In [86]:
# NumPy.
import numpy as np

# Set NumPy to ignore overflow warnings for cleaner output during bitwise operations.
np.seterr(over='ignore')

{'divide': 'warn', 'over': 'warn', 'under': 'ignore', 'invalid': 'warn'}

Problem 5: Passwords


In [87]:
#Problem 5

# Problem 1: Helper

- Functions implemented: `Ch(x, y, z)`, `Maj(x, y, z)`, `Rotr(x, n)`, `Shr(x, n)`, `Sigma0(x)`, `Sigma1(x)`, `sigma0(x)`, `sigma1(x)`

In [88]:
# Ch selects bits from y or z based on x: (x AND y) XOR (NOT x AND z), 32-bit ops.
def Ch(x, y, z):
    """
    Implements the Ch (Choose) function defined in the Secure Hash Standard.
    Ch(x, y, z) = (x AND y) XOR (NOT x AND z)
    All operations are done as 32-bit integers.
    """
    # Convert inputs to 32-bit integers to ensure correct bitwise operations.
    x = np.uint32(x)
    y = np.uint32(y)
    z = np.uint32(z)
    # Perform the Ch operation and return the result as a 32-bit integer.
    return np.uint32((x & y) ^ (~x & z))

In [89]:
# Maj returns 1 if at least two inputs are 1, else 0.
def Maj(x, y, z):
    """
    Implements the Maj (Majority) function defined in the Secure Hash Standard.
    Maj(x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z)
    All operations are done as 32-bit integers.
    """
    # Convert inputs to 32-bit integers to ensure correct bitwise operations.
    x = np.uint32(x)
    y = np.uint32(y)
    z = np.uint32(z)
    # Perform the Maj operation and return the result as a 32-bit integer.
    return np.uint32((x & y) ^ (x & z) ^ (y & z))

In [90]:
# Rotr rotates bits of x to the right by n positions, 32-bit ops.
def Rotr(x, num):
    """
    Implements the Rotr (Rotate right) function defined in the Secure Hash Standard.
    Rotr(n, x) = (x right rotated by n bits)
    All operations are done as 32-bit integers.
    """
    # Convert input to 32-bit integer to ensure correct bitwise operations.
    return np.uint32((x >> num) | (x << (32 - num)))

In [91]:
# Shr shifts bits of x to the right by n positions, 32-bit ops.
def Shr(x, num):
    """
    Implements the Shr (Shift right) function defined in the Secure Hash Standard.
    Shr(n, x) = (x right shifted by n bits)
    All operations are done as 32-bit integers.
    """
    # Convert input to 32-bit integer to ensure correct bitwise operations.
    return np.uint32(x >> num)

In [92]:
# Sigma0 function as defined in the Secure Hash Standard.
def Sigma0(x):
    """
    Implements the Σ0 (Sigma0) function defined in the Secure Hash Standard.
    Σ0(x) = ROTR^2(x) XOR ROTR^13(x) XOR ROTR^22(x)
    All operations are done as 32-bit integers.
    """
    # Convert input to a 32-bit unsigned integer to ensure correct bitwise operations.
    x = np.uint32(x)
    # Perform the rotations and XOR operations.
    rotr2 = Rotr(x, 2)
    rotr13 = Rotr(x, 13)
    rotr22 = Rotr(x, 22)
    # Return the result as a 32-bit integer.
    return np.uint32(rotr2 ^ rotr13 ^ rotr22)

In [93]:
# Sigma1 function as defined in the Secure Hash Standard.
def Sigma1(x):
    """
    Implements the Σ1 (Sigma1) function defined in the Secure Hash Standard.
    Σ1(x) = ROTR^6(x) XOR ROTR^11(x) XOR ROTR^25(x)
    All operations are done as 32-bit integers.
    """
    # Convert input to a 32-bit unsigned integer to ensure correct bitwise operations.
    x = np.uint32(x)
    # Perform the rotations and XOR operations.
    rotr6 = Rotr(x, 6)
    rotr11 = Rotr(x, 11)
    rotr25 = Rotr(x, 25)
    # Return the result as a 32-bit integer.
    return np.uint32(rotr6 ^ rotr11 ^ rotr25)

In [94]:
# sigma0 function as defined in the Secure Hash Standard.
def sigma0(x):
    """
    Implements the σ0 (sigma0) function defined in the Secure Hash Standard.
    σ0(x) = ROTR^7(x) XOR ROTR^18(x) XOR SHR^3(x)
    All operations are done as 32-bit integers.
    """
    # Convert input to a 32-bit unsigned integer to ensure correct bitwise operations.
    x = np.uint32(x)
    # Perform the rotations and shift operations.
    rotr7 = Rotr(x, 7)
    rotr18 = Rotr(x, 18)
    shr3 = Shr(x, 3)
    # Return the result as a 32-bit integer.
    return np.uint32(rotr7 ^ rotr18 ^ shr3)

In [95]:
# sigma1 function as defined in the Secure Hash Standard.
def sigma1(x):
    """
    Implements the σ1 (sigma1) function defined in the Secure Hash Standard.
    σ1(x) = ROTR^17(x) XOR ROTR^19(x) XOR SHR^10(x)
    All operations are done as 32-bit integers.
    """
    # Convert input to a 32-bit unsigned integer to ensure correct bitwise operations.
    x = np.uint32(x)
    # Perform the rotations and shift operations.
    rotr17 = Rotr(x, 17)
    rotr19 = Rotr(x, 19)
    shr10 = Shr(x, 10)
    # Return the result as a 32-bit integer.
    return np.uint32(rotr17 ^ rotr19 ^ shr10)

# Problem 2: Helper

- Functions implemented: `primes(n)`, `cube_root_fractions(prime_list)`, `fractional32_hex(frac_array)`, `cube_root_constants()`

In [96]:
# Compute the fractional parts of the cube roots for the given prime list.
def cube_root_fractions(prime_list: list) -> np.ndarray:
    """
    Compute the fractional parts of the cube roots for the given prime list.
    Returns a NumPy array of fractional parts (float64).
    """
    arr = np.array(prime_list, dtype=np.float64)
    c = np.cbrt(arr)
    frac = c - np.floor(c)

    return frac


In [97]:
def primes(n: int) -> list:
    """
    Return the first `n` prime numbers.

    This implementation uses simple trial division which is fine for small n
    (here n=64). It returns an empty list for n <= 0.
    """
    if not isinstance(n, int):
        raise TypeError("n must be an integer")
    if n <= 0:
        return []

    primes_list = [2]
    candidate = 3
    while len(primes_list) < n:
        is_prime = True
        for p in primes_list:
            if p * p > candidate:
                break
            if candidate % p == 0:
                is_prime = False
                break
        if is_prime:
            primes_list.append(candidate)
        candidate += 2
    return primes_list

In [98]:
# Extract the first 32 bits of each fractional part and format as 8-digit hex strings.
def fractional32_hex(frac_array: np.ndarray) -> list[str]:
    """
    Extract the first 32 bits of each fractional part and format as 8-digit hex strings.
    """
    words = (np.floor(frac_array * (2**32)).astype(np.uint64) & 0xFFFFFFFF)
    
    return [f"{int(w):08x}" for w in words]

In [99]:
# Compute cube root K constants: first 32 bits of fractional part of cube roots
def cube_root_constants():
    """
    Compute cube root K constants: first 32 bits of fractional part of cube roots
    of the first 64 primes. Return list of hex strings.
    """
    # Get first 64 primes
    prime_list = primes(64)

    # Fractional parts of cube roots
    frac = cube_root_fractions(prime_list)

    # First 32 bits of fractional part formatted as hex
    computed_hex = fractional32_hex(frac)

    return computed_hex

# Problem 3: Helper

- Functions implemented: `append_terminator(padded)`, `pad_to_block_size(padded)`, `append_length(padded, msg_len_bits)`, `block_parse(msg)`

In [100]:
def append_terminator(padded):
    """
    Append the '1' bit (0x80 byte) to the message.
    """
    padded.append(0x80)

In [101]:
def pad_to_block_size(padded):
    """
    Append zero bytes until room for the 64-bit length field is available.
    """
    while (len(padded) + 8) % 64 != 0:
        padded.append(0x00)

In [102]:
def append_length(padded, msg_len_bits):
    """
    Append the original message length in bits as a 64-bit big-endian integer.
    """
    padded.extend(msg_len_bits.to_bytes(8, byteorder='big'))

In [103]:
def block_parse(msg):
    """
    Generator that yields 512-bit (64-byte) blocks from msg with SHA-256 padding.
    
    Implements FIPS 180-4 Section 5.1.1 (Padding) and 5.2.1 (Parsing).
    Uses helper functions to break padding into clear, modular steps.
    
    Args:
        msg (bytes): The message to process.
        
    Yields:
        bytes: Each 512-bit block (64 bytes).
    """
    if not isinstance(msg, bytes):
        raise TypeError("msg must be a bytes object")
    
    # Calculate original message length in bits
    msg_len_bits = len(msg) * 8
    
    # Start with the original message
    padded = bytearray(msg)
    
    # Apply padding steps
    append_terminator(padded)
    pad_to_block_size(padded)
    append_length(padded, msg_len_bits)
    
    # Yield 512-bit (64-byte) blocks
    for i in range(0, len(padded), 64):
        yield bytes(padded[i:i+64])


# Problem 4: Helper

- Functions implemented: `message_schedule(block)`, `hash(current, block)`

In [104]:
# Constants K: First 64 constants from cube roots of first 64 primes.
def message_schedule(block):
    """
    Expand a 512-bit message block into 64 32-bit words.
    
    Args:
        block: 64-byte message block (512 bits)
    
    Returns:
        List of 64 32-bit words (W[0] to W[63])
    
    From FIPS 180-4 Section 6.2.2:
    - W[0..15]: First 16 words (message block parsed as big-endian 32-bit words)
    - W[16..63]: Computed using sigma0 and sigma1 functions
    """
    # Parse block into 16 32-bit words (big-endian)
    W = []
    for i in range(16):
        word = int.from_bytes(block[i*4:(i+1)*4], byteorder='big')
        W.append(np.uint32(word))
    
    # Expand to 64 words
    for t in range(16, 64):
        s0 = sigma0(W[t-15])
        s1 = sigma1(W[t-2])
        W.append(np.uint32(W[t-16] + s0 + W[t-7] + s1) & 0xFFFFFFFF)
    
    return W

In [105]:
# Generate the first 64 cube root constants in hexadecimal.
def hash(current, block):
    """
    Compute the next SHA-256 hash value.
    
    From FIPS 180-4 Section 6.2.2 - SHA-256 Hash Computation:
    - Takes current 256-bit hash (8 words) and a 512-bit message block
    - Performs 64 rounds of compression function
    - Returns new 256-bit hash (8 words)
    
    Args:
        current: Tuple/list of 8 32-bit integers (H0-H7) representing current hash
        block: 64-byte message block (512 bits)
    
    Returns:
        Tuple of 8 32-bit integers representing the updated hash
    """
    # Initialize working variables from current hash
    a, b, c, d, e, f, g, h = [np.uint32(x) for x in current]
    
    # Get K constants (first 64 constants from cube roots of first 64 primes)
    K_hex = cube_root_constants()

    # Convert hex constants to 32-bit unsigned integers
    K = [np.uint32(int(k, 16)) for k in K_hex]
    
    # Get message schedule (64 words from block)
    W = message_schedule(block)
    
    # 64 compression rounds
    for t in range(64):
        T1 = np.uint32(h + Sigma1(e) + Ch(e, f, g) + K[t] + W[t])
        T2 = np.uint32(Sigma0(a) + Maj(a, b, c))
        h = g
        g = f
        f = e
        e = np.uint32(d + T1)
        d = c
        c = b
        b = a
        a = np.uint32(T1 + T2)
    
    # Add compressed chunk to current hash values
    H = [
        np.uint32(current[0] + a),
        np.uint32(current[1] + b),
        np.uint32(current[2] + c),
        np.uint32(current[3] + d),
        np.uint32(current[4] + e),
        np.uint32(current[5] + f),
        np.uint32(current[6] + g),
        np.uint32(current[7] + h),
    ]
    
    return H

In [None]:
# List of SHA-256 hashed passwords.
hashed_passwords = [
    "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8",
    "873ac9ffea4dd04fa719e8920cd6938f0c23cd678af330939cff53c3d2855f34",
    "b03ddf3ca2e714a6548e7495e2a03f5e824eaac9837cd7f159c67b90fb4b7342",
]

# Additional hashed passwords for testing.
more_hashed_passwords = [
    "a01edad91c00abe7be5b72b5e36bf4ce3c6f26e8bce3340eba365642813ab8b6",
    "59945da25d2521045b4bc84db7d5fd44b2c5511fe7cc247a8ce5a79bcd74a1c2",
    "daaad6e5604e8e17bd9f108d91e26afe6281dac8fda0091040a7a6d7bd9b43b5",
    "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824",
]

In [None]:
# Common weak passwords to test against.
passwords = [
    "password","baseball","dragon","cheese","P@ssw0rd","123456","qwerty","letmein",
    "monkey","football","iloveyou","admin","welcome","login","abc123","starwars",
    "trustno1","sunshine","master","hello","freedom","whatever","qazwsx","654321",
    "superman","1q2w3e4r","password1","zaq1zaq1","password123", "123qwe","12345",
    "123456789","12345678", "1234","123","111111","000000","123321","121212",
    "password!","passw0rd","letmein123","football1","baseball1","welcome1",
    "admin123", "qwerty123","dragon123","iloveyou1","trustno1!","sunshine1",
]

## Overview

- Purpose: verify and (optionally) recover plaintext passwords from given SHA-256 hashes using the notebook’s pure-Python implementation.
- Key functions: `sha256_hex`, candidate wordlist, and a matcher loop; relies on `block_parse` and `hash` from Problem 4.
- Workflow: compute SHA-256 for each candidate, compare to targets, collect matches; expand by supplying larger wordlists when needed.
- Notes: Hex digests are case-insensitive in matching here; constrain searches to avoid long runs. A quick check with "password" is provided.

# `sha256_hex(msg_bytes)`

- **Purpose**: Compute the SHA-256 digest of `msg_bytes` using the notebook's pure-Python implementation.
- **Args**: `msg_bytes` (bytes) — message to hash.
- **Returns**: Lowercase hexadecimal string (64 hex characters) representing the 256-bit digest.
- **Notes**: This function uses `block_parse()` and `hash()` defined earlier in the notebook, and is intended for direct comparison with values in `hashed_passwords`.

In [107]:
# SHA-256 implementation (from problem 4).
def sha256_hex(msg_bytes: bytes):
    '''
    Compute SHA-256 hash of msg_bytes and return as hex string.
    1. Initialize hash values (first 32 bits of the fractional parts of the square roots of the first 8 primes).
    2. Process each 512-bit block of the message.
    3. Produce the final hash value (concatenate H0-H7).
    '''
    # Compute SHA-256 hash of msg_bytes and return as hex string.
    initial = [0x6a09e667,0xbb67ae85,0x3c6ef372,0xa54ff53a,0x510e527f,0x9b05688c,0x1f83d9ab,0x5be0cd19]
    # Process each 512-bit block
    for block in block_parse(msg_bytes):
        # Update hash with current block
        initial = hash(initial, block)
    # Format final hash as concatenated hex string
    return ''.join(f"{int(x):08x}" for x in initial)

In [None]:
# Attempt to crack the given SHA-256 hashed passwords using a small candidate list.
def crack_passwords(hashed_passwords):
    '''
    Attempt to crack the given SHA-256 hashed passwords using a small candidate list.
    Prints found passwords and their hashes.
    '''    
    # Small candidate password list for demonstration purposes    # Use existing SHA-256 helpers in this notebook to crack the given hashes
    targets = set(h.lower() for h in hashed_passwords)

    found = {}
    # Check each candidate password
    for p in passwords:
        # Compute SHA-256 hash
        h = sha256_hex(p.encode("utf-8"))
        # Check if hash matches any target
        if h in targets:
            found[h] = p
            print("FOUND:", p, "->", h)

    # Report results
    if not found:
        print("No matches in candidate list. To search more, provide a larger wordlist.")
    else:
        print("Matches:", found)

# Test cracking the first set of hashed passwords.
print(crack_passwords(hashed_passwords)) 

FOUND: password -> 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
FOUND: cheese -> 873ac9ffea4dd04fa719e8920cd6938f0c23cd678af330939cff53c3d2855f34
FOUND: P@ssw0rd -> b03ddf3ca2e714a6548e7495e2a03f5e824eaac9837cd7f159c67b90fb4b7342
Matches: {'5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8': 'password', '873ac9ffea4dd04fa719e8920cd6938f0c23cd678af330939cff53c3d2855f34': 'cheese', 'b03ddf3ca2e714a6548e7495e2a03f5e824eaac9837cd7f159c67b90fb4b7342': 'P@ssw0rd'}


## Cracked Passwords

- Hash: 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 → plaintext: **password**.
- Hash: 873ac9ffea4dd04fa719e8920cd6938f0c23cd678af330939cff53c3d2855f34 → plaintext: **cheese**.
- Hash: b03ddf3ca2e714a6548e7495e2a03f5e824eaac9837cd7f159c67b90fb4b7342 → plaintext: **P@ssw0rd**.

### How they were found
1. Took the provided SHA-256 hashes and loaded them into hashed_passwords.
2. Used the notebook’s pure-Python SHA-256 implementation (block_parse, hash, sha256_hex).
3. Ran a small dictionary ("password", "baseball", "dragon", "cheese", "P@ssw0rd", etc.) in crack_passwords to hash each candidate and compare against the targets.
4. Matches were printed when a candidate’s digest equaled a target hash, revealing the plaintexts above.

this tool was quite helpful: https://10015.io/tools/sha256-encrypt-decrypt (enter the plaintext to obtain the SHA-256 hex or enter the hash to verify/check it against the plaintext).

## Security Improvements for Password Hashing

The attack performed above is a **dictionary attack** — testing common passwords and comparing their SHA-256 hashes to the targets. This is effective because:

- **SHA-256 is fast**: Designed for data integrity, not password storage. An attacker can test millions of candidates per second.
- **No salt**: The same plaintext always produces the same hash, enabling rainbow table attacks and making it easy to identify identical passwords.
- **No cost function**: There is no intentional delay per hash attempt; the computation is optimized for speed rather than resistance.
- **Deterministic output**: An attacker can precompute hashes of common passwords and reuse them across multiple systems.

### Recommended Security Improvements

1. **Use a Cryptographic Salt** (16+ bytes of random data per password)
   - Store: `hash = SHA-256(salt || password)`
   - Benefit: Forces attackers to recompute every candidate password, eliminating rainbow tables.
   - Storage: Keep salt alongside the hash (salt does not need to be secret).

2. **Switch to Purpose-Built Key Derivation Functions (KDFs)**
   - **bcrypt**: Includes salt, adjustable cost factor (rounds), and intentional slowness.
   - **scrypt**: Memory-hard; resistant to GPU/ASIC attacks due to high memory consumption.
   - **argon2**: Modern NIST-recommended standard; tunable time, memory, and parallelism.
   - **PBKDF2**: Iterative hashing with configurable iteration count (e.g., 100,000+).

3. **Apply a Work Factor / Cost Parameter**
   - Make each hash computation take 0.1–1 second (not milliseconds).
   - Increases attacker cost exponentially: 1 million attempts becomes infeasible.
   - Adjust as hardware improves to maintain resistance.

4. **Use High Iteration Counts for PBKDF2**
   - At minimum, 100,000–600,000 iterations (OWASP recommendation for 2024).
   - Each iteration multiplies the time required per candidate.

5. **Never Reuse Salts**
   - Generate a unique random salt for every password.
   - Store the salt in plaintext alongside the hash.

6. **Increase Salt Length**
   - Use at least 16 bytes (128 bits) of cryptographically random salt.
   - Larger salts make precomputation impractical.

### Example: Using bcrypt (Python)
```python
import bcrypt

# Hashing a password
password = b"cheese"
salt = bcrypt.gensalt(rounds=12)  # Cost factor 12
hashed = bcrypt.hashpw(password, salt)

# Verifying a password
is_correct = bcrypt.checkpw(password, hashed)
```

**Why this is secure**: Even with the plaintext password and hash, an attacker cannot reverse it in reasonable time due to the cost parameter and salt.

### Summary Table

| Method           | Speed    | Salt? | Cost Factor? | Notes                                 |
|------------------|----------|-------|--------------|---------------------------------------|
| SHA-256 (bare)   | Very fast | No   | No           |  Vulnerable to dictionary attacks   |
| PBKDF2 (100k)    | Slow     | Yes  | Yes          |  Acceptable; widely supported       |
| bcrypt           | Very slow| Yes  | Yes          |  Strong; recommended for most apps  |
| scrypt           | Very slow| Yes  | Yes          |  Memory-hard; excellent security    |
| argon2           | Very slow| Yes  | Yes          |  Modern; NIST recommended (2023+)   |

For production systems, **bcrypt** or **argon2** are preferred over bare SHA-256.
