<h1>Cryptography</h1>

<p>Cryptography is the science of securing communications so that third parties or the public cannot read private data. Sometimes these third parties are referred to as adversaries because they may want to read communication without the permission or knowledge of the participants.</p>

<p>To <b>encrypt</b> a message means to convert it into a form that is unreadable or gibberish, using a computer function. This gibberish for is known as <b>ciphertext</b>.</p>

<p>To <b>decrypt</b> a message means to convert the ciphertext back to the original message, using a computer function. This readable message (the original message) is known as <b>cleartext</b>.</p>

Using pip, run:</br>
<b>pip install cryptography</b></br>
<b>pip install pycryptodome</b>

<h2>Symmetric-Key Cryptography</p>

In [1]:
# import one of the encryption algorithms from the cryptography module
from cryptography.fernet import Fernet
# generate a key
key = Fernet.generate_key()
# create an encrypter object
cipherSuite = Fernet(key)

In [2]:
# encrypt some text (must be bytes)
cipherText = cipherSuite.encrypt(b'This is a secret piece of information.')
# show the gibberish
print (cipherText)

b'gAAAAABh4t1rlxxinvQkJpBjZsz_WBYFlJT8RUpdn0I6ENjZSyCctHdiflLX0Lnkv9ks-MDYiGbeIbLU2r2hszeZmLVn6tHxT8qYzdu68LaCKWjqMmkBLxssg2PrJaC9Ci5idozyfDFG'


In [3]:
# decrypt the string
plainText = cipherSuite.decrypt(cipherText)
# show the text
print(plainText)

b'This is a secret piece of information.'


<p>In symmetric-key cryptography, the same key is used in encryption and decryption. Therefore <b>all correspondents must know it</b>. This scheme is also known as <b>private-key cryptography</b>.</p>

In [4]:
# use a different algorithm
from Crypto.Cipher import AES
from Crypto.Hash import SHA256
from Crypto.Util.Padding import pad
import os

In [5]:
def hashedPassword(passString):
    # hash it to get a key that is a multiple of 16
    key = SHA256.new(passString.encode('utf-8')).digest()
    return key

def encryptAES(plainText, iv):
    # supply a key
    key = hashedPassword('mysecretpass')
    # set up the encrypter
    mode = AES.MODE_CBC
    encryptor = AES.new(key, mode, iv)
    print('Encrypting...')
    # convert text to bytes
    plainText = plainText.encode('utf-8')
    # pad data to be a multiple of the block size
    plainText = pad(plainText, AES.block_size)
    # encrypt
    cipherText = encryptor.encrypt(plainText)
    print(f'Encrypting complete. The ciphertext is {cipherText}')
    return cipherText

<p>In cryptography, an initialization vector (IV) or starting variable (SV) is a fixed-size input to a cryptographic primitive that is typically required to be random or pseudorandom. It enhances security by making encryption results different in each use, even if the password (key) does not change. An attacker cannot therefore figure out what ciphertext corresponds to a particular plaintext by observation.</p>

In [6]:
# generate an IV
iv = os.urandom(16)

In [7]:
# encrypt a string with AES from the PyCrypto module
cipherText = encryptAES('This is a secret piece of information.', iv)

Encrypting...
Encrypting complete. The ciphertext is b'\x9av\xba\xdfM\xed\xb8\xf2\x07\xab\xf0<_=I\xc8\xd5\xac\xf2\xcc\xf6\xab\x90T7)qh\xc9\xd6\xc2\xa0\xbd\xd8\xb5\x88\x82e|\xa9\xa1,\xae\xd8\x85\xd8\x92\xf9'


In [8]:
def decryptAES(cipherText, iv):
    # supply the same key
    key = hashedPassword('mysecretpass')
     # set up the decrypter
    mode = AES.MODE_CBC
    decryptor = AES.new(key, mode, iv)
    # remember to remove trailing spaces
    plainText = decryptor.decrypt(cipherText).rstrip()
    print(f'Decrypting complete. The plaintext is {plainText}.')
    return plainText

In [9]:
# decrypt the string
plainText = decryptAES(cipherText, iv)

Decrypting complete. The plaintext is b'This is a secret piece of information.'.


<h2>Asymmetric-Key Cryptography</h2>

<p>This is also called public-key cryptography and in this type the key for encryption and the key for decryption are different. This makes the scheme more secure, since the sender and recipient of a message do not have to share a key. The encryption key can be made public by listing it in a directory or mailing it to your correspondent, while you keep the decryption key secret. Your correspondent then <b>sends you data encrypted with your public key</b>, and you <b>use the private key to decrypt it</b>. While the two keys are related, it's very difficult to derive the private key given only the public key; however, deriving the private key is always possible given enough time and computing power. This makes it very important to pick keys of the right size: large enough to be secure, but small enough to be applied fairly quickly.</p>

In [10]:
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP

In [11]:
# generate an RSA key pair
secretCode = 'somesecretGINIpassword'
key = RSA.generate(2048)
# get a private key
privateKey = key.export_key(passphrase=secretCode, pkcs=8, protection="scryptAndAES128-CBC")
# save the key to a file
with open('data/ginikey.pem', 'wb') as keyFile:
    keyFile.write(privateKey)
# get a public key
publicKey = key.publickey().export_key(pkcs=8, protection="scryptAndAES128-CBC")
# save the key to a file
with open('data/ginikey.pem', 'wb') as keyFile:
    keyFile.write(privateKey)
with open('data/ginikey.pub', "wb") as keyFile:
    keyFile.write(publicKey)

In [12]:
# read in the keys and display
# public key
pubFileContent = open('data/ginikey.pub').read()
publicKey = RSA.import_key(pubFileContent)
print(pubFileContent)
print(publicKey)

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6WSfrw1ri23qZa/5g5P7
4yg6wh7sGx+yAexPuoxyVwAt+DJouqroZchklhnNtOwpL6u30rilOl0wq56SdVh9
Ik058JUeudSOB+te3rFF4FgUdWf93FM5DM73vhOU2yFUgh8Sz782pCwYQcsnHe4o
OguR/CvMd3Snmv0fhR1WbWID2Pn6uhJ/0K6PA2Bhl3FC490Q/a8jD/eSbJSl8qn5
qSrWDYdpdkRYoGMYMtoHnqkPzvzA2TrFbrofOVStibe8PWVxo9jXgO+7PFEcEv3o
buqdwtEn+ijmY1ah2NM8xFA6wCNyitaf3tZsulZzoNrPuFqNmf5c2uMRpqw+Bp36
lQIDAQAB
-----END PUBLIC KEY-----
Public RSA key at 0x7F7A844FB580


In [13]:
# private key
privFileContent = open('data/ginikey.pem').read()
privateKey = RSA.import_key(privFileContent, secretCode)
print(privFileContent)
print(privateKey)

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFJTBPBgkqhkiG9w0BBQ0wQjAhBgkrBgEEAdpHBAswFAQItYwHwbBP9BoCAkAA
AgEIAgEBMB0GCWCGSAFlAwQBAgQQViq1o9YhbuO+B9JTXGmbwgSCBNCVgFRgFXQf
gjdUiuaMDOkdLmG11MgeT//D4Otdf/GuwkQcGypBVJUi1LgyVYpDmAZJajWJcnUA
igAkwCBqfg9jl29Iy5/oVrlgFpucQGFYdrDP2ueNK9f4fZoLC75GTcMZUrur09yE
3IqdgvfZrAglkaQlol+ayz+0IpDRmBhRU6oq1pUanV9sCMq1BiH7IHqfGjeN5MT0
EC6l9V34sIEXyiM8h7ecdYOE9pOuiua6gFyW/lfhVjZWO1LnMSqwKnXH1ssZjZNX
XCsdr1xHW9D474t0grA++rEUCp3O/mMDZ/G9UxJW+9qa+HNOFnNd6SHTi6303Dp8
gT0/3KrJ01O1F8xdbeDn/UzNsbIXPmNYjvEbwwudQTDiO1asylvI2xHFcbUj2u7F
XL/YPOY/o0ruWDT77WEGfoRpoRFx45lQ2d6PeMGww9OTEomiErK0qOu1o+I6x5Bl
OG/P5OkD60ZlVuLhYiZP2c5B3BPyaNPsTfyovDpvOunprVy/j9S1vNMSPChReNh7
hd8dObyra63jEHngncJOZEVCqEX2P88+X5ICeFcJNdwJk8aOHgfbUL9/nMsKYfp5
EKnAq9IzvkF5lZ/RJT8ifYenc8WYGJP0EcxAWYSQ3ZupegDAQEWTBjU7bQls+J5+
zsK+RMJ5EMayLe60JMY2kTgbGGm+F7KTkxRqVMBxoPT1nQZjJIhRBzxw2JsTx4JD
AT6LU+xjJJ6n0kIloQ9BeEg+NLfJ0rLKowuTBuXs++q871itn8WCqV1t43nD8xpx
1sAMwx6KB85Lq2mkkL3R0EXithyWuqqTS2zgUsiF2SpCK25pbKST

In [14]:
# change the input string to bytes
plainText = 'Watch https://www.youtube.com/watch?v=JIniOUNzsq4 to learn more about NFTs.'.encode("utf-8")

In [15]:
# prepare the encryptor
# RSA encryption protocol according to PKCS#1 OAEP
encryptor = PKCS1_OAEP.new(key=publicKey)

In [16]:
# encrypt the plaintext
cipherText = encryptor.encrypt(plainText)
print(cipherText)

b'\x01\xfc"\x7f&\x03\x13\xa6}PS\x9a\xaf"\xd2\xc8\x135\x14\xdf\xce=\xf9>\xdb\xe2.h\xedD\xcc9\xcc\x94\xce/\xd7\x926\xc2\xbb\x14\x8eM\x15\x18+\x0f\xa2>Y\t\x7f\xedJ\x8d\x9e\xdfu\x15\xafe\xc8x\x92\xea\x8c{\xd3\xeea"\x8c\xe0\xd4p\x15\xdc\x1a\xe2I]\x93\xbe\xe4\xaaJ\xf3\xb0\xee\x9fCX\xa8\xb6\x18[\xcaq\xc0^~\x9c\x07\xa2\x9fhG\xa9\xc6\xb5\xd8h\xf5\xe4 \xc1\xee\xd8+\xc9\n\x87\xaa\x07\xa9\xd7\xe9\x07%\x13\x13\xfeb\xcff\x89<\x82\xfa\x97\x1f\xe9\xa9\xb0\xce\xe3\xf8\x19\x15\xd5M\xfc\xedm\xc5\xd9\xd9\x18hf\x82\xffx\xdd\x8a\x83\xd2\xd0.P f?W\xab\x81YH&5W&\x10\xf5AP\x94[\xa2\xb4\xb3\x95\xe9Y\x83?Sq+\xf2\'\x08\xa9\xec\x10\xf0\xeb\xa3&U\x07=\x1e2\xd0\xd2\x81K\xef\xd7w\xe98\xe7+Xd\x85\x93\xbd\xe31\t\xe8\x0b\xad\x7f!\x14\xb6\n\x0eY\xfeh\x93\xaev\xc1\\\xc2\xf9fAJ'


<p>Note that the encrypted data is binary data. We have now successfully encrypted data using a public key (which in a peer-to-peer setup would be a public key belonging to the recipient that the sender has).</p>

In [17]:
# prepare a decryptor
decryptor = PKCS1_OAEP.new(privateKey)

In [18]:
# decrypt the ciphertext
resultText = decryptor.decrypt(cipherText)
print(resultText)

b'Watch https://www.youtube.com/watch?v=JIniOUNzsq4 to learn more about NFTs.'


<h2>Exercise</h2>

<p>Create a text file with some text <b>plain.txt</b>. Use RSA to encrypt the data into a new file <b>secret.enc</b>. Finally, decrypt secret.enc and use Python to check whether the result is equal to the contents of plain.txt</p>

<h2>Hashes</h2>

<p>In layman’s terms, a hash is a string of letters and numbers of a fixed size that uniquely identifies a piece of data. More formally, a hash function is a one-way computer function that converts some data of any size to a fixed-size unreadable form known as a hash. Because each piece of data produces a universally unique hash, it follows that hashes can be used to determine if a piece of data has been modified.</p>

In [19]:
from Crypto.Hash import MD5
# get the has of some data
hash1 = MD5.new('The quick brown fox jumps over the lazy dog'.encode('utf-8')).hexdigest()
print(hash1)

9e107d9d372bb6826bd81d3542a419d6


In [20]:
# alter the data slightly and hash
hash2 = MD5.new('The quick brown fox jumps over the lazy dog.'.encode('utf-8')).hexdigest()
print(hash2)

e4d909c290d0fb1ca068ffaddf22cbd0


<p>Note how different the hash is when we simply add a fullstop to the string.</p>

In [21]:
# use a different hash function
from Crypto.Hash import SHA256
# get the has of some data
hash1 = SHA256.new('The quick brown fox jumps over the lazy dog'.encode('utf-8')).hexdigest()
print(hash1)

d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592


<p>Hash algorithms are usually specified in terms of the bit-size, which is the size in bits of the hashes that they generate. For example SHA-256 generates hashes of 256 bits in length and MD5 has 128 bit long hashes.</p>

<h3>Hashing Passwords</h3>

<p>Passwords are usually stored in databases as hashes, not in plaintext. This way even if the database falls into the wrong hands, passwords will remain unknown.</p>

In [22]:
# get a password from the user
passwd = input('Please enter a new password: ')
# hash the password
passhash = SHA256.new(passwd.encode('utf-8')).hexdigest()
# ask the user to verify the password
passverify = input('Please enter the password again: ')
# prompt until correct password is found
while SHA256.new(passverify.encode('utf-8')).hexdigest() != passhash:
    passverify = input('Please enter the password again: ')
# here we have correct password
print('Password verified!')

Password verified!


<p>Note that we are able to verify the password is correct without using the original password, just the hash.</p>

<h2>Exercise</h2>

<p>Update Virtual Bank 3.1 to employ password hashing. All passwords stored in the database must be hashes.</p>