def generate_c(bits, randfunc, progress_func = None):
# Generate the prime factors of n
if progress_func:
progress_func('p,q\n')
p = q = 1L
while number.size(p*q) < bits:
p = pubkey.getPrime(bits/2, randfunc)
q = pubkey.getPrime(bits/2, randfunc)
# p shall be smaller than q (for calc of u)
if p > q:
(p, q)=(q, p)
if progress_func:
progress_func('u\n')
u=pubkey.inverse(p, q)
n=p*q
e = 65537L
if progress_func:
progress_func('d\n')
d=pubkey.inverse(e, (p-1)*(q-1))
key = _fastmath.rsa_construct(n,e,d,p,q,u)
obj = RSAobj_c(key)
## print p
## print q
## print number.size(p), number.size(q), number.size(q*p),
## print obj.size(), bits
assert bits <= 1+obj.size(), "Generated key is too small"
return obj
def generate_c(bits, randfunc, progress_func=None):
# Generate the prime factors of n
if progress_func:
progress_func('p,q\n')
p = q = 1L
while number.size(p * q) < bits:
p = pubkey.getPrime(bits / 2, randfunc)
q = pubkey.getPrime(bits / 2, randfunc)
# p shall be smaller than q (for calc of u)
if p > q:
(p, q) = (q, p)
if progress_func:
progress_func('u\n')
u = pubkey.inverse(p, q)
n = p * q
e = 65537L
if progress_func:
progress_func('d\n')
d = pubkey.inverse(e, (p - 1) * (q - 1))
key = _fastmath.rsa_construct(n, e, d, p, q, u)
obj = RSAobj_c(key)
## print p
## print q
## print number.size(p), number.size(q), number.size(q*p),
## print obj.size(), bits
assert bits <= 1 + obj.size(), "Generated key is too small"
return obj
def _attack_single(self,hA,sigA,hB,sigB,q=None):
q = q or self.pubkey.q
rA,sA=sigA
rB,sB=sigB
k = (hA - hB)* inverse(sA -sB,q) %q
x = ((k*sA-hA)* inverse( rA,q) )% q
return k,x
def _attack_single(self,hA,sigA,hB,sigB,q=None):
q = q or self.pubkey.q
rA,sA=sigA
rB,sB=sigB
k = (hA - hB)* inverse(sA -sB,q) %q
x = ((k*sA-hA)* inverse( rA,q) )% q
return k,x
def recover_nonce_reuse(self, other):
assert (self.pubkey.q == other.pubkey.q)
assert (self.sig.r == other.sig.r) # reused *k* implies same *r*
self.k = (self.h - other.h) * inverse(self.sig.s - other.sig.s,
self.pubkey.q) % self.pubkey.q
self.x = ((self.k * self.sig.s - self.h) *
inverse(self.sig.r, self.pubkey.q)) % self.pubkey.q
# other.k, other.x = self.k, self.x # update other object as well?
return self
def generate_py(bits, randfunc, progress_func=None):
"""generate(bits:int, randfunc:callable, progress_func:callable)
Generate an RSA key of length 'bits', using 'randfunc' to get
random data and 'progress_func', if present, to display
the progress of the key generation.
"""
obj=RSAobj()
obj.e = 65537L
# Generate the prime factors of n
if progress_func:
progress_func('p,q\n')
p = q = 1L
while number.size(p*q) < bits:
# Note that q might be one bit longer than p if somebody specifies an odd
# number of bits for the key. (Why would anyone do that? You don't get
# more security.)
#
# Note also that we ensure that e is coprime to (p-1) and (q-1).
# This is needed for encryption to work properly, according to the 1997
# paper by Robert D. Silverman of RSA Labs, "Fast generation of random,
# strong RSA primes", available at
# http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.17.2713&rep=rep1&type=pdf
# Since e=65537 is prime, it is sufficient to check that e divides
# neither (p-1) nor (q-1).
p = 1L
while (p - 1) % obj.e == 0:
if progress_func:
progress_func('p\n')
p = pubkey.getPrime(bits/2, randfunc)
q = 1L
while (q - 1) % obj.e == 0:
if progress_func:
progress_func('q\n')
q = pubkey.getPrime(bits - (bits/2), randfunc)
# p shall be smaller than q (for calc of u)
if p > q:
(p, q)=(q, p)
obj.p = p
obj.q = q
if progress_func:
progress_func('u\n')
obj.u = pubkey.inverse(obj.p, obj.q)
obj.n = obj.p*obj.q
if progress_func:
progress_func('d\n')
obj.d=pubkey.inverse(obj.e, (obj.p-1)*(obj.q-1))
assert bits <= 1+obj.size(), "Generated key is too small"
return obj
def make_private_key(public_config, private_config):
'''
Args:
public_config (dict): Contains public modulus p, q
private_config (dict): Contains private exponent e
Returns:
An RSA key object (`_RSAobj`).
'''
# public key contains public modulus
# in production, use a local public key file
p = long(public_config['encryption']['p'])
q = long(public_config['encryption']['q'])
# private key contains private exponent
e = long(private_config['encryption']['e'])
# Enforce constraint that p must be bigger.
# http://crypto.stackexchange.com/questions/18084/in-rsa-why-does-p-have-to-be-bigger-than-q-where-n-p-times-q
if p < q:
p, q = q, p
# in practice, not needed
n = p * q
phi = (p - 1) * (q - 1)
d = pubkey.inverse(e, phi)
rsaInit = (n, e, d, p, q)
# rsaInit = (n, e, d)
# print "n {}, e {}, d {}, p {}, q {}".format(n, e, d, p, q)
return RSA.construct(rsaInit)
def main():
# collect a few public keys
keys = []
flags = []
for i in range(20):
conn = remote(HOST, PORT)
conn.recvuntil("key:\n")
keystr = conn.recvuntil("And here", drop=True)
key = RSA.importKey(keystr)
keys.append(key)
conn.recvuntil(":)\n")
flagstr = conn.recvline().strip()
flag = binascii.unhexlify(flagstr)
flags.append(flag)
conn.close()
# Try to find two n's with a common GCD
nums = [k.n for k in keys]
i, j, gcd = find_common_gcd(nums)
log.info("Found GCD! gcd({:d}, {:d}) = {:d}".format(i, j, gcd))
p = gcd
q = keys[i].n / gcd
d = pubkey.inverse(65537, (p - 1) * (q - 1))
privkey = RSA.construct((keys[i].n, 65537L, d))
cipher = PKCS1_OAEP.new(privkey)
flag = cipher.decrypt(flags[i])
log.success("Flag: {:s}".format(flag))
def generate_py(bits, randfunc, progress_func=None, e=65537):
"""generate(bits:int, randfunc:callable, progress_func:callable, e:int)
Generate an RSA key of length 'bits', public exponent 'e'(which must be
odd), using 'randfunc' to get random data and 'progress_func',
if present, to display the progress of the key generation.
"""
obj=RSAobj()
obj.e = long(e)
# Generate the prime factors of n
if progress_func:
progress_func('p,q\n')
p = q = 1L
while number.size(p*q) < bits:
# Note that q might be one bit longer than p if somebody specifies an odd
# number of bits for the key. (Why would anyone do that? You don't get
# more security.)
p = pubkey.getStrongPrime(bits>>1, obj.e, 1e-12, randfunc)
q = pubkey.getStrongPrime(bits - (bits>>1), obj.e, 1e-12, randfunc)
# It's OK for p to be larger than q, but let's be
# kind to the function that will invert it for
# th calculation of u.
if p > q:
(p, q)=(q, p)
obj.p = p
obj.q = q
if progress_func:
progress_func('u\n')
obj.u = pubkey.inverse(obj.p, obj.q)
obj.n = obj.p*obj.q
if progress_func:
progress_func('d\n')
obj.d=pubkey.inverse(obj.e, (obj.p-1)*(obj.q-1))
assert bits <= 1+obj.size(), "Generated key is too small"
return obj
def generate_py(bits, randfunc, progress_func=None, e=65537):
"""generate(bits:int, randfunc:callable, progress_func:callable, e:int)
Generate an RSA key of length 'bits', public exponent 'e'(which must be
odd), using 'randfunc' to get random data and 'progress_func',
if present, to display the progress of the key generation.
"""
obj=RSAobj()
obj.e = long(e)
# Generate the prime factors of n
if progress_func:
progress_func('p,q\n')
p = q = 1L
while number.size(p*q) < bits:
# Note that q might be one bit longer than p if somebody specifies an odd
# number of bits for the key. (Why would anyone do that? You don't get
# more security.)
p = pubkey.getStrongPrime(bits>>1, obj.e, 1e-12, randfunc)
q = pubkey.getStrongPrime(bits - (bits>>1), obj.e, 1e-12, randfunc)
# It's OK for p to be larger than q, but let's be
# kind to the function that will invert it for
# th calculation of u.
if p > q:
(p, q)=(q, p)
obj.p = p
obj.q = q
if progress_func:
progress_func('u\n')
obj.u = pubkey.inverse(obj.p, obj.q)
obj.n = obj.p*obj.q
if progress_func:
progress_func('d\n')
obj.d=pubkey.inverse(obj.e, (obj.p-1)*(obj.q-1))
assert bits <= 1+obj.size(), "Generated key is too small"
return obj
def generate_py(bits, randfunc, progress_func=None):
"""generate(bits:int, randfunc:callable, progress_func:callable)
Generate an RSA key of length 'bits', using 'randfunc' to get
random data and 'progress_func', if present, to display
the progress of the key generation.
"""
obj=RSAobj()
# Generate the prime factors of n
if progress_func:
progress_func('p,q\n')
p = q = 1L
while number.size(p*q) < bits:
# Note that q might be one bit longer than p if somebody specifies an odd
# number of bits for the key. (Why would anyone do that? You don't get
# more security.)
p = pubkey.getPrime(bits/2, randfunc)
q = pubkey.getPrime(bits - (bits/2), randfunc)
# p shall be smaller than q (for calc of u)
if p > q:
(p, q)=(q, p)
obj.p = p
obj.q = q
if progress_func:
progress_func('u\n')
obj.u = pubkey.inverse(obj.p, obj.q)
obj.n = obj.p*obj.q
obj.e = 65537L
if progress_func:
progress_func('d\n')
obj.d=pubkey.inverse(obj.e, (obj.p-1)*(obj.q-1))
assert bits <= 1+obj.size(), "Generated key is too small"
return obj
def generate_py(bits, randfunc, progress_func=None, e=65537):
obj = RSAobj()
obj.e = long(e)
if progress_func:
progress_func('p,q\n')
p = q = 1L
while number.size(p * q) < bits:
p = pubkey.getStrongPrime(bits >> 1, obj.e, 1e-12, randfunc)
q = pubkey.getStrongPrime(bits - (bits >> 1), obj.e, 1e-12, randfunc)
if p > q:
p, q = q, p
obj.p = p
obj.q = q
if progress_func:
progress_func('u\n')
obj.u = pubkey.inverse(obj.p, obj.q)
obj.n = obj.p * obj.q
if progress_func:
progress_func('d\n')
obj.d = pubkey.inverse(obj.e, (obj.p - 1) * (obj.q - 1))
return obj
def generate_py(bits, randfunc, progress_func=None):
"""generate(bits:int, randfunc:callable, progress_func:callable)
Generate an RSA key of length 'bits', using 'randfunc' to get
random data and 'progress_func', if present, to display
the progress of the key generation.
"""
obj = RSAobj()
obj.e = 65537L
# Generate the prime factors of n
if progress_func:
progress_func('p,q\n')
p = q = 1L
while number.size(p * q) < bits:
# Note that q might be one bit longer than p if somebody specifies an odd
# number of bits for the key. (Why would anyone do that? You don't get
# more security.)
p = pubkey.getStrongPrime(bits >> 1, obj.e, 1e-12, randfunc)
q = pubkey.getStrongPrime(bits - (bits >> 1), obj.e, 1e-12, randfunc)
# p shall be smaller than q (for calc of u)
if p > q:
(p, q) = (q, p)
obj.p = p
obj.q = q
if progress_func:
progress_func('u\n')
obj.u = pubkey.inverse(obj.p, obj.q)
obj.n = obj.p * obj.q
if progress_func:
progress_func('d\n')
obj.d = pubkey.inverse(obj.e, (obj.p - 1) * (obj.q - 1))
assert bits <= 1 + obj.size(), "Generated key is too small"
return obj
def _attack(self,samples,q=None):
'''
samples = r,s,long(hash)
'''
q = q or self.pubkey.q
rA,sA,hA = samples[0]
k_h_diff = hA
k_s_diff = sA
first = True
for r,s,hash in samples:
if first:
first=False
continue #skip first one due to autofill
k_h_diff -=hash
k_s_diff -=s
k = (k_h_diff)* inverse(k_s_diff,q) %q
x = ((k*sA-hA)* inverse( rA,q) )% q
LOG.debug("privkey reconstructed: k=%s; x=%s;"%(k,x))
return k,x
def _attack(self,samples,q=None):
'''
samples = r,s,long(hash)
'''
q = q or self.pubkey.q
rA,sA,hA = samples[0]
k_h_diff = hA
k_s_diff = sA
first = True
for r,s,hash in samples:
if first:
first=False
continue #skip first one due to autofill
k_h_diff -=hash
k_s_diff -=s
k = (k_h_diff)* inverse(k_s_diff,q) %q
x = ((k*sA-hA)* inverse( rA,q) )% q
LOG.debug("privkey reconstructed: k=%s; x=%s;"%(k,x))
return k,x
def generate(bits, randfunc, progress_func=None):
"""generate(bits:int, randfunc:callable, progress_func:callable)
Generate an RSA key of length 'bits', using 'randfunc' to get
random data and 'progress_func', if present, to display
the progress of the key generation.
"""
obj=RSAobj()
# Generate the prime factors of n
if progress_func:
progress_func('p,q\n')
p = q = 1L
while number.size(p*q) < bits:
p = pubkey.getPrime(bits/2, randfunc)
q = pubkey.getPrime(bits/2, randfunc)
# p shall be smaller than q (for calc of u)
if p > q:
(p, q)=(q, p)
obj.p = p
obj.q = q
if progress_func:
progress_func('u\n')
obj.u = pubkey.inverse(obj.p, obj.q)
obj.n = obj.p*obj.q
obj.e = 65537L
if progress_func:
progress_func('d\n')
obj.d=pubkey.inverse(obj.e, (obj.p-1)*(obj.q-1))
assert bits <= 1+obj.size(), "Generated key is too small"
return obj
def generate(bits, randfunc, progress_func=None):
"""generate(bits:int, randfunc:callable, progress_func:callable)
Generate an RSA key of length 'bits', using 'randfunc' to get
random data and 'progress_func', if present, to display
the progress of the key generation.
"""
obj = RSAobj()
# Generate the prime factors of n
if progress_func:
progress_func('p,q\n')
p = q = 1L
while number.size(p * q) < bits:
p = pubkey.getPrime(bits / 2, randfunc)
q = pubkey.getPrime(bits / 2, randfunc)
# p shall be smaller than q (for calc of u)
if p > q:
(p, q) = (q, p)
obj.p = p
obj.q = q
if progress_func:
progress_func('u\n')
obj.u = pubkey.inverse(obj.p, obj.q)
obj.n = obj.p * obj.q
obj.e = 65537L
if progress_func:
progress_func('d\n')
obj.d = pubkey.inverse(obj.e, (obj.p - 1) * (obj.q - 1))
assert bits <= 1 + obj.size(), "Generated key is too small"
return obj
def handle(self):
print("[*] Connection from {:s}:{:d}".format(*self.client_address))
e = 65537
p, q = random.sample(PRIMES, 2)
n = p * q
d = pubkey.inverse(e, (p - 1) * (q - 1))
public = RSA.construct((n, e))
privkey = RSA.construct((n, e, d))
cipher = PKCS1_OAEP.new(privkey)
self.request.sendall(b"Here's your public key:\n")
self.request.sendall(public.exportKey() + b"\n")
self.request.sendall(b"And here's the flag! :)\n")
with open("flag.txt", "rb") as f:
flag = f.read()
ct = cipher.encrypt(flag)
self.request.sendall(binascii.hexlify(ct) + b"\n")
def generateKey(self, key_size, pq=None):
if pq is None:
p = getStrongPrime(key_size)
q = getStrongPrime(key_size)
else:
p, q = pq
n = p * q
while True:
# Keep trying random numbers for e until one is valid.
e = random.randrange(2**(key_size - 1), 2**key_size)
if pubkey.GCD(e, (p - 1) * (q - 1)) == 1:
break
d = pubkey.inverse(e, (p - 1) * (q - 1))
self.n = n
self.e = e
self.d = d
self.pq = (p, q)
def _brute_k(self,sample,p=None,q=None,g=None,maxTries=None):
'''
sample = (r,s,h(m))
'''
# 1 < k < q
p = p or self.pubkey.p
q = q or self.pubkey.q
g = g or self.pubkey.g
r,s,h = sample
k= 2
while k< q-1:
if maxTries and k >= maxTries+2:
break
# calc r = g^k mod p mod q
if r == pow(g,k,p)%q:
x = ((k*s-h)* inverse( r,q) )% q
return k,x
k+=1 #next k
raise Exception("Max tries reached! - %d/%d"%(k-2,maxTries))
def _brute_k(self,sample,p=None,q=None,g=None,maxTries=None):
'''
sample = (r,s,h(m))
'''
# 1 < k < q
p = p or self.pubkey.p
q = q or self.pubkey.q
g = g or self.pubkey.g
r,s,h = sample
k= 2
while k< q-1:
if maxTries and k >= maxTries+2:
break
# calc r = g^k mod p mod q
if r == pow(g,k,p)%q:
x = ((k*s-h)* inverse( r,q) )% q
return k,x
k+=1 #next k
raise Exception("Max tries reached! - %d/%d"%(k-2,maxTries))
def construct(tuple):
"""construct(tuple:(long,) : RSAobj
Construct an RSA object from a 2-, 3-, 5-, or 6-tuple of numbers.
"""
obj=RSAobj()
if len(tuple) not in [2,3,5,6]:
raise error, 'argument for construct() wrong length'
for i in range(len(tuple)):
field = obj.keydata[i]
setattr(obj, field, tuple[i])
if len(tuple) >= 5:
# Ensure p is smaller than q
if obj.p>obj.q:
(obj.p, obj.q)=(obj.q, obj.p)
if len(tuple) == 5:
# u not supplied, so we're going to have to compute it.
obj.u=pubkey.inverse(obj.p, obj.q)
return obj
def construct(tuple):
"""construct(tuple:(long,) : RSAobj
Construct an RSA object from a 2-, 3-, 5-, or 6-tuple of numbers.
"""
obj = RSAobj()
if len(tuple) not in [2, 3, 5, 6]:
raise error, 'argument for construct() wrong length'
for i in range(len(tuple)):
field = obj.keydata[i]
setattr(obj, field, tuple[i])
if len(tuple) >= 5:
# Ensure p is smaller than q
if obj.p > obj.q:
(obj.p, obj.q) = (obj.q, obj.p)
if len(tuple) == 5:
# u not supplied, so we're going to have to compute it.
obj.u = pubkey.inverse(obj.p, obj.q)
return obj
p = int('df633b7301871415bef5017d0c0910c7072222433a309d69ffd012f9d3e208e4d31ebdfd0aa30dfb4a7d13ef7832d363d855e2169df89e60acbfc4137a59c3945eb494650913b6087f2e2700eb3b4294eb4377e9cea6d35ddf232519624cc3bd1e7e534aa9379ded37ff6ddff10758124250e3e5a40a1f789f2c0cc16cb96e0f5261b98b01689dbad6f62842a6c3365fcf25fd3def7baad7bfd99bd70dbe067a5b2af7737caba77787537f1c406338b1c3b86c3875563a03024156bf92a6c770010c63e123a0b2b4661970bf522034ea1e376406c5194c5bb82d1c69d77dcca4b8e04d4a347fcc5bd8c91504458c0eb086a0bf10fa7cc8caa11af2e22f32d06f', 16)
q = int('9f3710274717b060dee9fef0aaf01572e9cc53ba6ac10492bd5446bb41a248a9',16)
g = int('93b411063c7d3b82189c7ea2624be9087a6e40e79020801367a9bc13012630ae2778244492cca9cd86a07dee31163713a2623f3c418b19e7e8fb3ba5e2db359cc6e5efa1c35c37a16bb2dbfe7c8b6bb123bd26a8f299acdd5c6886748d3db1ffa5ce439571de7efac3482ebf5b4a45324963d99506af9e210988c0a26c443659172df05e094572421ca1c5005f4a1650081c532663dd0e5812f4b8ea43f6cdca317755aac3c3f63754be18c0063b919a7a547cb04d44dba2f67154339eaddfadbd8398c94ba5565d7a2d07c1d20e39befee427346e630f5f72176444fed7d8314ca7c472261f8311974da2ddcafab1ee63c6c7377e7592161e1d31b32abaa3bd', 16)
y =20636836524380396244196072696577569262126621637693518417515831389588156010110727694179220341766312812167934840038173702512714672935256591366304513258964123770331403988242338829851121917054712366378000466271493525015744412519308988145299857577333546970037261427973290256403898499766279180979277265983341722384272524689611144938145070671581385845523894185215290296247151150557881827136342152143825772770126693742120775894397288900938364960208586264826886039992581043142765638948169372930513082826136892625732961853419727731657648155505907704183872630951714970690302024937399383304248276584035831599631104415986634886780
'''
DEBUG:DSAregenK:privkey reconstructed:
k=25768127004975721051099847404129291547143434939937043331286111399159730732336;
x=66982082206795733973204253209195163373920331769528646357832825612336892590101;
'''
k = 25768127004975721051099847404129291547143434939937043331286111399159730732336
x = 66982082206795733973204253209195163373920331769528646357832825612336892590101
# https://github.com/zydeon/DSA/blob/master/DSA.py
k_ = inverse(k,q)
def calculate_s(x, r, q, z, k_):
return (k_*(z+x*r)) % q
filename = sys.argv[1]
with file(filename) as f:
m = f.read()
name_of_game = m[6:262]
game = m[796:]
print 'Signature of', name_of_game, ':'
try:
# r = g^k mod p mod q
# s = k-1 (H(m) + x*r) mod q
# ============================================================
LOG.debug("---- Verify by r ----")
k = input("Insert k from output message: ")
verify_r = pow(priv_key.g,k,priv_key.p) % priv_key.q
LOG.debug("Calculated r: %s"%verify_r)
h, (r,s) = mA
LOG.debug("Inserted r: %s"%r)
if verify_r == r :
LOG.info("Verified! Successfully reconstructed r!!!")
else :
LOG.info("Fail to find real r...QQ")
# ============================================================
#
# Verify attack result by calculating s
# ============================================================
verify_s = ( inverse(k,priv_key.q) * (h + priv_key.x * verify_r) ) % priv_key.q
LOG.debug("Calculated s: %s"%verify_s)
LOG.debug("Inserted s: %s"%s)
if verify_s == s :
LOG.info("Verified! Successfully reconstructed s!!!")
else :
LOG.info("Fail to find real s...QQ")
# Output answer
print "r = ",verify_r
H = int(sha1("FLAG").hexdigest(),16)
S = ( inverse(k,priv_key.q) * (H + priv_key.x * verify_r) ) % priv_key.q
print "s = ",S
def _unblind(self, M, B):
tmp = pubkey.inverse(B, self.n)
return (M * tmp) % self.n
p = long(config.get("encryption", "p"))
q = long(config.get("encryption", "q"))
# get private key
if not pconfig.has_option("encryption", "private_key"):
die("Error: private key must be defined in private config")
e = long(pconfig.get("encryption", "private_key"))
if p > q:
(p, q) = (q, p)
phi = (p - 1) * (q - 1)
n = p * q
d = pubkey.inverse(e, phi)
tuple = n, e, d, p, q
if verbose:
print "p=", p
print "q=", q
print "n=", n
print "e=", e
print "d=", d
# encrypt without armouring (PKCS)
key = RSA.construct(tuple)
#print(key)
if (cmp(sys.argv[-1], "-") == 0):
def _unblind(self, M, B):
tmp = pubkey.inverse(B, self.n)
return (M * tmp) % self.n
p = long(config.get("encryption", "p"))
q = long(config.get("encryption", "q"))
# get private key
if not pconfig.has_option("encryption", "private_key"):
die("Error: private key must be defined in private config")
e = long(pconfig.get("encryption", "private_key"))
if p > q:
(p, q)=(q, p)
phi = (p - 1)*(q - 1)
n = p*q
d=pubkey.inverse(e, phi)
tuple = n, e, d, p, q
if verbose:
print "p=", p
print "q=", q
print "n=", n
print "e=", e
print "d=", d
# encrypt without armouring (PKCS)
key = RSA.construct(tuple)
#print(key)
if (cmp(sys.argv[-1], "-") == 0):
