def process(): I = request.args.get('email') A = int(request.args.get('A')) b = randint(0, N) B = k * d[I]['v'] + pow(g, b, N) # Response r = str(d[I]['salt']) + ';' + str(B) # Doing the next steps uH = sha256(int_to_bytes(A) + int_to_bytes(B)).hexdigest() u = int(uH, 16) temp = pow(d[I]['v'], u, N) S = pow(A * temp, b, N) K = sha256(int_to_bytes(S)).digest() salt = struct.pack('<I', d[I]['salt']) hmac = HMAC_SHA256(K, salt) d[I]['hmac'] = hmac return r
def fake_verify(): I = request.args.get('email') hmac = request.args.get('hmac') A = d[I]['A'] b = d[I]['b'] u = d[I]['u'] salt = struct.pack('<I', d[I]['salt']) wordlist = "/usr/share/wordlists/dirb/others/best1050.txt" with open(wordlist, 'r') as f: w = f.read().splitlines() for P in w: xH = sha256(salt + bytearray(P, "ascii")).hexdigest() x = int(xH, 16) v = pow(g, x, N) temp = pow(v, u, N) S = pow(A * temp, b, N) K = sha256(int_to_bytes(S)).digest() if HMAC_SHA256(K, salt) == hmac: print("CRACKED!!!!") print(P) return P
#Generating RSA public and private keys p = generate_rsa_prime() q = generate_rsa_prime() while (test_primes(p, q, e) != True): p = generate_rsa_prime() q = generate_rsa_prime() pub_key, priv_key = rsa_key_gen(p, q, e) #Encrypting message e = pub_key[0] n = pub_key[1] c = rsa_encrypt(m, e, n) print("Original message:", int_to_bytes(decryption(c, priv_key), order="big")) print(decryption(c, priv_key)) #Showing that it can't be done twice # Attacker: captured_cipher = c captured_e = pub_key[0] captured_n = pub_key[1] S = randint(2, 0xFFFFFFFF) attacker_c = (pow(S, captured_e, captured_n) * captured_cipher) % captured_n attacker_p = decryption(attacker_c, priv_key) s_inv = modinv(S, captured_n) recovered_p = attacker_p * s_inv % captured_n
def main(): p = 0xffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67cc74020bbea63b139b22514a08798e3404ddef9519b3cd3a431b302b0a6df25f14374fe1356d6d51c245e485b576625e7ec6f44c42e9a637ed6b0bff5cb6f406b7edee386bfb5a899fa5ae9f24117c4b1fe649286651ece45b3dc2007cb8a163bf0598da48361c55d39a69163fa8fd24cf5f83655d23dca3ad961c62f356208552bb9ed529077096966d670c354e4abc9804f1746c08ca237327ffffffffffffffff g = 2 ################################################################################ ###### MITM attack - Scenario 01: g = 1 ################################################################################ #User A generates A a = randint(0, p) A = pow(g, a, p) #User A sends (p,g,A) to M m_data = (p, g, A) #Use M send (p,g,A) to M g_m = 1 b_data = (p, g_m, A) #User B generates B b = randint(0, b_data[0]) B = pow(b_data[1], b, b_data[0]) #the result will be 1 #User B sends B to M m_data2 = B a_data = m_data2 #let's send this 1 forward #User A calculates s, iv, key and encrypt a message #print a_data s_a = pow(a_data, a, p) #s_a = 1 #print s_a iv_a = random_aes_key(16) msg_a = bytearray("Super Secret Stuff123", "ascii") #print hex(s_a) key_a = sha1(int_to_bytes(s_a))[:16] aes_ecb_a = AES.new(key_a, AES.MODE_ECB) enc_a = cbc_encrypt(aes_ecb_a, msg_a, iv_a) #test = cbc_decrypt(aes_ecb_a, enc_a, iv_a) #print test #User A sends encrypted message and iv to M m_data3 = enc_a + iv_a #M can recalculate the key and decrypt the message: key_m = sha1(b"\x01")[:16] #print key_m aes_ecb_m = AES.new(key_m, AES.MODE_ECB) msg_m = cbc_decrypt(aes_ecb_m, m_data3[:-16], m_data3[-16:], validation=True) #M knows the message (DONE) print("Retrieved by M (scenario 1):", msg_m) ################################################################################ ###### MITM attack - Scenario 02: g = p ################################################################################ #User A generates A a = randint(0, p) A = pow(g, a, p) #User A sends (p,g,A) to M m_data = (p, g, A) #Use M send (p,g,A) to M g_m = p b_data = (p, g_m, A) #User B generates B b = randint(0, b_data[0]) B = pow(b_data[1], b, b_data[0]) #the result will be 0 #User B sends B to M m_data2 = B a_data = m_data2 #let's send this 0 forward #User A calculates s, iv, key and encrypt a message #print a_data s_a = pow(a_data, a, p) #s_a = 0 #print s_a iv_a = random_aes_key(16) msg_a = bytearray("Super Secret Stuff123", "ascii") #print hex(s_a) key_a = sha1(int_to_bytes(s_a))[:16] aes_ecb_a = AES.new(key_a, AES.MODE_ECB) enc_a = cbc_encrypt(aes_ecb_a, msg_a, iv_a) #test = cbc_decrypt(aes_ecb_a, enc_a, iv_a) #print test #User A sends encrypted message and iv to M m_data3 = enc_a + iv_a #M can recalculate the key and decrypt the message: key_m = sha1(b'\x00')[:16] #print key_m aes_ecb_m = AES.new(key_m, AES.MODE_ECB) msg_m = cbc_decrypt(aes_ecb_m, m_data3[:-16], m_data3[-16:], validation=True) #M knows the message (DONE) print("Retrieved by M (scenario 2):", msg_m) ################################################################################ ###### MITM attack - Scenario 03: g = p-1 ################################################################################ #User A generates A a = randint(0, p) A = pow(g, a, p) #User A sends (p,g,A) to M m_data = (p, g, A) #Use M send (p,g,A) to M g_m = p - 1 b_data = (p, g_m, A) #User B generates B b = randint(0, b_data[0]) B = pow(b_data[1], b, b_data[0]) #(p-1)^x % p == (-1)^x % p # if x is even: 1, if x is odd, p-1 #User B sends B to M m_data2 = B a_data = m_data2 #sending the information forward #User A calculates s, iv, key and encrypt a message #print a_data s_a = pow(a_data, a, p) #s_a is either p-1 or 1 #print s_a iv_a = random_aes_key(16) msg_a = bytearray("Super Secret Stuff123", "ascii") #print hex(s_a) key_a = sha1(int_to_bytes(s_a))[:16] aes_ecb_a = AES.new(key_a, AES.MODE_ECB) enc_a = cbc_encrypt(aes_ecb_a, msg_a, iv_a) #User A sends encrypted message and iv to M m_data3 = enc_a + iv_a #M can calculate both possible keys and decrypt the message: key_m1 = sha1(b'\x01')[:16] key_m2 = sha1(int_to_bytes(g_m))[:16] for key_m in (key_m1, key_m2): aes_ecb_m = AES.new(key_m, AES.MODE_ECB) try: msg_m = cbc_decrypt(aes_ecb_m, m_data3[:-16], m_data3[-16:], validation=True) #M knows the message (DONE) except: #this is me being lazy. Note that it might break if the wrong key decrypts some garbage with the right padding pass print("Retrieved by M (scenario 3):", msg_m)
pub_key, priv_key = rsa_key_gen(p, q, e) e = pub_key[0] n = pub_key[1] d = priv_key[0] m = 42 print(rsa_decrypt(rsa_encrypt(m, e, n), d, n)) # "Serious stuff" e = 3 p = generate_rsa_prime() q = generate_rsa_prime() while (test_primes(p, q, e) != True): p = generate_rsa_prime() q = generate_rsa_prime() pub_key, priv_key = rsa_key_gen(p, q, e) message = b"This is a super S3cr3t message!!!!" m = int.from_bytes(message, byteorder='big') e = pub_key[0] n = pub_key[1] d = priv_key[0] c = rsa_encrypt(m, e, n) decrypted_int = rsa_decrypt(c, d, n) decrypted = int_to_bytes(decrypted_int, order="big") print(decrypted)
# Legitimate server a = randint(0,N) A = pow(g,a,N) query = f"http://127.0.0.1:5000/process?email={I}&A={A}" r = requests.get(query) temp = r.text.split(';') salt = int(temp[0]) B = int(temp[1]) u = int(temp[2]) xH = sha256(struct.pack('<I',salt)+bytearray(P, "ascii")).hexdigest() x = int(xH,16) S = pow(B,a+(u*x),N) K = sha256(int_to_bytes(S)).digest() hmac = HMAC_SHA256(K,struct.pack('<I',salt)) query = f"http://127.0.0.1:5000/verify?email={I}&hmac={hmac}" r = requests.get(query) print ("Response from legitimate server:",r.text) # Fake server query = f"http://127.0.0.1:6666/process?email={I}&A={A}" r = requests.get(query) temp = r.text.split(';') salt = int(temp[0]) B = int(temp[1]) u = int(temp[2])
#Encrypted the message using 3 different public keys encrypted = [] for i in range(3): pub_key = keys[i][0] e = pub_key[0] n = pub_key[1] c = rsa_encrypt(m,e,n) encrypted.append(c) n_0 = keys[0][0][1] n_1 = keys[1][0][1] n_2 = keys[2][0][1] c_0 = encrypted[0] % n_0 c_1 = encrypted[1] % n_1 c_2 = encrypted[2] % n_2 m_s_0 = n_1 * n_2 m_s_1 = n_0 * n_2 m_s_2 = n_0 * n_1 N_012 = n_0 * n_1 * n_2 result = ((c_0 * m_s_0 * modinv(m_s_0, n_0)) + (c_1 * m_s_1 * modinv(m_s_1, n_1)) + (c_2 * m_s_2 * modinv(m_s_2, n_2))) % N_012 a = precise_cube_root(result) print(int_to_bytes(int(a),order="big"))
print("Something went wrong!!!") exit() requests.get("http://127.0.0.1:5000/query") a = randint(0,N) A = pow(g,a,N) query = f"http://127.0.0.1:5000/process?email={I}&A={A}" r = requests.get(query) print (r.text) temp = r.text.split(';') salt = int(temp[0]) B = int(temp[1]) uH = sha256(int_to_bytes(A)+int_to_bytes(B)).hexdigest() u = int(uH,16) xH = sha256(struct.pack('<I',salt)+bytearray(P, "ascii")).hexdigest() x = int(xH,16) temp = pow(g,x,N) S = pow(B-(k*temp),a+(u*x),N) K = sha256(int_to_bytes(S)).digest() hmac = HMAC_SHA256(K,struct.pack('<I',salt)) query = f"http://127.0.0.1:5000/verify?email={I}&hmac={hmac}" r = requests.get(query) print (r.text)