# Show the genuine signature and confirm that it verifies. signature, message,
# U and verify() are defined earlier in the script, outside this excerpt.
print "Along with signature..."
print signature
print "Does it verify?"
print verify(signature, message, U)
print

#### Forging
# Signature forgery against a lax PKCS#1 v1.5 verifier: the block is built by
# hand with a very short 0xff run, and the hash sits directly after the header
# instead of at the end of the block.
msg_to_forge = "hi mom"
hash_mom = sha1(msg_to_forge).digest()
# Layout: 00 01 ff ff 00 | literal "ASN.1" placeholder | hash length | hash
block_mom = "\x00\x01\xff\xff\x00ASN.1" + chr(len(hash_mom)) + hash_mom
# Fill the remainder of the modulus-sized block with zero bytes
# (bits / 8 is integer division under Python 2).
bytes_to_add = (bits / 8) - len(block_mom)
block_mom = block_mom + "\x00" * bytes_to_add
# Round the block down to a perfect cube; the integer cube root of that cube is
# the forged signature. No private key is used, only cube roots, which
# presumably relies on the public exponent in U being 3 -- confirm.
root_of_block = cuberoot(rsa.s2i(block_mom))
block_mom_cube = "\x00" + rsa.i2s(root_of_block ** 3)
forged_sig = cuberoot(rsa.s2i(block_mom_cube))

#### Check the sig
# NOTE(review): this only passes if verify() accepts a hash that is not
# right-justified in the block. A strict verifier rebuilds the full expected
# encoding (complete 0xff run, DigestInfo, hash as the last bytes) and compares
# the whole block, which rejects this forgery.
print "A poor fool received message:", msg_to_forge
print "Along with signature..."
print forged_sig
print "Does it verify?"
result = verify(forged_sig, msg_to_forge, U)
print result
print

#### tests ####
# The forged signature must be accepted, and padding must round-trip.
assert result
assert unpad(pkcs_1_5("Hello", 1024)) == "Hello"
# RSA parity-oracle demonstration. b64s, pubkey, e, n, parity(), multiply() and
# cleanup() are defined earlier in the script, outside this excerpt.
plaintext = base64.b64decode(b64s)
ciphertext = rsa.encrypt_string(plaintext, pubkey)

# Author's aside: with e=3 this plaintext cubed may never wrap the modulus, in
# which case a plain cube root would recover it without any oracle. Unpadded
# ("textbook") RSA gives no protection in either case.
bounds = [0, n]
start = time.time()
for i in range(2048):
    # Each query scales the hidden plaintext by another factor of two; the
    # parity the oracle reports decides which half of the interval to keep.
    doubling = 2 ** (i + 1)
    p = parity(multiply(ciphertext, doubling, e, n))
    lo, hi = bounds
    half_the_dist = (hi - lo) / 2  # integer division under Python 2
    if p == 0:
        bounds = [lo, hi - half_the_dist]
    elif p == 1:
        bounds = [lo + half_the_dist, hi]
    if i % 16 == 0:
        # Progress line every 16th query; get 256 char wide screen
        print p, i, cleanup(rsa.i2s(bounds[1]), '_')
end = time.time()
dur = round(end - start, 1)

print "--------"
for b in bounds:
    print rsa.i2s(b)
print "2048 oracularities in", dur, "s =", round(2048 / dur, 1), "per s."
# NOTE(review): a single leaked plaintext bit per decryption is enough for full
# recovery, so a decryption service must not expose any plaintext-dependent
# signal; randomized padding such as OAEP removes the malleability relied on.

#### tests ####
# Multiplying the ciphertext by 2**e must double the decrypted integer.
hi = 'Hi'
c_hi = rsa.encrypt_string(hi, pubkey)
D = multiply(c_hi, 2, pubkey[0], pubkey[1])
assert rsa.s2i(hi) * 2 == rsa.crypt(D, privkey)
# Parity-oracle walk over an RSA ciphertext. The names b64s, pubkey, e, n,
# parity, multiply and cleanup come from earlier in the script (not shown).
plaintext = base64.b64decode(b64s)
ciphertext = rsa.encrypt_string(plaintext, pubkey)

# The author notes that for e=3 the cubed plaintext probably does not wrap the
# modulus, so a direct cube root might already suffice; the oracle loop is run
# regardless.
bounds = [0, n]
start = time.time()
for i in range(2048):
    # presumably multiply() returns ciphertext * factor**e mod n -- confirm
    p = parity(multiply(ciphertext, 2 ** (i + 1), e, n))
    low_end, high_end = bounds
    half_the_dist = (high_end - low_end) / 2  # Python 2 integer division
    if p == 0:
        # Even parity: keep the lower half of the interval.
        bounds = [low_end, high_end - half_the_dist]
    elif p == 1:
        # Odd parity: keep the upper half of the interval.
        bounds = [low_end + half_the_dist, high_end]
    if i % 16 == 0:
        # get 256 char wide screen
        print p, i, cleanup(rsa.i2s(bounds[1]), '_')
end = time.time()
dur = round(end - start, 1)

print "--------"
for b in bounds:
    print rsa.i2s(b)
print "2048 oracularities in", dur, "s =", round(2048 / dur, 1), "per s."
# NOTE(review): the loop needs nothing but one parity bit per query. Defences
# are randomized padding (OAEP) and never returning or leaking any function of
# the raw decrypted value.

#### tests ####
# Set-up for the malleability check; the assertion itself follows this excerpt.
hi = 'Hi'
c_hi = rsa.encrypt_string(hi, pubkey)
D = multiply(c_hi, 2, pubkey[0], pubkey[1])
# Legitimate path: Bob decrypts with his private key. ciphertext, R, message,
# k, n (list of moduli) and c (list of ciphertexts) are set up earlier in the
# script, outside this excerpt.
decrypt = rsa.decrypt_string(ciphertext, R)
print
print "Bob gets this message:", decrypt

#### Eve
# Broadcast attack on unpadded RSA: the same message was encrypted under k
# different moduli. For each i, ms[i] is the product of every modulus except
# n[i].
ms = []
for i in range(k):
    x = copy.copy(n)
    del x[i]
    ms.append(reduce(lambda a, b: a * b, x))

# Chinese Remainder Theorem: combine the residues c[i] mod n[i] into a single
# value modulo the product of all moduli.
result = 0
for i in range(k):
    result += c[i] * ms[i] * rsa.invmod(ms[i], n[i])
product_of_moduli = reduce(lambda a, b: a * b, n)
result = result % product_of_moduli

# An integer cube root recovers the plaintext; this presumes e=3 and that the
# cubed message is smaller than the product of the moduli -- confirm against
# the key set-up earlier in the file.
overheard = rsa.i2s(cuberoot(result))
print "Eve hears this message:", overheard
# NOTE(review): no private key is involved above. Randomized padding (OAEP)
# makes each recipient's plaintext different and defeats the CRT combination.

#### tests ####
assert message == decrypt
assert message == overheard
assert decrypt == overheard
warn("Passed assertions:", __file__)
# Bob's side: ordinary decryption with the private key R. The inputs used
# below (ciphertext, R, message, k, n, c) are defined before this excerpt.
decrypt = rsa.decrypt_string(ciphertext, R)
print
print "Bob gets this message:", decrypt

#### Eve
# Eve holds only public moduli n[i] and ciphertexts c[i] of one message.
# Calculate products of the moduli (pubkeys) EXCEPT pubkey number i.
ms = [None] * k
for i in range(k):
    x = copy.copy(n)
    del x[i]
    others_product = reduce(lambda a, b: a * b, x)
    ms[i] = others_product

# Work through the Chinese Remainder Theorem: sum the per-modulus terms, then
# reduce once modulo the product of all moduli.
result = 0
for i in range(k):
    crt_term = c[i] * ms[i] * rsa.invmod(ms[i], n[i])
    result += crt_term
result = result % reduce(lambda a, b: a * b, n)

# Get final text. The cube root presumably matches a public exponent of 3;
# that exponent is chosen outside this excerpt -- confirm.
overheard = rsa.i2s(cuberoot(result))
print "Eve hears this message:", overheard
# NOTE(review): sending one unpadded message to several recipients with a
# small exponent is what makes this recovery possible; per-message random
# padding (OAEP) is the standard mitigation.

#### tests ####
assert message == decrypt
assert message == overheard
assert decrypt == overheard
warn("Passed assertions:", __file__)
# Unpadded-RSA message recovery against a decryption service. alice,
# secret_for_bob and warn() are defined earlier in the script (not shown).
breakme = alice.encrypt(secret_for_bob)
E, N = breakme["pubkey"][0], breakme["pubkey"][1]  # public exponent, modulus
C = breakme["ciphertext"]  # long integer, not string

print "Bob calls Alice and receives..."
print alice.decrypt(C)
print

#### Mallory
# Replaying the captured ciphertext as-is; presumably alice refuses repeats,
# judging by the hash-table message printed below -- confirm in alice's class.
print "Mallory calls Alice the 1st time and receives..."
print alice.decrypt(C)

print "Mallory calls w/ seemingly different string & receives..."
S = random.randint(2, 100000)
assert S % N > 1
# Blind the ciphertext: C' = S^E * C mod N decrypts to S * P mod N, so it does
# not match the ciphertext the service has already seen.
Cp = (pow(S, E, N) * C) % N
Pp_string = alice.decrypt(Cp)
print Pp_string
Pp = rsa.s2i(Pp_string)

print "Alice's hash table suspects nothing..."
print alice.log

# Remove the blinding factor with the modular inverse of S.
P = (Pp * rsa.invmod(S, N)) % N
print "But Mallory now knows..."
print rsa.i2s(P)
# NOTE(review): a replay cache keyed on the ciphertext cannot stop this,
# because textbook RSA is multiplicatively malleable. The fix is padding that
# is validated on decryption (OAEP), so a modified ciphertext is rejected.

#### tests ####
assert rsa.i2s(P) == secret_for_bob
warn("Passed assertions:", __file__)
mhigh = min(b, (3*B - 1 + r*n) // s[i]) assert mlow <= mhigh, [mlow, mhigh, mlow - a, b - mhigh, rlow, rhigh, r] this_interval = [mlow, mhigh] if this_interval not in m_set: m_set.append(this_interval) M.append(simplify(m_set)) #### Step 4 if len(M[i]) == 1 and M[i][0][0] == M[i][0][1]: a = M[i][0][0] m = a * rsa.invmod(s[0], n) % n print print print "Hooray! m=", m result = rsa.i2s(m) print "i2s=", [result] break else: if len(M[i]) > 1: print "Iterate because len", len(M[i]) else: if i % 20 == 0: print "Iterate because interval > 0" i += 1 #### tests #### nc = len(short_message) assert result[-nc:] == short_message short_message2 = "du" m2 = pkcs_1(short_message2, Bits*2)
# Demonstrates that a seen-ciphertext check does not protect a raw RSA
# decryption service. alice, secret_for_bob and warn() come from earlier in
# the script, outside this excerpt.
breakme = alice.encrypt(secret_for_bob)
E = breakme['pubkey'][0]  # pub key exponent
N = breakme['pubkey'][1]  # public key modulus
C = breakme['ciphertext']  # long integer, not string

# First, the intended recipient's call.
print "Bob calls Alice and receives..."
print alice.decrypt(C)
print

#### Mallory
# Same ciphertext submitted a second time.
print "Mallory calls Alice the 1st time and receives..."
print alice.decrypt(C)

# Now a ciphertext that looks unrelated but decrypts to S * P mod N.
print "Mallory calls w/ seemingly different string & receives..."
S = random.randint(2, 100000)
assert S % N > 1
blinding = pow(S, E, N)
Cp = (blinding * C) % N
Pp_string = alice.decrypt(Cp)
print Pp_string
Pp = rsa.s2i(Pp_string)

# alice.log is printed as-is; presumably it holds the record alice keeps of
# what she has decrypted -- confirm against alice's definition.
print "Alice's hash table suspects nothing..."
print alice.log

# Dividing out S (multiplying by its inverse mod N) yields the original P.
S_inverse = rsa.invmod(S, N)
P = (Pp * S_inverse) % N
print "But Mallory now knows..."
print rsa.i2s(P)
# NOTE(review): the weakness is the homomorphic property of unpadded RSA, not
# the logging. Decrypting only correctly padded (OAEP) ciphertexts closes it.

#### tests ####
assert rsa.i2s(P) == secret_for_bob
warn("Passed assertions:", __file__)