# Introduction to Modern Cryptography: Exercise Hash Function

## Table of Contents
1. [Hash Functions](#hash)
2. [Exercise 2: HMAC](#hmac)
  1. [Hash Extension Attack](#hash-extension)
  2. [SHA256 HMAC](#hmac-sha256)

## Excercise 1: Hash Function <a name="hash"/>

Make yourself familar with the Crypto.Hash Module in (pycrypto)[https://www.dlitz.net/software/pycrypto/api/] and experience the property of *collision-resistant* by hashing the text 

In [None]:
text1= b'Heute ist ein Sonniger Tag'

In [None]:
text2 = b'Heute ist ein sonniger Tag'

with the following hash functions:
- MD5

In [None]:
#develop your code here

- SHA1

In [None]:
#develop your code here


- SHA256

In [None]:
#develop your code here

## Excercise 2 : HMAC <a name="hmac"/>
An HMAC is generated by the following equation:

![HMAC](https://wikimedia.org/api/rest_v1/media/math/render/svg/f89190c72a307b34f1e6b53b5f944a7ae81a3958)

### (hash) length extension attack
A very obvious way of generating an HMAC would be to just generate the HMAC by 

*HMAC(K,M) = H(K||m)*

However, as you learned in the lecture, this permits a *(hash) length extension attack* if H is a  Merkle-Darmgard-Construction as Eve could just intercept the HMAC *mac* and the message *m*, extend the  message by 

*m' = m || m2*, 
generate a new HMAC by calculating

*mac' = H(mac || m2)*

and send *m'* and *mac'*  to Bob

## Exercise 2.1: Simulate the hash length extension attack for SHA-256 <a name="hash-extension"/>
Alice wants to send the message *m* to Bob and both are in possession of a shared key:

In [None]:
from Crypto import Random
m = b'Lets meet at Midnight'
key = b'Alice loves Bob!'

Develop a code which generates H(key||m) with SHA-256

In [None]:
#develop your code here

Eve intercepts the message and wants to extend it by *m2*

In [None]:
m2 = b' next Wednesday'

Perform the *hash length extension attack* and verify Bob that Bob will not be able to expose the attack if he verifies the message *m_new = m || m2* with the preshared *key*

In [None]:
m_new = m+m2

In [None]:
#develop your code here

## Exercise 2.2: Develop HMAC by yourself for SHA-256 <a name="hmac-sha256"/>

Develop your own HMAC as defined by  [RFC2104](https://www.ietf.org/rfc/rfc2104.html#section-2):

*H(K XOR opad, H(K XOR ipad, text))*

- *B* is the block size of the Hash function H
- *K* is the key

1. append zeros to the end of K to create a B byte string
        (e.g., if K is of length 20 bytes and B=64, then K will be
         appended with 44 zero bytes 0x00)
2. XOR (bitwise exclusive-OR) the B byte string computed in step
        (1) with ipad
3. append the stream of data 'text' to the B byte string resulting
        from step (2)
4. apply H to the stream generated in step (3)
5. XOR (bitwise exclusive-OR) the B byte string computed in
        step (1) with opad
6. append the H result from step (4) to the B byte string
        resulting from step (5)
7. apply H to the stream generated in step (6) and output
        the result

Use SHA256 as a hash function and compare your result with the HMAC function provided by *pycrypto*

Some notes:
- Wikipedia states that ipad is'0x35' times the block_size while RFC2104 uses '0x36'
- the SHA256 object allows you to determine the blocksize by *SHA256.block_size*

In [None]:
m = b'Lets meet at Midnight'
key = b'Alice loves Bob!'

In [None]:
#develop your code here

Compare the output with the HMAC function provided by *pycrypto*

In [None]:
from Crypto.Hash import HMAC
hmac = HMAC.new(key, msg=m, digestmod=SHA256)
hmac.hexdigest()

## Excercise 3 (optional): CBC-MAC <a name="cbc-mac"/>
If you're not yet satisfied, try to implement the *AES-CBC-MAC* by using the *AES* module of *pycrypto*

In [None]:
#develop your code here