a1 a+b

sheet02/a1/b-aeskey.txt

@@ -0,0 +1,2 @@
+AES Key: cddf0c7f664624fd0b604c622a2c670dffc3fdd7859a7cdd2377d1ba2ab86f89
+IV: 30579741743af76bdd06ec45b12ee6d7

sheet02/a1/b-dec-aes.txt

@@ -0,0 +1,3 @@
+Viktoria
+Leo
+Julian

sheet02/a1/b-enc-aes.txt

@@ -0,0 +1 @@
+o5Ö¦Íß*òþk‚¼¾I¦BîÜr<C39C>Œ´<C592>6@hün5Ø

sheet02/a1/b.txt

@@ -0,0 +1,5 @@
+Generate 256bit aes key and 128 bit iv:
+openssl rand -hex 32
+openssl rand -hex 16
+Encrypt the file plaintext.txt with the key and iv
+openssl enc -aes-256-cbc -in plaintext.txt -out b-enc-aes.txt -K cddf0c7f664624fd0b604c622a2c670dffc3fdd7859a7cdd2377d1ba2ab86f89 -iv 30579741743af76bdd06ec45b12ee6d7

sheet02/a1/c-dec-rsa.txt

@@ -0,0 +1,3 @@
+Viktoria
+Leo
+Julian

sheet02/a1/c-enc-rsa.txt

@@ -0,0 +1,2 @@
+’Ìnç‰á~Á>hì`£aÿ*‘Ú#ÒÒh‹å4ò,>«ôÓ„ì÷9&†…%´c,¤tNØR‰“5sŠq
+˜°+$úd!E½Í·‘3£y£<79>3Ÿ|#Ù2ÒÈ„¬ÜºÕLÍ^é¢L9ÊApØîfDV<44>kX´¨^æeh\É£H
«~y	ƵýdÀK½I\€óf>I5EÿcÛ,‹I+s<>

sheet02/a1/c-rsa-priv.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC1S64EHWciPKk+
+6kTV3QGe97oGsO4pAbeAvqqzFtOulkIy1cEYlQIP+Ie9LL1i1tOjkx8v3j0Foq7T
+DQkwCpTodJRl50hOdjOdhcjENU1GoZ2xHYb+sNwuVo7Rzl8rEP99p1N9slaq/d4L
+jV4c6PWDjd2vGxcnPpihYtZOgq7XNN026Iu+E3v7z8MAcMxy2RAQyw2PeqgxJwyh
+Pg1E6sz4OjnUQOhS0nwqz2XwG+XPfH8ytf3XjQPLnvUtmIscP1W4wjeJDJuvym5p
+qr8Nr71yjYLm9tefQLONHxXUOJuxiJatJj9M5yKs6Z/gB2RRA26as6wyIuQ6WFu4
+HTrUrgdrAgMBAAECggEABef0QFAQ5w2g2drZ6Tms7tfVKJik+ZMDvl73wqPQu5RL
+jcpm4v0ftxN6oJAPj2O+O0r0riOIS2G0Xk3Dadw+Y6BAoV06fsvc/Jm6I6I05UMo
+lveGSU/LrHrHZlBZy1ZfbGGCF8syhZmFnUy6ryhrryB1A1pXk8C3SjKlFqOtPHd/
+V1GW/ww3p7VL/HOmCNTr6nvlw6MJGzlZ08JpcwguGu/DuSCFSQwlhcqPsOQdr20o
+maGYIBEwkwOmk5CAjr3jJnmQlPQ8QtAsYCIjHrmiA0zyserGN7K3hhSDIJ19uK3F
+2BIglSYrSViwq2DIHbQgeHuoM3ziaFKVczwVaL7w8QKBgQDm901Wq2B/vO2lCgb8
+6cofnhJYa6T8w4SXuLDoNmrZuPw2VepR6L/HxgPS9t14LkIVZXIc0tdHkqHHfnHY
+O2m/5sEqYTGifAseLLPdgy7QC6ZvLq6CMzvl8rQ7ITj18+tyMnUYfw2Ts+9GwE4m
+X5Zvx+zROIP8gMoJhGqvpSdl0wKBgQDI8iezI1csN5Miq0aerQkYFqfkFEVVTeys
+LAep+sJ7U6RVpHBwGJrZkngucBgb6JdWZvY1eRnmZ7m4Y9cvq+b8DpdJhrkiUv2k
+YCfFvUDtxQimvb3yFTbluoxIhKP/pmmj1qng/EiKHU/1l++AErsIlSEuxbDnVx0o
+Ivdpod/hCQKBgQCBKKCmK/Yt2NAob+AShQbUAYiOy7ua4hd+5PiBExVTpd/c3tTH
+c1nz9Kbkzcpxz6SC5JUYy0s6KiSwM+SkIC119CvncCzaiXWKLUN0R0zhaPJs0HUk
+OFRxtfTV8DEzUXFEDjVvOnW0OHZBYX8SdHfjELE9GtasWLUi91rV2IycowKBgAM8
+GrWAiSO2FVFGjpF5WZ8gpj0+sksIQRoYb1smJUFU/F1Ak2rKipucBwFAXrL8UItc
+hvQfafJSkyPLv6gNzV8bYQYW/B34VgryXVGKlWP+ewAsJ8Wg38xc72svb3BrHmI7
+z2pGxWgrxqC+fGWEZ6xgsjMNjaZ7uYVu4qq5p1/5AoGBANm05M8tH5aD4+cNVCGp
+EiHiw4JyCbbkHHyuGi44Ul6CsX7Ib6vYyApI9+0wJHDddspFGve+sGdzQ3yc79/S
+QcaOMQC+/dEG3oOY+j76lSDM5Xa4Ie5ekn6dwYU96iiPBK0D+wcjiZv/qott2xsr
+dOPUdEes0Tj6vqVvDQLyXi1R
+-----END PRIVATE KEY-----

sheet02/a1/c-rsa-pub.key

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtUuuBB1nIjypPupE1d0B
+nve6BrDuKQG3gL6qsxbTrpZCMtXBGJUCD/iHvSy9YtbTo5MfL949BaKu0w0JMAqU
+6HSUZedITnYznYXIxDVNRqGdsR2G/rDcLlaO0c5fKxD/fadTfbJWqv3eC41eHOj1
+g43drxsXJz6YoWLWToKu1zTdNuiLvhN7+8/DAHDMctkQEMsNj3qoMScMoT4NROrM
++Do51EDoUtJ8Ks9l8Bvlz3x/MrX9140Dy571LZiLHD9VuMI3iQybr8puaaq/Da+9
+co2C5vbXn0CzjR8V1DibsYiWrSY/TOcirOmf4AdkUQNumrOsMiLkOlhbuB061K4H
+awIDAQAB
+-----END PUBLIC KEY-----

sheet02/a1/c.txt

@@ -0,0 +1,8 @@
+Generate rsa private key:
+openssl genpkey -algorithm RSA -out c-rsa-priv.key -pkeyopt rsa_keygen_bits:2048
+
+Extract the public key from the private key
+openssl pkey -in c-rsa-priv.key -pubout -out c-rsa-pub.key
+
+Encrypt the file using the rsa pubkey
+openssl pkeyutl -encrypt -pubin -inkey c-rsa-pub.key -in plaintext.txt -out c-enc-rsa.txt

sheet02/a1/e.txt

@@ -0,0 +1,9 @@
+Decrypt the aes-encrypted key with the aes-key and iv:
+openssl enc -d -aes-256-cbc -in b-enc-aes.txt -out b-dec-aes.txt -K cddf0c7f664624fd0b604c622a2c670dffc3fdd7859a7cdd2377d1ba2ab86f89 -iv 30579741743af76bdd06ec45b12ee6d7
+
+Decrypt encrypted file using the rsa private key
+openssl pkeyutl -decrypt -inkey a1/c-rsa-priv.key -in a1/c-enc-rsa.txt -out a1/c-dec-rsa.txt
+
+Verify the same files with the tool diff
+diff plaintext.txt b-dec-aes.txt  -> Prints nothing, so its the same
+diff plaintext.txt c-dec-rsa.txt  -> Prints nothing, so its the same

sheet02/a1/plaintext.txt

@@ -0,0 +1,3 @@
+Viktoria
+Leo
+Julian

sheet02/a2/SignECDSA.java

@@ -0,0 +1,23 @@
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.security.KeyPairGenerator;
+import java.security.Signature;
+import java.util.Base64;
+
+public class SignECDSA {
+    public static void main(String[] args) throws Exception {
+        final var gen = KeyPairGenerator.getInstance("EC");
+        final var kp = gen.genKeyPair();
+
+        final var bytes = Files.readAllBytes(Path.of("plaintext.txt"));
+        final var sig = Signature.getInstance("SHA256withECDSA");
+        sig.initVerify(kp.getPublic());
+        sig.initSign(kp.getPrivate());
+        sig.update(bytes);
+        final var signature = sig.sign();
+
+        Files.write(Path.of("b-signature.txt"), Base64.getEncoder().encode(signature));
+        Files.write(Path.of("b-publickey.txt"), Base64.getEncoder().encode(kp.getPublic().getEncoded()));
+        Files.write(Path.of("b-privatekey.txt"), Base64.getEncoder().encode(kp.getPrivate().getEncoded()));
+    }
+}

sheet02/a2/VerifyECDSA.java

@@ -0,0 +1,26 @@
+import java.security.KeyFactory;
+import java.security.Signature;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Base64;
+
+public class VerifyECDSA {
+    public static void main(String[] args) throws Exception {
+        if (args.length < 3) {
+            System.out.println(
+                    "Please specify in the following order: Public Key (X509), Signature (Base64), Message (plain text)");
+            return;
+        }
+
+        final String PUBLIC_KEY = args[0];
+        final String SIGNATURE = args[1];
+        final String MESSAGE = args[2];
+
+        final var kf = KeyFactory.getInstance("EC");
+        final var pub = kf.generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(PUBLIC_KEY)));
+
+        final var sig = Signature.getInstance("SHA256withECDSA");
+        sig.initVerify(pub);
+        sig.update(MESSAGE.getBytes());
+        System.out.println("Correct: " + sig.verify(Base64.getDecoder().decode(SIGNATURE)));
+    }
+}

sheet02/a2/b-privatekey.txt

@@ -0,0 +1 @@
+ME4CAQAwEAYHKoZIzj0CAQYFK4EEACIENzA1AgEBBDA/BgxBUzJUc3MfZVBIdPTbQfIdf4SABYZJlno8rUPkhBRrK3VkpEhyGdviYUPViz4=

sheet02/a2/b-publickey.txt

@@ -0,0 +1 @@
+MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEVHteuMnscItIHycwEZ80P44WyIWmL7PmeN6HLRAu8IJsLKX6BTDawN0MezskF68oQ9Ft7zy2u4v2aaYB4tgUv+0YG7zEwFr0ofqSqFFPSLr0qrVRvXi/H7Bux8tYVgaN

sheet02/a2/b-signature.txt

@@ -0,0 +1 @@
+MGQCMHq04CPgDiSaWPXb3LiuBrb97aV4JjinA5gIuEIFjFYLD1jYdECBdV/aHLLYsyMYnAIwedsP6qJKK4Y2uLgn3XLxbHgDKxf+eq07Rptmn/LttHTpWjtTfaLERM+Uh2BUGmMt

sheet02/a2/c.txt

@@ -0,0 +1,5 @@
+copy the publickey into a .pem file that starts with -----BEGIN PUBLIC KEY----- and ends with -----END PUBLIC KEY----- and has linebreaks after 64 chars.
+then decode the base64 signature
+base64 -d b-signature.txt > signature.bin
+verify using openssl
+openssl dgst -sha256 -verify c-pubkey.pem -signature signature.bin plaintext.txt 

sheet02/a2/plaintext.txt

@@ -0,0 +1,3 @@
+Julian
+Leonard
+Viktoria

sheet02/a2/verify-example.sh

@@ -0,0 +1 @@
+java VerifyECDSA.java "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEnSgO/uuSq9QHH/rrnSgXeQTKPMI8tjLhyJzevl9fLQZW/zXuHk9iThiKY/c2k52quUby3czAwL2l2HaRqcBXEg==" "MEUCIAzRvK3CNFqMTZxIgMd1uQ/XybtRKXFht9S4q8qUy/IbAiEA7EcFYuRbViVC/zzIRW78HekjRHZVn3DjHVUcKyJ5sXw=" "hello world"

sheet03/a1/a.txt

@@ -0,0 +1,98 @@
+1.
+positives:
+- The password is very hard to guess / bruteforce
+- There are no physical ways to obtain the password except for hacking one of the services where you have an account
+- You don't have to remember a lot and the effort is low compared to other methods
+
+negatives:
+- If one service gets hacked and your password is found out, all your accounts are compromised
+- If you forget your password, you don't have a good recovery method for your account (unless the service provides one)
+- Even though your password is pretty strong, you are still a pretty easy target
+
+2.
+positives:
+- The password is very hard to guess / bruteforce
+- There are no physical ways to obtain the password except for hacking one of the services where you have an account
+- You don't have to remember a lot and additionally to 1 only the method you're using (that you append the first letter of every service to it)
+
+negatives:
+- If one service gets hacked and your password is found out, getting into other accounts is harder than 1, but still pretty easy if they figure out your method
+- If you forget your password, you don't have a good recovery method for your account (unless the service provides one)
+- Even though your password is pretty strong, you are still a pretty easy target (although a tougher one than 1)
+
+3.
+positives:
+- Your passwords are very hard to guess / bruteforce
+- If one of your accounts gets hacked, none of your others compromised
+- You don't have to remember a lot, except for the secure place / the means to get to the secure place
+
+negatives:
+- If someone finds and steals your password book, you don't have any means of getting your accounts back
+- If you need to access your passwords from somewhere where you don't have access to your password book, you can't log into any of your accounts
+- Keeping the password book around is a huge maintenance burden (compared to 1 + 2 for example)
+
+4.
+positives:
+- Your passwords are very hard to guess / bruteforce
+- If one of your accounts gets hacked, none of your others are compromised
+- You can easily take all of your passwords with you
+
+negatives:
+- If someone finds and steals your USB stick, you don't have any means of getting your accounts back
+- If you need to access your passwords from somewhere where you don't have access to your USB stick, you can't log into any of your accounts
+- Keeping the USB stick around is a little bit of a burden (compared to 1 + 2 for example, 3 is a bigger burden of course)
+
+5.
+positives:
+- Your passwords are very hard to guess / bruteforce
+- If one of your accounts gets hacked, none of your others are compromised
+- Finding all of your passwords is really easy and convenient
+
+negatives:
+- If your PC breaks, you don't have access to any of your passwords anymore
+- If you don't have access to your PC where you need one of your passwords, you can't log into your accounts
+- If you lose any of your passwords, you don't have a proper way of getting them back (like deleting it on accident or something)
+
+6.
+positives:
+- Your passwords are very hard to guess / bruteforce
+- If one of your accounts gets hacked, none of your others are compromised
+- Taking your passwords with you is really easy
+
+negatives:
+- If the service storing your passwords gets hacked (and is not properly protected), all of your passwords could be vulnerable
+- Depending on how you access this password manager, your account may not be so secure
+- You need to keep around an extra password for your password manager (that you need a good strategy for as well)
+
+7.
+positives:
+- Bruteforcing one of your passwords doesn't leak your main password (assuming the password derivation is good)
+- If one of your accounts gets hacked, none of your others are compromised
+- Knowing your main password, means you know all of your passwords (because they are simply derived, they are not unrelated to your main password)
+
+negatives:
+- You need to keep around an extra password for your password derivation service (that you need a good strategy for as well)
+- If your main password is found out, all of your accounts are compromised
+- You are a relatively easy target since all it takes is cracking your main password (and knowing one site you have an account for)
+
+8.
+positives:
+- Your passwords are very hard to guess / bruteforce
+- If one of your accounts gets hacked, none of your others are compromised
+- Finding all of your passwords is really easy and convenient
+
+negatives:
+- If your PC breaks, you don't have access to any of your passwords anymore
+- If you don't have access to your PC where you need one of your passwords, you can't log into your accounts
+- If you lose any of your passwords, you don't have a proper way of getting them back (like deleting it on accident)
+
+9.
+positives:
+- You don't have to remember a lot of passwords
+- If one of your accounts gets hacked (and are unrelated to the password reset method), none of your others are compromised
+- Getting into your accounts is really easy
+
+negatives:
+- If your reset password method gets compromised, you don't have a way of getting back your account
+- Not all services may have a reset password function
+- You are a relatively easy target since all it takes is cracking your reset password method (if it is an email address for example)

sheet03/a1/b.txt

@@ -0,0 +1,3 @@
+A potential strategy is to use a password manager, like Proton Pass, that encrypts all of your passwords when they are uploaded to the cloud. With this approach, you have to remember one password for your password manager and get a really convenient solution that won't break down even if the provider were to be compromised (as in the service itself). With a good recovery strategy like keeping something like a recovery token in a secure place in your house, you can make sure you never lose access to your password manager.
+
+This approach of course has downsides, if the password you use for the password manager is weak, you are still an easy target. Like you would be with 1 or 2, but you would still have a recovery method. Compared to 7 however, you still never have a way of knowing your passwords without authenticating with the provider you're using. On top of that, keeping the recovery token at home makes you vulnerable to physical attacks similar to 3 or 4. These attacks are usually a hard thing to perform though, so I think it's still better than using a cloud password manager or one provided by your operating system.   

sheet03/a2/Auth.java

@@ -0,0 +1,71 @@
+import java.io.Console;
+import java.util.Map;
+import java.util.HexFormat;
+import java.util.stream.Collectors;
+import java.nio.file.Path;
+import java.nio.file.Files;
+import java.security.MessageDigest;
+
+public class Auth {
+    private static final byte[] INVALID_HASH = "----------------------------------------------------------------".getBytes();
+
+    public static void main(String[] args) {
+        try {
+            Map<String, byte[]> passwd = Files.readAllLines(Path.of("passwd"))
+                .stream()
+                .filter(line -> line.indexOf(":") > 1 && line.length() > 3)
+                .collect(Collectors.toMap(
+                    line -> line.substring(0, line.indexOf(':')),
+                    line -> HexFormat.of().parseHex(line.substring(line.indexOf(':') + 1))
+                ));
+
+            System.out.println("Chocolate Factory SCADA Command Line Interface v2.2.144");
+            System.out.println();
+            System.out.println("Please, enter your authentication credentials.");
+            System.out.println();
+
+            Console cons = System.console();
+
+            String username;
+            String password;
+
+            long timeout = 500;
+            while (true) {
+                username = cons.readLine("> Username: ");
+                password = new String(cons.readPassword("> Password: "));
+
+                MessageDigest digest = MessageDigest.getInstance("SHA-256");
+                byte[] encodedHash = digest.digest(password.getBytes());
+
+                // constant time comparison to prevent timing attacks
+                if (MessageDigest.isEqual(
+                    passwd.getOrDefault(username, INVALID_HASH),
+                    encodedHash
+                )) {
+                    System.out.println();
+                    System.out.printf("Welcome %s!%n", username);
+                    Thread.sleep(150);
+                    break;
+                } else {
+                    // exponential timeout to prevent brute force attacks
+                    System.out.println("Incorrect username and/or password.");
+                    Thread.sleep(timeout);
+                    timeout *= 2;
+                }
+            }
+
+            printSystemStatus();
+            printSecretRecipe();
+        } catch (Exception e) {
+            // ignore
+        }
+    }
+
+    private static void printSystemStatus() throws Exception {
+        // TOP SECRET
+    }
+
+    private static void printSecretRecipe() throws Exception {
+        // TOP SECRET
+    }
+}

sheet03/a2/a.txt

@@ -0,0 +1,5 @@
+The Code uses unsalted hashes of the passwords.
+That way there is no random data added to the hashes and it is very easy to find identical hashes using
+pre-computed lookup tables.
+
+Using such a tool we found that the password admin123 has the same hash that is stored for the username admin.

sheet03/a2/b.txt

@@ -0,0 +1,77 @@
+07:46:38 leo@group-20 ~ → cat .ssh/config 
+Host chocolate
+  User chocolate
+  Hostname 10.42.23.1
+
+07:46:13 leo@group-20 ~ → ssh chocolate
+chocolate@10.42.23.1's password: chocolate
+Chocolate Factory SCADA Command Line Interface v2.2.144
+
+Please, enter your authentication credentials.
+
+> Username: admin
+> Password: admin123
+
+Welcome admin!
+
+We are currently clean on OPSEC.
+
+Current System Status:
+ 🏭 Production Line 1:               [🟢 ONLINE] - Idle
+ 🏭 Production Line 2:               [🟢 ONLINE] - Running (Secretly Sweet Chocolate Batch #42)
+ 🏭 Ingredient Hopper (Cocoa):       [🟢 ONLINE] - Level: 85%
+ 🏭 Ingredient Hopper (Sugar):       [🟢 ONLINE] - Level: 92%
+ 🏭 Ingredient Hopper (Milk Powder): [🟢 ONLINE] - Level: 78%
+ 🌡️ Temperature Control System:      [🟢 ONLINE] - Target: 45°C (±0.5°C)
+ ⚙️ Mixing Unit A:                   [🟢 ONLINE] - Standby
+ ⚙️ Mixing Unit B:                   [🟢 ONLINE] - Active
+ 🍫 Molding Machine Alpha:           [🟢 ONLINE] - Ready
+ 🍫 Molding Machine Beta:            [🟢 ONLINE] - Processing
+ 🧊 Cooling Tunnel System:           [🟢 ONLINE] - Target: 10°C (±1°C)
+ 📦 Packaging Unit Delta:            [🟢 ONLINE] - Awaiting Output
+ 🤖 Quality Control Bot v3.2:        [🟢 ONLINE] - Monitoring
+ ⚡ Power Supply:                    [🟢 ONLINE] - Stable
+ 🌐 Network Connectivity:            [🟢 ONLINE] - Good
+ 🔒 Security System:                 [🟢 ONLINE] - Active
+----------------------------------------------------
+✅ ALL SYSTEMS GREEN. Chocolate production is nominal. ✅
+
+
+📝 Recipe for 'Secretly Sweet Chocolate Batch #42
+
+  Ingredients:
+
+  1 'Bargain Bin Chocolate Chunk'
+    (obtained from ... questionable sources)
+  3 'Heaping Spoonfuls of Questionable Granules'
+    (definitely not pure sugar)
+  A splash of 'Mysterious Gloss'
+     (something called vasline, maybe inedible,
+      but it makes things shiny!)
+
+
+  Instructions:
+
+  Acquire the Goods:
+     Locate and 'liberate' the cheapest-looking chocolate
+     you can get from the competition.
+  The Melt Down:
+     Subject the 'Bargain Bin Chocolate Chunk' to intense heat.
+     The goal is a questionable, slightly lumpy liquid.
+  Sweeten the Deal:
+     Introduce the 'Heaping Spoonfuls of Questionable Granules'
+     to the melted chocolate. Stir vigorously (or just shake the
+     container violently). The mixture should become alarmingly
+     sweet.
+  The Glossy Finish:
+     Add a dash of 'Mysterious Gloss.' This will give the product
+     an unsettlingly shiny appearance.
+  Mold it (Sort Of):
+     Pour the concoction into a vaguely bar-shaped container (the
+     packaging of the input chocolate might work?).
+  The Pay Off:
+     Pay tons of influencers to advertise this as the best
+     chocolate they have ever tasted, and price this chocolate
+     at a ridiculous high price!!1! 🤑💰💸
+  
+Connection to 10.42.23.1 closed.

sheet03/a2/passwd

@@ -0,0 +1,3 @@
+admin:240be518fabd2724ddb6f04eeb1da5967448d7e831c08c8fa822809f74c720a9
+alice:57a975ec110f89a7ca6a8c39aec856890b10488006106fb12c3a5fe063b1e7d5
+bob:2a3cc87f95b4363a1e6483d4659671361f86239735d31e8c4a9be893a2427c19

sheet04/a1/a.txt

@@ -0,0 +1,37 @@
+We found this Client Hello Handshake with the filter: tls.handshake.type == 1:
+
+TLSv1.3 Record Layer: Handshake Protocol: Client Hello
+    Handshake Protocol: Client Hello (last fragment)
+    [2 Reassembled Handshake Fragments (1496 bytes): #1(1158), #2(338)]
+    Handshake Protocol: Client Hello
+        Handshake Type: Client Hello (1)
+        ...
+        Extension: key_share (len=1258) X25519MLKEM768, x25519
+            Type: key_share (51)
+            Length: 1258
+            Key Share extension
+                Client Key Share Length: 1256
+                Key Share Entry: Group: X25519MLKEM768, Key Exchange length: 1216
+                    Group: X25519MLKEM768 (4588)
+                    Key Exchange Length: 1216
+                    Key Exchange […]: 6bfb169eb1aef0e121d7247092da22c2a75367eb7f620538b3f81ae29926ade590eee3ccdaf8afb793819dc8110f241d5827cc97a52151cbc99d9307053bc575f04c9c2457156bb5dcf5cd6a4c9fbcb8852366b47e253109e9ac0847875f6387cc794a04c30b17b31460a063758a6aeaf979cdd08a889a3de5a748289b72b6d83062071085d8323f86622db4c2ed71792dd325374096f331b1d143c347e87d1c545133b3542c605c092548a8179bdf76b32dcb9bd6fc46dd514eed92a3b67824bfe8a58997c75dc32333c46696b7ce71d62eff77c15ef0afdeea33add5a5cf054eb5911705a62deb7bae6ddc7e9680c9d479065e7c3e298a86cd1982c7c8bd002cc755c663fea62b51f182c685315f9c5f13b9c0a751881f414f40a17773c37658aa786aba6d9032447b60a59ad01904a9c59e369e76080dc4a9743ce505b7053369c596f0a23fcecc705aa3340409b557f093bb9b26a7fc07f78743eebb297a33271df270cd2b3dbf065c75508fe23452e2c10a0a876193f5a90a3075e6e29bd77961907a2ce1a70321fb5ca88cb11174664e5b71eb2c9a081977b0404a452a4427f0c8665348ce331ad4aa0d1c0bb6c9a6069cbbc14f5a53a02b8adcfa58591915607c8576ab413ce7931b2c3a578abc85b7a40c616535f1359842617aac2c4d363956a626e7248bd84cb4c026bab5a1a2bb041ff3d2a277946762d9992001caf6dc58ce81c7f9d0a2987a4d79596ef55511c2ca037afbb77aba8255d67a1fd81e6b1bc010621e500759e24681b8821358c809852a3f7fb639cc41b0fd839e29c54bf6f53776c4515fb17c79c6bd34acb8e9417e3c5c59a8d5960c7937f7a864054a4f97c71d72f1cce2e2c876c033b3977fc1793c6a8c407b2373989354db071d38da3430a4c51fe9579fd19f49d4c6019415c09a83bcc12e47cc828bf22463da96f3d178a3800e817b7552f89616639ed40329c3c4ba5b938f30186bebdbacd9e830258755e3963cbd6b7a9b55a8d7ea5cc637ccbaaa2234dc2832304f1161c1be895f25057b2f8c40ba48cc9db48da68a77eaea756fbc0e72423f1f1741a92caf16ea537f98519b3c243f02ba982abc76342f57181607a48fd71369622a4317d57e82b288e5079e2919bce76a3a09f351ce8695a86093bb984ebaac22496739d392152c55aef35755c1ba23fde180ac244247e8bbe89669a2b6ba79164965a67ff186c7980878761b1844922d97f104f3b86b3fa9b7bb7226cea8b14c294e9a084128777ef9531960f65dbb267265ca06cc7b8f1141b233c81a501abd6972291c3c679000402a321bdf95bee2162c1277734ba030c2a6cf383520d0b99232f86fbb23c0374626cbe22f3188066813b6b27270d2f2314e10c3002872a94c9c969286a1fc042a1477dd82c7910c5ed06b63e6079039fa29fc1039f80412f046a55abb05a3c2278c6a5d65534318817e37e2563c29c1fbf93b4124acec1323e9415f511b9b11e942e378b72bfa68dcf559312b7e3715432c80bd2bd06a95210cb06ac6b340ae18a34ded679e1110a7d7a92fe9e31a4e9956720a6f29838b95c05059182198b54bd76ba3de74347a3a166cf5bfc3f94c6cd922e37225fc95bec250915ea7581bea745b1a17988063585c795e1d2d1e219e580c3d3773cf9d9967ed01ccfd09a0832b58d42ee7b5cac4b4d2d057aa96fb32d04b356d22580772
+
+
+it contains the publickey: 6bfb169eb1aef0e121d7247092da22c2a75367eb7f620538b3f81ae29926ade590eee3ccdaf8afb793819dc8110f241d5827cc97a52151cbc99d9307053bc575f04c9c2457156bb5dcf5cd6a4c9fbcb8852366b47e253109e9ac0847875f6387cc794a04c30b17b31460a063758a6aeaf979cdd08a889a3de5a748289b72b6d83062071085d8323f86622db4c2ed71792dd325374096f331b1d143c347e87d1c545133b3542c605c092548a8179bdf76b32dcb9bd6fc46dd514eed92a3b67824bfe8a58997c75dc32333c46696b7ce71d62eff77c15ef0afdeea33add5a5cf054eb5911705a62deb7bae6ddc7e9680c9d479065e7c3e298a86cd1982c7c8bd002cc755c663fea62b51f182c685315f9c5f13b9c0a751881f414f40a17773c37658aa786aba6d9032447b60a59ad01904a9c59e369e76080dc4a9743ce505b7053369c596f0a23fcecc705aa3340409b557f093bb9b26a7fc07f78743eebb297a33271df270cd2b3dbf065c75508fe23452e2c10a0a876193f5a90a3075e6e29bd77961907a2ce1a70321fb5ca88cb11174664e5b71eb2c9a081977b0404a452a4427f0c8665348ce331ad4aa0d1c0bb6c9a6069cbbc14f5a53a02b8adcfa58591915607c8576ab413ce7931b2c3a578abc85b7a40c616535f1359842617aac2c4d363956a626e7248bd84cb4c026bab5a1a2bb041ff3d2a277946762d9992001caf6dc58ce81c7f9d0a2987a4d79596ef55511c2ca037afbb77aba8255d67a1fd81e6b1bc010621e500759e24681b8821358c809852a3f7fb639cc41b0fd839e29c54bf6f53776c4515fb17c79c6bd34acb8e9417e3c5c59a8d5960c7937f7a864054a4f97c71d72f1cce2e2c876c033b3977fc1793c6a8c407b2373989354db071d38da3430a4c51fe9579fd19f49d4c6019415c09a83bcc12e47cc828bf22463da96f3d178a3800e817b7552f89616639ed40329c3c4ba5b938f30186bebdbacd9e830258755e3963cbd6b7a9b55a8d7ea5cc637ccbaaa2234dc2832304f1161c1be895f25057b2f8c40ba48cc9db48da68a77eaea756fbc0e72423f1f1741a92caf16ea537f98519b3c243f02ba982abc76342f57181607a48fd71369622a4317d57e82b288e5079e2919bce76a3a09f351ce8695a86093bb984ebaac22496739d392152c55aef35755c1ba23fde180ac244247e8bbe89669a2b6ba79164965a67ff186c7980878761b1844922d97f104f3b86b3fa9b7bb7226cea8b14c294e9a084128777ef9531960f65dbb267265ca06cc7b8f1141b233c81a501abd6972291c3c679000402a321bdf95bee2162c1277734ba030c2a6cf383520d0b99232f86fbb23c0374626cbe22f3188066813b6b27270d2f2314e10c3002872a94c9c969286a1fc042a1477dd82c7910c5ed06b63e6079039fa29fc1039f80412f046a55abb05a3c2278c6a5d65534318817e37e2563c29c1fbf93b4124acec1323e9415f511b9b11e942e378b72bfa68dcf559312b7e3715432c80bd2bd06a95210cb06ac6b340ae18a34ded679e1110a7d7a92fe9e31a4e9956720a6f29838b95c05059182198b54bd76ba3de74347a3a166cf5bfc3f94c6cd922e37225fc95bec250915ea7581bea745b1a17988063585c795e1d2d1e219e580c3d3773cf9d9967ed01ccfd09a0832b58d42ee7b5cac4b4d2d057aa96fb32d04b356d22580772
+
+And we also fount this Server Hello Handshake with the filter: tls.handshake.type == 2:
+
+Handshake Protocol: Server Hello
+    Handshake Type: Server Hello (2)
+    ...
+    Extension: key_share (len=1124) X25519MLKEM768
+        Type: key_share (51)
+        Length: 1124
+        Key Share extension
+            Key Share Entry: Group: X25519MLKEM768, Key Exchange length: 1120
+                Group: X25519MLKEM768 (4588)
+                Key Exchange Length: 1120
+                Key Exchange […]: 640e2803937e4576a03c90112349c636e4b1efa63636d92a2b1b72ea7f1aea327f57e9ed2f1f1081502a552bae5da6e43b74a4cc548a8e8e29ce3b86eaa81c77407d68d5f7ec47d5d1cccc94d36aa640a2c341c988f2286bdf180acd99313474a8d4759933cef0e92c2fbf6efdfd82fd34c17a2b354c810cc8d0598392c90844d2c9ee8f7eefa1e08d5c5af4739331e2b23b4ae2892c98c43bf233a5b031aa611dcc949b5ecd9f2c8167dffe14c85434c2b06be100bf070ee76774c2efb4968a3a024679545c31a07b2b4af3c702dbec4921102b539ba6e2f0c1afd4f45f7604cb8493967d26e8e84a136bfb242d560728387643b38f570163be166b18049177ce0940b274025d828538d869fd8b0cfafe266e8f51a5b72b0feb6f66a3adcfc6061be14a2b272236090f136a404a6c71af2af8f5763fa8ab9274ab041d9c9b0f3a506f5f16925da671c93ad4f562c8e997233bcc1f18ed32d623d37aa4505f621bc752815534c337f03d87159d55838960e25cf333b390440b30f1e152a51cc2b55460e6841b428f4acf714c99eb09efd9b4955c86cdb9851495c9fb609d77ea6dadfa7c67b0ccb3e217401e4b004c47e355460cd47f444b989dfcd39b504a9de1bda306f6c14a9f522fb3de5736a5139caf44871837f3761b9ef23d1dbf939682d880f06281f9f3481d801135075fd3f4f5b04f5d4a70b2f92676733d8e29013912f244f7232fd4ec64f535f5db96bee6ba28a22bfe69923135b32883f692bfda79b04c614ded3986c4999c38ae1dc955aa8dc608c26f90d3bcc507694fc69b8a320c2cbbf11692d8b248f985552026b38d09f8d2cb5878d5bfd320fe94790d1f31cc19866e4166649a8884e9616d7e16da94a6f3f7c141672adfc88d04ee2b446f4ffac87ff8fb4dd456432738c679ccba5033ad47fa2906e665179e1043b1673447b2877fa1e88a3b62f47b0a34ca85cd1da4a762871cf6234ba9d596a241d5e9a0049b372021b8806ef408bf0f78d718c64224f4cafebbf5a44c84f1bc6075fc073fe0495f329e22b6fd4c19ec908197454511fb841934783fe7a1f9ede7cb0ca22e2df949d285a436d165adf1b12f7a6fa6f0545846d7329a85894f2de2130ba344fdcabfcc1ae0fa7ba1bb1d39029f9926f1d6468ee80cbf95c908d2f2a632aa06043880f89cc0b538dbfd1de87e3db6b88d58099702792f8780fa7b52c37e7be9b822f9a86bf283839b9df96de32af3b38f26c5afe311138f28be5e523b0cfb061e6bd33571216d6dc0bb7da30d1ec6b3fb9f88bad78e6bcd5bd48ec986f2a89e77f1360aa3fa7a06e93bfdf1408d34cb39c7128209e1d8b9e90e1e98a91c14113ff2d6185850d765048af8f595fa5e30452a03a552bb7a272e6f0e5e09ad64c57c1d9d22441f929ab65ab9a85fe66f6b48737eb92d578dbf5dfdbb8b710e4b2a1b7d48dae0af2a77f6805f7bc17f0a5bb3fbf6f69a055def782b3a48f80be17e62fbeba2e8ee327c52f2a9b8d8e3eb9313c4909b6d5577705ebd033c5c33b70f1f5855913706e74bfe5ff4922ddc85604449646ddde35fb17fd58511
+
+
+it contains the publickey: 640e2803937e4576a03c90112349c636e4b1efa63636d92a2b1b72ea7f1aea327f57e9ed2f1f1081502a552bae5da6e43b74a4cc548a8e8e29ce3b86eaa81c77407d68d5f7ec47d5d1cccc94d36aa640a2c341c988f2286bdf180acd99313474a8d4759933cef0e92c2fbf6efdfd82fd34c17a2b354c810cc8d0598392c90844d2c9ee8f7eefa1e08d5c5af4739331e2b23b4ae2892c98c43bf233a5b031aa611dcc949b5ecd9f2c8167dffe14c85434c2b06be100bf070ee76774c2efb4968a3a024679545c31a07b2b4af3c702dbec4921102b539ba6e2f0c1afd4f45f7604cb8493967d26e8e84a136bfb242d560728387643b38f570163be166b18049177ce0940b274025d828538d869fd8b0cfafe266e8f51a5b72b0feb6f66a3adcfc6061be14a2b272236090f136a404a6c71af2af8f5763fa8ab9274ab041d9c9b0f3a506f5f16925da671c93ad4f562c8e997233bcc1f18ed32d623d37aa4505f621bc752815534c337f03d87159d55838960e25cf333b390440b30f1e152a51cc2b55460e6841b428f4acf714c99eb09efd9b4955c86cdb9851495c9fb609d77ea6dadfa7c67b0ccb3e217401e4b004c47e355460cd47f444b989dfcd39b504a9de1bda306f6c14a9f522fb3de5736a5139caf44871837f3761b9ef23d1dbf939682d880f06281f9f3481d801135075fd3f4f5b04f5d4a70b2f92676733d8e29013912f244f7232fd4ec64f535f5db96bee6ba28a22bfe69923135b32883f692bfda79b04c614ded3986c4999c38ae1dc955aa8dc608c26f90d3bcc507694fc69b8a320c2cbbf11692d8b248f985552026b38d09f8d2cb5878d5bfd320fe94790d1f31cc19866e4166649a8884e9616d7e16da94a6f3f7c141672adfc88d04ee2b446f4ffac87ff8fb4dd456432738c679ccba5033ad47fa2906e665179e1043b1673447b2877fa1e88a3b62f47b0a34ca85cd1da4a762871cf6234ba9d596a241d5e9a0049b372021b8806ef408bf0f78d718c64224f4cafebbf5a44c84f1bc6075fc073fe0495f329e22b6fd4c19ec908197454511fb841934783fe7a1f9ede7cb0ca22e2df949d285a436d165adf1b12f7a6fa6f0545846d7329a85894f2de2130ba344fdcabfcc1ae0fa7ba1bb1d39029f9926f1d6468ee80cbf95c908d2f2a632aa06043880f89cc0b538dbfd1de87e3db6b88d58099702792f8780fa7b52c37e7be9b822f9a86bf283839b9df96de32af3b38f26c5afe311138f28be5e523b0cfb061e6bd33571216d6dc0bb7da30d1ec6b3fb9f88bad78e6bcd5bd48ec986f2a89e77f1360aa3fa7a06e93bfdf1408d34cb39c7128209e1d8b9e90e1e98a91c14113ff2d6185850d765048af8f595fa5e30452a03a552bb7a272e6f0e5e09ad64c57c1d9d22441f929ab65ab9a85fe66f6b48737eb92d578dbf5dfdbb8b710e4b2a1b7d48dae0af2a77f6805f7bc17f0a5bb3fbf6f69a055def782b3a48f80be17e62fbeba2e8ee327c52f2a9b8d8e3eb9313c4909b6d5577705ebd033c5c33b70f1f5855913706e74bfe5ff4922ddc85604449646ddde35fb17fd58511

sheet04/a1/b.txt

@@ -0,0 +1,45 @@
+We looked for the packet containing the certificate handshake with the filter: 
+tls.handshake.type == 11 and found the following certificates:
+
+
+Certificate 1:
+    Issuer: Let's Encrypt
+    Subject: www.mozilla.org
+    Valid until: 2025-07-28 10:02:46 (UTC)
+    Algorithm ID: 1.2.840.113549.1.1.1 (rsaEncryption)
+    RSA Public Key: 3082010a0282010100e422db3b32d5efbcc3b8b840760fdc8352561f8c50d830c488272571593bd4f96b43de8bcf6ede62042d1d5da6ae274f14906e97f306abec51d3a9a62663adf76ff960be247a898161093395f37a091f31e1536857a8deca4ed9aac9ce16d7f6c4e6d983224447fb1ebbcb5abecadf41a82b41d6bd4ea0de2b5153f8a273ab754b4b07241a49c2251c1c4f5055c3074f0b5476c88e0781d02af1f37a81a4fd0a1c1773b1dc8fc0596ff913f9b6f6fa2f40d1903319f6b312b7c23ded69176647a3bd7ff6a182b833b69309445123eb60a88c6de83b8da9d755ecafee52651e9a112ab5734021c2e0c1b30c83954cee138d639efc2abf78a48524c68d5942661d020300010001
+
+
+Certificate 2:
+    Issuer: Internet Security Research Group
+    Subject: Let's Encrypt
+    Valid until: 2027-03-12 23:59:59 (UTC)
+    Algorithm ID: 1.2.840.113549.1.1.1 (rsaEncryption)
+    RSA Public Key: 3082010a0282010100ba87bc5c1b0039cbca0acdd46710f9013ca54ea561cb26ca52fb1501b7b928f5281eed27b324183967090c08ece03ab03b770ebdf3e53954410c4eae41d69974de51dbef7bff58bda8b713f6de31d5f272c9726a0b8374959c4600641499f3b1d922d9cda892aa1c267a3ffeef58057b089581db710f8efbe33109bb09be504d5f8f91763d5a9d9e83f2e9c466b3e106664348188065a037189a9b843297b1b2bdc4f815009d2788fbe26317966c9b27674bc4db285e69c279f0495ce02450e1c4bca105ac7b406d00b4c2413fa758b82fc55c9ba5bb099ef1feebb08539fda80aef45c478eb652ac2cf5f3cdee35c4d1bf70b272baa0b4277534f796a1d87d90203010001
+
+
+echo "HEX-KEY" | tr -d ' \n\r' | xxd -r -p > key.der
+openssl rsa -in key.der -inform der -pubin -out key.pem
+
+gave us the publickeys: 
+Cert 1:
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5CLbOzLV77zDuLhAdg/c
+g1JWH4xQ2DDEiCclcVk71PlrQ96Lz27eYgQtHV2mridPFJBul/MGq+xR06mmJmOt
+92/5YL4keomBYQkzlfN6CR8x4VNoV6jeyk7ZqsnOFtf2xObZgyJER/seu8tavsrf
+QagrQda9TqDeK1FT+KJzq3VLSwckGknCJRwcT1BVwwdPC1R2yI4HgdAq8fN6gaT9
+ChwXc7Hcj8BZb/kT+bb2+i9A0ZAzGfazErfCPe1pF2ZHo71/9qGCuDO2kwlEUSPr
+YKiMbeg7janXVeyv7lJlHpoRKrVzQCHC4MGzDIOVTO4TjWOe/Cq/eKSFJMaNWUJm
+HQIDAQAB
+-----END PUBLIC KEY-----
+
+Cert 2:
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuoe8XBsAOcvKCs3UZxD5
+ATylTqVhyybKUvsVAbe5KPUoHu0nsyQYOWcJDAjs4DqwO3cOvfPlOVRBDE6uQdaZ
+dN5R2+97/1i9qLcT9t4x1fJyyXJqC4N0lZxGAGQUmfOx2SLZzaiSqhwmej/+71gF
+ewiVgdtxD4774zEJuwm+UE1fj5F2PVqdnoPy6cRms+EGZkNIGIBloDcYmpuEMpex
+sr3E+BUAnSeI++JjF5ZsmydnS8TbKF5pwnnwSVzgJFDhxLyhBax7QG0AtMJBP6dY
+uC/FXJuluwme8f7rsIU5/agK70XEeOtlKsLPXzze41xNG/cLJyuqC0J3U095ah2H
+2QIDAQAB
+-----END PUBLIC KEY-----

sheet04/a2/a.txt

@@ -0,0 +1,26 @@
+After some search these are my most used services (with number of visits):
+7191|gitlab.uni-ulm.de
+7409|github.com
+8307|www.youtube.com
+10696|duckduckgo.com
+11337|www.wanikani.com
+
+1. Wanikani is a Japanese learning app and does not support any kind of multi-factor-authentication. You can log in with your email address and also reset your password using your email address. They only removed username login in 2023: https://community.wanikani.com/t/updating-wanikani-password-recovery-options/61437.
+
+2. DuckDuckGo does not even have a login, so no need for authentication. I guess in a way, the most secure account is the account that doesn't exist. However, since it felt like cheating: I also use Proton a lot, and they have a lot of options for login. Speaking from personal experience here are the ones I know:
+- TOTP: Active for my account as well (they even have their own Authenticator app)
+- Security keys: Also available for two-factor authentication
+- In case of Proton Pass: You can set a second password that unlocks the password manager to make sure someone doesn't get access when they get your main password (just additional security).
+- For recovery, you can also set emergency contacts and stuff (so people could get access to your account even if you died), they have a pretty comprehensive system in total and I think they're really doing a good job with authentication
+
+3. YouTube: Well, here it gets a little complicated, but it's basically the same as for any Google account and because it's a big platform there are so many security options that you can't even count them all.
+- TOTP
+- Pass keys
+- Email 2FA
+- Google's own autentication system that works with any Android device (the one where a code is sent to your phone instead of by email)
+- Security codes: Offline credentials similar to TOTP that can be viewed in the Google app on a phone when logged in (as a compliment to Google's own code sending)
+- You can also chain any of those together to make your account more secure
+
+4. GitHub: Also really solid here: TOTP, Security keys, GitHub Mobile and SMS/Text (marked as insecure) messages are supported. However, no multi-factor authentication, you can only configure a second factor.
+
+5. University GitLab: Also a lot available: Login usually works through the University's account system, but you can additionally add TOTP and WebAuthn devices (so passkeys).