# Introduction to Modern Cryptography: Exercise Hash Function

## The PyCrypto Libarary <a name='pycrypto'/>

Python offers a library called [Cryptography](https://cryptography.io) which includes various cryptographic algorithms, among them AES.

<b> If you're using the Docker images, the library is already installed on your image, otherwise you install it using *pip* </b>

In [1]:
pip install cryptography --user

Note: you may need to restart the kernel to use updated packages.


## Excercise 1: Hash Function <a name="hash"/>

Make yourself familar with the Hash Module in [Cryptography](https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/) and experience the property of *collision-resistant* with the following hash functions:
- [MD5](#ex1:MD5)
- [SHA1](#ex1:SHA1)
- [SHA256](#ex1:SHA256)
  
by hashing the following Texts

In [1]:
text1 = b'Heute ist ein Sonniger Tag'

In [3]:
text2 = b'Heute ist ein Ronniger Tag'

In [211]:
import binascii
test1 = bin(int.from_bytes(text1, "big"))
test2 = bin(int.from_bytes(text2, "big"))

c=0
for i in range(len(test1)):
    if test1[i] == test2[i]:
        c=c+1
print(f'Compare the to inputs:\nText1: {text1.hex()}\nText2: {text2.hex()}')
print(f'{c} of {len(test1)} bits are identical')

Compare the to inputs:
Text1: 4865757465206973742065696e20536f6e6e6967657220546167
Text2: 4865757465206973742065696e20526f6e6e6967657220546167
208 of 209 bits are identical


### MD5 <a name="ex1:MD5"/>

In [None]:
#develop your code here

In [78]:
from cryptography.hazmat.primitives import hashes
h1 = hashes.Hash(hashes.MD5())
h1.update(text1)

h2 = hashes.Hash(hashes.MD5())
h2.update(text2)

h1 = h1.finalize().hex()
h2 = h2.finalize().hex()

h1=bin(int(h1, 16))[2:].zfill(len(h1)*4)
h2=bin(int(h2, 16))[2:].zfill(len(h2)*4)

c=0
for i in range(len(h1)):
    if h1[i] == h2[i]:
        c=c+1
print(f'{h1}\n{h2}')
print(f'{c} of {len(h1)} bits are identical')

10000001100010011001101110111110101100111011011111010101101111110110101101110001001010001100000100011001000110101111011100001110
00010101000100101100101101100011111010110100111011010010001011101100000101111000110001100001011001111110110110001001100110101110
64 of 128 entries are identical


### SHA1 <a name="ex1:SHA1"/>

In [None]:
#develop your code here

In [79]:
from cryptography.hazmat.primitives import hashes
h1 = hashes.Hash(hashes.SHA1())
h1.update(text1)

h2 = hashes.Hash(hashes.SHA1())
h2.update(text2)

h1 = h1.finalize().hex()
h2 = h2.finalize().hex()

h1=bin(int(h1, 16))[2:].zfill(len(h1)*4)
h2=bin(int(h2, 16))[2:].zfill(len(h2)*4)

c=0
for i in range(len(h1)):
    if h1[i] == h2[i]:
        c=c+1
print(f'{h1}\n{h2}')
print(f'{c} of {len(h1)} bits are identical')

1010110010100100001100100000001101000010110010000111100011000001110101010001011101111111111101010010110100101101100110101010011011101000101110011001101010010110
1011110001100111011111010011010010101110000100110101001111110000011111101101100110000010111010011111000111101101000000111000011010111011000001100001001011111101
77 of 160 entries are identical


### SHA256 <a name="ex1:SHA256"/>

In [None]:
#develop your code here

In [80]:
from cryptography.hazmat.primitives import hashes

h1 = hashes.Hash(hashes.SHA256())
h1.update(text1)

h2 = hashes.Hash(hashes.SHA256())
h2.update(text2)

h1 = h1.finalize().hex()
h2 = h2.finalize().hex()

h1=bin(int(h1, 16))[2:].zfill(len(h1)*4)
h2=bin(int(h2, 16))[2:].zfill(len(h2)*4)

c=0
for i in range(len(h1)):
    if h1[i] == h2[i]:
        c=c+1
print(f'{h1}\n{h2}')
print(f'{c} of {len(h1)} bits are identical')

0010100110101111010011001100101010000011111011111001001101100101000100001011101100000101111100011100001110101010100001001100010001001111010010100010100100101100110110110111001001010110011011010101111000010010000011001000111110110010001000000100000011011001
0010001111000100101110110100100001111001011101111000110111110100101111011010011100111101101001111110011100111010001010100100111101100001111111111010100000001010100101101001010011000101001000010111001100110110101001010011100111110001000100000111000001101111
139 of 256 entries are identical


## Excercise 2 : HMAC <a name="hmac"/>
An HMAC is generated by the following equation:

![HMAC](https://wikimedia.org/api/rest_v1/media/math/render/svg/f89190c72a307b34f1e6b53b5f944a7ae81a3958)

## (hash) length extension attack
A very obvious way of generating an HMAC would be to just generate the HMAC by 

*HMAC(K,M) = H(K||m)*

However, as you learned in the lecture, this holds a *(hash) length extension attack* in Merkle-Darmgard-Construction, as Eve could just intercept the HMAC *mac* and the message *m* and extend the  message by 

*m' = m || m2* 
and than generate a new HMAC by calculating

*mac' = H(mac || m2)*

and sending *m'* and *mac'* to Bob

## Exercise 2.1: Simulate the hash length extension attack for SHA-256
Alice wants to send the message *m* to Bob and are in possession of a shared key:

In [133]:
m = b'We meet at the Metro stop Praterstern at Mitnight'
key = b'Alice loves Bob'
print(len(m+key))

64


Develop a code which generates H(key||m) with SHA-256

In [None]:
#develop your code here

In [138]:
from cryptography.hazmat.primitives import hashes

h = hashes.Hash(hashes.SHA256())

h.update(key+m)
mac = h.finalize().hex()
print(mac)

8a811caf6ab5a479c28cd9f0a43d394c7214e0fcaf095530f53a9655e5b2b83c


Eve intercepts the message and wants to extend it by *m2*

In [135]:
m2 = b' next Wednesday'

Perform the *hash length extension attack* and verify Bob that Bob will not be able to expose the attack if he verifies the message *m_new = m || m2* with the preshared *key*

In [139]:
m_new = m+m2

In [141]:
h = hashes.Hash(hashes.SHA256())
h.update(key+m)
h.update(m2)
x2 = h.finalize()
print(x2)

h2 = hashes.Hash(hashes.SHA256())
h2.update(key+m_new)
check = h2.finalize()

print(check)

b'7\n\xb8\x1f\x98Y\x9cx.\x87\xd4[-\x07__"\n\xf2\x835*\xech<p;\x9d\x02\x95n-'
b'7\n\xb8\x1f\x98Y\x9cx.\x87\xd4[-\x07__"\n\xf2\x835*\xech<p;\x9d\x02\x95n-'


## Exercise 2.2: Develop HMAC by yourself for SHA-256

Develop your own HMAC as defined by  [RFC2104](https://www.ietf.org/rfc/rfc2104.html#section-2):

*H(K XOR opad, H(K XOR ipad, text))*

- *B* is the block size of the Hash function H
- *K* is the key

1. append zeros to the end of K to create a B byte string
        (e.g., if K is of length 20 bytes and B=64, then K will be
         appended with 44 zero bytes 0x00)
2. XOR (bitwise exclusive-OR) the B byte string computed in step
        (1) with ipad
3. append the stream of data 'text' to the B byte string resulting
        from step (2)
4. apply H to the stream generated in step (3)
5. XOR (bitwise exclusive-OR) the B byte string computed in
        step (1) with opad
6. append the H result from step (4) to the B byte string
        resulting from step (5)
7. apply H to the stream generated in step (6) and output
        the result

Use SHA256 as a hash function and compare your result with the HMAC function provided by *pycrypto*

Some note:
- wikipedia state the ipad to be '0x35'x block_size while RFC2104 uses '0x36'
- the SHA256 object allows you to determine the blocksize by *SHA256.block_size*

In [142]:
m = b'Lets meet at Midnight'
key = b'Alice loves Bob!Alice loves Bob!Alice loves Bob!Alice loves Bob!Alice loves Bob!'

In [195]:
key = bytes.fromhex('0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b')
m = b"Hi There"

Compare the output with the HMAC function provided by *pycrypto*

In [203]:
from cryptography.hazmat.primitives import hmac, hashes
hmac = hmac.HMAC(key, hashes.SHA256())
hmac.update(m)
sig_o = hmac.finalize()
sig_o.hex()

'492ce020fe2534a5789dc3848806c78f4f6711397f08e7e7a12ca5a4483c8aa6'

In [202]:
from cryptography.hazmat.primitives import hashes
hash = hashes.SHA256

def H(text):
    #h1 = SHA256.new(ipad_key+m)
    #h1.update(ipad_key+m)
    h = hashes.Hash(hash())
    h.update(text)
    return h.finalize()

opad = bytes.fromhex('5c'*hash.block_size)
ipad = bytes.fromhex('36'*hash.block_size)
keyBytes=key
if (len(key)>hash.block_size):
    keyBytes = H(key)
    #keyBytes=SHA256.new(key).digest()
elif (len(key)<hash.block_size):
    keyBytes=keyBytes+bytes.fromhex('00'*(hash.block_size-len(key)))

ipad_key=bytes(a ^ b for (a, b) in zip(keyBytes,ipad))
opad_key=bytes(a ^ b for (a, b) in zip(keyBytes,opad))

c1 = H(ipad_key+m)
sig = H(opad_key+c1)
sig.hex()

'492ce020fe2534a5789dc3848806c78f4f6711397f08e7e7a12ca5a4483c8aa6'

In [204]:
from cryptography.hazmat.primitives import hmac, hashes
hmac = hmac.HMAC(key, hashes.SHA256())
hmac.update(m)
hmac.verify(sig)

## Exercise 3: OpenSSL <a name="openssl"/>

For a more practical usage of Cryptography, lets try out its usage with [OpenSSL](https://en.wikipedia.org/wiki/OpenSSL)

OpenSSL is known for its broad usage in the internet, most famously for securing web-traffic e.g., for HTTP/s.
However, OpenSSL offers many more functionalities and is actually a software library that contains implementation of various cryptographic protocols and functionalities and is available for various Unix and Windows operating systems. Additionally, it is open source, carefully reviewed by security experts and therefore widely accepted as secure. 

For end-users, openssl provides a [command line interface](https://wiki.openssl.org/index.php/Command_Line_Utilities), so that you can directly interact with the library.

In Juypter Notebooks, you can directly run such command by starting the cells with `%%bash`, e.g. the following command 
1. generates a file `example.txt` with some random conent
2. outputs the contents of the file `example.txt`

In [None]:
%%bash
openssl rand -base64 365 > example.txt
cat example.txt

Create the ```SHA256``` hash of example.txt

In [1]:
%%bash
openssl sha256 example.txt

SHA2-256(example.txt)= 99c352ac3586af24fa7a39060735de6c633221e91b51900d490cd8e7ecf300ca


Create an ```HMAC``` using the ```SHA3-512``` algorithm for ```example.txt``` using the password ```HeuteIst1schoenerTag!```

In [12]:
%%bash
openssl sha3-512 -mac HMAC -macopt key:"HeuteIst1schoenerTag!" example.txt

HMAC-SHA3-512(example.txt)= f9623844747197b03accec0945b0e893f4f0223694cffc443dbaf8ff0dc49099182b887559990ef63db2d840356089f9fec53443e1d4c236655e2cc75637b2a2
