Kategorija: Šifriranje
Kompleksnost: Srednja
Predpogoji: Material ključev ali geslo
Ocenjeni čas: 15-20 minut
Ta scenarij opisuje varno šifriranje datotek s post-kvantno varnimi postopki. Implementacija podpira tako šifriranje na osnovi gesel kot šifriranje na osnovi ključev.
Primeri uporabe:
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ; using System.Security.Cryptography; using var ctx = PqCryptoContext.Initialize(); // Izvorna datoteka string inputFile = "document.pdf"; string outputFile = "document.pdf.enc"; string password = "MySecurePassword123!"; // Parametri šifriranja var salt = RandomNumberGenerator.GetBytes(32); var nonce = RandomNumberGenerator.GetBytes(12); // Izpeljava ključa iz gesla (Argon2id) var key = ctx.DeriveKeyArgon2id( password: Encoding.UTF8.GetBytes(password), salt: salt, outputLength: 32, iterations: 3, memoryKiB: 65536, // 64 MB parallelism: 4 ); // Branje datoteke var plaintext = File.ReadAllBytes(inputFile); // Šifriranje z AES-256-GCM var ciphertext = new byte[plaintext.Length]; var tag = new byte[16]; using var aes = new OpenSslAesGcm(key); aes.Encrypt(nonce, plaintext, ciphertext, tag); // Pisanje glave + šifriranega teksta using var output = File.Create(outputFile); using var writer = new BinaryWriter(output); // Magična številka writer.Write(Encoding.ASCII.GetBytes("PQENC")); // Verzija writer.Write((byte)1); // Sol writer.Write(salt.Length); writer.Write(salt); // Nonce writer.Write(nonce.Length); writer.Write(nonce); // Oznaka writer.Write(tag.Length); writer.Write(tag); // Šifriran tekst writer.Write(ciphertext.Length); writer.Write(ciphertext); Console.WriteLine($"Datoteka šifrirana: {outputFile}"); Console.WriteLine($" Izvirnik: {plaintext.Length:N0} bajtov"); Console.WriteLine($" Šifrirano: {output.Length:N0} bajtov");
using var ctx = PqCryptoContext.Initialize(); string encryptedFile = "document.pdf.enc"; string outputFile = "document-decrypted.pdf"; string password = "MySecurePassword123!"; using var input = File.OpenRead(encryptedFile); using var reader = new BinaryReader(input); // Preverjanje magične številke var magic = Encoding.ASCII.GetString(reader.ReadBytes(5)); if (magic != "PQENC") throw new InvalidDataException("Neveljavna oblika datoteke"); // Preverjanje verzije var version = reader.ReadByte(); if (version != 1) throw new NotSupportedException($"Verzija {version} ni podprta"); // Branje parametrov var saltLen = reader.ReadInt32(); var salt = reader.ReadBytes(saltLen); var nonceLen = reader.ReadInt32(); var nonce = reader.ReadBytes(nonceLen); var tagLen = reader.ReadInt32(); var tag = reader.ReadBytes(tagLen); var ciphertextLen = reader.ReadInt32(); var ciphertext = reader.ReadBytes(ciphertextLen); // Izpeljava ključa (enaki parametri!) var key = ctx.DeriveKeyArgon2id( password: Encoding.UTF8.GetBytes(password), salt: salt, outputLength: 32, iterations: 3, memoryKiB: 65536, parallelism: 4 ); // Dešifriranje var plaintext = new byte[ciphertext.Length]; using var aes = new OpenSslAesGcm(key); aes.Decrypt(nonce, ciphertext, tag, plaintext); // Shranjevanje File.WriteAllBytes(outputFile, plaintext); Console.WriteLine($"Datoteka dešifrirana: {outputFile}");
public class FileEncryptor { private const int ChunkSize = 64 * 1024; // 64 KB deli public void EncryptLargeFile( string inputPath, string outputPath, byte[] key) { using var ctx = PqCryptoContext.Initialize(); using var input = File.OpenRead(inputPath); using var output = File.Create(outputPath); using var writer = new BinaryWriter(output); // Pisanje glave writer.Write(Encoding.ASCII.GetBytes("PQENC")); writer.Write((byte)2); // Verzija 2 = pretakanje // Število delov var totalChunks = (int)Math.Ceiling((double)input.Length / ChunkSize); writer.Write(totalChunks); var buffer = new byte[ChunkSize]; var chunkIndex = 0; while (input.Position < input.Length) { var bytesRead = input.Read(buffer, 0, ChunkSize); var chunk = buffer.AsSpan(0, bytesRead).ToArray(); // Edinstvena nonce na del (indeks dela + naključno) var nonce = new byte[12]; BitConverter.GetBytes(chunkIndex).CopyTo(nonce, 0); RandomNumberGenerator.Fill(nonce.AsSpan(4)); var ciphertext = new byte[bytesRead]; var tag = new byte[16]; using var aes = new OpenSslAesGcm(key); // AAD = indeks dela za zaščito vrstnega reda var aad = BitConverter.GetBytes(chunkIndex); aes.Encrypt(nonce, chunk, ciphertext, tag, aad); // Pisanje dela writer.Write(nonce); writer.Write(tag); writer.Write(ciphertext.Length); writer.Write(ciphertext); chunkIndex++; } Console.WriteLine($"Šifrirano: {chunkIndex} delov"); } public void DecryptLargeFile( string inputPath, string outputPath, byte[] key) { using var input = File.OpenRead(inputPath); using var reader = new BinaryReader(input); using var output = File.Create(outputPath); // Branje glave var magic = Encoding.ASCII.GetString(reader.ReadBytes(5)); if (magic != "PQENC") throw new InvalidDataException(); var version = reader.ReadByte(); if (version != 2) throw new NotSupportedException(); var totalChunks = reader.ReadInt32(); for (int i = 0; i < totalChunks; i++) { var nonce = reader.ReadBytes(12); var tag = reader.ReadBytes(16); var ciphertextLen = reader.ReadInt32(); var ciphertext = reader.ReadBytes(ciphertextLen); var plaintext = new byte[ciphertextLen]; using var aes = new OpenSslAesGcm(key); var aad = BitConverter.GetBytes(i); aes.Decrypt(nonce, ciphertext, tag, plaintext, aad); output.Write(plaintext); } } }
public class HybridFileEncryptor { public void EncryptForRecipient( string inputPath, string outputPath, byte[] recipientMlKemPublicKey) { using var ctx = PqCryptoContext.Initialize(); // ML-KEM enkapsulacija ključa var pubKey = ctx.ImportPublicKey(recipientMlKemPublicKey); var (kemCiphertext, sharedSecret) = ctx.Encapsulate(pubKey); // Izpeljava ključa za šifriranje datoteke var fileKey = ctx.DeriveKey( sharedSecret, outputLength: 32, info: Encoding.UTF8.GetBytes("file-encryption-key") ); // Šifriranje datoteke var encryptor = new FileEncryptor(); var tempFile = Path.GetTempFileName(); encryptor.EncryptLargeFile(inputPath, tempFile, fileKey); // Izhod z KEM šifriranim tekstom using var output = File.Create(outputPath); using var writer = new BinaryWriter(output); writer.Write(Encoding.ASCII.GetBytes("PQKEM")); writer.Write((byte)1); writer.Write(kemCiphertext.Length); writer.Write(kemCiphertext); // Pripenjanje šifrirane vsebine using var encryptedContent = File.OpenRead(tempFile); encryptedContent.CopyTo(output); File.Delete(tempFile); } }
PQENC v1 (enkratno): ┌─────────────────────────────────┐ │ Magic: "PQENC" (5 bajtov) │ │ Version: 0x01 (1 bajt) │ │ Salt Length (4 bajti) │ │ Salt (spremenljivo) │ │ Nonce Length (4 bajti) │ │ Nonce (12 bajtov) │ │ Tag Length (4 bajti) │ │ Tag (16 bajtov) │ │ Ciphertext Length (4 bajti) │ │ Ciphertext (spremenljivo) │ └─────────────────────────────────┘ PQENC v2 (pretakanje): ┌─────────────────────────────────┐ │ Magic: "PQENC" (5 bajtov) │ │ Version: 0x02 (1 bajt) │ │ Total Chunks (4 bajti) │ ├─────────────────────────────────┤ │ Del 0: │ │ Nonce (12 bajtov) │ │ Tag (16 bajtov) │ │ Ciphertext Length (4 bajti) │ │ Ciphertext (spremenljivo) │ ├─────────────────────────────────┤ │ Del 1: ... │ └─────────────────────────────────┘
| Povezava | Scenarij | Opis |
|---|---|---|
| Komponenta | 7.2 Enkapsulacija ključev | ML-KEM za prejemnika |
| Povezano | 7.1 Hibridno šifriranje | Hibridni koncept |
| Povezano | 4.4 Varnostna kopija | Šifriranje varnostnih kopij |
« ← 7.2 Enkapsulacija ključev | ↑ Pregled šifriranja | → Vsi scenariji »
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional