# Introduction to Modern Cryptography: Exercise Hash Function

## The PyCrypto Libarary <a name='pycrypto'/>

Python offers a library called [Cryptography](https://cryptography.io) which includes various cryptographic algorithms, among them AES.

<b> If you're using the Docker images, the library is already installed on your image, otherwise you install it using *pip* </b>

In [1]:
pip install cryptography --user

Note: you may need to restart the kernel to use updated packages.


## Excercise 1: Hash Function <a name="hash"/>

Make yourself familar with the Hash Module in [Cryptography](https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/) and experience the property of *collision-resistant* with the following hash functions:
- [MD5](#ex1:MD5)
- [SHA1](#ex1:SHA1)
- [SHA256](#ex1:SHA256)
  
by hashing the following Texts

In [1]:
text1 = b'Heute ist ein Sonniger Tag'

In [3]:
text2 = b'Heute ist ein Ronniger Tag'

In [211]:
import binascii
test1 = bin(int.from_bytes(text1, "big"))
test2 = bin(int.from_bytes(text2, "big"))

c=0
for i in range(len(test1)):
    if test1[i] == test2[i]:
        c=c+1
print(f'Compare the to inputs:\nText1: {text1.hex()}\nText2: {text2.hex()}')
print(f'{c} of {len(test1)} bits are identical')

Compare the to inputs:
Text1: 4865757465206973742065696e20536f6e6e6967657220546167
Text2: 4865757465206973742065696e20526f6e6e6967657220546167
208 of 209 bits are identical


### MD5 <a name="ex1:MD5"/>

In [None]:
#develop your code here

### SHA1 <a name="ex1:SHA1"/>

In [None]:
#develop your code here

### SHA256 <a name="ex1:SHA256"/>

In [None]:
#develop your code here

## Excercise 2 : HMAC <a name="hmac"/>
An HMAC is generated by the following equation:

![HMAC](https://wikimedia.org/api/rest_v1/media/math/render/svg/f89190c72a307b34f1e6b53b5f944a7ae81a3958)

## (hash) length extension attack
A very obvious way of generating an HMAC would be to just generate the HMAC by 

*HMAC(K,M) = H(K||m)*

However, as you learned in the lecture, this holds a *(hash) length extension attack* in Merkle-Darmgard-Construction, as Eve could just intercept the HMAC *mac* and the message *m* and extend the  message by 

*m' = m || m2* 
and than generate a new HMAC by calculating

*mac' = H(mac || m2)*

and sending *m'* and *mac'* to Bob

## Exercise 2.1: Simulate the hash length extension attack for SHA-256
Alice wants to send the message *m* to Bob and are in possession of a shared key:

In [133]:
m = b'We meet at the Metro stop Praterstern at Mitnight'
key = b'Alice loves Bob'
print(len(m+key))

64


Develop a code which generates H(key||m) with SHA-256

In [None]:
#develop your code here

Eve intercepts the message and wants to extend it by *m2*

In [135]:
m2 = b' next Wednesday'

Perform the *hash length extension attack* and verify Bob that Bob will not be able to expose the attack if he verifies the message *m_new = m || m2* with the preshared *key*

<b> Be careful, as "cryptography" tries to prevent this attack, you have to re-create the hash-object in order to simulate the attack </b>

In [139]:
m_new = m+m2

In [1]:
#develop your code here

## Exercise 2.2: Develop HMAC by yourself for SHA-256

Develop your own HMAC as defined by  [RFC2104](https://www.ietf.org/rfc/rfc2104.html#section-2):

*H(K XOR opad, H(K XOR ipad, text))*

- *B* is the block size of the Hash function H
- *K* is the key

1. append zeros to the end of K to create a B byte string
        (e.g., if K is of length 20 bytes and B=64, then K will be
         appended with 44 zero bytes 0x00)
2. XOR (bitwise exclusive-OR) the B byte string computed in step
        (1) with ipad
3. append the stream of data 'text' to the B byte string resulting
        from step (2)
4. apply H to the stream generated in step (3)
5. XOR (bitwise exclusive-OR) the B byte string computed in
        step (1) with opad
6. append the H result from step (4) to the B byte string
        resulting from step (5)
7. apply H to the stream generated in step (6) and output
        the result

Use SHA256 as a hash function and compare your result with the HMAC function provided by *pycrypto*

Some note:
- wikipedia state the ipad to be '0x35'x block_size while RFC2104 uses '0x36'
- the SHA256 object allows you to determine the blocksize by *SHA256.block_size*

In [142]:
m = b'Lets meet at Midnight'
key = b'Alice loves Bob!Alice loves Bob!Alice loves Bob!Alice loves Bob!Alice loves Bob!'

In [2]:
#develop your code here

Verify your  output with the HMAC function provided by *cryptography*

In [204]:
from cryptography.hazmat.primitives import hmac, hashes
hmac = hmac.HMAC(key, hashes.SHA256())
hmac.update(m)
hmac.verify(sig)