def do_dsa_g0(message_hash):
x = 8675309
k = 24601
y = mypow(prob45_g0, x, prob45_p)
r = mypow(prob45_g0, k, prob45_p) % prob45_q
s = (invmod(k, prob45_p) * (message_hash + x * r)) % prob45_q
return (y, r, s)
def rsa_demo2():
e = 3;
p = 4;
q = 4;
while ((p % e) == 1):
p = generatePrime(1024);
while ((q % e) == 1):
q = generatePrime(1024);
N = p*q;
phi = (p-1)*(q-1);
assert((phi%e) != 0);
d = invmod(e, phi);
message = 42;
encrypted = mypow(message, e, N);
decrypted = mypow(encrypted, d, N);
assert(message == decrypted);
#Finally, to encrypt a string, do something cheesy, like convert the
#string to hex and put "0x" on the front of it to turn it into a
#number. The math cares not how stupidly you feed it strings.
rawMessage = b'May the Force be with you'
hexMessage = rawToHex(rawMessage);
intMessage = int(hexMessage, 16);
encrypted = mypow(intMessage, e, N);
decrypted = mypow(encrypted, d, N);
assert(intMessage == decrypted);
assert(hexToRaw(hex(intMessage)[2:]) == rawMessage);
def rsa_demo2():
e = 3
p = 4
q = 4
while ((p % e) == 1):
p = generatePrime(1024)
while ((q % e) == 1):
q = generatePrime(1024)
N = p * q
phi = (p - 1) * (q - 1)
assert ((phi % e) != 0)
d = invmod(e, phi)
message = 42
encrypted = mypow(message, e, N)
decrypted = mypow(encrypted, d, N)
print('p = %d;q = %d; N = %d; e=%d; d=%d; message = %d; encrypted=%d' %
(p, q, N, e, d, message, encrypted))
assert (message == decrypted)
#Finally, to encrypt a string, do something cheesy, like convert the
#string to hex and put "0x" on the front of it to turn it into a
#number. The math cares not how stupidly you feed it strings.
rawMessage = b'May the Force be with you'
hexMessage = rawToHex(rawMessage)
intMessage = int(hexMessage, 16)
encrypted = mypow(intMessage, e, N)
decrypted = mypow(encrypted, d, N)
assert (intMessage == decrypted)
assert (hexToRaw(hex(intMessage)[2:]) == rawMessage)
def validate_dsa_g1(y, r, s, message_hash):
w = invmod(s, prob45_q)
u1 = (message_hash * w) % prob45_q
u2 = (r * w) % prob45_q
v = (mypow(prob45_g1, u1, prob43_p) * mypow(y, u2, prob45_p) %
prob45_p) % prob45_q
return v == r
def SRP_step5(state):
xH = sha256(intToBytes(state["salt"]) + state["P"]).hexdigest()
x = int(xH, 16)
S = mypow((state["B"] - state["k"] * mypow(state["g"], x, state["p"])),
(state["a"] + state["u"] * x), state["p"])
state["C_K"] = sha256(intToBytes(S)).digest()
return state
def do_dsa_g0(message_hash):
x = 8675309;
k = 24601;
y = mypow(prob45_g0, x, prob45_p);
r = mypow(prob45_g0, k, prob45_p) % prob45_q;
s = (invmod(k, prob45_p) * (message_hash + x*r)) % prob45_q;
return (y,r,s)
def bb98_2b(key, c0, prev_s):
s = prev_s + 1;
cipher = (c0 * mypow(s, key['e'], key['N'])) % key['N'];
while (not is_pkcs1_formatted(key, cipher)):
s += 1;
cipher = (c0 * mypow(s, key['e'], key['N'])) % key['N'];
#print(s, hex(cipher))
#print("Step 2b returning ", s)
return s;
def bb98_2a(key, c0):
k = (key['N'].bit_length()+7)//8
B = pow(2, 8*(k-2));
key['B'] = B;
s = myceil(key['N'], 3*B);
cipher = (c0 * mypow(s, key['e'], key['N'])) % key['N'];
while (not is_pkcs1_formatted(key, cipher)):
s += 1;
cipher = (c0 * mypow(s, key['e'], key['N'])) % key['N'];
#print(s, hex(cipher))
#print("Step 2a returning ", s)
return s;
def try_simplified_SRP_password(state, guess):
# hmac(K, salt) =
# hmac(sha256(S), salt) =
# hmac(sha256((A * v ** u)**b % n), salt) =
# hmac(sha256((A * ((g**x)** u))**b % n), salt) =
# hmac(sha256((A * ((g**SHA256(salt|password))** u))**b % n), salt) =
# and now we're down to thinks we know (minus password)
x = sha256(intToBytes(state["salt"]) + guess).hexdigest();
v = mypow(state["g"], int(x, 16), state["p"]);
v_u = mypow(v, state["u"], state["p"]);
S = mypow(state["A"] * v_u, state["b"], state["p"]);
mychal = myhmac(sha256, sha256(intToBytes(S)).digest(), intToBytes(state["salt"]));
return mychal == state["challenge"];
def message5(state):
message = b"Thomas, he's the cheeky one. James is vain but lots of fun!";
secret = mypow(state["B"], state["a"], group5_p);
state["a_cipherkey"], state["a_mackey"] = secretToKeys(intToBytes(secret));
state["a_iv"] = generateAESKey();
state["a_cipher"] = aes_cbc_enc(addPKCS7Padding(message, 16), state["a_cipherkey"], state["a_iv"]);
return state;
def do_prob46(key, cipher):
original_cipher = cipher;
plain_min = 0;
plain_max = key['N'] - 1;
print_range(0, plain_min, plain_max);
i = 0;
while (int(plain_min) != int(plain_max)):
cipher = (2**key['e'] * cipher) % key['N'];
if rsa_oracle_isodd(key, cipher):
# plaintext in upper half of range
if (plain_max - plain_min == 1):
plain_min = plain_max;
plain_min += (plain_max - plain_min) // 2;
else:
# plaintext in the lower half
if (plain_max - plain_min == 1):
plain_max = plain_min;
plain_max -= (plain_max - plain_min) // 2;
i += 1;
print_range(i, plain_min, plain_max)
# This seems to have errors on one of the lower bits,
# I suspect this is due to rounding errors when
# bounding the range. So instead of accepting the
# answer found, try to encrypt answers within
# 4 of the "answwer", and see if they encrypt to
# the original cipher
for i in range(-4, 5):
this_cipher = mypow(plain_min + i, key['e'], key['N']);
if (this_cipher == original_cipher):
print("Plaintext: ", hex(plain_min + i));
return;
raise Exception;
def recover_dsa_key():
for k in range(65537):
potential_x = get_dsa_key_from_known_k(prob43_r, prob43_s, k, prob43_msg_hash)
if (mypow(prob43_g, potential_x, prob43_p) == prob43_y):
return (potential_x, k);
# failure if here
raise Exception;
def do_prob46(key, cipher):
original_cipher = cipher
plain_min = 0
plain_max = key['N'] - 1
print_range(0, plain_min, plain_max)
i = 0
while (int(plain_min) != int(plain_max)):
cipher = (2**key['e'] * cipher) % key['N']
if rsa_oracle_isodd(key, cipher):
# plaintext in upper half of range
if (plain_max - plain_min == 1):
plain_min = plain_max
plain_min += (plain_max - plain_min) // 2
else:
# plaintext in the lower half
if (plain_max - plain_min == 1):
plain_max = plain_min
plain_max -= (plain_max - plain_min) // 2
i += 1
print_range(i, plain_min, plain_max)
# This seems to have errors on one of the lower bits,
# I suspect this is due to rounding errors when
# bounding the range. So instead of accepting the
# answer found, try to encrypt answers within
# 4 of the "answwer", and see if they encrypt to
# the original cipher
for i in range(-4, 5):
this_cipher = mypow(plain_min + i, key['e'], key['N'])
if (this_cipher == original_cipher):
print("Plaintext: ", hex(plain_min + i))
return
raise Exception
def recover_dsa_key():
for k in range(65537):
potential_x = get_dsa_key_from_known_k(prob43_r, prob43_s, k, prob43_msg_hash)
if (mypow(prob43_g, potential_x, prob43_p) == prob43_y):
return (potential_x, k);
# failure if here
raise Exception;
def bad_rsa_sha1_verify(message, signature, rsaparams):
decrypt = mypow(signature, rsaparams['e'], rsaparams['N']);
decryptBytes = decrypt.to_bytes((rsaparams['N'].bit_length() + 7) // 8, byteorder="big");
# check leading 0
if (decryptBytes[0] != 0):
return False;
# block type 1
if (decryptBytes[1] != 1):
return False;
# at least 1 0xff...
if (decryptBytes[2] != 0xff):
return False;
# find end of ff's
i = 3;
while (i < len(decryptBytes)):
if (decryptBytes[i] != 0xff):
break;
i+=1
# make sure there's enough room for 00, oid, hash
if ((len(decryptBytes) - i) < (len(sha1oid) + 21)):
return False;
if (decryptBytes[i] != 0):
return False;
if (decryptBytes[i+1:i+1+len(sha1oid)] != sha1oid):
return False;
expectedHash = sha1(message).digest()
if (decryptBytes[i+1+len(sha1oid):i+21+len(sha1oid)] != expectedHash):
return False;
return True;
def bad_rsa_sha1_verify(message, signature, rsaparams):
decrypt = mypow(signature, rsaparams['e'], rsaparams['N'])
decryptBytes = decrypt.to_bytes((rsaparams['N'].bit_length() + 7) // 8,
byteorder="big")
# check leading 0
if (decryptBytes[0] != 0):
return False
# block type 1
if (decryptBytes[1] != 1):
return False
# at least 1 0xff...
if (decryptBytes[2] != 0xff):
return False
# find end of ff's
i = 3
while (i < len(decryptBytes)):
if (decryptBytes[i] != 0xff):
break
i += 1
# make sure there's enough room for 00, oid, hash
if ((len(decryptBytes) - i) < (len(sha1oid) + 21)):
return False
if (decryptBytes[i] != 0):
return False
if (decryptBytes[i + 1:i + 1 + len(sha1oid)] != sha1oid):
return False
expectedHash = sha1(message).digest()
if (decryptBytes[i + 1 + len(sha1oid):i + 21 + len(sha1oid)] !=
expectedHash):
return False
return True
def message5(state):
message = b"Thomas, he's the cheeky one. James is vain but lots of fun!"
secret = mypow(state["B"], state["a"], group5_p)
state["a_cipherkey"], state["a_mackey"] = secretToKeys(intToBytes(secret))
state["a_iv"] = generateAESKey()
state["a_cipher"] = aes_cbc_enc(addPKCS7Padding(message, 16),
state["a_cipherkey"], state["a_iv"])
return state
def message5(state):
message = b"Thomas, he's the cheeky one. James is vain but lots of fun!";
secret = mypow(state["B"], state["a"], group5_p);
state["a_cipherkey"], state["a_mackey"] = secretToKeys(intToBytes(secret));
state["a_iv"] = generateAESKey();
state["a_cipher"] = aes_cbc_enc(addPKCS7Padding(message, 16), state["a_cipherkey"], state["a_iv"]);
print('A->B Send AES-CBC(SHA1(s)[0:16], iv=random(16), msg) + iv');
return state;
def SRP_step1(state):
salt = randrange(2, state["p"]-2);
xH = sha256(intToBytes(salt) + state["P"]).hexdigest();
x = int(xH, 16);
v = mypow(state["g"], x, state["p"]);
state["v"] = v;
state["salt"] = salt;
return state;
def SRP_step1(state):
salt = randrange(2, state["p"] - 2)
xH = sha256(intToBytes(salt) + state["P"]).hexdigest()
x = int(xH, 16)
v = mypow(state["g"], x, state["p"])
state["v"] = v
state["salt"] = salt
return state
def message2(state):
b = randrange(2, state["p"]-2);
B = mypow(state["g"], b, state["p"]);
state["b"] = b;
state["B"] = B;
print('2.B->A Send "B"');
#print(state);
print('-'*64);
return state;
def message1():
a = randrange(2, group5_p-2);
A = mypow(group5_g, a, group5_p);
state = { "p" : group5_p, "g" : group5_g,
"a" : a, "A" : A };
print('1.A->B Send "p", "g", "A"');
#print(state);
print('-'*64);
return state;
def message3(state):
a_shared = mypow(state["B"], state["a"], state["p"]);
state["a_cipherkey"], state["a_mackey"] = secretToKeys(intToBytes(a_shared));
a_iv = generateAESKey();
message = b"mary had a little lamb"
a_cipher = aes_cbc_enc(addPKCS7Padding(message, 16), state["a_cipherkey"], a_iv);
state["a_cipher"] = a_cipher;
state["a_iv"] = a_iv;
return state;
def message2(state):
b = randrange(2, state["p"] - 2)
B = mypow(state["g"], b, state["p"])
state["b"] = b
state["B"] = B
print('2.B->A Send "B"')
#print(state);
print('-' * 64)
return state
def message1():
a = randrange(2, group5_p - 2)
A = mypow(group5_g, a, group5_p)
state = {
"p": group5_p,
"g": group5_g,
"a": a,
"A": A
}
return state
def message5(state):
message = b"Thomas, he's the cheeky one. James is vain but lots of fun!"
secret = mypow(state["B"], state["a"], group5_p)
state["a_cipherkey"], state["a_mackey"] = secretToKeys(intToBytes(secret))
state["a_iv"] = generateAESKey()
state["a_cipher"] = aes_cbc_enc(addPKCS7Padding(message, 16),
state["a_cipherkey"], state["a_iv"])
print(
'A->B Send AES-CBC(SHA1(s)[0:16], iv=random(16), msg) + iv')
return state
def message6(state):
secret = mypow(state["A"], state["b"], state["p"]);
state["b_cipherkey"], state["b_mackey"] = secretToKeys(intToBytes(secret));
b_iv = generateAESKey();
received_message = removePKCS7Padding(aes_cbc_dec(state["a_cipher"], state["b_cipherkey"], state["a_iv"]));
b_cipher = aes_cbc_enc(addPKCS7Padding(received_message, 16), state["b_cipherkey"], b_iv);
state["b_cipher"] = b_cipher;
state["b_iv"] = b_iv;
state["b_received_plain"] = received_message;
return state;
def message6(state):
secret = mypow(state["A"], state["b"], state["p"]);
state["b_cipherkey"], state["b_mackey"] = secretToKeys(intToBytes(secret));
b_iv = generateAESKey();
received_message = removePKCS7Padding(aes_cbc_dec(state["a_cipher"], state["b_cipherkey"], state["a_iv"]));
b_cipher = aes_cbc_enc(addPKCS7Padding(received_message, 16), state["b_cipherkey"], b_iv);
state["b_cipher"] = b_cipher;
state["b_iv"] = b_iv;
state["b_received_plain"] = received_message;
print("B->A Send AES-CBC(SHA1(s)[0:16], iv=random(16), A's msg) + iv");
return state;
def rsa_demo1():
p = 71;
q = 77;
# - Let n be p * q. Your RSA math is modulo n.
N = p*q;
# - Let et be (p-1)*(q-1) (the "totient"). You need this value only for
# keygen.
et = (p-1)*(q-1);
# - Let e be 3.
e = 3;
assert((et%e) != 0); #sufficient given a prime e
#- Compute d = invmod(e, et). invmod(17, 3120) is 2753.
d = invmod(e,et)
# Your public key is [e, n]. Your private key is [d, n].
#To encrypt: c = m**e%n. To decrypt: m = c**d%n
#Test this out with a number, like "42".
message = 42;
encrypted = mypow(message, e, N);
decrypted = mypow(encrypted, d, N);
assert(message == decrypted);
def message3(state):
a_shared = mypow(state["B"], state["a"], state["p"])
state["a_cipherkey"], state["a_mackey"] = secretToKeys(
intToBytes(a_shared))
a_iv = generateAESKey()
message = b"mary had a little lamb"
a_cipher = aes_cbc_enc(addPKCS7Padding(message, 16), state["a_cipherkey"],
a_iv)
state["a_cipher"] = a_cipher
state["a_iv"] = a_iv
return state
def message6(state):
secret = mypow(state["A"], state["b"], state["p"])
state["b_cipherkey"], state["b_mackey"] = secretToKeys(intToBytes(secret))
b_iv = generateAESKey()
received_message = removePKCS7Padding(
aes_cbc_dec(state["a_cipher"], state["b_cipherkey"], state["a_iv"]))
b_cipher = aes_cbc_enc(addPKCS7Padding(received_message, 16),
state["b_cipherkey"], b_iv)
state["b_cipher"] = b_cipher
state["b_iv"] = b_iv
state["b_received_plain"] = received_message
return state
def message3(state):
a_shared = mypow(state["B"], state["a"], state["p"]);
state["a_cipherkey"], state["a_mackey"] = secretToKeys(intToBytes(a_shared));
a_iv = generateAESKey();
message = b"mary had a little lamb"
a_cipher = aes_cbc_enc(addPKCS7Padding(message, 16), state["a_cipherkey"], a_iv);
state["a_cipher"] = a_cipher;
state["a_iv"] = a_iv;
print("3.A->B Send AES-CBC(SHA1(s)[0:16], iv=random(16), msg) + iv");
#print(state);
print('-'*64);
return state;
def bb98_2c(intervals, s_prev, key, c0):
assert(len(intervals) == 1);
(a,b) = intervals[0];
r = myceil(2*(b*s_prev - 2*key['B']), key['N']);
s = myceil((2*key['B'] + r*key['N']), b);
while (True):
cipher = (c0 * mypow(s, key['e'], key['N'])) % key['N'];
if (is_pkcs1_formatted(key, cipher)):
return (r,s);
s = s+1;
if (s > myfloor(3*key['B'] + r*key['N'], a)):
r += 1;
s = myceil((2*key['B'] + r*key['N']), b);
def is_pkcs1_formatted(key, cipher):
#
plain = mypow(cipher, key['d'], key['N']);
# check for 0
if ((plain.bit_length() + 15) //8) != ((key['N'].bit_length() + 7)//8):
return False;
# hex(plain) will start '0x2' if the second by is either 0x20 or 0x02
# if 02, then len(hex) will be odd
if (len(hex(plain)) % 2) == 0:
return False;
if (hex(plain)[0:3] != '0x2'):
return False;
return True;
def do_unpadded_rsa_attack():
rsaparams = generate_rsa_key(2048)
e = rsaparams['e']
N = rsaparams['N']
messageBytes = b'Oh captain my captain'
messageInt = int.from_bytes(messageBytes, byteorder="big")
capturedCipher = capture_ciphertext(messageInt, N, e)
S = 8675309
C_prime = (mypow(S, e, N) * capturedCipher) % N
P_prime = decrypt_cipher(C_prime, rsaparams)
plain = (P_prime * invmod(S, N)) % N
assert (plain == messageInt)
def do_unpadded_rsa_attack():
rsaparams = generate_rsa_key(2048);
e = rsaparams['e']
N = rsaparams['N']
messageBytes = b'Oh captain my captain'
messageInt = int.from_bytes(messageBytes, byteorder="big")
capturedCipher = capture_ciphertext(messageInt, N, e);
S = 8675309
C_prime = (mypow(S, e, N) * capturedCipher) % N;
P_prime = decrypt_cipher(C_prime, rsaparams);
plain = (P_prime * invmod(S, N)) % N;
assert(plain == messageInt);
def message1():
a = randrange(2, group5_p - 2)
A = mypow(group5_g, a, group5_p)
state = {
"p": group5_p,
"g": group5_g,
"a": a,
"A": A
}
print('1.A->B Send "p", "g", "A"')
#print(state);
print('-' * 64)
return state
def message3(state):
a_shared = mypow(state["B"], state["a"], state["p"])
state["a_cipherkey"], state["a_mackey"] = secretToKeys(
intToBytes(a_shared))
a_iv = generateAESKey()
message = b"mary had a little lamb"
a_cipher = aes_cbc_enc(addPKCS7Padding(message, 16), state["a_cipherkey"],
a_iv)
state["a_cipher"] = a_cipher
state["a_iv"] = a_iv
print("3.A->B Send AES-CBC(SHA1(s)[0:16], iv=random(16), msg) + iv")
#print(state);
print('-' * 64)
return state
def rsa_demo1():
p = 71
q = 77
# - Let n be p * q. Your RSA math is modulo n.
N = p * q
# - Let et be (p-1)*(q-1) (the "totient"). You need this value only for
# keygen.
et = (p - 1) * (q - 1)
# - Let e be 3.
e = 3
assert ((et % e) != 0)
#sufficient given a prime e
#- Compute d = invmod(e, et). invmod(17, 3120) is 2753.
d = invmod(e, et)
# Your public key is [e, n]. Your private key is [d, n].
#To encrypt: c = m**e%n. To decrypt: m = c**d%n
#Test this out with a number, like "42".
message = 42
encrypted = mypow(message, e, N)
decrypted = mypow(encrypted, d, N)
print('p = %d;q = %d; N = %d; e=%d; d=%d; message = %d; encrypted=%d' %
(p, q, N, e, d, message, encrypted))
assert (message == decrypted)
def message6(state):
secret = mypow(state["A"], state["b"], state["p"])
state["b_cipherkey"], state["b_mackey"] = secretToKeys(intToBytes(secret))
b_iv = generateAESKey()
received_message = removePKCS7Padding(
aes_cbc_dec(state["a_cipher"], state["b_cipherkey"], state["a_iv"]))
b_cipher = aes_cbc_enc(addPKCS7Padding(received_message, 16),
state["b_cipherkey"], b_iv)
state["b_cipher"] = b_cipher
state["b_iv"] = b_iv
state["b_received_plain"] = received_message
print(
"B->A Send AES-CBC(SHA1(s)[0:16], iv=random(16), A's msg) + iv"
)
return state
def capture_ciphertext(message, modulus, e):
return mypow(message, e, modulus);
# change hash as well -- still works
assert(validate_dsa_g0(32432423, 0, 342423432423, 0x3daf05ce546d1));
# Now, try (p+1) as "g". With this "g", you can generate a magic
# signature s, r for any DSA public key that will validate against any
# string. For arbitrary z:
# r = ((y**z) % p) % q
# r
# s = --- % q
# z
prob45_g1_x = 8675309
prob45_g1_y = mypow(prob43_g, prob45_g1_x, prob43_p) # key generation uses legit params
prob45_g1 = (prob43_p + 1)
prob45_g1_r = prob45_g1_y % prob45_q # set z to 1
prob45_gr_s = prob45_g1_r # set z to 1
# Sign "Hello, world". And "Goodbye, world".
''' Just need to validate (r,s) as valid'''
def validate_dsa_g1(y, r, s, message_hash):
w = invmod(s, prob45_q);
u1 = (message_hash * w) % prob45_q;
u2 = (r*w) % prob45_q;
v = (mypow(prob45_g1, u1, prob43_p) * mypow(y, u2, prob45_p) % prob45_p) % prob45_q
return v == r;
def SRP_step6(state):
S = mypow(state["A"] * mypow(state["v"], state["u"], state["p"]), state["b"], state["p"]);
state["S_K"] = sha256(intToBytes(S)).digest();
return state;
def SRP_step6(state):
S = mypow(state["A"] * mypow(state["v"], state["u"], state["p"]),
state["b"], state["p"])
state["S_K"] = sha256(intToBytes(S)).digest()
return state
bb98_append(intervals, lower_bound, upper_bound);
return;
# if we reach here, then no overlap found -- just add interval
intervals.append([lower_bound, upper_bound]);
# Your Step 3 code is probably not going to need to handle multiple
# ranges.
# We recommend you just use the raw math from paper (check, check,
# double check your translation to code) and not spend too much time
# trying to grok how the math works.
if __name__ == "__main__":
cipher = mypow(prob47_message, prob47_key['e'], prob47_key['N']);
s = bb98_2a(prob47_key, cipher);
prev_intervals = [[2*prob47_key['B'], 3*prob47_key['B']-1]];
prev_intervals = bb98_3(prev_intervals, prob47_key, s);
while (True):
#print("intervals: " , prev_intervals);
if (len(prev_intervals) == 1):
(a,b) = prev_intervals[0];
if (a == b):
print("Message: " + hex(a));
break;
r, s = bb98_2c(prev_intervals, s, prob47_key, cipher);
else:
s = bb98_2b(prob47_key, cipher, s)
prev_intervals = bb98_3(prev_intervals, prob47_key, s);
def SRP_step3(state):
state["b"] = randrange(2, state["p"] - 2)
state["B"] = (state["k"] * state["v"] +
mypow(state["g"], state["b"], state["p"]))
return state
def SRP_step2(state):
state["a"] = randrange(2, state["p"] - 2)
state["A"] = mypow(state["g"], state["a"], state["p"])
return state
def message2(state):
b = randrange(2, state["p"] - 2)
B = mypow(state["g"], b, state["p"])
state["b"] = b
state["B"] = B
return state
return v == r
def demo_dsa_g0():
message_hash = 0x0102030405060708091011121314151617181920
(y, r, s) = do_dsa_g0(message_hash)
assert (r == 0)
assert (validate_dsa_g0(y, r, s, message_hash))
# change public key, s -- still works
assert (validate_dsa_g0(13, 0, 23423423432, message_hash))
# change hash as well -- still works
assert (validate_dsa_g0(32432423, 0, 342423432423, 0x3daf05ce546d1))
prob45_g1_x = 8675309
prob45_g1_y = mypow(prob43_g, prob45_g1_x,
prob43_p) # key generation uses legit params
prob45_g1 = (prob43_p + 1)
prob45_g1_r = prob45_g1_y % prob45_q # set z to 1
prob45_gr_s = prob45_g1_r # set z to 1
print(prob45_g1_r)
# Sign "Hello, world". And "Goodbye, world".
''' Just need to validate (r,s) as valid'''
def validate_dsa_g1(y, r, s, message_hash):
w = invmod(s, prob45_q)
u1 = (message_hash * w) % prob45_q
u2 = (r * w) % prob45_q
v = (mypow(prob45_g1, u1, prob43_p) * mypow(y, u2, prob45_p) %
prob45_p) % prob45_q
def SRP_step5(state):
xH = sha256(intToBytes(state["salt"]) + state["P"]).hexdigest();
x = int(xH, 16);
S = mypow((state["B"] - state["k"] * mypow(state["g"], x, state["p"])), (state["a"] + state["u"] * x), state["p"]);
state["C_K"] = sha256(intToBytes(S)).digest();
return state;
def validate_dsa_g1(y, r, s, message_hash):
w = invmod(s, prob45_q);
u1 = (message_hash * w) % prob45_q;
u2 = (r*w) % prob45_q;
v = (mypow(prob45_g1, u1, prob43_p) * mypow(y, u2, prob45_p) % prob45_p) % prob45_q
return v == r;
def message3(state):
state["a"] = randrange(2, group5_p-2);
state["A"] = mypow(group5_g, state["a"], group5_p);
return state;
def message4(state):
state["b"] = randrange(2, state["p"]-2)
state["B"] = mypow(state["g"], state["b"], state["p"])
return state;
def decrypt_cipher(cipher, rsaparams):
return mypow(cipher, rsaparams['d'], rsaparams['N'])
def SRP_step3(state):
state["b"] = randrange(2, state["p"]-2);
state["B"] = (state["k"] * state["v"] + mypow(state["g"], state["b"], state["p"]));
return state;
