def extract_bits(priv, pub, cipher):
    """Yield 1024 oracle answers for successively doubled plaintexts.

    Every step multiplies the running ciphertext by the raw encryption of 2
    modulo N and yields whatever ``oracle(priv, ciphertext)`` returns for it.
    Raw RSA is multiplicative, so each multiplication doubles the hidden
    plaintext modulo N.

    The number of steps is fixed at 1024; it is not derived from the modulus.
    ``rsa`` and ``oracle`` are defined outside this function. Presumably the
    oracle reports one bit (the parity) of the decrypted value -- confirm
    against its definition.

    NOTE(review): this is a demonstration that a service leaking even one bit
    of a raw RSA decryption per request leaks the whole message. Real
    decryption endpoints must use a padded scheme and return nothing derived
    from the plaintext on failure.
    """
    modulus = pub[1]
    enc_two = rsa.raw_encrypt(pub, 2)
    current = cipher
    remaining = 1024
    while remaining:
        # Double the hidden plaintext before each query.
        current = (current * enc_two) % modulus
        yield oracle(priv, current)
        remaining -= 1
def bad_pkcs1_verify(pub, sig, msg):
    """Check ``sig`` over ``msg`` with a deliberately lax PKCS#1 v1.5 test.

    The signature is raised to the public exponent, rendered as a hex string
    zero-padded to the modulus width, and matched against
    ``0001 ff.. 00 <asn1_sha1_prefix> <sha1(msg)>``.

    Why this is "bad" and must not be copied into real code: the pattern has
    no end anchor, so anything that follows the digest is ignored, and
    ``ff+`` accepts any non-zero number of padding bytes instead of the
    exact count the modulus length requires. A sound verifier builds the
    complete expected encoded block for the modulus length and compares it
    with the recovered value in full.

    ``match`` is presumably ``re.match`` and ``asn1_sha1_prefix`` presumably a
    hex string -- both are defined outside this function; confirm there.

    Returns the string 'ok' on a match, otherwise 'bad signature'.
    """
    _, n = pub
    modlen = rsa.byte_len(n)
    recovered = rsa.raw_encrypt(pub, sig)
    digest_hex = sha1(msg).hexdigest().lower()
    # Pad to two hex digits per modulus byte so the leading 00 stays visible.
    hex_format = '%0' + str(modlen * 2) + 'x'
    recovered_hex = hex_format % recovered
    pattern = '^0001ff+00' + asn1_sha1_prefix + digest_hex
    if not match(pattern, recovered_hex):
        return 'bad signature'
    return 'ok'
def bad_pkcs1_verify(pub, sig, msg):
    """Intentionally weak PKCS#1 v1.5 / SHA-1 signature check.

    Computes ``sig`` raised to the public exponent, formats it as hex padded
    to twice the modulus byte length, and tests it against the pattern
    ``^0001ff+00`` followed by ``asn1_sha1_prefix`` and the SHA-1 hex digest
    of ``msg``.

    The weakness is in the pattern: it is not anchored at the end, so bytes
    after the digest are never inspected, and the run of ``ff`` padding is
    not tied to the modulus length. Production verification should re-encode
    the expected block at full length and compare the whole value.

    ``match`` (presumably ``re.match``) and ``asn1_sha1_prefix`` come from
    outside this function -- confirm their definitions.

    Returns "ok" when the pattern matches, else "bad signature".
    """
    _unused_exponent, n = pub
    width = rsa.byte_len(n) * 2
    mr = rsa.raw_encrypt(pub, sig)
    h = sha1(msg).hexdigest().lower()
    # Zero-padded hex of the recovered block, two digits per modulus byte.
    mrh = ("%0" + str(width) + "x") % mr
    accepted = match("^0001ff+00" + asn1_sha1_prefix + h, mrh)
    return "ok" if accepted else "bad signature"
# Excerpt begins inside a function whose `def` line is not part of this
# excerpt (the __main__ block below calls it as decode_int).
    v = hex(long(i))[2:-1]  # Python 2: drop the '0x' prefix and trailing 'L'
    if len(v) & 1:
        v = '0' + v  # hex decoding needs an even number of digits
    return v.decode('hex')


def extract_bits(priv, pub, cipher):
    """Yield 1024 oracle answers for successively doubled plaintexts.

    The running ciphertext is multiplied by the raw encryption of 2 modulo N
    before each query, which doubles the hidden plaintext modulo N. ``rsa``
    and ``oracle`` are defined outside this excerpt; presumably the oracle
    returns the parity bit of the decrypted value -- confirm there.
    """
    N = pub[1]
    c2 = rsa.raw_encrypt(pub, 2)
    cipher = (cipher * c2) % N
    for _ in range(1024):  # fixed step count, not derived from N
        yield oracle(priv, cipher)
        cipher = (cipher * c2) % N


if __name__ == '__main__':
    # Self-contained demonstration against a locally generated key pair.
    # It shows why a decryption service must not reveal anything derived from
    # a raw RSA plaintext: one bit per query is enough to bracket the message.
    pub, priv = rsa.gen_rsa(1024, rsa.PUBLIC_EXP)
    N = pub[1]
    cipher = rsa.raw_encrypt(pub, plain_i)  # plain_i is defined outside this excerpt
    lo, hi = 0, N  # interval that brackets the plaintext
    for b in extract_bits(priv, pub, cipher):
        mid = (lo + hi) / 2  # Python 2 integer (floor) division
        if b == 1:
            lo = mid
        else:
            hi = mid
    # whoops, the last byte is trashed (div accuracy?). nevermind.
    # NOTE(review): likely the repeated floor division above; the final byte
    # is simply dropped before printing.
    print decode_int(hi)[:-1]
def decode_int(i):
    """Return the big-endian byte string for integer ``i`` (Python 2 only).

    Relies on ``hex(long(i))`` producing ``0x...L`` so that ``[2:-1]`` leaves
    just the hex digits; intended for non-negative values.
    """
    digits = hex(long(i))[2:-1]
    if len(digits) % 2:
        # Hex decoding needs whole bytes, so pad to an even digit count.
        digits = '0' + digits
    return digits.decode('hex')


def extract_bits(priv, pub, cipher):
    """Yield 1024 oracle answers for successively doubled plaintexts.

    Before each query the running ciphertext is multiplied by the raw
    encryption of 2 modulo N, doubling the hidden plaintext modulo N.
    ``rsa`` and ``oracle`` are defined outside this listing; presumably the
    oracle returns the parity bit of the decrypted value -- confirm there.
    """
    modulus = pub[1]
    enc_two = rsa.raw_encrypt(pub, 2)
    current = cipher
    remaining = 1024  # fixed step count, not derived from the modulus
    while remaining:
        current = (current * enc_two) % modulus
        yield oracle(priv, current)
        remaining -= 1


if __name__ == '__main__':
    # Demonstration against a locally generated key pair: a decryption
    # service that reveals one bit of the raw plaintext per request lets the
    # caller bracket the whole message. Padded schemes with uniform failure
    # behaviour exist to close exactly this kind of leak.
    pub, priv = rsa.gen_rsa(1024, rsa.PUBLIC_EXP)
    N = pub[1]
    target_ct = rsa.raw_encrypt(pub, plain_i)  # plain_i comes from outside this listing
    lower, upper = 0, N
    for bit in extract_bits(priv, pub, target_ct):
        midpoint = (lower + upper) / 2  # Python 2 integer (floor) division
        lower, upper = (midpoint, upper) if bit == 1 else (lower, midpoint)
    # The final byte comes out wrong (the author suspects division accuracy),
    # so it is dropped before printing.
    print decode_int(upper)[:-1]
def attempt(s):
    """Return the padding oracle's verdict for ``c0`` scaled by ``s``.

    ``c0`` is multiplied modulo ``n`` by the raw encryption of ``s`` and the
    product is handed to ``pkcs1_oracle``. ``c0``, ``n``, ``pub``, ``priv``,
    ``rsa`` and ``pkcs1_oracle`` all come from the enclosing scope.

    NOTE(review): the value returned here is exactly what a hardened
    decryption service must not expose -- whether a chosen ciphertext
    decrypts to a correctly padded block.
    """
    scaled = rsa.raw_encrypt(pub, s)
    candidate = (c0 * scaled) % n
    return pkcs1_oracle(priv, candidate)
topbyte2 = (plain >> (modlen - 16)) & 0xff return topbyte == 0x00 and topbyte2 == 0x02 if __name__ == '__main__': modsz = int(sys.argv[1]) pub, priv = rsa.gen_rsa(modsz, 3) e, n = pub n_bytes = modsz / 8 B = 2**(8 * (n_bytes - 2)) pt = 'kick it, CC'.encode('hex') pad = 'af' * (n_bytes - 3 - len(pt) / 2) msg = '0002' + pad + '00' + pt msg = long(msg, 16) ct = rsa.raw_encrypt(pub, msg) assert pkcs1_oracle(priv, ct) # don't need to do blinding here i = 1 M0 = [(2 * B, 3 * B - 1)] s0 = 1 c0 = (ct * rsa.raw_encrypt(pub, s0)) % n def attempt(s): return pkcs1_oracle(priv, (c0 * rsa.raw_encrypt(pub, s)) % n) def ceil_div(a, b): return (a + b - 1) // b def floor_div(a, b):
import rsa

if __name__ == '__main__':
    # Round-trip self-test: a raw (unpadded) encryption followed by a raw
    # decryption under a freshly generated 1024-bit key must return the
    # original integer. Raw RSA is used here only to exercise the primitive.
    pub, priv = rsa.gen_rsa(1024, rsa.PUBLIC_EXP)
    message = 0x1235123
    ciphertext = rsa.raw_encrypt(pub, message)
    recovered = rsa.raw_decrypt(priv, ciphertext)
    assert recovered == message
    print 'ok'
topbyte = (plain >> (modlen - 8)) & 0xff topbyte2 = (plain >> (modlen - 16)) & 0xff return topbyte == 0x00 and topbyte2 == 0x02 if __name__ == '__main__': modsz = int(sys.argv[1]) pub, priv = rsa.gen_rsa(modsz, 3) e, n = pub n_bytes = modsz / 8 B = 2 ** (8 * (n_bytes - 2)) pt = 'kick it, CC'.encode('hex') pad = 'af' * (n_bytes - 3 - len(pt) / 2) msg = '0002' + pad + '00' + pt msg = long(msg, 16) ct = rsa.raw_encrypt(pub, msg) assert pkcs1_oracle(priv, ct) # don't need to do blinding here i = 1 M0 = [(2 * B, 3 * B - 1)] s0 = 1 c0 = (ct * rsa.raw_encrypt(pub, s0)) % n def attempt(s): return pkcs1_oracle(priv, (c0 * rsa.raw_encrypt(pub, s)) % n) def ceil_div(a, b): return (a + b - 1) // b def floor_div(a, b):
import random

# Every ciphertext value that decrypt_once has already been asked about.
ciphers = []


def decrypt_once(priv, ct):
    """Raw-decrypt ``ct`` unless this exact ciphertext was submitted before.

    Returns the decrypted integer the first time a value is seen and None on
    any repeat. The check compares ciphertext values only.

    NOTE(review): the __main__ block below shows why that check is not a
    defence for unpadded RSA -- a ciphertext multiplied by the encryption of
    a known factor is a different value, passes the filter, and the original
    message follows from the answer. Do not expose raw RSA decryption.
    """
    if ct not in ciphers:
        ciphers.append(ct)
        return rsa.raw_decrypt(priv, ct)
    return None


if __name__ == "__main__":
    pub, priv = rsa.gen_rsa(1024, rsa.PUBLIC_EXP)
    message = 0x12351234
    original_ct = rsa.raw_encrypt(pub, message)

    # First submission decrypts; the identical resubmission is refused.
    assert decrypt_once(priv, original_ct) == message
    assert decrypt_once(priv, original_ct) is None

    # A ciphertext scaled by the encryption of a random factor is accepted
    # as new, and dividing the factor out of the answer gives the message.
    modulus = pub[1]
    factor = random.randrange(1, modulus)
    factor_ct = rsa.raw_encrypt(pub, factor)
    scaled_pt = decrypt_once(priv, (factor_ct * original_ct) % modulus)
    factor_inv = rsa.invmod(factor, modulus)
    assert (factor_inv * scaled_pt) % modulus == message
    print "ok"
import rsa
import random

# Ciphertext values already submitted to decrypt_once.
ciphers = []


def decrypt_once(priv, ct):
    """Return the raw decryption of ``ct``, or None if ``ct`` was seen before.

    Each new ciphertext value is recorded in the module-level ``ciphers``
    list before it is decrypted. Only exact repeats are refused.

    NOTE(review): exact-match replay filtering does not protect unpadded
    RSA. The __main__ block demonstrates that a related ciphertext (the
    original times the encryption of a known factor) is treated as new and
    its decryption reveals the original message. The remedy is a padded
    scheme, not a stricter filter.
    """
    already_seen = ct in ciphers
    if already_seen:
        return None
    ciphers.append(ct)
    return rsa.raw_decrypt(priv, ct)


if __name__ == '__main__':
    pub, priv = rsa.gen_rsa(1024, rsa.PUBLIC_EXP)
    secret = 0x12351234
    secret_ct = rsa.raw_encrypt(pub, secret)

    # The same ciphertext decrypts once and is rejected the second time.
    assert decrypt_once(priv, secret_ct) == secret
    assert decrypt_once(priv, secret_ct) is None

    # Scaling by the encryption of a random value yields a ciphertext the
    # filter has never seen; removing the factor recovers the message.
    N = pub[1]
    blind = random.randrange(1, N)
    blind_ct = rsa.raw_encrypt(pub, blind)
    blinded_pt = decrypt_once(priv, (blind_ct * secret_ct) % N)
    blind_inv = rsa.invmod(blind, N)
    assert (blind_inv * blinded_pt) % N == secret
    print 'ok'