# Notebook for Lab 3 - Asymmetric Encryption

## General goal
In this lab you’ll get familiarized with programming hash functions, MAC, key derivation functions,
authenticated encryption and signatures using pyca/cryptography library. 

## Specific goals
- Hash with SHA256 and SHA512
- MAC with HMAC and CMAC
- Key derivation functions with Scrypt and PBKDF2
- Authenticated encryption with Fernet and AES-GCM
- RSA-PSS signature scheme

## Modules
Cryptography library documentation can be found at https://pypi.org/project/cryptography. You’ll may find useful to have these links as reference:
- Hash functions:
https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/
- MAC:
https://cryptography.io/en/latest/hazmat/primitives/mac/
- Key derivation functions:
https://cryptography.io/en/latest/hazmat/primitives/key-derivation-functions/
- Authenticated encryption with Fernet (Encrypt-then-MAC):
https://cryptography.io/en/latest/fernet/
https://github.com/fernet/spec/blob/master/Spec.md
- RSA signatures:
https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#signing
https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#verification

## Lab assignment and assessment
You are given one Python script/notebook, that contains the headers of all the functions you should develop at the end of this lab. Next, you’ll be guided through several tasks you’ll have to complete in order to do so.

Lab 3 assessment will be performed with a test/quiz/exam at the end of the course (along the other lab assessments).

# 0. Modules installation and imports

In [151]:
import base64, os

from cryptography.hazmat.primitives import hashes, hmac, cmac
from cryptography.exceptions import InvalidSignature
from cryptography.fernet import InvalidToken
from cryptography.hazmat.primitives.ciphers import algorithms

from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
from cryptography.hazmat.primitives.kdf.scrypt import Scrypt
from cryptography.exceptions import InvalidKey, InvalidTag

from cryptography.fernet import Fernet
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.asymmetric import padding as asym_padding
from cryptography.hazmat.primitives.asymmetric import utils

from cryptography.hazmat.primitives.serialization import load_pem_private_key, load_pem_public_key
from cryptography.hazmat.primitives import serialization

# 1. Message digests (Hash functions)
First, you’ll focus on cryptographic hash functions. A cryptographic hash function takes an arbitrary block of data and
calculates a fixed-size bit string (a digest), such that different data results (with a high probability) in different digests.

Read documentation at: https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/

Notice that every time you need to compute a digest you need to create a hash object (if you do not do this, you’ll get
an error).

### Task 1.1 Applying SHA256 hash function

#### TASK 
<mark>Compute the hash of the given message using SHA256 algorithm. Check that you should obtain the following digest or hash value</mark>

In [130]:
message = b'very important software that needs its integrity checked'

# YOUR CODE HERE

#### CHECK

In [128]:
digest_value_SHA256 = b'\xb8\r\x9eN\xa8\xb6\x9dp\xbc\xb6\xd0\xcf\xb8\x90;\x99\xee\x96\xe0\xda\xa8\x0e5\xa1i\xfe\xbe\x9e\xb5\x9c\x1a\x8c'
b64_digest_value_SHA256 = b'uA2eTqi2nXC8ttDPuJA7me6W4NqoDjWhaf6+nrWcGow='

#### QUESTION

<mark>Which is the length of the digest?</mark>

### Task 1.2 Applying SHA512 hash function

#### TASK

<mark>Repeat again the previous computation with the same message, but in this case, use SHA512 algorithm.</mark>

In [134]:
message = b'very important software that needs its integrity checked'

# YOUR CODE HERE

#### CHECK

In [86]:
digest_value_SHA512 = b'=\xbf\xe6^\x8c\xf6\xfd\xae;\x96\xb8\xce\xeb\n\xe70\xe5=\x1d\xe2D%\xa4\xa6P\x81\xae\xdd"\xef\xb7 6\x99b\xc1\xb4\xf1_E\xce\x08\xd1\xdf\xacvG;\xfd\xb7\x8a\x89jDM?\x9ak\xd7\xbf\x0b\x99x\xfc'
b64_digest_value_SHA512 = b'Pb/mXoz2/a47lrjO6wrnMOU9HeJEJaSmUIGu3SLvtyA2mWLBtPFfRc4I0d+sdkc7/beKiWpETT+aa9e/C5l4/A=='

#### QUESTION

<mark>Which is the length of the digest?</mark>

### Task 1.3 Comparing outputs with 1-bit different inputs

#### TASK

<mark>Check that by changing just one bit of the input, the digest is quite different. Use the following data:</mark>

In [136]:
data_to_hash_1 = b'abc123'
data_to_hash_2 = b'bbc123'

# YOUR CODE HERE

Notice that their binary representation only differs in one bit (you can easily check it by printing their hex value (<code>data_to_hash.hex()</code>). You can also use hexadecimal representation to assess the differences in the outputs.

# 2. Message Authentication Codes (MAC)

Now you’ll generate and verify Message Authentication Codes or MACs.
Read the documentation at: https://cryptography.io/en/latest/hazmat/primitives/mac/

## 2.1 HASH-BASED MESSAGE AUTHENTICATION CODE (HMAC)

Read the documentation at: https://cryptography.io/en/latest/hazmat/primitives/mac/hmac/

### Task 2.1.1 Computing an authentication tag with HMAC

#### TASK 

<mark>Use the HMAC algorithm (combined with the hash function SHA256) to compute the authentication tag on the given message and using the given key. You should obtain the authentication tag shown below.</mark>

Notice that if you want to use a fresh key you may use the following method provided by the library to get the size of
the digest (in the case of HMAC it would be wise to use a key of this size): 
<code>hmac_key = os.urandom(hashes.SHA256.digest_size)</code>

In [88]:
hmac_key = b'$\x7f0^\xcd\xce?5\xf3\x08\xaftq\xfc\x92"D5\xacQ\xbbz^P\xeej\x15\x83G\xbf\x86\xd2'
b64_hmac_key = b'JH8wXs3OPzXzCK90cfySIkQ1rFG7el5Q7moVg0e/htI='
message_to_mac = b'message to mac'

# YOUR CODE HERE

#### CHECK

In [89]:
hmac_auth_tag = b'k~\x91g=\x1aL\x05\xd10\x01\xaat$\xaf\x03@\x1dW\xc2\xc1\x9a\xe9m\xe2\xb6\r\xfce-\x91\xdc'
b64_hmac_auth_tag = b'a36RZz0aTAXRMAGqdCSvA0AdV8LBmult4rYN/GUtkdw='



### Task 2.1.2 Verifying an HMAC authentication tag

#### TASK

<mark>Now you’ll verify the authentication tag you have generated. We are going to capture the exception that may be raised when verification fails. You can use the following code, where we capture the exception <code>cryptography.exceptions.InvalidSignature</code>.</mark>

In [90]:
mac = hmac.HMAC(hmac_key, hashes.SHA256())
try:
    mac.update(message_to_mac)
    mac.verify(hmac_auth_tag)
    print('The HMAC verification has been successful')
except InvalidSignature:
    print('The HMAC verification has failed')

The HMAC verification has been successful


In [147]:
# YOUR CODE HERE

### Task 2.1.3 Failed HMAC verifications

#### TASK 

<mark>Check that verification fails when you modify the message, the authentication tag or both.</mark>

In [92]:
# YOUR CODE HERE

## 2.2 CIPHER-BASED MESSAGE AUTHENTICATION CODE (CMAC)

Now you’ll repeat the previous tasks but, in this case, you’ll use the CMAC algorithm.
Read the documentation at: https://cryptography.io/en/latest/hazmat/primitives/mac/cmac/

### Task 2.2.1 Computing an authentication tag with CMAC

#### TASK 

<mark>Use the CMAC algorithm (combined with AES 128 block cipher) to compute the authentication tag on the
given message and using the given key.</mark> 

Notice that if you want to use a fresh key you may use the following method provided by the library to get the size of the digest (in the case of HMAC it would be wise to use a key of this size) as shown next.

<code>AES_128_BYTE_KEY_SIZE = 128/8</code>

<code>cmac_key = os.urandom(AES_128_BYTE_KEY_SIZE)</code>


In [152]:
cmac_key = b'\xf8&=\x1a$\xb4\xfa\x1a\xe2\xed\xe16.\xf9\x8af'
b64_cmac_key = b'+CY9GiS0+hri7eE2LvmKZg=='
message_to_mac = b'message to mac'

# YOUR CODE HERE

#### CHECK

In [94]:
cmac_auth_tag = b'K\xaf\xa2\xedQq\xc4q\xfdk4\xd6\xf3\x11u\xb1'
b64_cmac_auth_tag = b'S6+i7VFxxHH9azTW8xF1sQ=='

### Task 2.2.2 Comparing HMAC and CMAC

#### TASK 

<mark>Compare the length of the tag obtained with CMAC and with HMAC with the provided parameters and configurations.
Justify their values and provide reasons for their differences.</mark>

In [95]:
# YOUR CODE HERE

### Task 2.2.3 Verifying a CMAC authentication tag

#### TASK 

<mark>Verify the authentication tag you have generated. You may have to capture the exception <code>cryptography.exceptions.InvalidSignature</code>.</mark>

In [96]:
# YOUR CODE HERE

### Task 2.2.4 Failed CMAC verifications

#### TASK 

<mark>Check that verification fails when you modify the message, the authentication tag or both.</mark>

In [97]:
# YOUR CODE HERE

# 3. Key Derivation Functions (KDF)

Key derivation functions derive bytes suitable for cryptographic operations from other data (like passwords) or
entropy-rich data sources.

Read the documentation at: https://cryptography.io/en/latest/hazmat/primitives/key-derivation-functions/

Notice that these functions may have two different goals:
- Cryptographic key derivation. In this case, we seek to enhance the quality of the key.
- Password storage. In this case, we seek to conceal the real value of the password but at the same time increase the computational effort an adversary should have to do in order to run a brute force attack.

## 3.1 Scrypt (Secure password storage)

You’ll first use Scrypt to compute the “hash” of a password (eg, you would store this value in a server’s database,
together with the needed additional parameters, to authenticate users by checking their passwords).

Read documentation at: https://cryptography.io/en/latest/hazmat/primitives/key-derivationfunctions/#cryptography.hazmat.primitives.kdf.scrypt.Scrypt

Notice that the salt should be randomly generated, but we provide it here so you can replicate the results.

### Task 3.1.1 Secure password storage with Scrypt

#### TASK

<mark>Compute the “hash” of the given password using the following parameters and configurations.</mark>

In [162]:
password = b'my great password'
salt = b'f?d\xbc\xf1\x94\xe2<\xad\xeb\x11\xa8\xb7q\xbc\xeb'
b64_salt = b'Zj9kvPGU4jyt6xGot3G86w=='
length = 32
n = 2^14
r = 8
p = 1

# YOUR CODE HERE

#### CHECK

In [99]:
hashed_pwd = b'\x0e\xc6M\xf7In\x97\xce\x87\x8c\xce\x06\xceo\xe2\xeb\x18\x02*v\xa2=c\xfd\x14\xba\xe0\xf7 \xc2\xf0\x97' 
b64_hashed_pwd = b'DsZN90lul86HjM4Gzm/i6xgCKnaiPWP9FLrg9yDC8Jc='

### Task 3.1.2 Password verification with Scrypt

#### TASK

<mark>Now verify the password against the “hash” of the password using the same parameters and configuration.</mark>

In [100]:
# YOUR CODE HERE

### Task 3.1.3 Failed password verification with Scrypt

#### TASK

<mark>Try to verify the “hashed” password against another (incorrect) password. Notice that you have to capture the
exception <code>cryptography.exceptions.InvalidKey</code>.</mark>

In [101]:
# YOUR CODE HERE

## 3.2 PBKDF2 (Password Based Key Derivation Function 2)

Now, you’ll use PBKDF2 (combined with a SHA256 based HMAC) to derive a high-quality key from a password.

Read documentation at: https://cryptography.io/en/latest/hazmat/primitives/key-derivationfunctions/#cryptography.hazmat.primitives.kdf.pbkdf2.PBKDF2HMAC

### Task 3.2.1 Generating high-quality keys from a password with PBKDF2

#### TASK 

<mark>Compute the derived key from the given password using the following parameters and configurations.</mark>

Note: We will not practice the verification of PBKDF2 as it is not necessary if used for generating higher quality keys.
However, it can be verified similarly to Scrypt function

In [167]:
pwd = b'my great password'
salt = b'\x00\x10\xe1e\xbek\xeeSGd\xb5(=\x1f\xaft'
b64_salt = b'ABDhZb5r7lNHZLUoPR+vdA=='
algorithm = hashes.SHA256()
length = 32
iterations = 100000

# YOUR CODE HERE

#### CHECK

In [103]:
derived_key = b'\xbeW\x06U\xc2\xb8\xf8\xdai\xf5\x12k\x18\xe8\x82\xdb\xde/\xfcnB\xf7\x1b\xa6\xe1J\xa1\x82\x984+\xe2'
b64_derived_key = b'vlcGVcK4+Npp9RJrGOiC294v/G5C9xum4Uqhgpg0K+I='

# 4. Authenticated Encryption

## 4.1 FERNET

Fernet is a system for symmetric encryption/decryption, using current best practices. It also authenticates the
message, which means that the recipient can tell if the message has been altered in any way from what was originally
sent. Fernet is included in the cryptography library. It is implemented with AES 128 in CBC mode and 256-bit SHA256
HMAC.

To encrypt and decrypt data, we will need a secret key that must be shared between anyone who needs to encrypt or
decrypt data. It must be kept secret from anyone else, because anyone who knows the key can read and create
encrypted messages. This means that we will need a secure mechanism to share the key. The same key can be used
multiple times.

Read documentation at:

https://cryptography.io/en/latest/fernet/

https://github.com/fernet/spec/blob/master/Spec.md

### Task 4.1.1 Encrypting a message with Fernet

To encrypt (and authenticate) a message, we must first create a Fernet object using a previously created key. We then
call the encrypt function, passing the data we wish to encrypt in the form of a byte array.

#### TASK 

<mark>Encrypt the given message using Fernet with the given key given.</mark>

Notice that although in this lab assignment the key is provided to you, you should randomly generate new ones for
each session.

Notice also that the key and the token are coded following a variant of base64 which is safe for URL encoding:
<code>base64URL</code>.

In [170]:
message = b'my deep dark secret'
fernet_key = b'jdOQiny3SqoBvqNyFUSrGSG_rYzoDoPIONR21LTRCxk='

# YOUR CODE HERE

#### CHECK

You should get something *similar* to the token shown next (notice that it should be different, as the IV, is with a high probability different). Notice that this token contains the HMAC authentication tag, several parameters (version, timestamp), the IV for CBC and the AES ciphertext.

In [105]:
fernet_token = b'gAAAAABfs9hj_1geoztj4Toon--b6IKAHZtUhYAofYN5jK29l-9_1i-Gb9R6AOQqZSpTSyX8-0fIgbY8fgNUz7gmVhmAYiQ1qJS1xp0eMaZHOWrQlBTTgfA='

### Task 4.1.2 Decrypting a message encrypted with Fernet

To decrypt (and verify) a Fernet token, you must again create a Fernet object using the same key that was used to
encrypt (and authenticate) the data. You then have to call the decrypt function, passing to it the Fernet token in the
form of a byte array. The function returns the decrypted original message if everything is correct.

#### TASK 

<mark>Verify the Fernet token you obtained in the previous task.</mark>

In [106]:
# YOUR CODE HERE

### Task 4.1.3 Failed Fernet token verification

#### TASK 

<mark>Modify the token and check that the decryption (and verification) raises an error. It could be a good idea to capture the exception <code>cryptography.fernet.InvalidToken</code>. To make the modifications at the beginning of the Fernet token, you can use, for example, <code>corrupted_token = b'01a2' + token </code>.</mark>

In [107]:
# YOUR CODE HERE

## 4.2 AES-GCM

Another way to implement both encryption and authentication is using an authenticated encryption operation mode.
These modern operation modes encrypt the plaintext and also generate an authentication tag, in both cases using
symmetric cryptography. Encryption is done with a symmetric cipher and authentication with a MAC.

In this Lab you’ll use one of these special operation modes, particularly, the Galois Counter Mode (GCM).
GCM implements what is known as authenticated encryption with additional data (AEAD). In this case data used as
input to the algorithm is composed by two different parts:
- plaintext: this will be the part of the input that will be encrypted and authenticated
- associated data: this part of the input will NOT be encrypted, but will be authenticated

Read the documentation of the function that already integrates AES with GCM at:

https://cryptography.io/en/latest/hazmat/primitives/aead/#cryptography.hazmat.primitives.ciphers.aead.AESGCM

### Task 4.2.1 Encrypting (and authenticating) with AES-GCM

#### TASK 

<mark>Encrypt with AESGCM the following plaintext (data) and associated data (aad) using the parameters given in Code
Snippet 12.</mark>

Notice that although in this lab assignment the key is provided to you, you should randomly generate new ones each
time you would like to use AESGCM.

Notice also that the documentation of this class repeats multiple times that YOU SHOULD NEVER REUSE A NONCE
with the same key. Doing so makes the encryption completely vulnerable.

In [178]:
data = b"my super mega secret message"
aad = b"authenticated but unencrypted data"
aesgcm_key = b'\x00A \x07a\x1c\xa4T\xd8N\xa6\x1c\xae\x89\xd2\xde'
b64_aesgcm_key = b'AEEgB2EcpFTYTqYcronS3g=='
aesgcm_nonce = b'&\xa8\xc4\xb0\xf6\xbf\xd4\xea\xe3UU+'
b64_aesgcm_nonce = b'JqjEsPa/1OrjVVUr'

# YOUR CODE HERE

#### CHECK

In [109]:
ciphertext_tag = b'\xea\x80\x94\t(\x9e\xda\xcdo\xdc\xb7\x048\x8e\xb6\xaa6\nZu\xa7y\xe0n\xa8\x0bv\xcd\xf3\xd6\xf9\xec\x85j\xcco\xa3\xc2\xa1\xd2n\xb5|\x18'
b64_ciphertext_tag = b'6oCUCSie2s1v3LcEOI62qjYKWnWneeBuqAt2zfPW+eyFasxvo8Kh0m61fBg='

### Task 4.2.2 Decrypting (and verifying) an AES-GCM ciphertext (and authentication tag)

#### TASK 

<mark>Verify your ciphertext and tag. You should get the original plaintext.</mark>

In [110]:
# YOUR CODE HERE

### Task 4.2.3 Failed AES-GCM decryption (and authentication)

#### TASK 

<mark>Modify the ciphertext and check that the decryption and verification process fail. You may have to capture the
exception <code>cryptography.exceptions.InvalidTag</code>.</mark>

In [111]:
# YOUR CODE HERE

# 5. RSA Signatures

## 5.1 RSA SIGNATURE GENERATION (SIGNING)

A digital signature is a byte-like object that allows verifying the authenticity of digital messages or documents. Digital
signatures schemes use asymmetric cryptography. In this Lab you’ll use RSA signature generation and verification
functions.

Read the documentation at: https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#signing

### Task 5.1.1 Reading the contents of a file

#### TASK

<mark>Create a file called <code>payload.txt</code> within the Lab environment. Write something (ascii) in the file. Save it.</mark>

Now you can read its contents (as binary data) with the following code.

In [112]:
with open('payload.txt', 'rb') as f:
    payload = f.read()

<mark>Retrieve the content of the file (by reading it) and print it with Python.</mark>

Remember that to avoid dealing with the path of the file you should save it in the same folder where your script
is stored.

In [113]:
# YOUR CODE HERE

### Task 5.1.2 Signing with RSA-PSS

To perform the signature, you may use one of the asymmetric keys generated previously in Lab2 or generate a
new keypair. Which one do you have to use to generate the signature, the public or the private one? Check the
library documentation to answer this question or review lecture materials!

#### TASK 

<mark>Sign the contents of the file <code>payload.dat</code>. Use PSS padding and SHA256 hash. For PSS padding, use the parameters given next.</mark>

In [184]:
mgf = asym_padding.MGF1(hashes.SHA256())
salt_length = asym_padding.PSS.MAX_LENGTH

# YOUR CODE HERE

### Task 5.1.3 Saving data to a file

#### TASK

<mark>After generating the signature, save it in a file called <code>signature.sig</code> using the following code.</mark>

In [194]:
with open('signature.sig', 'wb') as f:
    f.write(signature)
    
# YOUR CODE HERE

<mark>Have a look at the contents of this file using the IDE you are using (or a simple text editor like NotePad++ or similar).
If you do not like what you see, encode the data before saving with base64 encoding or in hexadecimal.</mark>

## 5.2 RSA SIGNATURE VERIFICATION

To verify the document signed in the previous section it is necessary that you use the corresponding key, and the
contents of the files <code>payload.dat</code> and <code>signature.sig</code>. If you encoded the signature, remember to decode it before the verification.

Read the documentation at: https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#verification

### Task 5.2.1 Verifying an RSA-PSS signature

First, make sure you know the key you should use, the public or the private one?

#### TASK 

<mark>Write the code needed to verify the previous signature using the same algorithm parameters. Note that it may raise
the exception <code>cryptography.exceptions.InvalidSignature</code> if the signature isn’t valid.</mark>

### Task 5.2.2 Failed RSA-PSS signature verification


#### TASK 

<mark>Sign the document again and before verifying it:</mark>
- <mark>Check that the generated signature is different</mark>
- <mark>Change some character within the contents of <code>payload.txt</code> and check that the verification fails.</mark>