 Unilateral Key Confirmation for Key Agreement Schemes.static java.math.BigIntegercalculateS(char[] password)Converts the given password to aBigIntegerfor use in arithmetic calculations.static java.math.BigIntegercalculateX2s(java.math.BigInteger q, java.math.BigInteger x2, java.math.BigInteger s)Calculate x2 * s as done in round 2.static java.math.BigInteger[]calculateZeroKnowledgeProof(java.math.BigInteger p, java.math.BigInteger q, java.math.BigInteger g, java.math.BigInteger gx, java.math.BigInteger x, java.lang.String participantId, Digest digest, java.security.SecureRandom random)Calculate a zero knowledge proof of x using Schnorr's signature.static java.math.BigIntegergenerateX1(java.math.BigInteger q, java.security.SecureRandom random)Return a value that can be used as x1 or x3 during round 1.static java.math.BigIntegergenerateX2(java.math.BigInteger q, java.security.SecureRandom random)Return a value that can be used as x2 or x4 during round 1.static voidvalidateGa(java.math.BigInteger ga)Validates that ga is not 1.static voidvalidateGx4(java.math.BigInteger gx4)Validates that g^x4 is not 1.static voidvalidateMacTag(java.lang.String participantId, java.lang.String partnerParticipantId, java.math.BigInteger gx1, java.math.BigInteger gx2, java.math.BigInteger gx3, java.math.BigInteger gx4, java.math.BigInteger keyingMaterial, Digest digest, java.math.BigInteger partnerMacTag)Validates the MacTag received from the partner participant.static voidvalidateNotNull(java.lang.Object object, java.lang.String description)Validates that the given object is not null.static voidvalidateParticipantIdsDiffer(java.lang.String participantId1, java.lang.String participantId2)Validates that the given participant ids are not equal.static voidvalidateParticipantIdsEqual(java.lang.String expectedParticipantId, java.lang.String actualParticipantId)Validates that the given participant ids are equal.static voidvalidateZeroKnowledgeProof(java.math.BigInteger p, java.math.BigInteger q, java.math.BigInteger g, java.math.BigInteger gx, java.math.BigInteger[] zeroKnowledgeProof, java.lang.String participantId, Digest digest)Validates the zero knowledge proof (generated bycalculateZeroKnowledgeProof(BigInteger, BigInteger, BigInteger, BigInteger, BigInteger, String, Digest, SecureRandom)) is correct.
-
-
-
Method Detail
-
generateX1
public static java.math.BigInteger generateX1(java.math.BigInteger q, java.security.SecureRandom random)Return a value that can be used as x1 or x3 during round 1.The returned value is a random value in the range [0, q-1].
-
generateX2
public static java.math.BigInteger generateX2(java.math.BigInteger q, java.security.SecureRandom random)Return a value that can be used as x2 or x4 during round 1.The returned value is a random value in the range [1, q-1].
-
calculateS
public static java.math.BigInteger calculateS(char[] password)
Converts the given password to aBigIntegerfor use in arithmetic calculations.
-
calculateGx
public static java.math.BigInteger calculateGx(java.math.BigInteger p, java.math.BigInteger g, java.math.BigInteger x)Calculate g^x mod p as done in round 1.
-
calculateGA
public static java.math.BigInteger calculateGA(java.math.BigInteger p, java.math.BigInteger gx1, java.math.BigInteger gx3, java.math.BigInteger gx4)Calculate ga as done in round 2.
-
calculateX2s
public static java.math.BigInteger calculateX2s(java.math.BigInteger q, java.math.BigInteger x2, java.math.BigInteger s)Calculate x2 * s as done in round 2.
-
calculateA
public static java.math.BigInteger calculateA(java.math.BigInteger p, java.math.BigInteger q, java.math.BigInteger gA, java.math.BigInteger x2s)Calculate A as done in round 2.
-
calculateZeroKnowledgeProof
public static java.math.BigInteger[] calculateZeroKnowledgeProof(java.math.BigInteger p, java.math.BigInteger q, java.math.BigInteger g, java.math.BigInteger gx, java.math.BigInteger x, java.lang.String participantId, Digest digest, java.security.SecureRandom random)Calculate a zero knowledge proof of x using Schnorr's signature. The returned array has two elements {g^v, r = v-x*h} for x.
-
validateGx4
public static void validateGx4(java.math.BigInteger gx4) throws CryptoExceptionValidates that g^x4 is not 1.- Throws:
CryptoException- if g^x4 is 1
-
validateGa
public static void validateGa(java.math.BigInteger ga) throws CryptoExceptionValidates that ga is not 1.As described by Feng Hao...
Alice could simply check ga != 1 to ensure it is a generator. In fact, as we will explain in Section 3, (x1 + x3 + x4 ) is random over Zq even in the face of active attacks. Hence, the probability for ga = 1 is extremely small - on the order of 2^160 for 160-bit q.
- Throws:
CryptoException- if ga is 1
-
validateZeroKnowledgeProof
public static void validateZeroKnowledgeProof(java.math.BigInteger p, java.math.BigInteger q, java.math.BigInteger g, java.math.BigInteger gx, java.math.BigInteger[] zeroKnowledgeProof, java.lang.String participantId, Digest digest) throws CryptoExceptionValidates the zero knowledge proof (generated bycalculateZeroKnowledgeProof(BigInteger, BigInteger, BigInteger, BigInteger, BigInteger, String, Digest, SecureRandom)) is correct.- Throws:
CryptoException- if the zero knowledge proof is not correct
-
calculateKeyingMaterial
public static java.math.BigInteger calculateKeyingMaterial(java.math.BigInteger p, java.math.BigInteger q, java.math.BigInteger gx4, java.math.BigInteger x2, java.math.BigInteger s, java.math.BigInteger B)Calculates the keying material, which can be done after round 2 has completed. A session key must be derived from this key material using a secure key derivation function (KDF). The KDF used to derive the key is handled externally (i.e. not byJPAKEParticipant).KeyingMaterial = (B/g^{x2*x4*s})^x2
-
validateParticipantIdsDiffer
public static void validateParticipantIdsDiffer(java.lang.String participantId1, java.lang.String participantId2) throws CryptoExceptionValidates that the given participant ids are not equal. (For the J-PAKE exchange, each participant must use a unique id.)- Throws:
CryptoException- if the participantId strings are equal.
-
validateParticipantIdsEqual
public static void validateParticipantIdsEqual(java.lang.String expectedParticipantId, java.lang.String actualParticipantId) throws CryptoExceptionValidates that the given participant ids are equal. This is used to ensure that the payloads received from each round all come from the same participant.- Throws:
CryptoException- if the participantId strings are equal.
-
validateNotNull
public static void validateNotNull(java.lang.Object object, java.lang.String description)Validates that the given object is not null.- Parameters:
object- object in questiondescription- name of the object (to be used in exception message)- Throws:
java.lang.NullPointerException- if the object is null.
-
calculateMacTag
public static java.math.BigInteger calculateMacTag(java.lang.String participantId, java.lang.String partnerParticipantId, java.math.BigInteger gx1, java.math.BigInteger gx2, java.math.BigInteger gx3, java.math.BigInteger gx4, java.math.BigInteger keyingMaterial, Digest digest)Calculates the MacTag (to be used for key confirmation), as defined by NIST SP 800-56A Revision 1, Section 8.2 Unilateral Key Confirmation for Key Agreement Schemes.MacTag = HMAC(MacKey, MacLen, MacData) MacKey = H(K || "JPAKE_KC") MacData = "KC_1_U" || participantId || partnerParticipantId || gx1 || gx2 || gx3 || gx4 Note that both participants use "KC_1_U" because the sender of the round 3 message is always the initiator for key confirmation. HMAC =
HMacused with the givenDigestH = The givenDigestMacLen = length of MacTag
-
validateMacTag
public static void validateMacTag(java.lang.String participantId, java.lang.String partnerParticipantId, java.math.BigInteger gx1, java.math.BigInteger gx2, java.math.BigInteger gx3, java.math.BigInteger gx4, java.math.BigInteger keyingMaterial, Digest digest, java.math.BigInteger partnerMacTag) throws CryptoExceptionValidates the MacTag received from the partner participant.- Parameters:
partnerMacTag- the MacTag received from the partner.- Throws:
CryptoException- if the participantId strings are equal.
-
-