17db96d56Sopenharmony_ci:mod:`hashlib` --- Secure hashes and message digests 27db96d56Sopenharmony_ci==================================================== 37db96d56Sopenharmony_ci 47db96d56Sopenharmony_ci.. module:: hashlib 57db96d56Sopenharmony_ci :synopsis: Secure hash and message digest algorithms. 67db96d56Sopenharmony_ci 77db96d56Sopenharmony_ci.. moduleauthor:: Gregory P. Smith <greg@krypto.org> 87db96d56Sopenharmony_ci.. sectionauthor:: Gregory P. Smith <greg@krypto.org> 97db96d56Sopenharmony_ci 107db96d56Sopenharmony_ci**Source code:** :source:`Lib/hashlib.py` 117db96d56Sopenharmony_ci 127db96d56Sopenharmony_ci.. index:: 137db96d56Sopenharmony_ci single: message digest, MD5 147db96d56Sopenharmony_ci single: secure hash algorithm, SHA1, SHA224, SHA256, SHA384, SHA512 157db96d56Sopenharmony_ci 167db96d56Sopenharmony_ci.. testsetup:: 177db96d56Sopenharmony_ci 187db96d56Sopenharmony_ci import hashlib 197db96d56Sopenharmony_ci 207db96d56Sopenharmony_ci 217db96d56Sopenharmony_ci-------------- 227db96d56Sopenharmony_ci 237db96d56Sopenharmony_ciThis module implements a common interface to many different secure hash and 247db96d56Sopenharmony_cimessage digest algorithms. Included are the FIPS secure hash algorithms SHA1, 257db96d56Sopenharmony_ciSHA224, SHA256, SHA384, and SHA512 (defined in FIPS 180-2) as well as RSA's MD5 267db96d56Sopenharmony_cialgorithm (defined in internet :rfc:`1321`). The terms "secure hash" and 277db96d56Sopenharmony_ci"message digest" are interchangeable. Older algorithms were called message 287db96d56Sopenharmony_cidigests. The modern term is secure hash. 297db96d56Sopenharmony_ci 307db96d56Sopenharmony_ci.. note:: 317db96d56Sopenharmony_ci 327db96d56Sopenharmony_ci If you want the adler32 or crc32 hash functions, they are available in 337db96d56Sopenharmony_ci the :mod:`zlib` module. 347db96d56Sopenharmony_ci 357db96d56Sopenharmony_ci.. warning:: 367db96d56Sopenharmony_ci 377db96d56Sopenharmony_ci Some algorithms have known hash collision weaknesses, refer to the "See 387db96d56Sopenharmony_ci also" section at the end. 397db96d56Sopenharmony_ci 407db96d56Sopenharmony_ci 417db96d56Sopenharmony_ci.. _hash-algorithms: 427db96d56Sopenharmony_ci 437db96d56Sopenharmony_ciHash algorithms 447db96d56Sopenharmony_ci--------------- 457db96d56Sopenharmony_ci 467db96d56Sopenharmony_ciThere is one constructor method named for each type of :dfn:`hash`. All return 477db96d56Sopenharmony_cia hash object with the same simple interface. For example: use :func:`sha256` to 487db96d56Sopenharmony_cicreate a SHA-256 hash object. You can now feed this object with :term:`bytes-like 497db96d56Sopenharmony_ciobjects <bytes-like object>` (normally :class:`bytes`) using the :meth:`update` method. 507db96d56Sopenharmony_ciAt any point you can ask it for the :dfn:`digest` of the 517db96d56Sopenharmony_ciconcatenation of the data fed to it so far using the :meth:`digest` or 527db96d56Sopenharmony_ci:meth:`hexdigest` methods. 537db96d56Sopenharmony_ci 547db96d56Sopenharmony_ci.. note:: 557db96d56Sopenharmony_ci 567db96d56Sopenharmony_ci For better multithreading performance, the Python :term:`GIL` is released for 577db96d56Sopenharmony_ci data larger than 2047 bytes at object creation or on update. 587db96d56Sopenharmony_ci 597db96d56Sopenharmony_ci.. note:: 607db96d56Sopenharmony_ci 617db96d56Sopenharmony_ci Feeding string objects into :meth:`update` is not supported, as hashes work 627db96d56Sopenharmony_ci on bytes, not on characters. 637db96d56Sopenharmony_ci 647db96d56Sopenharmony_ci.. index:: single: OpenSSL; (use in module hashlib) 657db96d56Sopenharmony_ci 667db96d56Sopenharmony_ciConstructors for hash algorithms that are always present in this module are 677db96d56Sopenharmony_ci:func:`sha1`, :func:`sha224`, :func:`sha256`, :func:`sha384`, 687db96d56Sopenharmony_ci:func:`sha512`, :func:`blake2b`, and :func:`blake2s`. 697db96d56Sopenharmony_ci:func:`md5` is normally available as well, though it 707db96d56Sopenharmony_cimay be missing or blocked if you are using a rare "FIPS compliant" build of Python. 717db96d56Sopenharmony_ciAdditional algorithms may also be available depending upon the OpenSSL 727db96d56Sopenharmony_cilibrary that Python uses on your platform. On most platforms the 737db96d56Sopenharmony_ci:func:`sha3_224`, :func:`sha3_256`, :func:`sha3_384`, :func:`sha3_512`, 747db96d56Sopenharmony_ci:func:`shake_128`, :func:`shake_256` are also available. 757db96d56Sopenharmony_ci 767db96d56Sopenharmony_ci.. versionadded:: 3.6 777db96d56Sopenharmony_ci SHA3 (Keccak) and SHAKE constructors :func:`sha3_224`, :func:`sha3_256`, 787db96d56Sopenharmony_ci :func:`sha3_384`, :func:`sha3_512`, :func:`shake_128`, :func:`shake_256`. 797db96d56Sopenharmony_ci 807db96d56Sopenharmony_ci.. versionadded:: 3.6 817db96d56Sopenharmony_ci :func:`blake2b` and :func:`blake2s` were added. 827db96d56Sopenharmony_ci 837db96d56Sopenharmony_ci.. _hashlib-usedforsecurity: 847db96d56Sopenharmony_ci 857db96d56Sopenharmony_ci.. versionchanged:: 3.9 867db96d56Sopenharmony_ci All hashlib constructors take a keyword-only argument *usedforsecurity* 877db96d56Sopenharmony_ci with default value ``True``. A false value allows the use of insecure and 887db96d56Sopenharmony_ci blocked hashing algorithms in restricted environments. ``False`` indicates 897db96d56Sopenharmony_ci that the hashing algorithm is not used in a security context, e.g. as a 907db96d56Sopenharmony_ci non-cryptographic one-way compression function. 917db96d56Sopenharmony_ci 927db96d56Sopenharmony_ci Hashlib now uses SHA3 and SHAKE from OpenSSL 1.1.1 and newer. 937db96d56Sopenharmony_ci 947db96d56Sopenharmony_ciFor example, to obtain the digest of the byte string ``b"Nobody inspects the 957db96d56Sopenharmony_cispammish repetition"``:: 967db96d56Sopenharmony_ci 977db96d56Sopenharmony_ci >>> import hashlib 987db96d56Sopenharmony_ci >>> m = hashlib.sha256() 997db96d56Sopenharmony_ci >>> m.update(b"Nobody inspects") 1007db96d56Sopenharmony_ci >>> m.update(b" the spammish repetition") 1017db96d56Sopenharmony_ci >>> m.digest() 1027db96d56Sopenharmony_ci b'\x03\x1e\xdd}Ae\x15\x93\xc5\xfe\\\x00o\xa5u+7\xfd\xdf\xf7\xbcN\x84:\xa6\xaf\x0c\x95\x0fK\x94\x06' 1037db96d56Sopenharmony_ci >>> m.hexdigest() 1047db96d56Sopenharmony_ci '031edd7d41651593c5fe5c006fa5752b37fddff7bc4e843aa6af0c950f4b9406' 1057db96d56Sopenharmony_ci 1067db96d56Sopenharmony_ciMore condensed: 1077db96d56Sopenharmony_ci 1087db96d56Sopenharmony_ci >>> hashlib.sha256(b"Nobody inspects the spammish repetition").hexdigest() 1097db96d56Sopenharmony_ci '031edd7d41651593c5fe5c006fa5752b37fddff7bc4e843aa6af0c950f4b9406' 1107db96d56Sopenharmony_ci 1117db96d56Sopenharmony_ci.. function:: new(name[, data], *, usedforsecurity=True) 1127db96d56Sopenharmony_ci 1137db96d56Sopenharmony_ci Is a generic constructor that takes the string *name* of the desired 1147db96d56Sopenharmony_ci algorithm as its first parameter. It also exists to allow access to the 1157db96d56Sopenharmony_ci above listed hashes as well as any other algorithms that your OpenSSL 1167db96d56Sopenharmony_ci library may offer. The named constructors are much faster than :func:`new` 1177db96d56Sopenharmony_ci and should be preferred. 1187db96d56Sopenharmony_ci 1197db96d56Sopenharmony_ciUsing :func:`new` with an algorithm provided by OpenSSL: 1207db96d56Sopenharmony_ci 1217db96d56Sopenharmony_ci >>> h = hashlib.new('sha256') 1227db96d56Sopenharmony_ci >>> h.update(b"Nobody inspects the spammish repetition") 1237db96d56Sopenharmony_ci >>> h.hexdigest() 1247db96d56Sopenharmony_ci '031edd7d41651593c5fe5c006fa5752b37fddff7bc4e843aa6af0c950f4b9406' 1257db96d56Sopenharmony_ci 1267db96d56Sopenharmony_ciHashlib provides the following constant attributes: 1277db96d56Sopenharmony_ci 1287db96d56Sopenharmony_ci.. data:: algorithms_guaranteed 1297db96d56Sopenharmony_ci 1307db96d56Sopenharmony_ci A set containing the names of the hash algorithms guaranteed to be supported 1317db96d56Sopenharmony_ci by this module on all platforms. Note that 'md5' is in this list despite 1327db96d56Sopenharmony_ci some upstream vendors offering an odd "FIPS compliant" Python build that 1337db96d56Sopenharmony_ci excludes it. 1347db96d56Sopenharmony_ci 1357db96d56Sopenharmony_ci .. versionadded:: 3.2 1367db96d56Sopenharmony_ci 1377db96d56Sopenharmony_ci.. data:: algorithms_available 1387db96d56Sopenharmony_ci 1397db96d56Sopenharmony_ci A set containing the names of the hash algorithms that are available in the 1407db96d56Sopenharmony_ci running Python interpreter. These names will be recognized when passed to 1417db96d56Sopenharmony_ci :func:`new`. :attr:`algorithms_guaranteed` will always be a subset. The 1427db96d56Sopenharmony_ci same algorithm may appear multiple times in this set under different names 1437db96d56Sopenharmony_ci (thanks to OpenSSL). 1447db96d56Sopenharmony_ci 1457db96d56Sopenharmony_ci .. versionadded:: 3.2 1467db96d56Sopenharmony_ci 1477db96d56Sopenharmony_ciThe following values are provided as constant attributes of the hash objects 1487db96d56Sopenharmony_cireturned by the constructors: 1497db96d56Sopenharmony_ci 1507db96d56Sopenharmony_ci 1517db96d56Sopenharmony_ci.. data:: hash.digest_size 1527db96d56Sopenharmony_ci 1537db96d56Sopenharmony_ci The size of the resulting hash in bytes. 1547db96d56Sopenharmony_ci 1557db96d56Sopenharmony_ci.. data:: hash.block_size 1567db96d56Sopenharmony_ci 1577db96d56Sopenharmony_ci The internal block size of the hash algorithm in bytes. 1587db96d56Sopenharmony_ci 1597db96d56Sopenharmony_ciA hash object has the following attributes: 1607db96d56Sopenharmony_ci 1617db96d56Sopenharmony_ci.. attribute:: hash.name 1627db96d56Sopenharmony_ci 1637db96d56Sopenharmony_ci The canonical name of this hash, always lowercase and always suitable as a 1647db96d56Sopenharmony_ci parameter to :func:`new` to create another hash of this type. 1657db96d56Sopenharmony_ci 1667db96d56Sopenharmony_ci .. versionchanged:: 3.4 1677db96d56Sopenharmony_ci The name attribute has been present in CPython since its inception, but 1687db96d56Sopenharmony_ci until Python 3.4 was not formally specified, so may not exist on some 1697db96d56Sopenharmony_ci platforms. 1707db96d56Sopenharmony_ci 1717db96d56Sopenharmony_ciA hash object has the following methods: 1727db96d56Sopenharmony_ci 1737db96d56Sopenharmony_ci 1747db96d56Sopenharmony_ci.. method:: hash.update(data) 1757db96d56Sopenharmony_ci 1767db96d56Sopenharmony_ci Update the hash object with the :term:`bytes-like object`. 1777db96d56Sopenharmony_ci Repeated calls are equivalent to a single call with the 1787db96d56Sopenharmony_ci concatenation of all the arguments: ``m.update(a); m.update(b)`` is 1797db96d56Sopenharmony_ci equivalent to ``m.update(a+b)``. 1807db96d56Sopenharmony_ci 1817db96d56Sopenharmony_ci .. versionchanged:: 3.1 1827db96d56Sopenharmony_ci The Python GIL is released to allow other threads to run while hash 1837db96d56Sopenharmony_ci updates on data larger than 2047 bytes is taking place when using hash 1847db96d56Sopenharmony_ci algorithms supplied by OpenSSL. 1857db96d56Sopenharmony_ci 1867db96d56Sopenharmony_ci 1877db96d56Sopenharmony_ci.. method:: hash.digest() 1887db96d56Sopenharmony_ci 1897db96d56Sopenharmony_ci Return the digest of the data passed to the :meth:`update` method so far. 1907db96d56Sopenharmony_ci This is a bytes object of size :attr:`digest_size` which may contain bytes in 1917db96d56Sopenharmony_ci the whole range from 0 to 255. 1927db96d56Sopenharmony_ci 1937db96d56Sopenharmony_ci 1947db96d56Sopenharmony_ci.. method:: hash.hexdigest() 1957db96d56Sopenharmony_ci 1967db96d56Sopenharmony_ci Like :meth:`digest` except the digest is returned as a string object of 1977db96d56Sopenharmony_ci double length, containing only hexadecimal digits. This may be used to 1987db96d56Sopenharmony_ci exchange the value safely in email or other non-binary environments. 1997db96d56Sopenharmony_ci 2007db96d56Sopenharmony_ci 2017db96d56Sopenharmony_ci.. method:: hash.copy() 2027db96d56Sopenharmony_ci 2037db96d56Sopenharmony_ci Return a copy ("clone") of the hash object. This can be used to efficiently 2047db96d56Sopenharmony_ci compute the digests of data sharing a common initial substring. 2057db96d56Sopenharmony_ci 2067db96d56Sopenharmony_ci 2077db96d56Sopenharmony_ciSHAKE variable length digests 2087db96d56Sopenharmony_ci----------------------------- 2097db96d56Sopenharmony_ci 2107db96d56Sopenharmony_ciThe :func:`shake_128` and :func:`shake_256` algorithms provide variable 2117db96d56Sopenharmony_cilength digests with length_in_bits//2 up to 128 or 256 bits of security. 2127db96d56Sopenharmony_ciAs such, their digest methods require a length. Maximum length is not limited 2137db96d56Sopenharmony_ciby the SHAKE algorithm. 2147db96d56Sopenharmony_ci 2157db96d56Sopenharmony_ci.. method:: shake.digest(length) 2167db96d56Sopenharmony_ci 2177db96d56Sopenharmony_ci Return the digest of the data passed to the :meth:`update` method so far. 2187db96d56Sopenharmony_ci This is a bytes object of size *length* which may contain bytes in 2197db96d56Sopenharmony_ci the whole range from 0 to 255. 2207db96d56Sopenharmony_ci 2217db96d56Sopenharmony_ci 2227db96d56Sopenharmony_ci.. method:: shake.hexdigest(length) 2237db96d56Sopenharmony_ci 2247db96d56Sopenharmony_ci Like :meth:`digest` except the digest is returned as a string object of 2257db96d56Sopenharmony_ci double length, containing only hexadecimal digits. This may be used to 2267db96d56Sopenharmony_ci exchange the value safely in email or other non-binary environments. 2277db96d56Sopenharmony_ci 2287db96d56Sopenharmony_ci 2297db96d56Sopenharmony_ciFile hashing 2307db96d56Sopenharmony_ci------------ 2317db96d56Sopenharmony_ci 2327db96d56Sopenharmony_ciThe hashlib module provides a helper function for efficient hashing of 2337db96d56Sopenharmony_cia file or file-like object. 2347db96d56Sopenharmony_ci 2357db96d56Sopenharmony_ci.. function:: file_digest(fileobj, digest, /) 2367db96d56Sopenharmony_ci 2377db96d56Sopenharmony_ci Return a digest object that has been updated with contents of file object. 2387db96d56Sopenharmony_ci 2397db96d56Sopenharmony_ci *fileobj* must be a file-like object opened for reading in binary mode. 2407db96d56Sopenharmony_ci It accepts file objects from builtin :func:`open`, :class:`~io.BytesIO` 2417db96d56Sopenharmony_ci instances, SocketIO objects from :meth:`socket.socket.makefile`, and 2427db96d56Sopenharmony_ci similar. The function may bypass Python's I/O and use the file descriptor 2437db96d56Sopenharmony_ci from :meth:`~io.IOBase.fileno` directly. *fileobj* must be assumed to be 2447db96d56Sopenharmony_ci in an unknown state after this function returns or raises. It is up to 2457db96d56Sopenharmony_ci the caller to close *fileobj*. 2467db96d56Sopenharmony_ci 2477db96d56Sopenharmony_ci *digest* must either be a hash algorithm name as a *str*, a hash 2487db96d56Sopenharmony_ci constructor, or a callable that returns a hash object. 2497db96d56Sopenharmony_ci 2507db96d56Sopenharmony_ci Example: 2517db96d56Sopenharmony_ci 2527db96d56Sopenharmony_ci >>> import io, hashlib, hmac 2537db96d56Sopenharmony_ci >>> with open(hashlib.__file__, "rb") as f: 2547db96d56Sopenharmony_ci ... digest = hashlib.file_digest(f, "sha256") 2557db96d56Sopenharmony_ci ... 2567db96d56Sopenharmony_ci >>> digest.hexdigest() # doctest: +ELLIPSIS 2577db96d56Sopenharmony_ci '...' 2587db96d56Sopenharmony_ci 2597db96d56Sopenharmony_ci >>> buf = io.BytesIO(b"somedata") 2607db96d56Sopenharmony_ci >>> mac1 = hmac.HMAC(b"key", digestmod=hashlib.sha512) 2617db96d56Sopenharmony_ci >>> digest = hashlib.file_digest(buf, lambda: mac1) 2627db96d56Sopenharmony_ci 2637db96d56Sopenharmony_ci >>> digest is mac1 2647db96d56Sopenharmony_ci True 2657db96d56Sopenharmony_ci >>> mac2 = hmac.HMAC(b"key", b"somedata", digestmod=hashlib.sha512) 2667db96d56Sopenharmony_ci >>> mac1.digest() == mac2.digest() 2677db96d56Sopenharmony_ci True 2687db96d56Sopenharmony_ci 2697db96d56Sopenharmony_ci .. versionadded:: 3.11 2707db96d56Sopenharmony_ci 2717db96d56Sopenharmony_ci 2727db96d56Sopenharmony_ciKey derivation 2737db96d56Sopenharmony_ci-------------- 2747db96d56Sopenharmony_ci 2757db96d56Sopenharmony_ciKey derivation and key stretching algorithms are designed for secure password 2767db96d56Sopenharmony_cihashing. Naive algorithms such as ``sha1(password)`` are not resistant against 2777db96d56Sopenharmony_cibrute-force attacks. A good password hashing function must be tunable, slow, and 2787db96d56Sopenharmony_ciinclude a `salt <https://en.wikipedia.org/wiki/Salt_%28cryptography%29>`_. 2797db96d56Sopenharmony_ci 2807db96d56Sopenharmony_ci 2817db96d56Sopenharmony_ci.. function:: pbkdf2_hmac(hash_name, password, salt, iterations, dklen=None) 2827db96d56Sopenharmony_ci 2837db96d56Sopenharmony_ci The function provides PKCS#5 password-based key derivation function 2. It 2847db96d56Sopenharmony_ci uses HMAC as pseudorandom function. 2857db96d56Sopenharmony_ci 2867db96d56Sopenharmony_ci The string *hash_name* is the desired name of the hash digest algorithm for 2877db96d56Sopenharmony_ci HMAC, e.g. 'sha1' or 'sha256'. *password* and *salt* are interpreted as 2887db96d56Sopenharmony_ci buffers of bytes. Applications and libraries should limit *password* to 2897db96d56Sopenharmony_ci a sensible length (e.g. 1024). *salt* should be about 16 or more bytes from 2907db96d56Sopenharmony_ci a proper source, e.g. :func:`os.urandom`. 2917db96d56Sopenharmony_ci 2927db96d56Sopenharmony_ci The number of *iterations* should be chosen based on the hash algorithm and 2937db96d56Sopenharmony_ci computing power. As of 2022, hundreds of thousands of iterations of SHA-256 2947db96d56Sopenharmony_ci are suggested. For rationale as to why and how to choose what is best for 2957db96d56Sopenharmony_ci your application, read *Appendix A.2.2* of NIST-SP-800-132_. The answers 2967db96d56Sopenharmony_ci on the `stackexchange pbkdf2 iterations question`_ explain in detail. 2977db96d56Sopenharmony_ci 2987db96d56Sopenharmony_ci *dklen* is the length of the derived key. If *dklen* is ``None`` then the 2997db96d56Sopenharmony_ci digest size of the hash algorithm *hash_name* is used, e.g. 64 for SHA-512. 3007db96d56Sopenharmony_ci 3017db96d56Sopenharmony_ci >>> from hashlib import pbkdf2_hmac 3027db96d56Sopenharmony_ci >>> our_app_iters = 500_000 # Application specific, read above. 3037db96d56Sopenharmony_ci >>> dk = pbkdf2_hmac('sha256', b'password', b'bad salt'*2, our_app_iters) 3047db96d56Sopenharmony_ci >>> dk.hex() 3057db96d56Sopenharmony_ci '15530bba69924174860db778f2c6f8104d3aaf9d26241840c8c4a641c8d000a9' 3067db96d56Sopenharmony_ci 3077db96d56Sopenharmony_ci .. versionadded:: 3.4 3087db96d56Sopenharmony_ci 3097db96d56Sopenharmony_ci .. note:: 3107db96d56Sopenharmony_ci 3117db96d56Sopenharmony_ci A fast implementation of *pbkdf2_hmac* is available with OpenSSL. The 3127db96d56Sopenharmony_ci Python implementation uses an inline version of :mod:`hmac`. It is about 3137db96d56Sopenharmony_ci three times slower and doesn't release the GIL. 3147db96d56Sopenharmony_ci 3157db96d56Sopenharmony_ci .. deprecated:: 3.10 3167db96d56Sopenharmony_ci 3177db96d56Sopenharmony_ci Slow Python implementation of *pbkdf2_hmac* is deprecated. In the 3187db96d56Sopenharmony_ci future the function will only be available when Python is compiled 3197db96d56Sopenharmony_ci with OpenSSL. 3207db96d56Sopenharmony_ci 3217db96d56Sopenharmony_ci.. function:: scrypt(password, *, salt, n, r, p, maxmem=0, dklen=64) 3227db96d56Sopenharmony_ci 3237db96d56Sopenharmony_ci The function provides scrypt password-based key derivation function as 3247db96d56Sopenharmony_ci defined in :rfc:`7914`. 3257db96d56Sopenharmony_ci 3267db96d56Sopenharmony_ci *password* and *salt* must be :term:`bytes-like objects 3277db96d56Sopenharmony_ci <bytes-like object>`. Applications and libraries should limit *password* 3287db96d56Sopenharmony_ci to a sensible length (e.g. 1024). *salt* should be about 16 or more 3297db96d56Sopenharmony_ci bytes from a proper source, e.g. :func:`os.urandom`. 3307db96d56Sopenharmony_ci 3317db96d56Sopenharmony_ci *n* is the CPU/Memory cost factor, *r* the block size, *p* parallelization 3327db96d56Sopenharmony_ci factor and *maxmem* limits memory (OpenSSL 1.1.0 defaults to 32 MiB). 3337db96d56Sopenharmony_ci *dklen* is the length of the derived key. 3347db96d56Sopenharmony_ci 3357db96d56Sopenharmony_ci .. versionadded:: 3.6 3367db96d56Sopenharmony_ci 3377db96d56Sopenharmony_ci 3387db96d56Sopenharmony_ciBLAKE2 3397db96d56Sopenharmony_ci------ 3407db96d56Sopenharmony_ci 3417db96d56Sopenharmony_ci.. sectionauthor:: Dmitry Chestnykh 3427db96d56Sopenharmony_ci 3437db96d56Sopenharmony_ci.. index:: 3447db96d56Sopenharmony_ci single: blake2b, blake2s 3457db96d56Sopenharmony_ci 3467db96d56Sopenharmony_ciBLAKE2_ is a cryptographic hash function defined in :rfc:`7693` that comes in two 3477db96d56Sopenharmony_ciflavors: 3487db96d56Sopenharmony_ci 3497db96d56Sopenharmony_ci* **BLAKE2b**, optimized for 64-bit platforms and produces digests of any size 3507db96d56Sopenharmony_ci between 1 and 64 bytes, 3517db96d56Sopenharmony_ci 3527db96d56Sopenharmony_ci* **BLAKE2s**, optimized for 8- to 32-bit platforms and produces digests of any 3537db96d56Sopenharmony_ci size between 1 and 32 bytes. 3547db96d56Sopenharmony_ci 3557db96d56Sopenharmony_ciBLAKE2 supports **keyed mode** (a faster and simpler replacement for HMAC_), 3567db96d56Sopenharmony_ci**salted hashing**, **personalization**, and **tree hashing**. 3577db96d56Sopenharmony_ci 3587db96d56Sopenharmony_ciHash objects from this module follow the API of standard library's 3597db96d56Sopenharmony_ci:mod:`hashlib` objects. 3607db96d56Sopenharmony_ci 3617db96d56Sopenharmony_ci 3627db96d56Sopenharmony_ciCreating hash objects 3637db96d56Sopenharmony_ci^^^^^^^^^^^^^^^^^^^^^ 3647db96d56Sopenharmony_ci 3657db96d56Sopenharmony_ciNew hash objects are created by calling constructor functions: 3667db96d56Sopenharmony_ci 3677db96d56Sopenharmony_ci 3687db96d56Sopenharmony_ci.. function:: blake2b(data=b'', *, digest_size=64, key=b'', salt=b'', \ 3697db96d56Sopenharmony_ci person=b'', fanout=1, depth=1, leaf_size=0, node_offset=0, \ 3707db96d56Sopenharmony_ci node_depth=0, inner_size=0, last_node=False, \ 3717db96d56Sopenharmony_ci usedforsecurity=True) 3727db96d56Sopenharmony_ci 3737db96d56Sopenharmony_ci.. function:: blake2s(data=b'', *, digest_size=32, key=b'', salt=b'', \ 3747db96d56Sopenharmony_ci person=b'', fanout=1, depth=1, leaf_size=0, node_offset=0, \ 3757db96d56Sopenharmony_ci node_depth=0, inner_size=0, last_node=False, \ 3767db96d56Sopenharmony_ci usedforsecurity=True) 3777db96d56Sopenharmony_ci 3787db96d56Sopenharmony_ci 3797db96d56Sopenharmony_ciThese functions return the corresponding hash objects for calculating 3807db96d56Sopenharmony_ciBLAKE2b or BLAKE2s. They optionally take these general parameters: 3817db96d56Sopenharmony_ci 3827db96d56Sopenharmony_ci* *data*: initial chunk of data to hash, which must be 3837db96d56Sopenharmony_ci :term:`bytes-like object`. It can be passed only as positional argument. 3847db96d56Sopenharmony_ci 3857db96d56Sopenharmony_ci* *digest_size*: size of output digest in bytes. 3867db96d56Sopenharmony_ci 3877db96d56Sopenharmony_ci* *key*: key for keyed hashing (up to 64 bytes for BLAKE2b, up to 32 bytes for 3887db96d56Sopenharmony_ci BLAKE2s). 3897db96d56Sopenharmony_ci 3907db96d56Sopenharmony_ci* *salt*: salt for randomized hashing (up to 16 bytes for BLAKE2b, up to 8 3917db96d56Sopenharmony_ci bytes for BLAKE2s). 3927db96d56Sopenharmony_ci 3937db96d56Sopenharmony_ci* *person*: personalization string (up to 16 bytes for BLAKE2b, up to 8 bytes 3947db96d56Sopenharmony_ci for BLAKE2s). 3957db96d56Sopenharmony_ci 3967db96d56Sopenharmony_ciThe following table shows limits for general parameters (in bytes): 3977db96d56Sopenharmony_ci 3987db96d56Sopenharmony_ci======= =========== ======== ========= =========== 3997db96d56Sopenharmony_ciHash digest_size len(key) len(salt) len(person) 4007db96d56Sopenharmony_ci======= =========== ======== ========= =========== 4017db96d56Sopenharmony_ciBLAKE2b 64 64 16 16 4027db96d56Sopenharmony_ciBLAKE2s 32 32 8 8 4037db96d56Sopenharmony_ci======= =========== ======== ========= =========== 4047db96d56Sopenharmony_ci 4057db96d56Sopenharmony_ci.. note:: 4067db96d56Sopenharmony_ci 4077db96d56Sopenharmony_ci BLAKE2 specification defines constant lengths for salt and personalization 4087db96d56Sopenharmony_ci parameters, however, for convenience, this implementation accepts byte 4097db96d56Sopenharmony_ci strings of any size up to the specified length. If the length of the 4107db96d56Sopenharmony_ci parameter is less than specified, it is padded with zeros, thus, for 4117db96d56Sopenharmony_ci example, ``b'salt'`` and ``b'salt\x00'`` is the same value. (This is not 4127db96d56Sopenharmony_ci the case for *key*.) 4137db96d56Sopenharmony_ci 4147db96d56Sopenharmony_ciThese sizes are available as module `constants`_ described below. 4157db96d56Sopenharmony_ci 4167db96d56Sopenharmony_ciConstructor functions also accept the following tree hashing parameters: 4177db96d56Sopenharmony_ci 4187db96d56Sopenharmony_ci* *fanout*: fanout (0 to 255, 0 if unlimited, 1 in sequential mode). 4197db96d56Sopenharmony_ci 4207db96d56Sopenharmony_ci* *depth*: maximal depth of tree (1 to 255, 255 if unlimited, 1 in 4217db96d56Sopenharmony_ci sequential mode). 4227db96d56Sopenharmony_ci 4237db96d56Sopenharmony_ci* *leaf_size*: maximal byte length of leaf (0 to ``2**32-1``, 0 if unlimited or in 4247db96d56Sopenharmony_ci sequential mode). 4257db96d56Sopenharmony_ci 4267db96d56Sopenharmony_ci* *node_offset*: node offset (0 to ``2**64-1`` for BLAKE2b, 0 to ``2**48-1`` for 4277db96d56Sopenharmony_ci BLAKE2s, 0 for the first, leftmost, leaf, or in sequential mode). 4287db96d56Sopenharmony_ci 4297db96d56Sopenharmony_ci* *node_depth*: node depth (0 to 255, 0 for leaves, or in sequential mode). 4307db96d56Sopenharmony_ci 4317db96d56Sopenharmony_ci* *inner_size*: inner digest size (0 to 64 for BLAKE2b, 0 to 32 for 4327db96d56Sopenharmony_ci BLAKE2s, 0 in sequential mode). 4337db96d56Sopenharmony_ci 4347db96d56Sopenharmony_ci* *last_node*: boolean indicating whether the processed node is the last 4357db96d56Sopenharmony_ci one (``False`` for sequential mode). 4367db96d56Sopenharmony_ci 4377db96d56Sopenharmony_ci.. figure:: hashlib-blake2-tree.png 4387db96d56Sopenharmony_ci :alt: Explanation of tree mode parameters. 4397db96d56Sopenharmony_ci :class: invert-in-dark-mode 4407db96d56Sopenharmony_ci 4417db96d56Sopenharmony_ciSee section 2.10 in `BLAKE2 specification 4427db96d56Sopenharmony_ci<https://www.blake2.net/blake2_20130129.pdf>`_ for comprehensive review of tree 4437db96d56Sopenharmony_cihashing. 4447db96d56Sopenharmony_ci 4457db96d56Sopenharmony_ci 4467db96d56Sopenharmony_ciConstants 4477db96d56Sopenharmony_ci^^^^^^^^^ 4487db96d56Sopenharmony_ci 4497db96d56Sopenharmony_ci.. data:: blake2b.SALT_SIZE 4507db96d56Sopenharmony_ci.. data:: blake2s.SALT_SIZE 4517db96d56Sopenharmony_ci 4527db96d56Sopenharmony_ciSalt length (maximum length accepted by constructors). 4537db96d56Sopenharmony_ci 4547db96d56Sopenharmony_ci 4557db96d56Sopenharmony_ci.. data:: blake2b.PERSON_SIZE 4567db96d56Sopenharmony_ci.. data:: blake2s.PERSON_SIZE 4577db96d56Sopenharmony_ci 4587db96d56Sopenharmony_ciPersonalization string length (maximum length accepted by constructors). 4597db96d56Sopenharmony_ci 4607db96d56Sopenharmony_ci 4617db96d56Sopenharmony_ci.. data:: blake2b.MAX_KEY_SIZE 4627db96d56Sopenharmony_ci.. data:: blake2s.MAX_KEY_SIZE 4637db96d56Sopenharmony_ci 4647db96d56Sopenharmony_ciMaximum key size. 4657db96d56Sopenharmony_ci 4667db96d56Sopenharmony_ci 4677db96d56Sopenharmony_ci.. data:: blake2b.MAX_DIGEST_SIZE 4687db96d56Sopenharmony_ci.. data:: blake2s.MAX_DIGEST_SIZE 4697db96d56Sopenharmony_ci 4707db96d56Sopenharmony_ciMaximum digest size that the hash function can output. 4717db96d56Sopenharmony_ci 4727db96d56Sopenharmony_ci 4737db96d56Sopenharmony_ciExamples 4747db96d56Sopenharmony_ci^^^^^^^^ 4757db96d56Sopenharmony_ci 4767db96d56Sopenharmony_ciSimple hashing 4777db96d56Sopenharmony_ci"""""""""""""" 4787db96d56Sopenharmony_ci 4797db96d56Sopenharmony_ciTo calculate hash of some data, you should first construct a hash object by 4807db96d56Sopenharmony_cicalling the appropriate constructor function (:func:`blake2b` or 4817db96d56Sopenharmony_ci:func:`blake2s`), then update it with the data by calling :meth:`update` on the 4827db96d56Sopenharmony_ciobject, and, finally, get the digest out of the object by calling 4837db96d56Sopenharmony_ci:meth:`digest` (or :meth:`hexdigest` for hex-encoded string). 4847db96d56Sopenharmony_ci 4857db96d56Sopenharmony_ci >>> from hashlib import blake2b 4867db96d56Sopenharmony_ci >>> h = blake2b() 4877db96d56Sopenharmony_ci >>> h.update(b'Hello world') 4887db96d56Sopenharmony_ci >>> h.hexdigest() 4897db96d56Sopenharmony_ci '6ff843ba685842aa82031d3f53c48b66326df7639a63d128974c5c14f31a0f33343a8c65551134ed1ae0f2b0dd2bb495dc81039e3eeb0aa1bb0388bbeac29183' 4907db96d56Sopenharmony_ci 4917db96d56Sopenharmony_ci 4927db96d56Sopenharmony_ciAs a shortcut, you can pass the first chunk of data to update directly to the 4937db96d56Sopenharmony_ciconstructor as the positional argument: 4947db96d56Sopenharmony_ci 4957db96d56Sopenharmony_ci >>> from hashlib import blake2b 4967db96d56Sopenharmony_ci >>> blake2b(b'Hello world').hexdigest() 4977db96d56Sopenharmony_ci '6ff843ba685842aa82031d3f53c48b66326df7639a63d128974c5c14f31a0f33343a8c65551134ed1ae0f2b0dd2bb495dc81039e3eeb0aa1bb0388bbeac29183' 4987db96d56Sopenharmony_ci 4997db96d56Sopenharmony_ciYou can call :meth:`hash.update` as many times as you need to iteratively 5007db96d56Sopenharmony_ciupdate the hash: 5017db96d56Sopenharmony_ci 5027db96d56Sopenharmony_ci >>> from hashlib import blake2b 5037db96d56Sopenharmony_ci >>> items = [b'Hello', b' ', b'world'] 5047db96d56Sopenharmony_ci >>> h = blake2b() 5057db96d56Sopenharmony_ci >>> for item in items: 5067db96d56Sopenharmony_ci ... h.update(item) 5077db96d56Sopenharmony_ci >>> h.hexdigest() 5087db96d56Sopenharmony_ci '6ff843ba685842aa82031d3f53c48b66326df7639a63d128974c5c14f31a0f33343a8c65551134ed1ae0f2b0dd2bb495dc81039e3eeb0aa1bb0388bbeac29183' 5097db96d56Sopenharmony_ci 5107db96d56Sopenharmony_ci 5117db96d56Sopenharmony_ciUsing different digest sizes 5127db96d56Sopenharmony_ci"""""""""""""""""""""""""""" 5137db96d56Sopenharmony_ci 5147db96d56Sopenharmony_ciBLAKE2 has configurable size of digests up to 64 bytes for BLAKE2b and up to 32 5157db96d56Sopenharmony_cibytes for BLAKE2s. For example, to replace SHA-1 with BLAKE2b without changing 5167db96d56Sopenharmony_cithe size of output, we can tell BLAKE2b to produce 20-byte digests: 5177db96d56Sopenharmony_ci 5187db96d56Sopenharmony_ci >>> from hashlib import blake2b 5197db96d56Sopenharmony_ci >>> h = blake2b(digest_size=20) 5207db96d56Sopenharmony_ci >>> h.update(b'Replacing SHA1 with the more secure function') 5217db96d56Sopenharmony_ci >>> h.hexdigest() 5227db96d56Sopenharmony_ci 'd24f26cf8de66472d58d4e1b1774b4c9158b1f4c' 5237db96d56Sopenharmony_ci >>> h.digest_size 5247db96d56Sopenharmony_ci 20 5257db96d56Sopenharmony_ci >>> len(h.digest()) 5267db96d56Sopenharmony_ci 20 5277db96d56Sopenharmony_ci 5287db96d56Sopenharmony_ciHash objects with different digest sizes have completely different outputs 5297db96d56Sopenharmony_ci(shorter hashes are *not* prefixes of longer hashes); BLAKE2b and BLAKE2s 5307db96d56Sopenharmony_ciproduce different outputs even if the output length is the same: 5317db96d56Sopenharmony_ci 5327db96d56Sopenharmony_ci >>> from hashlib import blake2b, blake2s 5337db96d56Sopenharmony_ci >>> blake2b(digest_size=10).hexdigest() 5347db96d56Sopenharmony_ci '6fa1d8fcfd719046d762' 5357db96d56Sopenharmony_ci >>> blake2b(digest_size=11).hexdigest() 5367db96d56Sopenharmony_ci 'eb6ec15daf9546254f0809' 5377db96d56Sopenharmony_ci >>> blake2s(digest_size=10).hexdigest() 5387db96d56Sopenharmony_ci '1bf21a98c78a1c376ae9' 5397db96d56Sopenharmony_ci >>> blake2s(digest_size=11).hexdigest() 5407db96d56Sopenharmony_ci '567004bf96e4a25773ebf4' 5417db96d56Sopenharmony_ci 5427db96d56Sopenharmony_ci 5437db96d56Sopenharmony_ciKeyed hashing 5447db96d56Sopenharmony_ci""""""""""""" 5457db96d56Sopenharmony_ci 5467db96d56Sopenharmony_ciKeyed hashing can be used for authentication as a faster and simpler 5477db96d56Sopenharmony_cireplacement for `Hash-based message authentication code 5487db96d56Sopenharmony_ci<https://en.wikipedia.org/wiki/HMAC>`_ (HMAC). 5497db96d56Sopenharmony_ciBLAKE2 can be securely used in prefix-MAC mode thanks to the 5507db96d56Sopenharmony_ciindifferentiability property inherited from BLAKE. 5517db96d56Sopenharmony_ci 5527db96d56Sopenharmony_ciThis example shows how to get a (hex-encoded) 128-bit authentication code for 5537db96d56Sopenharmony_cimessage ``b'message data'`` with key ``b'pseudorandom key'``:: 5547db96d56Sopenharmony_ci 5557db96d56Sopenharmony_ci >>> from hashlib import blake2b 5567db96d56Sopenharmony_ci >>> h = blake2b(key=b'pseudorandom key', digest_size=16) 5577db96d56Sopenharmony_ci >>> h.update(b'message data') 5587db96d56Sopenharmony_ci >>> h.hexdigest() 5597db96d56Sopenharmony_ci '3d363ff7401e02026f4a4687d4863ced' 5607db96d56Sopenharmony_ci 5617db96d56Sopenharmony_ci 5627db96d56Sopenharmony_ciAs a practical example, a web application can symmetrically sign cookies sent 5637db96d56Sopenharmony_cito users and later verify them to make sure they weren't tampered with:: 5647db96d56Sopenharmony_ci 5657db96d56Sopenharmony_ci >>> from hashlib import blake2b 5667db96d56Sopenharmony_ci >>> from hmac import compare_digest 5677db96d56Sopenharmony_ci >>> 5687db96d56Sopenharmony_ci >>> SECRET_KEY = b'pseudorandomly generated server secret key' 5697db96d56Sopenharmony_ci >>> AUTH_SIZE = 16 5707db96d56Sopenharmony_ci >>> 5717db96d56Sopenharmony_ci >>> def sign(cookie): 5727db96d56Sopenharmony_ci ... h = blake2b(digest_size=AUTH_SIZE, key=SECRET_KEY) 5737db96d56Sopenharmony_ci ... h.update(cookie) 5747db96d56Sopenharmony_ci ... return h.hexdigest().encode('utf-8') 5757db96d56Sopenharmony_ci >>> 5767db96d56Sopenharmony_ci >>> def verify(cookie, sig): 5777db96d56Sopenharmony_ci ... good_sig = sign(cookie) 5787db96d56Sopenharmony_ci ... return compare_digest(good_sig, sig) 5797db96d56Sopenharmony_ci >>> 5807db96d56Sopenharmony_ci >>> cookie = b'user-alice' 5817db96d56Sopenharmony_ci >>> sig = sign(cookie) 5827db96d56Sopenharmony_ci >>> print("{0},{1}".format(cookie.decode('utf-8'), sig)) 5837db96d56Sopenharmony_ci user-alice,b'43b3c982cf697e0c5ab22172d1ca7421' 5847db96d56Sopenharmony_ci >>> verify(cookie, sig) 5857db96d56Sopenharmony_ci True 5867db96d56Sopenharmony_ci >>> verify(b'user-bob', sig) 5877db96d56Sopenharmony_ci False 5887db96d56Sopenharmony_ci >>> verify(cookie, b'0102030405060708090a0b0c0d0e0f00') 5897db96d56Sopenharmony_ci False 5907db96d56Sopenharmony_ci 5917db96d56Sopenharmony_ciEven though there's a native keyed hashing mode, BLAKE2 can, of course, be used 5927db96d56Sopenharmony_ciin HMAC construction with :mod:`hmac` module:: 5937db96d56Sopenharmony_ci 5947db96d56Sopenharmony_ci >>> import hmac, hashlib 5957db96d56Sopenharmony_ci >>> m = hmac.new(b'secret key', digestmod=hashlib.blake2s) 5967db96d56Sopenharmony_ci >>> m.update(b'message') 5977db96d56Sopenharmony_ci >>> m.hexdigest() 5987db96d56Sopenharmony_ci 'e3c8102868d28b5ff85fc35dda07329970d1a01e273c37481326fe0c861c8142' 5997db96d56Sopenharmony_ci 6007db96d56Sopenharmony_ci 6017db96d56Sopenharmony_ciRandomized hashing 6027db96d56Sopenharmony_ci"""""""""""""""""" 6037db96d56Sopenharmony_ci 6047db96d56Sopenharmony_ciBy setting *salt* parameter users can introduce randomization to the hash 6057db96d56Sopenharmony_cifunction. Randomized hashing is useful for protecting against collision attacks 6067db96d56Sopenharmony_cion the hash function used in digital signatures. 6077db96d56Sopenharmony_ci 6087db96d56Sopenharmony_ci Randomized hashing is designed for situations where one party, the message 6097db96d56Sopenharmony_ci preparer, generates all or part of a message to be signed by a second 6107db96d56Sopenharmony_ci party, the message signer. If the message preparer is able to find 6117db96d56Sopenharmony_ci cryptographic hash function collisions (i.e., two messages producing the 6127db96d56Sopenharmony_ci same hash value), then they might prepare meaningful versions of the message 6137db96d56Sopenharmony_ci that would produce the same hash value and digital signature, but with 6147db96d56Sopenharmony_ci different results (e.g., transferring $1,000,000 to an account, rather than 6157db96d56Sopenharmony_ci $10). Cryptographic hash functions have been designed with collision 6167db96d56Sopenharmony_ci resistance as a major goal, but the current concentration on attacking 6177db96d56Sopenharmony_ci cryptographic hash functions may result in a given cryptographic hash 6187db96d56Sopenharmony_ci function providing less collision resistance than expected. Randomized 6197db96d56Sopenharmony_ci hashing offers the signer additional protection by reducing the likelihood 6207db96d56Sopenharmony_ci that a preparer can generate two or more messages that ultimately yield the 6217db96d56Sopenharmony_ci same hash value during the digital signature generation process --- even if 6227db96d56Sopenharmony_ci it is practical to find collisions for the hash function. However, the use 6237db96d56Sopenharmony_ci of randomized hashing may reduce the amount of security provided by a 6247db96d56Sopenharmony_ci digital signature when all portions of the message are prepared 6257db96d56Sopenharmony_ci by the signer. 6267db96d56Sopenharmony_ci 6277db96d56Sopenharmony_ci (`NIST SP-800-106 "Randomized Hashing for Digital Signatures" 6287db96d56Sopenharmony_ci <https://csrc.nist.gov/publications/detail/sp/800-106/archive/2009-02-25>`_) 6297db96d56Sopenharmony_ci 6307db96d56Sopenharmony_ciIn BLAKE2 the salt is processed as a one-time input to the hash function during 6317db96d56Sopenharmony_ciinitialization, rather than as an input to each compression function. 6327db96d56Sopenharmony_ci 6337db96d56Sopenharmony_ci.. warning:: 6347db96d56Sopenharmony_ci 6357db96d56Sopenharmony_ci *Salted hashing* (or just hashing) with BLAKE2 or any other general-purpose 6367db96d56Sopenharmony_ci cryptographic hash function, such as SHA-256, is not suitable for hashing 6377db96d56Sopenharmony_ci passwords. See `BLAKE2 FAQ <https://www.blake2.net/#qa>`_ for more 6387db96d56Sopenharmony_ci information. 6397db96d56Sopenharmony_ci.. 6407db96d56Sopenharmony_ci 6417db96d56Sopenharmony_ci >>> import os 6427db96d56Sopenharmony_ci >>> from hashlib import blake2b 6437db96d56Sopenharmony_ci >>> msg = b'some message' 6447db96d56Sopenharmony_ci >>> # Calculate the first hash with a random salt. 6457db96d56Sopenharmony_ci >>> salt1 = os.urandom(blake2b.SALT_SIZE) 6467db96d56Sopenharmony_ci >>> h1 = blake2b(salt=salt1) 6477db96d56Sopenharmony_ci >>> h1.update(msg) 6487db96d56Sopenharmony_ci >>> # Calculate the second hash with a different random salt. 6497db96d56Sopenharmony_ci >>> salt2 = os.urandom(blake2b.SALT_SIZE) 6507db96d56Sopenharmony_ci >>> h2 = blake2b(salt=salt2) 6517db96d56Sopenharmony_ci >>> h2.update(msg) 6527db96d56Sopenharmony_ci >>> # The digests are different. 6537db96d56Sopenharmony_ci >>> h1.digest() != h2.digest() 6547db96d56Sopenharmony_ci True 6557db96d56Sopenharmony_ci 6567db96d56Sopenharmony_ci 6577db96d56Sopenharmony_ciPersonalization 6587db96d56Sopenharmony_ci""""""""""""""" 6597db96d56Sopenharmony_ci 6607db96d56Sopenharmony_ciSometimes it is useful to force hash function to produce different digests for 6617db96d56Sopenharmony_cithe same input for different purposes. Quoting the authors of the Skein hash 6627db96d56Sopenharmony_cifunction: 6637db96d56Sopenharmony_ci 6647db96d56Sopenharmony_ci We recommend that all application designers seriously consider doing this; 6657db96d56Sopenharmony_ci we have seen many protocols where a hash that is computed in one part of 6667db96d56Sopenharmony_ci the protocol can be used in an entirely different part because two hash 6677db96d56Sopenharmony_ci computations were done on similar or related data, and the attacker can 6687db96d56Sopenharmony_ci force the application to make the hash inputs the same. Personalizing each 6697db96d56Sopenharmony_ci hash function used in the protocol summarily stops this type of attack. 6707db96d56Sopenharmony_ci 6717db96d56Sopenharmony_ci (`The Skein Hash Function Family 6727db96d56Sopenharmony_ci <https://www.schneier.com/wp-content/uploads/2016/02/skein.pdf>`_, 6737db96d56Sopenharmony_ci p. 21) 6747db96d56Sopenharmony_ci 6757db96d56Sopenharmony_ciBLAKE2 can be personalized by passing bytes to the *person* argument:: 6767db96d56Sopenharmony_ci 6777db96d56Sopenharmony_ci >>> from hashlib import blake2b 6787db96d56Sopenharmony_ci >>> FILES_HASH_PERSON = b'MyApp Files Hash' 6797db96d56Sopenharmony_ci >>> BLOCK_HASH_PERSON = b'MyApp Block Hash' 6807db96d56Sopenharmony_ci >>> h = blake2b(digest_size=32, person=FILES_HASH_PERSON) 6817db96d56Sopenharmony_ci >>> h.update(b'the same content') 6827db96d56Sopenharmony_ci >>> h.hexdigest() 6837db96d56Sopenharmony_ci '20d9cd024d4fb086aae819a1432dd2466de12947831b75c5a30cf2676095d3b4' 6847db96d56Sopenharmony_ci >>> h = blake2b(digest_size=32, person=BLOCK_HASH_PERSON) 6857db96d56Sopenharmony_ci >>> h.update(b'the same content') 6867db96d56Sopenharmony_ci >>> h.hexdigest() 6877db96d56Sopenharmony_ci 'cf68fb5761b9c44e7878bfb2c4c9aea52264a80b75005e65619778de59f383a3' 6887db96d56Sopenharmony_ci 6897db96d56Sopenharmony_ciPersonalization together with the keyed mode can also be used to derive different 6907db96d56Sopenharmony_cikeys from a single one. 6917db96d56Sopenharmony_ci 6927db96d56Sopenharmony_ci >>> from hashlib import blake2s 6937db96d56Sopenharmony_ci >>> from base64 import b64decode, b64encode 6947db96d56Sopenharmony_ci >>> orig_key = b64decode(b'Rm5EPJai72qcK3RGBpW3vPNfZy5OZothY+kHY6h21KM=') 6957db96d56Sopenharmony_ci >>> enc_key = blake2s(key=orig_key, person=b'kEncrypt').digest() 6967db96d56Sopenharmony_ci >>> mac_key = blake2s(key=orig_key, person=b'kMAC').digest() 6977db96d56Sopenharmony_ci >>> print(b64encode(enc_key).decode('utf-8')) 6987db96d56Sopenharmony_ci rbPb15S/Z9t+agffno5wuhB77VbRi6F9Iv2qIxU7WHw= 6997db96d56Sopenharmony_ci >>> print(b64encode(mac_key).decode('utf-8')) 7007db96d56Sopenharmony_ci G9GtHFE1YluXY1zWPlYk1e/nWfu0WSEb0KRcjhDeP/o= 7017db96d56Sopenharmony_ci 7027db96d56Sopenharmony_ciTree mode 7037db96d56Sopenharmony_ci""""""""" 7047db96d56Sopenharmony_ci 7057db96d56Sopenharmony_ciHere's an example of hashing a minimal tree with two leaf nodes:: 7067db96d56Sopenharmony_ci 7077db96d56Sopenharmony_ci 10 7087db96d56Sopenharmony_ci / \ 7097db96d56Sopenharmony_ci 00 01 7107db96d56Sopenharmony_ci 7117db96d56Sopenharmony_ciThis example uses 64-byte internal digests, and returns the 32-byte final 7127db96d56Sopenharmony_cidigest:: 7137db96d56Sopenharmony_ci 7147db96d56Sopenharmony_ci >>> from hashlib import blake2b 7157db96d56Sopenharmony_ci >>> 7167db96d56Sopenharmony_ci >>> FANOUT = 2 7177db96d56Sopenharmony_ci >>> DEPTH = 2 7187db96d56Sopenharmony_ci >>> LEAF_SIZE = 4096 7197db96d56Sopenharmony_ci >>> INNER_SIZE = 64 7207db96d56Sopenharmony_ci >>> 7217db96d56Sopenharmony_ci >>> buf = bytearray(6000) 7227db96d56Sopenharmony_ci >>> 7237db96d56Sopenharmony_ci >>> # Left leaf 7247db96d56Sopenharmony_ci ... h00 = blake2b(buf[0:LEAF_SIZE], fanout=FANOUT, depth=DEPTH, 7257db96d56Sopenharmony_ci ... leaf_size=LEAF_SIZE, inner_size=INNER_SIZE, 7267db96d56Sopenharmony_ci ... node_offset=0, node_depth=0, last_node=False) 7277db96d56Sopenharmony_ci >>> # Right leaf 7287db96d56Sopenharmony_ci ... h01 = blake2b(buf[LEAF_SIZE:], fanout=FANOUT, depth=DEPTH, 7297db96d56Sopenharmony_ci ... leaf_size=LEAF_SIZE, inner_size=INNER_SIZE, 7307db96d56Sopenharmony_ci ... node_offset=1, node_depth=0, last_node=True) 7317db96d56Sopenharmony_ci >>> # Root node 7327db96d56Sopenharmony_ci ... h10 = blake2b(digest_size=32, fanout=FANOUT, depth=DEPTH, 7337db96d56Sopenharmony_ci ... leaf_size=LEAF_SIZE, inner_size=INNER_SIZE, 7347db96d56Sopenharmony_ci ... node_offset=0, node_depth=1, last_node=True) 7357db96d56Sopenharmony_ci >>> h10.update(h00.digest()) 7367db96d56Sopenharmony_ci >>> h10.update(h01.digest()) 7377db96d56Sopenharmony_ci >>> h10.hexdigest() 7387db96d56Sopenharmony_ci '3ad2a9b37c6070e374c7a8c508fe20ca86b6ed54e286e93a0318e95e881db5aa' 7397db96d56Sopenharmony_ci 7407db96d56Sopenharmony_ciCredits 7417db96d56Sopenharmony_ci^^^^^^^ 7427db96d56Sopenharmony_ci 7437db96d56Sopenharmony_ciBLAKE2_ was designed by *Jean-Philippe Aumasson*, *Samuel Neves*, *Zooko 7447db96d56Sopenharmony_ciWilcox-O'Hearn*, and *Christian Winnerlein* based on SHA-3_ finalist BLAKE_ 7457db96d56Sopenharmony_cicreated by *Jean-Philippe Aumasson*, *Luca Henzen*, *Willi Meier*, and 7467db96d56Sopenharmony_ci*Raphael C.-W. Phan*. 7477db96d56Sopenharmony_ci 7487db96d56Sopenharmony_ciIt uses core algorithm from ChaCha_ cipher designed by *Daniel J. Bernstein*. 7497db96d56Sopenharmony_ci 7507db96d56Sopenharmony_ciThe stdlib implementation is based on pyblake2_ module. It was written by 7517db96d56Sopenharmony_ci*Dmitry Chestnykh* based on C implementation written by *Samuel Neves*. The 7527db96d56Sopenharmony_cidocumentation was copied from pyblake2_ and written by *Dmitry Chestnykh*. 7537db96d56Sopenharmony_ci 7547db96d56Sopenharmony_ciThe C code was partly rewritten for Python by *Christian Heimes*. 7557db96d56Sopenharmony_ci 7567db96d56Sopenharmony_ciThe following public domain dedication applies for both C hash function 7577db96d56Sopenharmony_ciimplementation, extension code, and this documentation: 7587db96d56Sopenharmony_ci 7597db96d56Sopenharmony_ci To the extent possible under law, the author(s) have dedicated all copyright 7607db96d56Sopenharmony_ci and related and neighboring rights to this software to the public domain 7617db96d56Sopenharmony_ci worldwide. This software is distributed without any warranty. 7627db96d56Sopenharmony_ci 7637db96d56Sopenharmony_ci You should have received a copy of the CC0 Public Domain Dedication along 7647db96d56Sopenharmony_ci with this software. If not, see 7657db96d56Sopenharmony_ci https://creativecommons.org/publicdomain/zero/1.0/. 7667db96d56Sopenharmony_ci 7677db96d56Sopenharmony_ciThe following people have helped with development or contributed their changes 7687db96d56Sopenharmony_cito the project and the public domain according to the Creative Commons Public 7697db96d56Sopenharmony_ciDomain Dedication 1.0 Universal: 7707db96d56Sopenharmony_ci 7717db96d56Sopenharmony_ci* *Alexandr Sokolovskiy* 7727db96d56Sopenharmony_ci 7737db96d56Sopenharmony_ci.. _BLAKE2: https://www.blake2.net 7747db96d56Sopenharmony_ci.. _HMAC: https://en.wikipedia.org/wiki/Hash-based_message_authentication_code 7757db96d56Sopenharmony_ci.. _BLAKE: https://web.archive.org/web/20200918190133/https://131002.net/blake/ 7767db96d56Sopenharmony_ci.. _SHA-3: https://en.wikipedia.org/wiki/NIST_hash_function_competition 7777db96d56Sopenharmony_ci.. _ChaCha: https://cr.yp.to/chacha.html 7787db96d56Sopenharmony_ci.. _pyblake2: https://pythonhosted.org/pyblake2/ 7797db96d56Sopenharmony_ci.. _NIST-SP-800-132: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf 7807db96d56Sopenharmony_ci.. _stackexchange pbkdf2 iterations question: https://security.stackexchange.com/questions/3959/recommended-of-iterations-when-using-pbkdf2-sha256/ 7817db96d56Sopenharmony_ci 7827db96d56Sopenharmony_ci 7837db96d56Sopenharmony_ci.. seealso:: 7847db96d56Sopenharmony_ci 7857db96d56Sopenharmony_ci Module :mod:`hmac` 7867db96d56Sopenharmony_ci A module to generate message authentication codes using hashes. 7877db96d56Sopenharmony_ci 7887db96d56Sopenharmony_ci Module :mod:`base64` 7897db96d56Sopenharmony_ci Another way to encode binary hashes for non-binary environments. 7907db96d56Sopenharmony_ci 7917db96d56Sopenharmony_ci https://www.blake2.net 7927db96d56Sopenharmony_ci Official BLAKE2 website. 7937db96d56Sopenharmony_ci 7947db96d56Sopenharmony_ci https://csrc.nist.gov/csrc/media/publications/fips/180/2/archive/2002-08-01/documents/fips180-2.pdf 7957db96d56Sopenharmony_ci The FIPS 180-2 publication on Secure Hash Algorithms. 7967db96d56Sopenharmony_ci 7977db96d56Sopenharmony_ci https://en.wikipedia.org/wiki/Cryptographic_hash_function#Cryptographic_hash_algorithms 7987db96d56Sopenharmony_ci Wikipedia article with information on which algorithms have known issues and 7997db96d56Sopenharmony_ci what that means regarding their use. 8007db96d56Sopenharmony_ci 8017db96d56Sopenharmony_ci https://www.ietf.org/rfc/rfc8018.txt 8027db96d56Sopenharmony_ci PKCS #5: Password-Based Cryptography Specification Version 2.1 8037db96d56Sopenharmony_ci 8047db96d56Sopenharmony_ci https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf 8057db96d56Sopenharmony_ci NIST Recommendation for Password-Based Key Derivation. 806
