def generate_c(bits, randfunc, progress_func = None): # Generate the prime factors of n if progress_func: progress_func('p,q\n') p = q = 1L while number.size(p*q) < bits: p = pubkey.getPrime(bits/2, randfunc) q = pubkey.getPrime(bits/2, randfunc) # p shall be smaller than q (for calc of u) if p > q: (p, q)=(q, p) if progress_func: progress_func('u\n') u=pubkey.inverse(p, q) n=p*q e = 65537L if progress_func: progress_func('d\n') d=pubkey.inverse(e, (p-1)*(q-1)) key = _fastmath.rsa_construct(n,e,d,p,q,u) obj = RSAobj_c(key) ## print p ## print q ## print number.size(p), number.size(q), number.size(q*p), ## print obj.size(), bits assert bits <= 1+obj.size(), "Generated key is too small" return obj
def generate_c(bits, randfunc, progress_func=None): # Generate the prime factors of n if progress_func: progress_func('p,q\n') p = q = 1L while number.size(p * q) < bits: p = pubkey.getPrime(bits / 2, randfunc) q = pubkey.getPrime(bits / 2, randfunc) # p shall be smaller than q (for calc of u) if p > q: (p, q) = (q, p) if progress_func: progress_func('u\n') u = pubkey.inverse(p, q) n = p * q e = 65537L if progress_func: progress_func('d\n') d = pubkey.inverse(e, (p - 1) * (q - 1)) key = _fastmath.rsa_construct(n, e, d, p, q, u) obj = RSAobj_c(key) ## print p ## print q ## print number.size(p), number.size(q), number.size(q*p), ## print obj.size(), bits assert bits <= 1 + obj.size(), "Generated key is too small" return obj
def _attack_single(self,hA,sigA,hB,sigB,q=None): q = q or self.pubkey.q rA,sA=sigA rB,sB=sigB k = (hA - hB)* inverse(sA -sB,q) %q x = ((k*sA-hA)* inverse( rA,q) )% q return k,x
def recover_nonce_reuse(self, other): assert (self.pubkey.q == other.pubkey.q) assert (self.sig.r == other.sig.r) # reused *k* implies same *r* self.k = (self.h - other.h) * inverse(self.sig.s - other.sig.s, self.pubkey.q) % self.pubkey.q self.x = ((self.k * self.sig.s - self.h) * inverse(self.sig.r, self.pubkey.q)) % self.pubkey.q # other.k, other.x = self.k, self.x # update other object as well? return self
def generate_py(bits, randfunc, progress_func=None): """generate(bits:int, randfunc:callable, progress_func:callable) Generate an RSA key of length 'bits', using 'randfunc' to get random data and 'progress_func', if present, to display the progress of the key generation. """ obj=RSAobj() obj.e = 65537L # Generate the prime factors of n if progress_func: progress_func('p,q\n') p = q = 1L while number.size(p*q) < bits: # Note that q might be one bit longer than p if somebody specifies an odd # number of bits for the key. (Why would anyone do that? You don't get # more security.) # # Note also that we ensure that e is coprime to (p-1) and (q-1). # This is needed for encryption to work properly, according to the 1997 # paper by Robert D. Silverman of RSA Labs, "Fast generation of random, # strong RSA primes", available at # http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.17.2713&rep=rep1&type=pdf # Since e=65537 is prime, it is sufficient to check that e divides # neither (p-1) nor (q-1). p = 1L while (p - 1) % obj.e == 0: if progress_func: progress_func('p\n') p = pubkey.getPrime(bits/2, randfunc) q = 1L while (q - 1) % obj.e == 0: if progress_func: progress_func('q\n') q = pubkey.getPrime(bits - (bits/2), randfunc) # p shall be smaller than q (for calc of u) if p > q: (p, q)=(q, p) obj.p = p obj.q = q if progress_func: progress_func('u\n') obj.u = pubkey.inverse(obj.p, obj.q) obj.n = obj.p*obj.q if progress_func: progress_func('d\n') obj.d=pubkey.inverse(obj.e, (obj.p-1)*(obj.q-1)) assert bits <= 1+obj.size(), "Generated key is too small" return obj
def make_private_key(public_config, private_config): ''' Args: public_config (dict): Contains public modulus p, q private_config (dict): Contains private exponent e Returns: An RSA key object (`_RSAobj`). ''' # public key contains public modulus # in production, use a local public key file p = long(public_config['encryption']['p']) q = long(public_config['encryption']['q']) # private key contains private exponent e = long(private_config['encryption']['e']) # Enforce constraint that p must be bigger. # http://crypto.stackexchange.com/questions/18084/in-rsa-why-does-p-have-to-be-bigger-than-q-where-n-p-times-q if p < q: p, q = q, p # in practice, not needed n = p * q phi = (p - 1) * (q - 1) d = pubkey.inverse(e, phi) rsaInit = (n, e, d, p, q) # rsaInit = (n, e, d) # print "n {}, e {}, d {}, p {}, q {}".format(n, e, d, p, q) return RSA.construct(rsaInit)
def main(): # collect a few public keys keys = [] flags = [] for i in range(20): conn = remote(HOST, PORT) conn.recvuntil("key:\n") keystr = conn.recvuntil("And here", drop=True) key = RSA.importKey(keystr) keys.append(key) conn.recvuntil(":)\n") flagstr = conn.recvline().strip() flag = binascii.unhexlify(flagstr) flags.append(flag) conn.close() # Try to find two n's with a common GCD nums = [k.n for k in keys] i, j, gcd = find_common_gcd(nums) log.info("Found GCD! gcd({:d}, {:d}) = {:d}".format(i, j, gcd)) p = gcd q = keys[i].n / gcd d = pubkey.inverse(65537, (p - 1) * (q - 1)) privkey = RSA.construct((keys[i].n, 65537L, d)) cipher = PKCS1_OAEP.new(privkey) flag = cipher.decrypt(flags[i]) log.success("Flag: {:s}".format(flag))
def generate_py(bits, randfunc, progress_func=None, e=65537): """generate(bits:int, randfunc:callable, progress_func:callable, e:int) Generate an RSA key of length 'bits', public exponent 'e'(which must be odd), using 'randfunc' to get random data and 'progress_func', if present, to display the progress of the key generation. """ obj=RSAobj() obj.e = long(e) # Generate the prime factors of n if progress_func: progress_func('p,q\n') p = q = 1L while number.size(p*q) < bits: # Note that q might be one bit longer than p if somebody specifies an odd # number of bits for the key. (Why would anyone do that? You don't get # more security.) p = pubkey.getStrongPrime(bits>>1, obj.e, 1e-12, randfunc) q = pubkey.getStrongPrime(bits - (bits>>1), obj.e, 1e-12, randfunc) # It's OK for p to be larger than q, but let's be # kind to the function that will invert it for # th calculation of u. if p > q: (p, q)=(q, p) obj.p = p obj.q = q if progress_func: progress_func('u\n') obj.u = pubkey.inverse(obj.p, obj.q) obj.n = obj.p*obj.q if progress_func: progress_func('d\n') obj.d=pubkey.inverse(obj.e, (obj.p-1)*(obj.q-1)) assert bits <= 1+obj.size(), "Generated key is too small" return obj
def generate_py(bits, randfunc, progress_func=None): """generate(bits:int, randfunc:callable, progress_func:callable) Generate an RSA key of length 'bits', using 'randfunc' to get random data and 'progress_func', if present, to display the progress of the key generation. """ obj=RSAobj() # Generate the prime factors of n if progress_func: progress_func('p,q\n') p = q = 1L while number.size(p*q) < bits: # Note that q might be one bit longer than p if somebody specifies an odd # number of bits for the key. (Why would anyone do that? You don't get # more security.) p = pubkey.getPrime(bits/2, randfunc) q = pubkey.getPrime(bits - (bits/2), randfunc) # p shall be smaller than q (for calc of u) if p > q: (p, q)=(q, p) obj.p = p obj.q = q if progress_func: progress_func('u\n') obj.u = pubkey.inverse(obj.p, obj.q) obj.n = obj.p*obj.q obj.e = 65537L if progress_func: progress_func('d\n') obj.d=pubkey.inverse(obj.e, (obj.p-1)*(obj.q-1)) assert bits <= 1+obj.size(), "Generated key is too small" return obj
def generate_py(bits, randfunc, progress_func=None, e=65537): obj = RSAobj() obj.e = long(e) if progress_func: progress_func('p,q\n') p = q = 1L while number.size(p * q) < bits: p = pubkey.getStrongPrime(bits >> 1, obj.e, 1e-12, randfunc) q = pubkey.getStrongPrime(bits - (bits >> 1), obj.e, 1e-12, randfunc) if p > q: p, q = q, p obj.p = p obj.q = q if progress_func: progress_func('u\n') obj.u = pubkey.inverse(obj.p, obj.q) obj.n = obj.p * obj.q if progress_func: progress_func('d\n') obj.d = pubkey.inverse(obj.e, (obj.p - 1) * (obj.q - 1)) return obj
def generate_py(bits, randfunc, progress_func=None): """generate(bits:int, randfunc:callable, progress_func:callable) Generate an RSA key of length 'bits', using 'randfunc' to get random data and 'progress_func', if present, to display the progress of the key generation. """ obj = RSAobj() obj.e = 65537L # Generate the prime factors of n if progress_func: progress_func('p,q\n') p = q = 1L while number.size(p * q) < bits: # Note that q might be one bit longer than p if somebody specifies an odd # number of bits for the key. (Why would anyone do that? You don't get # more security.) p = pubkey.getStrongPrime(bits >> 1, obj.e, 1e-12, randfunc) q = pubkey.getStrongPrime(bits - (bits >> 1), obj.e, 1e-12, randfunc) # p shall be smaller than q (for calc of u) if p > q: (p, q) = (q, p) obj.p = p obj.q = q if progress_func: progress_func('u\n') obj.u = pubkey.inverse(obj.p, obj.q) obj.n = obj.p * obj.q if progress_func: progress_func('d\n') obj.d = pubkey.inverse(obj.e, (obj.p - 1) * (obj.q - 1)) assert bits <= 1 + obj.size(), "Generated key is too small" return obj
def _attack(self,samples,q=None): ''' samples = r,s,long(hash) ''' q = q or self.pubkey.q rA,sA,hA = samples[0] k_h_diff = hA k_s_diff = sA first = True for r,s,hash in samples: if first: first=False continue #skip first one due to autofill k_h_diff -=hash k_s_diff -=s k = (k_h_diff)* inverse(k_s_diff,q) %q x = ((k*sA-hA)* inverse( rA,q) )% q LOG.debug("privkey reconstructed: k=%s; x=%s;"%(k,x)) return k,x
def generate(bits, randfunc, progress_func=None): """generate(bits:int, randfunc:callable, progress_func:callable) Generate an RSA key of length 'bits', using 'randfunc' to get random data and 'progress_func', if present, to display the progress of the key generation. """ obj=RSAobj() # Generate the prime factors of n if progress_func: progress_func('p,q\n') p = q = 1L while number.size(p*q) < bits: p = pubkey.getPrime(bits/2, randfunc) q = pubkey.getPrime(bits/2, randfunc) # p shall be smaller than q (for calc of u) if p > q: (p, q)=(q, p) obj.p = p obj.q = q if progress_func: progress_func('u\n') obj.u = pubkey.inverse(obj.p, obj.q) obj.n = obj.p*obj.q obj.e = 65537L if progress_func: progress_func('d\n') obj.d=pubkey.inverse(obj.e, (obj.p-1)*(obj.q-1)) assert bits <= 1+obj.size(), "Generated key is too small" return obj
def generate(bits, randfunc, progress_func=None): """generate(bits:int, randfunc:callable, progress_func:callable) Generate an RSA key of length 'bits', using 'randfunc' to get random data and 'progress_func', if present, to display the progress of the key generation. """ obj = RSAobj() # Generate the prime factors of n if progress_func: progress_func('p,q\n') p = q = 1L while number.size(p * q) < bits: p = pubkey.getPrime(bits / 2, randfunc) q = pubkey.getPrime(bits / 2, randfunc) # p shall be smaller than q (for calc of u) if p > q: (p, q) = (q, p) obj.p = p obj.q = q if progress_func: progress_func('u\n') obj.u = pubkey.inverse(obj.p, obj.q) obj.n = obj.p * obj.q obj.e = 65537L if progress_func: progress_func('d\n') obj.d = pubkey.inverse(obj.e, (obj.p - 1) * (obj.q - 1)) assert bits <= 1 + obj.size(), "Generated key is too small" return obj
def handle(self): print("[*] Connection from {:s}:{:d}".format(*self.client_address)) e = 65537 p, q = random.sample(PRIMES, 2) n = p * q d = pubkey.inverse(e, (p - 1) * (q - 1)) public = RSA.construct((n, e)) privkey = RSA.construct((n, e, d)) cipher = PKCS1_OAEP.new(privkey) self.request.sendall(b"Here's your public key:\n") self.request.sendall(public.exportKey() + b"\n") self.request.sendall(b"And here's the flag! :)\n") with open("flag.txt", "rb") as f: flag = f.read() ct = cipher.encrypt(flag) self.request.sendall(binascii.hexlify(ct) + b"\n")
def generateKey(self, key_size, pq=None): if pq is None: p = getStrongPrime(key_size) q = getStrongPrime(key_size) else: p, q = pq n = p * q while True: # Keep trying random numbers for e until one is valid. e = random.randrange(2**(key_size - 1), 2**key_size) if pubkey.GCD(e, (p - 1) * (q - 1)) == 1: break d = pubkey.inverse(e, (p - 1) * (q - 1)) self.n = n self.e = e self.d = d self.pq = (p, q)
def _brute_k(self,sample,p=None,q=None,g=None,maxTries=None): ''' sample = (r,s,h(m)) ''' # 1 < k < q p = p or self.pubkey.p q = q or self.pubkey.q g = g or self.pubkey.g r,s,h = sample k= 2 while k< q-1: if maxTries and k >= maxTries+2: break # calc r = g^k mod p mod q if r == pow(g,k,p)%q: x = ((k*s-h)* inverse( r,q) )% q return k,x k+=1 #next k raise Exception("Max tries reached! - %d/%d"%(k-2,maxTries))
def construct(tuple): """construct(tuple:(long,) : RSAobj Construct an RSA object from a 2-, 3-, 5-, or 6-tuple of numbers. """ obj=RSAobj() if len(tuple) not in [2,3,5,6]: raise error, 'argument for construct() wrong length' for i in range(len(tuple)): field = obj.keydata[i] setattr(obj, field, tuple[i]) if len(tuple) >= 5: # Ensure p is smaller than q if obj.p>obj.q: (obj.p, obj.q)=(obj.q, obj.p) if len(tuple) == 5: # u not supplied, so we're going to have to compute it. obj.u=pubkey.inverse(obj.p, obj.q) return obj
def construct(tuple): """construct(tuple:(long,) : RSAobj Construct an RSA object from a 2-, 3-, 5-, or 6-tuple of numbers. """ obj = RSAobj() if len(tuple) not in [2, 3, 5, 6]: raise error, 'argument for construct() wrong length' for i in range(len(tuple)): field = obj.keydata[i] setattr(obj, field, tuple[i]) if len(tuple) >= 5: # Ensure p is smaller than q if obj.p > obj.q: (obj.p, obj.q) = (obj.q, obj.p) if len(tuple) == 5: # u not supplied, so we're going to have to compute it. obj.u = pubkey.inverse(obj.p, obj.q) return obj
p = int('df633b7301871415bef5017d0c0910c7072222433a309d69ffd012f9d3e208e4d31ebdfd0aa30dfb4a7d13ef7832d363d855e2169df89e60acbfc4137a59c3945eb494650913b6087f2e2700eb3b4294eb4377e9cea6d35ddf232519624cc3bd1e7e534aa9379ded37ff6ddff10758124250e3e5a40a1f789f2c0cc16cb96e0f5261b98b01689dbad6f62842a6c3365fcf25fd3def7baad7bfd99bd70dbe067a5b2af7737caba77787537f1c406338b1c3b86c3875563a03024156bf92a6c770010c63e123a0b2b4661970bf522034ea1e376406c5194c5bb82d1c69d77dcca4b8e04d4a347fcc5bd8c91504458c0eb086a0bf10fa7cc8caa11af2e22f32d06f', 16) q = int('9f3710274717b060dee9fef0aaf01572e9cc53ba6ac10492bd5446bb41a248a9',16) g = int('93b411063c7d3b82189c7ea2624be9087a6e40e79020801367a9bc13012630ae2778244492cca9cd86a07dee31163713a2623f3c418b19e7e8fb3ba5e2db359cc6e5efa1c35c37a16bb2dbfe7c8b6bb123bd26a8f299acdd5c6886748d3db1ffa5ce439571de7efac3482ebf5b4a45324963d99506af9e210988c0a26c443659172df05e094572421ca1c5005f4a1650081c532663dd0e5812f4b8ea43f6cdca317755aac3c3f63754be18c0063b919a7a547cb04d44dba2f67154339eaddfadbd8398c94ba5565d7a2d07c1d20e39befee427346e630f5f72176444fed7d8314ca7c472261f8311974da2ddcafab1ee63c6c7377e7592161e1d31b32abaa3bd', 16) y =20636836524380396244196072696577569262126621637693518417515831389588156010110727694179220341766312812167934840038173702512714672935256591366304513258964123770331403988242338829851121917054712366378000466271493525015744412519308988145299857577333546970037261427973290256403898499766279180979277265983341722384272524689611144938145070671581385845523894185215290296247151150557881827136342152143825772770126693742120775894397288900938364960208586264826886039992581043142765638948169372930513082826136892625732961853419727731657648155505907704183872630951714970690302024937399383304248276584035831599631104415986634886780 ''' DEBUG:DSAregenK:privkey reconstructed: k=25768127004975721051099847404129291547143434939937043331286111399159730732336; x=66982082206795733973204253209195163373920331769528646357832825612336892590101; ''' k = 25768127004975721051099847404129291547143434939937043331286111399159730732336 x = 66982082206795733973204253209195163373920331769528646357832825612336892590101 # https://github.com/zydeon/DSA/blob/master/DSA.py k_ = inverse(k,q) def calculate_s(x, r, q, z, k_): return (k_*(z+x*r)) % q filename = sys.argv[1] with file(filename) as f: m = f.read() name_of_game = m[6:262] game = m[796:] print 'Signature of', name_of_game, ':' try:
# r = g^k mod p mod q # s = k-1 (H(m) + x*r) mod q # ============================================================ LOG.debug("---- Verify by r ----") k = input("Insert k from output message: ") verify_r = pow(priv_key.g,k,priv_key.p) % priv_key.q LOG.debug("Calculated r: %s"%verify_r) h, (r,s) = mA LOG.debug("Inserted r: %s"%r) if verify_r == r : LOG.info("Verified! Successfully reconstructed r!!!") else : LOG.info("Fail to find real r...QQ") # ============================================================ # # Verify attack result by calculating s # ============================================================ verify_s = ( inverse(k,priv_key.q) * (h + priv_key.x * verify_r) ) % priv_key.q LOG.debug("Calculated s: %s"%verify_s) LOG.debug("Inserted s: %s"%s) if verify_s == s : LOG.info("Verified! Successfully reconstructed s!!!") else : LOG.info("Fail to find real s...QQ") # Output answer print "r = ",verify_r H = int(sha1("FLAG").hexdigest(),16) S = ( inverse(k,priv_key.q) * (H + priv_key.x * verify_r) ) % priv_key.q print "s = ",S
def _unblind(self, M, B): tmp = pubkey.inverse(B, self.n) return (M * tmp) % self.n
p = long(config.get("encryption", "p")) q = long(config.get("encryption", "q")) # get private key if not pconfig.has_option("encryption", "private_key"): die("Error: private key must be defined in private config") e = long(pconfig.get("encryption", "private_key")) if p > q: (p, q) = (q, p) phi = (p - 1) * (q - 1) n = p * q d = pubkey.inverse(e, phi) tuple = n, e, d, p, q if verbose: print "p=", p print "q=", q print "n=", n print "e=", e print "d=", d # encrypt without armouring (PKCS) key = RSA.construct(tuple) #print(key) if (cmp(sys.argv[-1], "-") == 0):
p = long(config.get("encryption", "p")) q = long(config.get("encryption", "q")) # get private key if not pconfig.has_option("encryption", "private_key"): die("Error: private key must be defined in private config") e = long(pconfig.get("encryption", "private_key")) if p > q: (p, q)=(q, p) phi = (p - 1)*(q - 1) n = p*q d=pubkey.inverse(e, phi) tuple = n, e, d, p, q if verbose: print "p=", p print "q=", q print "n=", n print "e=", e print "d=", d # encrypt without armouring (PKCS) key = RSA.construct(tuple) #print(key) if (cmp(sys.argv[-1], "-") == 0):