def dsa_parameter_tampering(): # g = 0 % p # so r = 0 ** k mod p mod q == 0 # normally r == 0 would be rejected, but let's assume that there is no error checking # then s = k ** -1 * H(m) mod q # Do not need secret key x to sign # g = p + 1 bad_params, pub, priv = dsa.dsa_keygen(dsa.P, dsa.Q, dsa.P+1) p, q, g = bad_params z = 3 z_inv = dsa.invmod(z, q) r = dsa.modexp(pub, z, p) % q s = r * z_inv % q # validate msg = 'Hello, world' print "Verifying %s " % msg print dsa.dsa_verify(bad_params, pub, msg, (r, s)) # validate msg = 'Goodbye, world' print "Verifying %s " % msg print dsa.dsa_verify(bad_params, pub, msg, (r, s))
def recover_dsa_nonce_repeated(params=(dsa.P, dsa.Q, dsa.G)):
p, q, g = params
# read messages
f = open('44.txt','r')
lines = f.readlines()
f.close()
y = '2d026f4bf30195ede3a088da85e398ef869611d0f68f07'+\
'13d51c9c1a3a26c95105d915e2d8cdf26d056b86b8a7b8'+\
'5519b1c23cc3ecdc6062650462e3063bd179c2a6581519'+\
'f674a61f1d89a1fff27171ebc1b93d4dc57bceb7ae2430'+\
'f98a6a4d83d8279ee65d71c1203d2c96d65ebbf7cce9d3'+\
'2971c3de5084cce04a2e147821'
y = long(y, 16)
x_sha1 = 'ca8f6f7c66fa362d40760d135b763eb8527d3d52'
# r = g^{k} mod p mod q
# s = k ^ -1 * (H(m) + x*r) mod q
# repeated k means that r is the same
# s1 - s2 = k ^ -1 * (H(m1) - H(m2)) mod q
# so k = (H(m1) - H(m2))/(s1 - s2) mod q
# search for a repeated r
r_dict = {}
for i in range(0, len(lines), 4):
msg = lines[i][5:].strip('\n')
s = lines[i+1][2:].strip()
r = lines[i+2][2:].strip()
h = lines[i+3][2:].strip()
if r in r_dict:
print "Found repeated r =", r
# we found a repeat, so calculate k
h1 = long(h, 16)
s1 = long(s)
s2, h2 = r_dict[r]
h2 = long(h2, 16)
s2 = long(s2)
numerator = (h1 - h2) % q
denominator = (s1 - s2) % q
denom_inv = dsa.invmod(denominator, q)
assert denom_inv
k = (numerator * denom_inv) % q
print "Found k: %d" % k
r2 = dsa.modexp(g, k, p) % q
print "Checking k ... ", long(r)==r2
# calculate x, the private key
x = dsa.recover_priv_from_k(params, k, msg, (long(r),long(s)))
if x_sha1 == hashlib.sha1(binascii.hexlify(dsa._tohex(x))).hexdigest():
print "Found x == %d" % x
return
else:
print "Could not find correct x"
r_dict[r] = (s, h)
return "Could not find a repeated use of k"
