def full_simulation_counts(key_template, hospital_counts): '''Runs a full simulation of an encrypted sum''' padded_size = int(np.round(key_template.p.size_in_bits() / 8)) num_hospitals = len(hospital_counts) round0a = [hospital_round0a(key_template) for _ in range(num_hospitals)] round0a_transmissions = [x['transmit'] for x in round0a] round0b = hub_round0b(key_template, round0a_transmissions) key_public = round0b['key_public'] hospital_keys = [x['private_key'] for x in round0a] round1a_start = time.perf_counter() round1a = [ encrypt(key_public, pow(Integer(4), Integer(int(count)), key_public.p)).export_val() for count in hospital_counts ] round1a_time = time.perf_counter() - round1a_start round1b_start = time.perf_counter() round1b = sum([CipherText.byte_init(key_public, x) for x in round1a]).export_val() round1b_time = time.perf_counter() - round1b_start round2a_start = time.perf_counter() round2a = [ shared_secret(hk, CipherText.byte_init(key_public, round1b)).to_bytes(padded_size) for hk in hospital_keys ] round2a_time = time.perf_counter() - round2a_start round2b_start = time.perf_counter() round2b_sec = Integer(1) encrypted_sum = CipherText.byte_init(key_public, round1b) for k in range(num_hospitals): round2b_sec = (round2b_sec * Integer.from_bytes(round2a[k])) % key_public.p s_inv = pow( round2b_sec, key_public.p - 2, key_public.p ) # modular multiplicative inverse https://stackoverflow.com/questions/4798654/modular-multiplicative-inverse-function-in-python decrypted_sum = (s_inv * encrypted_sum.c2) % key_public.p load_precomputed_discrete_log4_table( ) # using precomputation instead of naive method logged_sum = discrete_log4(key_public, decrypted_sum) round2b_time = time.perf_counter() - round2b_start ans_dict = {} ans_dict['round0a_time'] = sum(x['time'] for x in round0a) ans_dict['round0b_time'] = round0b['time'] ans_dict['round1a_time'] = round1a_time ans_dict['round1b_time'] = round1b_time ans_dict['round2a_time'] = round2a_time ans_dict['round2b_time'] = round2b_time return logged_sum, ans_dict
def xy(self): modulus_bytes = self.size_in_bytes() xb = bytearray(modulus_bytes) yb = bytearray(modulus_bytes) result = _ec_lib.ec_ws_get_xy(c_uint8_ptr(xb), c_uint8_ptr(yb), c_size_t(modulus_bytes), self._point.get()) if result: raise ValueError("Error %d while encoding an EC point" % result) return (Integer(bytes_to_long(xb)), Integer(bytes_to_long(yb)))
def _generate_domain(L, randfunc): """Generate a new set of DSA domain parameters""" N = {1024: 160, 2048: 224, 3072: 256}.get(L) if N is None: raise ValueError("Invalid modulus length (%d)" % L) outlen = SHA256.digest_size * 8 n = (L + outlen - 1) // outlen - 1 # ceil(L/outlen) -1 b_ = L - 1 - (n * outlen) # Generate q (A.1.1.2) q = Integer(4) upper_bit = 1 << (N - 1) while test_probable_prime(q, randfunc) != PROBABLY_PRIME: seed = randfunc(64) U = Integer.from_bytes(SHA256.new(seed).digest()) & (upper_bit - 1) q = U | upper_bit | 1 assert (q.size_in_bits() == N) # Generate p (A.1.1.2) offset = 1 upper_bit = 1 << (L - 1) while True: V = [ SHA256.new(seed + Integer(offset + j).to_bytes()).digest() for j in range(n + 1) ] V = [Integer.from_bytes(v) for v in V] W = sum([V[i] * (1 << (i * outlen)) for i in range(n)], (V[n] & (1 << b_ - 1)) * (1 << (n * outlen))) X = Integer(W + upper_bit) # 2^{L-1} < X < 2^{L} assert (X.size_in_bits() == L) c = X % (q * 2) p = X - (c - 1) # 2q divides (p-1) if p.size_in_bits() == L and \ test_probable_prime(p, randfunc) == PROBABLY_PRIME: break offset += n + 1 # Generate g (A.2.3, index=1) e = (p - 1) // q for count in itertools.count(1): U = seed + b("ggen") + bchr(1) + Integer(count).to_bytes() W = Integer.from_bytes(SHA256.new(U).digest()) g = pow(W, e, p) if g != 1: break return (p, q, g, seed)
def _sign(self, M, K): if (not hasattr(self, 'x')): raise TypeError('Private key not available in this object') p1=self.p-1 K = Integer(K) if (K.gcd(p1)!=1): raise ValueError('Bad K value: GCD(K,p-1)!=1') a=pow(self.g, K, self.p) t=(Integer(M)-self.x*a) % p1 while t<0: t=t+p1 b=(t*K.inverse(p1)) % p1 return map(int, (a, b))
def _generateRSAKey(bits, randfunc=None, e=65537): """Modified version of pycryptodome's Crypto.RSA.generate to allow keys of any size.""" if e % 2 == 0 or e < 3: raise ValueError( "RSA public exponent must be a positive, odd integer larger than 2." ) if randfunc is None: randfunc = Random.get_random_bytes d = n = Integer(1) e = Integer(e) while n.size_in_bits() != bits and d < (1 << (bits // 2)): # Generate the prime factors of n: p and q. # By construciton, their product is always # 2^{bits-1} < p*q < 2^bits. size_q = bits // 2 size_p = bits - size_q min_p = min_q = (Integer(1) << (2 * size_q - 1)).sqrt() if size_q != size_p: min_p = (Integer(1) << (2 * size_p - 1)).sqrt() def filter_p(candidate): return candidate > min_p and (candidate - 1).gcd(e) == 1 p = _generateProbablePrime(exact_bits=size_p, randfunc=randfunc, prime_filter=filter_p) min_distance = Integer(1) << max(0, bits // 2 - 100) def filter_q(candidate): return (candidate > min_q and (candidate - 1).gcd(e) == 1 and abs(candidate - p) > min_distance) q = _generateProbablePrime(exact_bits=size_q, randfunc=randfunc, prime_filter=filter_q) n = p * q lcm = (p - 1).lcm(q - 1) d = e.inverse(lcm) if p > q: p, q = q, p u = p.inverse(q) return RSA.RsaKey(n=n, e=e, d=d, p=p, q=q, u=u)
def private_equality_test(self, other): # https://crypto.stackexchange.com/questions/9527/how-does-an-oblivious-test-of-plaintext-equality-work assert (self.key.p == other.key.p) assert (self.key.g == other.key.g) assert (self.key.y == other.key.y) other_c1_inv = pow(other.c1, self.key.p - 2, self.key.p) other_c2_inv = pow(other.c2, self.key.p - 2, self.key.p) new_c1 = (self.c1 * other_c1_inv) % self.key.p new_c2 = (self.c2 * other_c2_inv) % self.key.p z = randint(2, int(key.p - 1)) # To blind the ciphertext new_c1_z = pow(new_c1, Integer(z), self.key.p) new_c2_z = pow(new_c2, Integer(z), self.key.p) return CipherText(self.key, new_c1_z, new_c2_z)
def generate_p_q_g(): p = Integer(4) while p.size_in_bits() != 1024 or Primality.test_probable_prime(p) != Primality.PROBABLY_PRIME: q=random.randrange(1 << 159, 1 << 160) if(is_prime(q)): z = Integer.random(exact_bits=1024-160) p = z * q + 1 h = Integer(2) g = 1 while g == 1: g = pow(h, z, p) h += 1 return (p, q, g)
def construct(**kwargs): """Build a new ECC key (private or public) starting from some base components. Args: curve (string): Mandatory. It must be "P-256", "prime256v1" or "secp256r1". d (integer): Only for a private key. It must be in the range ``[1..order-1]``. point_x (integer): Mandatory for a public key. X coordinate (affine) of the ECC point. point_y (integer): Mandatory for a public key. Y coordinate (affine) of the ECC point. Returns: :class:`EccKey` : a new ECC key object """ point_x = kwargs.pop("point_x", None) point_y = kwargs.pop("point_y", None) if "point" in kwargs: raise TypeError("Unknown keyword: point") if None not in (point_x, point_y): kwargs["point"] = EccPoint(point_x, point_y) # Validate that the point is on the P-256 curve eq1 = pow(Integer(point_y), 2, _curve.p) x = Integer(point_x) eq2 = pow(x, 3, _curve.p) x *= -3 eq2 += x eq2 += _curve.b eq2 %= _curve.p if eq1 != eq2: raise ValueError("The point is not on the curve") # Validate that the private key matches the public one d = kwargs.get("d", None) if d is not None and "point" in kwargs: pub_key = _curve.G * d if pub_key.x != point_x or pub_key.y != point_y: raise ValueError("Private and public ECC keys do not match") return EccKey(**kwargs)
def verify(self, msg_hash, signature): """Check if a certain (EC)DSA signature is authentic. :parameter msg_hash: The hash that was carried out over the message. This is an object belonging to the :mod:`Cryptodome.Hash` module. Under mode *'fips-186-3'*, the hash must be a FIPS approved secure hash (SHA-1 or a member of the SHA-2 family), of cryptographic strength appropriate for the DSA key. For instance, a 3072/256 DSA key can only be used in combination with SHA-512. :type msg_hash: hash object :parameter signature: The signature that needs to be validated :type signature: byte string :raise ValueError: if the signature is not authentic """ if not self._valid_hash(msg_hash): raise ValueError("Hash is not sufficiently strong") if self._encoding == 'binary': if len(signature) != (2 * self._order_bytes): raise ValueError("The signature is not authentic (length)") r_prime, s_prime = [ Integer.from_bytes(x) for x in (signature[:self._order_bytes], signature[self._order_bytes:]) ] else: try: der_seq = DerSequence().decode(signature, strict=True) except (ValueError, IndexError): raise ValueError("The signature is not authentic (DER)") if len(der_seq) != 2 or not der_seq.hasOnlyInts(): raise ValueError( "The signature is not authentic (DER content)") r_prime, s_prime = Integer(der_seq[0]), Integer(der_seq[1]) if not (0 < r_prime < self._order) or not (0 < s_prime < self._order): raise ValueError("The signature is not authentic (d)") z = Integer.from_bytes(msg_hash.digest()[:self._order_bytes]) result = self._key._verify(z, (r_prime, s_prime)) if not result: raise ValueError("The signature is not authentic") # Make PyCryptodome code to fail return False
def test_scalar_multiply(self): d = 0xa78ccc30eaca0fcc8e36b2dd6fbb03df06d37f52711e6363aaf1d73b pointRx = 0x96a7625e92a8d72bff1113abdb95777e736a14c6fdaacc392702bca4 pointRy = 0x0f8e5702942a3c5e13cd2fd5801915258b43dfadc70d15dbada3ed10 pointR = self.pointS * d self.assertEqual(pointR.x, pointRx) self.assertEqual(pointR.y, pointRy) # 0*S pai = self.pointS.point_at_infinity() pointR = self.pointS * 0 self.assertEqual(pointR, pai) # -1*S self.assertRaises(ValueError, lambda: self.pointS * -1) # Reverse order pointR = d * self.pointS self.assertEqual(pointR.x, pointRx) self.assertEqual(pointR.y, pointRy) pointR = Integer(d) * self.pointS self.assertEqual(pointR.x, pointRx) self.assertEqual(pointR.y, pointRy)
def test_scalar_multiply(self): d = 0xa78a236d60baec0c5dd41b33a542463a8255391af64c74ee pointRx = 0x1faee4205a4f669d2d0a8f25e3bcec9a62a6952965bf6d31 pointRy = 0x5ff2cdfa508a2581892367087c696f179e7a4d7e8260fb06 pointR = self.pointS * d self.assertEqual(pointR.x, pointRx) self.assertEqual(pointR.y, pointRy) # 0*S pai = self.pointS.point_at_infinity() pointR = self.pointS * 0 self.assertEqual(pointR, pai) # -1*S self.assertRaises(ValueError, lambda: self.pointS * -1) # Reverse order pointR = d * self.pointS self.assertEqual(pointR.x, pointRx) self.assertEqual(pointR.y, pointRy) pointR = Integer(d) * self.pointS self.assertEqual(pointR.x, pointRx) self.assertEqual(pointR.y, pointRy)
def toElPoint(self): if (self.z == 0): return self.curve.O z_inv = int(Integer(self.z).inverse(self.curve.p)) x = self.x * z_inv % self.curve.p y = self.y * z_inv % self.curve.p return ElPoint(x, y, self.curve)
def _encrypt(key, message): mod_bits = size(key.n) k = ceil_div(mod_bits, 8) m_len = len(message) # Step 1 if m_len > k - 11: raise ValueError("Plaintext is too long.") # Step 2a ps = [] while len(ps) != k - m_len - 3: new_byte = bchr(0xFF) if bord(new_byte[0]) == 0x00: continue ps.append(new_byte) ps = b("").join(ps) assert (len(ps) == k - m_len - 3) # Step 2b em = b('\x00\x01') + ps + bchr(0x00) + message # Step 3a (OS2IP) em_int = bytes_to_long(em) # Step 3b (RSAEP) if not 0 < em_int < key._n: raise ValueError("Plaintext too large") m_int = int(pow(Integer(em_int), key._d, key._n)) # Step 3c (I2OSP) c = long_to_bytes(m_int, k) return c
def _decrypt(self, ciphertext): if not 0 < ciphertext < self._n: raise ValueError("Ciphertext too large") if not self.has_private(): raise TypeError("This is not a private key") # Blinded RSA decryption (to prevent timing attacks): # Step 1: Generate random secret blinding factor r, # such that 0 < r < n-1 r = Integer.random_range(min_inclusive=1, max_exclusive=self._n) # Step 2: Compute c' = c * r**e mod n cp = Integer(ciphertext) * pow(r, self._e, self._n) % self._n # Step 3: Compute m' = c'**d mod n (ordinary RSA decryption) m1 = pow(cp, self._d % (self._p - 1), self._p) m2 = pow(cp, self._d % (self._q - 1), self._q) h = m2 - m1 while h < 0: h += self._q h = (h * self._u) % self._q mp = h * self._p + m1 # Step 4: Compute m = m**(r-1) mod n result = (r.inverse(self._n) * mp) % self._n # Verify no faults occured if ciphertext != pow(result, self._e, self._n): raise ValueError("Fault detected in RSA decryption") return result
def __init__(self, **kwargs): """Create a new ECC key Keywords: curve : string It must be *"P-256"*, *"prime256v1"* or *"secp256r1"*. d : integer Only for a private key. It must be in the range ``[1..order-1]``. point : EccPoint Mandatory for a public key. If provided for a private key, the implementation will NOT check whether it matches ``d``. """ kwargs_ = dict(kwargs) self.curve = kwargs_.pop("curve", None) self._d = kwargs_.pop("d", None) self._point = kwargs_.pop("point", None) if kwargs_: raise TypeError("Unknown parameters: " + str(kwargs_)) if self.curve not in _curve.names: raise ValueError("Unsupported curve (%s)", self.curve) if self._d is None: if self._point is None: raise ValueError( "Either private or public ECC component must be specified") else: self._d = Integer(self._d) if not 1 <= self._d < _curve.order: raise ValueError("Invalid ECC private component")
def test_scalar_multiply(self): d = 0xc51e4753afdec1e6b6c6a5b992f43f8dd0c7a8933072708b6522468b2ffb06fd pointRx = 0x51d08d5f2d4278882946d88d83c97d11e62becc3cfc18bedacc89ba34eeca03f pointRy = 0x75ee68eb8bf626aa5b673ab51f6e744e06f8fcf8a6c0cf3035beca956a7b41d5 pointR = self.pointS * d self.assertEqual(pointR.x, pointRx) self.assertEqual(pointR.y, pointRy) # 0*S pai = self.pointS.point_at_infinity() pointR = self.pointS * 0 self.assertEqual(pointR, pai) # -1*S self.assertRaises(ValueError, lambda: self.pointS * -1) # Reverse order pointR = d * self.pointS self.assertEqual(pointR.x, pointRx) self.assertEqual(pointR.y, pointRy) pointR = Integer(d) * self.pointS self.assertEqual(pointR.x, pointRx) self.assertEqual(pointR.y, pointRy)
def discrete_log4_naive(key, x): '''Finds the discrete log with respect to 4 for a really big number. Does it naively be counting up by powers of two until we get to x''' key_public = key s_inv = pow( Integer(4), key_public.p - 2, key_public.p ) # modular multiplicative inverse https://stackoverflow.com/questions/4798654/modular-multiplicative-inverse-function-in-python tmp = Integer(x) ans = 0 while tmp != 1: tmp = tmp * s_inv % key_public.p ans = ans + 1 if ans % 100000 == 0: print('.', end='', flush=True) return ans
def verify(self, msg_hash, signature): """Check if a certain (EC)DSA signature is authentic. Args: msg_hash (hash object): The hash that was carried out over the message. This is an object belonging to the :mod:`Cryptodome.Hash` module. Under mode ``'fips-186-3'``, the hash must be a FIPS approved secure hash (SHA-2 or SHA-3). signature (``bytes``): The signature that needs to be validated. :raise ValueError: if the signature is not authentic """ if not self._valid_hash(msg_hash): raise ValueError("Hash is not sufficiently strong") if self._encoding == 'binary': if len(signature) != (2 * self._order_bytes): raise ValueError("The signature is not authentic (length)") r_prime, s_prime = [ Integer.from_bytes(x) for x in (signature[:self._order_bytes], signature[self._order_bytes:]) ] else: try: der_seq = DerSequence().decode(signature, strict=True) except (ValueError, IndexError): raise ValueError("The signature is not authentic (DER)") if len(der_seq) != 2 or not der_seq.hasOnlyInts(): raise ValueError( "The signature is not authentic (DER content)") r_prime, s_prime = Integer(der_seq[0]), Integer(der_seq[1]) if not (0 < r_prime < self._order) or not (0 < s_prime < self._order): raise ValueError("The signature is not authentic (d)") z = Integer.from_bytes(msg_hash.digest()[:self._order_bytes]) result = self._key._verify(z, (r_prime, s_prime)) if not result: raise ValueError("The signature is not authentic") # Make PyCryptodome code to fail return False
def __init__(self, key, encoding, order, randfunc): super(FipsDsaSigScheme, self).__init__(key, encoding, order) self._randfunc = randfunc L = Integer(key.p).size_in_bits() if (L, self._order_bits) not in self._fips_186_3_L_N: error = ("L/N (%d, %d) is not compliant to FIPS 186-3" % (L, self._order_bits)) raise ValueError(error)
def __init__(self, key, n): self.key = key self.n = n # Figure out sizes needed for array for t in 'BHILQ': if array.array(t).itemsize * 8 > np.log(n) / np.log(2): typecode = t break y = Integer(1) table = [array.array(typecode) for _ in range(2**16)] for x in range(n): h = xxh64_intdigest(str(y)) % 2**16 table[h].append(x) y = Integer(y) * Integer(4) % key.p if x % 1000000 == 0: print(x) self.table = table
def __add__(self, other): if (self == self.curve.O): return other if (other == self.curve.O): return self p = self.curve.p if (self.x == other.x): if ((self.y + other.y) % p == 0): return self.curve.O else: l = (((3 * self.x**2 + self.curve.A) % p) * int(Integer(2 * self.y).inverse(p))) % p else: l = ((other.y - self.y) * int(Integer(other.x - self.x).inverse(p))) % p x = (pow(l, 2, p) - self.x - other.x) % p y = (l * (self.x - x) - self.y) % p return ElPoint(x, y, self.curve)
def test_probable_prime(candidate, randfunc=None): """Test if a number is prime. A number is qualified as prime if it passes a certain number of Miller-Rabin tests (dependent on the size of the number, but such that probability of a false positive is less than 10^-30) and a single Lucas test. For instance, a 1024-bit candidate will need to pass 4 Miller-Rabin tests. :Parameters: candidate : integer The number to test for primality. randfunc : callable The routine to draw random bytes from to select Miller-Rabin bases. :Returns: ``PROBABLE_PRIME`` if the number if prime with very high probability. ``COMPOSITE`` if the number is a composite. For efficiency reasons, ``COMPOSITE`` is also returned for small primes. """ if randfunc is None: randfunc = Random.new().read if not isinstance(candidate, Integer): candidate = Integer(candidate) # First, check trial division by the smallest primes if int(candidate) in _sieve_base: return PROBABLY_PRIME try: map(candidate.fail_if_divisible_by, _sieve_base) except ValueError: return COMPOSITE # These are the number of Miller-Rabin iterations s.t. p(k, t) < 1E-30, # with p(k, t) being the probability that a randomly chosen k-bit number # is composite but still survives t MR iterations. mr_ranges = ((220, 30), (280, 20), (390, 15), (512, 10), (620, 7), (740, 6), (890, 5), (1200, 4), (1700, 3), (3700, 2)) bit_size = candidate.size_in_bits() try: mr_iterations = list(filter(lambda x: bit_size < x[0], mr_ranges))[0][1] except IndexError: mr_iterations = 1 if miller_rabin_test(candidate, mr_iterations, randfunc=randfunc) == COMPOSITE: return COMPOSITE if lucas_test(candidate) == COMPOSITE: return COMPOSITE return PROBABLY_PRIME
def _verify(self, m, sig): r, s = sig y, q, p, g = [self._key[comp] for comp in ['y', 'q', 'p', 'g']] if not (0 < r < q) or not (0 < s < q): return False w = Integer(s).inverse(q) u1 = (w * m) % q u2 = (w * r) % q v = (pow(g, u1, p) * pow(y, u2, p) % p) % q return v == r
def _verify(self, M, sig): sig = [Integer(x) for x in sig] if sig[0] < 1 or sig[0] > self.p - 1: return 0 v1 = pow(self.y, sig[0], self.p) v1 = (v1 * pow(sig[0], sig[1], self.p)) % self.p v2 = pow(self.g, M, self.p) if v1 == v2: return 1 return 0
def _get_weak_domain(self): from Cryptodome.Math.Numbers import Integer from Cryptodome.Math import Primality p = Integer(4) while p.size_in_bits() != 1024 or Primality.test_probable_prime(p) != Primality.PROBABLY_PRIME: q1 = Integer.random(exact_bits=80) q2 = Integer.random(exact_bits=80) q = q1 * q2 z = Integer.random(exact_bits=1024-160) p = z * q + 1 h = Integer(2) g = 1 while g == 1: g = pow(h, z, p) h += 1 return (p, q, g)
def add_ssh_keys(params, endpoint, record, temp_files, non_shared): # type: (KeeperParams, str, Record, [str], dict) -> [bytes] rs = [] key_prefix = 'connect:{0}:ssh-key'.format(endpoint) ssh_socket_path = os.environ.get('SSH_AUTH_SOCK') for cf in record.custom_fields: cf_name = cf['name'] # type: str if cf_name.startswith(key_prefix): key_name = cf_name[len(key_prefix)+1:] or 'Commander' cf_value = cf['value'] # type: str parsed_values = [] while True: m = endpoint_parameter_pattern.search(cf_value) if not m: break p = m.group(1) val = ConnectCommand.get_parameter_value(params, record, p, temp_files, non_shared) if not val: raise Exception('Add ssh-key. Failed to resolve key parameter: {0}'.format(p)) parsed_values.append(val) cf_value = cf_value[m.end():] if len(parsed_values) > 0: cf_value = cf_value.strip() if cf_value: parsed_values.append(cf_value) private_key = RSA.importKey(parsed_values[0], parsed_values[1] if len(parsed_values) > 0 else None) with ConnectSshAgent(ssh_socket_path) as fd: payload = SSH2_AGENTC_ADD_IDENTITY.to_bytes(1, byteorder='big') payload += ConnectCommand.ssh_agent_encode_str('ssh-rsa') payload += ConnectCommand.ssh_agent_encode_long(private_key.n) payload += ConnectCommand.ssh_agent_encode_long(private_key.e) payload += ConnectCommand.ssh_agent_encode_long(private_key.d) payload += ConnectCommand.ssh_agent_encode_long(int(Integer(private_key.q).inverse(private_key.p))) payload += ConnectCommand.ssh_agent_encode_long(private_key.p) payload += ConnectCommand.ssh_agent_encode_long(private_key.q) payload += ConnectCommand.ssh_agent_encode_str(key_name) # windows ssh implementation does not support constrained identities #payload += SSH_AGENT_CONSTRAIN_LIFETIME.to_bytes(1, byteorder='big') #payload += int(10).to_bytes(4, byteorder='big') recv_payload = fd.send(payload) if recv_payload and recv_payload[0] == SSH_AGENT_FAILURE: raise Exception('Add ssh-key. Failed to add ssh key \"{0}\" to ssh-agent'.format(key_name)) payload = ConnectCommand.ssh_agent_encode_str('ssh-rsa') payload += ConnectCommand.ssh_agent_encode_long(private_key.e) payload += ConnectCommand.ssh_agent_encode_long(private_key.n) payload = SSH2_AGENTC_REMOVE_IDENTITY.to_bytes(1, byteorder='big') + ConnectCommand.ssh_agent_encode_bytes(payload) rs.append(payload) return rs
def generate_p_q_g(): start2 = timeit.default_timer() p = Integer(4) while p.size_in_bits() != 1024 or Primality.test_probable_prime( p) != Primality.PROBABLY_PRIME: q = random.randrange(1 << 159, 1 << 160) if (is_prime_4(q)): z = Integer.random(exact_bits=1024 - 160) p = z * q + 1 stop2 = timeit.default_timer() print("Time Reqiued_1: " + str(stop2 - start2)) start1 = timeit.default_timer() h = Integer(2) g = 1 while g == 1: g = power(int(h), int(z), int(p)) h += 1 stop1 = timeit.default_timer() print("Time Reqiued_2: " + str(stop1 - start1)) return (p, q, g)
def encrypt(key, message): """Encrypts an integer message using the provided ElGamal key Includes a copy of key in the output (so be sure to use a public key; will assert error out otherwise) Note that this is stochastic because we randomly generate an ephemeral key each time ******VERY IMPORTANT******* The message must be a quadratic residue for DDH to hold. We do not ensure this in this encrypt function, because we carefully control what input messages are possible. Do *NOT* use this for general purpose encryption unless you first encode the message as a quadratic residue. Using a non-quadratic residue will look like it works, but will not be secure. *************************** """ assert (not key.has_private()) z = randint(2, int(key.p - 1)) # Ephemeral key c_1 = pow(key.g, z, key.p) # first part of ciphertext s = pow(key.y, z, key.p) # shared secret m = message c_2 = (Integer(m) * Integer(s)) % key.p return CipherText(key, c_1, c_2)
def generate_rsa_key_pair(): rsa_key = RSA.generate(2048) private_key = DerSequence([ 0, rsa_key.n, rsa_key.e, rsa_key.d, rsa_key.p, rsa_key.q, rsa_key.d % (rsa_key.p - 1), rsa_key.d % (rsa_key.q - 1), Integer(rsa_key.q).inverse(rsa_key.p) ]).encode() pub_key = rsa_key.publickey() public_key = DerSequence([pub_key.n, pub_key.e]).encode() return private_key, public_key
def __repr__(self): attrs = [] for k in self._keydata: if k == 'p': bits = Integer(self.p).size_in_bits() attrs.append("p(%d)" % (bits, )) elif hasattr(self, k): attrs.append(k) if self.has_private(): attrs.append("private") # PY3K: This is meant to be text, do not change to bytes (data) return "<%s @0x%x %s>" % (self.__class__.__name__, id(self), ",".join(attrs))