All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.bitcoinj.crypto.KeyCrypterScrypt Maven / Gradle / Ivy

There is a newer version: 21.0.0
Show newest version
/*
 * Copyright 2013 Jim Burton.
 * Copyright 2014 Andreas Schildbach
 *
 * Licensed under the MIT license (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *    http://opensource.org/licenses/mit-license.php
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.bitcoinj.crypto;

import com.google.common.base.Objects;
import com.google.common.base.Stopwatch;
import com.google.protobuf.ByteString;
import com.lambdaworks.crypto.SCrypt;
import org.bitcoinj.core.Utils;
import org.bitcoinj.wallet.Protos;
import org.bitcoinj.wallet.Protos.ScryptParameters;
import org.bitcoinj.wallet.Protos.Wallet.EncryptionType;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.bouncycastle.crypto.BufferedBlockCipher;
import org.bouncycastle.crypto.engines.AESFastEngine;
import org.bouncycastle.crypto.InvalidCipherTextException;
import org.bouncycastle.crypto.modes.CBCBlockCipher;
import org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher;
import org.bouncycastle.crypto.params.KeyParameter;
import org.bouncycastle.crypto.params.ParametersWithIV;

import java.security.SecureRandom;
import java.util.Arrays;

import static com.google.common.base.Preconditions.checkNotNull;

/**
 * 

This class encrypts and decrypts byte arrays and strings using scrypt as the * key derivation function and AES for the encryption.

* *

You can use this class to:

* *

1) Using a user password, create an AES key that can encrypt and decrypt your private keys. * To convert the password to the AES key, scrypt is used. This is an algorithm resistant * to brute force attacks. You can use the ScryptParameters to tune how difficult you * want this to be generation to be.

* *

2) Using the AES Key generated above, you then can encrypt and decrypt any bytes using * the AES symmetric cipher. Eight bytes of salt is used to prevent dictionary attacks.

*/ public class KeyCrypterScrypt implements KeyCrypter { private static final Logger log = LoggerFactory.getLogger(KeyCrypterScrypt.class); /** * Key length in bytes. */ public static final int KEY_LENGTH = 32; // = 256 bits. /** * The size of an AES block in bytes. * This is also the length of the initialisation vector. */ public static final int BLOCK_LENGTH = 16; // = 128 bits. /** * The length of the salt used. */ public static final int SALT_LENGTH = 8; static { // Init proper random number generator, as some old Android installations have bugs that make it unsecure. if (Utils.isAndroidRuntime()) new LinuxSecureRandom(); secureRandom = new SecureRandom(); } private static final SecureRandom secureRandom; /** Returns SALT_LENGTH (8) bytes of random data */ public static byte[] randomSalt() { byte[] salt = new byte[SALT_LENGTH]; secureRandom.nextBytes(salt); return salt; } // Scrypt parameters. private final ScryptParameters scryptParameters; /** * Encryption/Decryption using default parameters and a random salt. */ public KeyCrypterScrypt() { Protos.ScryptParameters.Builder scryptParametersBuilder = Protos.ScryptParameters.newBuilder().setSalt( ByteString.copyFrom(randomSalt())); this.scryptParameters = scryptParametersBuilder.build(); } /** * Encryption/Decryption using custom number of iterations parameters and a random salt. * As of August 2016, a useful value for mobile devices is 4096 (derivation takes about 1 second). * * @param iterations * number of scrypt iterations */ public KeyCrypterScrypt(int iterations) { Protos.ScryptParameters.Builder scryptParametersBuilder = Protos.ScryptParameters.newBuilder() .setSalt(ByteString.copyFrom(randomSalt())).setN(iterations); this.scryptParameters = scryptParametersBuilder.build(); } /** * Encryption/ Decryption using specified Scrypt parameters. * * @param scryptParameters ScryptParameters to use * @throws NullPointerException if the scryptParameters or any of its N, R or P is null. */ public KeyCrypterScrypt(ScryptParameters scryptParameters) { this.scryptParameters = checkNotNull(scryptParameters); // Check there is a non-empty salt. // (Some early MultiBit wallets has a missing salt so it is not a hard fail). if (scryptParameters.getSalt() == null || scryptParameters.getSalt().toByteArray() == null || scryptParameters.getSalt().toByteArray().length == 0) { log.warn("You are using a ScryptParameters with no salt. Your encryption may be vulnerable to a dictionary attack."); } } /** * Generate AES key. * * This is a very slow operation compared to encrypt/ decrypt so it is normally worth caching the result. * * @param password The password to use in key generation * @return The KeyParameter containing the created AES key * @throws KeyCrypterException */ @Override public KeyParameter deriveKey(CharSequence password) throws KeyCrypterException { byte[] passwordBytes = null; try { passwordBytes = convertToByteArray(password); byte[] salt = new byte[0]; if ( scryptParameters.getSalt() != null) { salt = scryptParameters.getSalt().toByteArray(); } else { // Warn the user that they are not using a salt. // (Some early MultiBit wallets had a blank salt). log.warn("You are using a ScryptParameters with no salt. Your encryption may be vulnerable to a dictionary attack."); } final Stopwatch watch = Stopwatch.createStarted(); byte[] keyBytes = SCrypt.scrypt(passwordBytes, salt, (int) scryptParameters.getN(), scryptParameters.getR(), scryptParameters.getP(), KEY_LENGTH); watch.stop(); log.info("Deriving key took {} for {}.", watch, scryptParametersString()); return new KeyParameter(keyBytes); } catch (Exception e) { throw new KeyCrypterException("Could not generate key from password and salt.", e); } finally { // Zero the password bytes. if (passwordBytes != null) { java.util.Arrays.fill(passwordBytes, (byte) 0); } } } /** * Password based encryption using AES - CBC 256 bits. */ @Override public EncryptedData encrypt(byte[] plainBytes, KeyParameter aesKey) throws KeyCrypterException { checkNotNull(plainBytes); checkNotNull(aesKey); try { // Generate iv - each encryption call has a different iv. byte[] iv = new byte[BLOCK_LENGTH]; secureRandom.nextBytes(iv); ParametersWithIV keyWithIv = new ParametersWithIV(aesKey, iv); // Encrypt using AES. BufferedBlockCipher cipher = new PaddedBufferedBlockCipher(new CBCBlockCipher(new AESFastEngine())); cipher.init(true, keyWithIv); byte[] encryptedBytes = new byte[cipher.getOutputSize(plainBytes.length)]; final int length1 = cipher.processBytes(plainBytes, 0, plainBytes.length, encryptedBytes, 0); final int length2 = cipher.doFinal(encryptedBytes, length1); return new EncryptedData(iv, Arrays.copyOf(encryptedBytes, length1 + length2)); } catch (Exception e) { throw new KeyCrypterException("Could not encrypt bytes.", e); } } /** * Decrypt bytes previously encrypted with this class. * * @param dataToDecrypt The data to decrypt * @param aesKey The AES key to use for decryption * @return The decrypted bytes * @throws KeyCrypterException if bytes could not be decrypted */ @Override public byte[] decrypt(EncryptedData dataToDecrypt, KeyParameter aesKey) throws KeyCrypterException { checkNotNull(dataToDecrypt); checkNotNull(aesKey); try { ParametersWithIV keyWithIv = new ParametersWithIV(new KeyParameter(aesKey.getKey()), dataToDecrypt.initialisationVector); // Decrypt the message. BufferedBlockCipher cipher = new PaddedBufferedBlockCipher(new CBCBlockCipher(new AESFastEngine())); cipher.init(false, keyWithIv); byte[] cipherBytes = dataToDecrypt.encryptedBytes; byte[] decryptedBytes = new byte[cipher.getOutputSize(cipherBytes.length)]; final int length1 = cipher.processBytes(cipherBytes, 0, cipherBytes.length, decryptedBytes, 0); final int length2 = cipher.doFinal(decryptedBytes, length1); return Arrays.copyOf(decryptedBytes, length1 + length2); } catch (InvalidCipherTextException e) { throw new KeyCrypterException.InvalidCipherText("Could not decrypt bytes", e); } catch (RuntimeException e) { throw new KeyCrypterException("Could not decrypt bytes", e); } } /** * Convert a CharSequence (which are UTF16) into a byte array. * * Note: a String.getBytes() is not used to avoid creating a String of the password in the JVM. */ private static byte[] convertToByteArray(CharSequence charSequence) { checkNotNull(charSequence); byte[] byteArray = new byte[charSequence.length() << 1]; for(int i = 0; i < charSequence.length(); i++) { int bytePosition = i << 1; byteArray[bytePosition] = (byte) ((charSequence.charAt(i)&0xFF00)>>8); byteArray[bytePosition + 1] = (byte) (charSequence.charAt(i)&0x00FF); } return byteArray; } public ScryptParameters getScryptParameters() { return scryptParameters; } /** * Return the EncryptionType enum value which denotes the type of encryption/ decryption that this KeyCrypter * can understand. */ @Override public EncryptionType getUnderstoodEncryptionType() { return EncryptionType.ENCRYPTED_SCRYPT_AES; } @Override public String toString() { return "AES-" + KEY_LENGTH * 8 + "-CBC, Scrypt (" + scryptParametersString() + ")"; } private String scryptParametersString() { return "N=" + scryptParameters.getN() + ", r=" + scryptParameters.getR() + ", p=" + scryptParameters.getP(); } @Override public int hashCode() { return Objects.hashCode(scryptParameters); } @Override public boolean equals(Object o) { if (this == o) return true; if (o == null || getClass() != o.getClass()) return false; return Objects.equal(scryptParameters, ((KeyCrypterScrypt)o).scryptParameters); } }




© 2015 - 2024 Weber Informatics LLC | Privacy Policy