Merge pull request #31 from PandaTechAM/development

AES256 is now replaced by a new AES-SIV implementation for determinis…

Author: HaikAsatryan

Pandatech.Crypto.sln.DotSettings

@@ -1,3 +1,4 @@
 <wpf:ResourceDictionary xml:space="preserve" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:s="clr-namespace:System;assembly=mscorlib" xmlns:ss="urn:shemas-jetbrains-com:settings-storage-xaml" xmlns:wpf="http://schemas.microsoft.com/winfx/2006/xaml/presentation">
+	<s:Boolean x:Key="/Default/UserDictionary/Words/=aead/@EntryIndexedValue">True</s:Boolean>
 	<s:Boolean x:Key="/Default/UserDictionary/Words/=decryptor/@EntryIndexedValue">True</s:Boolean>
 	<s:Boolean x:Key="/Default/UserDictionary/Words/=Pandatech/@EntryIndexedValue">True</s:Boolean></wpf:ResourceDictionary>

Readme.md

@@ -2,21 +2,26 @@
 
 ## Introduction
 
-PandaTech.Crypto is a **wrapper library** that consolidates several widely used cryptographic libraries and tools into
-one
-**simple-to-use package**. It eliminates the need for multiple dependencies, excessive `using` directives, and
-duplicated
-code, offering an **intuitive API** to streamline **most popular** cryptographic tasks.
+**PandaTech.Crypto** is a **wrapper library** that consolidates several widely used cryptographic libraries and tools
+into one **simple-to-use package**. This means no more juggling multiple dependencies, heavy `using` directives, or
+scattered code to handle everyday cryptographic tasks. The library provides an **intuitive API** that streamlines the *
+*most popular** operations:
+
+- AES encryption (including a straightforward **AES256-SIV** implementation not natively offered by Microsoft or
+  BouncyCastle),
+- Hashing (Argon2Id, SHA2, SHA3),
+- GZip compression,
+- Secure random generation,
+- Password validation/strength checks,
+- Masking of sensitive data.
 
 Whether you need to **encrypt data**, **hash passwords**, or **generate secure random tokens**, PandaTech.Crypto
-provides
-lightweight abstractions over popular cryptographic solutions, ensuring simplicity and usability without sacrificing
-performance.
+provides lightweight abstractions over popular cryptographic solutions, ensuring simplicity and usability without
+sacrificing performance.
 
-The **Argon2Id** password hashing is optimized to run efficiently even in **resource-constrained environments** (e.g.,
-hash
-generation under 500ms on a container with 1 vCore and 1GB of RAM). Other operations such as **AES encryption**, **SHA**
-hashing, and **GZip** compression are lightweight enough for almost any environment.
+**Argon2Id** password hashing is optimized to run efficiently even in **resource-constrained environments** (e.g., under
+500 ms on a container with 1 vCore and 1 GB of RAM). Other operations—such as **AES encryption**, **SHA** hashing, and *
+*GZip** compression—are lightweight enough for almost any environment.
 
 ## Installation
 
@@ -30,7 +35,7 @@ Install-Package Pandatech.Crypto
 
 ### Configuring in Program.cs
 
-Use the following code to configure AES256 and Argon2Id in your `Program.cs`:
+Use the following code to configure AES256/AES256-SIV and Argon2Id in your `Program.cs`:
 
 ```csharp
 using Pandatech.Crypto.Helpers;
@@ -54,7 +59,13 @@ app.Run();
 
 ```
 
-### AES256 Class
+### AES256 Class (Old, Deprecated)
+
+> Warning
+> `Aes256` is now deprecated because it used a SHA3 hash for deterministic output, which can weaken overall security.
+> For
+> new development, use `Aes256Siv` instead.
+> For existing data, see the `AesMigration` class below to migrate old ciphertext to the new SIV format.
 
 **Encryption/Decryption methods with hashing**
 
@@ -112,6 +123,51 @@ string decryptedText = Encoding.UTF8.GetString(outputStream.ToArray());
    encrypting emails in your software and also want that emails to be unique. With our Aes256 class by default your
    emails will be unique as in front will be the unique hash.
 
+### AES256Siv (New, Recommended)
+
+**AES-SIV** (RFC 5297) is the new recommended approach in PandaTech.Crypto for deterministic AES encryption.
+It **does not** rely on storing a large hash for uniqueness, instead uses a **synthetic IV** approach to provide both
+authentication and deterministic encryption.
+
+```csharp
+// Encrypt
+byte[] sivCipher = Aes256Siv.Encrypt("your-plaintext");
+
+// Decrypt
+string decrypted = Aes256Siv.Decrypt(sivCipher);
+```
+
+**Notes:**
+
+- Deterministic: Encrypting the same plaintext with the same key always produces the same ciphertext.
+
+- Security: AES-SIV is an AEAD mode, providing both authenticity (tamper detection) and deterministic encryption.
+- Stream-based usage is also available via `Encrypt(Stream in, Stream out, string? key = null) and Decrypt(Stream in,
+  Stream out, string? key = null)`.
+
+### AesMigration
+
+If you have data encrypted with the old `Aes256` approach—either hashed or non-hashed—and want to convert it to the new
+`Aes256Siv` format, **AesMigration** can help:
+
+```csharp
+using Pandatech.Crypto.Helpers;
+
+// Convert a single ciphertext that was hashed (Aes256.Encrypt(...))
+byte[] newCipher = AesMigration.MigrateFromOldHashed(oldCiphertext);
+
+// Convert multiple hashed ciphertexts:
+List<byte[]> newCipherList = AesMigration.MigrateFromOldHashed(oldCipherList);
+```
+
+Similarly for **non-hashed** old ciphertext:
+
+```csharp
+byte[] newCipher = AesMigration.MigrateFromOldNonHashed(oldCiphertext);
+```
+
+The library provides nullable-friendly variants too (`MigrateFromOldHashedNullable`, etc.).
+
 ### Argon2id Class
 
 **Default Configurations**

src/Pandatech.Crypto/Extensions/WebAppExtensions.cs

@@ -8,6 +8,7 @@ public static class WebAppExtensions
    public static WebApplicationBuilder AddAes256Key(this WebApplicationBuilder builder, string aesKey)
    {
       Aes256.RegisterKey(aesKey);
+      Aes256Siv.RegisterKey(aesKey);
       return builder;
    }
 

src/Pandatech.Crypto/Helpers/Aes256.cs

@@ -3,6 +3,8 @@
 
 namespace Pandatech.Crypto.Helpers;
 
+[Obsolete(
+   "This class is deprecated due to security concerns. Use Aes256Siv instead. For migration purposes we let this obsolete class with AesMigration class to make migration easier. Later this class will be removed.")]
 public static class Aes256
 {
    private const int KeySize = 256;

src/Pandatech.Crypto/Helpers/Aes256Siv.cs

@@ -0,0 +1,195 @@
+using System.Diagnostics.CodeAnalysis;
+using System.Security.Cryptography;
+using System.Text;
+using Org.BouncyCastle.Crypto;
+using Org.BouncyCastle.Crypto.Engines;
+using Org.BouncyCastle.Crypto.Macs;
+using Org.BouncyCastle.Crypto.Modes;
+using Org.BouncyCastle.Crypto.Parameters;
+using Org.BouncyCastle.Utilities;
+
+namespace Pandatech.Crypto.Helpers;
+
+public static class Aes256Siv
+{
+   private static string? GlobalKey { get; set; }
+
+   internal static void RegisterKey(string key)
+   {
+      ValidateKey(key);
+      GlobalKey = key;
+   }
+
+   public static byte[] Encrypt(string plaintext, string? key = null)
+   {
+      var bytes = Encoding.UTF8.GetBytes(plaintext);
+      return Encrypt(bytes, key);
+   }
+
+   public static byte[] Encrypt(byte[] plaintext, string? key = null)
+   {
+      if (plaintext.Length == 0)
+      {
+         return [];
+      }
+
+      var keyBytes = GetKeyBytes(key);
+      var macKey = keyBytes[..16];
+      var encKey = keyBytes[16..];
+
+      var siv = ComputeS2V(macKey, plaintext);
+      var cipher = AesCtr(encKey, siv, plaintext);
+      return Arrays.Concatenate(siv, cipher);
+   }
+
+   public static void Encrypt(Stream input, Stream output, string? key = null)
+   {
+      ArgumentNullException.ThrowIfNull(input);
+      ArgumentNullException.ThrowIfNull(output);
+
+      using var ms = new MemoryStream();
+      input.CopyTo(ms);
+      var encrypted = Encrypt(ms.ToArray(), key);
+      output.Write(encrypted, 0, encrypted.Length);
+   }
+
+   public static string Decrypt(byte[] ciphertext, string? key = null)
+   {
+      var plain = DecryptToBytes(ciphertext, key);
+      return Encoding.UTF8.GetString(plain);
+   }
+
+   public static byte[] DecryptToBytes(byte[] ciphertext, string? key = null)
+   {
+      var keyBytes = GetKeyBytes(key);
+
+      switch (ciphertext.Length)
+      {
+         case 0:
+            return [];
+         case < 16:
+            throw new ArgumentException("At least 16 bytes are required for the SIV.");
+      }
+
+      var macKey = keyBytes[..16];
+      var encKey = keyBytes[16..];
+
+      var siv = ciphertext[..16];
+      var encrypted = ciphertext[16..];
+
+      var plain = AesCtr(encKey, siv, encrypted);
+      var expectedSiv = ComputeS2V(macKey, plain);
+
+      if (!CryptographicOperations.FixedTimeEquals(siv, expectedSiv))
+         throw new CryptographicException("Invalid SIV / authentication tag.");
+
+      return plain;
+   }
+
+   public static void Decrypt(Stream input, Stream output, string? key = null)
+   {
+      ArgumentNullException.ThrowIfNull(input);
+      ArgumentNullException.ThrowIfNull(output);
+
+      using var ms = new MemoryStream();
+      input.CopyTo(ms);
+      var decrypted = DecryptToBytes(ms.ToArray(), key);
+      output.Write(decrypted, 0, decrypted.Length);
+   }
+
+   private static byte[] ComputeS2V(byte[] macKey, byte[] data)
+   {
+      var cmac = new CMac(new AesEngine());
+      cmac.Init(new KeyParameter(macKey));
+      var D = CmacHash(cmac, new byte[16]);
+
+      if (data.Length >= 16)
+      {
+         var block = new byte[16];
+         Array.Copy(data, data.Length - 16, block, 0, 16);
+         for (var i = 0; i < 16; i++)
+            block[i] ^= D[i];
+         return CmacHash(cmac, block);
+      }
+      else
+      {
+         D = DoubleBlock(D);
+         var block = Pad(data);
+         for (var i = 0; i < 16; i++)
+            block[i] ^= D[i];
+         return CmacHash(cmac, block);
+      }
+   }
+
+   private static byte[] AesCtr(byte[] key, byte[] iv, byte[] input)
+   {
+      var cipher = new BufferedBlockCipher(new SicBlockCipher(new AesEngine()));
+      cipher.Init(true, new ParametersWithIV(new KeyParameter(key), iv));
+      return cipher.DoFinal(input);
+   }
+
+   private static byte[] CmacHash(IMac cmac, byte[] input)
+   {
+      cmac.Reset();
+      cmac.BlockUpdate(input, 0, input.Length);
+      var output = new byte[cmac.GetMacSize()];
+      cmac.DoFinal(output, 0);
+      return output;
+   }
+
+   private static byte[] Pad(byte[] input)
+   {
+      var padded = new byte[16];
+      Array.Copy(input, padded, input.Length);
+      padded[input.Length] = 0x80;
+      return padded;
+   }
+
+   private static byte[] DoubleBlock(byte[] block)
+   {
+      var output = new byte[16];
+      var carry = 0;
+      for (var i = 15; i >= 0; i--)
+      {
+         var val = (block[i] & 0xFF) << 1;
+         val |= carry;
+         output[i] = (byte)(val & 0xFF);
+         carry = (val >> 8) & 1;
+      }
+
+      if ((block[0] & 0x80) != 0)
+         output[15] ^= 0x87;
+      return output;
+   }
+
+   private static byte[] GetKeyBytes(string? overrideKey)
+   {
+      if (!string.IsNullOrEmpty(overrideKey))
+      {
+         ValidateKey(overrideKey);
+         return Convert.FromBase64String(overrideKey);
+      }
+
+      if (GlobalKey is null)
+      {
+         throw new InvalidOperationException("AES256 Key not configured. Call RegisterKey(...) or provide a key.");
+      }
+
+      return Convert.FromBase64String(GlobalKey);
+   }
+
+   private static void ValidateKey([NotNull] string? key)
+   {
+      if (string.IsNullOrWhiteSpace(key) || !IsBase64String(key))
+         throw new ArgumentException("Key must be valid Base64.");
+      if (Convert.FromBase64String(key)
+                 .Length != 32)
+         throw new ArgumentException("Key must be 32 bytes (256 bits).");
+   }
+
+   private static bool IsBase64String(string input)
+   {
+      var buffer = new Span<byte>(new byte[input.Length]);
+      return Convert.TryFromBase64String(input, buffer, out _);
+   }
+}