def do_42():
    """Run the challenge-42 demo and assert that the produced signature verifies.

    Requests a 1024-bit key with ``e=3`` from ``generate_rsa_key``, obtains a
    signature for a fixed message from ``do_db_e3``, prints both values and
    asserts that ``bad_rsa_sha1_verify`` accepts them.

    NOTE(review): ``do_db_e3`` and ``bad_rsa_sha1_verify`` are defined outside
    this block. Presumably the verifier is deliberately lax (hence "bad") and
    the point is that it accepts a signature made without the private key.
    A sound verifier rebuilds the full expected encoded block and compares
    every byte of it -- confirm against the helper definitions.
    """
    key = generate_rsa_key(1024, e=3)
    msg = b'hi mom'
    # The signing helper is handed only the message, never the key material.
    forged = do_db_e3(msg)
    for label, value in (('message', msg), ('signature', forged)):
        print(label, value)
    # Stripped when Python runs with -O, so the check only fires in a normal run.
    assert bad_rsa_sha1_verify(msg, forged, key)
def do_42():
    """Check that a signature built from the message alone passes verification.

    A 1024-bit key with ``e=3`` is requested from ``generate_rsa_key``; the
    signature comes from ``do_db_e3``, which is given the message only. Both
    values are printed, then ``bad_rsa_sha1_verify`` must accept them.

    NOTE(review): the two helpers live outside this block. The verifier's name
    suggests it is intentionally weak; strict PKCS#1 v1.5 verification should
    re-encode the expected block and compare it in full -- confirm against the
    helper definitions.
    """
    message = b'hi mom'
    rsaparams = generate_rsa_key(1024, e=3)
    signature = do_db_e3(message)
    print('message', message)
    print('signature', signature)
    accepted = bad_rsa_sha1_verify(message, signature, rsaparams)
    # An assert is removed under "python -O"; run without -O for the check to apply.
    assert accepted
# plain = mypow(cipher, key['d'], key['N']); # check for 0 if ((plain.bit_length() + 15) //8) != ((key['N'].bit_length() + 7)//8): return False; # hex(plain) will start '0x2' if the second by is either 0x20 or 0x02 # if 02, then len(hex) will be odd if (len(hex(plain)) % 2) == 0: return False; if (hex(plain)[0:3] != '0x2'): return False; return True; # * Generate a 256 bit keypair (that is, p and q will each be 128 bit # primes), [n, e, d]. prob47_key = generate_rsa_key(256); # * Plug d and n into your oracle function. # * PKCS1.5-pad a short message, like "kick it, CC", and call it # "m". Encrypt to to get "c". # ............ = 0x0001020304050607080910111213141516171819202122232425262728293031 prob47_message = 0x00029843216464613acd6546e3131eacd6634213650030313233343536373839 # Decrypt "c" using your padding oracle. # For this challenge, we've used an untenably small RSA modulus (you # could factor this keypair instantly). That's because this exercise # targets a specific step in the Bleichenbacher paper --- Step 2c, which # implements a fast, nearly O(log n) search for the plaintext.
#!/usr/bin/env python # Written against python 3.3.1 # Matasano Problem 48 # Bleichenbacher's PKCS 1.5 Padding Oracle (Complete) from prob41 import generate_rsa_key from prob33 import mypow from prob47 import bb98_2a, bb98_2b, bb98_2c, bb98_3 # This is a continuation of challenge #47; it implements the complete # BB'98 attack. # Set yourself up the way you did in #47, but this time generate a 768 # bit modulus. prob48_key = generate_rsa_key(768) # ............ = 0x000102030405060708091011121314151617181920212223242526272829303100010203040506070809101112131415161718192021222324252627282930310001020304050607080910111213141516171819202122232425262728293031 prob48_message = 0x00029843216464613acd6546e3131eacd6634213659843216464613acd6546e3131eacd6634213659843216464613acd6546e3131eacd6634213659843216464613acd6546e3131eacd6634213659843216464613a0030313233343536373839 # To make the attack work with a realistic RSA keypair, you need to # reproduce step 2b from the paper, and your implementation of Step 3 # needs to handle multiple ranges. '''Note: I wrote step 2b for problem 47 when trying to debug.''' # The full Bleichenbacher attack works basically like this: # * Starting from the smallest 's' that could possibly produce # a plaintext bigger than 2B, iteratively search for an 's' that # produces a conformant plaintext. # * For our known 's1' and 'n', solve m1=m0s1-rn (again: just a # definition of modular multiplication) for 'r', the number of
#!/usr/bin/env python
# Written against python 3.3.1
# Matasano Problem 46
# Decrypt RSA From One-Bit Oracle

from prob41 import generate_rsa_key
from prob33 import mypow
from prob1 import base64toRaw

# This is a bit of a toy problem, but it's very helpful for
# understanding what RSA is doing (and also for why pure
# number-theoretic encryption is terrifying).

# Generate a 1024 bit RSA key pair.
prob46_key = generate_rsa_key(1024)

# Write an oracle function that uses the private key to answer the
# question "is the plaintext of this message even or odd" (is the last
# bit of the message 0 or 1). Imagine for instance a server that
# accepted RSA-encrypted messages and checked the parity of their
# decryption to validate them, and spat out an error if they were of the
# wrong parity.
def rsa_oracle_isodd(key, cipher):
    """Return the lowest bit of the private-key decryption of ``cipher``.

    ``key`` is indexed with ``'d'`` and ``'N'``; no other entries are read.
    The result is ``plain & 1``: 1 for an odd plaintext, 0 for an even one.

    NOTE(review): ``mypow`` comes from prob33 and is presumably modular
    exponentiation (base, exponent, modulus) -- confirm.

    Security note: this models a service whose observable behaviour depends
    on one bit of an unpadded RSA decryption. Any plaintext-dependent signal
    of this kind must be treated as a leak of the plaintext; real systems
    use a padded scheme such as OAEP and give uniform responses on failure.
    """
    return mypow(cipher, key['d'], key['N']) & 1

# Anyways: function returning true or false based on whether the
# decrypted plaintext was even or odd, and nothing else.

# Take the following string and un-Base64 it in your code (without
# looking at it!) and encrypt it to the public key, creating a
# ciphertext:
#!/usr/bin/env python
# Written against python 3.3.1
# Matasano Problem 46
# Decrypt RSA From One-Bit Oracle

from prob41 import generate_rsa_key
from prob33 import mypow
from prob1 import base64toRaw

# This is a bit of a toy problem, but it's very helpful for
# understanding what RSA is doing (and also for why pure
# number-theoretic encryption is terrifying).

# Generate a 1024 bit RSA key pair.
prob46_key = generate_rsa_key(1024)

# Write an oracle function that uses the private key to answer the
# question "is the plaintext of this message even or odd" (is the last
# bit of the message 0 or 1). Imagine for instance a server that
# accepted RSA-encrypted messages and checked the parity of their
# decryption to validate them, and spat out an error if they were of the
# wrong parity.
def rsa_oracle_isodd(key, cipher):
    """Decrypt ``cipher`` with the private exponent and report its parity.

    Reads ``key['d']`` and ``key['N']`` and returns the decrypted value
    masked with 1, so the result is the int 1 (odd) or 0 (even).

    NOTE(review): ``mypow`` is imported from prob33; it is assumed to compute
    ``cipher ** d mod N`` -- confirm.

    Security note: the function stands in for a server that discloses the
    parity of a raw RSA decryption. Exposing even this single bit per query
    is a plaintext leak; deployed systems should use OAEP-style padding and
    return the same response for every malformed input.
    """
    private_exponent, modulus = key['d'], key['N']
    lowest_bit = mypow(cipher, private_exponent, modulus) & 1
    return lowest_bit

# Anyways: function returning true or false based on whether the
# decrypted plaintext was even or odd, and nothing else.

# Take the following string and un-Base64 it in your code (without
#!/usr/bin/env python # Written against python 3.3.1 # Matasano Problem 48 # Bleichenbacher's PKCS 1.5 Padding Oracle (Complete) from prob41 import generate_rsa_key from prob33 import mypow from prob47 import bb98_2a, bb98_2b, bb98_2c, bb98_3 # This is a continuation of challenge #47; it implements the complete # BB'98 attack. # Set yourself up the way you did in #47, but this time generate a 768 # bit modulus. prob48_key = generate_rsa_key(768); # ............ = 0x000102030405060708091011121314151617181920212223242526272829303100010203040506070809101112131415161718192021222324252627282930310001020304050607080910111213141516171819202122232425262728293031 prob48_message = 0x00029843216464613acd6546e3131eacd6634213659843216464613acd6546e3131eacd6634213659843216464613acd6546e3131eacd6634213659843216464613acd6546e3131eacd6634213659843216464613a0030313233343536373839 # To make the attack work with a realistic RSA keypair, you need to # reproduce step 2b from the paper, and your implementation of Step 3 # needs to handle multiple ranges. '''Note: I wrote step 2b for problem 47 when trying to debug.''' # The full Bleichenbacher attack works basically like this: # * Starting from the smallest 's' that could possibly produce # a plaintext bigger than 2B, iteratively search for an 's' that # produces a conformant plaintext. # * For our known 's1' and 'n', solve m1=m0s1-rn (again: just a