Barakat/resumable_sha256.py

## resumable_sha256.py
#!python3

import struct
import binascii
import hashlib


def resumable_sha256(message_with_pad: bytes, state: [int]) -> str:
    """
    Modified implementation of sha256 that allows resuming from arbitrary hash state. The original sha256 hashing state
    begins with [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19]

    See: https://en.wikipedia.org/wiki/SHA-2#Pseudocode
    """

    # We are going to modify the list, so clone it.
    state = state[:]

    # Initialize array of round constants.
    _k = [0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
          0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
          0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
          0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
          0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
          0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
          0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
          0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
          0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
          0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
          0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
          0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
          0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
          0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
          0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
          0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2]

    # Process the message in successive 64 bytes (512 bits) chunks.
    while message_with_pad:
        def _ror(_x, _y):
            return ((_x >> _y) | (_x << (32 - _y))) & 0xffffffff

        w = [0] * 64
        w[0:16] = struct.unpack_from('!16L', message_with_pad)

        for j in range(16, 64):
            s0 = _ror(w[j - 15], 7) ^ _ror(w[j - 15], 18) ^ (w[j - 15] >> 3)
            s1 = _ror(w[j - 2], 17) ^ _ror(w[j - 2], 19) ^ (w[j - 2] >> 10)
            w[j] = (w[j - 16] + s0 + w[j - 7] + s1) & 0xffffffff

        a = state[0]
        b = state[1]
        c = state[2]
        d = state[3]
        e = state[4]
        f = state[5]
        g = state[6]
        h = state[7]

        for j in range(64):
            s0 = _ror(a, 2) ^ _ror(a, 13) ^ _ror(a, 22)
            t2 = s0 + ((a & b) ^ (a & c) ^ (b & c))
            s1 = _ror(e, 6) ^ _ror(e, 11) ^ _ror(e, 25)
            t1 = h + s1 + ((e & f) ^ ((~e) & g)) + _k[j] + w[j]

            h = g
            g = f
            f = e
            e = (d + t1) & 0xffffffff
            d = c
            c = b
            b = a
            a = (t1 + t2) & 0xffffffff

        state[0] = (state[0] + a) & 0xffffffff
        state[1] = (state[1] + b) & 0xffffffff
        state[2] = (state[2] + c) & 0xffffffff
        state[3] = (state[3] + d) & 0xffffffff
        state[4] = (state[4] + e) & 0xffffffff
        state[5] = (state[5] + f) & 0xffffffff
        state[6] = (state[6] + g) & 0xffffffff
        state[7] = (state[7] + h) & 0xffffffff

        message_with_pad = message_with_pad[64:]

    # Produce the final hash value.
    return binascii.hexlify(b''.join(struct.pack('!L', i) for i in state)).decode('ascii')


def pad64(message_length: int) -> bytes:
    """ Pad sha256 message such that it is 64 bytes (512 bits) in length """
    padding = b'\x80'
    padding_length = (64 - 1 - message_length - 8) % 64
    padding += b'\x00' * padding_length
    message_length_in_bits = message_length * 8
    padding += struct.pack('!Q', message_length_in_bits)
    return padding


def attacker_sha256(prefix_length: int, infix_data: bytes, postfix_data: bytes, mac: str) -> (bytes, str):
    # Unpack the given MAC/hash to obtain the last round internal state of SHA256
    start_state = list(struct.unpack('!LLLLLLLL', binascii.unhexlify(mac)))

    # Compute previous message padding. We consider the previous padding to be part of the message and not 'true pad'
    previous_pad = pad64(prefix_length + len(infix_data))

    # Now recalculate the new padding length
    message = postfix_data + pad64(prefix_length + len(infix_data) + len(previous_pad) + len(postfix_data))

    # Compute the hash of the new message starting from the previous hash state
    extended_mac = resumable_sha256(message, start_state)

    # Construct and return the extended message and its hash
    return infix_data + previous_pad + postfix_data, extended_mac


def sign(secret: bytes, data: bytes) -> str:
    """
    Naive MAC (message authentication) function that uses Merkle–Damgard based hash function which is vulnerable to
    length extension attacks.
    """
    return hashlib.sha256(secret + data).hexdigest()


def verify(secret: bytes, data: bytes, claimed_mac: str):
    print(f'  data: {data}')
    print(f'   mac: {claimed_mac}')
    print(f'checks: {sign(secret, data) == claimed_mac}')


def main():
    # legit use
    secret = b'my-secret-key'
    data = b'this-data-cannot-be-modified'
    mac = sign(secret, data)

    # Verify legitimate data
    verify(secret, data, mac)

    # Attack
    secret_length = len(secret)  # Attacker needs to guess or brute-force secret key length

    malicious_data, malicious_mac = attacker_sha256(secret_length, data, b'except-i-can', mac)

    # Verify malicious data
    verify(secret, malicious_data, malicious_mac)


if __name__ == '__main__':
    main()
	#!python3

	import struct
	import binascii
	import hashlib


	def resumable_sha256(message_with_pad: bytes, state: [int]) -> str:
	"""
	Modified implementation of sha256 that allows resuming from arbitrary hash state. The original sha256 hashing state
	begins with [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19]

	See: https://en.wikipedia.org/wiki/SHA-2#Pseudocode
	"""

	# We are going to modify the list, so clone it.
	state = state[:]

	# Initialize array of round constants.
	_k = [0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
	0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
	0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
	0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
	0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
	0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
	0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
	0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
	0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
	0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
	0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
	0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
	0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
	0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
	0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
	0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2]

	# Process the message in successive 64 bytes (512 bits) chunks.
	while message_with_pad:
	def _ror(_x, _y):
	return ((_x >> _y) \| (_x << (32 - _y))) & 0xffffffff

	w = [0] * 64
	w[0:16] = struct.unpack_from('!16L', message_with_pad)

	for j in range(16, 64):
	s0 = _ror(w[j - 15], 7) ^ _ror(w[j - 15], 18) ^ (w[j - 15] >> 3)
	s1 = _ror(w[j - 2], 17) ^ _ror(w[j - 2], 19) ^ (w[j - 2] >> 10)
	w[j] = (w[j - 16] + s0 + w[j - 7] + s1) & 0xffffffff

	a = state[0]
	b = state[1]
	c = state[2]
	d = state[3]
	e = state[4]
	f = state[5]
	g = state[6]
	h = state[7]

	for j in range(64):
	s0 = _ror(a, 2) ^ _ror(a, 13) ^ _ror(a, 22)
	t2 = s0 + ((a & b) ^ (a & c) ^ (b & c))
	s1 = _ror(e, 6) ^ _ror(e, 11) ^ _ror(e, 25)
	t1 = h + s1 + ((e & f) ^ ((~e) & g)) + _k[j] + w[j]

	h = g
	g = f
	f = e
	e = (d + t1) & 0xffffffff
	d = c
	c = b
	b = a
	a = (t1 + t2) & 0xffffffff

	state[0] = (state[0] + a) & 0xffffffff
	state[1] = (state[1] + b) & 0xffffffff
	state[2] = (state[2] + c) & 0xffffffff
	state[3] = (state[3] + d) & 0xffffffff
	state[4] = (state[4] + e) & 0xffffffff
	state[5] = (state[5] + f) & 0xffffffff
	state[6] = (state[6] + g) & 0xffffffff
	state[7] = (state[7] + h) & 0xffffffff

	message_with_pad = message_with_pad[64:]

	# Produce the final hash value.
	return binascii.hexlify(b''.join(struct.pack('!L', i) for i in state)).decode('ascii')


	def pad64(message_length: int) -> bytes:
	""" Pad sha256 message such that it is 64 bytes (512 bits) in length """
	padding = b'\x80'
	padding_length = (64 - 1 - message_length - 8) % 64
	padding += b'\x00' * padding_length
	message_length_in_bits = message_length * 8
	padding += struct.pack('!Q', message_length_in_bits)
	return padding


	def attacker_sha256(prefix_length: int, infix_data: bytes, postfix_data: bytes, mac: str) -> (bytes, str):
	# Unpack the given MAC/hash to obtain the last round internal state of SHA256
	start_state = list(struct.unpack('!LLLLLLLL', binascii.unhexlify(mac)))

	# Compute previous message padding. We consider the previous padding to be part of the message and not 'true pad'
	previous_pad = pad64(prefix_length + len(infix_data))

	# Now recalculate the new padding length
	message = postfix_data + pad64(prefix_length + len(infix_data) + len(previous_pad) + len(postfix_data))

	# Compute the hash of the new message starting from the previous hash state
	extended_mac = resumable_sha256(message, start_state)

	# Construct and return the extended message and its hash
	return infix_data + previous_pad + postfix_data, extended_mac


	def sign(secret: bytes, data: bytes) -> str:
	"""
	Naive MAC (message authentication) function that uses Merkle–Damgard based hash function which is vulnerable to
	length extension attacks.
	"""
	return hashlib.sha256(secret + data).hexdigest()


	def verify(secret: bytes, data: bytes, claimed_mac: str):
	print(f' data: {data}')
	print(f' mac: {claimed_mac}')
	print(f'checks: {sign(secret, data) == claimed_mac}')


	def main():
	# legit use
	secret = b'my-secret-key'
	data = b'this-data-cannot-be-modified'
	mac = sign(secret, data)

	# Verify legitimate data
	verify(secret, data, mac)

	# Attack
	secret_length = len(secret) # Attacker needs to guess or brute-force secret key length

	malicious_data, malicious_mac = attacker_sha256(secret_length, data, b'except-i-can', mac)

	# Verify malicious data
	verify(secret, malicious_data, malicious_mac)


	if __name__ == '__main__':
	main()