#  Tutorial of Applied Cryptography in Python

#### Guevara Noubir
##### Northeastern University


A great way to consolidate your understanding of cryptographic is to use them in practical settings. There are a number of crypto libraries in Python, (cryptography, pycrypto, m2crypto). This tutorial uses the cryptography.io. This library provides high level recipes and low level interfaces to common cryptographic algorithms such as symmetric ciphers, message digests, and key derivation functions. You can download the library from [here](https://cryptography.io/) and follow the instructions. You should be able to install the library using the following command: 

```bash
pip install cryptography
```

Note that you need to have pip installed. To install pip, follow the instructions [here](https://pip.pypa.io/)

*note: Each code block has extra imports, so that blocks would be independent runnable code*

## Cyrptography.io
Cryptography components are divided into different submodules. Following is a list of these submodules (not exhaustive)

* Primitive Crypto Blocks (*cryptography.hazmat*)
 * Message Digest and Hashing algorithms (*cryptography.hazmat.primitives.hashes*)
 * Symmetric encryption algorithms (*cryptography.hazmat.primitives.ciphers*)
 * Asymmetric encryption algorithms (*cryptography.hazmat.primitives.asymmetric*)
* X.509 Ecosystem (*cryptography.x509*)
* Full high level crypto recipe (*cryptography.fernet*)


## Hashing Algorithms

As we discussed in class, the goal is to have a long message as input and produce an output which is much shorter called the hash or message digest. Furthermore, we want it to have properties such as pre-image, second preimage, and  collision resistance. *SHA* is a family of popular hash functions.


### Note on MD5

MD5 is hashing algorithm with block size of 512 bits, and digest size of 128 bit. It was designed by Ron Rivest in 1991. MD5 is considered insecure these days, and it is highly advised **not to be used in security systems**.

In [108]:
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
import base64
print("You successfully imported the necessary packages")

You successfully imported the necessary packages


In [109]:
digest = hashes.Hash(hashes.SHA256(), backend=default_backend())
digest.update(b"A Single Message or")
msg_digest = digest.finalize()
print "SHA256", len(msg_digest), len(msg_digest) * 8, base64.b64encode(msg_digest)

SHA256 32 256 2OMi/1VrbIqEin/Ihxcyo6uKjbBGhcDkNmlqcfWqggY=


#### You can also computer a digest one piece at a time.

In [110]:
digest = hashes.Hash(hashes.SHA256(), backend=default_backend())
digest.update(b"A Single ")
digest.update(b"Message or")
msg_digest = digest.finalize()# Notice the output size of the digest
print "SHA256", len(msg_digest), len(msg_digest) * 8, base64.b64encode(msg_digest)

SHA256 32 256 2OMi/1VrbIqEin/Ihxcyo6uKjbBGhcDkNmlqcfWqggY=


#### Note that both hashing methods result in the same digest. The advantage of the second method is that you can hash a very long message (e.g., a large file that cannot fit in memory) iteratively.

### SHA Family

Secure Hash Algorithm (SHA) family, is a series of hashing algorithms. Ranging from SHA-0 to SHA-3. SHA-0 should never be used, it's advised to move away from SHA-1 to SHA-2. Recent research indicates that SHA-1 is about to be broken. SHA-3 is the most recent version, published in 2015.

 * SHA-1: Digest size (160), Block size (512)
 * SHA-2: Digest size (224, 256, 384, or 512), Block size (512, 1024)
 * SHA-3: Digest size (224, 256, 384, 512), Block size (1600)

In [111]:
for _hash in [hashes.SHA1, hashes.SHA224, hashes.SHA256, hashes.SHA384, hashes.SHA512]:
    digest = hashes.Hash(_hash(), backend=default_backend())
    digest.update(b"Network")
    digest.update(b"Security")
    msg_digest = digest.finalize()
    # Notice the output size of the digest
    print _hash.name, len(msg_digest), len(msg_digest) * 8
    print base64.b64encode(msg_digest)

sha1 20 160
3Nfw+zQO2zp/8ZWVUdVm3hiCjmg=
sha224 28 224
WYm+UTU7ZMq4BAaX1+fwHRBtgt2KRE/ci+J1Zw==
sha256 32 256
Wr+fCs2Rfq5Q9nUtnl1pV8tNxrzYIhzR+8TPdyWMLjg=
sha384 48 384
I121lIgEBkunsrznkTk8wvV1rYJT27CxN5w3vND36C9E+bUnfp/carfxDdgi6b0n
sha512 64 512
NRJrp7SwnPeOgak1bffPaKtUfoboqWsmNtp/ybIyhgEtggqeuGvW+uZ5TBcTbQNDnlihqxKnHGtnFuDgN4iSEw==


In [112]:
digest = hashes.Hash(hashes.SHA256(), backend=default_backend())
digest.update(b"Network")
digest.update(b"Security")
msg_digest = digest.finalize()

In [113]:
print base64.b64encode(msg_digest)

Wr+fCs2Rfq5Q9nUtnl1pV8tNxrzYIhzR+8TPdyWMLjg=


In [114]:
digest = hashes.Hash(hashes.SHA256(), backend=default_backend())
digest.update(b"NetworkSecurity")
msg_digest = digest.finalize()

In [115]:
print base64.b64encode(msg_digest)

Wr+fCs2Rfq5Q9nUtnl1pV8tNxrzYIhzR+8TPdyWMLjg=


### Hash-based message authentication code (HMAC)

HMAC is used for message authentications combined with a secret key. It provides integrity check and authentication.

<img src="include/SHAhmac.png">

image source: wikipedia

In [11]:
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, hmac
import os

for _hash in [hashes.SHA224, hashes.SHA256, hashes.SHA384, hashes.SHA512]:
    h = hmac.HMAC(os.urandom(16), _hash(), backend=default_backend())
    h.update("Network Security")
    msg_digest = h.finalize()
    print _hash.name, len(msg_digest), len(msg_digest) * 8, base64.b64encode(msg_digest)

sha224 28 224 PbMZZErt7B/61/7uvIM4pErySd/eKOuj5dNksA==
sha256 32 256 +IpREbQ6As8r5Rb5jj/FoHOF2XKaxttepz6ZD/y5fmk=
sha384 48 384 I/k1iBdbzdPlMltW9L6Eh/2bxLbYGA8uyd+DgiS2MupIG1efg/yyHwxx2xTecUUY
sha512 64 512 6wopf5MXYumYmyQMbvMqUaWaXUpqVsDNC9zuMIEVArNDEbM/bvk+hOa4Cy8MKpUqTjYemgsbMBRU7vZi3Www6g==


## Symmetric Encryption

In the following we look at the symmetric encryption algorithms. In symmetric crpto, we use the same key for encryption and decryption. Therefore, the two parties needs to establish a secret key between them. It's up to 1000 times faster than asymmetric encryption.


### Advanced Encryption Algorithm (AES)

AES is based on Rijndael encryption algorithm, designed by Joan Daemen and Vincent Rijmen. It was one of the algorithms submitted to U.S. National Institute of Standards and Technology (NIST) to replace DES and 3DES. It was published in 1998 and accepted and standardized in 2001.

 * AES supports key sizes of 128/192/256 bits
 * Block size: 128 bit
 * It's iterative rather than Feistel cipher
 * Treats data in 4 groups of 4 bytes
 * Operates on an entire block in every round
 * Resistant against known attacks
 * Speed and code compactness on many CPUs
 * Rijndael block and key size vary between 128, 192, 256
 * However, in AES block size in 128
 * Number of rounds a function of key size
  * 128 bits     10 rounds
  * 192 bits     12 rounds
  * 256 bits     14 rounds

 * Today most implementations use the CPU support (Intel AES-NI)

### Block cipher mode of operation

To encrypt messages of arbitrary size with block ciphers, we use the following algorithms, called the modes of operation. They define how to encrypt each block of the plaintext to produce the corresponding cipher text block. Some of these are complemetly insecure (ECB) and should not be used.

 * Electronic Codebook (ECB)
 * Cipher Block Chaining (CBC)
 * Cipher Feedback (CFB)
 * Output Feedback (OFB)
 * Counter (CTR)
 * Galois Counter Mode (GCM)
 
 
### Electronic Codebook (ECB)

<img src="include/ECB_enc.png">
<img src="include/ECB_dec.png">



### Cipher Block Chaining (CBC)

<img src="include/CBC_enc.png">
<img src="include/CBC_dec.png">



### Counter (CTR)

<img src="include/CTR_enc.png">
<img src="include/CTR_dec.png">

image source: wikipedia

The following images are encrypted with ECB. Note that you can see the pattern in the data. Therefore, ECB is not secure or recommended to be used.

<img src="include/tux.png">
<img src="include/ECB1.png">
<img src="include/ECB2.png">

In [116]:
import os
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
key = os.urandom(16) # in bytes, 128 bits
iv = os.urandom(16)

In [119]:
# ECB Mode, we only need a key
### *** DO NOT ECB. IT IS INSECURE *** ###

cipher = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend())
encryptor = cipher.encryptor()

# note that we don't need padding here, since len("Network Security") = 16
cipher_text = encryptor.update(b"Network Security1234567890123456") + encryptor.finalize()
print base64.b64encode(cipher_text)

JwfVBXEJJvuOTlBrzpborPm/vHidBrqZd5SuA9EnZ6M=


###### cipher = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend())
encryptor = cipher.encryptor()
ct1 = encryptor.update("Network Security1234567890123457")
encryptor.finalize()
print base64.b64encode(ct1)

In [64]:
decryptor = cipher.decryptor()
decryptor.update(cipher_text) + decryptor.finalize()

'Network Security1234567890123456'

In [121]:
# padding
# first import padding 
from cryptography.hazmat.primitives import padding

padder = padding.PKCS7(128).padder()

# pad the plaintext
padded_data = padder.update(b"Network Security: -")
padded_data += padder.finalize()

print padded_data

# encrypt 
cipher = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend())
encryptor = cipher.encryptor()
cipher_text = encryptor.update(padded_data) + encryptor.finalize()
print base64.b64encode(cipher_text)

# decrypt
decryptor = cipher.decryptor()
padded_text = decryptor.update(cipher_text) + decryptor.finalize()

#unpad
unpadder = padding.PKCS7(128).unpadder()
plain_text = unpadder.update(padded_text) + unpadder.finalize()
print plain_text

Network Security: -
JwfVBXEJJvuOTlBrzpborGRCgAxWGvjqF/G/Mu0+6q8=
Network Security: -


In [122]:
# CBC Mode, we also need an IV
cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
encryptor = cipher.encryptor()

# note that we don't need padding here, since len("Network Security") = 16
cipher_text = encryptor.update("Network Security") + encryptor.finalize()

In [34]:
base64.b64encode(cipher_text)

'w4jSTr43SVnItntvJ/kbyw=='

In [35]:
decryptor = cipher.decryptor()
decryptor.update(cipher_text) + decryptor.finalize()

'Network Security'

In [126]:
# GCM Mode, we also need an IV
cipher = Cipher(algorithms.AES(key), modes.GCM(iv), backend=default_backend())
encryptor = cipher.encryptor()

# note that we don't need padding here, since len("Network Security") = 16
encryptor.authenticate_additional_data(b"Only authenticate")
cipher_text = encryptor.update("Network Security") + encryptor.finalize()
tag = encryptor.tag

In [127]:
base64.b64encode(cipher_text)

'bns6Q9mUYupXl+VyJPIsAQ=='

In [129]:
decryptor = Cipher(algorithms.AES(key), modes.GCM(iv,tag), backend=default_backend()).decryptor()
decryptor.authenticate_additional_data(b"Only authenticate")
decryptor.update(cipher_text) 
decryptor.finalize()

''

In [82]:
# CTR Mode, we don't need padding in CTR mode. In transforms a block cipher into a stream cipher
# we only need to introduce the nonce
cipher = Cipher(algorithms.AES(key), modes.CTR(os.urandom(16)), backend=default_backend())
encryptor = cipher.encryptor()
# len("Network Security CS 6740") = 25, but no padding is needed
cipher_text = encryptor.update("Network Security CS(6740)") + encryptor.finalize()

In [83]:
base64.b64encode(cipher_text)

'jI90CwaOqlWSVMexQTIF2A1oFvWWvvVlrA=='

In [84]:
decryptor = cipher.decryptor()
decryptor.update(cipher_text) + decryptor.finalize()

'Network Security CS(6740)'

## Asymmetric Encryption

Asymmetric encryption mechanism use two different keys for encryption and decryption. Therefore, the two parties do not need to share a secret key between them.


### RSA

RSA, is an asymmetric encryption algorithm by Ron Rivest, Adi Shamir, and Leonard Adleman. It was published in 1977. It's security is based on the hardness of factorization problem. However, now it has its own problem, called the RSA problem. RSA is slow, and is not used for encryptin large data, but it's mostly used to encrypt the symmetric key that is used for encryption.


 * p, q, two big prime numbers (private, chosen)
 * n = pq, f(n) = (p-1)(q-1)   (public, calculated)
 * e, with gcd(f(n), e) = 1,  1 < e < f(n)	(public, chosen)
 * d = e-1 mod f(n)	(private, calculated)
 * $E(M) = M^e \mod n$
 * $D(M) = M^d \mod n$
 * $D(E(M)) = M^{ed} \mod n = M$
 
 


In [130]:
# Generate a 2048 bit private key
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import rsa

private_key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=2048,
    backend=default_backend())
# to get the public key
public_key = private_key.public_key()

<img src="include/RSA_OAEP.png">

image souce: wikipedia

In [133]:
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding

message = b"Network Security:"
ciphertext = public_key.encrypt(
    message,
    padding.OAEP(
        mgf=padding.MGF1(algorithm=hashes.SHA256()),
        algorithm=hashes.SHA256(),
        label=None))
base64.b64encode(ciphertext)

'AK9kI6ocn8Rs41esBjHqFIrNmDzKk4TjVIFcFEHuyYfLg+fxgdr0ofycIxd32VtIkQWj8gGw95V1lRDq0/tT1Zs0WMe5kb4qA874wGfC5SatNI4RbVGB9DI82RiFpQ3BWM0lbUxR+A9qgM0ef5zcCs7yzQeLSa9zEpr1ZJxeEG2CaFkJGjWriNzIkKVouOa9WDHqjZbMoz7btSRf9t0uTl5Jg43RLAx0sQd6z6a1B/2lJ7Ih8ws4bwR3ibWZB03CfVe0EdF7RBypyzd4g8aoQn0kei2ah/YphHK5rKz0OMBw2ilHJOOeWljlZv96b/FoYwTKG7xB7t1RvL50mymUXw=='

In [134]:
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding

plaintext = private_key.decrypt(
    ciphertext,
    padding.OAEP(
        mgf=padding.MGF1(algorithm=hashes.SHA256()),
        algorithm=hashes.SHA256(),
        label=None))
plaintext

'Network Security:'

In [135]:
plaintext == message

True

### OpenSSL - RSA

To generate keys, use the following instructions:

```bash
 openssl genrsa -out private_key.pem 2048
 openssl pkcs8 -topk8 -inform PEM -outform DER -in private_key.pem -out private_key.der -nocrypt
 openssl rsa -in private_key.pem -pubout -outform DER -out public_key.der
 ```
 

In [105]:
%%bash
openssl genrsa -out private_key.pem 2048
openssl pkcs8 -topk8 -inform PEM -outform DER -in private_key.pem -out private_key.der -nocrypt
openssl rsa -in private_key.pem -pubout -outform DER -out public_key.der

Generating RSA private key, 2048 bit long modulus
....+++
....................+++
e is 65537 (0x10001)
writing RSA key


In [106]:
# import key from a file. E.g., previously generated by OpenSSL
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization

with open("private_key.pem", "rb") as key_file:
     private_key = serialization.load_pem_private_key(
            key_file.read(),
            password=None,
            backend=default_backend())
public_key = private_key.public_key()