feat: a3

feat: a2
Edit explanation.txt
2026-05-22 11:52:02 +02:00 · 2026-05-22 11:46:10 +02:00 · 2026-05-21 19:18:15 +00:00 · 2026-05-21 19:14:24 +00:00 · 2026-05-21 19:12:14 +00:00 · 2026-05-21 19:10:49 +00:00
44 changed files with 703 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,6 @@
 *.pdf
 sheet01/a2/Hash.java
 *.class
 passwd
 sheet04/AuthWithTOTP.java
 sheet04/key-exchange.pcap
--- a/sheet02/a1/b-aeskey.txt
+++ b/sheet02/a1/b-aeskey.txt
@@ -0,0 +1,2 @@
 AES Key: cddf0c7f664624fd0b604c622a2c670dffc3fdd7859a7cdd2377d1ba2ab86f89
 IV: 30579741743af76bdd06ec45b12ee6d7
--- a/sheet02/a1/b-dec-aes.txt
+++ b/sheet02/a1/b-dec-aes.txt
@@ -0,0 +1,3 @@
 Viktoria
 Leo
 Julian
--- a/sheet02/a1/b-enc-aes.txt
+++ b/sheet02/a1/b-enc-aes.txt
@@ -0,0 +1 @@
 o5Ö¦Íß*òþk‚¼¾I¦BîÜr<C39C>Œ´<C592>6@hün5Ø
--- a/sheet02/a1/b.txt
+++ b/sheet02/a1/b.txt
@@ -0,0 +1,5 @@
 Generate 256bit aes key and 128 bit iv:
 openssl rand -hex 32
 openssl rand -hex 16
 Encrypt the file plaintext.txt with the key and iv
 openssl enc -aes-256-cbc -in plaintext.txt -out b-enc-aes.txt -K cddf0c7f664624fd0b604c622a2c670dffc3fdd7859a7cdd2377d1ba2ab86f89 -iv 30579741743af76bdd06ec45b12ee6d7
--- a/sheet02/a1/c-dec-rsa.txt
+++ b/sheet02/a1/c-dec-rsa.txt
@@ -0,0 +1,3 @@
 Viktoria
 Leo
 Julian
--- a/sheet02/a1/c-enc-rsa.txt
+++ b/sheet02/a1/c-enc-rsa.txt
@@ -0,0 +1,2 @@
 ’Ìnç‰á~Á>hì`£aÿ*‘Ú#ÒÒh‹å4ò,>«ôÓ„ì÷9&†…%´c,¤tNØR‰“5sŠq
 ˜°+$úd!E½Í·‘3£y£<79>3Ÿ|#Ù2ÒÈ„¬ÜºÕLÍ^é¢L9ÊApØîfDV<44>kX´¨^æeh\É£H«~y	ÆµýdÀK½I\€óf>I5EÿcÛ,‹I+s<>
--- a/sheet02/a1/c-rsa-priv.key
+++ b/sheet02/a1/c-rsa-priv.key
@@ -0,0 +1,28 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC1S64EHWciPKk+
 6kTV3QGe97oGsO4pAbeAvqqzFtOulkIy1cEYlQIP+Ie9LL1i1tOjkx8v3j0Foq7T
 DQkwCpTodJRl50hOdjOdhcjENU1GoZ2xHYb+sNwuVo7Rzl8rEP99p1N9slaq/d4L
 jV4c6PWDjd2vGxcnPpihYtZOgq7XNN026Iu+E3v7z8MAcMxy2RAQyw2PeqgxJwyh
 Pg1E6sz4OjnUQOhS0nwqz2XwG+XPfH8ytf3XjQPLnvUtmIscP1W4wjeJDJuvym5p
 qr8Nr71yjYLm9tefQLONHxXUOJuxiJatJj9M5yKs6Z/gB2RRA26as6wyIuQ6WFu4
 HTrUrgdrAgMBAAECggEABef0QFAQ5w2g2drZ6Tms7tfVKJik+ZMDvl73wqPQu5RL
 jcpm4v0ftxN6oJAPj2O+O0r0riOIS2G0Xk3Dadw+Y6BAoV06fsvc/Jm6I6I05UMo
 lveGSU/LrHrHZlBZy1ZfbGGCF8syhZmFnUy6ryhrryB1A1pXk8C3SjKlFqOtPHd/
 V1GW/ww3p7VL/HOmCNTr6nvlw6MJGzlZ08JpcwguGu/DuSCFSQwlhcqPsOQdr20o
 maGYIBEwkwOmk5CAjr3jJnmQlPQ8QtAsYCIjHrmiA0zyserGN7K3hhSDIJ19uK3F
 2BIglSYrSViwq2DIHbQgeHuoM3ziaFKVczwVaL7w8QKBgQDm901Wq2B/vO2lCgb8
 6cofnhJYa6T8w4SXuLDoNmrZuPw2VepR6L/HxgPS9t14LkIVZXIc0tdHkqHHfnHY
 O2m/5sEqYTGifAseLLPdgy7QC6ZvLq6CMzvl8rQ7ITj18+tyMnUYfw2Ts+9GwE4m
 X5Zvx+zROIP8gMoJhGqvpSdl0wKBgQDI8iezI1csN5Miq0aerQkYFqfkFEVVTeys
 LAep+sJ7U6RVpHBwGJrZkngucBgb6JdWZvY1eRnmZ7m4Y9cvq+b8DpdJhrkiUv2k
 YCfFvUDtxQimvb3yFTbluoxIhKP/pmmj1qng/EiKHU/1l++AErsIlSEuxbDnVx0o
 Ivdpod/hCQKBgQCBKKCmK/Yt2NAob+AShQbUAYiOy7ua4hd+5PiBExVTpd/c3tTH
 c1nz9Kbkzcpxz6SC5JUYy0s6KiSwM+SkIC119CvncCzaiXWKLUN0R0zhaPJs0HUk
 OFRxtfTV8DEzUXFEDjVvOnW0OHZBYX8SdHfjELE9GtasWLUi91rV2IycowKBgAM8
 GrWAiSO2FVFGjpF5WZ8gpj0+sksIQRoYb1smJUFU/F1Ak2rKipucBwFAXrL8UItc
 hvQfafJSkyPLv6gNzV8bYQYW/B34VgryXVGKlWP+ewAsJ8Wg38xc72svb3BrHmI7
 z2pGxWgrxqC+fGWEZ6xgsjMNjaZ7uYVu4qq5p1/5AoGBANm05M8tH5aD4+cNVCGp
 EiHiw4JyCbbkHHyuGi44Ul6CsX7Ib6vYyApI9+0wJHDddspFGve+sGdzQ3yc79/S
 QcaOMQC+/dEG3oOY+j76lSDM5Xa4Ie5ekn6dwYU96iiPBK0D+wcjiZv/qott2xsr
 dOPUdEes0Tj6vqVvDQLyXi1R
 -----END PRIVATE KEY-----
--- a/sheet02/a1/c-rsa-pub.key
+++ b/sheet02/a1/c-rsa-pub.key
@@ -0,0 +1,9 @@
 -----BEGIN PUBLIC KEY-----
 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtUuuBB1nIjypPupE1d0B
 nve6BrDuKQG3gL6qsxbTrpZCMtXBGJUCD/iHvSy9YtbTo5MfL949BaKu0w0JMAqU
 6HSUZedITnYznYXIxDVNRqGdsR2G/rDcLlaO0c5fKxD/fadTfbJWqv3eC41eHOj1
 g43drxsXJz6YoWLWToKu1zTdNuiLvhN7+8/DAHDMctkQEMsNj3qoMScMoT4NROrM
 +Do51EDoUtJ8Ks9l8Bvlz3x/MrX9140Dy571LZiLHD9VuMI3iQybr8puaaq/Da+9
 co2C5vbXn0CzjR8V1DibsYiWrSY/TOcirOmf4AdkUQNumrOsMiLkOlhbuB061K4H
 awIDAQAB
 -----END PUBLIC KEY-----
--- a/sheet02/a1/c.txt
+++ b/sheet02/a1/c.txt
@@ -0,0 +1,8 @@
 Generate rsa private key:
 openssl genpkey -algorithm RSA -out c-rsa-priv.key -pkeyopt rsa_keygen_bits:2048
 Extract the public key from the private key
 openssl pkey -in c-rsa-priv.key -pubout -out c-rsa-pub.key
 Encrypt the file using the rsa pubkey
 openssl pkeyutl -encrypt -pubin -inkey c-rsa-pub.key -in plaintext.txt -out c-enc-rsa.txt
--- a/sheet02/a1/d.txt
+++ b/sheet02/a1/d.txt
--- a/sheet02/a1/e.txt
+++ b/sheet02/a1/e.txt
@@ -0,0 +1,9 @@
 Decrypt the aes-encrypted key with the aes-key and iv:
 openssl enc -d -aes-256-cbc -in b-enc-aes.txt -out b-dec-aes.txt -K cddf0c7f664624fd0b604c622a2c670dffc3fdd7859a7cdd2377d1ba2ab86f89 -iv 30579741743af76bdd06ec45b12ee6d7
 Decrypt encrypted file using the rsa private key
 openssl pkeyutl -decrypt -inkey a1/c-rsa-priv.key -in a1/c-enc-rsa.txt -out a1/c-dec-rsa.txt
 Verify the same files with the tool diff
 diff plaintext.txt b-dec-aes.txt  -> Prints nothing, so its the same
 diff plaintext.txt c-dec-rsa.txt  -> Prints nothing, so its the same
--- a/sheet02/a1/plaintext.txt
+++ b/sheet02/a1/plaintext.txt
@@ -0,0 +1,3 @@
 Viktoria
 Leo
 Julian
--- a/sheet02/a2/SignECDSA.java
+++ b/sheet02/a2/SignECDSA.java
@@ -0,0 +1,23 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.security.KeyPairGenerator;
 import java.security.Signature;
 import java.util.Base64;
 public class SignECDSA {
    public static void main(String[] args) throws Exception {
        final var gen = KeyPairGenerator.getInstance("EC");
        final var kp = gen.genKeyPair();
        final var bytes = Files.readAllBytes(Path.of("plaintext.txt"));
        final var sig = Signature.getInstance("SHA256withECDSA");
        sig.initVerify(kp.getPublic());
        sig.initSign(kp.getPrivate());
        sig.update(bytes);
        final var signature = sig.sign();
        Files.write(Path.of("b-signature.txt"), Base64.getEncoder().encode(signature));
        Files.write(Path.of("b-publickey.txt"), Base64.getEncoder().encode(kp.getPublic().getEncoded()));
        Files.write(Path.of("b-privatekey.txt"), Base64.getEncoder().encode(kp.getPrivate().getEncoded()));
    }
 }
--- a/sheet02/a2/VerifyECDSA.java
+++ b/sheet02/a2/VerifyECDSA.java
@@ -0,0 +1,26 @@
 import java.security.KeyFactory;
 import java.security.Signature;
 import java.security.spec.X509EncodedKeySpec;
 import java.util.Base64;
 public class VerifyECDSA {
    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.out.println(
                    "Please specify in the following order: Public Key (X509), Signature (Base64), Message (plain text)");
            return;
        }
        final String PUBLIC_KEY = args[0];
        final String SIGNATURE = args[1];
        final String MESSAGE = args[2];
        final var kf = KeyFactory.getInstance("EC");
        final var pub = kf.generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(PUBLIC_KEY)));
        final var sig = Signature.getInstance("SHA256withECDSA");
        sig.initVerify(pub);
        sig.update(MESSAGE.getBytes());
        System.out.println("Correct: " + sig.verify(Base64.getDecoder().decode(SIGNATURE)));
    }
 }
--- a/sheet02/a2/b-privatekey.txt
+++ b/sheet02/a2/b-privatekey.txt
@@ -0,0 +1 @@
 ME4CAQAwEAYHKoZIzj0CAQYFK4EEACIENzA1AgEBBDA/BgxBUzJUc3MfZVBIdPTbQfIdf4SABYZJlno8rUPkhBRrK3VkpEhyGdviYUPViz4=
--- a/sheet02/a2/b-publickey.txt
+++ b/sheet02/a2/b-publickey.txt
@@ -0,0 +1 @@
 MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEVHteuMnscItIHycwEZ80P44WyIWmL7PmeN6HLRAu8IJsLKX6BTDawN0MezskF68oQ9Ft7zy2u4v2aaYB4tgUv+0YG7zEwFr0ofqSqFFPSLr0qrVRvXi/H7Bux8tYVgaN
--- a/sheet02/a2/b-signature.txt
+++ b/sheet02/a2/b-signature.txt
@@ -0,0 +1 @@
 MGQCMHq04CPgDiSaWPXb3LiuBrb97aV4JjinA5gIuEIFjFYLD1jYdECBdV/aHLLYsyMYnAIwedsP6qJKK4Y2uLgn3XLxbHgDKxf+eq07Rptmn/LttHTpWjtTfaLERM+Uh2BUGmMt
--- a/sheet02/a2/c.txt
+++ b/sheet02/a2/c.txt
@@ -0,0 +1,5 @@
 copy the publickey into a .pem file that starts with -----BEGIN PUBLIC KEY----- and ends with -----END PUBLIC KEY----- and has linebreaks after 64 chars.
 then decode the base64 signature
 base64 -d b-signature.txt > signature.bin
 verify using openssl
 openssl dgst -sha256 -verify c-pubkey.pem -signature signature.bin plaintext.txt 
--- a/sheet02/a2/plaintext.txt
+++ b/sheet02/a2/plaintext.txt
@@ -0,0 +1,3 @@
 Julian
 Leonard
 Viktoria
--- a/sheet02/a2/verify-example.sh
+++ b/sheet02/a2/verify-example.sh
@@ -0,0 +1 @@
 java VerifyECDSA.java "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEnSgO/uuSq9QHH/rrnSgXeQTKPMI8tjLhyJzevl9fLQZW/zXuHk9iThiKY/c2k52quUby3czAwL2l2HaRqcBXEg==" "MEUCIAzRvK3CNFqMTZxIgMd1uQ/XybtRKXFht9S4q8qUy/IbAiEA7EcFYuRbViVC/zzIRW78HekjRHZVn3DjHVUcKyJ5sXw=" "hello world"
--- a/sheet03/a1/a.txt
+++ b/sheet03/a1/a.txt
@@ -0,0 +1,98 @@
 1.
 positives:
 - The password is very hard to guess / bruteforce
 - There are no physical ways to obtain the password except for hacking one of the services where you have an account
 - You don't have to remember a lot and the effort is low compared to other methods
 negatives:
 - If one service gets hacked and your password is found out, all your accounts are compromised
 - If you forget your password, you don't have a good recovery method for your account (unless the service provides one)
 - Even though your password is pretty strong, you are still a pretty easy target
 2.
 positives:
 - The password is very hard to guess / bruteforce
 - There are no physical ways to obtain the password except for hacking one of the services where you have an account
 - You don't have to remember a lot and additionally to 1 only the method you're using (that you append the first letter of every service to it)
 negatives:
 - If one service gets hacked and your password is found out, getting into other accounts is harder than 1, but still pretty easy if they figure out your method
 - If you forget your password, you don't have a good recovery method for your account (unless the service provides one)
 - Even though your password is pretty strong, you are still a pretty easy target (although a tougher one than 1)
 3.
 positives:
 - Your passwords are very hard to guess / bruteforce
 - If one of your accounts gets hacked, none of your others compromised
 - You don't have to remember a lot, except for the secure place / the means to get to the secure place
 negatives:
 - If someone finds and steals your password book, you don't have any means of getting your accounts back
 - If you need to access your passwords from somewhere where you don't have access to your password book, you can't log into any of your accounts
 - Keeping the password book around is a huge maintenance burden (compared to 1 + 2 for example)
 4.
 positives:
 - Your passwords are very hard to guess / bruteforce
 - If one of your accounts gets hacked, none of your others are compromised
 - You can easily take all of your passwords with you
 negatives:
 - If someone finds and steals your USB stick, you don't have any means of getting your accounts back
 - If you need to access your passwords from somewhere where you don't have access to your USB stick, you can't log into any of your accounts
 - Keeping the USB stick around is a little bit of a burden (compared to 1 + 2 for example, 3 is a bigger burden of course)
 5.
 positives:
 - Your passwords are very hard to guess / bruteforce
 - If one of your accounts gets hacked, none of your others are compromised
 - Finding all of your passwords is really easy and convenient
 negatives:
 - If your PC breaks, you don't have access to any of your passwords anymore
 - If you don't have access to your PC where you need one of your passwords, you can't log into your accounts
 - If you lose any of your passwords, you don't have a proper way of getting them back (like deleting it on accident or something)
 6.
 positives:
 - Your passwords are very hard to guess / bruteforce
 - If one of your accounts gets hacked, none of your others are compromised
 - Taking your passwords with you is really easy
 negatives:
 - If the service storing your passwords gets hacked (and is not properly protected), all of your passwords could be vulnerable
 - Depending on how you access this password manager, your account may not be so secure
 - You need to keep around an extra password for your password manager (that you need a good strategy for as well)
 7.
 positives:
 - Bruteforcing one of your passwords doesn't leak your main password (assuming the password derivation is good)
 - If one of your accounts gets hacked, none of your others are compromised
 - Knowing your main password, means you know all of your passwords (because they are simply derived, they are not unrelated to your main password)
 negatives:
 - You need to keep around an extra password for your password derivation service (that you need a good strategy for as well)
 - If your main password is found out, all of your accounts are compromised
 - You are a relatively easy target since all it takes is cracking your main password (and knowing one site you have an account for)
 8.
 positives:
 - Your passwords are very hard to guess / bruteforce
 - If one of your accounts gets hacked, none of your others are compromised
 - Finding all of your passwords is really easy and convenient
 negatives:
 - If your PC breaks, you don't have access to any of your passwords anymore
 - If you don't have access to your PC where you need one of your passwords, you can't log into your accounts
 - If you lose any of your passwords, you don't have a proper way of getting them back (like deleting it on accident)
 9.
 positives:
 - You don't have to remember a lot of passwords
 - If one of your accounts gets hacked (and are unrelated to the password reset method), none of your others are compromised
 - Getting into your accounts is really easy
 negatives:
 - If your reset password method gets compromised, you don't have a way of getting back your account
 - Not all services may have a reset password function
 - You are a relatively easy target since all it takes is cracking your reset password method (if it is an email address for example)
--- a/sheet03/a1/b.txt
+++ b/sheet03/a1/b.txt
@@ -0,0 +1,3 @@
 A potential strategy is to use a password manager, like Proton Pass, that encrypts all of your passwords when they are uploaded to the cloud. With this approach, you have to remember one password for your password manager and get a really convenient solution that won't break down even if the provider were to be compromised (as in the service itself). With a good recovery strategy like keeping something like a recovery token in a secure place in your house, you can make sure you never lose access to your password manager.
 This approach of course has downsides, if the password you use for the password manager is weak, you are still an easy target. Like you would be with 1 or 2, but you would still have a recovery method. Compared to 7 however, you still never have a way of knowing your passwords without authenticating with the provider you're using. On top of that, keeping the recovery token at home makes you vulnerable to physical attacks similar to 3 or 4. These attacks are usually a hard thing to perform though, so I think it's still better than using a cloud password manager or one provided by your operating system.   
--- a/sheet03/a2/Auth.java
+++ b/sheet03/a2/Auth.java
@@ -0,0 +1,71 @@
 import java.io.Console;
 import java.util.Map;
 import java.util.HexFormat;
 import java.util.stream.Collectors;
 import java.nio.file.Path;
 import java.nio.file.Files;
 import java.security.MessageDigest;
 public class Auth {
    private static final byte[] INVALID_HASH = "----------------------------------------------------------------".getBytes();
    public static void main(String[] args) {
        try {
            Map<String, byte[]> passwd = Files.readAllLines(Path.of("passwd"))
                .stream()
                .filter(line -> line.indexOf(":") > 1 && line.length() > 3)
                .collect(Collectors.toMap(
                    line -> line.substring(0, line.indexOf(':')),
                    line -> HexFormat.of().parseHex(line.substring(line.indexOf(':') + 1))
                ));
            System.out.println("Chocolate Factory SCADA Command Line Interface v2.2.144");
            System.out.println();
            System.out.println("Please, enter your authentication credentials.");
            System.out.println();
            Console cons = System.console();
            String username;
            String password;
            long timeout = 500;
            while (true) {
                username = cons.readLine("> Username: ");
                password = new String(cons.readPassword("> Password: "));
                MessageDigest digest = MessageDigest.getInstance("SHA-256");
                byte[] encodedHash = digest.digest(password.getBytes());
                // constant time comparison to prevent timing attacks
                if (MessageDigest.isEqual(
                    passwd.getOrDefault(username, INVALID_HASH),
                    encodedHash
                )) {
                    System.out.println();
                    System.out.printf("Welcome %s!%n", username);
                    Thread.sleep(150);
                    break;
                } else {
                    // exponential timeout to prevent brute force attacks
                    System.out.println("Incorrect username and/or password.");
                    Thread.sleep(timeout);
                    timeout *= 2;
                }
            }
            printSystemStatus();
            printSecretRecipe();
        } catch (Exception e) {
            // ignore
        }
    }
    private static void printSystemStatus() throws Exception {
        // TOP SECRET
    }
    private static void printSecretRecipe() throws Exception {
        // TOP SECRET
    }
 }
--- a/sheet03/a2/a.txt
+++ b/sheet03/a2/a.txt
@@ -0,0 +1,5 @@
 The Code uses unsalted hashes of the passwords.
 That way there is no random data added to the hashes and it is very easy to find identical hashes using
 pre-computed lookup tables.
 Using such a tool we found that the password admin123 has the same hash that is stored for the username admin.
--- a/sheet03/a2/b.txt
+++ b/sheet03/a2/b.txt
@@ -0,0 +1,77 @@
 07:46:38 leo@group-20 ~ → cat .ssh/config 
 Host chocolate
  User chocolate
  Hostname 10.42.23.1
 07:46:13 leo@group-20 ~ → ssh chocolate
 chocolate@10.42.23.1's password: chocolate
 Chocolate Factory SCADA Command Line Interface v2.2.144
 Please, enter your authentication credentials.
 > Username: admin
 > Password: admin123
 Welcome admin!
 We are currently clean on OPSEC.
 Current System Status:
 🏭 Production Line 1:               [🟢 ONLINE] - Idle
 🏭 Production Line 2:               [🟢 ONLINE] - Running (Secretly Sweet Chocolate Batch #42)
 🏭 Ingredient Hopper (Cocoa):       [🟢 ONLINE] - Level: 85%
 🏭 Ingredient Hopper (Sugar):       [🟢 ONLINE] - Level: 92%
 🏭 Ingredient Hopper (Milk Powder): [🟢 ONLINE] - Level: 78%
 🌡️ Temperature Control System:      [🟢 ONLINE] - Target: 45°C (±0.5°C)
 ⚙️ Mixing Unit A:                   [🟢 ONLINE] - Standby
 ⚙️ Mixing Unit B:                   [🟢 ONLINE] - Active
 🍫 Molding Machine Alpha:           [🟢 ONLINE] - Ready
 🍫 Molding Machine Beta:            [🟢 ONLINE] - Processing
 🧊 Cooling Tunnel System:           [🟢 ONLINE] - Target: 10°C (±1°C)
 📦 Packaging Unit Delta:            [🟢 ONLINE] - Awaiting Output
 🤖 Quality Control Bot v3.2:        [🟢 ONLINE] - Monitoring
 ⚡ Power Supply:                    [🟢 ONLINE] - Stable
 🌐 Network Connectivity:            [🟢 ONLINE] - Good
 🔒 Security System:                 [🟢 ONLINE] - Active
 ----------------------------------------------------
 ✅ ALL SYSTEMS GREEN. Chocolate production is nominal. ✅
 📝 Recipe for 'Secretly Sweet Chocolate Batch #42
  Ingredients:
  1 'Bargain Bin Chocolate Chunk'
    (obtained from ... questionable sources)
  3 'Heaping Spoonfuls of Questionable Granules'
    (definitely not pure sugar)
  A splash of 'Mysterious Gloss'
     (something called vasline, maybe inedible,
      but it makes things shiny!)
  Instructions:
  Acquire the Goods:
     Locate and 'liberate' the cheapest-looking chocolate
     you can get from the competition.
  The Melt Down:
     Subject the 'Bargain Bin Chocolate Chunk' to intense heat.
     The goal is a questionable, slightly lumpy liquid.
  Sweeten the Deal:
     Introduce the 'Heaping Spoonfuls of Questionable Granules'
     to the melted chocolate. Stir vigorously (or just shake the
     container violently). The mixture should become alarmingly
     sweet.
  The Glossy Finish:
     Add a dash of 'Mysterious Gloss.' This will give the product
     an unsettlingly shiny appearance.
  Mold it (Sort Of):
     Pour the concoction into a vaguely bar-shaped container (the
     packaging of the input chocolate might work?).
  The Pay Off:
     Pay tons of influencers to advertise this as the best
     chocolate they have ever tasted, and price this chocolate
     at a ridiculous high price!!1! 🤑💰💸
 Connection to 10.42.23.1 closed.
--- a/sheet03/a2/c.txt
+++ b/sheet03/a2/c.txt
--- a/sheet03/a2/passwd
+++ b/sheet03/a2/passwd
@@ -0,0 +1,3 @@
 admin:240be518fabd2724ddb6f04eeb1da5967448d7e831c08c8fa822809f74c720a9
 alice:57a975ec110f89a7ca6a8c39aec856890b10488006106fb12c3a5fe063b1e7d5
 bob:2a3cc87f95b4363a1e6483d4659671361f86239735d31e8c4a9be893a2427c19
--- a/sheet04/a1/a.txt
+++ b/sheet04/a1/a.txt
@@ -0,0 +1,37 @@
 We found this Client Hello Handshake with the filter: tls.handshake.type == 1:
 TLSv1.3 Record Layer: Handshake Protocol: Client Hello
    Handshake Protocol: Client Hello (last fragment)
    [2 Reassembled Handshake Fragments (1496 bytes): #1(1158), #2(338)]
    Handshake Protocol: Client Hello
        Handshake Type: Client Hello (1)
        ...
        Extension: key_share (len=1258) X25519MLKEM768, x25519
            Type: key_share (51)
            Length: 1258
            Key Share extension
                Client Key Share Length: 1256
                Key Share Entry: Group: X25519MLKEM768, Key Exchange length: 1216
                    Group: X25519MLKEM768 (4588)
                    Key Exchange Length: 1216
                    Key Exchange […]: 6bfb169eb1aef0e121d7247092da22c2a75367eb7f620538b3f81ae29926ade590eee3ccdaf8afb793819dc8110f241d5827cc97a52151cbc99d9307053bc575f04c9c2457156bb5dcf5cd6a4c9fbcb8852366b47e253109e9ac0847875f6387cc794a04c30b17b31460a063758a6aeaf979cdd08a889a3de5a748289b72b6d83062071085d8323f86622db4c2ed71792dd325374096f331b1d143c347e87d1c545133b3542c605c092548a8179bdf76b32dcb9bd6fc46dd514eed92a3b67824bfe8a58997c75dc32333c46696b7ce71d62eff77c15ef0afdeea33add5a5cf054eb5911705a62deb7bae6ddc7e9680c9d479065e7c3e298a86cd1982c7c8bd002cc755c663fea62b51f182c685315f9c5f13b9c0a751881f414f40a17773c37658aa786aba6d9032447b60a59ad01904a9c59e369e76080dc4a9743ce505b7053369c596f0a23fcecc705aa3340409b557f093bb9b26a7fc07f78743eebb297a33271df270cd2b3dbf065c75508fe23452e2c10a0a876193f5a90a3075e6e29bd77961907a2ce1a70321fb5ca88cb11174664e5b71eb2c9a081977b0404a452a4427f0c8665348ce331ad4aa0d1c0bb6c9a6069cbbc14f5a53a02b8adcfa58591915607c8576ab413ce7931b2c3a578abc85b7a40c616535f1359842617aac2c4d363956a626e7248bd84cb4c026bab5a1a2bb041ff3d2a277946762d9992001caf6dc58ce81c7f9d0a2987a4d79596ef55511c2ca037afbb77aba8255d67a1fd81e6b1bc010621e500759e24681b8821358c809852a3f7fb639cc41b0fd839e29c54bf6f53776c4515fb17c79c6bd34acb8e9417e3c5c59a8d5960c7937f7a864054a4f97c71d72f1cce2e2c876c033b3977fc1793c6a8c407b2373989354db071d38da3430a4c51fe9579fd19f49d4c6019415c09a83bcc12e47cc828bf22463da96f3d178a3800e817b7552f89616639ed40329c3c4ba5b938f30186bebdbacd9e830258755e3963cbd6b7a9b55a8d7ea5cc637ccbaaa2234dc2832304f1161c1be895f25057b2f8c40ba48cc9db48da68a77eaea756fbc0e72423f1f1741a92caf16ea537f98519b3c243f02ba982abc76342f57181607a48fd71369622a4317d57e82b288e5079e2919bce76a3a09f351ce8695a86093bb984ebaac22496739d392152c55aef35755c1ba23fde180ac244247e8bbe89669a2b6ba79164965a67ff186c7980878761b1844922d97f104f3b86b3fa9b7bb7226cea8b14c294e9a084128777ef9531960f65dbb267265ca06cc7b8f1141b233c81a501abd6972291c3c679000402a321bdf95bee2162c1277734ba030c2a6cf383520d0b99232f86fbb23c0374626cbe22f3188066813b6b27270d2f2314e10c3002872a94c9c969286a1fc042a1477dd82c7910c5ed06b63e6079039fa29fc1039f80412f046a55abb05a3c2278c6a5d65534318817e37e2563c29c1fbf93b4124acec1323e9415f511b9b11e942e378b72bfa68dcf559312b7e3715432c80bd2bd06a95210cb06ac6b340ae18a34ded679e1110a7d7a92fe9e31a4e9956720a6f29838b95c05059182198b54bd76ba3de74347a3a166cf5bfc3f94c6cd922e37225fc95bec250915ea7581bea745b1a17988063585c795e1d2d1e219e580c3d3773cf9d9967ed01ccfd09a0832b58d42ee7b5cac4b4d2d057aa96fb32d04b356d22580772
 it contains the publickey: 6bfb169eb1aef0e121d7247092da22c2a75367eb7f620538b3f81ae29926ade590eee3ccdaf8afb793819dc8110f241d5827cc97a52151cbc99d9307053bc575f04c9c2457156bb5dcf5cd6a4c9fbcb8852366b47e253109e9ac0847875f6387cc794a04c30b17b31460a063758a6aeaf979cdd08a889a3de5a748289b72b6d83062071085d8323f86622db4c2ed71792dd325374096f331b1d143c347e87d1c545133b3542c605c092548a8179bdf76b32dcb9bd6fc46dd514eed92a3b67824bfe8a58997c75dc32333c46696b7ce71d62eff77c15ef0afdeea33add5a5cf054eb5911705a62deb7bae6ddc7e9680c9d479065e7c3e298a86cd1982c7c8bd002cc755c663fea62b51f182c685315f9c5f13b9c0a751881f414f40a17773c37658aa786aba6d9032447b60a59ad01904a9c59e369e76080dc4a9743ce505b7053369c596f0a23fcecc705aa3340409b557f093bb9b26a7fc07f78743eebb297a33271df270cd2b3dbf065c75508fe23452e2c10a0a876193f5a90a3075e6e29bd77961907a2ce1a70321fb5ca88cb11174664e5b71eb2c9a081977b0404a452a4427f0c8665348ce331ad4aa0d1c0bb6c9a6069cbbc14f5a53a02b8adcfa58591915607c8576ab413ce7931b2c3a578abc85b7a40c616535f1359842617aac2c4d363956a626e7248bd84cb4c026bab5a1a2bb041ff3d2a277946762d9992001caf6dc58ce81c7f9d0a2987a4d79596ef55511c2ca037afbb77aba8255d67a1fd81e6b1bc010621e500759e24681b8821358c809852a3f7fb639cc41b0fd839e29c54bf6f53776c4515fb17c79c6bd34acb8e9417e3c5c59a8d5960c7937f7a864054a4f97c71d72f1cce2e2c876c033b3977fc1793c6a8c407b2373989354db071d38da3430a4c51fe9579fd19f49d4c6019415c09a83bcc12e47cc828bf22463da96f3d178a3800e817b7552f89616639ed40329c3c4ba5b938f30186bebdbacd9e830258755e3963cbd6b7a9b55a8d7ea5cc637ccbaaa2234dc2832304f1161c1be895f25057b2f8c40ba48cc9db48da68a77eaea756fbc0e72423f1f1741a92caf16ea537f98519b3c243f02ba982abc76342f57181607a48fd71369622a4317d57e82b288e5079e2919bce76a3a09f351ce8695a86093bb984ebaac22496739d392152c55aef35755c1ba23fde180ac244247e8bbe89669a2b6ba79164965a67ff186c7980878761b1844922d97f104f3b86b3fa9b7bb7226cea8b14c294e9a084128777ef9531960f65dbb267265ca06cc7b8f1141b233c81a501abd6972291c3c679000402a321bdf95bee2162c1277734ba030c2a6cf383520d0b99232f86fbb23c0374626cbe22f3188066813b6b27270d2f2314e10c3002872a94c9c969286a1fc042a1477dd82c7910c5ed06b63e6079039fa29fc1039f80412f046a55abb05a3c2278c6a5d65534318817e37e2563c29c1fbf93b4124acec1323e9415f511b9b11e942e378b72bfa68dcf559312b7e3715432c80bd2bd06a95210cb06ac6b340ae18a34ded679e1110a7d7a92fe9e31a4e9956720a6f29838b95c05059182198b54bd76ba3de74347a3a166cf5bfc3f94c6cd922e37225fc95bec250915ea7581bea745b1a17988063585c795e1d2d1e219e580c3d3773cf9d9967ed01ccfd09a0832b58d42ee7b5cac4b4d2d057aa96fb32d04b356d22580772
 And we also fount this Server Hello Handshake with the filter: tls.handshake.type == 2:
 Handshake Protocol: Server Hello
    Handshake Type: Server Hello (2)
    ...
    Extension: key_share (len=1124) X25519MLKEM768
        Type: key_share (51)
        Length: 1124
        Key Share extension
            Key Share Entry: Group: X25519MLKEM768, Key Exchange length: 1120
                Group: X25519MLKEM768 (4588)
                Key Exchange Length: 1120
                Key Exchange […]: 640e2803937e4576a03c90112349c636e4b1efa63636d92a2b1b72ea7f1aea327f57e9ed2f1f1081502a552bae5da6e43b74a4cc548a8e8e29ce3b86eaa81c77407d68d5f7ec47d5d1cccc94d36aa640a2c341c988f2286bdf180acd99313474a8d4759933cef0e92c2fbf6efdfd82fd34c17a2b354c810cc8d0598392c90844d2c9ee8f7eefa1e08d5c5af4739331e2b23b4ae2892c98c43bf233a5b031aa611dcc949b5ecd9f2c8167dffe14c85434c2b06be100bf070ee76774c2efb4968a3a024679545c31a07b2b4af3c702dbec4921102b539ba6e2f0c1afd4f45f7604cb8493967d26e8e84a136bfb242d560728387643b38f570163be166b18049177ce0940b274025d828538d869fd8b0cfafe266e8f51a5b72b0feb6f66a3adcfc6061be14a2b272236090f136a404a6c71af2af8f5763fa8ab9274ab041d9c9b0f3a506f5f16925da671c93ad4f562c8e997233bcc1f18ed32d623d37aa4505f621bc752815534c337f03d87159d55838960e25cf333b390440b30f1e152a51cc2b55460e6841b428f4acf714c99eb09efd9b4955c86cdb9851495c9fb609d77ea6dadfa7c67b0ccb3e217401e4b004c47e355460cd47f444b989dfcd39b504a9de1bda306f6c14a9f522fb3de5736a5139caf44871837f3761b9ef23d1dbf939682d880f06281f9f3481d801135075fd3f4f5b04f5d4a70b2f92676733d8e29013912f244f7232fd4ec64f535f5db96bee6ba28a22bfe69923135b32883f692bfda79b04c614ded3986c4999c38ae1dc955aa8dc608c26f90d3bcc507694fc69b8a320c2cbbf11692d8b248f985552026b38d09f8d2cb5878d5bfd320fe94790d1f31cc19866e4166649a8884e9616d7e16da94a6f3f7c141672adfc88d04ee2b446f4ffac87ff8fb4dd456432738c679ccba5033ad47fa2906e665179e1043b1673447b2877fa1e88a3b62f47b0a34ca85cd1da4a762871cf6234ba9d596a241d5e9a0049b372021b8806ef408bf0f78d718c64224f4cafebbf5a44c84f1bc6075fc073fe0495f329e22b6fd4c19ec908197454511fb841934783fe7a1f9ede7cb0ca22e2df949d285a436d165adf1b12f7a6fa6f0545846d7329a85894f2de2130ba344fdcabfcc1ae0fa7ba1bb1d39029f9926f1d6468ee80cbf95c908d2f2a632aa06043880f89cc0b538dbfd1de87e3db6b88d58099702792f8780fa7b52c37e7be9b822f9a86bf283839b9df96de32af3b38f26c5afe311138f28be5e523b0cfb061e6bd33571216d6dc0bb7da30d1ec6b3fb9f88bad78e6bcd5bd48ec986f2a89e77f1360aa3fa7a06e93bfdf1408d34cb39c7128209e1d8b9e90e1e98a91c14113ff2d6185850d765048af8f595fa5e30452a03a552bb7a272e6f0e5e09ad64c57c1d9d22441f929ab65ab9a85fe66f6b48737eb92d578dbf5dfdbb8b710e4b2a1b7d48dae0af2a77f6805f7bc17f0a5bb3fbf6f69a055def782b3a48f80be17e62fbeba2e8ee327c52f2a9b8d8e3eb9313c4909b6d5577705ebd033c5c33b70f1f5855913706e74bfe5ff4922ddc85604449646ddde35fb17fd58511
 it contains the publickey: 640e2803937e4576a03c90112349c636e4b1efa63636d92a2b1b72ea7f1aea327f57e9ed2f1f1081502a552bae5da6e43b74a4cc548a8e8e29ce3b86eaa81c77407d68d5f7ec47d5d1cccc94d36aa640a2c341c988f2286bdf180acd99313474a8d4759933cef0e92c2fbf6efdfd82fd34c17a2b354c810cc8d0598392c90844d2c9ee8f7eefa1e08d5c5af4739331e2b23b4ae2892c98c43bf233a5b031aa611dcc949b5ecd9f2c8167dffe14c85434c2b06be100bf070ee76774c2efb4968a3a024679545c31a07b2b4af3c702dbec4921102b539ba6e2f0c1afd4f45f7604cb8493967d26e8e84a136bfb242d560728387643b38f570163be166b18049177ce0940b274025d828538d869fd8b0cfafe266e8f51a5b72b0feb6f66a3adcfc6061be14a2b272236090f136a404a6c71af2af8f5763fa8ab9274ab041d9c9b0f3a506f5f16925da671c93ad4f562c8e997233bcc1f18ed32d623d37aa4505f621bc752815534c337f03d87159d55838960e25cf333b390440b30f1e152a51cc2b55460e6841b428f4acf714c99eb09efd9b4955c86cdb9851495c9fb609d77ea6dadfa7c67b0ccb3e217401e4b004c47e355460cd47f444b989dfcd39b504a9de1bda306f6c14a9f522fb3de5736a5139caf44871837f3761b9ef23d1dbf939682d880f06281f9f3481d801135075fd3f4f5b04f5d4a70b2f92676733d8e29013912f244f7232fd4ec64f535f5db96bee6ba28a22bfe69923135b32883f692bfda79b04c614ded3986c4999c38ae1dc955aa8dc608c26f90d3bcc507694fc69b8a320c2cbbf11692d8b248f985552026b38d09f8d2cb5878d5bfd320fe94790d1f31cc19866e4166649a8884e9616d7e16da94a6f3f7c141672adfc88d04ee2b446f4ffac87ff8fb4dd456432738c679ccba5033ad47fa2906e665179e1043b1673447b2877fa1e88a3b62f47b0a34ca85cd1da4a762871cf6234ba9d596a241d5e9a0049b372021b8806ef408bf0f78d718c64224f4cafebbf5a44c84f1bc6075fc073fe0495f329e22b6fd4c19ec908197454511fb841934783fe7a1f9ede7cb0ca22e2df949d285a436d165adf1b12f7a6fa6f0545846d7329a85894f2de2130ba344fdcabfcc1ae0fa7ba1bb1d39029f9926f1d6468ee80cbf95c908d2f2a632aa06043880f89cc0b538dbfd1de87e3db6b88d58099702792f8780fa7b52c37e7be9b822f9a86bf283839b9df96de32af3b38f26c5afe311138f28be5e523b0cfb061e6bd33571216d6dc0bb7da30d1ec6b3fb9f88bad78e6bcd5bd48ec986f2a89e77f1360aa3fa7a06e93bfdf1408d34cb39c7128209e1d8b9e90e1e98a91c14113ff2d6185850d765048af8f595fa5e30452a03a552bb7a272e6f0e5e09ad64c57c1d9d22441f929ab65ab9a85fe66f6b48737eb92d578dbf5dfdbb8b710e4b2a1b7d48dae0af2a77f6805f7bc17f0a5bb3fbf6f69a055def782b3a48f80be17e62fbeba2e8ee327c52f2a9b8d8e3eb9313c4909b6d5577705ebd033c5c33b70f1f5855913706e74bfe5ff4922ddc85604449646ddde35fb17fd58511
--- a/sheet04/a1/b.txt
+++ b/sheet04/a1/b.txt
@@ -0,0 +1,45 @@
 We looked for the packet containing the certificate handshake with the filter: 
 tls.handshake.type == 11 and found the following certificates:
 Certificate 1:
    Issuer: Let's Encrypt
    Subject: www.mozilla.org
    Valid until: 2025-07-28 10:02:46 (UTC)
    Algorithm ID: 1.2.840.113549.1.1.1 (rsaEncryption)
    RSA Public Key: 3082010a0282010100e422db3b32d5efbcc3b8b840760fdc8352561f8c50d830c488272571593bd4f96b43de8bcf6ede62042d1d5da6ae274f14906e97f306abec51d3a9a62663adf76ff960be247a898161093395f37a091f31e1536857a8deca4ed9aac9ce16d7f6c4e6d983224447fb1ebbcb5abecadf41a82b41d6bd4ea0de2b5153f8a273ab754b4b07241a49c2251c1c4f5055c3074f0b5476c88e0781d02af1f37a81a4fd0a1c1773b1dc8fc0596ff913f9b6f6fa2f40d1903319f6b312b7c23ded69176647a3bd7ff6a182b833b69309445123eb60a88c6de83b8da9d755ecafee52651e9a112ab5734021c2e0c1b30c83954cee138d639efc2abf78a48524c68d5942661d020300010001
 Certificate 2:
    Issuer: Internet Security Research Group
    Subject: Let's Encrypt
    Valid until: 2027-03-12 23:59:59 (UTC)
    Algorithm ID: 1.2.840.113549.1.1.1 (rsaEncryption)
    RSA Public Key: 3082010a0282010100ba87bc5c1b0039cbca0acdd46710f9013ca54ea561cb26ca52fb1501b7b928f5281eed27b324183967090c08ece03ab03b770ebdf3e53954410c4eae41d69974de51dbef7bff58bda8b713f6de31d5f272c9726a0b8374959c4600641499f3b1d922d9cda892aa1c267a3ffeef58057b089581db710f8efbe33109bb09be504d5f8f91763d5a9d9e83f2e9c466b3e106664348188065a037189a9b843297b1b2bdc4f815009d2788fbe26317966c9b27674bc4db285e69c279f0495ce02450e1c4bca105ac7b406d00b4c2413fa758b82fc55c9ba5bb099ef1feebb08539fda80aef45c478eb652ac2cf5f3cdee35c4d1bf70b272baa0b4277534f796a1d87d90203010001
 echo "HEX-KEY" | tr -d ' \n\r' | xxd -r -p > key.der
 openssl rsa -in key.der -inform der -pubin -out key.pem
 gave us the publickeys: 
 Cert 1:
 -----BEGIN PUBLIC KEY-----
 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5CLbOzLV77zDuLhAdg/c
 g1JWH4xQ2DDEiCclcVk71PlrQ96Lz27eYgQtHV2mridPFJBul/MGq+xR06mmJmOt
 92/5YL4keomBYQkzlfN6CR8x4VNoV6jeyk7ZqsnOFtf2xObZgyJER/seu8tavsrf
 QagrQda9TqDeK1FT+KJzq3VLSwckGknCJRwcT1BVwwdPC1R2yI4HgdAq8fN6gaT9
 ChwXc7Hcj8BZb/kT+bb2+i9A0ZAzGfazErfCPe1pF2ZHo71/9qGCuDO2kwlEUSPr
 YKiMbeg7janXVeyv7lJlHpoRKrVzQCHC4MGzDIOVTO4TjWOe/Cq/eKSFJMaNWUJm
 HQIDAQAB
 -----END PUBLIC KEY-----
 Cert 2:
 -----BEGIN PUBLIC KEY-----
 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuoe8XBsAOcvKCs3UZxD5
 ATylTqVhyybKUvsVAbe5KPUoHu0nsyQYOWcJDAjs4DqwO3cOvfPlOVRBDE6uQdaZ
 dN5R2+97/1i9qLcT9t4x1fJyyXJqC4N0lZxGAGQUmfOx2SLZzaiSqhwmej/+71gF
 ewiVgdtxD4774zEJuwm+UE1fj5F2PVqdnoPy6cRms+EGZkNIGIBloDcYmpuEMpex
 sr3E+BUAnSeI++JjF5ZsmydnS8TbKF5pwnnwSVzgJFDhxLyhBax7QG0AtMJBP6dY
 uC/FXJuluwme8f7rsIU5/agK70XEeOtlKsLPXzze41xNG/cLJyuqC0J3U095ah2H
 2QIDAQAB
 -----END PUBLIC KEY-----
--- a/sheet04/a1/c.txt
+++ b/sheet04/a1/c.txt
@@ -0,0 +1,6 @@
 Let's Encrypt: 
 Let's Encrypt is a Certificate Authority that provides free TLS certificates, making it easy for websites to enable HTTPS encryption and create a more secure Internet for everyone. Let's Encrypt is a project of the nonprofit Internet Security Research Group
 Internet Security Research Group:
 The Internet Security Research Group (ISRG) is a public-benefit non-profit corporation based in California which focuses on Internet security.
--- a/sheet04/a2/AuthWithTOTP.java
+++ b/sheet04/a2/AuthWithTOTP.java
@@ -0,0 +1,149 @@
 import java.nio.ByteBuffer;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.security.MessageDigest;
 import java.time.Instant;
 import java.util.HexFormat;
 import java.util.Map;
 import java.util.Scanner;
 import java.util.stream.Collectors;
 import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;
 public class AuthWithTOTP {
 	private static final byte[] INVALID_HASH =
 		"----------------------------------------------------------------".getBytes();
 	// hex-encoded: 3c2bc45f2de6568bb285aa1c6fcac1b6965cc770
 	// base32-encoded: HQV4IXZN4ZLIXMUFVIOG7SWBW2LFZR3Q
 	private static final byte[] K = new byte[] {
 		60,
 		43,
 		-60,
 		95,
 		45,
 		-26,
 		86,
 		-117,
 		-78,
 		-123,
 		-86,
 		28,
 		111,
 		-54,
 		-63,
 		-74,
 		-106,
 		92,
 		-57,
 		112,
 	};
 	public static void main(String[] args) {
 		// I changed it to a scanner cause my terminal had issues with the other thingy
 		try (Scanner sc = new Scanner(System.in)) {
 			Map<String, byte[]> passwd = Files.readAllLines(Path.of("passwd"))
 				.stream()
 				.filter(line -> line.indexOf(":") > 1 && line.length() > 3)
 				.collect(
 					Collectors.toMap(
 						line -> line.substring(0, line.indexOf(':')),
 						line ->
 							HexFormat.of().parseHex(
 								line.substring(line.indexOf(':') + 1)
 							)
 					)
 				);
 			System.out.println(
 				"Chocolate Factory SCADA Command Line Interface v2.2.144"
 			);
 			System.out.println();
 			System.out.println(
 				"Please, enter your authentication credentials."
 			);
 			System.out.println();
 			String username;
 			String password;
 			String totpCode;
 			long timeout = 500;
 			while (true) {
 				System.out.print("> Username: ");
 				username = sc.nextLine();
 				System.out.print("> Password: ");
 				password = sc.nextLine();
 				System.out.print("> TOTP Code: ");
 				totpCode = sc.nextLine();
 				MessageDigest digest = MessageDigest.getInstance("SHA-256");
 				byte[] encodedHash = digest.digest(password.getBytes());
 				// constant time comparison to prevent timing attacks
 				if (
 					MessageDigest.isEqual(
 						passwd.getOrDefault(username, INVALID_HASH),
 						encodedHash
 					)
 				) {
 					// Get the counter from the unix seconds
 					final var counter = (int) Math.floor(
 						Instant.now().getEpochSecond() / 30.0
 					);
 					// Compute the hmac
 					final var mac = Mac.getInstance("HmacSHA1");
 					mac.init(new SecretKeySpec(K, "HmacSHA1"));
 					mac.update(ByteBuffer.allocate(8).putLong(counter).array());
 					final var hmacResult = mac.doFinal();
 					// Do the truncating + modulo
 					int offset = hmacResult[19] & 0x0f;
 					int binaryCode =
 						((hmacResult[offset] & 0x7f) << 24) |
 						((hmacResult[offset + 1] & 0xff) << 16) |
 						((hmacResult[offset + 2] & 0xff) << 8) |
 						(hmacResult[offset + 3] & 0xff);
 					binaryCode = binaryCode % 1000000;
 					// Validate the code + padding
 					final var code = String.format("%06d", binaryCode);
 					if (!code.equals(totpCode)) {
 						System.out.println(
 							"Invalid username, password and/or TOTP code."
 						);
 						Thread.sleep(timeout);
 						timeout *= 2;
 						continue;
 					}
 					System.out.printf("Welcome %s!%n", username);
 					Thread.sleep(150);
 					break;
 				} else {
 					// exponential timeout to prevent brute force attacks
 					System.out.println(
 						"Invalid username, password and/or TOTP code."
 					);
 					Thread.sleep(timeout);
 					timeout *= 2;
 				}
 			}
 			printSystemStatus();
 			printSecretRecipe();
 		} catch (Exception e) {
 			e.printStackTrace();
 		}
 	}
 	private static void printSystemStatus() throws Exception {
 		// SECRET
 	}
 	private static void printSecretRecipe() throws Exception {
 		// SECRET
 	}
 }
--- a/sheet04/a2/a.txt
+++ b/sheet04/a2/a.txt
@@ -0,0 +1,26 @@
 After some search these are my most used services (with number of visits):
 7191|gitlab.uni-ulm.de
 7409|github.com
 8307|www.youtube.com
 10696|duckduckgo.com
 11337|www.wanikani.com
 1. Wanikani is a Japanese learning app and does not support any kind of multi-factor-authentication. You can log in with your email address and also reset your password using your email address. They only removed username login in 2023: https://community.wanikani.com/t/updating-wanikani-password-recovery-options/61437.
 2. DuckDuckGo does not even have a login, so no need for authentication. I guess in a way, the most secure account is the account that doesn't exist. However, since it felt like cheating: I also use Proton a lot, and they have a lot of options for login. Speaking from personal experience here are the ones I know:
 - TOTP: Active for my account as well (they even have their own Authenticator app)
 - Security keys: Also available for two-factor authentication
 - In case of Proton Pass: You can set a second password that unlocks the password manager to make sure someone doesn't get access when they get your main password (just additional security).
 - For recovery, you can also set emergency contacts and stuff (so people could get access to your account even if you died), they have a pretty comprehensive system in total and I think they're really doing a good job with authentication
 3. YouTube: Well, here it gets a little complicated, but it's basically the same as for any Google account and because it's a big platform there are so many security options that you can't even count them all.
 - TOTP
 - Pass keys
 - Email 2FA
 - Google's own autentication system that works with any Android device (the one where a code is sent to your phone instead of by email)
 - Security codes: Offline credentials similar to TOTP that can be viewed in the Google app on a phone when logged in (as a compliment to Google's own code sending)
 - You can also chain any of those together to make your account more secure
 4. GitHub: Also really solid here: TOTP, Security keys, GitHub Mobile and SMS/Text (marked as insecure) messages are supported. However, no multi-factor authentication, you can only configure a second factor.
 5. University GitLab: Also a lot available: Login usually works through the University's account system, but you can additionally add TOTP and WebAuthn devices (so passkeys).
--- a/sheet04/a2/c.txt
+++ b/sheet04/a2/c.txt
@@ -0,0 +1,5 @@
 Without the time interval entering the codes would be really difficult. Imagine having only one second to enter the code + the request having to travel to some server for it to verify (can take up to 200ms around the world) + the server having to process the request and verify the code.
 There could be measures to make sure the code is still valid even when entering a little old code, but then you're really just introducing an interval. So why not do it from the start?
 That's why you need a 30s interval. For user experience, to make sure the system can actually work even when grandma has to type it in and reopen the authenticator 10x because she forgot the code or typed something wrong.
--- a/sheet05/a1/archive.sh
+++ b/sheet05/a1/archive.sh
@@ -0,0 +1,3 @@
 #!/bin/bash
 # $1 = directory path
 chmod -R a-w "$1"
--- a/sheet05/a1/create_user.sh
+++ b/sheet05/a1/create_user.sh
@@ -0,0 +1,3 @@
 #!/bin/bash
 # $1 = username, $2 = comma-separated groups
 useradd -G "$2" "$1" || usermod -aG "$2" "$1"
--- a/sheet05/a1/explanation.txt
+++ b/sheet05/a1/explanation.txt
@@ -0,0 +1,6 @@
 UNIX permissions only support one Owner, one Group, and Other (UGO). 
 The 'Group' slot is already taken by the specific lecture group to give students write access.
 If we use 'Other' to give the supervisor read access, every user on the system could read it, which would violate the requirements.
 If we add the supervisor to the lecture group, they get write access, which also violates the requirements.
 Because a file cannot have multiple groups or user-specific overrides under standard UNIX permissions, this cannot be solved.
--- a/sheet05/a1/supervisor.sh
+++ b/sheet05/a1/supervisor.sh
@@ -0,0 +1,3 @@
 #!/bin/bash
 # $1 = supervisor username
 echo "not possible with the standard UNIX permissions. See explanation.txt."
--- a/sheet05/a2/archive.sh
+++ b/sheet05/a2/archive.sh
@@ -0,0 +1,3 @@
 #!/bin/bash
 TARGET_DIR=$1
 chmod -R a-w "$TARGET_DIR"
--- a/sheet05/a2/create_user.sh
+++ b/sheet05/a2/create_user.sh
@@ -0,0 +1,4 @@
 #!/bin/bash
 USERNAME=$1
 GROUPS=$2
 useradd -G "$GROUPS" "$USERNAME" || usermod -aG "$GROUPS" "$USERNAME"
--- a/sheet05/a2/explanation.txt
+++ b/sheet05/a2/explanation.txt
@@ -0,0 +1,3 @@
 The supervisor's read access would fail with UNIX permissions, since they are limited to one owner, one group, and "others". 
 Access Control Lists (ACLs) resolve this problem by allowing permissions beyond the standard three. 
 Using `setfacl`, we can append specific read and execute rights (r-x) for individual users (the supervisors) directly to the files and directories.
--- a/sheet05/a2/supervisor.sh
+++ b/sheet05/a2/supervisor.sh
@@ -0,0 +1,6 @@
 #!/bin/bash
 SUPERVISOR=$1
 # Grant read and execute permissions to the supervisor user recursively
 setfacl -R -m u:"$SUPERVISOR":r-x .
 # Set the default ACL
 setfacl -R -d -m u:"$SUPERVISOR":r-x .
--- a/sheet05/a3/a.txt
+++ b/sheet05/a3/a.txt
@@ -0,0 +1,4 @@
 Passwords are stored in the /etc/shadow file, which is restricted to the root user. 
 A standard user cannot write to it directly. However, the passwd executable is owned by root and has the SUID permission set. 
 When a standard user runs passwd, the SUID bit tells the system to execute the program with the privileges of root, 
 giving the program the temporary permissions to update /etc/shadow
--- a/sheet05/a3/b.txt
+++ b/sheet05/a3/b.txt
@@ -0,0 +1,5 @@
 The script runs with root privileges because the setuid bit is set. 
 Since it just asks for a username and saves the new hash to /etc/shadow, 
 and there is no validation checking if the user running the program is actually changing their own password, 
 someone could simply run the program, type root as the username, and set a new password for the root user. 
 The script would then overwrite the actual root password in /etc/shadow.
Author	SHA1	Message	Date
Leo	58553b688a	feat: a3 All checks were successful zip and release / build-and-release (push) Successful in 3s Details	2026-05-22 11:52:02 +02:00
Leo	b118e163b2	feat: a2	2026-05-22 11:46:10 +02:00
Viktoria Konschuh	266df5d32c	Edit explanation.txt	2026-05-21 19:18:15 +00:00
Viktoria Konschuh	a2d5d23307	Edit supervisor.sh	2026-05-21 19:14:24 +00:00
Viktoria Konschuh	e40906a933	Edit archive.sh	2026-05-21 19:12:14 +00:00
Viktoria Konschuh	f29fbed900	Edit create_user.sh	2026-05-21 19:10:49 +00:00
Leo Habrom	ea32ada42d	feat: create files	2026-05-21 13:47:54 +02:00
Unbreathable	6676f07705	feat(4): task 2c	2026-05-15 10:15:55 +02:00
Unbreathable	62fb088403	feat(4): task 2b	2026-05-15 10:15:55 +02:00
Leo	64ae54469d	a1 c	2026-05-15 10:06:30 +02:00
Leo	b3f7f42ab0	a1 a+b	2026-05-15 10:04:03 +02:00
Unbreathable	9b0467677a	feat: task 2a	2026-05-15 09:40:28 +02:00
Julian Golenhofen	203f68ea1b	feat: task b done	2026-05-06 11:11:27 +00:00
Julian Golenhofen	20bdc23597	feat: finish task a	2026-05-06 11:03:09 +00:00
Julian Golenhofen	92820ce20c	feat: parts of task a	2026-05-06 10:55:52 +00:00
Leo	07568edbcd	feat: found the exploit in the code and attaced the server	2026-05-02 19:48:28 +02:00
Leo	a23ec65d30	feat: init sheet03	2026-05-02 19:00:49 +02:00
Leo	d3aa96fa84	feat: a2 c All checks were successful zip and release / build-and-release (push) Successful in 4s Details	2026-05-01 01:32:01 +02:00
Leo	9c2b167d3a	feat: a1 without d	2026-05-01 01:31:53 +02:00
Leo	4784a15866	fix: remove package and rename files	2026-05-01 01:31:17 +02:00
Julian	76d4003957	feat(sheet2): task 2 solution	2026-04-29 13:28:34 +02:00
Leo	3b9e9034ba	chore: create empty files for ex2	2026-04-28 20:14:21 +02:00
		`@@ -0,0 +1,2 @@`
							`AES Key: cddf0c7f664624fd0b604c622a2c670dffc3fdd7859a7cdd2377d1ba2ab86f89`
							`IV: 30579741743af76bdd06ec45b12ee6d7`
		`@@ -0,0 +1 @@`
							`o5Ö¦Íß*òþk‚¼¾I¦BîÜr<C39C>Œ´<C592>6@hün5Ø`
		`@@ -0,0 +1,2 @@`
							’Ìnç‰á~Á>hì`£aÿ*‘Ú#ÒÒh‹å4ò,>«ôÓ„ì÷9&†…%´c,¤tNØR‰“5sŠq
							`˜°+$úd!E½Í·‘3£y£<79>3Ÿ\|#Ù2ÒÈ„¬ÜºÕLÍ^é¢L9ÊApØîfDV<44>kX´¨^æeh\É£H«~y ÆµýdÀK½I\€óf>I5EÿcÛ,‹I+s<>`
		`@@ -0,0 +1 @@`
							`ME4CAQAwEAYHKoZIzj0CAQYFK4EEACIENzA1AgEBBDA/BgxBUzJUc3MfZVBIdPTbQfIdf4SABYZJlno8rUPkhBRrK3VkpEhyGdviYUPViz4=`
		`@@ -0,0 +1 @@`
							`MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEVHteuMnscItIHycwEZ80P44WyIWmL7PmeN6HLRAu8IJsLKX6BTDawN0MezskF68oQ9Ft7zy2u4v2aaYB4tgUv+0YG7zEwFr0ofqSqFFPSLr0qrVRvXi/H7Bux8tYVgaN`
		`@@ -0,0 +1 @@`
							`MGQCMHq04CPgDiSaWPXb3LiuBrb97aV4JjinA5gIuEIFjFYLD1jYdECBdV/aHLLYsyMYnAIwedsP6qJKK4Y2uLgn3XLxbHgDKxf+eq07Rptmn/LttHTpWjtTfaLERM+Uh2BUGmMt`
		`@@ -0,0 +1 @@`
							`java VerifyECDSA.java "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEnSgO/uuSq9QHH/rrnSgXeQTKPMI8tjLhyJzevl9fLQZW/zXuHk9iThiKY/c2k52quUby3czAwL2l2HaRqcBXEg==" "MEUCIAzRvK3CNFqMTZxIgMd1uQ/XybtRKXFht9S4q8qUy/IbAiEA7EcFYuRbViVC/zzIRW78HekjRHZVn3DjHVUcKyJ5sXw=" "hello world"`
		`@@ -0,0 +1,3 @@`
							A potential strategy is to use a password manager, like Proton Pass, that encrypts all of your passwords when they are uploaded to the cloud. With this approach, you have to remember one password for your password manager and get a really convenient solution that won't break down even if the provider were to be compromised (as in the service itself). With a good recovery strategy like keeping something like a recovery token in a secure place in your house, you can make sure you never lose access to your password manager.

							This approach of course has downsides, if the password you use for the password manager is weak, you are still an easy target. Like you would be with 1 or 2, but you would still have a recovery method. Compared to 7 however, you still never have a way of knowing your passwords without authenticating with the provider you're using. On top of that, keeping the recovery token at home makes you vulnerable to physical attacks similar to 3 or 4. These attacks are usually a hard thing to perform though, so I think it's still better than using a cloud password manager or one provided by your operating system.