# Cryptographic Services
## hashlib — Secure hashes and message digests
### Hash algorithms

In [1]:
import hashlib
from hashlib import blake2b, blake2s
import hmac
import os
import string
import random

In [18]:
m = hashlib.sha256()

In [19]:
m.update(b"Nobody inspects")
m.update(b" the spammish repetition")

In [20]:
m.digest()

b'\x03\x1e\xdd}Ae\x15\x93\xc5\xfe\\\x00o\xa5u+7\xfd\xdf\xf7\xbcN\x84:\xa6\xaf\x0c\x95\x0fK\x94\x06'

In [21]:
m.digest_size

32

In [22]:
m.block_size

64

In [23]:
hashlib.sha224(b"Nobody inspects the spammish repetition").hexdigest()

'a4337bc45a8fc544c03f52dc550cd6e1e87021bc896588bd79e901e2'

hashlib.**new**(name[, data])

In [26]:
h = hashlib.new('ripemd160')
h.update(b"Nobody inspects the spammish repetition")
h.hexdigest()

'cc4a5ce1b3df48aec5d22d1f16b894a0b894eccc'

hashlib.**algorithms_guaranteed**

In [27]:
hashlib.algorithms_guaranteed

{'blake2b',
 'blake2s',
 'md5',
 'sha1',
 'sha224',
 'sha256',
 'sha384',
 'sha3_224',
 'sha3_256',
 'sha3_384',
 'sha3_512',
 'sha512',
 'shake_128',
 'shake_256'}

hashlib.**algorithms_available**

In [29]:
hashlib.algorithms_available

{'blake2b',
 'blake2s',
 'md4',
 'md5',
 'md5-sha1',
 'mdc2',
 'ripemd160',
 'sha1',
 'sha224',
 'sha256',
 'sha384',
 'sha3_224',
 'sha3_256',
 'sha3_384',
 'sha3_512',
 'sha512',
 'sha512_224',
 'sha512_256',
 'shake_128',
 'shake_256',
 'sm3',
 'whirlpool'}

hash.**digest_size**

In [30]:
hashlib.sha256().digest_size

32

hash.**block_size**

In [31]:
hashlib.sha256().block_size

64

hash.**name**

In [33]:
hashlib.new('sha256').name

'sha256'

hash.**update**(data)

In [37]:
m = hashlib.sha256()
m.update(b'a')
m.update(b'b')

hash.**digest**()

In [38]:
m.digest()

b'\xfb\x8e \xfc.L?$\x8c`\xc3\x9b\xd6R\xf3\xc14r\x98\xbb\x97{\x8bMY\x03\xb8PUb\x06\x03'

hash.**hexdigest**()

In [40]:
m.hexdigest()

'fb8e20fc2e4c3f248c60c39bd652f3c1347298bb977b8b4d5903b85055620603'

hash.**copy**()

In [41]:
m2 = m.copy()
m2.hexdigest()

'fb8e20fc2e4c3f248c60c39bd652f3c1347298bb977b8b4d5903b85055620603'

### SHAKE variable length digests
shake.**digest**(*length*)

In [52]:
hash = hashlib.shake_256()
hash.update(b'some message')
hash.digest(16)

b'b\xd4\xef\xf4x\xeb4qA\xc9\xccM\x91kGu'

In [53]:
hash.digest(32)

b'b\xd4\xef\xf4x\xeb4qA\xc9\xccM\x91kGu\x9e\x0b\xc7\xb8\x96\xae\xbc\xf9\x17\xff\x02IF{\x0e\xd1'

In [54]:
hash.digest(40)

b'b\xd4\xef\xf4x\xeb4qA\xc9\xccM\x91kGu\x9e\x0b\xc7\xb8\x96\xae\xbc\xf9\x17\xff\x02IF{\x0e\xd1@\x90\t\x1d~\x07\xf2s'

shake.**hexdigest**(*length*)

In [55]:
hash.hexdigest(16)

'62d4eff478eb347141c9cc4d916b4775'

In [56]:
hash.hexdigest(32)

'62d4eff478eb347141c9cc4d916b47759e0bc7b896aebcf917ff0249467b0ed1'

In [57]:
hash.hexdigest(40)

'62d4eff478eb347141c9cc4d916b47759e0bc7b896aebcf917ff0249467b0ed14090091d7e07f273'

In [58]:
hash.hexdigest(256)

'62d4eff478eb347141c9cc4d916b47759e0bc7b896aebcf917ff0249467b0ed14090091d7e07f27351e7a0cdfdc595a6bcef8fe1ad0ea21446473f0a023d50c420a779dd238e0f1fb0f590687b4d40bbb8076436b4ee349932fd7bed146cc2db9063ed6d6ec61fb5566a9ecccf3004b430a31753a8f5af76894dc57dfd55fbe19a3c498e1f5b4a4464c99d4397ab57862cc4358c5df329390c7a27998fd69a241902d30e938c1abc3503dffed48322907f9f9097e255b1c4c3b5d581ab652fb9dca181c9eaf3a545af03fa0408663836d9abcb6dddffd7e3169a9b173b76f6d8bf13c401e1e1379bdbfed6f59de76968573fcb5553a8af504855ced00d300210'

### Key derivation
hashlib.**pbkdf2_hmac**(*hash_name, password, salt, iterations, dklen=None*)

In [8]:
pass_ = bytes(''.join(random.choices(string.printable, k=16)), encoding='utf-8')
salt = os.urandom(16)
dk = hashlib.pbkdf2_hmac('sha256', pass_, salt, 100000)
type(dk)

bytes

In [9]:
pass_

b'K1);Yj1VJj>o7/H+'

In [10]:
salt

b'D%\xbb\x8f\xe9$\xfbq\x1b\xbd\xd1\xe8R\x0cV\xbb'

In [6]:
dk.hex()

'f32ef2085d6f6cbb7432cc57fe2b76eae9746f3c1639a95d90351f4801867314'

## BLAKE2
    • BLAKE2b, optimized for 64-bit platforms and produces digests of any size between 1 and 64 bytes,
    • BLAKE2s, optimized for 8- to 32-bit platforms and produces digests of any size between 1 and 32 bytes.

### Creating hash objects
hashlib.**blake2b**(*data=b'', *, digest_size=64, key=b'', salt=b'', person=b'', fanout=1, depth=1, leaf_size=0, node_offset=0, node_depth=0, inner_size=0, last_node=False*)

hashlib.**blake2s**(*data=b'', *, digest_size=32, key=b'', salt=b'', person=b'', fanout=1, depth=1, leaf_size=0, node_offset=0, node_depth=0, inner_size=0, last_node=False*)

In [3]:
data = bytes(''.join(random.choices(string.printable, k=32)), encoding='utf-8')
key = os.urandom(64)
salt = os.urandom(16)
person = os.urandom(16)
blake2b_hash = blake2b(data, key=key, salt=salt, person=person)
blake2b_hash.hexdigest()

'363643ee7bc590604843b558e4ec0060b71c819b05becc984237dca0828fd03ee0879ae08be6f0a646ba6b263a054caec5f3f0601993ad176710d21966faccc1'

### Constants

blake2b.**SALT_SIZE**

blake2s.**SALT_SIZE**

In [4]:
blake2b_hash.SALT_SIZE

16

blake2b.**PERSON_SIZE**

blake2s.**PERSON_SIZE**

In [5]:
blake2b_hash.PERSON_SIZE

16

blake2b.**MAX_KEY_SIZE**

blake2s.**MAX_KEY_SIZE**

In [6]:
blake2b_hash.MAX_KEY_SIZE

64

blake2b.**MAX_DIGEST_SIZE**

blake2s.**MAX_DIGEST_SIZE**

In [7]:
blake2b_hash.MAX_DIGEST_SIZE

64

### Examples
### Simple hashing

In [12]:
h = blake2b()
h.update(b'Hello world')
h.hexdigest()

'6ff843ba685842aa82031d3f53c48b66326df7639a63d128974c5c14f31a0f33343a8c65551134ed1ae0f2b0dd2bb495dc81039e3eeb0aa1bb0388bbeac29183'

In [13]:
# shortcut
blake2b(b'Hello world').hexdigest()

'6ff843ba685842aa82031d3f53c48b66326df7639a63d128974c5c14f31a0f33343a8c65551134ed1ae0f2b0dd2bb495dc81039e3eeb0aa1bb0388bbeac29183'

In [14]:
# many updates
items = [b'Hello', b' ', b'world']
h = blake2b()
for item in items:
    h.update(item)
h.hexdigest()

'6ff843ba685842aa82031d3f53c48b66326df7639a63d128974c5c14f31a0f33343a8c65551134ed1ae0f2b0dd2bb495dc81039e3eeb0aa1bb0388bbeac29183'

### Using different digest sizes

In [15]:
h = blake2b(digest_size=20)
h.update(b'Replacing SHA1 with the more secure function')
h.hexdigest()

'd24f26cf8de66472d58d4e1b1774b4c9158b1f4c'

In [16]:
h.digest_size

20

In [17]:
len(h.digest())

20

In [20]:
# BLAKE2b and BLAKE2s produce different outputs
blake2b(digest_size=10).hexdigest()

'6fa1d8fcfd719046d762'

In [21]:
blake2b(digest_size=11).hexdigest()

'eb6ec15daf9546254f0809'

In [22]:
blake2s(digest_size=10).hexdigest()

'1bf21a98c78a1c376ae9'

In [23]:
blake2s(digest_size=11).hexdigest()

'567004bf96e4a25773ebf4'

### Keyed hashing

In [24]:
# a (hex-encoded) 128-bit authentication code for message with key b'pseudorandom key':
h = blake2b(key=b'pseudorandom key', digest_size=16)
h.update(b'message data')
h.hexdigest()

'3d363ff7401e02026f4a4687d4863ced'

In [26]:
# A web application can symmetrically sign cookies sent to users and later verify them to make sure they weren’t tampered with:
from hmac import compare_digest

SECRET_KEY = b'pseudorandomly generated server secret key'
AUTH_SIZE = 16

def sign(cookie):
    h = blake2b(digest_size=AUTH_SIZE, key=SECRET_KEY)
    h.update(cookie)
    return h.hexdigest().encode('utf-8')

def verify(cookie, sig):
    good_sig = sign(cookie)
    return compare_digest(good_sig, sig)

cookie = b'user-alice'
sig = sign(cookie)
print(f"{cookie.decode('utf-8')}, {sig}")

user-alice, b'43b3c982cf697e0c5ab22172d1ca7421'


In [27]:
verify(cookie, sig)

True

In [28]:
verify(b'user-bob', sig)

False

In [29]:
verify(cookie, b'0102030405060708090a0b0c0d0e0f00')

False

In [31]:
# BLAKE2 can, of course, be used in HMAC construction with hmac module:
m = hmac.new(b'secret key', digestmod=hashlib.blake2s)
m.update(b'message')
m.hexdigest()

'e3c8102868d28b5ff85fc35dda07329970d1a01e273c37481326fe0c861c8142'

In [34]:
blake2s(b'message', key=b'secret key').hexdigest()

'fcd053018c41d70f22fc8eceb8ac39dec4e392448f507dfa4cd9990d7f0a0457'

### Randomized hashing

In [3]:
msg = b'some message'

# Calculate the first hash with a random salt.
salt1 = os.urandom(blake2b.SALT_SIZE)
h1 = blake2b(salt=salt1)
h1.update(msg)

# Calculate the second hash with a different random salt.
salt2 = os.urandom(blake2b.SALT_SIZE)
h2 = blake2b(salt=salt2)
h2.update(msg)

# The digests are different.
h1.digest() != h2.digest()

True

### Personalization

In [4]:
FILES_HASH_PERSON = b'MyApp Files Hash'
BLOCK_HASH_PERSON = b'MyApp Block Hash'

In [5]:
h = blake2b(digest_size=32, person=FILES_HASH_PERSON)
h.update(b'the same content')
h.hexdigest()

'20d9cd024d4fb086aae819a1432dd2466de12947831b75c5a30cf2676095d3b4'

In [3]:
h = blake2b(digest_size=32, person=BLOCK_HASH_PERSON)
h.update(b'the same content')
h.hexdigest()

'cf68fb5761b9c44e7878bfb2c4c9aea52264a80b75005e65619778de59f383a3'

In [6]:
from base64 import b64decode, b64encode
orig_key = b64decode(b'Rm5EPJai72qcK3RGBpW3vPNfZy5OZothY+kHY6h21KM=')
enc_key = blake2s(key=orig_key, person=b'kEncrypt').digest()
mac_key = blake2s(key=orig_key, person=b'kMAC').digest()
print(b64encode(enc_key).decode('utf-8'))

rbPb15S/Z9t+agffno5wuhB77VbRi6F9Iv2qIxU7WHw=


In [7]:
orig_key

b'FnD<\x96\xa2\xefj\x9c+tF\x06\x95\xb7\xbc\xf3_g.Nf\x8bac\xe9\x07c\xa8v\xd4\xa3'

### Tree mode

In [8]:
FANOUT = 2
DEPTH = 2
LEAF_SIZE = 4096
INNER_SIZE = 64
buf = bytearray(6000)
# Left leaf
h00 = blake2b(buf[0:LEAF_SIZE], fanout=FANOUT, depth=DEPTH,
              leaf_size=LEAF_SIZE, inner_size=INNER_SIZE,
              node_offset=0, node_depth=0, last_node=False)
# Right leaf
h01 = blake2b(buf[LEAF_SIZE:], fanout=FANOUT, depth=DEPTH,
              leaf_size=LEAF_SIZE, inner_size=INNER_SIZE,
              node_offset=1, node_depth=0, last_node=True)
# Root node
h10 = blake2b(digest_size=32, fanout=FANOUT, depth=DEPTH,
              leaf_size=LEAF_SIZE, inner_size=INNER_SIZE,
              node_offset=0, node_depth=1, last_node=True)
h10.update(h00.digest())
h10.update(h01.digest())
h10.hexdigest()

'3ad2a9b37c6070e374c7a8c508fe20ca86b6ed54e286e93a0318e95e881db5aa'