def full_simulation_counts(key_template, hospital_counts):
'''Runs a full simulation of an encrypted sum'''
padded_size = int(np.round(key_template.p.size_in_bits() / 8))
num_hospitals = len(hospital_counts)
round0a = [hospital_round0a(key_template) for _ in range(num_hospitals)]
round0a_transmissions = [x['transmit'] for x in round0a]
round0b = hub_round0b(key_template, round0a_transmissions)
key_public = round0b['key_public']
hospital_keys = [x['private_key'] for x in round0a]
round1a_start = time.perf_counter()
round1a = [
encrypt(key_public, pow(Integer(4), Integer(int(count)),
key_public.p)).export_val()
for count in hospital_counts
]
round1a_time = time.perf_counter() - round1a_start
round1b_start = time.perf_counter()
round1b = sum([CipherText.byte_init(key_public, x)
for x in round1a]).export_val()
round1b_time = time.perf_counter() - round1b_start
round2a_start = time.perf_counter()
round2a = [
shared_secret(hk, CipherText.byte_init(key_public,
round1b)).to_bytes(padded_size)
for hk in hospital_keys
]
round2a_time = time.perf_counter() - round2a_start
round2b_start = time.perf_counter()
round2b_sec = Integer(1)
encrypted_sum = CipherText.byte_init(key_public, round1b)
for k in range(num_hospitals):
round2b_sec = (round2b_sec *
Integer.from_bytes(round2a[k])) % key_public.p
s_inv = pow(
round2b_sec, key_public.p - 2, key_public.p
) # modular multiplicative inverse https://stackoverflow.com/questions/4798654/modular-multiplicative-inverse-function-in-python
decrypted_sum = (s_inv * encrypted_sum.c2) % key_public.p
load_precomputed_discrete_log4_table(
) # using precomputation instead of naive method
logged_sum = discrete_log4(key_public, decrypted_sum)
round2b_time = time.perf_counter() - round2b_start
ans_dict = {}
ans_dict['round0a_time'] = sum(x['time'] for x in round0a)
ans_dict['round0b_time'] = round0b['time']
ans_dict['round1a_time'] = round1a_time
ans_dict['round1b_time'] = round1b_time
ans_dict['round2a_time'] = round2a_time
ans_dict['round2b_time'] = round2b_time
return logged_sum, ans_dict
def xy(self):
modulus_bytes = self.size_in_bytes()
xb = bytearray(modulus_bytes)
yb = bytearray(modulus_bytes)
result = _ec_lib.ec_ws_get_xy(c_uint8_ptr(xb), c_uint8_ptr(yb),
c_size_t(modulus_bytes),
self._point.get())
if result:
raise ValueError("Error %d while encoding an EC point" % result)
return (Integer(bytes_to_long(xb)), Integer(bytes_to_long(yb)))
def _generate_domain(L, randfunc):
"""Generate a new set of DSA domain parameters"""
N = {1024: 160, 2048: 224, 3072: 256}.get(L)
if N is None:
raise ValueError("Invalid modulus length (%d)" % L)
outlen = SHA256.digest_size * 8
n = (L + outlen - 1) // outlen - 1 # ceil(L/outlen) -1
b_ = L - 1 - (n * outlen)
# Generate q (A.1.1.2)
q = Integer(4)
upper_bit = 1 << (N - 1)
while test_probable_prime(q, randfunc) != PROBABLY_PRIME:
seed = randfunc(64)
U = Integer.from_bytes(SHA256.new(seed).digest()) & (upper_bit - 1)
q = U | upper_bit | 1
assert (q.size_in_bits() == N)
# Generate p (A.1.1.2)
offset = 1
upper_bit = 1 << (L - 1)
while True:
V = [
SHA256.new(seed + Integer(offset + j).to_bytes()).digest()
for j in range(n + 1)
]
V = [Integer.from_bytes(v) for v in V]
W = sum([V[i] * (1 << (i * outlen)) for i in range(n)],
(V[n] & (1 << b_ - 1)) * (1 << (n * outlen)))
X = Integer(W + upper_bit) # 2^{L-1} < X < 2^{L}
assert (X.size_in_bits() == L)
c = X % (q * 2)
p = X - (c - 1) # 2q divides (p-1)
if p.size_in_bits() == L and \
test_probable_prime(p, randfunc) == PROBABLY_PRIME:
break
offset += n + 1
# Generate g (A.2.3, index=1)
e = (p - 1) // q
for count in itertools.count(1):
U = seed + b("ggen") + bchr(1) + Integer(count).to_bytes()
W = Integer.from_bytes(SHA256.new(U).digest())
g = pow(W, e, p)
if g != 1:
break
return (p, q, g, seed)
def _sign(self, M, K):
if (not hasattr(self, 'x')):
raise TypeError('Private key not available in this object')
p1=self.p-1
K = Integer(K)
if (K.gcd(p1)!=1):
raise ValueError('Bad K value: GCD(K,p-1)!=1')
a=pow(self.g, K, self.p)
t=(Integer(M)-self.x*a) % p1
while t<0: t=t+p1
b=(t*K.inverse(p1)) % p1
return map(int, (a, b))
def _generateRSAKey(bits, randfunc=None, e=65537):
"""Modified version of pycryptodome's Crypto.RSA.generate to allow keys of any size."""
if e % 2 == 0 or e < 3:
raise ValueError(
"RSA public exponent must be a positive, odd integer larger than 2."
)
if randfunc is None:
randfunc = Random.get_random_bytes
d = n = Integer(1)
e = Integer(e)
while n.size_in_bits() != bits and d < (1 << (bits // 2)):
# Generate the prime factors of n: p and q.
# By construciton, their product is always
# 2^{bits-1} < p*q < 2^bits.
size_q = bits // 2
size_p = bits - size_q
min_p = min_q = (Integer(1) << (2 * size_q - 1)).sqrt()
if size_q != size_p:
min_p = (Integer(1) << (2 * size_p - 1)).sqrt()
def filter_p(candidate):
return candidate > min_p and (candidate - 1).gcd(e) == 1
p = _generateProbablePrime(exact_bits=size_p,
randfunc=randfunc,
prime_filter=filter_p)
min_distance = Integer(1) << max(0, bits // 2 - 100)
def filter_q(candidate):
return (candidate > min_q and (candidate - 1).gcd(e) == 1
and abs(candidate - p) > min_distance)
q = _generateProbablePrime(exact_bits=size_q,
randfunc=randfunc,
prime_filter=filter_q)
n = p * q
lcm = (p - 1).lcm(q - 1)
d = e.inverse(lcm)
if p > q:
p, q = q, p
u = p.inverse(q)
return RSA.RsaKey(n=n, e=e, d=d, p=p, q=q, u=u)
def private_equality_test(self, other):
# https://crypto.stackexchange.com/questions/9527/how-does-an-oblivious-test-of-plaintext-equality-work
assert (self.key.p == other.key.p)
assert (self.key.g == other.key.g)
assert (self.key.y == other.key.y)
other_c1_inv = pow(other.c1, self.key.p - 2, self.key.p)
other_c2_inv = pow(other.c2, self.key.p - 2, self.key.p)
new_c1 = (self.c1 * other_c1_inv) % self.key.p
new_c2 = (self.c2 * other_c2_inv) % self.key.p
z = randint(2, int(key.p - 1)) # To blind the ciphertext
new_c1_z = pow(new_c1, Integer(z), self.key.p)
new_c2_z = pow(new_c2, Integer(z), self.key.p)
return CipherText(self.key, new_c1_z, new_c2_z)
def generate_p_q_g(): p = Integer(4) while p.size_in_bits() != 1024 or Primality.test_probable_prime(p) != Primality.PROBABLY_PRIME: q=random.randrange(1 << 159, 1 << 160) if(is_prime(q)): z = Integer.random(exact_bits=1024-160) p = z * q + 1 h = Integer(2) g = 1 while g == 1: g = pow(h, z, p) h += 1 return (p, q, g)
def construct(**kwargs):
"""Build a new ECC key (private or public) starting
from some base components.
Args:
curve (string):
Mandatory. It must be "P-256", "prime256v1" or "secp256r1".
d (integer):
Only for a private key. It must be in the range ``[1..order-1]``.
point_x (integer):
Mandatory for a public key. X coordinate (affine) of the ECC point.
point_y (integer):
Mandatory for a public key. Y coordinate (affine) of the ECC point.
Returns:
:class:`EccKey` : a new ECC key object
"""
point_x = kwargs.pop("point_x", None)
point_y = kwargs.pop("point_y", None)
if "point" in kwargs:
raise TypeError("Unknown keyword: point")
if None not in (point_x, point_y):
kwargs["point"] = EccPoint(point_x, point_y)
# Validate that the point is on the P-256 curve
eq1 = pow(Integer(point_y), 2, _curve.p)
x = Integer(point_x)
eq2 = pow(x, 3, _curve.p)
x *= -3
eq2 += x
eq2 += _curve.b
eq2 %= _curve.p
if eq1 != eq2:
raise ValueError("The point is not on the curve")
# Validate that the private key matches the public one
d = kwargs.get("d", None)
if d is not None and "point" in kwargs:
pub_key = _curve.G * d
if pub_key.x != point_x or pub_key.y != point_y:
raise ValueError("Private and public ECC keys do not match")
return EccKey(**kwargs)
def verify(self, msg_hash, signature):
"""Check if a certain (EC)DSA signature is authentic.
:parameter msg_hash:
The hash that was carried out over the message.
This is an object belonging to the :mod:`Cryptodome.Hash` module.
Under mode *'fips-186-3'*, the hash must be a FIPS
approved secure hash (SHA-1 or a member of the SHA-2 family),
of cryptographic strength appropriate for the DSA key.
For instance, a 3072/256 DSA key can only be used in
combination with SHA-512.
:type msg_hash: hash object
:parameter signature:
The signature that needs to be validated
:type signature: byte string
:raise ValueError: if the signature is not authentic
"""
if not self._valid_hash(msg_hash):
raise ValueError("Hash is not sufficiently strong")
if self._encoding == 'binary':
if len(signature) != (2 * self._order_bytes):
raise ValueError("The signature is not authentic (length)")
r_prime, s_prime = [
Integer.from_bytes(x) for x in (signature[:self._order_bytes],
signature[self._order_bytes:])
]
else:
try:
der_seq = DerSequence().decode(signature, strict=True)
except (ValueError, IndexError):
raise ValueError("The signature is not authentic (DER)")
if len(der_seq) != 2 or not der_seq.hasOnlyInts():
raise ValueError(
"The signature is not authentic (DER content)")
r_prime, s_prime = Integer(der_seq[0]), Integer(der_seq[1])
if not (0 < r_prime < self._order) or not (0 < s_prime < self._order):
raise ValueError("The signature is not authentic (d)")
z = Integer.from_bytes(msg_hash.digest()[:self._order_bytes])
result = self._key._verify(z, (r_prime, s_prime))
if not result:
raise ValueError("The signature is not authentic")
# Make PyCryptodome code to fail
return False
def test_scalar_multiply(self):
d = 0xa78ccc30eaca0fcc8e36b2dd6fbb03df06d37f52711e6363aaf1d73b
pointRx = 0x96a7625e92a8d72bff1113abdb95777e736a14c6fdaacc392702bca4
pointRy = 0x0f8e5702942a3c5e13cd2fd5801915258b43dfadc70d15dbada3ed10
pointR = self.pointS * d
self.assertEqual(pointR.x, pointRx)
self.assertEqual(pointR.y, pointRy)
# 0*S
pai = self.pointS.point_at_infinity()
pointR = self.pointS * 0
self.assertEqual(pointR, pai)
# -1*S
self.assertRaises(ValueError, lambda: self.pointS * -1)
# Reverse order
pointR = d * self.pointS
self.assertEqual(pointR.x, pointRx)
self.assertEqual(pointR.y, pointRy)
pointR = Integer(d) * self.pointS
self.assertEqual(pointR.x, pointRx)
self.assertEqual(pointR.y, pointRy)
def test_scalar_multiply(self):
d = 0xa78a236d60baec0c5dd41b33a542463a8255391af64c74ee
pointRx = 0x1faee4205a4f669d2d0a8f25e3bcec9a62a6952965bf6d31
pointRy = 0x5ff2cdfa508a2581892367087c696f179e7a4d7e8260fb06
pointR = self.pointS * d
self.assertEqual(pointR.x, pointRx)
self.assertEqual(pointR.y, pointRy)
# 0*S
pai = self.pointS.point_at_infinity()
pointR = self.pointS * 0
self.assertEqual(pointR, pai)
# -1*S
self.assertRaises(ValueError, lambda: self.pointS * -1)
# Reverse order
pointR = d * self.pointS
self.assertEqual(pointR.x, pointRx)
self.assertEqual(pointR.y, pointRy)
pointR = Integer(d) * self.pointS
self.assertEqual(pointR.x, pointRx)
self.assertEqual(pointR.y, pointRy)
def toElPoint(self):
if (self.z == 0):
return self.curve.O
z_inv = int(Integer(self.z).inverse(self.curve.p))
x = self.x * z_inv % self.curve.p
y = self.y * z_inv % self.curve.p
return ElPoint(x, y, self.curve)
def _encrypt(key, message):
mod_bits = size(key.n)
k = ceil_div(mod_bits, 8)
m_len = len(message)
# Step 1
if m_len > k - 11:
raise ValueError("Plaintext is too long.")
# Step 2a
ps = []
while len(ps) != k - m_len - 3:
new_byte = bchr(0xFF)
if bord(new_byte[0]) == 0x00:
continue
ps.append(new_byte)
ps = b("").join(ps)
assert (len(ps) == k - m_len - 3)
# Step 2b
em = b('\x00\x01') + ps + bchr(0x00) + message
# Step 3a (OS2IP)
em_int = bytes_to_long(em)
# Step 3b (RSAEP)
if not 0 < em_int < key._n:
raise ValueError("Plaintext too large")
m_int = int(pow(Integer(em_int), key._d, key._n))
# Step 3c (I2OSP)
c = long_to_bytes(m_int, k)
return c
def _decrypt(self, ciphertext):
if not 0 < ciphertext < self._n:
raise ValueError("Ciphertext too large")
if not self.has_private():
raise TypeError("This is not a private key")
# Blinded RSA decryption (to prevent timing attacks):
# Step 1: Generate random secret blinding factor r,
# such that 0 < r < n-1
r = Integer.random_range(min_inclusive=1, max_exclusive=self._n)
# Step 2: Compute c' = c * r**e mod n
cp = Integer(ciphertext) * pow(r, self._e, self._n) % self._n
# Step 3: Compute m' = c'**d mod n (ordinary RSA decryption)
m1 = pow(cp, self._d % (self._p - 1), self._p)
m2 = pow(cp, self._d % (self._q - 1), self._q)
h = m2 - m1
while h < 0:
h += self._q
h = (h * self._u) % self._q
mp = h * self._p + m1
# Step 4: Compute m = m**(r-1) mod n
result = (r.inverse(self._n) * mp) % self._n
# Verify no faults occured
if ciphertext != pow(result, self._e, self._n):
raise ValueError("Fault detected in RSA decryption")
return result
def __init__(self, **kwargs):
"""Create a new ECC key
Keywords:
curve : string
It must be *"P-256"*, *"prime256v1"* or *"secp256r1"*.
d : integer
Only for a private key. It must be in the range ``[1..order-1]``.
point : EccPoint
Mandatory for a public key. If provided for a private key,
the implementation will NOT check whether it matches ``d``.
"""
kwargs_ = dict(kwargs)
self.curve = kwargs_.pop("curve", None)
self._d = kwargs_.pop("d", None)
self._point = kwargs_.pop("point", None)
if kwargs_:
raise TypeError("Unknown parameters: " + str(kwargs_))
if self.curve not in _curve.names:
raise ValueError("Unsupported curve (%s)", self.curve)
if self._d is None:
if self._point is None:
raise ValueError(
"Either private or public ECC component must be specified")
else:
self._d = Integer(self._d)
if not 1 <= self._d < _curve.order:
raise ValueError("Invalid ECC private component")
def test_scalar_multiply(self):
d = 0xc51e4753afdec1e6b6c6a5b992f43f8dd0c7a8933072708b6522468b2ffb06fd
pointRx = 0x51d08d5f2d4278882946d88d83c97d11e62becc3cfc18bedacc89ba34eeca03f
pointRy = 0x75ee68eb8bf626aa5b673ab51f6e744e06f8fcf8a6c0cf3035beca956a7b41d5
pointR = self.pointS * d
self.assertEqual(pointR.x, pointRx)
self.assertEqual(pointR.y, pointRy)
# 0*S
pai = self.pointS.point_at_infinity()
pointR = self.pointS * 0
self.assertEqual(pointR, pai)
# -1*S
self.assertRaises(ValueError, lambda: self.pointS * -1)
# Reverse order
pointR = d * self.pointS
self.assertEqual(pointR.x, pointRx)
self.assertEqual(pointR.y, pointRy)
pointR = Integer(d) * self.pointS
self.assertEqual(pointR.x, pointRx)
self.assertEqual(pointR.y, pointRy)
def discrete_log4_naive(key, x):
'''Finds the discrete log with respect to 4 for a really big number.
Does it naively be counting up by powers of two until we get to x'''
key_public = key
s_inv = pow(
Integer(4), key_public.p - 2, key_public.p
) # modular multiplicative inverse https://stackoverflow.com/questions/4798654/modular-multiplicative-inverse-function-in-python
tmp = Integer(x)
ans = 0
while tmp != 1:
tmp = tmp * s_inv % key_public.p
ans = ans + 1
if ans % 100000 == 0:
print('.', end='', flush=True)
return ans
def verify(self, msg_hash, signature):
"""Check if a certain (EC)DSA signature is authentic.
Args:
msg_hash (hash object):
The hash that was carried out over the message.
This is an object belonging to the :mod:`Cryptodome.Hash` module.
Under mode ``'fips-186-3'``, the hash must be a FIPS
approved secure hash (SHA-2 or SHA-3).
signature (``bytes``):
The signature that needs to be validated.
:raise ValueError: if the signature is not authentic
"""
if not self._valid_hash(msg_hash):
raise ValueError("Hash is not sufficiently strong")
if self._encoding == 'binary':
if len(signature) != (2 * self._order_bytes):
raise ValueError("The signature is not authentic (length)")
r_prime, s_prime = [
Integer.from_bytes(x) for x in (signature[:self._order_bytes],
signature[self._order_bytes:])
]
else:
try:
der_seq = DerSequence().decode(signature, strict=True)
except (ValueError, IndexError):
raise ValueError("The signature is not authentic (DER)")
if len(der_seq) != 2 or not der_seq.hasOnlyInts():
raise ValueError(
"The signature is not authentic (DER content)")
r_prime, s_prime = Integer(der_seq[0]), Integer(der_seq[1])
if not (0 < r_prime < self._order) or not (0 < s_prime < self._order):
raise ValueError("The signature is not authentic (d)")
z = Integer.from_bytes(msg_hash.digest()[:self._order_bytes])
result = self._key._verify(z, (r_prime, s_prime))
if not result:
raise ValueError("The signature is not authentic")
# Make PyCryptodome code to fail
return False
def __init__(self, key, encoding, order, randfunc):
super(FipsDsaSigScheme, self).__init__(key, encoding, order)
self._randfunc = randfunc
L = Integer(key.p).size_in_bits()
if (L, self._order_bits) not in self._fips_186_3_L_N:
error = ("L/N (%d, %d) is not compliant to FIPS 186-3" %
(L, self._order_bits))
raise ValueError(error)
def __init__(self, key, n):
self.key = key
self.n = n
# Figure out sizes needed for array
for t in 'BHILQ':
if array.array(t).itemsize * 8 > np.log(n) / np.log(2):
typecode = t
break
y = Integer(1)
table = [array.array(typecode) for _ in range(2**16)]
for x in range(n):
h = xxh64_intdigest(str(y)) % 2**16
table[h].append(x)
y = Integer(y) * Integer(4) % key.p
if x % 1000000 == 0:
print(x)
self.table = table
def __add__(self, other):
if (self == self.curve.O):
return other
if (other == self.curve.O):
return self
p = self.curve.p
if (self.x == other.x):
if ((self.y + other.y) % p == 0):
return self.curve.O
else:
l = (((3 * self.x**2 + self.curve.A) % p) *
int(Integer(2 * self.y).inverse(p))) % p
else:
l = ((other.y - self.y) *
int(Integer(other.x - self.x).inverse(p))) % p
x = (pow(l, 2, p) - self.x - other.x) % p
y = (l * (self.x - x) - self.y) % p
return ElPoint(x, y, self.curve)
def test_probable_prime(candidate, randfunc=None):
"""Test if a number is prime.
A number is qualified as prime if it passes a certain
number of Miller-Rabin tests (dependent on the size
of the number, but such that probability of a false
positive is less than 10^-30) and a single Lucas test.
For instance, a 1024-bit candidate will need to pass
4 Miller-Rabin tests.
:Parameters:
candidate : integer
The number to test for primality.
randfunc : callable
The routine to draw random bytes from to select Miller-Rabin bases.
:Returns:
``PROBABLE_PRIME`` if the number if prime with very high probability.
``COMPOSITE`` if the number is a composite.
For efficiency reasons, ``COMPOSITE`` is also returned for small primes.
"""
if randfunc is None:
randfunc = Random.new().read
if not isinstance(candidate, Integer):
candidate = Integer(candidate)
# First, check trial division by the smallest primes
if int(candidate) in _sieve_base:
return PROBABLY_PRIME
try:
map(candidate.fail_if_divisible_by, _sieve_base)
except ValueError:
return COMPOSITE
# These are the number of Miller-Rabin iterations s.t. p(k, t) < 1E-30,
# with p(k, t) being the probability that a randomly chosen k-bit number
# is composite but still survives t MR iterations.
mr_ranges = ((220, 30), (280, 20), (390, 15), (512, 10),
(620, 7), (740, 6), (890, 5), (1200, 4),
(1700, 3), (3700, 2))
bit_size = candidate.size_in_bits()
try:
mr_iterations = list(filter(lambda x: bit_size < x[0],
mr_ranges))[0][1]
except IndexError:
mr_iterations = 1
if miller_rabin_test(candidate, mr_iterations,
randfunc=randfunc) == COMPOSITE:
return COMPOSITE
if lucas_test(candidate) == COMPOSITE:
return COMPOSITE
return PROBABLY_PRIME
def _verify(self, m, sig):
r, s = sig
y, q, p, g = [self._key[comp] for comp in ['y', 'q', 'p', 'g']]
if not (0 < r < q) or not (0 < s < q):
return False
w = Integer(s).inverse(q)
u1 = (w * m) % q
u2 = (w * r) % q
v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
return v == r
def _verify(self, M, sig):
sig = [Integer(x) for x in sig]
if sig[0] < 1 or sig[0] > self.p - 1:
return 0
v1 = pow(self.y, sig[0], self.p)
v1 = (v1 * pow(sig[0], sig[1], self.p)) % self.p
v2 = pow(self.g, M, self.p)
if v1 == v2:
return 1
return 0
def _get_weak_domain(self):
from Cryptodome.Math.Numbers import Integer
from Cryptodome.Math import Primality
p = Integer(4)
while p.size_in_bits() != 1024 or Primality.test_probable_prime(p) != Primality.PROBABLY_PRIME:
q1 = Integer.random(exact_bits=80)
q2 = Integer.random(exact_bits=80)
q = q1 * q2
z = Integer.random(exact_bits=1024-160)
p = z * q + 1
h = Integer(2)
g = 1
while g == 1:
g = pow(h, z, p)
h += 1
return (p, q, g)
def add_ssh_keys(params, endpoint, record, temp_files, non_shared):
# type: (KeeperParams, str, Record, [str], dict) -> [bytes]
rs = []
key_prefix = 'connect:{0}:ssh-key'.format(endpoint)
ssh_socket_path = os.environ.get('SSH_AUTH_SOCK')
for cf in record.custom_fields:
cf_name = cf['name'] # type: str
if cf_name.startswith(key_prefix):
key_name = cf_name[len(key_prefix)+1:] or 'Commander'
cf_value = cf['value'] # type: str
parsed_values = []
while True:
m = endpoint_parameter_pattern.search(cf_value)
if not m:
break
p = m.group(1)
val = ConnectCommand.get_parameter_value(params, record, p, temp_files, non_shared)
if not val:
raise Exception('Add ssh-key. Failed to resolve key parameter: {0}'.format(p))
parsed_values.append(val)
cf_value = cf_value[m.end():]
if len(parsed_values) > 0:
cf_value = cf_value.strip()
if cf_value:
parsed_values.append(cf_value)
private_key = RSA.importKey(parsed_values[0], parsed_values[1] if len(parsed_values) > 0 else None)
with ConnectSshAgent(ssh_socket_path) as fd:
payload = SSH2_AGENTC_ADD_IDENTITY.to_bytes(1, byteorder='big')
payload += ConnectCommand.ssh_agent_encode_str('ssh-rsa')
payload += ConnectCommand.ssh_agent_encode_long(private_key.n)
payload += ConnectCommand.ssh_agent_encode_long(private_key.e)
payload += ConnectCommand.ssh_agent_encode_long(private_key.d)
payload += ConnectCommand.ssh_agent_encode_long(int(Integer(private_key.q).inverse(private_key.p)))
payload += ConnectCommand.ssh_agent_encode_long(private_key.p)
payload += ConnectCommand.ssh_agent_encode_long(private_key.q)
payload += ConnectCommand.ssh_agent_encode_str(key_name)
# windows ssh implementation does not support constrained identities
#payload += SSH_AGENT_CONSTRAIN_LIFETIME.to_bytes(1, byteorder='big')
#payload += int(10).to_bytes(4, byteorder='big')
recv_payload = fd.send(payload)
if recv_payload and recv_payload[0] == SSH_AGENT_FAILURE:
raise Exception('Add ssh-key. Failed to add ssh key \"{0}\" to ssh-agent'.format(key_name))
payload = ConnectCommand.ssh_agent_encode_str('ssh-rsa')
payload += ConnectCommand.ssh_agent_encode_long(private_key.e)
payload += ConnectCommand.ssh_agent_encode_long(private_key.n)
payload = SSH2_AGENTC_REMOVE_IDENTITY.to_bytes(1, byteorder='big') + ConnectCommand.ssh_agent_encode_bytes(payload)
rs.append(payload)
return rs
def generate_p_q_g():
start2 = timeit.default_timer()
p = Integer(4)
while p.size_in_bits() != 1024 or Primality.test_probable_prime(
p) != Primality.PROBABLY_PRIME:
q = random.randrange(1 << 159, 1 << 160)
if (is_prime_4(q)):
z = Integer.random(exact_bits=1024 - 160)
p = z * q + 1
stop2 = timeit.default_timer()
print("Time Reqiued_1: " + str(stop2 - start2))
start1 = timeit.default_timer()
h = Integer(2)
g = 1
while g == 1:
g = power(int(h), int(z), int(p))
h += 1
stop1 = timeit.default_timer()
print("Time Reqiued_2: " + str(stop1 - start1))
return (p, q, g)
def encrypt(key, message):
"""Encrypts an integer message using the provided ElGamal key
Includes a copy of key in the output (so be sure to use a public key; will assert error out otherwise)
Note that this is stochastic because we randomly generate an ephemeral key each time
******VERY IMPORTANT*******
The message must be a quadratic residue for DDH to hold.
We do not ensure this in this encrypt function, because we carefully control what input messages are possible.
Do *NOT* use this for general purpose encryption unless you first encode the message as a quadratic residue.
Using a non-quadratic residue will look like it works, but will not be secure.
***************************
"""
assert (not key.has_private())
z = randint(2, int(key.p - 1)) # Ephemeral key
c_1 = pow(key.g, z, key.p) # first part of ciphertext
s = pow(key.y, z, key.p) # shared secret
m = message
c_2 = (Integer(m) * Integer(s)) % key.p
return CipherText(key, c_1, c_2)
def generate_rsa_key_pair():
rsa_key = RSA.generate(2048)
private_key = DerSequence([
0, rsa_key.n, rsa_key.e, rsa_key.d, rsa_key.p, rsa_key.q,
rsa_key.d % (rsa_key.p - 1), rsa_key.d % (rsa_key.q - 1),
Integer(rsa_key.q).inverse(rsa_key.p)
]).encode()
pub_key = rsa_key.publickey()
public_key = DerSequence([pub_key.n, pub_key.e]).encode()
return private_key, public_key
def __repr__(self):
attrs = []
for k in self._keydata:
if k == 'p':
bits = Integer(self.p).size_in_bits()
attrs.append("p(%d)" % (bits, ))
elif hasattr(self, k):
attrs.append(k)
if self.has_private():
attrs.append("private")
# PY3K: This is meant to be text, do not change to bytes (data)
return "<%s @0x%x %s>" % (self.__class__.__name__, id(self),
",".join(attrs))
