feat: a3

.gitignore

@@ -1,3 +1,6 @@
 *.pdf
 sheet01/a2/Hash.java
-*.class
+*.class
+passwd
+sheet04/AuthWithTOTP.java
+sheet04/key-exchange.pcap

sheet04/a1/a.txt

@@ -0,0 +1,37 @@
+We found this Client Hello Handshake with the filter: tls.handshake.type == 1:
+
+TLSv1.3 Record Layer: Handshake Protocol: Client Hello
+    Handshake Protocol: Client Hello (last fragment)
+    [2 Reassembled Handshake Fragments (1496 bytes): #1(1158), #2(338)]
+    Handshake Protocol: Client Hello
+        Handshake Type: Client Hello (1)
+        ...
+        Extension: key_share (len=1258) X25519MLKEM768, x25519
+            Type: key_share (51)
+            Length: 1258
+            Key Share extension
+                Client Key Share Length: 1256
+                Key Share Entry: Group: X25519MLKEM768, Key Exchange length: 1216
+                    Group: X25519MLKEM768 (4588)
+                    Key Exchange Length: 1216
+                    Key Exchange […]: 6bfb169eb1aef0e121d7247092da22c2a75367eb7f620538b3f81ae29926ade590eee3ccdaf8afb793819dc8110f241d5827cc97a52151cbc99d9307053bc575f04c9c2457156bb5dcf5cd6a4c9fbcb8852366b47e253109e9ac0847875f6387cc794a04c30b17b31460a063758a6aeaf979cdd08a889a3de5a748289b72b6d83062071085d8323f86622db4c2ed71792dd325374096f331b1d143c347e87d1c545133b3542c605c092548a8179bdf76b32dcb9bd6fc46dd514eed92a3b67824bfe8a58997c75dc32333c46696b7ce71d62eff77c15ef0afdeea33add5a5cf054eb5911705a62deb7bae6ddc7e9680c9d479065e7c3e298a86cd1982c7c8bd002cc755c663fea62b51f182c685315f9c5f13b9c0a751881f414f40a17773c37658aa786aba6d9032447b60a59ad01904a9c59e369e76080dc4a9743ce505b7053369c596f0a23fcecc705aa3340409b557f093bb9b26a7fc07f78743eebb297a33271df270cd2b3dbf065c75508fe23452e2c10a0a876193f5a90a3075e6e29bd77961907a2ce1a70321fb5ca88cb11174664e5b71eb2c9a081977b0404a452a4427f0c8665348ce331ad4aa0d1c0bb6c9a6069cbbc14f5a53a02b8adcfa58591915607c8576ab413ce7931b2c3a578abc85b7a40c616535f1359842617aac2c4d363956a626e7248bd84cb4c026bab5a1a2bb041ff3d2a277946762d9992001caf6dc58ce81c7f9d0a2987a4d79596ef55511c2ca037afbb77aba8255d67a1fd81e6b1bc010621e500759e24681b8821358c809852a3f7fb639cc41b0fd839e29c54bf6f53776c4515fb17c79c6bd34acb8e9417e3c5c59a8d5960c7937f7a864054a4f97c71d72f1cce2e2c876c033b3977fc1793c6a8c407b2373989354db071d38da3430a4c51fe9579fd19f49d4c6019415c09a83bcc12e47cc828bf22463da96f3d178a3800e817b7552f89616639ed40329c3c4ba5b938f30186bebdbacd9e830258755e3963cbd6b7a9b55a8d7ea5cc637ccbaaa2234dc2832304f1161c1be895f25057b2f8c40ba48cc9db48da68a77eaea756fbc0e72423f1f1741a92caf16ea537f98519b3c243f02ba982abc76342f57181607a48fd71369622a4317d57e82b288e5079e2919bce76a3a09f351ce8695a86093bb984ebaac22496739d392152c55aef35755c1ba23fde180ac244247e8bbe89669a2b6ba79164965a67ff186c7980878761b1844922d97f104f3b86b3fa9b7bb7226cea8b14c294e9a084128777ef9531960f65dbb267265ca06cc7b8f1141b233c81a501abd6972291c3c679000402a321bdf95bee2162c1277734ba030c2a6cf383520d0b99232f86fbb23c0374626cbe22f3188066813b6b27270d2f2314e10c3002872a94c9c969286a1fc042a1477dd82c7910c5ed06b63e6079039fa29fc1039f80412f046a55abb05a3c2278c6a5d65534318817e37e2563c29c1fbf93b4124acec1323e9415f511b9b11e942e378b72bfa68dcf559312b7e3715432c80bd2bd06a95210cb06ac6b340ae18a34ded679e1110a7d7a92fe9e31a4e9956720a6f29838b95c05059182198b54bd76ba3de74347a3a166cf5bfc3f94c6cd922e37225fc95bec250915ea7581bea745b1a17988063585c795e1d2d1e219e580c3d3773cf9d9967ed01ccfd09a0832b58d42ee7b5cac4b4d2d057aa96fb32d04b356d22580772
+
+
+it contains the publickey: 6bfb169eb1aef0e121d7247092da22c2a75367eb7f620538b3f81ae29926ade590eee3ccdaf8afb793819dc8110f241d5827cc97a52151cbc99d9307053bc575f04c9c2457156bb5dcf5cd6a4c9fbcb8852366b47e253109e9ac0847875f6387cc794a04c30b17b31460a063758a6aeaf979cdd08a889a3de5a748289b72b6d83062071085d8323f86622db4c2ed71792dd325374096f331b1d143c347e87d1c545133b3542c605c092548a8179bdf76b32dcb9bd6fc46dd514eed92a3b67824bfe8a58997c75dc32333c46696b7ce71d62eff77c15ef0afdeea33add5a5cf054eb5911705a62deb7bae6ddc7e9680c9d479065e7c3e298a86cd1982c7c8bd002cc755c663fea62b51f182c685315f9c5f13b9c0a751881f414f40a17773c37658aa786aba6d9032447b60a59ad01904a9c59e369e76080dc4a9743ce505b7053369c596f0a23fcecc705aa3340409b557f093bb9b26a7fc07f78743eebb297a33271df270cd2b3dbf065c75508fe23452e2c10a0a876193f5a90a3075e6e29bd77961907a2ce1a70321fb5ca88cb11174664e5b71eb2c9a081977b0404a452a4427f0c8665348ce331ad4aa0d1c0bb6c9a6069cbbc14f5a53a02b8adcfa58591915607c8576ab413ce7931b2c3a578abc85b7a40c616535f1359842617aac2c4d363956a626e7248bd84cb4c026bab5a1a2bb041ff3d2a277946762d9992001caf6dc58ce81c7f9d0a2987a4d79596ef55511c2ca037afbb77aba8255d67a1fd81e6b1bc010621e500759e24681b8821358c809852a3f7fb639cc41b0fd839e29c54bf6f53776c4515fb17c79c6bd34acb8e9417e3c5c59a8d5960c7937f7a864054a4f97c71d72f1cce2e2c876c033b3977fc1793c6a8c407b2373989354db071d38da3430a4c51fe9579fd19f49d4c6019415c09a83bcc12e47cc828bf22463da96f3d178a3800e817b7552f89616639ed40329c3c4ba5b938f30186bebdbacd9e830258755e3963cbd6b7a9b55a8d7ea5cc637ccbaaa2234dc2832304f1161c1be895f25057b2f8c40ba48cc9db48da68a77eaea756fbc0e72423f1f1741a92caf16ea537f98519b3c243f02ba982abc76342f57181607a48fd71369622a4317d57e82b288e5079e2919bce76a3a09f351ce8695a86093bb984ebaac22496739d392152c55aef35755c1ba23fde180ac244247e8bbe89669a2b6ba79164965a67ff186c7980878761b1844922d97f104f3b86b3fa9b7bb7226cea8b14c294e9a084128777ef9531960f65dbb267265ca06cc7b8f1141b233c81a501abd6972291c3c679000402a321bdf95bee2162c1277734ba030c2a6cf383520d0b99232f86fbb23c0374626cbe22f3188066813b6b27270d2f2314e10c3002872a94c9c969286a1fc042a1477dd82c7910c5ed06b63e6079039fa29fc1039f80412f046a55abb05a3c2278c6a5d65534318817e37e2563c29c1fbf93b4124acec1323e9415f511b9b11e942e378b72bfa68dcf559312b7e3715432c80bd2bd06a95210cb06ac6b340ae18a34ded679e1110a7d7a92fe9e31a4e9956720a6f29838b95c05059182198b54bd76ba3de74347a3a166cf5bfc3f94c6cd922e37225fc95bec250915ea7581bea745b1a17988063585c795e1d2d1e219e580c3d3773cf9d9967ed01ccfd09a0832b58d42ee7b5cac4b4d2d057aa96fb32d04b356d22580772
+
+And we also fount this Server Hello Handshake with the filter: tls.handshake.type == 2:
+
+Handshake Protocol: Server Hello
+    Handshake Type: Server Hello (2)
+    ...
+    Extension: key_share (len=1124) X25519MLKEM768
+        Type: key_share (51)
+        Length: 1124
+        Key Share extension
+            Key Share Entry: Group: X25519MLKEM768, Key Exchange length: 1120
+                Group: X25519MLKEM768 (4588)
+                Key Exchange Length: 1120
+                Key Exchange […]: 640e2803937e4576a03c90112349c636e4b1efa63636d92a2b1b72ea7f1aea327f57e9ed2f1f1081502a552bae5da6e43b74a4cc548a8e8e29ce3b86eaa81c77407d68d5f7ec47d5d1cccc94d36aa640a2c341c988f2286bdf180acd99313474a8d4759933cef0e92c2fbf6efdfd82fd34c17a2b354c810cc8d0598392c90844d2c9ee8f7eefa1e08d5c5af4739331e2b23b4ae2892c98c43bf233a5b031aa611dcc949b5ecd9f2c8167dffe14c85434c2b06be100bf070ee76774c2efb4968a3a024679545c31a07b2b4af3c702dbec4921102b539ba6e2f0c1afd4f45f7604cb8493967d26e8e84a136bfb242d560728387643b38f570163be166b18049177ce0940b274025d828538d869fd8b0cfafe266e8f51a5b72b0feb6f66a3adcfc6061be14a2b272236090f136a404a6c71af2af8f5763fa8ab9274ab041d9c9b0f3a506f5f16925da671c93ad4f562c8e997233bcc1f18ed32d623d37aa4505f621bc752815534c337f03d87159d55838960e25cf333b390440b30f1e152a51cc2b55460e6841b428f4acf714c99eb09efd9b4955c86cdb9851495c9fb609d77ea6dadfa7c67b0ccb3e217401e4b004c47e355460cd47f444b989dfcd39b504a9de1bda306f6c14a9f522fb3de5736a5139caf44871837f3761b9ef23d1dbf939682d880f06281f9f3481d801135075fd3f4f5b04f5d4a70b2f92676733d8e29013912f244f7232fd4ec64f535f5db96bee6ba28a22bfe69923135b32883f692bfda79b04c614ded3986c4999c38ae1dc955aa8dc608c26f90d3bcc507694fc69b8a320c2cbbf11692d8b248f985552026b38d09f8d2cb5878d5bfd320fe94790d1f31cc19866e4166649a8884e9616d7e16da94a6f3f7c141672adfc88d04ee2b446f4ffac87ff8fb4dd456432738c679ccba5033ad47fa2906e665179e1043b1673447b2877fa1e88a3b62f47b0a34ca85cd1da4a762871cf6234ba9d596a241d5e9a0049b372021b8806ef408bf0f78d718c64224f4cafebbf5a44c84f1bc6075fc073fe0495f329e22b6fd4c19ec908197454511fb841934783fe7a1f9ede7cb0ca22e2df949d285a436d165adf1b12f7a6fa6f0545846d7329a85894f2de2130ba344fdcabfcc1ae0fa7ba1bb1d39029f9926f1d6468ee80cbf95c908d2f2a632aa06043880f89cc0b538dbfd1de87e3db6b88d58099702792f8780fa7b52c37e7be9b822f9a86bf283839b9df96de32af3b38f26c5afe311138f28be5e523b0cfb061e6bd33571216d6dc0bb7da30d1ec6b3fb9f88bad78e6bcd5bd48ec986f2a89e77f1360aa3fa7a06e93bfdf1408d34cb39c7128209e1d8b9e90e1e98a91c14113ff2d6185850d765048af8f595fa5e30452a03a552bb7a272e6f0e5e09ad64c57c1d9d22441f929ab65ab9a85fe66f6b48737eb92d578dbf5dfdbb8b710e4b2a1b7d48dae0af2a77f6805f7bc17f0a5bb3fbf6f69a055def782b3a48f80be17e62fbeba2e8ee327c52f2a9b8d8e3eb9313c4909b6d5577705ebd033c5c33b70f1f5855913706e74bfe5ff4922ddc85604449646ddde35fb17fd58511
+
+
+it contains the publickey: 640e2803937e4576a03c90112349c636e4b1efa63636d92a2b1b72ea7f1aea327f57e9ed2f1f1081502a552bae5da6e43b74a4cc548a8e8e29ce3b86eaa81c77407d68d5f7ec47d5d1cccc94d36aa640a2c341c988f2286bdf180acd99313474a8d4759933cef0e92c2fbf6efdfd82fd34c17a2b354c810cc8d0598392c90844d2c9ee8f7eefa1e08d5c5af4739331e2b23b4ae2892c98c43bf233a5b031aa611dcc949b5ecd9f2c8167dffe14c85434c2b06be100bf070ee76774c2efb4968a3a024679545c31a07b2b4af3c702dbec4921102b539ba6e2f0c1afd4f45f7604cb8493967d26e8e84a136bfb242d560728387643b38f570163be166b18049177ce0940b274025d828538d869fd8b0cfafe266e8f51a5b72b0feb6f66a3adcfc6061be14a2b272236090f136a404a6c71af2af8f5763fa8ab9274ab041d9c9b0f3a506f5f16925da671c93ad4f562c8e997233bcc1f18ed32d623d37aa4505f621bc752815534c337f03d87159d55838960e25cf333b390440b30f1e152a51cc2b55460e6841b428f4acf714c99eb09efd9b4955c86cdb9851495c9fb609d77ea6dadfa7c67b0ccb3e217401e4b004c47e355460cd47f444b989dfcd39b504a9de1bda306f6c14a9f522fb3de5736a5139caf44871837f3761b9ef23d1dbf939682d880f06281f9f3481d801135075fd3f4f5b04f5d4a70b2f92676733d8e29013912f244f7232fd4ec64f535f5db96bee6ba28a22bfe69923135b32883f692bfda79b04c614ded3986c4999c38ae1dc955aa8dc608c26f90d3bcc507694fc69b8a320c2cbbf11692d8b248f985552026b38d09f8d2cb5878d5bfd320fe94790d1f31cc19866e4166649a8884e9616d7e16da94a6f3f7c141672adfc88d04ee2b446f4ffac87ff8fb4dd456432738c679ccba5033ad47fa2906e665179e1043b1673447b2877fa1e88a3b62f47b0a34ca85cd1da4a762871cf6234ba9d596a241d5e9a0049b372021b8806ef408bf0f78d718c64224f4cafebbf5a44c84f1bc6075fc073fe0495f329e22b6fd4c19ec908197454511fb841934783fe7a1f9ede7cb0ca22e2df949d285a436d165adf1b12f7a6fa6f0545846d7329a85894f2de2130ba344fdcabfcc1ae0fa7ba1bb1d39029f9926f1d6468ee80cbf95c908d2f2a632aa06043880f89cc0b538dbfd1de87e3db6b88d58099702792f8780fa7b52c37e7be9b822f9a86bf283839b9df96de32af3b38f26c5afe311138f28be5e523b0cfb061e6bd33571216d6dc0bb7da30d1ec6b3fb9f88bad78e6bcd5bd48ec986f2a89e77f1360aa3fa7a06e93bfdf1408d34cb39c7128209e1d8b9e90e1e98a91c14113ff2d6185850d765048af8f595fa5e30452a03a552bb7a272e6f0e5e09ad64c57c1d9d22441f929ab65ab9a85fe66f6b48737eb92d578dbf5dfdbb8b710e4b2a1b7d48dae0af2a77f6805f7bc17f0a5bb3fbf6f69a055def782b3a48f80be17e62fbeba2e8ee327c52f2a9b8d8e3eb9313c4909b6d5577705ebd033c5c33b70f1f5855913706e74bfe5ff4922ddc85604449646ddde35fb17fd58511

sheet04/a1/b.txt

@@ -0,0 +1,45 @@
+We looked for the packet containing the certificate handshake with the filter: 
+tls.handshake.type == 11 and found the following certificates:
+
+
+Certificate 1:
+    Issuer: Let's Encrypt
+    Subject: www.mozilla.org
+    Valid until: 2025-07-28 10:02:46 (UTC)
+    Algorithm ID: 1.2.840.113549.1.1.1 (rsaEncryption)
+    RSA Public Key: 3082010a0282010100e422db3b32d5efbcc3b8b840760fdc8352561f8c50d830c488272571593bd4f96b43de8bcf6ede62042d1d5da6ae274f14906e97f306abec51d3a9a62663adf76ff960be247a898161093395f37a091f31e1536857a8deca4ed9aac9ce16d7f6c4e6d983224447fb1ebbcb5abecadf41a82b41d6bd4ea0de2b5153f8a273ab754b4b07241a49c2251c1c4f5055c3074f0b5476c88e0781d02af1f37a81a4fd0a1c1773b1dc8fc0596ff913f9b6f6fa2f40d1903319f6b312b7c23ded69176647a3bd7ff6a182b833b69309445123eb60a88c6de83b8da9d755ecafee52651e9a112ab5734021c2e0c1b30c83954cee138d639efc2abf78a48524c68d5942661d020300010001
+
+
+Certificate 2:
+    Issuer: Internet Security Research Group
+    Subject: Let's Encrypt
+    Valid until: 2027-03-12 23:59:59 (UTC)
+    Algorithm ID: 1.2.840.113549.1.1.1 (rsaEncryption)
+    RSA Public Key: 3082010a0282010100ba87bc5c1b0039cbca0acdd46710f9013ca54ea561cb26ca52fb1501b7b928f5281eed27b324183967090c08ece03ab03b770ebdf3e53954410c4eae41d69974de51dbef7bff58bda8b713f6de31d5f272c9726a0b8374959c4600641499f3b1d922d9cda892aa1c267a3ffeef58057b089581db710f8efbe33109bb09be504d5f8f91763d5a9d9e83f2e9c466b3e106664348188065a037189a9b843297b1b2bdc4f815009d2788fbe26317966c9b27674bc4db285e69c279f0495ce02450e1c4bca105ac7b406d00b4c2413fa758b82fc55c9ba5bb099ef1feebb08539fda80aef45c478eb652ac2cf5f3cdee35c4d1bf70b272baa0b4277534f796a1d87d90203010001
+
+
+echo "HEX-KEY" | tr -d ' \n\r' | xxd -r -p > key.der
+openssl rsa -in key.der -inform der -pubin -out key.pem
+
+gave us the publickeys: 
+Cert 1:
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5CLbOzLV77zDuLhAdg/c
+g1JWH4xQ2DDEiCclcVk71PlrQ96Lz27eYgQtHV2mridPFJBul/MGq+xR06mmJmOt
+92/5YL4keomBYQkzlfN6CR8x4VNoV6jeyk7ZqsnOFtf2xObZgyJER/seu8tavsrf
+QagrQda9TqDeK1FT+KJzq3VLSwckGknCJRwcT1BVwwdPC1R2yI4HgdAq8fN6gaT9
+ChwXc7Hcj8BZb/kT+bb2+i9A0ZAzGfazErfCPe1pF2ZHo71/9qGCuDO2kwlEUSPr
+YKiMbeg7janXVeyv7lJlHpoRKrVzQCHC4MGzDIOVTO4TjWOe/Cq/eKSFJMaNWUJm
+HQIDAQAB
+-----END PUBLIC KEY-----
+
+Cert 2:
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuoe8XBsAOcvKCs3UZxD5
+ATylTqVhyybKUvsVAbe5KPUoHu0nsyQYOWcJDAjs4DqwO3cOvfPlOVRBDE6uQdaZ
+dN5R2+97/1i9qLcT9t4x1fJyyXJqC4N0lZxGAGQUmfOx2SLZzaiSqhwmej/+71gF
+ewiVgdtxD4774zEJuwm+UE1fj5F2PVqdnoPy6cRms+EGZkNIGIBloDcYmpuEMpex
+sr3E+BUAnSeI++JjF5ZsmydnS8TbKF5pwnnwSVzgJFDhxLyhBax7QG0AtMJBP6dY
+uC/FXJuluwme8f7rsIU5/agK70XEeOtlKsLPXzze41xNG/cLJyuqC0J3U095ah2H
+2QIDAQAB
+-----END PUBLIC KEY-----

sheet04/a1/c.txt

@@ -0,0 +1,6 @@
+Let's Encrypt: 
+Let's Encrypt is a Certificate Authority that provides free TLS certificates, making it easy for websites to enable HTTPS encryption and create a more secure Internet for everyone. Let's Encrypt is a project of the nonprofit Internet Security Research Group
+
+
+Internet Security Research Group:
+The Internet Security Research Group (ISRG) is a public-benefit non-profit corporation based in California which focuses on Internet security.

sheet04/a2/AuthWithTOTP.java

@@ -0,0 +1,149 @@
+import java.nio.ByteBuffer;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.security.MessageDigest;
+import java.time.Instant;
+import java.util.HexFormat;
+import java.util.Map;
+import java.util.Scanner;
+import java.util.stream.Collectors;
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+
+public class AuthWithTOTP {
+
+	private static final byte[] INVALID_HASH =
+		"----------------------------------------------------------------".getBytes();
+
+	// hex-encoded: 3c2bc45f2de6568bb285aa1c6fcac1b6965cc770
+	// base32-encoded: HQV4IXZN4ZLIXMUFVIOG7SWBW2LFZR3Q
+	private static final byte[] K = new byte[] {
+		60,
+		43,
+		-60,
+		95,
+		45,
+		-26,
+		86,
+		-117,
+		-78,
+		-123,
+		-86,
+		28,
+		111,
+		-54,
+		-63,
+		-74,
+		-106,
+		92,
+		-57,
+		112,
+	};
+
+	public static void main(String[] args) {
+		// I changed it to a scanner cause my terminal had issues with the other thingy
+		try (Scanner sc = new Scanner(System.in)) {
+			Map<String, byte[]> passwd = Files.readAllLines(Path.of("passwd"))
+				.stream()
+				.filter(line -> line.indexOf(":") > 1 && line.length() > 3)
+				.collect(
+					Collectors.toMap(
+						line -> line.substring(0, line.indexOf(':')),
+						line ->
+							HexFormat.of().parseHex(
+								line.substring(line.indexOf(':') + 1)
+							)
+					)
+				);
+
+			System.out.println(
+				"Chocolate Factory SCADA Command Line Interface v2.2.144"
+			);
+			System.out.println();
+			System.out.println(
+				"Please, enter your authentication credentials."
+			);
+			System.out.println();
+
+			String username;
+			String password;
+			String totpCode;
+
+			long timeout = 500;
+			while (true) {
+				System.out.print("> Username: ");
+				username = sc.nextLine();
+				System.out.print("> Password: ");
+				password = sc.nextLine();
+				System.out.print("> TOTP Code: ");
+				totpCode = sc.nextLine();
+
+				MessageDigest digest = MessageDigest.getInstance("SHA-256");
+				byte[] encodedHash = digest.digest(password.getBytes());
+
+				// constant time comparison to prevent timing attacks
+				if (
+					MessageDigest.isEqual(
+						passwd.getOrDefault(username, INVALID_HASH),
+						encodedHash
+					)
+				) {
+					// Get the counter from the unix seconds
+					final var counter = (int) Math.floor(
+						Instant.now().getEpochSecond() / 30.0
+					);
+
+					// Compute the hmac
+					final var mac = Mac.getInstance("HmacSHA1");
+					mac.init(new SecretKeySpec(K, "HmacSHA1"));
+					mac.update(ByteBuffer.allocate(8).putLong(counter).array());
+					final var hmacResult = mac.doFinal();
+
+					// Do the truncating + modulo
+					int offset = hmacResult[19] & 0x0f;
+					int binaryCode =
+						((hmacResult[offset] & 0x7f) << 24) |
+						((hmacResult[offset + 1] & 0xff) << 16) |
+						((hmacResult[offset + 2] & 0xff) << 8) |
+						(hmacResult[offset + 3] & 0xff);
+					binaryCode = binaryCode % 1000000;
+
+					// Validate the code + padding
+					final var code = String.format("%06d", binaryCode);
+					if (!code.equals(totpCode)) {
+						System.out.println(
+							"Invalid username, password and/or TOTP code."
+						);
+						Thread.sleep(timeout);
+						timeout *= 2;
+						continue;
+					}
+
+					System.out.printf("Welcome %s!%n", username);
+					Thread.sleep(150);
+					break;
+				} else {
+					// exponential timeout to prevent brute force attacks
+					System.out.println(
+						"Invalid username, password and/or TOTP code."
+					);
+					Thread.sleep(timeout);
+					timeout *= 2;
+				}
+			}
+
+			printSystemStatus();
+			printSecretRecipe();
+		} catch (Exception e) {
+			e.printStackTrace();
+		}
+	}
+
+	private static void printSystemStatus() throws Exception {
+		// SECRET
+	}
+
+	private static void printSecretRecipe() throws Exception {
+		// SECRET
+	}
+}

sheet04/a2/a.txt

@@ -0,0 +1,26 @@
+After some search these are my most used services (with number of visits):
+7191|gitlab.uni-ulm.de
+7409|github.com
+8307|www.youtube.com
+10696|duckduckgo.com
+11337|www.wanikani.com
+
+1. Wanikani is a Japanese learning app and does not support any kind of multi-factor-authentication. You can log in with your email address and also reset your password using your email address. They only removed username login in 2023: https://community.wanikani.com/t/updating-wanikani-password-recovery-options/61437.
+
+2. DuckDuckGo does not even have a login, so no need for authentication. I guess in a way, the most secure account is the account that doesn't exist. However, since it felt like cheating: I also use Proton a lot, and they have a lot of options for login. Speaking from personal experience here are the ones I know:
+- TOTP: Active for my account as well (they even have their own Authenticator app)
+- Security keys: Also available for two-factor authentication
+- In case of Proton Pass: You can set a second password that unlocks the password manager to make sure someone doesn't get access when they get your main password (just additional security).
+- For recovery, you can also set emergency contacts and stuff (so people could get access to your account even if you died), they have a pretty comprehensive system in total and I think they're really doing a good job with authentication
+
+3. YouTube: Well, here it gets a little complicated, but it's basically the same as for any Google account and because it's a big platform there are so many security options that you can't even count them all.
+- TOTP
+- Pass keys
+- Email 2FA
+- Google's own autentication system that works with any Android device (the one where a code is sent to your phone instead of by email)
+- Security codes: Offline credentials similar to TOTP that can be viewed in the Google app on a phone when logged in (as a compliment to Google's own code sending)
+- You can also chain any of those together to make your account more secure
+
+4. GitHub: Also really solid here: TOTP, Security keys, GitHub Mobile and SMS/Text (marked as insecure) messages are supported. However, no multi-factor authentication, you can only configure a second factor.
+
+5. University GitLab: Also a lot available: Login usually works through the University's account system, but you can additionally add TOTP and WebAuthn devices (so passkeys).

sheet04/a2/c.txt

@@ -0,0 +1,5 @@
+Without the time interval entering the codes would be really difficult. Imagine having only one second to enter the code + the request having to travel to some server for it to verify (can take up to 200ms around the world) + the server having to process the request and verify the code.
+
+There could be measures to make sure the code is still valid even when entering a little old code, but then you're really just introducing an interval. So why not do it from the start?
+
+That's why you need a 30s interval. For user experience, to make sure the system can actually work even when grandma has to type it in and reopen the authenticator 10x because she forgot the code or typed something wrong.

sheet05/a1/archive.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+# $1 = directory path
+chmod -R a-w "$1"

sheet05/a1/create_user.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+# $1 = username, $2 = comma-separated groups
+useradd -G "$2" "$1" || usermod -aG "$2" "$1"

sheet05/a1/explanation.txt

@@ -0,0 +1,6 @@
+UNIX permissions only support one Owner, one Group, and Other (UGO). 
+The 'Group' slot is already taken by the specific lecture group to give students write access.
+If we use 'Other' to give the supervisor read access, every user on the system could read it, which would violate the requirements.
+If we add the supervisor to the lecture group, they get write access, which also violates the requirements.
+
+Because a file cannot have multiple groups or user-specific overrides under standard UNIX permissions, this cannot be solved.

sheet05/a1/supervisor.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+# $1 = supervisor username
+echo "not possible with the standard UNIX permissions. See explanation.txt."

sheet05/a2/archive.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+TARGET_DIR=$1
+chmod -R a-w "$TARGET_DIR"

sheet05/a2/create_user.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+USERNAME=$1
+GROUPS=$2
+useradd -G "$GROUPS" "$USERNAME" || usermod -aG "$GROUPS" "$USERNAME"

sheet05/a2/explanation.txt

@@ -0,0 +1,3 @@
+The supervisor's read access would fail with UNIX permissions, since they are limited to one owner, one group, and "others". 
+Access Control Lists (ACLs) resolve this problem by allowing permissions beyond the standard three. 
+Using `setfacl`, we can append specific read and execute rights (r-x) for individual users (the supervisors) directly to the files and directories.

sheet05/a2/supervisor.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+SUPERVISOR=$1
+# Grant read and execute permissions to the supervisor user recursively
+setfacl -R -m u:"$SUPERVISOR":r-x .
+# Set the default ACL
+setfacl -R -d -m u:"$SUPERVISOR":r-x .

sheet05/a3/a.txt

@@ -0,0 +1,4 @@
+Passwords are stored in the /etc/shadow file, which is restricted to the root user. 
+A standard user cannot write to it directly. However, the passwd executable is owned by root and has the SUID permission set. 
+When a standard user runs passwd, the SUID bit tells the system to execute the program with the privileges of root, 
+giving the program the temporary permissions to update /etc/shadow

sheet05/a3/b.txt

@@ -0,0 +1,5 @@
+The script runs with root privileges because the setuid bit is set. 
+Since it just asks for a username and saves the new hash to /etc/shadow, 
+and there is no validation checking if the user running the program is actually changing their own password, 
+someone could simply run the program, type root as the username, and set a new password for the root user. 
+The script would then overwrite the actual root password in /etc/shadow.