def process():
I = request.args.get('email')
A = int(request.args.get('A'))
b = randint(0, N)
B = k * d[I]['v'] + pow(g, b, N)
# Response
r = str(d[I]['salt']) + ';' + str(B)
# Doing the next steps
uH = sha256(int_to_bytes(A) + int_to_bytes(B)).hexdigest()
u = int(uH, 16)
temp = pow(d[I]['v'], u, N)
S = pow(A * temp, b, N)
K = sha256(int_to_bytes(S)).digest()
salt = struct.pack('<I', d[I]['salt'])
hmac = HMAC_SHA256(K, salt)
d[I]['hmac'] = hmac
return r
def fake_verify():
I = request.args.get('email')
hmac = request.args.get('hmac')
A = d[I]['A']
b = d[I]['b']
u = d[I]['u']
salt = struct.pack('<I', d[I]['salt'])
wordlist = "/usr/share/wordlists/dirb/others/best1050.txt"
with open(wordlist, 'r') as f:
w = f.read().splitlines()
for P in w:
xH = sha256(salt + bytearray(P, "ascii")).hexdigest()
x = int(xH, 16)
v = pow(g, x, N)
temp = pow(v, u, N)
S = pow(A * temp, b, N)
K = sha256(int_to_bytes(S)).digest()
if HMAC_SHA256(K, salt) == hmac:
print("CRACKED!!!!")
print(P)
return P
#Generating RSA public and private keys
p = generate_rsa_prime()
q = generate_rsa_prime()
while (test_primes(p, q, e) != True):
p = generate_rsa_prime()
q = generate_rsa_prime()
pub_key, priv_key = rsa_key_gen(p, q, e)
#Encrypting message
e = pub_key[0]
n = pub_key[1]
c = rsa_encrypt(m, e, n)
print("Original message:", int_to_bytes(decryption(c, priv_key), order="big"))
print(decryption(c, priv_key)) #Showing that it can't be done twice
# Attacker:
captured_cipher = c
captured_e = pub_key[0]
captured_n = pub_key[1]
S = randint(2, 0xFFFFFFFF)
attacker_c = (pow(S, captured_e, captured_n) * captured_cipher) % captured_n
attacker_p = decryption(attacker_c, priv_key)
s_inv = modinv(S, captured_n)
recovered_p = attacker_p * s_inv % captured_n
def main():
p = 0xffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67cc74020bbea63b139b22514a08798e3404ddef9519b3cd3a431b302b0a6df25f14374fe1356d6d51c245e485b576625e7ec6f44c42e9a637ed6b0bff5cb6f406b7edee386bfb5a899fa5ae9f24117c4b1fe649286651ece45b3dc2007cb8a163bf0598da48361c55d39a69163fa8fd24cf5f83655d23dca3ad961c62f356208552bb9ed529077096966d670c354e4abc9804f1746c08ca237327ffffffffffffffff
g = 2
################################################################################
###### MITM attack - Scenario 01: g = 1
################################################################################
#User A generates A
a = randint(0, p)
A = pow(g, a, p)
#User A sends (p,g,A) to M
m_data = (p, g, A)
#Use M send (p,g,A) to M
g_m = 1
b_data = (p, g_m, A)
#User B generates B
b = randint(0, b_data[0])
B = pow(b_data[1], b, b_data[0]) #the result will be 1
#User B sends B to M
m_data2 = B
a_data = m_data2 #let's send this 1 forward
#User A calculates s, iv, key and encrypt a message
#print a_data
s_a = pow(a_data, a, p) #s_a = 1
#print s_a
iv_a = random_aes_key(16)
msg_a = bytearray("Super Secret Stuff123", "ascii")
#print hex(s_a)
key_a = sha1(int_to_bytes(s_a))[:16]
aes_ecb_a = AES.new(key_a, AES.MODE_ECB)
enc_a = cbc_encrypt(aes_ecb_a, msg_a, iv_a)
#test = cbc_decrypt(aes_ecb_a, enc_a, iv_a)
#print test
#User A sends encrypted message and iv to M
m_data3 = enc_a + iv_a
#M can recalculate the key and decrypt the message:
key_m = sha1(b"\x01")[:16]
#print key_m
aes_ecb_m = AES.new(key_m, AES.MODE_ECB)
msg_m = cbc_decrypt(aes_ecb_m,
m_data3[:-16],
m_data3[-16:],
validation=True) #M knows the message (DONE)
print("Retrieved by M (scenario 1):", msg_m)
################################################################################
###### MITM attack - Scenario 02: g = p
################################################################################
#User A generates A
a = randint(0, p)
A = pow(g, a, p)
#User A sends (p,g,A) to M
m_data = (p, g, A)
#Use M send (p,g,A) to M
g_m = p
b_data = (p, g_m, A)
#User B generates B
b = randint(0, b_data[0])
B = pow(b_data[1], b, b_data[0]) #the result will be 0
#User B sends B to M
m_data2 = B
a_data = m_data2 #let's send this 0 forward
#User A calculates s, iv, key and encrypt a message
#print a_data
s_a = pow(a_data, a, p) #s_a = 0
#print s_a
iv_a = random_aes_key(16)
msg_a = bytearray("Super Secret Stuff123", "ascii")
#print hex(s_a)
key_a = sha1(int_to_bytes(s_a))[:16]
aes_ecb_a = AES.new(key_a, AES.MODE_ECB)
enc_a = cbc_encrypt(aes_ecb_a, msg_a, iv_a)
#test = cbc_decrypt(aes_ecb_a, enc_a, iv_a)
#print test
#User A sends encrypted message and iv to M
m_data3 = enc_a + iv_a
#M can recalculate the key and decrypt the message:
key_m = sha1(b'\x00')[:16]
#print key_m
aes_ecb_m = AES.new(key_m, AES.MODE_ECB)
msg_m = cbc_decrypt(aes_ecb_m,
m_data3[:-16],
m_data3[-16:],
validation=True) #M knows the message (DONE)
print("Retrieved by M (scenario 2):", msg_m)
################################################################################
###### MITM attack - Scenario 03: g = p-1
################################################################################
#User A generates A
a = randint(0, p)
A = pow(g, a, p)
#User A sends (p,g,A) to M
m_data = (p, g, A)
#Use M send (p,g,A) to M
g_m = p - 1
b_data = (p, g_m, A)
#User B generates B
b = randint(0, b_data[0])
B = pow(b_data[1], b, b_data[0]) #(p-1)^x % p == (-1)^x % p
# if x is even: 1, if x is odd, p-1
#User B sends B to M
m_data2 = B
a_data = m_data2 #sending the information forward
#User A calculates s, iv, key and encrypt a message
#print a_data
s_a = pow(a_data, a, p) #s_a is either p-1 or 1
#print s_a
iv_a = random_aes_key(16)
msg_a = bytearray("Super Secret Stuff123", "ascii")
#print hex(s_a)
key_a = sha1(int_to_bytes(s_a))[:16]
aes_ecb_a = AES.new(key_a, AES.MODE_ECB)
enc_a = cbc_encrypt(aes_ecb_a, msg_a, iv_a)
#User A sends encrypted message and iv to M
m_data3 = enc_a + iv_a
#M can calculate both possible keys and decrypt the message:
key_m1 = sha1(b'\x01')[:16]
key_m2 = sha1(int_to_bytes(g_m))[:16]
for key_m in (key_m1, key_m2):
aes_ecb_m = AES.new(key_m, AES.MODE_ECB)
try:
msg_m = cbc_decrypt(aes_ecb_m,
m_data3[:-16],
m_data3[-16:],
validation=True) #M knows the message (DONE)
except: #this is me being lazy. Note that it might break if the wrong key decrypts some garbage with the right padding
pass
print("Retrieved by M (scenario 3):", msg_m)
pub_key, priv_key = rsa_key_gen(p, q, e)
e = pub_key[0]
n = pub_key[1]
d = priv_key[0]
m = 42
print(rsa_decrypt(rsa_encrypt(m, e, n), d, n))
# "Serious stuff"
e = 3
p = generate_rsa_prime()
q = generate_rsa_prime()
while (test_primes(p, q, e) != True):
p = generate_rsa_prime()
q = generate_rsa_prime()
pub_key, priv_key = rsa_key_gen(p, q, e)
message = b"This is a super S3cr3t message!!!!"
m = int.from_bytes(message, byteorder='big')
e = pub_key[0]
n = pub_key[1]
d = priv_key[0]
c = rsa_encrypt(m, e, n)
decrypted_int = rsa_decrypt(c, d, n)
decrypted = int_to_bytes(decrypted_int, order="big")
print(decrypted)
# Legitimate server
a = randint(0,N)
A = pow(g,a,N)
query = f"http://127.0.0.1:5000/process?email={I}&A={A}"
r = requests.get(query)
temp = r.text.split(';')
salt = int(temp[0])
B = int(temp[1])
u = int(temp[2])
xH = sha256(struct.pack('<I',salt)+bytearray(P, "ascii")).hexdigest()
x = int(xH,16)
S = pow(B,a+(u*x),N)
K = sha256(int_to_bytes(S)).digest()
hmac = HMAC_SHA256(K,struct.pack('<I',salt))
query = f"http://127.0.0.1:5000/verify?email={I}&hmac={hmac}"
r = requests.get(query)
print ("Response from legitimate server:",r.text)
# Fake server
query = f"http://127.0.0.1:6666/process?email={I}&A={A}"
r = requests.get(query)
temp = r.text.split(';')
salt = int(temp[0])
B = int(temp[1])
u = int(temp[2])
#Encrypted the message using 3 different public keys
encrypted = []
for i in range(3):
pub_key = keys[i][0]
e = pub_key[0]
n = pub_key[1]
c = rsa_encrypt(m,e,n)
encrypted.append(c)
n_0 = keys[0][0][1]
n_1 = keys[1][0][1]
n_2 = keys[2][0][1]
c_0 = encrypted[0] % n_0
c_1 = encrypted[1] % n_1
c_2 = encrypted[2] % n_2
m_s_0 = n_1 * n_2
m_s_1 = n_0 * n_2
m_s_2 = n_0 * n_1
N_012 = n_0 * n_1 * n_2
result = ((c_0 * m_s_0 * modinv(m_s_0, n_0)) + (c_1 * m_s_1 * modinv(m_s_1, n_1)) + (c_2 * m_s_2 * modinv(m_s_2, n_2))) % N_012
a = precise_cube_root(result)
print(int_to_bytes(int(a),order="big"))
print("Something went wrong!!!")
exit()
requests.get("http://127.0.0.1:5000/query")
a = randint(0,N)
A = pow(g,a,N)
query = f"http://127.0.0.1:5000/process?email={I}&A={A}"
r = requests.get(query)
print (r.text)
temp = r.text.split(';')
salt = int(temp[0])
B = int(temp[1])
uH = sha256(int_to_bytes(A)+int_to_bytes(B)).hexdigest()
u = int(uH,16)
xH = sha256(struct.pack('<I',salt)+bytearray(P, "ascii")).hexdigest()
x = int(xH,16)
temp = pow(g,x,N)
S = pow(B-(k*temp),a+(u*x),N)
K = sha256(int_to_bytes(S)).digest()
hmac = HMAC_SHA256(K,struct.pack('<I',salt))
query = f"http://127.0.0.1:5000/verify?email={I}&hmac={hmac}"
r = requests.get(query)
print (r.text)
