# Notebook for Lab 2 - Asymmetric Encryption

## General goal
In this lab you’ll get familiarized with programming, asymmetric encryption and key exchange algorithms using the pyca/cryptography library. 

## Specific goals
- Being capable of serializing and unserializing RSA private and public keys to and from PEM/PKCS encoding/format.
- Being capable of saving and loading RSA private and public keys to and from a file.
- Make use of the pyca/cryptography library to encrypt and decrypt simple messages (strings) with RSA asymmetric cipher using two different paddings (PKCS1v15 and OAEP).
- Make use of the pyca/cryptography library to wrap symmetric keys (recall that key wrapping uses symmetric encryption to encapsulate symmetric key material).
- Make a combined use of RSA OAEP asymmetric encryption and AES 256 CTR to implement hybrid encryption.
- Make use of the pyca/cryptography library to implement a simple anonymous Diffie-Hellman Key Exchange

## Modules
Cryptography library documentation can be found at https://pypi.org/project/cryptography. You’ll may find useful to have these links as reference:
- Asymmetric RSA:
https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/
- Key Wrapping:
https://cryptography.io/en/latest/hazmat/primitives/keywrap/
- Diffie-Hellman key exchange:
https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dh/

## Lab assignment and assessment
You are given one Python script/notebook, that contains the headers of all the functions you should develop at the end of this lab. Next, you’ll be guided through several tasks you’ll have to complete in order to do so.

Lab 2 assessment will be performed with a test/quiz/exam at the end of the course (along the other lab assessments).

# 0. Modules installation and imports

In [1]:
import os

from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives.asymmetric import utils
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

from cryptography.hazmat.primitives.keywrap import aes_key_wrap, aes_key_unwrap

from cryptography.hazmat.primitives.serialization import load_pem_private_key, load_pem_public_key
from cryptography.hazmat.primitives import serialization

from time import time
from cryptography.hazmat.primitives.asymmetric import dh

PUBLIC_EXPONENT = 65537
KEY_SIZE = 2048
KEY_SIZE_AES = 32
BLOCK_SIZE_AES = 16
GENERATOR = 2

# 1. Asymmetric Encryption with RSA

## 1.1 GENERATING RSA PRIVATE AND PUBLIC KEYS

### TASK 1.1.1 Generating an RSA key pair

Before using the RSA cipher, you need to generate a pair of RSA public/private keys. Read the documentation at:
https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#generation

#### TASK
<mark>Complete the code of function <code>gen_priv_key()</code> to create the private key first and then the code of function <code>gen_pub_key(private_key)</code> to create the pairing public key. Use the already given parameters for creating the private key PUBLIC_EXPONENT and KEY_SIZE.</mark>

In [2]:
from cryptography.hazmat.primitives.asymmetric import rsa

def gen_priv_key():
    private_key = rsa.generate_private_key(
        public_exponent=65537,
        key_size=2048,
    )
    return private_key

def gen_pub_key(private_key):
    public_key = private_key.public_key()
    return public_key

## 1.2 SERIALIZATION OF PRIVATE AND PUBLIC KEYS

### TASK 1.2.1 Serializing RSA keys

Read documentation at:
https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#key-serialization

Serialization is the process of transforming a data structure created in a specific context into another that is easily stored or transmitted (https://en.wikipedia.org/wiki/Serialization). It is also called marshalling. The inverse process is called unserialization or unmarshalling.

In the case of private and public keys it is highly recommended to ensure interoperability. Serialization can be done following different encodings and formats. In the case of private keys, you can choose to serialize the key in clear or encrypted using a symmetric key derived from a password. Obviously, in real life, private keys MUST be always protected.

#### TASK
<mark>Create two functions, <code>pem_serialize_pub_key(pk)</code> and <code>pem_serialize_enc_priv_key(sk, pwd)</code>, that serialize the private and public keys using the following encoding and formats.</mark>

For the private key: 
<code>encoding = serialization.Encoding.PEM, 
    format = serialization.PrivateFormat.TraditionalOpenSSL,
    encryption_algorithm=serialization.BestAvailableEncryption(pwd)</code>

For the public key: 
    <code>encoding = serialization.Encoding.PEM, 
    format = serialization.PublicFormat.SubjectPublicKeyInfo</code>
    
The output of the serialization process uses PEM format. More information about PEM format: https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail

Once you have coded the functions, print the output. You should obtain something similar to the following result.

In [None]:
b'-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,802BDB9DB78F07FB34A14F88BF4C4CA9\n\n0ASfOGx4tbVzkqKcCGmaPUVGgj68JE6exAKtMaaL5nT2ZVY/WsWxinclZqTMpyF7\nmPaFoQLaudwh+N/3s11wwpIUx7MMND0bEhyHdisRe/3m7MfAI1E2onTw7TCzYNAZ\nCN007wa2BphFfQ1PZ5upy+p27d91xiKP9RSf6Vtusj1smA6lLBeQdYpcoLhZnyyL\n/b/QVG0JhKizkh84hOuz6TR/eXXEtro3Bwbs+2L/ZSqAA+yrvwABwVnX43y4Fdlg\n/p1y+Kc8PD+JHEtw1ibWsQM9yrt0/ZBvEMrLbx9QzpapEqOQgbFc/FRX8jfLmoM0\nO9ievrIRDK3NnhpxvDi6AEqkyJqU/BM9Kwh04dMr7MP1AgqVwxEssnlioh8IP+ZF\njk1zPIUj3bi1HBvCYngwk1pKpCcC2xcS1PE5bXiXstWYe85Jkr6tQHjrdo/oLN85\nlZjhneegszt1+BP0sC1tlAGYH6qhR11wghiU3bhDgFmFtmpu4geDdHDCnK/AEeUI\njIsf0/2cwsJv7m92xw7O2gWy7o8SfXIHsZzMM2X3ogrghD2NldpGoFyjBtBuc2qc\nXXCV7FnrmPF2Uby1brBy0t24t8W+bIS9cl/0IIrqShYV+KgqaRC4tIKKfH/BqN6N\n/vEyp+QdnVz96/PdM69ExaZ5VhZ/mnASVV80RV3j/JvB8QmZ/N7zn4h7LPWZEbyS\ntb7EI2dtk5VKLxkz7Uj2uIGLVUemLYvLNNzUYJcUMRORSl6wpwZ6qq8bQJ2tJlHQ\nFXpEE24T9clBXtrBi22hWHeRZzFXsE4iAXFAQpeFXUwAFTDXW7Fc6xIGD31zncLy\ndI4xd39hk4X3PTHKyMDSM1qQ3aoww8i8MgoRhggpKr+wTUc/T82ggJTn37JK8z2g\nRxEGJAkYwiAMb0GcDgvm8cd0IcJjuYbJSB+A0QAHPaFR0OCn2e9q7HRqV3rOejNa\nvmidIp+smjC79ea9D7ewJFT8gEkppRzNlw0pMus1GpgdZLS9/zJTYVo66YjC0laD\nf9XQ1oEzldALgI3ZoEnli02nC1PVaff9GAkcwBj+yre3RgLxoFwwf6i8ZKwQo7dm\nLQ+JhraRWzD87jLbaDOOX0gQa1e6LcJTf/cljaD1n97ang/YOqCWUz0IAVPajrvx\nE4qyBnfdqfnHt2i/doOZ66d7gFtzvG5FFG6sGSfhNLUfVTZ/29VL8RBGnEsv4sz+\nlAXnIKx5Zw7GPjcIptFx+ySe10Srq4u3AlGtAksjOxP20EfjLNYiYTXZ9icTQJb6\nwryftBSTT07Mb9GrsSPueQ6COOS8i5BCBQdXaCJHA21bC+h9aHwImRhHj0K1UB0A\nBAboZ7yCWaL2zNCiBaIH6vj3eA5cWGmSq1CgtJLoeY6vwD+wJLzldMVDXbcpqtA4\nVzqmOboPsmE3/n3j5sqMqhiZnUKNFbir4rfP27WLCD23UXdXyZ+v6l7ZyKRo3xjB\n/JMVBAS+Ygn4FAMPrM+ScwriB0lP4JvEeQCItvTyRf1Uk1W4Od2fI9rIo9fgDvL3\n/XhuxkHbmts0W5P5Hho4JBI7qNlq/4nv+XPgEj9ptxEGR7ilK7O/HGOKb+VuxH8L\n-----END RSA PRIVATE KEY-----\n'

In [None]:
b'-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4BKsvzPODKFgeBWlrXwf\nOq0yEeH4YXhcwDBdtphEV4WzpTCh0nxZKZQh9diwjS7WEsjPUnVQJx8XBNdt5YOo\nO1ui4fLS+6v/JHMhjDln9D79pcHFvnduwOdM5mFkmDSJrwna+Qk7r000RWk8lhTK\nds4etkrHomk8txXBlNAcoEu1nzII76Y9G5LiffRrtGSoi7yybYCIaeKwG9q6PI50\nak6K6OIhxB6AcEq5KCs/Y0zkM6TzQLz8V9cyHnZ2ApTht5M2YifX2m09/vtQmDdw\n6wNl9rwP9O8ws2Dmfs0ijovJE4M8C1UviHJicmOaPaaDzzG6Kh8L0FwNf0b+d3CM\nbQIDAQAB\n-----END PUBLIC KEY-----\n'

In [4]:
from cryptography.hazmat.primitives import serialization

def pem_serialize_pub_key(pk):
    pem = pk.public_bytes(
        encoding = serialization.Encoding.PEM,
        format = serialization.PublicFormat.SubjectPublicKeyInfo
    )
    return pem

def pem_serialize_enc_priv_key(sk, pwd):
    pem = sk.private_bytes(
        encoding = serialization.Encoding.PEM,
        format = serialization.PrivateFormat.TraditionalOpenSSL,
        encryption_algorithm = serialization.BestAvailableEncryption(pwd) 
    )
    return pem

# Test output
private_key = gen_priv_key()
public_key = gen_pub_key(private_key)

# Serialize and print private and public keys
print(pem_serialize_enc_priv_key(private_key, b'password'))
print(pem_serialize_pub_key(public_key))

b'-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,5E10D3B800302EEA65EACDE3B70DD4B7\n\n1cYiJApoY332hbnWRrHzX3aVQiQfIpwBTgR6cfbhmXh3QFxUHLh5/rCQ6bTWMkAm\nkoxe7zNYZLMEZItEbYR59M87kcIA+R1JvCSCmdgSiKQlcKRgWvOLf5MFoNOKrMH7\nmdLcLctbacUyzhsuCxoxePCxQGis/EnGolYx/Vi5LkjTKDIGzc7jRsOzD2nAzprr\n9q9GnJcRNEryAdE5jaQFevb5jPPNKoafxXyY2xo1NbV3/iFoKh6nD6ckBjMNLnxs\nwpsNATFN4I5xdeedv5ayMnTbnW2xpqldHq0dmn3BXuRePz1yTeDxjD8rymBv79vf\nELrbomkxXDrBNIWUYpRYS6F/GNo99q7E6p9iIBOmmoCt79uW93t8TCkvwuyyTdkz\npWhJZ//yvt36/S3XIBF1o3lXEMGU6+mLecZrCxGfTCVHJeLjXXa622YEexnTDHef\nS/3LPgdtcQ7QftPpBe2GNQnoEqmi8sje4UdOKPL3qp64bqI36EVPASI8OQA+Grsg\nukowMG6qWLo90tKEVImMkhExHfAO2mUR3b277agXfR5CVINNkcskWSbGivkxErL4\nUJJF4IbxAoPHKSFilQb1xavm+M899K/0hwIY97s0kVMef6xhL/Y9ILqZLfy/sYIt\nv+7Je+YNQQ9HtrSxWlqSZxXY0oZdq/gdEydogrMaPXhbs5J786XDQ3lKw29VIuim\nEXLqL7FlpqqyoNNRiY/uh6lvt1AqNgIYH0wXo2IZs11eCRkwFGed2RO8S1eUx/RZ\nrRZNZBWeSOo1ij2mJCbw5K1YID89retPdpPRob95ldhdeEvLvT/kaseKJ/ddCBWU\nGimJDO6lIbV9pv8UrCXM/xfa/

## 1.3 SAVING/LOADING PRIVATE AND PUBLIC KEYS TO/FROM FILE

Read documentation at:
https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#key-loading

Once you have the private and public key serialized, it is advisable to save them into files so you can reuse them. You can use the following functions.

In [9]:
def save_pem(pem, filename): 
    with open(filename, 'wb') as pem_out: 
        pem_out.write(pem) 
def load_pem(filename): 
    with open(filename, 'rb') as pem_in: 
        pemlines = pem_in.read() 
        return pemlines

### TASK 1.3.1 Saving PEM serialized keys to file

#### TASK

<mark>Save your private and public keys to two files, once they are in PEM format.</mark>

In [6]:
private_key = gen_priv_key()
public_key = gen_pub_key(private_key)

pem_private_key = pem_serialize_enc_priv_key(private_key, b'password')
pem_public_key = pem_serialize_pub_key(public_key)

save_pem(pem_private_key, "lab2_private_key.txt")
save_pem(pem_public_key, "lab2_public_key.txt")

### TASK 1.3.2 Loading PEM serialized keys from file

#### TASK

<mark>Now, load your previously saved keys. Check that you are really accessing the previously saved keys and not to newly created ones.</mark>

In [7]:
loaded_pem_private_key = load_pem("lab2_private_key.txt")
loaded_pem_public_key = load_pem("lab2_public_key.txt")

assert loaded_pem_private_key == pem_private_key
assert loaded_pem_public_key == pem_public_key

## 1.4 NUMBERS OF RSA KEYS

Read documentation at:

https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#numbers

https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#key-interfaces

The cryptography library provides an interface to access the numbers composing RSA private and public keys.
To access an attribute of a Python object you have to use <code>name_of_object.name_of_attribute</code>. Eg., for accessing the <code>modulo</code> attribute of public key <code>pk</code>, we can do so using the method <code>public_numbers()</code> offered by the key interface of an <code>RSAPublicKey</code>, and then access to the attributes that will be copied in that new <code>RSAPublicNumbers</code> object. Next code shows you how to access to the public key exponent and the public key modulo.

In [None]:
# my_public_key is an RSAPublicKey object 
# u is a RSAPublicNumbers object 

my_private_key = rsa.generate_private_key(public_exponent=PUBLIC_EXPONENT, key_size=KEY_SIZE, backend=None)

my_public_key = my_private_key.public_key()
    

u = my_public_key.public_numbers() 
print("e: ", u.e, "\nn: ", u.n)

### TASK 1.4.1 Retrieving RSA key numbers

#### TASK

<mark>Retrieve and print the numbers that compose your private and public keys.</mark>
- <mark>Get primes p and q from the private key.</mark>
- <mark>Get public exponent e and modulo n from the public key and private exponent d from the private key.</mark>

You should get something similar to the contents of the following cell.

PUBLIC KEY NUMBERS: 
- e= 65537 
- n= 28286589195806813523758388238601420643684675859590271480242198902877495065174939388967352229927118658568849300194854591753778288782981184337483735526054958723030953718998273608377686022156012991767916779100447389061810656324359973280201303652806242293533570949451679574458537712176089120105323691385066797554509039787547107291385254211206950822572782513783075701597720659181873730425007754038442219693054334894078838357139617750150040561481356423076762837510859732933469937162361387743959048254286717249809639810546656863888521654105634360262835982057012810292159145370934780218418147053162085567559518732703990058093 
PRIVATE KEY NUMBERS: 
- d= 2476592593581328043690215171782274923378590263245631898830122485080352574636828085110619453061962049878207078208005792872471730793853030131505587293414458293067299577942415642535837197234099860334838434448912326143043922455852076333701498090541254837424594200344137470409739374589413604088749062989876150638049371610876500881319783760547095681764714011329189154531191659301167658509610759475554004075665737029703132094188039196801496683266639152961385368199124994673494303163660572592242786952701985154543342061112087376755920622578733780801891307137613105350769102406658645478262464641227300809810227199587461602753 
- p= 173957046990765938927114424239968578264521087635448939562764984761896855350232514127134303004576939168705624803510295654154543576942608560832992595163874428473745256858843090788377514132354371334064080364302929220414371906509415218717097948593452823050272958790363412458250094316606182472717994334049807405561 
- q= 162606745085229770189985671425851241203684542132103997916672688079679761839438825873423154557612040598908562445786602535037029202864692413022732794513932886210021622367508721149060877356643046321234055671565639387905524818711158877967217539235998104116519392501591296531710899513810414567038655806921266817813

In [8]:

private_key = gen_priv_key()
public_key = gen_pub_key(private_key)

p = private_key.private_numbers().p
q = private_key.private_numbers().q
d = private_key.private_numbers().d
e = public_key.public_numbers().e
n = public_key.public_numbers().n

print(f"e = {e}\nn = {n}\nd = {d}\np = {p}\nq = {q}")

e = 65537
n = 25689060396309447309554327220065595087540266258706621148254392466126430854011636763799930608657366527491806937835083073525379729522736718051174499289061481201816770898784097712330228282600121674002506835854415198829215956223188211368150267042907299693349513306478042533696997272376843771014347576595895922707296848310988384650204405858880276578264427741901977813592572832018023202308489808385553148746787306465772965333407751987849283203311844629751679444002880501997058230319801808041479325305819781780963206598285266674876785485695453328680539989562094608561127083480907657467793510506370980575847226375927831817989
d = 1793397219558643190915642089409114148103645317914269319751451990946258644198189436556077216187186111736986583034468526666569931603504908208548394462246952742246550514284479653605427116742698119977722040995817830209551403080857254132202107348338520574972875791620972337798452580533777171114536731156756836906863057665093259336922308188701548118390310470630379808717

### TASK 1.4.2 Checking RSA key numbers

#### TASK

<mark>Then, do some checks using the web tool https://www.boxentriq.com/code-breaking/big-number-calculator :</mark>
- <mark>Compute the product of p and q and compare the result with the value retrieved for modulo n.</mark>
- <mark>Check that exponents e and d are the multiplicative inverse of each other with respect to phi(n)=(p-1)·(q-1), that is, their multiplication modulo phi(n) is equal to 1.</mark>

## 1.5 RSA ENCRYPTION/DECRYPTION WITH PKCS1V15

Read documentation at:

https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#encryption

https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#decryption

Take into account that RSA is an asymmetric block cipher, therefore it needs padding, but not only because of the length of the message, but more importantly, because the security. The
library cryptography offers PKCS1v15 and OAEP paddings for asymmetric encryption. 

Read the documentation at:

https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#module-cryptography.hazmat.primitives.asymmetric.padding

### TASK 1.5.1 Encrypting/Decrypting with RSA PKCSv15

#### TASK

<mark>Now you are ready to encrypt with RSA. Create two functions <code>rsapkcs1v15_encryption(public_key, message)</code> and <code>rsapkcs1v15_decryption(private_key, ciphertext)</code> that encrypt and decrypt a message with RSA using PKCS1v15 padding (note that this padding method does not need any parameter). Using your RSA key pair, encrypt and decrypt a small message using these functions. Check that you obtain the original message after decryption. </mark>

In [7]:
from cryptography.hazmat.primitives.asymmetric import padding

def rsapkcs1v15_encryption(public_key, message):
    # Encrypt the message
    ciphertext = public_key.encrypt(
        message,
        padding.PKCS1v15()
    )
    
    return ciphertext

def rsapkcs1v15_decryption(private_key, ciphertext):
    # Decrypt the ciphertext
    plaintext = private_key.decrypt(
        ciphertext,
        padding.PKCS1v15()
    )
    
    return plaintext

private_key = gen_priv_key()
public_key = gen_pub_key(private_key)

message = b'Hello, this is a test'
ciphertext = rsapkcs1v15_encryption(public_key, message)
plaintext = rsapkcs1v15_decryption(private_key, ciphertext)

assert plaintext == message

### TASK 1.5.2 Decrypting a given ciphertext with RSA PKCSv15

#### TASK

<mark> In the lab’s materials folder you’ll find two files containing a private and public key pair, PEM encoded (filenames are <code>fixed_private_key.pem</code> and <code>fixed_public_key.pem</code>. Notice that the password used to protect the private key is <code>b'password'</code>. Decrypt the ciphertext provided in next cell.</mark>

In [8]:
ciphertext_pkcs1v15 = b'8\xd5\xaag\x9c8:\xc8\x8d\xd7\xbc\x1f\tb\xf6\\`\xba' \
                 b'\x90\xc2\xc9\x019\'\xcd\xc3R\x82\xd09\xb1L+\xb85f\x8b' \
                 b'\x01I\xc7*\xb4\xa7\xa5\xaa\xc9X\x94\t\x03\x9d"\xdc\xcc' \
                 b'\xf8\x9b\xd62\xa0\xa1b%\x8c\xaa\x0f\xeb\xbeI\x849\xc9' \
                 b'\x8c\x01\x12Q\x82\xe1\xa5w\x12\x86*>\xc7\xbeR\x9e\\kv' \
                 b'\x97\x8d\xa9ez/\x18\xe7\x14\x9121\x05:\x8f3\xa5=\xcc\x06' \
                 b'\xfc\x1b\xe0\xae\xb3U\x14]R\x94\x8fh\xabm\x9fC\x0c\xd58J' \
                 b'\x7fQP\xe5\xa7S\xce\xa2\xef0^\x1aD\xc5\x8f\xffF\x86\xe6\x1f' \
                 b'\x8bF\x0c\xf5Ik1%0\x1f\x12\x82\'H\x81\xe9\xd2\xbf\xda<\xa3' \
                 b'\x80\xed\xb5\xef\x8c\x08{ScD:\xfc\xff\xc9P\\\xff\xf5\x8bV' \
                 b'\xc8\x0e\x1b\x93P\xaf\xb8\x1c$5\x85\x90\xf6h\x05x]\xc9\x8a' \
                 b'\xb7\xe8\xfc\x99\x1a2\xc0i\x00\xebn\xbaE\xbf\xf7\xd5+\x1b/' \
                 b'\x9b\xff\xb2\xa3\xf1\x08\x8c!\xcb85/\xb4\xdf\xce/\xacd\xd6\x93k_x\x12\xc3@\x04'

In [13]:
from cryptography.hazmat.primitives import serialization

# Read PEM keys
pem_private_key = load_pem("lab2_fixed_private_key.pem")
pem_public_key = load_pem("lab2_fixed_public_key.pem")
password = b'password'

# Decrypt from PEM
private_key = serialization.load_pem_private_key(
    pem_private_key,
    password=password,
)
public_key = serialization.load_pem_public_key(
    pem_public_key,
)

# Decrypt cipher text
plaintext_pkcs1v15 = rsapkcs1v15_decryption(private_key, ciphertext_pkcs1v15)

print(plaintext_pkcs1v15)


b'GREAT AND AWESOME MESSAGE THAT WILL HELP YOU TO PASS THIS COURSE'


### TASK 1.5.3 Encrypting twice the same message with RSA PKCSv15

#### TASK

<mark> Encrypt twice the same message. Do you obtain the same ciphertext? Can you provide some reason for the result you have obtained? Hint: You can find why at: https://datatracker.ietf.org/doc/html/rfc8017#section-7.2.1 </mark>

In [14]:
message = b'Test message'

ciphertext1 = rsapkcs1v15_encryption(public_key, message)
ciphertext2 = rsapkcs1v15_encryption(public_key, message)

print(ciphertext1)
print(ciphertext2)
print(ciphertext1 == ciphertext2)

b"\x93\xael\xe6\xa2\xc8t&L\x8b\xd1U\x1b\xe6\x9f8\xeea,7l\x93r\xf3\x13\xb9\xe7b\x84\x17\x91\xe0\x8c\xde\xb5\xf87\x05\xec\xcdx\xed\r\xfc\xff\x80\x02F\x92\xd6 \xd8@+\xbc7\xbel\x1c\xda\xda\xf9T\xe2\xd8\x04Z\xce\xe1\x00\xe4^\x16\x8c\x0bN\xeb\xbd\x06\xa4\x9f\x18=>\x82\xb58\x81\xcb\xf0\xcbL3\x93\xb7Ga}\x82N\xb0\x81t\xadpO\x89\xc6\xfd\xcbY4U\xf8\xc7>\xe7|kpm\xd3\x9e\xa7\x9c\x0e\xb3\xc1\x10_\xb8\xa6'\x9d\x05\xe3\x1c\xd2Fk\x80\x19U\xec\x8e\xca\x9bb\xa2*\x08U\x05\x00\xf4\xe7\xa1;Z\xe1#\x81'3\xd9\xba\xcf\x85`\xb9\x99b\x87w\x8c\x0b!\x85\xfb\x15\xf2m\x967\x99\xd5\x8d\xa3v?6\xd8\x08y\xda\xca\xd1\x9f\xbf\x1e\x1fj<\xb6\xf7\xc1\x95\xa8\x0bw4\xc4\xc4Q\xd4j\xe1yU\x03\xb9\x8c\xe3ep\xfc\xb2HW^\xc6\xb1\xd2\x82\x9f\x9d\xfb\x92\x924\xab\xf7E5\xcc=2,\x1b\xdf\x91\xb8\xba\xb4m\xcf"
b'$\xf3\x8f \xbbY\xacw\xe5\xd2\x0ea\x18!\xf7%\x82`y][\x95\xf5W8-\xb4\xf0\xa2r$\xcbm\x8f\x15C8C%\xd5Q\x9fw\x8a\xb1\x00Ug\xe1N\x8f%dO\xf0w\xdf6\x1f\x0c\xa6\x15\x02j\xdfS<\xb1=\x81\x95\xfa\xeama\xfb\xda\x01r^\x9b\x8b\xa1\x8d\x11m\xe5\x04\

The reason why `ciphertext1` and `ciphertext2` are different is because we are utilizing PKCS1v15 padding. This technique concatentaes the original message with pseudorandom octet strings, which will be different during each execution of the encryption, even with the same message.

### TASK 1.5.4 Largest accepted message length with RSA PKCSv15

#### TASK

<mark> How long is the longest message that you can encrypt using RSA with PKCS1v15 padding? Try to encrypt messages of increasing length and note down when an error is raised. </mark>

In [15]:
test_string = b'a'

while True:
    try:
        rsapkcs1v15_encryption(public_key, test_string)
    except:
        print("Length of breaking string: ", len(test_string))
        break
    
    test_string += b'a'

Length of breaking string:  246


## 1.6 RSA ENCRYPTION/DECRYPTION WITH OAEP PADDING

### TASKS 1.6.1-1.6.4

#### TASK

<mark>Repeat the previous TASKS (from 1.5.1 to 1.5.4) but use in this case OAEP padding. The suggested name of the functions in this case is <code>rsaoaep_encryption(public_key, message)</code> and <code>rsaoaep_decryption(private_key, ciphertext)</code>. Notice that OAEP padding needs at least the following two parameters: <code>mgf = padding.MGF1(algorithm=utils.hashes.SHA256())</code> and 
<code>algorithm = utils.hashes.SHA256()</code>, using also <code>label = None</code>.</mark>

<mark>You should use for Task 1.6.2 the ciphertext provided in the next cell.</mark>

In [17]:
ciphertext_oaep = b'6\x9b\x14\x13l\xc0\xe1I\x02\x8e\xd3\x1f\x9c\xd9\x813P\xae5' \
                 b'\x99\x9f\xec\xbe\xb3\x89\x95\n\x83\xc88\xc1\xc9,\x99\xf3\xcd=d' \
                 b'\x01\xd0\x12\x80+\xc5\xa8\x94\xec\xa5=\xee\x9b\xa7E\xec,rG\xa6' \
                 b'\xd6\xa8p\xf3\xb9\xddC\xee\xbdB\xb1E\x135\xc5\xdbX\xf7\x87)mN\xb0' \
                 b'\x98d\xc5Q\x97\x1ftZ\x8e\x92\x9fS\xac\xee\x96?\xc5\xb1\x08\x81P' \
                 b'\xe8\xe2\x08d\x98\xaf\xf2\x1a\xba\xea!m\xb9M\x8cX\'\x86\x8a\xcd' \
                 b'\xaco6\xaaJ\xa5v5\xa4\xafG\x9fjQWq\xac\xd22kv1\x91\x8f\xbd\x14\x82' \
                 b'\xe7O/\x12r\xc9\x89f\xcb)\xef\xe5W\xa2\xe8\xca\xf43\xa3\xbe\x07\xd9' \
                 b'\x9eA\xc4\x89W\xda\xe1u\xc2<%.\xad\xf7\xb7\xedf\xfc\x9b\xa9\x04=|}\x92' \
                 b'UO?\xc5\x9141d\x10D\xbe\x1a\xa1\xa9\xa4\x18\xdd\xd7\xafP ~\xacs\xefZK' \
                 b'\x9f\xf8}8\x87\xe9\x9d\'\x13b"\x1c\x88\x89)7qzlq\xd7aX\x0e5\xa3s~\xa3\x84\xee\x0b\xa5'

In [20]:
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding

def rsaoaep_encryption(public_key, message):
    cipher_text = public_key.encrypt(
        message,
        padding.OAEP(
            mgf=padding.MGF1(algorithm=hashes.SHA256()),
            algorithm=hashes.SHA256(),
            label=None
        )
    )
    return cipher_text

def rsaoaep_decryption(private_key, ciphertext):
    plain_text = private_key.decrypt(
        ciphertext,
        padding.OAEP(
            mgf=padding.MGF1(algorithm=hashes.SHA256()),
            algorithm=hashes.SHA256(),
            label=None
        )
    )
    return plain_text

private_key = gen_priv_key()
public_key = gen_pub_key(private_key)

message = b'Hello, this is a test'
ciphertext = rsaoaep_encryption(public_key, message)
plaintext = rsaoaep_decryption(private_key, ciphertext)

assert plaintext == message

pem_private_key = load_pem("lab2_fixed_private_key.pem")
pem_public_key = load_pem("lab2_fixed_public_key.pem")
password = b'password'

# Decrypt from PEM
private_key = serialization.load_pem_private_key(
    pem_private_key,
    password=password,
)
public_key = serialization.load_pem_public_key(
    pem_public_key,
)

# Decrypt cipher text
plaintext_oaep = rsaoaep_decryption(private_key, ciphertext_oaep)

print(plaintext_oaep)

message = b'Test message'

ciphertext1 = rsaoaep_encryption(public_key, message)
ciphertext2 = rsaoaep_encryption(public_key, message)

print(ciphertext1)
print(ciphertext2)
print(ciphertext1 == ciphertext2)

test_string = b'a'

while True:
    try:
        rsaoaep_encryption(public_key, test_string)
    except:
        print("Length of breaking string: ", len(test_string))
        break
    
    test_string += b'a'

b'I personally think we developed language because of our deep need to complain'
b"\xaf\xb4\x19m\x04\x0c\xab\xb3ku\x88k\xbcNp\x012n\xc7\xe8S\x94J\x953\x1a\x00LJ\xd9\x8c'i^\x86z\x82j\xa4\xc8\xcbW\\\xaa\xea\xf4}\xb5\x18\x04\xdd\xfcoq\xe9\xa7 \xeb0N>\xf2\xb1\xae\xe2h\x1c(\xdc\xceL\x0fY^\xc6N\xbc\x13\xcf\xae$\xf0\xfe\xb0\xfc\xd1\xbe\x8b\x04\x17Q\x0b\x80j \xaa3\x1a\x0f\xaa\xc8x\xe3P\x86\x0c\x17r\x98\xe7T-\xd0\x06c\x0c\x16\x91\xd4\x15\xe1E'\x87=\x9b\xbf@\xad\x1d\xd62Q\xd0\x96mo\x1a\xf3\x02\x1e\xcc\xca\x807g\xb5\xaf\x12\xa7\x83\xb1\xec\xe0\x1a\xb6\x00\xbe\xc7\xd1[\x99\xd2[\x7fp\xdc\xa3\x8c!,y\x85\x1e\xed+Ws\x1d\x9b_\x1f\x8a\xb6\x0b7\xd6|[f\xc3\x84\xe3\xb3Xh\xb3\x91\x0e2[\xbfX\xb5<\x0e\xe2\xc9\xf2\xe5\xe6\xf6\x862I\x8dh\x03C\xd5\x9f\xd0\xbd\x10W\xcf#\x9d\x94%\x8bB21-\xde&\x13\xcc)\x8d,z\xc8\xa1\x7f\xae\xc0(\x97\xd0\r\xce\xd1\xb0#"
b"s\rc\xb1\x10\x96\x1et\xd3\x9fx\x87U7\xbbJS\xd8\xe4\xb9j\xc3\xb2Oc\xf3j\xa3\x92\xdc#4\xae\x0f\xaa@\xdb:o\x94\xbbf\x99\x87\xf4\x87\x1e\xb8\xa1\xfb#'\x08N\xac\x90\x9a

#### QUESTION

<mark>Which is the recommended RSA padding scheme? Why?</mark>

OAEP is recomemnded over PKCSv15 because PKCSv15 is considered vulnerable to several types of cryptographic attacks which can allow an attacker to decrypt the ciphertext without having the private key.

# 2. Key Wrapping

Now you’ll focus on Key Wrapping. Key wrapping is the process of encrypting a symmetric key, key_to_wrap, using another symmetric key, wrapping_key, in order to securely store the first one or transmit it over an untrusted channel.

The library cryptography offers a specific class to wrap and unwrap symmetric keys using AES with and without padding.

Read documentation at:

https://cryptography.io/en/latest/hazmat/primitives/keywrap/

### TASK 2.1 Wrapping/Unwrapping symmetric keys

#### TASK

<mark>In this task you are requested to wrap and unwrap the symmetric key <code>key_to_wrap</code> using given symmetric key <code>wrapping_key</code>. Using the given values for the wrapping key and the key to wrap, check that you obtain the same key when you unwrap it as shown in the following cell.<mark>

In [21]:
wrapping_key = b"000102030405060708090A0B0C0D0E0F"
key_to_wrap = b"00112233445566778899AABBCCDDEEFF"

In [23]:
from cryptography.hazmat.primitives.keywrap import aes_key_wrap, aes_key_unwrap

wrapped_key = aes_key_wrap(wrapping_key, key_to_wrap)
unwrapped_key = aes_key_unwrap(wrapping_key, wrapped_key)

assert key_to_wrap == unwrapped_key

print("wrapped_key = ", wrapped_key)
print("unwrapped_key = ", unwrapped_key)


wrapped_key =  b'\xf4z\xe5PY\x0e\xfas,?\xd75yj)\x0e\xb4\xb5\x8d\xdd\xaa/z\xde>\xe6 \xfc\xefh\x19\x90\xd1C\xb6fV\xa5\x81\x86'
unwrapped_key =  b'00112233445566778899AABBCCDDEEFF'


#### CHECK

You should obtain the following result.

<code>wrapped_key =  b'\xf4z\xe5PY\x0e\xfas,?\xd75yj)\x0e\xb4\xb5\x8d\xdd\xaa/z\xde>\xe6 \xfc\xefh\x19\x90\xd1C\xb6fV\xa5\x81\x86'</code>

<code>unwrapped_key =  b'00112233445566778899AABBCCDDEEFF'</code>

# 3. Hybrid Encryption

Now you will implement hybrid encryption combining AES256-CTR (CTR operation mode) with RSA-OAEP. Review the concept in the lecture slides.

## TASK 3.1 Hybrid encryption/decryption with RSA OAEP and AES 256 CTR

#### TASK

<mark>Complete the code of the following two functions: </mark>
- <mark><code>hybrid_encryption_rsaoaep_aes256_ctr(public_key, message)</code>, which returns three results: <code>encrypted_symmetric_key</code>, <code>nonce</code>, <code>encrypted_message</code> </mark>
- <mark><code>hybrid_decryption_rsaoaep_aes256_ctr(private_key, encrypted_symmetric_key, nonce, encrypted_message)</code>, which returns the result of the decryption: <code>plaintext</code> </mark>

<mark>Note that you need the functions <code>aes256_ctr_encrypt</code> and <code>aes256_ctr_decrypt</code> coded in previous Lab 1.</mark>

In [28]:
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
import os

def aes256_ctr_encrypt(data_to_encrypt, key, nonce = None):
    if not nonce:
        nonce = os.urandom(16)

    cipher = Cipher(algorithms.AES(key), modes.CTR(nonce))

    encryptor = cipher.encryptor()
    ct = encryptor.update(data_to_encrypt) + encryptor.finalize()
    
    return ct, nonce 


def aes256_ctr_decrypt(encrypted_data, key, nonce):
    cipher = Cipher(algorithms.AES(key), modes.CTR(nonce))
    decryptor = cipher.decryptor()
    padded_pt = decryptor.update(encrypted_data) + decryptor.finalize()
    
    return padded_pt



def hybrid_encryption_rsaoaep_aes256_ctr(public_key, message, nonce = None):
    # Generate a random symmetric key
    symmetric_key = os.urandom(32)

    # Encrypt the symmetric key using RSA OAEP
    encrypted_symmetric_key = public_key.encrypt(
        symmetric_key,
        padding.OAEP(
            mgf=padding.MGF1(algorithm=hashes.SHA256()),
            algorithm=hashes.SHA256(),
            label=None
        )
    )

    # Encrypt the message using AES 256 CTR
    encrypted_message, nonce = aes256_ctr_encrypt(message, symmetric_key, nonce)

    return encrypted_symmetric_key, nonce, encrypted_message

def hybrid_decryption_rsaoaep_aes256_ctr(private_key, encrypted_symmetric_key, nonce, encrypted_message):
    # Decrypt the symmetric key using RSA OAEP
    symmetric_key = private_key.decrypt(
        encrypted_symmetric_key,
        padding.OAEP(
            mgf=padding.MGF1(algorithm=hashes.SHA256()),
            algorithm=hashes.SHA256(),
            label=None
        )
    )

    # Decrypt the message using AES 256 CTR
    plaintext = aes256_ctr_decrypt(encrypted_message, symmetric_key, nonce)

    return plaintext

<mark>After you have coded the functions, use them as shown in the next cell. Print all variables and check that the plaintext you obtain is equal to the message.</mark>

In [26]:
# A encrypts a message for B, by computing C_K, NONCE, C_M and sends these values to B 

B_private_key = gen_priv_key()
B_public_key = gen_pub_key(B_private_key)
message = b'this is a cool lab'

C_K, NONCE, C_M = hybrid_encryption_rsaoaep_aes256_ctr(B_public_key, message)

print("C_K: ", C_K)
print("NONCE: ", NONCE),
print("C_M: ", C_M)

# B receives C_K, NONCE, C_M and decrypts the message 

plaintext = hybrid_decryption_rsaoaep_aes256_ctr(B_private_key, C_K, NONCE, C_M)
print("plaintext: ", plaintext)

assert plaintext == message

C_K:  b'\x89\xb26\xcd\xcb9\x0f\xad\xeb\xdc\xe2\xc8j8(k..~\r\xa1-\xc1c\xd4\xd5}x\x80`\x82\xbe[RM\r\x90\xb3w\xb6\xa3\x87h\xf8\x05\xa9\xc27V\x10\x9d[\x9do\x00\xb16)T\x8a\xc5\xfd(\xee\xb7*?\xfa\xe5\xcc\x15f\xc9\xd6\xb7.\xa6\'\x86\xbbi\x00\xd1\x1b<\xd6\xb4*}\xf6\x03\xccuH\xfa\x9f\x93\xd0\x84\x08Q\x88\x13\xbeLU&\x10\xb1\xb5\xd3\xa9V[\xdf\x88\x013%\xc9\xc5\xd9\xb9{\x98\xaf\xbe\x06\xa4=>\x8e\xfaj\xc8\xe7\xe4A\xe3:\xb1R\x82R\x915\x07f\x90\xc0\x9bt\x92\x156~\xf5f3S=\x0fW~\xf8II\x01\xf8\tx\xb6\x95\xf4\xe2Sh\xc7P+Ot\xa5\xb3\x08@\xcbo\x02\x1a\xe6\xf71\xe9l\tC\xc6\x905\x12U\x810U8\x16N\x8b\x90\x98\xb2\xf7+\x1b7\xbc/\xdf\x87\xcc\xd54q\x15V\x8a=\'\xc6\xa3\xe2\x88z\x8b\xfc\xad\xe2\x8c\xe6O9\xc8,\x97\x1c\xaa\x9e\xc7b"f\xbd\x87\x86\x15'
NONCE:  b'<\xe2L}{\xe0\x87\xf0\x87\x82s\x00Nd\xfe?'
C_M:  b'\x1b\x93\x13\x08e\xf9\xba\xd9b\x8f\xc7N\x88!\xa2\x80\x1f\xe7'
plaintext:  b'this is a cool lab'


### TASK 3.2 Decrypt a given ciphertext with hybrid encryption

#### TASK 

<mark>Using the RSA key pair provided in the lab’s material folder, decrypt the ciphertext given in the next cell and which has been encrypted using the functions specified in Task 3.1.</mark>

In [27]:
C_K = b"5\xed.\xa6w\xb3\x9cyOT8p\xbc\xe8\x0b\xf1\xca1J\xd2|p\x95f'\x90@" \
          b"\x05\xd1A\xb1\x9fz\x0e\xb4\xd4JOK\xe0\x16\x92H\xed\xaeBYA\xfenD" \
          b"\xbf\x82\x83\x07\x99N\x89\x82\xc84\xeaV\xca\xb1\x9e\x1a ]\xbe\xd6" \
          b"\xfc\xce'Q\xfd\x14\x87J\x01,B\xf2\xd2\x01(\xa3\xda\xf1\x9cV\x95}" \
          b"\xec<o\xb3\xe57(J\xb4\xb8\x1d\x1d\xa0+S\xe0\xbb\x8fJ\x07~f\x91\xe57" \
          b"\xb0\xe1\xaa[\x89\xf6\x0b\x7f\x121\xc3\x92\xd6\x02\xbeM<\xda\x8dR6" \
          b"\xa9\xb4C\xa2m\xbdZiAc\xd6\xe6z5\t\xe3C$j$\x8a\xf7\xd5\t\x87\xc4\xa9" \
          b"w\x02\xa7#\xff\xbak\xcd&\x17\x15\xcd%~\xe7h`J[\x95\x81\xb5\xdd:)+\xe5" \
          b"dYY\xb3\xdaF\x9bz\xe8\xf5Y?Ok\xd8\xe5\xecw\x9f\x80H;\x02l]\xdb_\xfe\x83" \
          b"<\xcf\xf4\xd2/\xcf)\x0c\xf9k7\xf4\xbb?l\xb1\xaa\x07\xd1f\x9f'\x96\xcc" \
          b"\xc9i\xdb\x83XQ\x8e\xc7U\x8d"

b64_C_K = b'Ne0upneznHlPVDhwvOgL8coxStJ8cJVmJ5BABdFBsZ96DrTUSk9L4BaSSO2u' \
              b'QllB/m5Ev4KDB5lOiYLINOpWyrGeGiBdvtb8zidR/RSHSgEsQvLSASij2vGcVp' \
              b'V97Dxvs+U3KEq0uB0doCtT4LuPSgd+ZpHlN7DhqluJ9gt/EjHDktYCvk082o1SN' \
              b'qm0Q6JtvVppQWPW5no1CeNDJGokivfVCYfEqXcCpyP/umvNJhcVzSV+52hgSluVg' \
              b'bXdOikr5WRZWbPaRpt66PVZP09r2OXsd5+ASDsCbF3bX/6DPM/00i/PKQz5azf0uz9' \
              b'ssaoH0WafJ5bMyWnbg1hRjsdVjQ=='

NONCE = b'\x01\xd5\xef00rB\x13e\xd6\x1e84\n\xbc\xe3'

b64_NONCE = b'AdXvMDByQhNl1h44NAq84w=='

C_M = b'\x18\xe6\x0c\x98&\x83\xef\x85J\x12zsJ\xb2\x87\x84\r\xa68\xb9\xcf\x90' \
          b'\x10~\x84|\x9f>\xfd%LGk\x8a\xe7\xeb\xa8\xaaK\x0c\x8dc\xa8\xc2\xb3d\x90' \
          b'\x8f\xa1u\x8e\xcc_h'

b64_C_M = b'GOYMmCaD74VKEnpzSrKHhA2mOLnPkBB+hHyfPv0lTEdriufrqKpLDI1jqMKzZJCPoXWOzF9o'



In [29]:
pem_private_key = load_pem("lab2_fixed_private_key.pem")
pem_public_key = load_pem("lab2_fixed_public_key.pem")
password = b'password'

# Decrypt from PEM
private_key = serialization.load_pem_private_key(
    pem_private_key,
    password=password,
)
public_key = serialization.load_pem_public_key(
    pem_public_key,
)

plaintext = hybrid_decryption_rsaoaep_aes256_ctr(private_key, C_K, NONCE, C_M)

print(plaintext)

b'YOU ARE GETTING THROUGH THIS LAB AS A TRUE NINJA CODER'


# 4. Diffie-Hellman Key Exchange

Now you’ll code a (non-authenticated) Diffie-Hellman key exchange.
Read documentation at:

https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dh/#diffie-hellman-key-exchange

Notice that there are three main steps: 
- Generate a parameters object using in this case <code>GENERATOR=2</code> and <code>KEY_SIZE=2048</code> (already given in Section 0). This object must be known by both entities participating in the key exchange.
- Each entity generates his/her private share (called here private key).
- From the private share, the public share can be computed using function <code>my_public_share = my_private_key.public_key()</code>. This is the value that is sent to the other entity through the insecure channel.
- Then each party can compute the shared key using function <code>my_private_key.exchange(the_public_share_of_the_other_party)</code>

### TASK 4.1 (Local) Diffie-Hellman key exchange

#### TASK 

<mark> Write code where two entities compute their Diffie-Hellman private and public shares (using the generator and key size stated above) and then both compute the shared key (assuming that public shares have been exchanged somehow). Check that both parties compute the same the same shared key. </mark>

<mark> Note: The Diffie-Hellman method takes several minutes to finish its execution.</mark> 

In [31]:
from cryptography.hazmat.primitives.asymmetric import dh
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

parameters = dh.generate_parameters(generator=2, key_size=2048)

# Entity 1
private_key1 = parameters.generate_private_key()
public_key1 = private_key1.public_key()

# Entity 2
private_key2 = parameters.generate_private_key()
public_key2 = private_key2.public_key()

# Exchange and generate shared key
shared_key1 = private_key1.exchange(public_key2)
shared_key2 = private_key2.exchange(public_key1)

# Derive a symmetric key from the shared key
derived_key1 = HKDF(
    algorithm=hashes.SHA256(),
    length=32,
    salt=None,
    info=b'handshake data',
).derive(shared_key1)

derived_key2 = HKDF(
    algorithm=hashes.SHA256(),
    length=32,
    salt=None,
    info=b'handshake data',
).derive(shared_key2)

# Check if both parties compute the same shared key
assert derived_key1 == derived_key2


### TASK 4.2 Diffie-Hellman key exchange with a peer

#### TASK 

<mark>Try to execute the Diffie-Hellman key exchange with one of your peers. Do you compute the same shared key?</mark>

In [None]:
# YOUR CODE HERE