Exemple #1
0
def extract_bits(priv, pub, cipher):
    N = pub[1]
    c2 = rsa.raw_encrypt(pub, 2)
    cipher = (cipher * c2) % N
    
    for _ in range(1024):
        yield oracle(priv, cipher)
        cipher = (cipher * c2) % N
Exemple #2
0
def extract_bits(priv, pub, cipher):
    N = pub[1]
    c2 = rsa.raw_encrypt(pub, 2)
    cipher = (cipher * c2) % N

    for _ in range(1024):
        yield oracle(priv, cipher)
        cipher = (cipher * c2) % N
Exemple #3
0
def bad_pkcs1_verify(pub, sig, msg):
    e, n = pub
    modlen = rsa.byte_len(n)
    mr = rsa.raw_encrypt(pub, sig)
    h = sha1(msg).hexdigest().lower()
    
    mrh = ('%0' + str(modlen * 2) + 'x') % mr
    if match('^0001ff+00' + asn1_sha1_prefix + h, mrh):
        return 'ok'
    else:
        return 'bad signature'
Exemple #4
0
def bad_pkcs1_verify(pub, sig, msg):
    e, n = pub
    modlen = rsa.byte_len(n)
    mr = rsa.raw_encrypt(pub, sig)
    h = sha1(msg).hexdigest().lower()

    mrh = ("%0" + str(modlen * 2) + "x") % mr
    if match("^0001ff+00" + asn1_sha1_prefix + h, mrh):
        return "ok"
    else:
        return "bad signature"
Exemple #5
0
    v = hex(long(i))[2:-1]
    if len(v) & 1: v = '0' + v
    return v.decode('hex')


def extract_bits(priv, pub, cipher):
    N = pub[1]
    c2 = rsa.raw_encrypt(pub, 2)
    cipher = (cipher * c2) % N

    for _ in range(1024):
        yield oracle(priv, cipher)
        cipher = (cipher * c2) % N


if __name__ == '__main__':
    pub, priv = rsa.gen_rsa(1024, rsa.PUBLIC_EXP)
    N = pub[1]
    cipher = rsa.raw_encrypt(pub, plain_i)

    lo, hi = 0, N
    for b in extract_bits(priv, pub, cipher):
        mid = (lo + hi) / 2
        if b == 1:
            lo = mid
        else:
            hi = mid

    # whoops, the last byte is trashed (div accuracy?). nevermind.
    print decode_int(hi)[:-1]
Exemple #6
0
def decode_int(i):
    v = hex(long(i))[2:-1]
    if len(v) & 1: v = '0' + v
    return v.decode('hex')

def extract_bits(priv, pub, cipher):
    N = pub[1]
    c2 = rsa.raw_encrypt(pub, 2)
    cipher = (cipher * c2) % N
    
    for _ in range(1024):
        yield oracle(priv, cipher)
        cipher = (cipher * c2) % N

if __name__ == '__main__':
    pub, priv = rsa.gen_rsa(1024, rsa.PUBLIC_EXP)
    N = pub[1]
    cipher = rsa.raw_encrypt(pub, plain_i)
    
    lo, hi = 0, N
    for b in extract_bits(priv, pub, cipher):
        mid = (lo + hi) / 2
        if b == 1:
            lo = mid
        else:
            hi = mid

    # whoops, the last byte is trashed (div accuracy?). nevermind.
    print decode_int(hi)[:-1]
Exemple #7
0
 def attempt(s):
     return pkcs1_oracle(priv, (c0 * rsa.raw_encrypt(pub, s)) % n)
Exemple #8
0
    topbyte2 = (plain >> (modlen - 16)) & 0xff
    return topbyte == 0x00 and topbyte2 == 0x02


if __name__ == '__main__':
    modsz = int(sys.argv[1])
    pub, priv = rsa.gen_rsa(modsz, 3)
    e, n = pub
    n_bytes = modsz / 8
    B = 2**(8 * (n_bytes - 2))

    pt = 'kick it, CC'.encode('hex')
    pad = 'af' * (n_bytes - 3 - len(pt) / 2)
    msg = '0002' + pad + '00' + pt
    msg = long(msg, 16)
    ct = rsa.raw_encrypt(pub, msg)
    assert pkcs1_oracle(priv, ct)

    # don't need to do blinding here
    i = 1
    M0 = [(2 * B, 3 * B - 1)]
    s0 = 1
    c0 = (ct * rsa.raw_encrypt(pub, s0)) % n

    def attempt(s):
        return pkcs1_oracle(priv, (c0 * rsa.raw_encrypt(pub, s)) % n)

    def ceil_div(a, b):
        return (a + b - 1) // b

    def floor_div(a, b):
Exemple #9
0
import rsa
    
if __name__ == '__main__':
    pub, priv = rsa.gen_rsa(1024, rsa.PUBLIC_EXP)
    m = 0x1235123
    e = rsa.raw_encrypt(pub, m)
    assert rsa.raw_decrypt(priv, e) == m
    print 'ok'
    
Exemple #10
0
 def attempt(s):
     return pkcs1_oracle(priv, (c0 * rsa.raw_encrypt(pub, s)) % n)
Exemple #11
0
    topbyte = (plain >> (modlen - 8)) & 0xff
    topbyte2 = (plain >> (modlen - 16)) & 0xff
    return topbyte == 0x00 and topbyte2 == 0x02

if __name__ == '__main__':
    modsz = int(sys.argv[1])
    pub, priv = rsa.gen_rsa(modsz, 3)
    e, n = pub
    n_bytes = modsz / 8
    B = 2 ** (8 * (n_bytes - 2))

    pt = 'kick it, CC'.encode('hex')
    pad = 'af' * (n_bytes - 3 - len(pt) / 2)
    msg = '0002' + pad + '00' + pt
    msg = long(msg, 16)
    ct = rsa.raw_encrypt(pub, msg)
    assert pkcs1_oracle(priv, ct)

    # don't need to do blinding here
    i = 1
    M0 = [(2 * B, 3 * B - 1)]
    s0 = 1
    c0 = (ct * rsa.raw_encrypt(pub, s0)) % n

    def attempt(s):
        return pkcs1_oracle(priv, (c0 * rsa.raw_encrypt(pub, s)) % n)

    def ceil_div(a, b):
        return (a + b - 1) // b

    def floor_div(a, b):
Exemple #12
0
import random

ciphers = []


def decrypt_once(priv, ct):
    global ciphers

    if ct in ciphers:
        return None
    ciphers.append(ct)

    return rsa.raw_decrypt(priv, ct)


if __name__ == "__main__":
    pub, priv = rsa.gen_rsa(1024, rsa.PUBLIC_EXP)
    m = 0x12351234

    ct = rsa.raw_encrypt(pub, m)
    assert decrypt_once(priv, ct) == m
    assert decrypt_once(priv, ct) is None

    N = pub[1]
    S = random.randrange(1, N)
    S_ct = rsa.raw_encrypt(pub, S)
    S_pt = decrypt_once(priv, (S_ct * ct) % N)
    S_inv = rsa.invmod(S, N)
    assert (S_inv * S_pt) % N == m
    print "ok"
Exemple #13
0
import rsa
import random

ciphers = []

def decrypt_once(priv, ct):
    global ciphers
    
    if ct in ciphers:
        return None
    ciphers.append(ct)
    
    return rsa.raw_decrypt(priv, ct)

if __name__ == '__main__':
    pub, priv = rsa.gen_rsa(1024, rsa.PUBLIC_EXP)
    m = 0x12351234
    
    ct = rsa.raw_encrypt(pub, m)
    assert decrypt_once(priv, ct) == m
    assert decrypt_once(priv, ct) is None
    
    N = pub[1]
    S = random.randrange(1, N)
    S_ct = rsa.raw_encrypt(pub, S)
    S_pt = decrypt_once(priv, (S_ct * ct) % N)
    S_inv = rsa.invmod(S, N)
    assert (S_inv * S_pt) % N == m
    print 'ok'