Smashing RSA for fun and profit

RSArmageddon is a free software project released under GPL-3.0 license aiming to bring a powerful tool to attack the RSA cryptosystem and to manage ciphertexts and keys.

Many common attacks are provided as part of the default package and new ones can be added in an extensible fashion. Attacks are written in Sage, an extension of the Python programming language providing improved math capabilities and greater execution speed for computation-heavy tasks.

For Arch users, this software is easily installed from the AUR

$ yaourt -S rsarmageddon

Packages will be provided for Ubuntu/Debian and Windows in the releases section of the GitHub page.

A python package is available on PyPI for installation through pip on unsupported systems (but Sage has to be installed manually, see section Sage

$ pip install rsarmageddon

The main python script can also be used or installed straight out from a clone of this repo, although using the provided packages is more advisable.

On UNIX and Linux a supported version of Sage (9.x) must be present in the system's PATH. In case multiple versions are installed, the correct one should be the first one found. When installing via one of the provided packages this will generally be taken care of automatically.

Sometimes though Sage requires manual installation, such as when running from a cloned repo or on Windows, when installing through pip, or on *nix systems that do not ship Sage 9.x in their official repositories (confirmed on Debian version 10 and below). For these and more, see the instructions in the next paragraphs.

In some situations, including when:

• running RSArmageddon from a cloned repo
• running RSArmageddon on Windows
• running RSArmageddon on *nix systems that do not ship Sage 9.x
• installing RSArmageddon through pip

and others, Sage requires manual installation. See the instructions in the next paragraphs for directions on how to do that.

There are many ways to install Sage on a Linux system, and some are harder than others. First of all, you should check if a supported version is available through your distro's package manager. The way to do this will be different on every system, but as an example on Ubuntu you would

$ sudo apt update && sudo apt install sagemath-common

Check with your distro for specific instructions. After installing through your package manager, check that the version installed is supported with:

$ sage -v

You should see something like SageMath version 9.2, Release Date: 2020-10-24. If your version is not in the 9.x series, it is advised to uninstall it and try one of the other methods below.

On Debian 10, Sage 9 is currently unavailable in the stable repositories. One option could be switching to Debian unstable, which at the time of writing ships Sage 9.2. If you are willing to do so, you can use the following commands to replace the contents of your /etc/apt/sources.list (doing a backup first) and install Sage 9 while upgrading your system to Debian unstable in the process

$ sudo cp /etc/apt/sources.list /etc/apt/sources.list.bak
$ echo 'deb http://deb.debian.org/debian/ sid main contrib non-free' | sudo tee /etc/apt/sources.list
$ echo 'deb-src http://deb.debian.org/debian/ sid main contrib non-free' | sudo tee -a /etc/apt/sources.list
$ sudo apt update && sudo apt dist-upgrade && sudo apt install sagemath

Your system should then be rebooted.

When a system package is not available, Sage must be installed from upstream. You can follow the instructions found in the official guide, section 2.1.

Download and run one of the installers for the latest supported version (9.x) from the sage-windows GitHub page. RSArmageddon should now be able to find the Sage installation automatically.

Crack a key vulnerable to Wiener factorization

$ rsarmageddon attack wiener -k examples/wiener.pub

Compute whole keys from partial information

$ rsarmageddon pem --dumpvalues -e 65537 -p 59324049994823056990807521915169702002197665897051782389894568149461077528733573161772021466179722704578809854939465445017077058505643271895926748239061359104208689455055208330141778200932280078304275269116573373683890335591263445317053081574622277328277733269675848414776648578497072273924489742291466663664728135782470217482641655776586326036779608751043056008882799192671053855818424895726100126833103213177923610642055953481374647391755694567628770583606826727132842668407118774498338841740271125482904779282687648543113216718032163573461465800663302702757738475592812012962616560400622190059897874533689263969513 -q 56214247180961101472418904084010866028721084750603538850912412988629938657856050506199747131481758687951394659255916498984648545468149966951075957118009649410947195509540243734626631437077632294920348877778126106857190799098500548702150792996731448944864546089813716649988246458024209115269339139700713248173765122394228136275663424166384192546495220986511506395231230712368557643028950758002822402061597625771649228811312719338006284781996960825317128843424255164212087586472800077894183144689764968774192993792706953206432004848853187269871408285302806880768934306325931793314083485686465813811090736334222919041553

Find and break keys from a set that share one or more factors with one another

$ rsarmageddon attack common_factor -k examples/common_factor --exts pem,pub -r --okd cracked_keys

Attack a key using two different methods with a timeout of 30 seconds each

$ rsarmageddon attack fermat,wiener -k examples/wiener.pub --timeout 30 --ok

Attack a key using all available methods with a timeout of 1 minute each

$ rsarmageddon attack all -k examples/fermat.pub --timeout 1m

Create a private key from e, p and q and print it to stdout in PEM format

$ rsarmageddon pem -e 65537 -p 12779877140635552275193974526927174906313992988726945426212616053383820179306398832891367199026816638983953765799977121840616466620283861630627224899026453 -q 12779877140635552275193974526927174906313992988726945426212616053383820179306398832891367199026816638983953765799977121840616466620283861630627224899027521 --cpr -

Factor a number using PARI

$ rsarmageddon factor 9837918379182

Encrypt the bytes string hello_bob using the OAEP encryption standard

$ rsarmageddon encrypt --ptr hello_bob --std oaep -k examples/wiener.pub

RSArmageddon supports the execution of user-created attacks in an extensible fashion. New attacks can be added to an RSArmageddon installation by dropping their files in user-wide and system-wide configuration directories. These are $XDG_CONFIG_HOME/rsarmageddon/attacks and /usr/share/rsarmageddon/attacks on *nix systems, and %LOCALAPPDATA%\RSArmageddon\attacks on Windows. System-wide attacks will shadow builtin attacks of the same name, and user-wide attacks will shadow both system-wide and builtin ones.

Attack files are Sage scripts written using RSArmageddon's attack API. The name of the attack will be equal to the attack file's name with the trailing .sage extension removed. To properly integrate with RSArmageddon, every attack should:

• import attack
• Call attack.init() with the full attack name, and a shorthand name to use as prefix for multiple key outputs. This returns the lists of keys and of ciphertexts to work on, in a tuple. attack.init takes optional keyword arguments min_keys to specify the minimum number of keys the attack needs to work, min_ciphertexts for the minimum number of ciphertexts, and deduplicate which can be set to "keys" or "ns" to filter out wholly duplicate keys or multiple keys with the same public modulus.
• Get any user interaction by calling attack.input, which takes one optional argument prompt and two keyword arguments default and validator. default provides a default value that will be used if the user presses enter without writing anything; when prompt is set to a string, it will be displayed to the user when asking for input while also showing the default value if one is provided. validator takes a callable that can be used to validate and type convert user input before attack.input returns it; it should raise ValueError on malformed input.
• Proceed to execute the required key or ciphertext cracking operations leveraging the full computational and expressive power of Sage's math primitives, printing any useful or interesting informations along the way with attack.info, such as intermediate values and heuristics.
• Every time one or more private keys or cleartexts are found, call the attack.keys and attack.cleartexts to send them to RSArmageddon. attack.keys takes any number of 5-tuples or 6-tuples in the form (n, e, d, p, q, [name]) with the optional 6th element being the key name, only used for multi-key outputs to override the default auto-generated key names. attack.cleartexts takes any number of integer cleartexts, or tuples in the form (cleartext, name) where name overrides the default cleartext name for multiple cleartext outputs in the same way as for keys.
• When the attack has done all it can to recover every possible key and cleartext, it should call attack.success or attack.fail to signal the outcome and terminate the script. attack.fail takes an optional message and a boolean keyword bad_key which signals RSArmageddon one of the keys the attack was given is invalid.

Note: Attacks may freely use any feature of the Python programming language version 3.7 and of SageMath 9 but they should not interact with the standard file descriptors directly (e.g. using the print function to print data to standard output or input to get lines from standard input), as those are reserved for use by the attack API, and RSArmageddon makes no guarantee they will be connected to a terminal or anything sensible at all. Remember to use attack.info and attack.input for all user interactions instead.

Note: interactive input should generally be avoided because it hinders RSArmageddon's ability to try out many consecutive attacks on a given set of keys, basically brute-forcing the attack method while running unsupervised.

Note: Should a multiprocessing Pool need to be created (to greatly improve computational performance of parallelizable computing tasks on multicore hardware), make sure to use the attack.Pool wrapper to ensure signals are properly handled in the attack script's execution environment.