6 - 1 - T6 Hash HMAC MAC
Tutorial
Cryptographic Hashes & HMAC
Create a text file, e.g. open the text editor by clicking on the "edit" icon. Type something and
save with a name e.g. "test1.txt" in your testDir.
You can also create a text file with echo:
$ echo "This is some text file" > test1.txt
You can also use the pico text editor:
$ pico test1.txt
(b) Make a small change in your file such as adding a space, dot, etc.
Save the file with a new name, e.g. "test2.txt", and obtain the new md5 hash. Compare
them. Are they the same, different, or very different? You can do this visually:
$ cat test1.txt
$ cat test2.txt
2. Use md5 to check for file integrity. Using your browser, go to https://156.62.140.124 to
download a file and its md5 counterpart in the software folder, e.g.
putty-0.70-installer.msi and putty-0.70-installer.msi.md5.txt.
(a) Run md5sum on the downloaded file and save the output to a file called
putty.md5:
$ md5sum putty-0.70-installer.msi > putty.md5
(b) Now compare your new md5 with that on the server. You can view the md5 manually:
$ cat putty.md5
and compare it to what you see on the website by clicking on the .md5.txt file.
3. Hash passwords.
Obtain the hash of the password "myPass" using the -apr1 method.
$ openssl passwd -apr1
Identify the method, salt, and the hash.
Obtain another hash of the same password "myPass". Is the hash the same as before?
Try with other methods.
4. There are two files in the http://156.62.140.124 info folder, notice1.txt and notice2.txt, and the related
HMACs (also in /home/pub/). One of the notices is fake because it did not use the correct
secret key, which is comp607. Download them and their HMACs into your directory.
$ cp /home/pub/notice*.* .
Use openssl tools to determine their HMACs and determine which is the authentic one.
$ openssl dgst -hmac comp607 notice1.txt > notice1.new.hmac
Suppose you send the files: test1.txt and test1.txt.hmac to your friend. How
would he/she verify that the file test1.txt is authentic and intact?
Try with a different hash algorithm, e.g. sha1, whirlpool, etc. See the options:
$ openssl dgst --help
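
One way to carry out the check in task 4, and the check your friend would run on test1.txt and test1.txt.hmac, shown as an added example that is not part of the original tutorial. It pins SHA-256, so the stored HMAC must have been made with the same digest; the function names, the notice texts and the wrong key are constructed.

```shell
# Added example, not part of the tutorial. verify_hmac, hmac_hex and demo are
# hypothetical names; the notice texts and "wrongkey" are constructed.
# Note: -hmac KEY puts the key on the command line, where other users of a
# shared host can see it in the process list while openssl runs.

# hmac_hex KEY FILE: print only the hex HMAC-SHA256 of FILE.
# -sha256 is explicit because the default digest of "openssl dgst" is not the
# same in every OpenSSL version.
hmac_hex() {
    openssl dgst -sha256 -hmac "$1" "$2" | awk '{print $NF}'
}

# verify_hmac KEY FILE HMACFILE: succeed only if the HMAC recomputed over FILE
# equals the one stored in HMACFILE. Only the hex field is compared, so a
# different path inside "HMAC-SHA256(path)= ..." does not cause a false mismatch.
verify_hmac() {
    expected=$(awk '{print $NF}' "$3")
    actual=$(hmac_hex "$1" "$2")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Constructed scenario: notice1 is tagged with the shared key, notice2 with a
# wrong key, mirroring the authentic/fake pair in task 4.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'Lab closes at 5pm\n' > "$dir/notice1.txt"
    printf 'Lab closes at 9pm\n' > "$dir/notice2.txt"
    openssl dgst -sha256 -hmac comp607  "$dir/notice1.txt" > "$dir/notice1.txt.hmac"
    openssl dgst -sha256 -hmac wrongkey "$dir/notice2.txt" > "$dir/notice2.txt.hmac"
    for n in notice1 notice2; do
        if verify_hmac comp607 "$dir/$n.txt" "$dir/$n.txt.hmac"; then
            echo "$n.txt: HMAC matches, authentic and intact"
        else
            echo "$n.txt: HMAC mismatch, reject"
        fi
    done
    rm -rf "$dir"
}
demo
```

A match shows both that the file is unchanged and that whoever produced the HMAC knew the secret key, which a plain md5 comparison cannot show.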