# Hashing, HMAC and HKDF
In this workbook we will use the cryptography library and which integrates the Hazmat primitives. The lab examples use Python 3.7, and cover the concepts of hashing, HMAC and HKDF. This test.

## 1 Hashing
Within hashing methods, we take data in the form of a byte array, and then create a fixed length hash value. For MD5, the length of the hash is 128 bits, for SHA-1 it is 160 bits, and for SHA-256, it is 256 bits. 

<img src='graphics/hash01.png' width="800px">

These hashes include MD5, SHA-1 and SHA-256. With MD5 we get a 128-bit output, and which is 32 hex characters. SHA-1 has an output of 160 bits, and SHA-256 has an output of 256 bits. MD5 should not be used in production environments as the method has weaknesses, along with the output hash begin too short. SHA-1, too, has been shown to have weaknesses, and thus we should use SHA-2 methods. These include SHA224, SHA-256, SHA-384 and SHA-512. A newer standard is known as SHA-3.  

### 1 MD5 and SHA-1
In the following we will use the hashing methods supported by the Hazmat primitive. You can change the input string by modifying Line 6, and replacing the string:

In [5]:
from cryptography.hazmat.primitives import hashes
import binascii
import sys
from cryptography.hazmat.backends import default_backend

st = "Hello"

try:
    data=st.encode() # Convert to a byte array

    digest = hashes.Hash(hashes.MD5(),backend=default_backend())
    digest.update(data)
    res=digest.finalize()
    hexval=binascii.b2a_hex(res).decode() # hex format
    b64val=binascii.b2a_base64(res).decode() # Base64 format


    print ("Data: ",st)
    print (" Hex: ",binascii.b2a_hex(data).decode())
    print (f"MD5: {hexval} {b64val}")

except Exception as e:
    print(e)

Data:  Hello
 Hex:  48656c6c6f
MD5: 8b1a9953c4611296a827abf8c47804d7 ixqZU8RhEpaoJ6v4xHgE1w==



#### 1.1 Question

Can you determine the hash value for "Hello"?

#### 1.2 Question

Now modify Line 11 in the program below to give SHA1() and also SHA256(). What are the values (list the first two hex characters)?

In [6]:
from cryptography.hazmat.primitives import hashes
import binascii
import sys
from cryptography.hazmat.backends import default_backend

st = "hello"

try:
    data=st.encode()

    digest = hashes.Hash(hashes.SHA1(),backend=default_backend())
    digest.update(data)
    res=digest.finalize()
    hexval=binascii.b2a_hex(res).decode()
    b64val=binascii.b2a_base64(res).decode()


    print ("Data: ",st)
    print (" Hex: ",binascii.b2a_hex(data).decode())
    print (f"MD5: {hexval} {b64val}")

except Exception as e:
    print(e)

Data:  hello
 Hex:  68656c6c6f
MD5: aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d qvTGHdzF6KLavt4PO0gs2a6pQ00=



In the following we integrate a wide range of hashes for both hex and Base64 hashes:

In [1]:
from cryptography.hazmat.primitives import hashes
import binascii
import sys
from cryptography.hazmat.backends import default_backend

st = "hello"
hex=False
showhex="No"

def show_hash(name,type,data):
  digest = hashes.Hash(type,backend=default_backend())
  digest.update(data)
  res=digest.finalize()
  hex=binascii.b2a_hex(res).decode()
  b64=binascii.b2a_base64(res).decode()
  print (f"{name}: {hex} {b64}")

if (showhex=="yes"): hex=True

try:
	if (hex==True): data = binascii.a2b_hex(st)
	else: data=st.encode()


	print ("Data: ",st)
	print (" Hex: ",binascii.b2a_hex(data).decode())
	print()

	show_hash("Blake2p (64 bytes)",hashes.BLAKE2b(64),data)
	show_hash("Blake2s (32 bytes)",hashes.BLAKE2s(32),data)
	show_hash("MD5",hashes.MD5(),data)
	show_hash("SHA1",hashes.SHA1(),data)	
	show_hash("SHA224",hashes.SHA224(),data)
	show_hash("SHA256",hashes.SHA256(),data)
	show_hash("SHA384",hashes.SHA384(),data)
	show_hash("SHA3_224",hashes.SHA3_224(),data)
	show_hash("SHA3_256",hashes.SHA3_256(),data)
	show_hash("SHA3_384",hashes.SHA3_384(),data)
	show_hash("SHA3_512",hashes.SHA3_512(),data)
	show_hash("SHA512",hashes.SHA512(),data)
	show_hash("SHA512_224",hashes.SHA512_224(),data)
	show_hash("SHA512_256",hashes.SHA512_256(),data)
	show_hash("SHAKE128 (64 bytes)",hashes.SHAKE128(64),data)
	show_hash("SHAKE256 (64 bytes)",hashes.SHAKE256(64),data)

except Exception as e:
    print(e)

Data:  hello
 Hex:  68656c6c6f

Blake2p (64 bytes): e4cfa39a3d37be31c59609e807970799caa68a19bfaa15135f165085e01d41a65ba1e1b146aeb6bd0092b49eac214c103ccfa3a365954bbbe52f74a2b3620c94 5M+jmj03vjHFlgnoB5cHmcqmihm/qhUTXxZQheAdQaZboeGxRq62vQCStJ6sIUwQPM+jo2WVS7vlL3Sis2IMlA==

Blake2s (32 bytes): 19213bacc58dee6dbde3ceb9a47cbb330b3d86f8cca8997eb00be456f140ca25 GSE7rMWN7m294865pHy7Mws9hvjMqJl+sAvkVvFAyiU=

MD5: 5d41402abc4b2a76b9719d911017c592 XUFAKrxLKna5cZ2REBfFkg==

SHA1: aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d qvTGHdzF6KLavt4PO0gs2a6pQ00=

SHA224: ea09ae9cc6768c50fcee903ed054556e5bfc8347907f12598aa24193 6gmunMZ2jFD87pA+0FRVblv8g0eQfxJZiqJBkw==

SHA256: 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=

SHA384: 59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f WeF0h3dEjGnea4ANejO7+5/xtGPkQ1TDVTvNucZm+pASWjx5+QOXvfX2oT3oKGhP

SHA3_224: b87f88c72702fff1748e58b87e9141a42c0dbedc29a78cb0d4

#### 1.3 Question

In this case the input data is "00". Can you run the program again, and this time use the data input of "The quick brown fox jumps over the lazy dog". Prove that:

* MD5 hash value is "9e107d9d372bb6826bd81d3542a419d6"
* SHA-1 hash value is "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12"
* SHA-256 hash value is "d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592"

#### 1.4 Question 

How many hex characters does MD5, SHA-1 and SHA-256, and how would you determine number of characters used?

## 2 HMAC (Hash-based Message Authentication Code)
HMAC (hash-based message authentication code) supports the usage of a key to hash data. This key is kept secret between Bob and Alice, and can be used to authentication both the data and that the sender still knows the secret. Overall HMAC can be used with a range of different hashing methods, such as MD5, SHA-1, SHA-256 (SHA-2) and SHA-3. 

<img src='graphics/hmac.png' width="800px">

In this following, we implement HMAC with the MD5 hashing method:

In [1]:
from cryptography.hazmat.primitives import hashes, hmac
import binascii
import sys
from cryptography.hazmat.backends import default_backend

st = "The quick brown fox jumps over the lazy dog"

k="key"
data=st.encode()  # convert to byte array
key=k.encode()    # convert to byte array

print ("Data: ",st)
print (" Hex: ",binascii.b2a_hex(data).decode())
print ("Key: ",key)
print (" Hex: ",binascii.b2a_hex(key).decode())
print()
try:
    digest = hmac.HMAC(key, hashes.MD5(),backend=default_backend())
    digest.update(data)
    res=digest.finalize()
    hexval=binascii.b2a_hex(res).decode()
    b64=binascii.b2a_base64(res).decode()
    print (f"HMAC-MD5: {hexval} {b64}")

except Exception as e:
    print(e)

Data:  The quick brown fox jumps over the lazy dog
 Hex:  54686520717569636b2062726f776e20666f78206a756d7073206f76657220746865206c617a7920646f67
Key:  b'key'
 Hex:  6b6579

HMAC-MD5: 80070713463e7749b90c2dc24911e275 gAcHE0Y+d0m5DC3CSRHidQ==



#### 2.1 Question
By modifying Line 18,  determine the first two hex characters for a message of "qwerty123" for the following methods:
    
* HMAC-MD5: 
* HMAC-SHA1: 
* HMAC-SHA224: 
* HMAC-SHA256: 
* HMAC-SHA512: 

The following outlines the main HMAC methods that can be implemented within the cryptography library. You can either enter as a hexademical string or an ASCII string, and the output is displayed in a hexademical and a Base-64 format.

In [27]:
from cryptography.hazmat.primitives import hashes, hmac
import binascii
import sys
from cryptography.hazmat.backends import default_backend

st = "The quick brown fox jumps over the lazy dog"
hex=False
showhex="No"
k="key"

def show_hmac(name,type,data,key):
  digest = hmac.HMAC(key, type,backend=default_backend())
  digest.update(data)
  res=digest.finalize()
  hex=binascii.b2a_hex(res).decode()
  b64=binascii.b2a_base64(res).decode()
  print (f"HMAC-{name}: {hex} {b64}")

if (showhex=="yes"): hex=True


try:
	if (hex==True): data = binascii.a2b_hex(st)
	else: data=st.encode()

	if (hex==True): key = binascii.a2b_hex(k)
	else: key=k.encode()

	print ("Data: ",st)
	print (" Hex: ",binascii.b2a_hex(data).decode())
	print ("Key: ",k)
	print (" Hex: ",binascii.b2a_hex(key).decode())
	print()

	show_hmac("Blake2p (64 bytes)",hashes.BLAKE2b(64),data,key)
	show_hmac("Blake2s (32 bytes)",hashes.BLAKE2s(32),data,key)
	show_hmac("MD5",hashes.MD5(),data,key)
	show_hmac("SHA1",hashes.SHA1(),data,key)	
	show_hmac("SHA224",hashes.SHA224(),data,key)
	show_hmac("SHA256",hashes.SHA256(),data,key)
	show_hmac("SHA384",hashes.SHA384(),data,key)
	show_hmac("SHA3_224",hashes.SHA3_224(),data,key)
	show_hmac("SHA3_256",hashes.SHA3_256(),data,key)
	show_hmac("SHA3_384",hashes.SHA3_384(),data,key)
	show_hmac("SHA3_512",hashes.SHA3_512(),data,key)
	show_hmac("SHA512",hashes.SHA512(),data,key)
	show_hmac("SHA512_224",hashes.SHA512_224(),data,key)
	show_hmac("SHA512_256",hashes.SHA512_256(),data,key)


except Exception as e:
    print(e)

Data:  The quick brown fox jumps over the lazy dog
 Hex:  54686520717569636b2062726f776e20666f78206a756d7073206f76657220746865206c617a7920646f67
Key:  key
 Hex:  6b6579

HMAC-Blake2p (64 bytes): 92294f92c0dfb9b00ec9ae8bd94d7e7d8a036b885a499f149dfe2fd2199394aaaf6b8894a1730cccb2cd050f9bcf5062a38b51b0dab33207f8ef35ae2c9df51b kilPksDfubAOya6L2U1+fYoDa4haSZ8Unf4v0hmTlKqva4iUoXMMzLLNBQ+bz1Bio4tRsNqzMgf47zWuLJ31Gw==

HMAC-Blake2s (32 bytes): f93215bb90d4af4c3061cd932fb169fb8bb8a91d0b4022baea1271e1323cd9a0 +TIVu5DUr0wwYc2TL7Fp+4u4qR0LQCK66hJx4TI82aA=

HMAC-MD5: 80070713463e7749b90c2dc24911e275 gAcHE0Y+d0m5DC3CSRHidQ==

HMAC-SHA1: de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9 3nybhbi3iqa8ino29wqQcBydtNk=

HMAC-SHA224: 88ff8b54675d39b8f72322e65ff945c52d96379988ada25639747e69 iP+LVGddObj3IyLmX/lFxS2WN5mIraJWOXR+aQ==

HMAC-SHA256: f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8 97yD9DBThCSxMpjmqm+xQ+9NWaFJRhdZl0edvC0aPNg=

HMAC-SHA384: d7f4727e2c0b39ae0f1e40cc96f60242d5b7801841cea6fc59

#### 2.2 Question
Outline the first two hex characters for a message of "hello123" and a key of "qwerty":
    
* HMAC-MD5: 
* HMAC-SHA1: 
* HMAC-SHA224: 
* HMAC-SHA256: 
* HMAC-SHA512:  

In [None]:
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

from cryptography.hazmat.backends import default_backend


import binascii
import sys

st = "test"
hex=False
showhex="No"
k="00"
length=16
slt=""


try:


    data=st.encode()
    salt=slt.encode()

    print ("Key: ",st)
    print (" Hex: ",binascii.b2a_hex(data).decode())
    print ("Salt: ",slt)
    print (" Hex: ",binascii.b2a_hex(salt).decode())

    print()
    
    hkdf = HKDF(algorithm=hashes.SHA256(), length=length,salt=salt, info=b"",backend=default_backend())
    mykey=hkdf.derive(data)
    hexval=binascii.b2a_hex(mykey).decode()
    b64=binascii.b2a_base64(mykey).decode()
    print (f"HKDF-SHA256: {hexval} {b64}")

except Exception as e:
    print(e)

#### 3.1 Question
Can you modify the program above so that it generates a 256-bit key?

#### 3.2 Question
Can you modify the program to integrate a 256-bit key and using SHA-512?

#### 3.3 Question
Can you add a salt value of "abc", with a 256-bit key and using SHA-256? What are the first two hex characters of the key?


### Scrypt, PBKDF
In this case we will use a range of hashing methods, and derive a key of a given size. While HKDF is a fast method, we can use a slower hashing method such as Scrypt to PBKDF2. These slower methods can defeat GPU cracking, and will be more robust against dictionary cracking. For the following, we will generate keys for a range of hashing methods:

In [28]:
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.kdf.scrypt import Scrypt
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
from cryptography.hazmat.primitives.kdf.concatkdf import ConcatKDFHash,ConcatKDFHMAC
from cryptography.hazmat.primitives.kdf.x963kdf import X963KDF
from cryptography.hazmat.backends import default_backend


import binascii
import sys

st = "test"
hex=False
showhex="No"
k="00"
length=16
slt=""

def show_hash(name,type,data,length,salt):

  hkdf = HKDF(algorithm=type, length=length,salt=salt, info=b"",backend=default_backend())
  mykey=hkdf.derive(data)
  hex=binascii.b2a_hex(mykey).decode()
  b64=binascii.b2a_base64(mykey).decode()
  print (f"HKDF {name}: {hex} {b64}")

def show_hash_pbkdf2(name,type,data,length,salt):

  hkdf = PBKDF2HMAC(algorithm=type, length=length,salt=salt, iterations=1000,backend=default_backend())
  mykey=hkdf.derive(data)
  hex=binascii.b2a_hex(mykey).decode()
  b64=binascii.b2a_base64(mykey).decode()
  print (f"HKDF {name}: {hex} {b64}")

def show_hash_scrypt(name,data,length,salt):

  hkdf = Scrypt(length=length,salt=salt,n=2**14,r=8, p=1,backend=default_backend())
  mykey=hkdf.derive(data)
  hex=binascii.b2a_hex(mykey).decode()
  b64=binascii.b2a_base64(mykey).decode()
  print (f"HKDF {name}: {hex} {b64}")

def show_hash_concat(name,type,data,length,salt):

  hkdf = ConcatKDFHash(algorithm=type, length=length,otherinfo=b"",backend=default_backend())
  mykey=hkdf.derive(data)
  hex=binascii.b2a_hex(mykey).decode()
  b64=binascii.b2a_base64(mykey).decode()
  print (f"HKDF {name}: {hex} {b64}")


if (showhex=="yes"): hex=True



try:
	if (hex==True): data = binascii.a2b_hex(st)
	else: data=st.encode()
	if (hex==True): salt = binascii.a2b_hex(slt)
	else: salt=slt.encode()


	print ("Key: ",st)
	print (" Hex: ",binascii.b2a_hex(data).decode())

	print ("Salt: ",slt)
	print (" Hex: ",binascii.b2a_hex(salt).decode())

	print()


	show_hash("Blake2p (64 bytes)",hashes.BLAKE2b(64),data,length,salt)
	show_hash("Blake2s (32 bytes)",hashes.BLAKE2s(32),data,length,salt)
	show_hash("MD5",hashes.MD5(),data,length,salt)
	show_hash("SHA1",hashes.SHA1(),data,length,salt)	
	show_hash("SHA224",hashes.SHA224(),data,length,salt)
	show_hash("SHA256",hashes.SHA256(),data,length,salt)
	show_hash("SHA384",hashes.SHA384(),data,length,salt)
	show_hash("SHA3_224",hashes.SHA3_224(),data,length,salt)
	show_hash("SHA3_256",hashes.SHA3_256(),data,length,salt)
	show_hash("SHA3_384",hashes.SHA3_384(),data,length,salt)
	show_hash("SHA3_512",hashes.SHA3_512(),data,length,salt)
	show_hash("SHA512",hashes.SHA512(),data,length,salt)
	show_hash("SHA512_224",hashes.SHA512_224(),data,length,salt)
	show_hash("SHA512_256",hashes.SHA512_256(),data,length,salt)
	show_hash_pbkdf2("PBKDF2",hashes.SHA256(),data,length,salt)
	show_hash_scrypt("Scrypt SHA256",data,length,salt)
	show_hash_concat("Concat SHA256",hashes.SHA256(),data,length,salt)

except Exception as e:
    print(e)

Key:  test
 Hex:  74657374
Salt:  
 Hex:  

HKDF Blake2p (64 bytes): 8f372bc847c2940843f8086d4dbf5acf jzcryEfClAhD+AhtTb9azw==

HKDF Blake2s (32 bytes): 5bca0d548d6e85aafc2fbbec5a8093f5 W8oNVI1uhar8L7vsWoCT9Q==

HKDF MD5: c86c155b5dc28eddb37a95205a58662e yGwVW13Cjt2zepUgWlhmLg==

HKDF SHA1: a1dd66f74543371850b7a82d91530c7d od1m90VDNxhQt6gtkVMMfQ==

HKDF SHA224: 9b9dada7f6c2b48040ac2fa9677b1a27 m52tp/bCtIBArC+pZ3saJw==

HKDF SHA256: 578aa064bafda09ccd91c44698ae2537 V4qgZLr9oJzNkcRGmK4lNw==

HKDF SHA384: c5ef81301332c2adccdc102e5679de43 xe+BMBMywq3M3BAuVnneQw==

HKDF SHA3_224: ce525a89491a2de63946afcb681f35fe zlJaiUkaLeY5Rq/LaB81/g==

HKDF SHA3_256: dbca097bd653c24d7dcd35cf25e2de27 28oJe9ZTwk19zTXPJeLeJw==

HKDF SHA3_384: fa44e24b8e3e3de669ac7d6a5fc39161 +kTiS44+PeZprH1qX8ORYQ==

HKDF SHA3_512: ac0d3f9cc5bc50948f3ae4962968b6c6 rA0/nMW8UJSPOuSWKWi2xg==

HKDF SHA512: 818e212ef59c12d7102669739686d23a gY4hLvWcEtcQJmlzlobSOg==

HKDF SHA512_224: 647a9fb1447253c51200b3b404ed92a3 ZHqfsURyU8USALO

#### 3.4 Question
For a key of "hello", what is the first two characters for the following methods:

* HKDF SHA512_256
* HKDF PBKDF2
* HKDF Scrypt SHA256

#### 3.5 Question
For a key of "hello" and a salt value of "xyz123", what is the first two characters for the following methods:

* HKDF SHA512_256
* HKDF PBKDF2
* HKDF Scrypt SHA256