def challenge_46():
print()
# Get message, create RSA keypair, generate ciphertext
message = base64.b64decode('VGhhdCdzIHdoeSBJIGZvdW5kIHlvdSBkb24ndCBwbGF5IGFyb3VuZCB3aXRoIHRoZSBGdW5reSBDb2xkIE1lZGluYQ==')
pub, priv = set5.set_up_rsa(e=3, keysize=1024)
ciphertext = set5.encrypt_rsa(set5.bytes_to_int(message), pub)
# Set up our Oracle
oracle = lambda x: rsa_oracle_plaintext_even(x, priv)
# Verify the keypair works
assert set5.int_to_bytes(set5.encrypt_rsa(ciphertext, priv)) == message
# Set initial lower and upper bound, as well as intermediate ciphertext
lower_bound, upper_bound = 0, pub[1]
ciphertext_ = ciphertext
# Perform the below until the lower and upper bound converge
while upper_bound != lower_bound:
# Multiply plaintext by multiplying ciphertext by 2**`e` mod `N`
ciphertext_ = (ciphertext_ * set5.modexp(2, pub[0], pub[1])) % pub[1]
# If the oracle says True, update the upper bound; if False, update the lower bound
if oracle(ciphertext_):
upper_bound = floor(upper_bound + lower_bound, 2)
else:
lower_bound = floor(upper_bound + lower_bound, 2)
# Create 'Holywood style' output
intermediate_result = str(set5.int_to_bytes(upper_bound))[:os.get_terminal_size().columns - 1]
fill = " " * (os.get_terminal_size().columns - 1 - len(intermediate_result))
print(colorama.Cursor.UP(1) + intermediate_result + fill)
# Print final outputs
print(colorama.Cursor.UP(1) + "Result: {}".format(set5.int_to_bytes(upper_bound)))
print("Original: {}".format(message))
def challenge_48():
# Set up new RSA instance, this time with bigger key length
pub, priv = set5.set_up_rsa(e=3, keysize=768)
# Prepare message
message = pad_PKCS(b'I don\'t know, Marge. Trying is the first step towards failure - Homer Simpson', k=(pub[1].bit_length() + 7) // 8)
# Get ciphertext using generated RSA instance
ciphertext = set5.encrypt_rsa(set5.bytes_to_int(message), pub)
# Set up our Oracle
oracle = lambda x: rsa_oracle_02(x, priv)
assert oracle(ciphertext)
# Perform the actual attack: set up bleichenbacher98 instance
bb98 = bleichenbacher98(ciphertext, pub, oracle)
# Run the attack
found_message = bb98.solve()
print("Found message:", found_message)
# Verify the found message equals our original plaintext
assert_true(found_message == message)
def challenge_47():
# Set up new RSA instance
pub, priv = set5.set_up_rsa(e=3, keysize=256)
# Prepare message
message = pad_PKCS(b'kick it, CC', k=(pub[1].bit_length() + 7) // 8)
# Get ciphertext using generated RSA instance
ciphertext = set5.encrypt_rsa(set5.bytes_to_int(message), pub)
# Set up our Oracle
oracle = lambda x: rsa_oracle_02(x, priv)
assert oracle(ciphertext)
# Perform the actual attack: set up bleichenbacher98 instance
bb98 = bleichenbacher98(ciphertext, pub, oracle)
# Run the attack
found_message = bb98.solve()
print("Found message:", found_message)
# Verify the found message equals our original plaintext
assert_true(found_message == message)
def challenge_42():
# Create new RSA Sign/Verify instance
m = RsaSignVerify()
print('> Signed message')
# Part 1: try to verify a valid signature
signature = m.sign(b'Hello world')
assert m.verify(b'Hello world', signature)
# Part 2: forge a signature
print('\n> Forged message')
# Find digest for message to forge
forged_message = b'hi mom'
digest = hashlib.sha1(forged_message).digest()
# Set the contents of the (fake) message to forge
fake_message = b'\x00\x01\xff\x00' + digest
fake_message = set5.bytes_to_int(fake_message + (b'\x00' * (128 - len(fake_message))))
# The actual trick: find the cube root
fake_signed_message = cuberoot(fake_message)
# Check that the forged message passes verification
assert_true(m.verify(forged_message, fake_signed_message))
def sign(self, msg):
digest = hashlib.sha1(msg).digest()
sgn = set5.bytes_to_int(b'\x00\x01' + (b'\xff' * (128 - len(digest) - 3)) + b'\x00' + digest)
if sgn > self.public[1]:
raise ValueError("Message to big for public key")
return set5.encrypt_rsa(sgn, self.__private__)