ECDiffieHellmanCng derivekey methods fail if the private key isn't a MicrosoftSoftwareKeyStorageProvider key

[MattR-entrust]

In the latest dotnet, the ECDiffieHellmanCng DeriveKeyFromHash and DeriveKeyMaterial methods will fail if the ECDH key isn't a MicrosoftSoftwareKeyStorageProvider key. This is because these methods take the public key from any KSP provider and convert them to a MicrosoftSoftwareKeyStorageProvider public key before sending them to the native dll from the provider of the private key. This breaks the contract of NCryptSecretAgreement unless the private key provider is also MicrosoftSoftwareKeyStorageProvider.
This issue came up when attempting to use a Hardware Security Module (HSM) protected non-exportable private ECDH key. The only work-around I found is to make an unsafe call to NCryptSecretAgreement etc. in my own code, by-passing these CNG methods.
I think that the code fix would be to ensure that the CNG wrapper functions import the public key into the private key's KSP provider before calling down to the ncrypt dll.

[mkArtakMSFT]

@blowdart can you please move this to the right area / repo? Thanks!

Tagging subscribers to this area: @dotnet/area-system-security, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

---

In the latest dotnet, the ECDiffieHellmanCng DeriveKeyFromHash and DeriveKeyMaterial methods will fail if the ECDH key isn't a MicrosoftSoftwareKeyStorageProvider key. This is because these methods take the public key from any KSP provider and convert them to a MicrosoftSoftwareKeyStorageProvider public key before sending them to the native dll from the provider of the private key. This breaks the contract of NCryptSecretAgreement unless the private key provider is also MicrosoftSoftwareKeyStorageProvider.
This issue came up when attempting to use a Hardware Security Module (HSM) protected non-exportable private ECDH key. The only work-around I found is to make an unsafe call to NCryptSecretAgreement etc. in my own code, by-passing these CNG methods.
I think that the code fix would be to ensure that the CNG wrapper functions import the public key into the private key's KSP provider before calling down to the ncrypt dll.

Author:	MattR-entrust
Assignees:	-
Labels:	area-System.Security
Milestone:	-

[blowdart]

This is right :)

[vcsjones]

@MattR-entrust

In the latest dotnet,

Do you mean this is a regression in behavior from a previous version of .NET? Did this used to work in .NET Core 3.1 or .NET 5?

Do you have a quick example program that you can show to demonstrate the behavior, assuming new CngProvider("Some other CNG Provider") is an available CNG provider for a given KSP?

[MattR-entrust]

I have only tested this with the latest .NET. I don't know if the same issue exists in older versions but I expect it will. I should be able to get you a minimal test case shortly.
The symptom is that the alternative provider determines that the pointer to the public key object is invalid in the context of that provider and then fails.
I am confident about my analysis from inspecting the source. Additionally, I managed a successful work round by manually calling down to the ncrypt library. I can attach this code as well. I'm not confident it is completely correct as I'm not primarily a .NET coder, and I copied the protections around calling unsafe code without understanding it.

[MattR-entrust]

Program.zip

Here's a very simple piece of example code. If the provider is changed, this code will fail. It generates a new ECDH private key and uses a default public key.

[vcsjones]

@MattR-entrust Can you run your sample program and include the exception that you get (remove the try / catch)? I can reproduce an issue with a different CNG Provider and I want to make sure I have reproduced the exact issue you are seeing.

[MattR-entrust]

The supplied handle is invalid.
at System.Security.Cryptography.NCryptNative.DeriveSecretAgreement(SafeNCryptKeyHandle privateKey, SafeNCryptKeyHandle otherPartyPublicKey)
at System.Security.Cryptography.ECDiffieHellmanCng.DeriveSecretAgreementHandle(CngKey otherPartyPublicKey)
at System.Security.Cryptography.ECDiffieHellmanCng.DeriveSecretAgreementHandle(ECDiffieHellmanPublicKey otherPartyPublicKey)
at System.Security.Cryptography.ECDiffieHellmanCng.DeriveKeyFromHash(ECDiffieHellmanPublicKey otherPartyPublicKey, HashAlgorithmName hashAlgorithm, Byte[] secretPrepend, Byte[] secretAppend)
at HSMTest.Program.Main() in G:\Documents\CNG derive\CNGPropertiesTest\HSMTest\Program.cs:line 54

[MattR-entrust]

The actual error is bubbling up from the native provider dll so the precise behaviour might vary depending on the provider being used.
With a 3rd party provider bug which NPE-d when passed an invalid public key handle, the stack trace was

StackTrace " at System.Security.Cryptography.NCryptNative.UnsafeNativeMethods.NCryptSecretAgreement(SafeNCryptKeyHandle hPrivKey, SafeNCryptKeyHandle hPubKey, SafeNCryptSecretHandle& phSecret, Int32 dwFlags)
at System.Security.Cryptography.NCryptNative.DeriveSecretAgreement(SafeNCryptKeyHandle privateKey, SafeNCryptKeyHandle otherPartyPublicKey)
at System.Security.Cryptography.ECDiffieHellmanCng.DeriveSecretAgreementHandle(CngKey otherPartyPublicKey)
at System.Security.Cryptography.ECDiffieHellmanCng.DeriveSecretAgreementHandle(ECDiffieHellmanPublicKey otherPartyPublicKey)
at System.Security.Cryptography.ECDiffieHellmanCng.DeriveKeyFromHash(ECDiffieHellmanPublicKey otherPartyPublicKey, HashAlgorithmName hashAlgorithm, Byte[] secretPrepend, Byte[] secretAppend)
at System.Security.Cryptography.ECDiffieHellman.DeriveKeyFromHash(ECDiffieHellmanPublicKey otherPartyPublicKey, HashAlgorithmName hashAlgorithm)
at MessageSecurityTest.Form1.GetEncryptionKeyCNG_new(String deviceMacId, String deviceInternalSerialNo, Byte[] devicePublicKey)

This was a 3rd party bug being triggered by the .NET bug

[vcsjones]

Thanks for the repro and the stack trace. I can reproduce it, and I think I have a work around that will work for now.

Using your example program, if you replace DeriveKeyFromHash with:

ecdhkey.KeyDerivationFunction = ECDiffieHellmanKeyDerivationFunction.Hash;
ecdhkey.HashAlgorithm = CngAlgorithm.Sha256;
ecdhkey.SecretPrepend =  prepend.ToString().HexToByteArray();
ecdhkey.SecretAppend = append.ToString().HexToByteArray();
key = ecdhkey.DeriveKeyMaterial(cngpub);

Does that work with your CNG Provider?