Example #1
0
def p44() -> Optional[str]:
    dsa = DSA()
    y = int(
        '2d026f4bf30195ede3a088da85e398ef869611d0f68f07'
        '13d51c9c1a3a26c95105d915e2d8cdf26d056b86b8a7b8'
        '5519b1c23cc3ecdc6062650462e3063bd179c2a6581519'
        'f674a61f1d89a1fff27171ebc1b93d4dc57bceb7ae2430'
        'f98a6a4d83d8279ee65d71c1203d2c96d65ebbf7cce9d3'
        '2971c3de5084cce04a2e147821', 16)

    fingerprint = 'ca8f6f7c66fa362d40760d135b763eb8527d3d52'
    sigs = _parse_signature_file()

    for i, j in combinations(range(len(sigs)), 2):
        s1, m1 = int(sigs[i][0]), int(sigs[i][2], 16)
        s2, m2 = int(sigs[j][0]), int(sigs[j][2], 16)

        s = (s1 - s2) % dsa.q
        m = (m1 - m2) % dsa.q
        k = (invmod(s, dsa.q) * m) % dsa.q

        r = int(sigs[i][1])
        x = (((s1 * k) - m1) * invmod(r, dsa.q)) % dsa.q

        if sha1(hex(x)[2:].encode()).hexdigest() == fingerprint:
            assert y == pow(dsa.g, x, dsa.p)
            return f'Private DSA key is {x}'
Example #2
0
def p40() -> str:
    msg = b'Assume you\'re a Javascript programmer. That is, you\'re using a naive handrolled ' \
          b'RSA to encrypt without padding.'
    print(f'Encrypting secret message "{msg.decode()}"')
    msg = int(hexlify(msg), 16)

    pairs = []
    for _ in range(3):
        rsa = RSA()
        c = rsa.enc(msg)
        pairs.append((c, rsa.N))
        print(
            f'Generated ciphertext = {str(c)[:15]}... for N = {str(rsa.N)[:15]}...'
        )

    c0, c1, c2 = [c for (c, _) in pairs]
    n0, n1, n2 = [N for (c, N) in pairs]
    m0, m1, m2 = n1 * n2, n0 * n2, n0 * n1

    t0 = (c0 * m0 * invmod(m0, n0))
    t1 = (c1 * m1 * invmod(m1, n1))
    t2 = (c2 * m2 * invmod(m2, n2))
    c = (t0 + t1 + t2) % (n0 * n1 * n2)

    m = kth_root(c, 3)
    m = unhexlify(hex(m)[2:])

    return f'Recovered message "{m.decode()}"'
Example #3
0
    def verify(self, m, r, s):
        w = invmod(s, self.q)
        u1 = (int(sha1(m).hexdigest(), 16) * w) % self.q
        u2 = (r * w) % self.q

        v1 = pow(self.g, u1, self.p)
        v2 = pow(self.y, u2, self.p)
        v = ((v1 * v2) % self.p) % self.q

        return v == r
Example #4
0
    def sign(self, m):
        r, s = 0, 0

        k = randint(1, self.q - 1)
        r = pow(self.g, k, self.p) % self.q

        hash_int = int(sha1(m).hexdigest(), 16)
        s = (invmod(k, self.q) * (hash_int + self.x * r)) % self.q

        return (r, s)
Example #5
0
    def verify(self, m:  bytes, r: int, s: int) -> bool:
        w = invmod(s, self.q)
        u1 = (int(sha1(m).hexdigest(), 16) * w) % self.q
        u2 = (r * w) % self.q

        v1 = pow(self.g, u1, self.p)
        v2 = pow(self.y, u2, self.p)
        v = ((v1 * v2) % self.p) % self.q

        return v == r
Example #6
0
def p45() -> str:
    dsa = DSA()

    dsa.g = 0
    r, s = dsa.sign(b'Original Message')
    assert dsa.verify(b'Bad Message', r, s)

    dsa.g = dsa.p + 1
    z = 2
    r = pow(dsa.y, z, dsa.p) % dsa.q
    s = (r * invmod(z, dsa.q)) % dsa.q
    assert dsa.verify(b'Hello World', r, s)
    assert dsa.verify(b'Goodbye World', r, s)

    return f'Signature for "Hello World" and "Goodbye World" - ({r}, {s})'
Example #7
0
def p45():
    dsa = DSA()

    dsa.g = 0
    r, s = dsa.sign('Original Message')
    assert dsa.verify('Bad Message', r, s)

    dsa.g = dsa.p + 1
    z = 2
    r = pow(dsa.y, z, dsa.p) % dsa.q
    s = (r * invmod(z, dsa.q)) % dsa.q
    assert dsa.verify('Hello World', r, s)
    assert dsa.verify('Goodbye World', r, s)

    return 'Signature for "Hello World" and "Goodbye World" - ({}, {})'.format(
        r, s)
Example #8
0
def p41() -> str:
    rsa = RSA()
    N, e = rsa.N, rsa.e

    ptxt = dumps({
        'time': 1356304276,
        'social': '867-00-5309',
    })
    ptxt = int(hexlify(ptxt.encode()), 16)
    ctxt = rsa.enc(ptxt)

    s = 2
    ctxt_ = pow(s, e, N) * ctxt % N
    ptxt_ = rsa.dec(ctxt_)

    recovered = invmod(s, N) * ptxt_ % N
    recovered = unhexlify(hex(recovered)[2:]).decode()
    return 'Recovered data {}'.format(loads(recovered))
Example #9
0
def p41():
    rsa = RSA()
    N, e = rsa.N, rsa.e

    ptxt = dumps({
        'time': 1356304276,
        'social': '555-55-5555',
    })
    ptxt = int(hexlify(ptxt), 16)
    ctxt = rsa.enc(ptxt)

    s = 2
    ctxt_ = pow(s, e, N) * ctxt % N
    ptxt_ = rsa.dec(ctxt_)

    recovered = invmod(s, N) * ptxt_ % N
    recovered = unhexlify(hex(recovered)[2:-1])
    return 'Recovered data {}'.format(loads(recovered))
Example #10
0
def p43():
    dsa = DSA()
    y = int(
        '84ad4719d044495496a3201c8ff484feb45b962e7302e56a392aee4'
        'abab3e4bdebf2955b4736012f21a08084056b19bcd7fee56048e004'
        'e44984e2f411788efdc837a0d2e5abb7b555039fd243ac01f0fb2ed'
        '1dec568280ce678e931868d23eb095fde9d3779191b8c0299d6e07b'
        'bb283e6633451e535c45513b2d33c99ea17', 16)

    m = 'For those that envy a MC it can be hazardous to your health\n' \
        'So be friendly, a matter of life and death, just like a etch-a-sketch\n'
    mhash = int(sha1(m).hexdigest(), 16)
    r = 548099063082341131477253921760299949438196259240
    s = 857042759984254168557880549501802188789837994940

    fingerprint = '0954edd5e0afe5542a4adf012611a91912a3ec16'

    for k in range(2**16):
        x = (((s * k) - mhash) * invmod(r, dsa.q)) % dsa.q

        if sha1(hex(x)[2:-1]).hexdigest() == fingerprint:
            assert y == pow(dsa.g, x, dsa.p)
            return 'Private DSA key is {}'.format(x)