def tworker3(hpass,a,start,step,g,N,q):
'''
this BF password
'''
sc = ord('a')+start
ec = ord('z')
cc = [sc]
while True:
h_c = "".join([chr(c) for c in cc])
x = s2i(hashlib.sha256(h_c).digest())
S = pow(2,a+x,N)
K = hashlib.sha256(i2s(S)).digest()
if hmac.HMAC(K,"",hashlib.sha256).digest() == hpass:
q.put(h_c)
break
cc[0] += step
for i in range(0,len(cc)):
if cc[i] > ec:
try:
cc[i+1] += 1
except:
cc.append(sc)
cc[i] %= (ec+1)
cc[i] += sc
else:
break
def recv2(self,hks):
S = pow(self.A * pow(self.v,self.u,self.N),self.b,self.N)
K = hashlib.sha256(i2s(S)).digest()
if hks == hmac.HMAC(K,self.salt,hashlib.sha256).digest() and self.I == self.Ic:
return "OK"
else:
return "No way"
def forging(mesg,key):
e = key[0]
n = key[1]
if e != 3:
raise Exception("e not equal 3")
pkcs15 = PKCS15()
dgst = hashlib.sha1(mesg).digest()
keylen = len(i2s(n))
getcontext().prec = keylen * 8
# this is the valid beginning
forge = "\x00\x01%s\x00%s" % ("\xff" * 8, dgst)
# this will be garbge
garbage = "\x00" * (keylen - 8 - len(dgst) - 13)
whole = s2i(forge+garbage)
cr = int(pow(whole,Decimal(1)/Decimal(3)))+1
return i2s(cr)
def attack(enc,key,iseven):
e = key[0] # e - from the pub key
n = key[1] # n - from the pub key
ct = s2i(enc[0]) # encrypted message
c2 = pow(2,e,n) # (2**e)%n)
ct = (ct * c2) % n # we need to do this before we start counting
limit = int(math.log(n,2))+1 # number of bits in the key
getcontext().prec = limit # how precise our floats should be
a = Decimal(0)
b = Decimal(n)
for x in range(limit):
t = (a+b)/2
if iseven([i2s(ct)]):
b = t
else:
a = t
ct = (ct * c2) % n
return i2s(int(b)).encode('string_escape')
def tworker2(hpass,a,words,start,step,g,N,q):
'''
dictionary attack
'''
i = start
while i < len(words):
x = s2i(hashlib.sha256(words[i]).digest())
S = pow(2,a+x,N)
K = hashlib.sha256(i2s(S)).digest()
if hmac.HMAC(K,"",hashlib.sha256).digest() == hpass:
q.put(words[i])
break
i += step
def b_step2a (pubkey, prvkey, c, oracle):
"""
Bleichenbacher step 2a
"""
e = pubkey[0]
n = pubkey[1]
c = s2i("".join(c))
c0 = (c * modexp(1, e, n)) % n
s1 = n // 0x3B
count = 0
while True:
c1 = (c0 * modexp(s1, e, n)) % n
if oracle(prvkey, list(i2s(c1))):
break
s1 += 1
if count % 10 == 0:
sys.stdout.write("%s \r" % (count))
sys.stdout.flush()
count += 1
return s1
#!/usr/bin/env python
from c39 import RSA # RSA
from c36 import i2s, s2i
if __name__ == "__main__":
msg = "attack after the breakfast"
rsa = RSA()
pub,priv = rsa.keygen()
C = rsa.encrypt(msg,pub)
assert rsa.decrypt(C,priv) == msg, "bug in my RSA, decryption didn't provide the same clear text"
S = 3 # lowest possible S
C1 = list() # the cipher text is a list
for ct in C: # lets iterate over the ciphertext
C1.append(i2s((pow(S,pub[0],pub[1])*s2i(ct)) % pub[1])) #
if C1 != C: # the C1 has to be different the C
P1 = rsa.decrypt(C1,priv)
print i2s((s2i(P1)/S)%pub[1])
else:
print "something wrong C1 and C should be different"
# initiate and test
d = DSA()
d.test()
# challenge 43
y = long("84ad4719d044495496a3201c8ff484feb45b962e7302e56a392aee4"+\
"abab3e4bdebf2955b4736012f21a08084056b19bcd7fee56048e004"+\
"e44984e2f411788efdc837a0d2e5abb7b555039fd243ac01f0fb2ed"+\
"1dec568280ce678e931868d23eb095fde9d3779191b8c0299d6e07b"+\
"bb283e6633451e535c45513b2d33c99ea17", 16)
m = "For those that envy a MC it can be hazardous to your health\n"+\
"So be friendly, a matter of life and death, just like a etch-a-sketch\n"
r = 548099063082341131477253921760299949438196259240
s = 857042759984254168557880549501802188789837994940
msg_check_hash = "d2d0714f014a9784047eaeccf956520045c45265"
assert (hashlib.sha1(m).hexdigest() == msg_check_hash), "hash doesn't match"
h_expected = "0954edd5e0afe5542a4adf012611a91912a3ec16"
# broken implementation k is between 0 and 2^16
for k in range(0, 2**16):
x = d.x_recovery(m, r, s, k)
if hashlib.sha1(i2s(x).encode('hex')).hexdigest() == h_expected:
(r1, s1) = d.sign(m, x)
d.verify(m, r1, s1, y)
print "k : %s" % (k)
print "x : %s" % (x)
break
def make(self,msg,key): pkcs15 = PKCS15() rsa = RSA() dgst = hashlib.sha1(message).digest() paddgst = pkcs15.pad(dgst,len(i2s(key[1]))) return rsa.encrypt(paddgst,key)
def recv1(self,salt,B,u): self.salt = salt x = s2i(hashlib.sha256(self.salt+self.P).digest()) S = pow(B,(self.a+u*x),self.N) self.K = hashlib.sha256(i2s(S)).digest()
ct1 = RSA().encrypt(cleartext,pub1) print "2. key generation" pub2,priv2 = RSA().keygen(l=2048,s=False) # s=False gives e=3 print "2. encrypting using pub key" ct2 = RSA().encrypt(cleartext,pub2) assert RSA().decrypt(ct0,priv0) == cleartext, "error on key0" assert RSA().decrypt(ct1,priv1) == cleartext, "error on key1" assert RSA().decrypt(ct2,priv2) == cleartext, "error on key2" # https://en.wikipedia.org/wiki/Coppersmith%27s_Attack#H.C3.A5stad.27s_Broadcast_Attack # https://en.wikipedia.org/wiki/Chinese_remainder_theorem c_0 = s2i(ct0[0]) c_1 = s2i(ct1[0]) c_2 = s2i(ct2[0]) n_0 = pub0[1] n_1 = pub1[1] n_2 = pub2[1] m_s_0 = n_1 * n_2 m_s_1 = n_0 * n_2 m_s_2 = n_0 * n_1 result = (c_0 * m_s_0 * invmod(m_s_0, n_0)) result += (c_1 * m_s_1 * invmod(m_s_1, n_1)) result += (c_2 * m_s_2 * invmod(m_s_2, n_2)) result %= (n_0 * n_1 * n_2) print i2s(int(pow(Decimal(result),Decimal(1)/Decimal(3)))+1)
client.send(str(I)+","+str(A))
data = client.recv(4096)
salt,B = data.split(",")
c.recv1(salt,int(B))
client.send(c.send2())
print client.recv(4096)
client.shutdown(2)
print "Attack A=0 (because of this S = 0):",
client1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client1.connect(("127.0.0.1", 9001))
client1.send("[email protected],0")
data = client1.recv(4096)
salt = data.split(",")[0]
K = hashlib.sha256(i2s(0)).digest()
client1.send(hmac.HMAC(K,salt,hashlib.sha256).digest())
print client1.recv(4096)
client1.shutdown(2)
print "Attack A=N (because of this S = 0):",
client2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client2.connect(("127.0.0.1", 9001))
client2.send("[email protected],"+str(NISTprime))
data = client2.recv(4096)
salt = data.split(",")[0]
K = hashlib.sha256(i2s(0)).digest()
client2.send(hmac.HMAC(K,salt,hashlib.sha256).digest())
print client2.recv(4096)
client2.shutdown(2)
len_n = len(i2s(n)) - 1
len_m = len(m)
if len_n > len_m:
return [i2s(pow(s2i(m), e, n))]
else:
cs = []
i = 0
while len_n * i < len_m:
cs.append(i2s(pow(s2i(m[len_n * i : len_n * (i + 1)]), e, n)))
i += 1
return cs
def decrypt(self, cs, (d, n)):
m = ""
for c in cs:
m += i2s(pow(s2i(c), d, n))
return m
if __name__ == "__main__":
k1, k2 = RSA().keygen()
cleartext = "this is just a test of a message that will be encrypted using RSA private/public key cryptography, lets try something very long to see how this may woRk.\
We may also try to add some random things here and here, and here. Just a test like I said,"
# cleartext = open("c39.py").read() # <<-- this also works, but this actually needs padding
print cleartext
ciphertext = RSA().encrypt(cleartext, k1)
print ciphertext
decryptedtext = RSA().decrypt(ciphertext, k2)
print decryptedtext
client.send(str(I)+","+str(A)) #发送I和A
data = client.recv(4096)
salt,B = data.split(",") #接收服务器的数据传回的salt 和服务器公钥B
c.recv1(salt,int(B)) #生成 u x s k
client.send(c.send2()) #计算mac并发送
print client.recv(4096) #显示服务器返回的结果
client.shutdown(2)
print "Attack A=0 (because of this S = 0):",
client1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client1.connect(("127.0.0.1", 9001))
client1.send("[email protected],0") #发送A = 0
data = client1.recv(4096)
salt = data.split(",")[0]
K = hashlib.sha256(i2s(0)).digest() #计算K
client1.send(hmac.HMAC(K,salt,hashlib.sha256).digest()) #计算mac并发送
print client1.recv(4096)
client1.shutdown(2)
print "Attack A=N (because of this S = 0):",
client2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client2.connect(("127.0.0.1", 9001))
client2.send("[email protected],"+str(NISTprime)) #发送A = N
data = client2.recv(4096)
salt = data.split(",")[0]
K = hashlib.sha256(i2s(0)).digest()
client2.send(hmac.HMAC(K,salt,hashlib.sha256).digest())
print client2.recv(4096)
client2.shutdown(2)
if count % 10 == 0:
sys.stdout.write("%s \r" % (count))
sys.stdout.flush()
count += 1
return s1
if __name__ == "__main__":
rsa = RSA()
pkcs = PKCS15t2()
# clear text message
text = "kick it, CC"
# 256 bit key generation
(pubkey, prvkey) = rsa.keygen(256)
# padding PKCS#1 1.5
m = pkcs.pad(text, len(i2s(pubkey[1])))
# encrypting
c = rsa.encrypt(m, pubkey)
m1 = rsa.decrypt(c, prvkey)
assert (m == "\x00"+m1), "PKCS#1 1.5 implementation failure"
assert (text == pkcs.unpad("\x00"+m1)), "RSA implementation failure"
# Bleichenbacher
print b_step2a(pubkey, prvkey, c, oracle)
