# Notebook for Lab 2 - Asymmetric Encryption
By Luis Daniel Casais Mezquida  
Cryptography 22/23  
Bachelor's degree in Applied Mathematics and Computing, grp. 121  
Universidad Carlos III de Madrid

## General goal
In this lab you’ll get familiarized with programming, asymmetric encryption and key exchange algorithms using the pyca/cryptography library. 

## Specific goals
- Being capable of serializing and unserializing RSA private and public keys to and from PEM/PKCS encoding/format.
- Being capable of saving and loading RSA private and public keys to and from a file.
- Make use of the pyca/cryptography library to encrypt and decrypt simple messages (strings) with RSA asymmetric cipher using two different paddings (PKCS1v15 and OAEP).
- Make use of the pyca/cryptography library to wrap symmetric keys (recall that key wrapping uses symmetric encryption to encapsulate symmetric key material).
- Make a combined use of RSA OAEP asymmetric encryption and AES 256 CTR to implement hybrid encryption.
- Make use of the pyca/cryptography library to implement a simple anonymous Diffie-Hellman Key Exchange

## Modules
Cryptography library documentation can be found [here](https://pypi.org/project/cryptography). You’ll may find useful to have these links as reference:
- [Asymmetric RSA](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/)
- [Key Wrapping](https://cryptography.io/en/latest/hazmat/primitives/keywrap/)
- [Diffie-Hellman key exchange](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dh/)

## Lab assignment and assessment
You are given one Python script/notebook, that contains the headers of all the functions you should develop at the end of this lab. Next, you’ll be guided through several tasks you’ll have to complete in order to do so.

Lab 2 assessment will be performed with a test/quiz/exam at the end of the course (along the other lab assessments).

# 0. Modules installation and imports

In [52]:
import os

from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives.asymmetric import utils
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

from cryptography.hazmat.primitives.keywrap import aes_key_wrap, aes_key_unwrap

from cryptography.hazmat.primitives.serialization import load_pem_private_key, load_pem_public_key
from cryptography.hazmat.primitives import serialization

from time import time
from cryptography.hazmat.primitives.asymmetric import dh

PUBLIC_EXPONENT = 65537
KEY_SIZE = 2048
KEY_SIZE_AES = 32
BLOCK_SIZE_AES = 16
GENERATOR = 2

PASSWORD = b"pene"

# 1. Asymmetric Encryption with RSA

## 1.1 GENERATING RSA PRIVATE AND PUBLIC KEYS

### TASK 1.1.1 Generating an RSA key pair

Before using the RSA cipher, you need to generate a pair of RSA public/private keys. Read the documentation [here](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#generation).

In [53]:
priv_key = rsa.generate_private_key(PUBLIC_EXPONENT, KEY_SIZE)
pub_key = priv_key.public_key()

## 1.2 SERIALIZATION OF PRIVATE AND PUBLIC KEYS

### TASK 1.2.1 Serializing RSA keys

Read documentation [here](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#key-serialization).

[Serialization](https://en.wikipedia.org/wiki/Serialization) is the process of transforming a data structure created in a specific context into another that is easily stored or transmitted. It is also called marshalling. The inverse process is called unserialization or unmarshalling.

In the case of private and public keys it is highly recommended to ensure interoperability. Serialization can be done following different encodings and formats. In the case of private keys, you can choose to serialize the key in clear or encrypted using a symmetric key derived from a password. Obviously, in real life, private keys MUST be always protected.

Create two functions, <code>pem_serialize_pub_key(pub_key)</code> and <code>pem_serialize_enc_priv_key(priv_key, pwd)</code>, that serialize the private and public keys using the following encoding and formats.

For the private key: 
- `encoding = serialization.Encoding.PEM`
- `format = serialization.PrivateFormat.TraditionalOpenSSL`
- `encryption_algorithm=serialization.BestAvailableEncryption(pwd)`


For the public key: 
- `encoding = serialization.Encoding.PEM`
- `format = serialization.PublicFormat.SubjectPublicKeyInfo`
    
The output of the serialization process uses PEM format. More information about PEM format [here](https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail).

Once you have coded the functions, print the output. You should obtain something similar to the following result:
```python
b'-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,802BDB9DB78F07FB34A14F88BF4C4CA9\n\n0ASfOGx4tbVzkqKcCGmaPUVGgj68JE6exAKtMaaL5nT2ZVY/WsWxinclZqTMpyF7\nmPaFoQLaudwh+N/3s11wwpIUx7MMND0bEhyHdisRe/3m7MfAI1E2onTw7TCzYNAZ\nCN007wa2BphFfQ1PZ5upy+p27d91xiKP9RSf6Vtusj1smA6lLBeQdYpcoLhZnyyL\n/b/QVG0JhKizkh84hOuz6TR/eXXEtro3Bwbs+2L/ZSqAA+yrvwABwVnX43y4Fdlg\n/p1y+Kc8PD+JHEtw1ibWsQM9yrt0/ZBvEMrLbx9QzpapEqOQgbFc/FRX8jfLmoM0\nO9ievrIRDK3NnhpxvDi6AEqkyJqU/BM9Kwh04dMr7MP1AgqVwxEssnlioh8IP+ZF\njk1zPIUj3bi1HBvCYngwk1pKpCcC2xcS1PE5bXiXstWYe85Jkr6tQHjrdo/oLN85\nlZjhneegszt1+BP0sC1tlAGYH6qhR11wghiU3bhDgFmFtmpu4geDdHDCnK/AEeUI\njIsf0/2cwsJv7m92xw7O2gWy7o8SfXIHsZzMM2X3ogrghD2NldpGoFyjBtBuc2qc\nXXCV7FnrmPF2Uby1brBy0t24t8W+bIS9cl/0IIrqShYV+KgqaRC4tIKKfH/BqN6N\n/vEyp+QdnVz96/PdM69ExaZ5VhZ/mnASVV80RV3j/JvB8QmZ/N7zn4h7LPWZEbyS\ntb7EI2dtk5VKLxkz7Uj2uIGLVUemLYvLNNzUYJcUMRORSl6wpwZ6qq8bQJ2tJlHQ\nFXpEE24T9clBXtrBi22hWHeRZzFXsE4iAXFAQpeFXUwAFTDXW7Fc6xIGD31zncLy\ndI4xd39hk4X3PTHKyMDSM1qQ3aoww8i8MgoRhggpKr+wTUc/T82ggJTn37JK8z2g\nRxEGJAkYwiAMb0GcDgvm8cd0IcJjuYbJSB+A0QAHPaFR0OCn2e9q7HRqV3rOejNa\nvmidIp+smjC79ea9D7ewJFT8gEkppRzNlw0pMus1GpgdZLS9/zJTYVo66YjC0laD\nf9XQ1oEzldALgI3ZoEnli02nC1PVaff9GAkcwBj+yre3RgLxoFwwf6i8ZKwQo7dm\nLQ+JhraRWzD87jLbaDOOX0gQa1e6LcJTf/cljaD1n97ang/YOqCWUz0IAVPajrvx\nE4qyBnfdqfnHt2i/doOZ66d7gFtzvG5FFG6sGSfhNLUfVTZ/29VL8RBGnEsv4sz+\nlAXnIKx5Zw7GPjcIptFx+ySe10Srq4u3AlGtAksjOxP20EfjLNYiYTXZ9icTQJb6\nwryftBSTT07Mb9GrsSPueQ6COOS8i5BCBQdXaCJHA21bC+h9aHwImRhHj0K1UB0A\nBAboZ7yCWaL2zNCiBaIH6vj3eA5cWGmSq1CgtJLoeY6vwD+wJLzldMVDXbcpqtA4\nVzqmOboPsmE3/n3j5sqMqhiZnUKNFbir4rfP27WLCD23UXdXyZ+v6l7ZyKRo3xjB\n/JMVBAS+Ygn4FAMPrM+ScwriB0lP4JvEeQCItvTyRf1Uk1W4Od2fI9rIo9fgDvL3\n/XhuxkHbmts0W5P5Hho4JBI7qNlq/4nv+XPgEj9ptxEGR7ilK7O/HGOKb+VuxH8L\n-----END RSA PRIVATE KEY-----\n'
```
```python
b'-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4BKsvzPODKFgeBWlrXwf\nOq0yEeH4YXhcwDBdtphEV4WzpTCh0nxZKZQh9diwjS7WEsjPUnVQJx8XBNdt5YOo\nO1ui4fLS+6v/JHMhjDln9D79pcHFvnduwOdM5mFkmDSJrwna+Qk7r000RWk8lhTK\nds4etkrHomk8txXBlNAcoEu1nzII76Y9G5LiffRrtGSoi7yybYCIaeKwG9q6PI50\nak6K6OIhxB6AcEq5KCs/Y0zkM6TzQLz8V9cyHnZ2ApTht5M2YifX2m09/vtQmDdw\n6wNl9rwP9O8ws2Dmfs0ijovJE4M8C1UviHJicmOaPaaDzzG6Kh8L0FwNf0b+d3CM\nbQIDAQAB\n-----END PUBLIC KEY-----\n'
```

In [54]:
def pem_serialize_pub_key(pub_key):
    encoding = serialization.Encoding.PEM
    format = serialization.PublicFormat.SubjectPublicKeyInfo

    return pub_key.public_bytes(encoding, format)

def pem_serialize_enc_priv_key(priv_key, pwd: bytes):
    encoding = serialization.Encoding.PEM
    format = serialization.PrivateFormat.TraditionalOpenSSL

    encyption_algorithm = serialization.BestAvailableEncryption(pwd)

    return priv_key.private_bytes(encoding, format, encyption_algorithm)

pub_key_pem = pem_serialize_pub_key(pub_key)
priv_key_pem = pem_serialize_enc_priv_key(priv_key, PASSWORD)

print(pub_key_pem)
print(priv_key_pem)

b'-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA35SXpAlBpvW47hYyboEs\n47JOSTQhmllP8HIwYWneWhH2uS4Bq4rrHH5M6qGwxbIS0AvvzT3PrcbHdU+mEwEH\ns8QV4dnCd6MGsTnmvOolbRpF/skrEoFTo6KS023SDa4UCSdeIYifV/lJqE+BbOBm\n2ciW1c0SCZTFe8r3U3tXhfDWUn1ks8Aymkm2MDoxFqcTgPJ8lUE+l1AXBbC0jxN3\n/0sc41H/DOT0yOog+hlct/EMd+GiPDOxto7/0G4UzLY59UmsCACBbtWRC3Yp+yVg\n0iITeLWd0Ih9Qme03KrUjglINTdLWeZxCAbsHBnsmaAvJlt6rG1+fJT0tcOnob0p\n9wIDAQAB\n-----END PUBLIC KEY-----\n'
b'-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,F65D07BE5378BA0D03680D4216B4D123\n\nOPtKFQEZKez3PlSRSJS6VREAoAOBiQjhx7wAbdwdO/Oe7398j7UdlO8XHVVM1MpC\nFp3ZoNGH8r1knmkaUQKulJtc4Q0RfNYuZhJ6KSKrKRgdpBH0UB3OM54I7yBKYzo3\nDrFJkyAeUNKQoD7cIvz6BlExoyMmvx4fsE1QTvykNLwYx7Kf+S/xD34RKOvFTdep\n9nhlST//+oiGpnIVUzJj9+vJZadu3i9sTQv/0ioTYeEYe5nwEG9S68G5asnpT03W\nkvaxb2pedp6aF8wOoLcJtvBaDK0lIwTI/ORbBHGHtQFPcqUAGVyL7y/EEyvDgmg+\nyznOyFnmwf3Mqfk6lTSM7V3BtFUUwDPUGbUNh1UnSuuWL6KxK4xLnd08YHSMh5Xr\n1rGIoVT7uJZ8pKpLxIGjzbB

### TASK 1.2.2 Deserializing RSA keys

Now deserialize the keys using `load_pem_public_key()` and `load_pem_private_key`, and check they are correct.

In [55]:
_pub_key_pem = load_pem_public_key(pub_key_pem)
_priv_key_pem = load_pem_private_key(priv_key_pem, PASSWORD)


# checking numbers are the same

assert pub_key.public_numbers().n == _pub_key_pem.public_numbers().n
assert pub_key.public_numbers().e == _pub_key_pem.public_numbers().e

assert priv_key.private_numbers().d == _priv_key_pem.private_numbers().d
assert priv_key.private_numbers().q == _priv_key_pem.private_numbers().q
assert priv_key.private_numbers().p == _priv_key_pem.private_numbers().p

## 1.3 SAVING/LOADING PRIVATE AND PUBLIC KEYS TO/FROM FILE

Read documentation [here](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#key-loading).

Once you have the private and public key serialized, it is advisable to save them into files so you can reuse them. You can use the following functions:

In [56]:
def save_pem(pem, filename): 
    with open(filename, 'wb') as pem_out: 
        pem_out.write(pem)
        
def load_pem(filename): 
    with open(filename, 'rb') as pem_in: 
        pemlines = pem_in.read() 
        return pemlines

### TASK 1.3.1 Saving PEM serialized keys to file

Save your private and public keys to two files, once they are in PEM format.

In [57]:
save_pem(pub_key_pem, "files/pub_key.pem")
save_pem(priv_key_pem, "files/priv_key.pem")

### TASK 1.3.2 Loading PEM serialized keys from file

Now, load your previously saved keys. Check that you are really accessing the previously saved keys and not to newly created ones.

In [58]:
assert pub_key_pem == load_pem("files/pub_key.pem")
assert priv_key_pem == load_pem("files/priv_key.pem")

## 1.4 NUMBERS OF RSA KEYS

Read documentation for [key numbers](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#numbers) and [key interfaces](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#key-interfaces).

The cryptography library provides an interface to access the numbers composing RSA private and public keys.
To access an attribute of a Python object you have to use <code>name_of_object.name_of_attribute</code>. Eg., for accessing the <code>modulo</code> attribute of public key <code>pk</code>, we can do so using the method <code>public_numbers()</code> offered by the key interface of an <code>RSAPublicKey</code>, and then access to the attributes that will be copied in that new <code>RSAPublicNumbers</code> object. Next code shows you how to access to the public key exponent and the public key modulo.

In [59]:
# my_public_key is an RSAPublicKey object 
# u is a RSAPublicNumbers object 

my_private_key = rsa.generate_private_key(public_exponent=PUBLIC_EXPONENT, key_size=KEY_SIZE, backend=None)

my_public_key = my_private_key.public_key()
    

u = my_public_key.public_numbers() 
print("e: ", u.e, "\nn: ", u.n)

e:  65537 
n:  24731735315544743935119966938570575707961082653065767752718289855885169107523958282157266144641135340337381207869980003949317252852332325702905736102931625659711180678217374681351336051081875802220473358218603148888402764320105992292504226552304900273695640709847538128199163664242752982827069554147955611041537278875030664792232091986378254044100579448004296790464282501108674841897379288253072842385217348480827934549931623582131992224401404502574497461484972542565203444892187746643944550499938246386461505059257391706599632793968852047825515320559440369740761252298286197706086592377608393391506649860524210877191


### TASK 1.4.1 Retrieving RSA key numbers

Retrieve and print the numbers that compose your private and public keys.
- Get primes `p` and `q` from the private key.
- Get public exponent `e` and modulo `n` from the public key and private exponent `d` from the private key.

You should get something similar to the following:
```python
PUBLIC KEY NUMBERS:
e = 65537 
n = 28286589195806813523758388238601420643684675859590271480242198902877495065174939388967352229927118658568849300194854591753778288782981184337483735526054958723030953718998273608377686022156012991767916779100447389061810656324359973280201303652806242293533570949451679574458537712176089120105323691385066797554509039787547107291385254211206950822572782513783075701597720659181873730425007754038442219693054334894078838357139617750150040561481356423076762837510859732933469937162361387743959048254286717249809639810546656863888521654105634360262835982057012810292159145370934780218418147053162085567559518732703990058093 
PRIVATE KEY NUMBERS: 
d = 2476592593581328043690215171782274923378590263245631898830122485080352574636828085110619453061962049878207078208005792872471730793853030131505587293414458293067299577942415642535837197234099860334838434448912326143043922455852076333701498090541254837424594200344137470409739374589413604088749062989876150638049371610876500881319783760547095681764714011329189154531191659301167658509610759475554004075665737029703132094188039196801496683266639152961385368199124994673494303163660572592242786952701985154543342061112087376755920622578733780801891307137613105350769102406658645478262464641227300809810227199587461602753 
p = 173957046990765938927114424239968578264521087635448939562764984761896855350232514127134303004576939168705624803510295654154543576942608560832992595163874428473745256858843090788377514132354371334064080364302929220414371906509415218717097948593452823050272958790363412458250094316606182472717994334049807405561 
q = 162606745085229770189985671425851241203684542132103997916672688079679761839438825873423154557612040598908562445786602535037029202864692413022732794513932886210021622367508721149060877356643046321234055671565639387905524818711158877967217539235998104116519392501591296531710899513810414567038655806921266817813
```

In [60]:
u = pub_key.public_numbers()
e = u.e
n = u.n

v = priv_key.private_numbers()
d = v.d
p = v.p
q = v.q

print("PUBLIC KEY NUMBERS:")
print("e =", e)
print("n =", n)

print("PRIVATE KEY NUMBERS:")
print("d =", d)
print("p =", p)
print("q =", q)

PUBLIC KEY NUMBERS:
e = 65537
n = 28224415624555221454089129579294265333135378249267894433893669311514519844392945517809906830080963094641529951351959201994877043381682023663854152293567157789858337924969174846341137836709710369843864796138381255556875225278760858841945659849552789169553582214930153304426028780887251827434879332571112286289926253594893934491733014264755917538161816015515207072372780297079835116112855940637073569182737406399679354730995785067941636481103328974947929076009760642791738331971030836724223345655591136043780399002674507478725335767977799433035307878631225356087976097045513893943072827874809706726571011642661013367287
PRIVATE KEY NUMBERS:
d = 18632670735559785406887196411922522996751486030098653473341922925411228787824599658636275981559315627655611232513580342009984516866937344611694918885227933560862123538211870389656977409787534051776779687885119322240386447681242482228310404403480498396642137029906054331385204315197322891099227220099930925527856358982965760

### TASK 1.4.2 Checking RSA key numbers

Then, do some checks using the web tool [Big Number Calculator](https://www.boxentriq.com/code-breaking/big-number-calculator):
- Compute the product of $p$ and $q$ and compare the result with the value retrieved for modulo $n$.
- Check that exponents $e$ and $d$ are the multiplicative inverse of each other with respect to $\phi(n) = (p-1) \cdot (q-1)$, that is, their multiplication modulo $\phi(n)$ is equal to $1$.

## 1.5 RSA ENCRYPTION/DECRYPTION WITH PKCS1V15

Read documentation for [encryption](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#encryption) and [decryption](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#decryption).

Take into account that RSA is an asymmetric block cipher, therefore it needs padding, but not only because of the length of the message, but more importantly, because the security. The library cryptography offers PKCS1v15 and OAEP paddings for asymmetric encryption. 

Read the documentation [here](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#module-cryptography.hazmat.primitives.asymmetric.padding).

### TASK 1.5.1 Encrypting/Decrypting with RSA PKCSv15

Now you are ready to encrypt with RSA. Create two functions <code>rsapkcs1v15_encryption(public_key, message)</code> and <code>rsapkcs1v15_decryption(private_key, ciphertext)</code> that encrypt and decrypt a message with RSA using PKCS1v15 padding (note that this padding method does not need any parameter). Using your RSA key pair, encrypt and decrypt a small message using these functions. Check that you obtain the original message after decryption.

In [61]:
def rsapkcs1v15_encryption(public_key, message):
    padder = padding.PKCS1v15()

    return public_key.encrypt(message, padder)

def rsapkcs1v15_decryption(private_key, ciphertext):
    padder = padding.PKCS1v15()

    return private_key.decrypt(ciphertext, padder)


message = b"a secret message"

ct = rsapkcs1v15_encryption(pub_key, message)
pt = rsapkcs1v15_decryption(priv_key, ct)

print(pt)

b'a secret message'


### TASK 1.5.2 Decrypting a given ciphertext with RSA PKCSv15
In the `files/` folder you’ll find two files containing a private and public key pair, PEM encoded: <code>fixed_private_key.pem</code> and <code>fixed_public_key.pem</code>. Notice that the password used to protect the private key is <code>b'password'</code>.  

Decrypt the ciphertext provided in next cell:

In [62]:
ciphertext_pkcs1v15 = b'8\xd5\xaag\x9c8:\xc8\x8d\xd7\xbc\x1f\tb\xf6\\`\xba' \
                 b'\x90\xc2\xc9\x019\'\xcd\xc3R\x82\xd09\xb1L+\xb85f\x8b' \
                 b'\x01I\xc7*\xb4\xa7\xa5\xaa\xc9X\x94\t\x03\x9d"\xdc\xcc' \
                 b'\xf8\x9b\xd62\xa0\xa1b%\x8c\xaa\x0f\xeb\xbeI\x849\xc9' \
                 b'\x8c\x01\x12Q\x82\xe1\xa5w\x12\x86*>\xc7\xbeR\x9e\\kv' \
                 b'\x97\x8d\xa9ez/\x18\xe7\x14\x9121\x05:\x8f3\xa5=\xcc\x06' \
                 b'\xfc\x1b\xe0\xae\xb3U\x14]R\x94\x8fh\xabm\x9fC\x0c\xd58J' \
                 b'\x7fQP\xe5\xa7S\xce\xa2\xef0^\x1aD\xc5\x8f\xffF\x86\xe6\x1f' \
                 b'\x8bF\x0c\xf5Ik1%0\x1f\x12\x82\'H\x81\xe9\xd2\xbf\xda<\xa3' \
                 b'\x80\xed\xb5\xef\x8c\x08{ScD:\xfc\xff\xc9P\\\xff\xf5\x8bV' \
                 b'\xc8\x0e\x1b\x93P\xaf\xb8\x1c$5\x85\x90\xf6h\x05x]\xc9\x8a' \
                 b'\xb7\xe8\xfc\x99\x1a2\xc0i\x00\xebn\xbaE\xbf\xf7\xd5+\x1b/' \
                 b'\x9b\xff\xb2\xa3\xf1\x08\x8c!\xcb85/\xb4\xdf\xce/\xacd\xd6\x93k_x\x12\xc3@\x04'

In [63]:
FIXED_PASSWORD = b"password"

fixed_priv_key_pem = load_pem("files/fixed_private_key.pem")
fixed_priv_key = load_pem_private_key(fixed_priv_key_pem, FIXED_PASSWORD)

pt = fixed_priv_key.decrypt(ciphertext_pkcs1v15, padding.PKCS1v15())

print(pt)

b'GREAT AND AWESOME MESSAGE THAT WILL HELP YOU TO PASS THIS COURSE'


### TASK 1.5.3 Encrypting twice the same message with RSA PKCSv15

Encrypt twice the same message.  

**Q:** Do you obtain the same ciphertext? Can you provide some reason for the result you have obtained?  
Hint: You can find why [here](https://datatracker.ietf.org/doc/html/rfc8017#section-7.2.1).

In [64]:
ct = rsapkcs1v15_encryption(pub_key, message)
try:
    ct2 = rsapkcs1v15_encryption(pub_key, ct)
except ValueError:
    print("Second encryption failed")

Second encryption failed


**A:** The padding made the ciphertext too long for it to be encrypted.

### TASK 1.5.4 Largest accepted message length with RSA PKCSv15

How long is the longest message that you can encrypt using RSA with PKCS1v15 padding? Try to encrypt messages of increasing length and note down when an error is raised.

In [65]:
msg = b""

while(1):
    try:
        rsapkcs1v15_encryption(pub_key, msg)
        msg += b"0"
    except ValueError:
        print("The maximum lenght is:", len(msg), "\bB")
        break

The maximum lenght is: 246B


## 1.6 RSA ENCRYPTION/DECRYPTION WITH OAEP PADDING

### TASK 1.6.1
Repeat the previous tasks (from [1.5.1](#task-151-encryptingdecrypting-with-rsa-pkcsv15) to [1.5.4](#task-154-largest-accepted-message-length-with-rsa-pkcsv15)) but use in this case OAEP padding.  

The suggested name of the functions in this case is <code>rsaoaep_encryption(public_key, message)</code> and <code>rsaoaep_decryption(private_key, ciphertext)</code>.  
Notice that OAEP padding needs at least the following parameters: 
- <code>mgf = padding.MGF1(algorithm=utils.hashes.SHA256())</code> 
- <code>algorithm = utils.hashes.SHA256()</code>
- <code>label = None</code>.

You should use for Task 1.5.2 the ciphertext provided in the next cell:

In [66]:
ciphertext_oaep = b'6\x9b\x14\x13l\xc0\xe1I\x02\x8e\xd3\x1f\x9c\xd9\x813P\xae5' \
                 b'\x99\x9f\xec\xbe\xb3\x89\x95\n\x83\xc88\xc1\xc9,\x99\xf3\xcd=d' \
                 b'\x01\xd0\x12\x80+\xc5\xa8\x94\xec\xa5=\xee\x9b\xa7E\xec,rG\xa6' \
                 b'\xd6\xa8p\xf3\xb9\xddC\xee\xbdB\xb1E\x135\xc5\xdbX\xf7\x87)mN\xb0' \
                 b'\x98d\xc5Q\x97\x1ftZ\x8e\x92\x9fS\xac\xee\x96?\xc5\xb1\x08\x81P' \
                 b'\xe8\xe2\x08d\x98\xaf\xf2\x1a\xba\xea!m\xb9M\x8cX\'\x86\x8a\xcd' \
                 b'\xaco6\xaaJ\xa5v5\xa4\xafG\x9fjQWq\xac\xd22kv1\x91\x8f\xbd\x14\x82' \
                 b'\xe7O/\x12r\xc9\x89f\xcb)\xef\xe5W\xa2\xe8\xca\xf43\xa3\xbe\x07\xd9' \
                 b'\x9eA\xc4\x89W\xda\xe1u\xc2<%.\xad\xf7\xb7\xedf\xfc\x9b\xa9\x04=|}\x92' \
                 b'UO?\xc5\x9141d\x10D\xbe\x1a\xa1\xa9\xa4\x18\xdd\xd7\xafP ~\xacs\xefZK' \
                 b'\x9f\xf8}8\x87\xe9\x9d\'\x13b"\x1c\x88\x89)7qzlq\xd7aX\x0e5\xa3s~\xa3\x84\xee\x0b\xa5'

In [67]:
def rsaoaep_encryption(public_key, message):
    padder = padding.OAEP(mgf = padding.MGF1(utils.hashes.SHA256()), algorithm = utils.hashes.SHA256(), label = None)

    return public_key.encrypt(message, padder)

def rsaoaep_decryption(private_key, ciphertext):
    padder = padding.OAEP(mgf = padding.MGF1(utils.hashes.SHA256()), algorithm = utils.hashes.SHA256(), label = None)

    return private_key.decrypt(ciphertext, padder)


message = b"en el aeropuerto hay avione"

ct = rsaoaep_encryption(pub_key, message)
pt = rsaoaep_decryption(priv_key, ct)

assert message == pt

In [68]:
padder = padding.OAEP(mgf = padding.MGF1(utils.hashes.SHA256()), algorithm = utils.hashes.SHA256(), label = None)

pt = fixed_priv_key.decrypt(ciphertext_oaep, padder)

print(pt)

b'I personally think we developed language because of our deep need to complain'


In [69]:
msg = b""

while(1):
    try:
        rsaoaep_encryption(pub_key, msg)
        msg += b"0"
    except ValueError:
        print("The maximum lenght is:", len(msg), "\bB")
        break

The maximum lenght is: 191B


**Q:** Which is the recommended RSA padding scheme? Why?  

**A:** OAEP, as it has been proven secure (and uses mask generation functions and hashes)

# 2. Key Wrapping

Now you’ll focus on Key Wrapping. Key wrapping is the process of encrypting a symmetric key, `key_to_wrap`, using another symmetric key, `wrapping_key`, in order to securely store the first one or transmit it over an untrusted channel.

The library cryptography offers a specific class to wrap and unwrap symmetric keys using AES with and without padding.

Read documentation [here](https://cryptography.io/en/latest/hazmat/primitives/keywrap/).

### TASK 2.1 Wrapping/Unwrapping symmetric keys

In this task you are requested to wrap and unwrap the symmetric key <code>key_to_wrap</code> using given symmetric key <code>wrapping_key</code>. Using the given values for the wrapping key and the key to wrap, check that you obtain the same key when you unwrap it as shown in the following cell.

In [70]:
wrapping_key = b"000102030405060708090A0B0C0D0E0F"
key_to_wrap = b"00112233445566778899AABBCCDDEEFF"

In [71]:
wrapped_key = aes_key_wrap(wrapping_key, key_to_wrap)
unwrapped_key = aes_key_unwrap(wrapping_key, wrapped_key)

print(wrapped_key)
print(unwrapped_key)

b'\xf4z\xe5PY\x0e\xfas,?\xd75yj)\x0e\xb4\xb5\x8d\xdd\xaa/z\xde>\xe6 \xfc\xefh\x19\x90\xd1C\xb6fV\xa5\x81\x86'
b'00112233445566778899AABBCCDDEEFF'


You should obtain the following result:
```python
wrapped_key = b'\xf4z\xe5PY\x0e\xfas,?\xd75yj)\x0e\xb4\xb5\x8d\xdd\xaa/z\xde>\xe6 \xfc\xefh\x19\x90\xd1C\xb6fV\xa5\x81\x86'
unwrapped_key = b'00112233445566778899AABBCCDDEEFF'
```

# 3. Hybrid Encryption
Now you will implement hybrid encryption combining AES256-CTR (CTR operation mode) with RSA-OAEP. Review the concept in the lecture slides.

## TASK 3.1 Hybrid encryption/decryption with RSA-OAEP and AES256-CTR
Complete the code of the following two functions: 
- <code>hybrid_encryption_rsaoaep_aes256_ctr(public_key, message)</code>, which returns three results:
    - <code>encrypted_symmetric_key</code>
    - <code>nonce</code>
    - <code>encrypted_message</code> 
- <code>hybrid_decryption_rsaoaep_aes256_ctr(private_key, encrypted_symmetric_key, nonce, encrypted_message)</code>, which returns the result of the decryption, <code>plaintext</code> 

_Note: you need the functions <code>aes256_ctr_encrypt()</code> and <code>aes256_ctr_decrypt()</code> coded in `Lab1.ipynb`._

In [72]:
def aes256_ctr_encrypt(data_to_encrypt, key, nonce = None):
    if nonce is None: nonce = os.urandom(BLOCK_SIZE_AES)
    
    cipher = Cipher(algorithms.AES256(key), modes.CTR(nonce))
    encryptor = cipher.encryptor()
    ct = encryptor.update(data_to_encrypt) + encryptor.finalize()
    
    return ct, nonce


def aes256_ctr_decrypt(encrypted_data, key, nonce):
    
    cipher = Cipher(algorithms.AES256(key), modes.CTR(nonce))
    decryptor = cipher.decryptor()
    pt = decryptor.update(encrypted_data) + decryptor.finalize()
    
    return pt


def hybrid_encryption_rsaoaep_aes256_ctr(public_key, message):
    # generate the symmetric key for AES-256
    key = os.urandom(KEY_SIZE_AES)

    # encrypt the symmetric key with RSA2048-OAEP
    padder = padding.OAEP(mgf = padding.MGF1(utils.hashes.SHA256()), algorithm = utils.hashes.SHA256(), label = None)
    encrypted_symmetric_key = public_key.encrypt(key, padder)

    # encrypt the message with AES256-CTR
    encrypted_message, nonce = aes256_ctr_encrypt(message, key)

    return encrypted_symmetric_key, nonce, encrypted_message

def hybrid_decryption_rsaoaep_aes256_ctr(private_key, encrypted_symmetric_key, nonce, encrypted_message):
    # decrypt the AES key
    padder = padding.OAEP(mgf = padding.MGF1(utils.hashes.SHA256()), algorithm = utils.hashes.SHA256(), label = None)
    key = private_key.decrypt(encrypted_symmetric_key, padder)

    # decrypt the cyphertext
    plaintext = aes256_ctr_decrypt(encrypted_message, key, nonce)

    return plaintext

After you have coded the functions, use them as shown in the next cell. Print all variables and check that the plaintext you obtain is equal to the message.

In [73]:
B_pub_key = pub_key
B_priv_key = priv_key

# A encrypts a message for B, by computing C_K, NONCE, C_M and sends these values to B 
C_K, NONCE, C_M = hybrid_encryption_rsaoaep_aes256_ctr(B_pub_key, message) 

# B receives C_K, NONCE, C_M and decrypts the message 
plaintext = hybrid_decryption_rsaoaep_aes256_ctr(B_priv_key, C_K, NONCE, C_M)

assert plaintext == message

### TASK 3.2 Decrypt a given ciphertext with hybrid encryption
Using the RSA key pair provided in the lab’s material folder, decrypt the ciphertext given in the next cell and which has been encrypted using the functions specified in [Task 3.1](#task-31-hybrid-encryptiondecryption-with-rsa-oaep-and-aes256-ctr).

In [74]:
C_K = b"5\xed.\xa6w\xb3\x9cyOT8p\xbc\xe8\x0b\xf1\xca1J\xd2|p\x95f'\x90@" \
          b"\x05\xd1A\xb1\x9fz\x0e\xb4\xd4JOK\xe0\x16\x92H\xed\xaeBYA\xfenD" \
          b"\xbf\x82\x83\x07\x99N\x89\x82\xc84\xeaV\xca\xb1\x9e\x1a ]\xbe\xd6" \
          b"\xfc\xce'Q\xfd\x14\x87J\x01,B\xf2\xd2\x01(\xa3\xda\xf1\x9cV\x95}" \
          b"\xec<o\xb3\xe57(J\xb4\xb8\x1d\x1d\xa0+S\xe0\xbb\x8fJ\x07~f\x91\xe57" \
          b"\xb0\xe1\xaa[\x89\xf6\x0b\x7f\x121\xc3\x92\xd6\x02\xbeM<\xda\x8dR6" \
          b"\xa9\xb4C\xa2m\xbdZiAc\xd6\xe6z5\t\xe3C$j$\x8a\xf7\xd5\t\x87\xc4\xa9" \
          b"w\x02\xa7#\xff\xbak\xcd&\x17\x15\xcd%~\xe7h`J[\x95\x81\xb5\xdd:)+\xe5" \
          b"dYY\xb3\xdaF\x9bz\xe8\xf5Y?Ok\xd8\xe5\xecw\x9f\x80H;\x02l]\xdb_\xfe\x83" \
          b"<\xcf\xf4\xd2/\xcf)\x0c\xf9k7\xf4\xbb?l\xb1\xaa\x07\xd1f\x9f'\x96\xcc" \
          b"\xc9i\xdb\x83XQ\x8e\xc7U\x8d"

b64_C_K = b'Ne0upneznHlPVDhwvOgL8coxStJ8cJVmJ5BABdFBsZ96DrTUSk9L4BaSSO2u' \
              b'QllB/m5Ev4KDB5lOiYLINOpWyrGeGiBdvtb8zidR/RSHSgEsQvLSASij2vGcVp' \
              b'V97Dxvs+U3KEq0uB0doCtT4LuPSgd+ZpHlN7DhqluJ9gt/EjHDktYCvk082o1SN' \
              b'qm0Q6JtvVppQWPW5no1CeNDJGokivfVCYfEqXcCpyP/umvNJhcVzSV+52hgSluVg' \
              b'bXdOikr5WRZWbPaRpt66PVZP09r2OXsd5+ASDsCbF3bX/6DPM/00i/PKQz5azf0uz9' \
              b'ssaoH0WafJ5bMyWnbg1hRjsdVjQ=='

NONCE = b'\x01\xd5\xef00rB\x13e\xd6\x1e84\n\xbc\xe3'

b64_NONCE = b'AdXvMDByQhNl1h44NAq84w=='

C_M = b'\x18\xe6\x0c\x98&\x83\xef\x85J\x12zsJ\xb2\x87\x84\r\xa68\xb9\xcf\x90' \
          b'\x10~\x84|\x9f>\xfd%LGk\x8a\xe7\xeb\xa8\xaaK\x0c\x8dc\xa8\xc2\xb3d\x90' \
          b'\x8f\xa1u\x8e\xcc_h'

b64_C_M = b'GOYMmCaD74VKEnpzSrKHhA2mOLnPkBB+hHyfPv0lTEdriufrqKpLDI1jqMKzZJCPoXWOzF9o'

In [75]:
plaintext = hybrid_decryption_rsaoaep_aes256_ctr(fixed_priv_key, C_K, NONCE, C_M)
print(plaintext)

b'YOU ARE GETTING THROUGH THIS LAB AS A TRUE NINJA CODER'


# 4. Diffie-Hellman Key Exchange
Now you’ll code a (non-authenticated) Diffie-Hellman key exchange.
Read documentation [here](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dh/#diffie-hellman-key-exchange).

Notice that there are three main steps: 
1. Generate a parameters object using in this case <code>GENERATOR=2</code> and <code>KEY_SIZE=2048</code> (already given in Section 0). This object must be known by both entities participating in the key exchange.
2. Each entity generates their private share (called here private key).
3. From the private share, the public share can be computed using function <code>my_public_share = my_private_key.public_key()</code>. This is the value that is sent to the other entity through the insecure channel.

Then each party can compute the shared key using function <code>my_private_key.exchange(the_public_share_of_the_other_party)</code>

### TASK 4.1 (Local) Diffie-Hellman key exchange
Write code where two entities compute their Diffie-Hellman private and public shares (using the generator and key size stated above) and then both compute the shared key (assuming that public shares have been exchanged somehow). Check that both parties compute the same the same shared key.

_Note: The Diffie-Hellman method takes several minutes to finish its execution._

In [76]:
# generate the parameters
parameters = dh.generate_parameters(GENERATOR, KEY_SIZE)

# each party generates their private key
a_priv_key = parameters.generate_private_key()
b_priv_key = parameters.generate_private_key()

# compute the public keys
a_pub_key = a_priv_key.public_key()
b_pub_key = b_priv_key.public_key()

# <share the public keys>

# compute the shared key
shared_key_a = a_priv_key.exchange(b_pub_key)
shared_key_b = b_priv_key.exchange(a_pub_key)

assert shared_key_a == shared_key_b

### TASK 4.2 Diffie-Hellman key exchange with a peer