def compute(self, I, A):
uH = sha256(str(A) + str(self.B)).hexdigest()
u = int(uH, 16)
S = modexp(A * modexp(self.v, u, self.N), self.b, self.N)
self.K = sha256(str(S)).hexdigest()
def compute(self, salt, B):
uH = sha256(str(self.A) + str(B)).hexdigest()
u = int(uH, 16)
xH = sha256(salt + self.P).hexdigest()
x = int(xH, 16)
S = modexp(B - self.k * modexp(self.g, x, self.N), self.a + u * x,
self.N)
self.K = sha256(str(S)).hexdigest()
def __init__(self, P, g, k, N):
self.salt = str(randomNumber())
xH = sha256(self.salt + P).hexdigest()
x = int(xH, 16)
self.v = modexp(g, x, N)
self.g = g
self.N = N
self.b = randomNumber()
self.B = k * self.v + modexp(g, self.b, N)
def check_DSA(signature, p, q, g, y, message):
r, s = signature
assert 0 < r < q
assert 0 < s < q
w = modinv(s, q) % q
u1 = (int(sha1(message), 16) * w) % q
u2 = (r * w) % q
v = ((modexp(g, u1, p) * modexp(y, u2, p)) % p) % q
return v == r
def bruteforceSRP(guess, hmac, salt, g, b, N, A, u):
xH = sha256(salt + guess).hexdigest()
x = int(xH, 16)
v = modexp(g, x, N)
S = modexp(A * modexp(v, u, N), b, N)
K = sha256(str(S)).hexdigest()
hmacTest = HMAC_sha256(K, "message")
if hmacTest == hmac:
return 1
return 0
def bruteforce_repeated_k(args, dataList):
p, q, g, y = args
for i in range(0, len(dataList)):
for j in range(i + 1, len(dataList)):
try:
msg1, s1, r1, m1 = dataList[i]
msg2, s2, r2, m2 = dataList[j]
num = int(m1, 16) - int(m2, 16)
tmpDivisor = int(s1) - int(s2)
div = modinv(tmpDivisor, q)
k = (num * div) % q
x = ((int(s1) * k - int(sha1(msg1), 16)) *
modinv(int(r1), q)) % q
assert y == modexp(g, x, p)
if sha1(hex(x)
[2:-1]) == "ca8f6f7c66fa362d40760d135b763eb8527d3d52":
return (k, x)
except:
pass
print "[*] No k was repeated (possibly)"
return (0, 0)
def compute(self, salt, B, u):
xH = sha256(salt + self.P).hexdigest()
x = int(xH, 16)
S = modexp(B, self.a + u * x, self.N)
self.K = sha256(str(S)).hexdigest()
def __init__(self, P, I, g, k, N):
self.g = g
self.k = k
self.P = P
self.N = N
self.I = I
self.a = randomNumber()
self.A = modexp(g, self.a, N)
def sign_DSA(p, q, g, x, message):
k = random.randint(1, q - 1)
r = modexp(g, k, p) % q
s = (modinv(k, q) * (int(sha1(message), 16) + x * r)) % q
if s == 0 or r == 0:
s, r = sign_DSA(p, q, g)
return [r, s]
def DSA_test():
message = "DSA is fun!"
p = 0x800000000000000089e1855218a0e7dac38136ffafa72eda7859f2171e25e65eac698c1702578b07dc2a1076da241c76c62d374d8389ea5aeffd3226a0530cc565f3bf6b50929139ebeac04f48c3c84afb796d61e5a4f9a8fda812ab59494232c7d2b4deb50aa18ee9e132bfa85ac4374d7f9091abc3d015efc871a584471bb1
q = 0xf4f47f05794b256174bba6e9b396a7707e563c5b
g = 0x5958c9d3898b224b12672c0b98e06c60df923cb8bc999d119458fef538b8fa4046c8db53039db620c094c9fa077ef389b5322a559946a71903f990f1f7e0e025e2d7f7cf494aff1a0470f5b64c36b625a097f1651fe775323556fe00b3608c887892878480e99041be601a62166ca6894bdd41a7054ec89f756ba9fc95302291
x = random.randint(1, q - 1)
y = modexp(g, x, p)
signature = sign_DSA(p, q, g, x, message)
assert check_DSA(signature, p, q, g, y, message)
def messageRecovery():
original = "HELLO"
oracle = recoveryOracle()
cipher = oracle.encrypt(original)
message = oracle.decrypt(cipher) # HELLO
failed = oracle.decrypt(cipher) # [*] failed decryption with error
# get all necessary data for attack
N = oracle.n
e = oracle.e
S = 0
while S < 1:
S = MT19937(int(time.time())).getNumber() % N
# start attack intercepting ciphertext
cipherPrime = (modexp(S, e, N) * cipher) % N
plainPrime = bytes_to_long(oracle.decrypt(cipherPrime))
recovered = long_to_bytes(plainPrime * modinv(S, N) % N)
assert recovered == message == original
def compute(self, I, A):
S = modexp(A * modexp(self.v, self.u, self.N), self.b, self.N)
self.K = sha256(str(S)).hexdigest()
def decrypt(self, data):
dec = modexp(data, self.d, self.n)
return long_to_bytes(dec)
def encrypt(self, data):
return modexp(bytes_to_long(data), self.e, self.n)