def find_a(p, q, g, A, M, r, s):
print(sha1(M))
h = int(sha1(M), 16) % q
r_inverse = modinv(r, q)
s = s % q
for k in range((1 << 16) + 1):
a = (((k * s) - h) * r_inverse) % q
if A == modexp(g, a, p):
return a
def hmac_sha1(key, text) : block_size = 64 output_size = 20 if len(key) > block_size : key = sha1MAC.sha1(key) while len(key) < block_size : key += b'\x00' outer_key_pad = xor(key, b'\x5c'*64) inner_key_pad = xor(key, b'\x36'*64) return sha1MAC.sha1(outer_key_pad + bytes.fromhex(sha1MAC.sha1(inner_key_pad + text)))
def forge(text: str, digest: str, keylen: int, new_text: str) -> tuple:
forged_text = md_padding(b'A' * keylen + text) + new_text
forged_text = forged_text[keylen:]
a, b, c, d, e = split_five_words(digest)
forged_digest = sha1MAC.sha1(new_text, (keylen + len(forged_text))*8,\
a, b, c, d, e)
return forged_text, forged_digest
def attack(message, keylen):
block = b'\x00\x01\xff\x00' + ASN1_SHA1 + bytes.fromhex(sha1(message))
block += b'\x00' * (((keylen + 7) // 8) - len(block))
sig = int.from_bytes(block, 'big')
forged_sig = int_cube_root(sig)
forged_sig = forged_sig.to_bytes((forged_sig.bit_length() + 7) // 8, 'big')
print('Forged signature -', forged_sig)
RSA_Verifier(keylen).verify(forged_sig, message)
def dsa_verify(p, q, g, A, M, r, s):
if r not in range(1, q) or s not in range(1, q): return 'Reject'
w = modinv(s, q)
h = sha1(M)
h = int(h, 16) % q
u1, u2 = (h * w) % q, (r * w) % q
X = (modexp(g, u1, p) * modexp(A, u2, p)) % p
v = X % q
if v == r: return 'Accept'
return 'Reject'
def dsa_sign(p, q, g, a, M):
r, s = 0, 0
while s == 0:
r, k = 0, randint(1, q - 1)
while r == 0:
X = modexp(g, k, p)
r = X % q
k_inverse = modinv(k, q)
h = sha1(M)
h = int(h, 16) % q
s = (k_inverse * ((h + a * r) % q)) % q
return r, s
def verify(self, signature, message):
signature = b'\x00' + self.rsa.encrypt(signature)
r = re.compile(b'\x00\x01\xff+?\x00.{15}(.{20})', re.DOTALL)
m = r.match(signature)
if not m:
print('Signature format wrong')
return
hash = m.group(1)
if hash == bytes.fromhex(sha1(message)):
print('Signatures matched')
else:
print('Signatures did not match')
def attacker():
global state_attack, d_attack
if state_attack == 0:
p, g, A = queue.pop()
d_attack['p'] = p
print('[*] Got p, g, A -', p, g, A)
print('[*] Replacing A with p')
queue.append((p, g, p))
state_attack = (state_attack + 1) % 4
elif state_attack == 1:
B = queue.pop()
print('[*] Got B -', B)
print('[*] Replacing B with p')
queue.append(d_attack['p'])
state_attack = (state_attack + 1) % 4
elif state_attack == 2:
ciphertext = queue[0]
iv = ciphertext[-16:]
ciphertext = ciphertext[:-16]
print('[*] Got ciphertext and iv -', ciphertext, iv)
key = sha1(b'')[:32]
d_attack['key'] = bytes.fromhex(key)
print('[*] From Diffie-Hellman, actual key -', d_attack['key'])
cipher = aesCBC(d_attack['key'], iv)
print('[*] Actual plaintext -', remove_padding(cipher.decrypt(\
ciphertext)))
state_attack = (state_attack + 1) % 4
elif state_attack == 3:
ciphertext = queue[0]
iv = ciphertext[-16:]
ciphertext = ciphertext[:-16]
print('[*] Got ciphertext and iv -', ciphertext, iv)
cipher = aesCBC(d_attack['key'], iv)
print('[*] Actual plaintext -', remove_padding(cipher.decrypt(\
ciphertext)))
state_attack = (state_attack + 1) % 4
def get_key_diffie_hellman(capital: int, small: int, prime: int):
s = modexp(capital, small, prime)
key = sha1(s.to_bytes((s.bit_length() + 7) // 8, 'big'))[:32]
key = bytes.fromhex(key)
return key
h = int(sha1(M), 16) % q
r_inverse = modinv(r, q)
s = s % q
for k in range((1 << 16) + 1):
a = (((k * s) - h) * r_inverse) % q
if A == modexp(g, a, p):
return a
if __name__ == '__main__':
'''a, A = diffie_hellman(p, g)
M = b'Trap Nation'
r, s = dsa_sign(p, q, g, a, M)
print(dsa_verify(p, q, g, A, M, r, s))'''
A = int(
'84ad4719d044495496a3201c8ff484feb45b962e7302e56a392aee4abab3e4bdebf2955b4736012f21a08084056b19bcd7fee56048e004e44984e2f411788efdc837a0d2e5abb7b555039fd243ac01f0fb2ed1dec568280ce678e931868d23eb095fde9d3779191b8c0299d6e07bbb283e6633451e535c45513b2d33c99ea17',
16)
M = b'For those that envy a MC it can be hazardous to your health\nSo be friendly, a matter of life and death, just like a etch-a-sketch\n'
r, s = 548099063082341131477253921760299949438196259240, 857042759984254168557880549501802188789837994940
a = find_a(p, q, g, A, M, r, s)
print('a is -', a)
print(
'For the real a, the sha1 fingerprint is - 0954edd5e0afe5542a4adf012611a91912a3ec16'
)
h = sha1(hex(a)[2:].encode())
print('Sha1 for this a -', h)
print('Is sha1 fingerprint the same -',
h == '0954edd5e0afe5542a4adf012611a91912a3ec16')