def tworker3(hpass,a,start,step,g,N,q): ''' this BF password ''' sc = ord('a')+start ec = ord('z') cc = [sc] while True: h_c = "".join([chr(c) for c in cc]) x = s2i(hashlib.sha256(h_c).digest()) S = pow(2,a+x,N) K = hashlib.sha256(i2s(S)).digest() if hmac.HMAC(K,"",hashlib.sha256).digest() == hpass: q.put(h_c) break cc[0] += step for i in range(0,len(cc)): if cc[i] > ec: try: cc[i+1] += 1 except: cc.append(sc) cc[i] %= (ec+1) cc[i] += sc else: break
def recv2(self,hks): S = pow(self.A * pow(self.v,self.u,self.N),self.b,self.N) K = hashlib.sha256(i2s(S)).digest() if hks == hmac.HMAC(K,self.salt,hashlib.sha256).digest() and self.I == self.Ic: return "OK" else: return "No way"
def forging(mesg,key): e = key[0] n = key[1] if e != 3: raise Exception("e not equal 3") pkcs15 = PKCS15() dgst = hashlib.sha1(mesg).digest() keylen = len(i2s(n)) getcontext().prec = keylen * 8 # this is the valid beginning forge = "\x00\x01%s\x00%s" % ("\xff" * 8, dgst) # this will be garbge garbage = "\x00" * (keylen - 8 - len(dgst) - 13) whole = s2i(forge+garbage) cr = int(pow(whole,Decimal(1)/Decimal(3)))+1 return i2s(cr)
def attack(enc,key,iseven): e = key[0] # e - from the pub key n = key[1] # n - from the pub key ct = s2i(enc[0]) # encrypted message c2 = pow(2,e,n) # (2**e)%n) ct = (ct * c2) % n # we need to do this before we start counting limit = int(math.log(n,2))+1 # number of bits in the key getcontext().prec = limit # how precise our floats should be a = Decimal(0) b = Decimal(n) for x in range(limit): t = (a+b)/2 if iseven([i2s(ct)]): b = t else: a = t ct = (ct * c2) % n return i2s(int(b)).encode('string_escape')
def tworker2(hpass,a,words,start,step,g,N,q): ''' dictionary attack ''' i = start while i < len(words): x = s2i(hashlib.sha256(words[i]).digest()) S = pow(2,a+x,N) K = hashlib.sha256(i2s(S)).digest() if hmac.HMAC(K,"",hashlib.sha256).digest() == hpass: q.put(words[i]) break i += step
def b_step2a (pubkey, prvkey, c, oracle): """ Bleichenbacher step 2a """ e = pubkey[0] n = pubkey[1] c = s2i("".join(c)) c0 = (c * modexp(1, e, n)) % n s1 = n // 0x3B count = 0 while True: c1 = (c0 * modexp(s1, e, n)) % n if oracle(prvkey, list(i2s(c1))): break s1 += 1 if count % 10 == 0: sys.stdout.write("%s \r" % (count)) sys.stdout.flush() count += 1 return s1
#!/usr/bin/env python from c39 import RSA # RSA from c36 import i2s, s2i if __name__ == "__main__": msg = "attack after the breakfast" rsa = RSA() pub,priv = rsa.keygen() C = rsa.encrypt(msg,pub) assert rsa.decrypt(C,priv) == msg, "bug in my RSA, decryption didn't provide the same clear text" S = 3 # lowest possible S C1 = list() # the cipher text is a list for ct in C: # lets iterate over the ciphertext C1.append(i2s((pow(S,pub[0],pub[1])*s2i(ct)) % pub[1])) # if C1 != C: # the C1 has to be different the C P1 = rsa.decrypt(C1,priv) print i2s((s2i(P1)/S)%pub[1]) else: print "something wrong C1 and C should be different"
# initiate and test d = DSA() d.test() # challenge 43 y = long("84ad4719d044495496a3201c8ff484feb45b962e7302e56a392aee4"+\ "abab3e4bdebf2955b4736012f21a08084056b19bcd7fee56048e004"+\ "e44984e2f411788efdc837a0d2e5abb7b555039fd243ac01f0fb2ed"+\ "1dec568280ce678e931868d23eb095fde9d3779191b8c0299d6e07b"+\ "bb283e6633451e535c45513b2d33c99ea17", 16) m = "For those that envy a MC it can be hazardous to your health\n"+\ "So be friendly, a matter of life and death, just like a etch-a-sketch\n" r = 548099063082341131477253921760299949438196259240 s = 857042759984254168557880549501802188789837994940 msg_check_hash = "d2d0714f014a9784047eaeccf956520045c45265" assert (hashlib.sha1(m).hexdigest() == msg_check_hash), "hash doesn't match" h_expected = "0954edd5e0afe5542a4adf012611a91912a3ec16" # broken implementation k is between 0 and 2^16 for k in range(0, 2**16): x = d.x_recovery(m, r, s, k) if hashlib.sha1(i2s(x).encode('hex')).hexdigest() == h_expected: (r1, s1) = d.sign(m, x) d.verify(m, r1, s1, y) print "k : %s" % (k) print "x : %s" % (x) break
def make(self,msg,key): pkcs15 = PKCS15() rsa = RSA() dgst = hashlib.sha1(message).digest() paddgst = pkcs15.pad(dgst,len(i2s(key[1]))) return rsa.encrypt(paddgst,key)
def recv1(self,salt,B,u): self.salt = salt x = s2i(hashlib.sha256(self.salt+self.P).digest()) S = pow(B,(self.a+u*x),self.N) self.K = hashlib.sha256(i2s(S)).digest()
ct1 = RSA().encrypt(cleartext,pub1) print "2. key generation" pub2,priv2 = RSA().keygen(l=2048,s=False) # s=False gives e=3 print "2. encrypting using pub key" ct2 = RSA().encrypt(cleartext,pub2) assert RSA().decrypt(ct0,priv0) == cleartext, "error on key0" assert RSA().decrypt(ct1,priv1) == cleartext, "error on key1" assert RSA().decrypt(ct2,priv2) == cleartext, "error on key2" # https://en.wikipedia.org/wiki/Coppersmith%27s_Attack#H.C3.A5stad.27s_Broadcast_Attack # https://en.wikipedia.org/wiki/Chinese_remainder_theorem c_0 = s2i(ct0[0]) c_1 = s2i(ct1[0]) c_2 = s2i(ct2[0]) n_0 = pub0[1] n_1 = pub1[1] n_2 = pub2[1] m_s_0 = n_1 * n_2 m_s_1 = n_0 * n_2 m_s_2 = n_0 * n_1 result = (c_0 * m_s_0 * invmod(m_s_0, n_0)) result += (c_1 * m_s_1 * invmod(m_s_1, n_1)) result += (c_2 * m_s_2 * invmod(m_s_2, n_2)) result %= (n_0 * n_1 * n_2) print i2s(int(pow(Decimal(result),Decimal(1)/Decimal(3)))+1)
client.send(str(I)+","+str(A)) data = client.recv(4096) salt,B = data.split(",") c.recv1(salt,int(B)) client.send(c.send2()) print client.recv(4096) client.shutdown(2) print "Attack A=0 (because of this S = 0):", client1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) client1.connect(("127.0.0.1", 9001)) client1.send("[email protected],0") data = client1.recv(4096) salt = data.split(",")[0] K = hashlib.sha256(i2s(0)).digest() client1.send(hmac.HMAC(K,salt,hashlib.sha256).digest()) print client1.recv(4096) client1.shutdown(2) print "Attack A=N (because of this S = 0):", client2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) client2.connect(("127.0.0.1", 9001)) client2.send("[email protected],"+str(NISTprime)) data = client2.recv(4096) salt = data.split(",")[0] K = hashlib.sha256(i2s(0)).digest() client2.send(hmac.HMAC(K,salt,hashlib.sha256).digest()) print client2.recv(4096) client2.shutdown(2)
len_n = len(i2s(n)) - 1 len_m = len(m) if len_n > len_m: return [i2s(pow(s2i(m), e, n))] else: cs = [] i = 0 while len_n * i < len_m: cs.append(i2s(pow(s2i(m[len_n * i : len_n * (i + 1)]), e, n))) i += 1 return cs def decrypt(self, cs, (d, n)): m = "" for c in cs: m += i2s(pow(s2i(c), d, n)) return m if __name__ == "__main__": k1, k2 = RSA().keygen() cleartext = "this is just a test of a message that will be encrypted using RSA private/public key cryptography, lets try something very long to see how this may woRk.\ We may also try to add some random things here and here, and here. Just a test like I said," # cleartext = open("c39.py").read() # <<-- this also works, but this actually needs padding print cleartext ciphertext = RSA().encrypt(cleartext, k1) print ciphertext decryptedtext = RSA().decrypt(ciphertext, k2) print decryptedtext
client.send(str(I)+","+str(A)) #发送I和A data = client.recv(4096) salt,B = data.split(",") #接收服务器的数据传回的salt 和服务器公钥B c.recv1(salt,int(B)) #生成 u x s k client.send(c.send2()) #计算mac并发送 print client.recv(4096) #显示服务器返回的结果 client.shutdown(2) print "Attack A=0 (because of this S = 0):", client1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) client1.connect(("127.0.0.1", 9001)) client1.send("[email protected],0") #发送A = 0 data = client1.recv(4096) salt = data.split(",")[0] K = hashlib.sha256(i2s(0)).digest() #计算K client1.send(hmac.HMAC(K,salt,hashlib.sha256).digest()) #计算mac并发送 print client1.recv(4096) client1.shutdown(2) print "Attack A=N (because of this S = 0):", client2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) client2.connect(("127.0.0.1", 9001)) client2.send("[email protected],"+str(NISTprime)) #发送A = N data = client2.recv(4096) salt = data.split(",")[0] K = hashlib.sha256(i2s(0)).digest() client2.send(hmac.HMAC(K,salt,hashlib.sha256).digest()) print client2.recv(4096) client2.shutdown(2)
if count % 10 == 0: sys.stdout.write("%s \r" % (count)) sys.stdout.flush() count += 1 return s1 if __name__ == "__main__": rsa = RSA() pkcs = PKCS15t2() # clear text message text = "kick it, CC" # 256 bit key generation (pubkey, prvkey) = rsa.keygen(256) # padding PKCS#1 1.5 m = pkcs.pad(text, len(i2s(pubkey[1]))) # encrypting c = rsa.encrypt(m, pubkey) m1 = rsa.decrypt(c, prvkey) assert (m == "\x00"+m1), "PKCS#1 1.5 implementation failure" assert (text == pkcs.unpad("\x00"+m1)), "RSA implementation failure" # Bleichenbacher print b_step2a(pubkey, prvkey, c, oracle)