| blob | 01388885699323d82572b7201e6ce8a3168fb84a |
1 /* UMac32.java --
2 Copyright (C) 2001, 2002, 2003, 2006 Free Software Foundation, Inc.
4 This file is a part of GNU Classpath.
6 GNU Classpath is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or (at
9 your option) any later version.
11 GNU Classpath is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with GNU Classpath; if not, write to the Free Software
18 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301
19 USA
21 Linking this library statically or dynamically with other modules is
22 making a combined work based on this library. Thus, the terms and
23 conditions of the GNU General Public License cover the whole
24 combination.
26 As a special exception, the copyright holders of this library give you
27 permission to link this library with independent modules to produce an
28 executable, regardless of the license terms of these independent
29 modules, and to copy and distribute the resulting executable under
30 terms of your choice, provided that you also meet, for each linked
31 independent module, the terms and conditions of the license of that
32 module. An independent module is a module which is not derived from
33 or based on this library. If you modify this library, you may extend
34 this exception to your version of the library, but you are not
35 obligated to do so. If you do not wish to do so, delete this
36 exception statement from your version. */
55 /**
56 * <p>The implementation of the <i>UMAC</i> (Universal Message Authentication
57 * Code).</p>
58 *
59 * <p>The <i>UMAC</i> algorithms described are <i>parameterized</i>. This means
60 * that various low-level choices, like the endian convention and the underlying
61 * cryptographic primitive, have not been fixed. One must choose values for
62 * these parameters before the authentication tag generated by <i>UMAC</i> (for
63 * a given message, key, and nonce) becomes fully-defined. In this document
64 * we provide two collections of parameter settings, and have named the sets
65 * <i>UMAC16</i> and <i>UMAC32</i>. The parameter sets have been chosen based on
66 * experimentation and provide good performance on a wide variety of processors.
67 * <i>UMAC16</i> is designed to excel on processors which provide small-scale
68 * SIMD parallelism of the type found in Intel's MMX and Motorola's AltiVec
69 * instruction sets, while <i>UMAC32</i> is designed to do well on processors
70 * with good 32- and 64- bit support. <i>UMAC32</i> may take advantage of SIMD
71 * parallelism in future processors.</p>
72 *
73 * <p><i>UMAC</i> has been designed to allow implementations which accommodate
74 * <i>on-line</i> authentication. This means that pieces of the message may
75 * be presented to <i>UMAC</i> at different times (but in correct order) and an
76 * on-line implementation will be able to process the message correctly without
77 * the need to buffer more than a few dozen bytes of the message. For
78 * simplicity, the algorithms in this specification are presented as if the
79 * entire message being authenticated were available at once.</p>
80 *
81 * <p>To authenticate a message, <code>Msg</code>, one first applies the
82 * universal hash function, resulting in a string which is typically much
83 * shorter than the original message. The pseudorandom function is applied to a
84 * nonce, and the result is used in the manner of a Vernam cipher: the
85 * authentication tag is the xor of the output from the hash function and the
86 * output from the pseudorandom function. Thus, an authentication tag is
87 * generated as</p>
88 *
89 * <pre>
90 * AuthTag = f(Nonce) xor h(Msg)
91 * </pre>
92 *
93 * <p>Here <code>f</code> is the pseudorandom function shared between the sender
94 * and the receiver, and h is a universal hash function shared by the sender and
95 * the receiver. In <i>UMAC</i>, a shared key is used to key the pseudorandom
96 * function <code>f</code>, and then <code>f</code> is used for both tag
97 * generation and internally to generate all of the bits needed by the universal
98 * hash function.</p>
99 *
100 * <p>The universal hash function that we use is called <code>UHASH</code>. It
101 * combines several software-optimized algorithms into a multi-layered
102 * structure. The algorithm is moderately complex. Some of this complexity comes
103 * from extensive speed optimizations.</p>
104 *
105 * <p>For the pseudorandom function we use the block cipher of the <i>Advanced
106 * Encryption Standard</i> (AES).</p>
107 *
108 * <p>The UMAC32 parameters, considered in this implementation are:</p>
109 * <pre>
110 * UMAC32
111 * ------
112 * WORD-LEN 4
113 * UMAC-OUTPUT-LEN 8
114 * L1-KEY-LEN 1024
115 * UMAC-KEY-LEN 16
116 * ENDIAN-FAVORITE BIG *
117 * L1-OPERATIONS-SIGN UNSIGNED
118 * </pre>
119 *
120 * <p>Please note that this UMAC32 differs from the one described in the paper
121 * by the <i>ENDIAN-FAVORITE</i> value.</p>
122 *
123 * <p>References:</p>
124 *
125 * <ol>
126 * <li><a href="http://www.ietf.org/internet-drafts/draft-krovetz-umac-01.txt">
127 * UMAC</a>: Message Authentication Code using Universal Hashing.<br>
128 * T. Krovetz, J. Black, S. Halevi, A. Hevia, H. Krawczyk, and P. Rogaway.</li>
129 * </ol>
130 */
132 {
134 // Constants and variables
135 // -------------------------------------------------------------------------
137 /**
138 * Property name of the user-supplied <i>Nonce</i>. The value associated to
139 * this property name is taken to be a byte array.
140 */
143 /** Known test vector. */
144 // private static final String TV1 = "3E5A0E09198B0F94";
145 // private static final String TV1 = "5FD764A6D3A9FD9D";
146 // private static final String TV1 = "48658DE1D9A70304";
151 // UMAC32 parameters
158 /** caches the result of the correctness test, once executed. */
167 /** The authentication key for this instance. */
170 // Constructor(s)
171 // -------------------------------------------------------------------------
173 /** Trivial 0-arguments constructor. */
175 {
177 }
179 /**
180 * <p>Private constructor for cloning purposes.</p>
181 *
182 * @param that the instance to clone.
183 */
185 {
189 {
191 }
193 {
195 }
197 {
199 }
201 }
203 // Class methods
204 // -------------------------------------------------------------------------
206 // Instance methods
207 // -------------------------------------------------------------------------
209 // java.lang.Cloneable interface implementation ----------------------------
212 {
214 }
216 // gnu.crypto.mac.IMac interface implementation ----------------------------
219 {
221 }
223 /**
224 * <p>Initialising a <i>UMAC</i> instance consists of defining values for
225 * the following parameters:</p>
226 *
227 * <ol>
228 * <li>Key Material: as the value of the attribute entry keyed by
229 * {@link #MAC_KEY_MATERIAL}. The value is taken to be a byte array
230 * containing the user-specified key material. The length of this array,
231 * if/when defined SHOULD be exactly equal to {@link #KEY_LEN}.</li>
232 *
233 * <li>Nonce Material: as the value of the attribute entry keyed by
234 * {@link #NONCE_MATERIAL}. The value is taken to be a byte array
235 * containing the user-specified nonce material. The length of this array,
236 * if/when defined SHOULD be (a) greater than zero, and (b) less or equal
237 * to 16 (the size of the AES block).</li>
238 * </ol>
239 *
240 * <p>For convenience, this implementation accepts that not both parameters
241 * be always specified.</p>
242 *
243 * <ul>
244 * <li>If the <i>Key Material</i> is specified, but the <i>Nonce Material</i>
245 * is not, then this implementation, re-uses the previously set <i>Nonce
246 * Material</i> after (a) converting the bytes to an unsigned integer,
247 * (b) incrementing the number by one, and (c) converting it back to 16
248 * bytes.</li>
249 *
250 * <li>If the <i>Nonce Material</i> is specified, but the <i>Key Material</i>
251 * is not, then this implementation re-uses the previously set <i>Key
252 * Material</i>.</li>
253 * </ul>
254 *
255 * <p>This method throws an exception if no <i>Key Material</i> is specified
256 * in the input map, and there is no previously set/defined <i>Key Material</i>
257 * (from an earlier invocation of this method). If a <i>Key Material</i> can
258 * be used, but no <i>Nonce Material</i> is defined or previously set/defined,
259 * then a default value of all-zeroes shall be used.</p>
260 *
261 * @param attributes one or both of required parameters.
262 * @throws InvalidKeyException the key material specified is not of the
263 * correct length.
264 */
266 IllegalStateException
267 {
275 {
277 {
280 }
282 }
283 else
284 {
286 {
288 }
289 }
292 {
294 {
297 }
304 }
305 else
306 {
308 }
311 }
316 }
321 {
322 // limit reached. we SHOULD have a key
324 }
329 {
331 }
333 {
336 }
337 else
338 {
341 }
342 }
343 else
346 }
349 {
351 }
356 }
359 {
361 }
364 {
366 }
369 {
373 {
375 }
378 }
381 {
383 {
385 }
386 }
389 {
391 {
393 try
394 {
396 }
398 {
400 }
406 try
407 {
409 }
411 {
414 }
421 // System.out.println("UMAC test vector: "+Util.toString(result));
423 }
425 }
427 // helper methods ----------------------------------------------------------
429 /**
430 *
431 * @return byte array of length 8 (or OUTPUT_LEN) bytes.
432 */
434 {
435 // Make Nonce 16 bytes by prepending zeroes. done (see init())
437 // one AES invocation is enough for more than one PDF invocation
438 // number of index bits needed = 1
440 // Extract index bits and zero low bits of Nonce
445 // Generate subkey, AES and extract indexed substring
449 // map.put(IBlockCipher.CIPHER_BLOCK_SIZE, new Integer(128/8));
451 // map.put(UMacGenerator.CIPHER, Registry.AES_CIPHER);
454 try
455 {
457 }
459 {
462 }
464 {
467 }
470 try
471 {
473 }
475 {
478 }
480 {
483 }
490 }
491 }