Hash Functions and Message Integrity

In this warm-up challenge, you are required to implement the SHA3-256 algorithm and compute the digest of a message. You will find a file called input.txt in the /challenge directory. It contains a message that you take as input. You need to compute the digest and check its correctness using /challenge/solve.

In this challenge, you are required to implement the SHAKE256 algorithm. It is a SHA3-family algorithm that allows arbitrary-length outputs. You will find a file called input.txt in the /challenge directory. It contains a message that you take as input and compute a 16-byte output. You can check its correctness using /challenge/solve.

In this challenge, you will break the preimage resistance of a weak hash instance. This weak hash function is built from the SHAKE256 algorithm. It takes input a 32-byte message and only produces 3-byte output. You will find a file called digest.txt in the /challenge directory. It contains a digest that you take as input and need to find a preimage collision. You can check its correctness using /challenge/solve hexadecimal_message.

In this challenge, you will break the collision resistance of a weak hash instance. This weak hash function is built from the SHAKE256 algorithm. It takes input a message that is at least 32-byte, and only produces 5-byte output. You can submit your answers using /challenge/solve message_a message_b.

In this challenge, you will apply the length extension attack. You will receive a digest h1 at h1.txt and a message m at adv_message.txt. It is known that h1 is a SHA-256 digest of a 55-byte message m0 padded to 64-byte using the rule we mentioned in class. As an attacker, you need to generate a new digest for the message previous_message_block || m. You can submit your answers using /challenge/solve digest.

In this warm-up challenge, you are required to implement the AES-CBC-MAC and compute a tag for a designated message. Both the message and MAC key can be found in mac_info.txt. You need to compute the digest and check its correctness using /challenge/solve.

CBC-MAC uses a fixed IV, otherwise, the adversary could break its unforgeability. In this challenge, you will find a message and IV stored in mac_info.txt. You need to compute a new IV that allows you to replace the first 16-byte block of the message with cse_539_applied_. You can check its correctness using /challenge/solve.

CBC-MAC requires the length of the message known to the receiver. Otherwise, the attacker can easily implement a length-extension attack. In this challenge, you will find two pairs of message-tag, namely (m0,t0) and (m1,t1) stored in mac_info.txt. You need to construct a new from them that allows you to pass the MAC verification algorithm with tag t1. You can check its correctness using /challenge/solve.

The security of message authentication codes relies on the unpredictability of its private keys. In this challenge, you will receive a MAC tag for the message "wire 100,000 dollars to Bob. -Alice". Additionally, you obtain Alice's personal information and know that Alice's MAC key is a password that combines some data from her information and some special characters. You will leverage these information to guess Alice's MAC key.

It is known that Alice's password is filled with 4 fields from info.txt and 4 special characters from ! @ # $ % ^ & *. They are arranged in the form of info1+char1+info2+char2+info3+char3+info4+char4, where + represents concatenation. An example is Alice!Alice!Alice!Alice!. These private info fields and the characters may repeat.

The MAC scheme that Alice uses is HMAC and it's implemented using Python's hmac interface and sha256 from hashlib. Once you get a password, you can check its correctness using /challenge/solve.