# Symmetric Encryption Lab
Symmetric cryptography, also known as shared-key cryptography, is a method of encryption and decryption that uses the same secret key for both processes. 

When performing symmetric encryption, there are a lot of options, each with different results. In this lab we'll look at the effect of different ciphers and modes of operation on the ciphertext. We'll also look at key derivation functions, padding and error propagation.

This lab will run on the bash kernel and we will rely on openssl for most of the work.

Locate the "USD_logo.bmp" file and copy into to a working directory for the encrypted images you'll be generating.

First, let's check the version of openssl we are using. Type:

`openssl version`

In [21]:
!openssl version # remember to use the ! character to execute linux commands in jupyter labs

OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)


to see a list of all available ciphers type:

`openssl enc -list`

In [22]:
!openssl enc -list

Supported ciphers:
-aes-128-cbc               -aes-128-cfb               -aes-128-cfb1             
-aes-128-cfb8              -aes-128-ctr               -aes-128-ecb              
-aes-128-ofb               -aes-192-cbc               -aes-192-cfb              
-aes-192-cfb1              -aes-192-cfb8              -aes-192-ctr              
-aes-192-ecb               -aes-192-ofb               -aes-256-cbc              
-aes-256-cfb               -aes-256-cfb1              -aes-256-cfb8             
-aes-256-ctr               -aes-256-ecb               -aes-256-ofb              
-aes128                    -aes128-wrap               -aes192                   
-aes192-wrap               -aes256                    -aes256-wrap              
-aria-128-cbc              -aria-128-cfb              -aria-128-cfb1            
-aria-128-cfb8             -aria-128-ctr              -aria-128-ecb             
-aria-128-ofb              -aria-192-cbc              -aria-192-cfb             
-aria-192

For this lab, we'll start with AES-128-CBC

Before we can start encrypting, we need something to encrypt. You can create your plaintext using an editor or use the code model in the code cell below to create your file. Change the "..." to your message. Make sure you use at least 100 characters.

`echo "..." > plain.txt`



In [23]:
!echo "This is my plain text for my CYBR504 class" > plain.txt 
!cat plain.txt

Turing played a pivotal role in cracking the German Enigma code during WWII.


Now, let's encrypt your secret message using AES-128-CBC.  

We'll use the openssl command to encrypt the file:

`openssl <cipher> -e -in plain.txt -out cipher.txt -K <key> -iv <iv>`

You'll need to replace \<cipher\> with the cipher to use. We're using AES-128-CBC, so use "aes-128-cbc" as the cipher.
    
For CBC mode you'll also need both a key and an intialization vector. These should be random (i.e, unguessable). Let's generate those.

We can use the random number functions of openssl to generate these. Because the encryption command expects these in hex format we'll use the -hex option

`openssl rand -hex <number of bytes>`
    
If we are using a 128-bit key size, how many bytes is that?
    
In the code cell below, run your openssl command to generate the random value. Run it a few times, just to see how it changes.

In [24]:
# !openssl enc -aes-128-cbc -e -in plain.txt -out cipher.txt -K $(openssl rand -hex 16) -iv $(openssl rand -hex 16)

print('If we are using a 128-bit key size, we are using 16 bytes')
print()
print('My generated random values:')
!openssl rand -hex 16
!openssl rand -hex 16
!openssl rand -hex 16
!openssl rand -hex 16

If we are using a 128-bit key size, we are using 16 bytes

My generated random values:
27e5b6785f4dc17ba29020bc5cd0f5b3
6ab11314818b6d596c7c40a3b2e87e79
296fb9f56bc2f032cbe20f9557d6d7f9
77e3964f1b2b27dca38e63e0292af5aa


We could just cut and paste the random values into the openssl command to do the encryption, but let's look at a bash shell trick.

We can send the output of the command to an variable we can use later. Try running the following in a code cell.

``` myKey=$(openssl rand -hex 16)
echo $myKey ```

In [50]:
!myKey=$(openssl rand -hex 16)
!echo $myKey 




Do it again, but use myIV as the variable.

In [51]:
!myIV=$(openssl rand -hex 16)
!echo $myIV 




Let's use this to encrypt our plaintext. Use the command:

`openssl aes-128-cbc -e -in plain.txt -out cipher.txt -K $myKey -iv $myIV`



In [52]:
!myKey=$(openssl rand -hex 16)
!myIV=$(openssl rand -hex 16)

!openssl aes-128-cbc -e -in plain.txt -out cipher.txt -K $myKey -iv $myIV

iv undefined


In [28]:
!myKey=$(openssl rand -hex 16)
!myIV=$(openssl rand -hex 16)
!openssl aes-128-cbc -e -in plain.txt -out cipher.txt -K $myKey -iv $myIV

iv undefined


In [53]:
"""
I was getting an "iv endefined error" using the example code.
It could be that the shell commands are running in different shell sessions.
To fix this, I ensure the '!myIV' variable is defined in the same subshell session by combining all the commands into a single line.
!bash commands are separated by semicilons;; and I only use the ! character one (1) time to initiate all three (3) bash commands.
"""

!myKey=$(openssl rand -hex 16); myIV=$(openssl rand -hex 16); openssl aes-128-cbc -e -in plain.txt -out cipher.txt -K $myKey -iv $myIV

look at the ciphertext

In [54]:
cat cipher.txt

4lR���$�!��b�:;��XE�ۉ��塖w�&T
%=:��X��7�
�M��%(�0����$����XA9���}	��

Now try looking it in hex format.

In [55]:
cat cipher.txt | hexdump -C

00000000  34 6c 52 11 b8 88 0c 98  24 f1 21 e5 e3 a6 62 dc  |4lR.....$.!...b.|
00000010  3a 3b a6 c9 58 45 8a db  89 83 9d e5 a1 96 77 ea  |:;..XE........w.|
00000020  85 26 54 0a 25 3d 3a 81  dc 58 e4 11 a3 37 c2 99  |.&T.%=:..X...7..|
00000030  02 a7 0a 85 4d 8f a0 25  1e 28 a4 30 f4 b5 d4 fa  |....M..%.(.0....|
00000040  24 a6 f6 f5 d9 58 41 39  e0 db 0b f9 7d 09 f5 b2  |$....XA9....}...|
00000050


Now decrypt the file. 
* use the same openssl command as before, but use -d for decrypt instead of -e,
* use 'decrypted.txt' as the output filename.

In [56]:
# openssl ...
# cat decrypted.txt

!openssl aes-128-cbc -d -in cipher.txt -out plain2.txt -K $myKey -iv $myIV

iv undefined


In [33]:
!openssl aes-128-cbc -e -in plain.txt -out cipher.txt -K $myKey -iv $myIV

iv undefined


In [38]:
!myKey=$(openssl rand -hex 16)
!myIV=$(openssl rand -hex 16)
!openssl aes-128-cbc -e -in plain.txt -out cipher.txt -K $myKey -iv $myIV
!openssl aes-128-cbc -d -in cipher.txt -out plain2.txt -K $myKey -iv $myIV


iv undefined
iv undefined


In [39]:
!myKey=$(openssl rand -hex 16)
!myIV="0123456789abcdef0123456789abcdef" # replace with the desired value for the IV
!openssl aes-128-cbc -e -in plain.txt -out cipher.txt -K $myKey -iv $myIV
!openssl aes-128-cbc -d -in cipher.txt -out plain2.txt -K $myKey -iv $myIV


iv undefined
iv undefined


In [41]:
!openssl aes-128-cbc -e -in plain.txt -out cipher.txt -K $(openssl rand -hex 16) -iv "0123456789abcdef0123456789abcdef"

In [42]:
!openssl aes-128-cbc -d -in cipher.txt -out plain2.txt -K $(openssl rand -hex 16) -iv "0123456789abcdef0123456789abcdef"

bad decrypt
2020E39CFFFF0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:124:


In [None]:
# trying using other hashing algo
!myKey=$(openssl rand -hex 16)
!myIV=$(openssl rand -hex 16)
!openssl aes-256-cbc -e -in plain.txt -out cipher.txt -K $myKey -iv $myIV
!openssl aes-256-cbc -d -in cipher.txt -out plain2.txt -K $myKey -iv $myIV


In [48]:
!myKey=$(openssl rand -hex 32);
!myIV=$(openssl rand -hex 16);
!openssl aes-256-cbc -e -in plain.txt -out cipher.txt -K $myKey -iv $myIV;
!openssl aes-256-cbc -d -in cipher.txt -out plain2.txt -K $myKey -iv $myIV


iv undefined
iv undefined


Next, verify that the decrypted output is the same as the original input. 

Use `diff -as <f1> <f2>` 

In [49]:
!diff -as plain.txt plain2.txt

1d0
< Turing played a pivotal role in cracking the German Enigma code during WWII.


---
## Key Derevation Functions

In the previous examples, we explicitly included the key and initializtion vector. Another way to do this is to use a key derivation function. These take a passphrase and extend it to the number of bits desired. Typically KDFs use a hash function of a specialized hash function for the task. Think about it. If you take a simple passphrase and hash it to 128-bits, that is a unique transormation based on the passphrase. We can use this when encrypting or decrypting with openssl.

If we change our encryption command to:

`openssl aes-128-cbc -e -in plain.txt -out cipher.txt -pbkdf2 -k my_passphrase -P`

In this case, PBKDF2 is the specified key derivation function.

openssl will automatically generate the key and IV needed. Try it in a code cell.

In [64]:
!cat plain.txt

Turing played a pivotal role in cracking the German Enigma code during WWII.


In [61]:
!openssl aes-128-cbc -e -in plain.txt -out cipher.txt -pbkdf2 -k my_passphrase -P

salt=C6A324B9F1016CD4
key=DB5398F36E11359027F4759B99755BB0
iv =055FA608B9B1E39F5414D0D8088CEA9B


Run the same command again with the same passphrase, but name your output 'cipher2.txt', then compare the two files.

`diff -as cipher.txt cipher2.txt`

In [62]:
# add this line -> Run the same command again with the same passphrase, but name your output 'cipher2.txt'
!openssl aes-128-cbc -e -in plain.txt -out cipher2.txt -pbkdf2 -k my_passphrase -P

salt=916DD99DF22F7E32
key=46FDC683987BDB3D0A43EDDBD7D0F543
iv =28373997013385AF847C34498DAF72B5


In [63]:
# hten compare the two files
!diff -as cipher.txt cipher2.txt`

/bin/bash: -c: line 1: unexpected EOF while looking for matching ``'
/bin/bash: -c: line 2: syntax error: unexpected end of file


<div style="background-color:rgba(225,135,0,.85); color:black; font-weight:bold; padding:6px;">
Although you used the same plaintext file, and the same passphrase, why are they not the same?</div>

>If you need a hint, open a code cell and run `hexdump -C cipher.txt | head -n 4`

In his section, instead of explicitly stating a key an initialization vector, we used the PBKDF2 key derivation function. This generated these for us.

KDFs have the advantage the rather than recall a long, random key and IV, you can just use a passphrase and let a cryptographic algorithm expand it. The downside of KDFs is that they start with a relatively low entropy value. This can simplify finding the passphrase given the key. The KDF maps the passprase directlty to the key. One way to make this more secure is to use more "rounds". That is the output of the KDF is fed back into the KDF multiple times. This breaks the 1-to-1 connection between the passphrase and the key. The more rounds, the harder it is to recover the passphrase, but it is slower to generate the key. Typically, this is not a significant issue. But, depending on the application, may need optimization.

---
## Padding

Block ciphers require full blocks to operate. When the number of bytes of data to be encrypted is not an exact multiple of the block size, the data needs to be padded, that is extended, to fill the last block being encrypted. Different algorithms use different padding schemes. AES specifies the PCKS#5 standard.

First, create some ciphertext, shorter than a block. How big is a block in AES?

In [None]:
echo -n "hello" | openssl aes-128-cbc -out pad_test.cbc -nosalt -pbkdf2 -k secret
hexdump -C pad_test.cbc

Notice the length of the output is larger than the the input.

Let's decrypt it and look at the output

In [None]:
openssl aes-128-cbc -d -in pad_test.cbc -nosalt -pbkdf2 -k secret | hexdump -C

Normally decryption strips the padding out. 

To see the padding, open a new code cell and rerun that command, but add the '-nopad' option to the openssl command

Try encrypting plaintext of different lengths and notice how the padding changes. You can use the model below. Open additional code cells as needed. 

In [None]:
echo -n "xxxxx" | openssl aes-128-cbc -out pad_test.cbc -nosalt -pbkdf2 -k secret
openssl aes-128-cbc -d -in pad_test.cbc -nosalt -pbkdf2 -k secret -nopad | hexdump -C

<div style="background-color:rgba(225,135,0,.85); color:black; font-weight:bold; padding:6px;">
Explain the differences. Why those specific values? <br>
What happens when you input 15 bytes? 16?

---
## Exploring Modes of Operation

Block ciphers encrypt the plaintext in fixed size blocks. The block size depends on the symmetric cipher chosen and a valid block size (in general the block size otions are limited by the cipher used). How successive blocks are encrypted depends on the "Mode of Operation". In this section we will explore different modes of operation.

In the previous examples we used CBC - Cipher Block Chaining. In CBC, the output of one block is used as the IV for the next block. Next we'll look at ECB - Electronic Code Book, where blocks are encrypted independly (possibly in parallel) using the same key.  We'll use the openssl command with a KDF.

We'll be using this USD logo in our examples.

![USD_logo.bmp](attachment:3f14ba9b-bd18-48c4-92a2-92b9673ba5cf.bmp)

The first thing to do is encrypt it using AES-128-ECB.

In [None]:
openssl aes-128-ecb -e -in ./images/USD_logo.bmp -out ./images/USD_logo.aes-ecb.bmp -nosalt -pbkdf2 -k secret
ls -l ./images/USD_logo.aes-ecb.bmp 

This graphic file is now encrypted, but so is the .bmp format header. To make it a viewable file, copy the header from a valid .bmp file.

In [None]:
dd  if=./images/USD_logo.bmp of=./images/USD_logo.aes-ecb.bmp bs=1 count=54 conv=notrunc

Find the encrypted file and view using the image viewer. 
Copy and paste the file into a markdown cell, and run the cell to display the image.

{paste image in this cell}

Now repeat the above, but use aes-128-cbc as the cipher. Save the encrypted file to a different name (USD_logo.aes-cbc.bmp), and fix the header using dd like you did before. Paste that image into a markdown window to display it.

In [None]:
openssl ...
dd ...

{paste image in this cell}

<div style="background-color:rgba(225,135,0,.85); color:black; font-weight:bold; padding:6px;">
Explain the difference between the two and why.

Now repeat the process using the Blowfish cipher:

`openssl enc -bf-ecb -in ./images/USD_logo.bmp -out ./images/USD_logo.bf-ecb.bmp -k foo -pbkdf2 -nosalt -provider legacy -provider default`

`dd  if=./images/USD_logo.bmp of=./images/USD_logo.bf-ecb.bmp bs=1 count=54 conv=notrunc`


{paste image in this cell}

<div style="background-color:rgba(225,135,0,.85); color:black; font-weight:bold; padding:6px;">
Compare the image encrypted with AES to that of Blowfish. Notice that more information is leaked using Blowfish. Why is that?

Now lets look at the file sizes generated using different modes of operation.

Run the following cells then look at the resulting file sizes.

In [None]:
openssl aes-128-ecb -e -in ./images/USD_logo.bmp -out ./images/USD_logo.x-ecb.bmp -pbkdf2 -k secret -nosalt

In [None]:
openssl aes-128-cbc -e -in ./images/USD_logo.bmp -out ./images/USD_logo.x-cbc.bmp -pbkdf2 -k secret -nosalt

In [None]:
openssl aes-128-ofb -e -in ./images/USD_logo.bmp -out ./images/USD_logo.x-ofb.bmp -pbkdf2 -k secret -nosalt

In [None]:
openssl aes-128-cfb -e -in ./images/USD_logo.bmp -out ./images/USD_logo.x-cfb.bmp -pbkdf2 -k secret -nosalt

In [None]:
openssl aes-128-ctr -e -in ./images/USD_logo.bmp -out ./images/USD_logo.x-ctr.bmp -pbkdf2 -k secret -nosalt

In [None]:
ll -Sr ./images/USD_logo.bmp ./images/USD_logo.x-*

Notice that the size of the files encrypted in OFB, CFB, and CTR mode are the same size as the original file, while those that used ECB and CBC are larger.

<div style="background-color:rgba(225,135,0,.85); color:black; font-weight:bold; padding:6px;">
Why is that?</div>

---
## Error Propogation

Next we'll look at how a single bit error in the encrypted data can effect the decrypted output, and compare this over different modes of operation.

The procedure will be to encrypt a test file using a particular mode of operation, then corrupt the ciphertext by changing 1 bit in the encrypted output, and save this to a different file), then decrypt the original and corrupted ciphertext files, then compare the two to see what happened.

Let's start with ECB.


In [None]:
openssl aes-128-ecb -e -in ./message.txt -out ./message.ecb -pbkdf2 -k foo

Running "ghex" will pop up a window where you can edit the bits in your files. We want to change a single bit. Do so in the low-order bit of the 3rd byte of the 3rd row; click on it, then enter th new value. (each pair of hex values is a byte).

If the low-order bit is even (last bit is zero), add 1; if it is odd (last bit is one), subtract 1. That will ensure you only change one bit. If you are not sure, look for where the bytes value is shown in binary.

After, save the altered file AS under a new name. Use the original file with a ".x" appended, e.g., "message.ecb" as "message.ecb.x"

In [None]:
ghex ./message.ecb

Now decrypt the original ciphertext and the version you altered.

In [None]:
openssl aes-128-ecb -d -in ./message.ecb -out ./message.ecb.dcr -pbkdf2 -k foo

In [None]:
openssl aes-128-ecb -d -in ./message.ecb.x -out ./message.ecb.x.dcr -pbkdf2 -k foo

In [None]:
diff -a message.ecb.dcr message.ecb.x.dcr


Notice the exactly 16 bytes were corrupted. That's because ECB decrypts blocks independently.

Now do the same using CBC mode.

In [None]:
openssl aes-128-cbc -e -in ./message.txt -out ./message.cbc -pbkdf2 -k foo

In [None]:
ghex ./message.cbc

In [None]:
openssl aes-128-cbc -d -in ./message.cbc -out ./message.cbc.dcr -pbkdf2 -k foo

In [None]:
openssl aes-128-cbc -d -in ./message.cbc.x -out ./message.cbc.x.dcr -pbkdf2 -k foo

In [None]:
diff -a message.cbc.dcr message.cbc.x.dcr


Now notice that 16 bytes were again changed, but look close. Can you find anther byte that changed? 

That happens because with CBC mode, the decryption of a block depends on its ciphertext plus that of the prior block.

Now let's try using OFB. Use the same sequence as before, but substitute 'ofb' ofr 'cbc'.

<div style="background-color:rgba(225,135,0,.85); color:black; font-weight:bold; padding:6px;">
One bit was changed in the ciphertext. What changed in the decrypted text? Explain why.</div>

Try again but with CFB mode.

<div style="background-color:rgba(225,135,0,.85); color:black; font-weight:bold; padding:6px;">
One bit was changed in the ciphertext. What changed in the decrypted text? Explain why.</div>

Try again but with CTR mode.

<div style="background-color:rgba(225,135,0,.85); color:black; font-weight:bold; padding:6px;">
One bit was changed in the ciphertext. What changed in the decrypted text? Explain why.</div>

---
### This concludes the lab.

Use File > Save and Export Notebook as... > PDF