def attack_rsa(message):
"""
Performs the e=3 broadcast attack as described above.
Args:
message (bytes): The message to send 3 times.
Returns:
The message that was sent in, but decrypted from the crazy math.
"""
server = BadRSAServer()
c_0, (_, n_0) = server.encrypt_message(message)
c_1, (_, n_1) = server.encrypt_message(message)
c_2, (_, n_2) = server.encrypt_message(message)
m_0 = n_1 * n_2
m_1 = n_0 * n_2
m_2 = n_0 * n_1
c_0 = int.from_bytes(c_0, 'big')
c_1 = int.from_bytes(c_1, 'big')
c_2 = int.from_bytes(c_2, 'big')
result = c_0 * m_0 * c39.invmod(m_0, n_0)
result += c_1 * m_1 * c39.invmod(m_1, n_1)
result += c_2 * m_2 * c39.invmod(m_2, n_2)
result = result % (n_0 * n_1 * n_2)
result = find_invpow(result, 3)[0]
return c36.int_to_bytes(result)
def login(self, email, password, A):
"""
Attempts to log into the SRP server with the given credentials.
Args:
email: The email of the user
password: The password of the user
A: A malicious A value. Must be 0, or multiple of N
Returns:
True if successful login
"""
# Send I, A
out = queue.Queue()
inp = queue.Queue()
self.server.authenticate(email, A, out, inp)
# S->C salt, B
salt, B = inp.get()
if DEBUG:
print('CLIENT: salt: ' + str(c1.asciitohex(salt)))
print('CLIENT: B: ' + str(B))
if A % self.N != 0:
raise ValueError('Not a valid malicious A value')
K = sha256(int_to_bytes(0)).digest()
hmac = hmac_sha256(salt, K)
if DEBUG:
print('CLIENT: K: ' + str(c1.asciitohex(K)))
print('CLIENT: HMAC: ' + str(c1.asciitohex(hmac)))
out.put(hmac)
auth = inp.get()
return auth
def __dictionary_attack(self, client_hmac, salt, A, u):
for password in self.password_list:
xH = sha256(salt + password).digest()
x = int.from_bytes(xH, byteorder='big')
v = pow(self.g, x, self.N)
S = (A * v) % self.N
K = sha256(int_to_bytes(S)).digest()
hmac = hmac_sha256(salt, K)
if hmac == client_hmac:
self.password = password
return
raise RuntimeError('Password not found')
def __auth(self, email, A, inp, output):
# Send salt, B
b = int.from_bytes(os.urandom(8), byteorder='big')
B = pow(self.g, b, self.N)
if DEBUG:
print('SERVER: B: ' + str(B))
u = int.from_bytes(os.urandom(16), byteorder='big')
output.put([self.salt, B, u])
# Generate S = (A * v**u)**b % N, K
S = pow(A * pow(self.v, u, self.N), b, self.N)
K = sha256(int_to_bytes(S)).digest()
hmac = hmac_sha256(self.salt, K)
if DEBUG:
print('SERVER: S: ' + str(S))
print('SERVER: K: ' + str(c1.asciitohex(K)))
print('SERVER: hmac: ' + str(c1.asciitohex(hmac)))
client_hmac = inp.get()
output.put(hmac == client_hmac)
def login(self, email, password):
"""
Attempts to log into the SRP server with the given credentials.
Args:
email: The email of the user
password: The password of the user
Returns:
True if successful login
"""
a = int.from_bytes(os.urandom(8), byteorder='big')
A = pow(self.g, a, self.N)
# Send I, A
out = queue.Queue()
inp = queue.Queue()
self.server.authenticate(email, A, out, inp)
# S->C salt, B, u
salt, B, u = inp.get()
if DEBUG:
print('CLIENT: salt: ' + str(c1.asciitohex(salt)))
print('CLIENT: B: ' + str(B))
print('CLIENT: u: ' + str(u))
# Generate xH, K, S= (B - k * g**x)**(a + u*x) % N
xH = sha256(salt + password).digest()
x = int.from_bytes(xH, byteorder='big')
S = pow(B, (a + u * x), self.N)
K = sha256(int_to_bytes(S)).digest()
hmac = hmac_sha256(salt, K)
if DEBUG:
print('CLIENT: xH: ' + str(c1.asciitohex(xH)))
print('CLIENT: S: ' + str(S))
print('CLIENT: K: ' + str(c1.asciitohex(K)))
print('CLIENT: HMAC: ' + str(c1.asciitohex(hmac)))
out.put(hmac)
auth = inp.get()
return auth