Closed ykharko closed 1 year ago
Additionally, I would like to clarify whether it's necessary to hardcode the use of things like the length of the aad and the IV in the code, without any possibility of influencing that?
It's actually important to have the aad length included here (or some other form of separating the aad and ciphertext) and not just concatenate aad and ciphertext for the authentication. For example, if you have a cipher C = C1||C2 and want to authenticate it, you would do something like HMAC(C1||C2) for computing the tag. However, if you now have a ciphertext C = C2 and use aad = C1, this would give you the same tag HMAC(C1||C2). This immediately breaks the security properties of the AEAD, as someone can forge a valid message without the key.
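The forgery described in this comment, as an added example that is not part of the original thread and not Tink's own code: a naive tag over the bare concatenation aad || ciphertext accepts any re-split of the same bytes, while a tag over aad || ciphertext || bitlen(aad) (the "length of the aad at the end of the authenticated data" layout the thread talks about) rejects it. The MAC key and the sample bytes are constructed test material; it goes slightly beyond the comment by trying every possible split point, not only the C1/C2 one.

```python
import hashlib
import hmac

# Constructed demo MAC key (in a real ECIES/AEAD the key is derived from the
# shared secret with HKDF; the value here is arbitrary test material).
MAC_KEY = bytes(range(32))


def naive_tag(key: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """Insecure: MAC over the bare concatenation aad || ciphertext.

    The MAC input does not record where aad ends and ciphertext begins,
    so every (aad, ciphertext) pair with the same concatenation shares a tag.
    """
    return hmac.new(key, aad + ciphertext, hashlib.sha256).digest()


def length_suffixed_tag(key: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """MAC over aad || ciphertext || bitlen(aad) as an 8-byte big-endian integer.

    The trailing length pins the split point, so moving bytes between aad and
    ciphertext changes the MAC input and therefore the tag.
    """
    aad_len_bits = (len(aad) * 8).to_bytes(8, "big")
    return hmac.new(key, aad + ciphertext + aad_len_bits, hashlib.sha256).digest()


def verify(tag_fn, key: bytes, aad: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """Constant-time tag check; True if the (aad, ciphertext) pair is accepted."""
    return hmac.compare_digest(tag_fn(key, aad, ciphertext), tag)


def resplit_forgery(tag_fn, key: bytes, aad: bytes, ciphertext: bytes, new_split: int) -> bool:
    """Attacker move: keep the honest tag, re-split the same byte string
    aad || ciphertext at a different offset and present that pair instead.
    Returns True if the verifier accepts the forged pair (construction broken)."""
    honest_tag = tag_fn(key, aad, ciphertext)
    stream = aad + ciphertext
    forged_aad, forged_ct = stream[:new_split], stream[new_split:]
    assert (forged_aad, forged_ct) != (aad, ciphertext), "pick a different split"
    return verify(tag_fn, key, forged_aad, forged_ct, honest_tag)


def count_accepted_resplits(tag_fn, key: bytes, aad: bytes, ciphertext: bytes) -> int:
    """Try every split point except the honest one and count the forged pairs
    the verifier accepts. A sound construction yields 0."""
    stream = aad + ciphertext
    return sum(
        resplit_forgery(tag_fn, key, aad, ciphertext, split)
        for split in range(len(stream) + 1)
        if split != len(aad)
    )


if __name__ == "__main__":
    # Constructed sample mirroring the comment: honest message is C = C1 || C2
    # with empty aad; the attacker claims aad = C1, ciphertext = C2.
    c1, c2 = b"header-bytes-", b"ciphertext-body"
    print("naive: aad=C1/ct=C2 accepted ->",
          resplit_forgery(naive_tag, MAC_KEY, b"", c1 + c2, len(c1)))  # True
    print("length-suffixed: same move accepted ->",
          resplit_forgery(length_suffixed_tag, MAC_KEY, b"", c1 + c2, len(c1)))  # False
    print("naive: re-splits accepted ->",
          count_accepted_resplits(naive_tag, MAC_KEY, c1, c2))  # 28
    print("length-suffixed: re-splits accepted ->",
          count_accepted_resplits(length_suffixed_tag, MAC_KEY, c1, c2))  # 0
```

The same eight trailing bytes are also why the two verifiers in this thread disagree: a tag computed over the encryptedMessage alone, with no aad and no length suffix, is simply a different MAC input from aad || ciphertext || bitlen(aad), so one side's tag will not verify on the other without changing which bytes are fed to the HMAC.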
Thank you for your reply!
I see what you mean. But at the same time I have some questions:
Why isn't this solution used in the Java code? Is it a security issue?

Implementation of the HMAC calculation: https://github.com/google/tink/blob/master/apps/paymentmethodtoken/src/main/java/com/google/crypto/tink/apps/paymentmethodtoken/PaymentMethodTokenUtil.java#L70

Used here: https://github.com/google/tink/blob/acddae66fbcd38d0502c0e65c051a780eca7d6a1/apps/paymentmethodtoken/src/main/java/com/google/crypto/tink/apps/paymentmethodtoken/PaymentMethodTokenHybridDecrypt.java#L102

As you can see, there isn't any additional data.
I can't understand why GooglePay documentation says:
Note: We strongly recommend that you use our Tink library. It handles the decryption process outlined in steps 1–6, so it's unnecessary for you to write your own implementation. This outline is provided mainly for reference. If you only want code to decrypt the token, see the Use the Tink library to manage the encrypted response section instead.
For me it looks like I can't use Tink for decryption unless I use this Java solution, because it seems they create the tag just from the plaintext without any extra data. (Commenting out the line that adds the length of the aad leads to successful MAC verification.)
@ykharko Did you ever figure out how to Decrypt the payload in Python?
Unfortunately, changing this is infeasible.
(To clarify: Google Pay tokens are currently not supported in Tink Python).
Hi there.
I'm trying to use the Python version of the library to decrypt Google Pay tokens. https://developers.google.com/pay/api/web/guides/resources/payment-data-cryptography?hl=en#payment-method-token-structure
Algorithm parameters: https://developers.google.com/pay/api/processors/guides/implementation/payment-data-cryptography#encrypt-spec
ECIES, NIST P-256, AES-256-CTR, HMAC-based with SHA-256.
I've prepared a keyset and am trying to run the code (sorry, I don't know how to insert code correctly with new lines):

```python
from tink import cleartext_keyset_handle, hybrid

# CustomReader is a user-defined KeysetReader over the prepared keyset
reader = CustomReader(keyset)
private_keyset_handle = cleartext_keyset_handle.read(reader)
hybrid_decrypt = private_keyset_handle.primitive(hybrid.HybridDecrypt)
plaintext = hybrid_decrypt.decrypt(ciphertext, context)
```
Where "context" is the "Google" string and "ciphertext" is the encryptedMessage field from the Google Pay response. This encryptedMessage doesn't contain a MAC or anything else, just the plaintext.

Python uses the C++ implementation, and after some investigation of the C++ code I found out that the ciphertext has to have the format:

ephemeralPublicKey + IV + encryptedMessage + tag
There are 2 problems with MAC verification:

```cpp
auto pt = ind_cpa_cipher_->Decrypt(payload);
```

This Decrypt method takes the IV from the rest of the ciphertext: https://github.com/google/tink/blob/master/cc/subtle/aes_ctr_boringssl.cc#L102

So I have a situation: when I pass the IV (a zero IV) through the ciphertext and the format of the ciphertext is

ephemeralPublicKey + IV + encryptedMessage + tag

decryption works fine but MAC verification fails (it looks like the expected tag was computed without using the IV?). But if I pass the ciphertext without the IV and comment out the line from point 1, verification works but decryption does not.

Question: What am I doing wrong? Is it possible to verify the content correctly if it was encoded not by the Tink library, without adding the length of the additional data at the end of toAuthData?

Can someone help me and tell me what I'm doing wrong and what I can do? Thanks.