def verify(m, g, p, q, r, s, y):
for j in [r, s]:
if j <= 0:
pass # Bad! Should reject, but breaking on purpose.
if j >= q:
return False
w = invmod(s, q)
u1 = s2i(sha1(m).digest()) * w % q
u2 = r * w % q
v = (pow(g, u1, p) * pow(y, u2, p)) % p % q
return v == r
def verify(m, g, p, q, r, s, y):
for j in [r, s]:
if j <= 0:
pass # Bad! Should reject, but breaking on purpose.
if j >= q:
return False
w = invmod(s, q)
u1 = s2i(sha1(m).digest()) * w % q
u2 = r * w % q
v = (pow(g, u1, p) * pow(y, u2, p)) % p % q
return v == r
def sign(message, g, p, q, x):
"""DSA signing. Deliberately bad max value for k, the nonce. Really,
max should be = q. Also deliberately bad to give up and allow r =
0.
"""
r = 0
s = 0
i = 0
while r == 0 or s == 0:
i += 1
if i > 60000:
return [r,s] # bad!
k = random.randint(1, 2 ** 16) # bad !
r = pow(g, k, p) % q
H = s2i(sha1(message).digest())
s = ((H + x * r) * invmod(k, q)) % q
return [r, s]
def sign(message, g, p, q, x):
"""DSA signing. Deliberately bad max value for k, the nonce. Really,
max should be = q. Also deliberately bad to give up and allow r =
0.
"""
r = 0
s = 0
i = 0
while r == 0 or s == 0:
i += 1
if i > 60000:
return [r, s] # bad!
k = random.randint(1, 2**16) # bad !
r = pow(g, k, p) % q
H = s2i(sha1(message).digest())
s = ((H + x * r) * invmod(k, q)) % q
return [r, s]
print "Along with signature..."
print signature
print "Does it verify?"
print verify(signature, message, U)
print
#### Forging
msg_to_forge = "hi mom"
hash_mom = sha1(msg_to_forge).digest()
block_mom = ("\x00\x01\xff\xff\x00ASN.1" +
chr(len(hash_mom)) +
hash_mom)
bytes_to_add = (bits / 8) - len(block_mom)
block_mom += "\x00" * bytes_to_add
block_mom_cube = "\x00" + rsa.i2s(cuberoot(rsa.s2i(block_mom)) ** 3)
forged_sig = cuberoot(rsa.s2i(block_mom_cube))
#### Check the sig
print "A poor fool received message:", msg_to_forge
print "Along with signature..."
print forged_sig
print "Does it verify?"
result = verify(forged_sig, msg_to_forge, U)
print result
print
#### tests ####
assert result
assert unpad(pkcs_1_5("Hello", 1024)) == "Hello"
bounds = [0, n]
start = time.time()
for i in range(2048):
p = parity(multiply(ciphertext, 2**(i + 1), e, n))
half_the_dist = (bounds[1] - bounds[0]) / 2
if p == 0:
bounds = [bounds[0], bounds[1] - half_the_dist]
elif p == 1:
bounds = [bounds[0] + half_the_dist, bounds[1]]
if i % 16 == 0:
print p, i, cleanup(rsa.i2s(bounds[1]),
'_') # get 256 char wide screen
end = time.time()
dur = round(end - start, 1)
print "--------"
for b in bounds:
print rsa.i2s(b)
print "2048 oracularities in", dur, "s =", round(2048 / dur, 1), "per s."
#### tests ####
hi = 'Hi'
c_hi = rsa.encrypt_string(hi, pubkey)
D = multiply(c_hi, 2, pubkey[0], pubkey[1])
assert rsa.s2i(hi) * 2 == rsa.crypt(D, privkey)
warn("Passed assertions:", __file__)
# theory, I think we could just cube-root it, but oh well.
bounds = [0, n]
start = time.time()
for i in range(2048):
p = parity(multiply(ciphertext, 2**(i+1), e, n))
half_the_dist = (bounds[1] - bounds[0]) / 2
if p == 0:
bounds = [bounds[0], bounds[1] - half_the_dist]
elif p == 1:
bounds = [bounds[0] + half_the_dist, bounds[1]]
if i % 16 == 0:
print p, i, cleanup(rsa.i2s(bounds[1]), '_') # get 256 char wide screen
end = time.time()
dur = round(end - start, 1)
print "--------"
for b in bounds:
print rsa.i2s(b)
print "2048 oracularities in", dur, "s =", round(2048 / dur, 1), "per s."
#### tests ####
hi = 'Hi'
c_hi = rsa.encrypt_string(hi, pubkey)
D = multiply(c_hi, 2, pubkey[0], pubkey[1])
assert rsa.s2i(hi) * 2 == rsa.crypt(D, privkey)
warn("Passed assertions:", __file__)
breakme = alice.encrypt(secret_for_bob)
E = breakme["pubkey"][0] # pub key exponent
N = breakme["pubkey"][1] # public key modulus
C = breakme["ciphertext"] # long integer, not string
print "Bob calls Alice and receives..."
print alice.decrypt(C)
print
#### Mallory
print "Mallory calls Alice the 1st time and receives..."
print alice.decrypt(C)
print "Mallory calls w/ seemingly different string & receives..."
S = random.randint(2, 100000)
assert S % N > 1
Cp = (pow(S, E, N) * C) % N
Pp_string = alice.decrypt(Cp)
print Pp_string
Pp = rsa.s2i(Pp_string)
print "Alice's hash table suspects nothing..."
print alice.log
P = (Pp * rsa.invmod(S, N)) % N
print "But Mallory now knows..."
print rsa.i2s(P)
#### tests ####
assert rsa.i2s(P) == secret_for_bob
warn("Passed assertions:", __file__)
breakme = alice.encrypt(secret_for_bob)
E = breakme['pubkey'][0] # pub key exponent
N = breakme['pubkey'][1] # public key modulus
C = breakme['ciphertext'] # long integer, not string
print "Bob calls Alice and receives..."
print alice.decrypt(C)
print
#### Mallory
print "Mallory calls Alice the 1st time and receives..."
print alice.decrypt(C)
print "Mallory calls w/ seemingly different string & receives..."
S = random.randint(2, 100000)
assert S % N > 1
Cp = (pow(S, E, N) * C) % N
Pp_string = alice.decrypt(Cp)
print Pp_string
Pp = rsa.s2i(Pp_string)
print "Alice's hash table suspects nothing..."
print alice.log
P = (Pp * rsa.invmod(S, N) ) % N
print "But Mallory now knows..."
print rsa.i2s(P)
#### tests ####
assert rsa.i2s(P) == secret_for_bob
warn("Passed assertions:", __file__)
