[CryptoHack] Public-key Cryptography Partial Solutions

原创 已于 2023-05-14 21:46:58 修改 · 1.3k 阅读 · 1 ·
CC 4.0 BY-SA版权
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
文章标签:

#cryptography #cryptohack

于 2023-05-12 09:47:29 首次发布

文章目录

Factoring

So far we’ve been using the product of small primes for the modulus, but small primes aren’t much good for RSA as they can be factorised using modern methods.

What is a “small prime”? There was an RSA Factoring Challenge with cash prizes given to teams who could factorise RSA moduli. This gave insight to the public into how long various key sizes would remain safe. Computers get faster, algorithms get better, so in cryptography it’s always prudent to err on the side of caution.

These days, using primes that are at least 1024 bits long is recommended—multiplying two such 1024 primes gives you a modulus that is 2048 bits large. RSA with a 2048-bit modulus is called RSA-2048.

Some say that to really remain future-proof you should use RSA-4096 or even RSA-8192. However, there is a tradeoff here; it takes longer to generate large prime numbers, plus modular exponentiations are predictably slower with a large modulus.

Factorise the 150-bit number 510143758735509025530880200653196460532653147into its two constituent primes. Give the smaller one as your answer.

Resources:

方式1:质因数分解网站:http://factordb.com/
在这里插入图片描述

方式2:Using sagemath

# in SageMath
factor(510143758735509025530880200653196460532653147 )
# 19704762736204164635843 * 25889363174021185185929

相关视频:https://www.youtube.com/watch?v=SmJRKo4XL18&ab_channel=JohnHammond

这个视频内容是有关RSA整数分解的一道题,作用使用python的pwntools模块来维持一个http session 通过该session完成提交整数分解的结果。质因数分解用的是python primefac module。

summary:
现有的整数分解算法可以快速分解“小整数”。因此RSA中小模数N是不安全的。

Monoprime

Why is everyone so obsessed with multiplying two primes for RSA. Why not just use one?

Challenge files:

Resources:

#!/usr/bin/env python3
from Crypto.Util import number
n = 171731371218065444125482536302245915415603318380280392385291836472299752747934607246477508507827284075763910264995326010251268493630501989810855418416643352631102434317900028697993224868629935657273062472544675693365930943308086634291936846505861203914449338007760990051788980485462592823446469606824421932591                                                                  
e = 65537
ct = 161367550346730604451454756189028938964941280347662098798775466019463375610700074840105776873791605070092554650190486030367121011578171525759600774739890458414593857709994072516290998135846956596662071379067305011746842247628316996977338024343628757374524136260758515864509435302781735938531030576289086798942

if number.isPrime(n):
    phi_n = n - 1
    d = number.inverse(e, phi_n)
    pt = pow(ct, d, n)
    pt = number.long_to_bytes(pt).decode()
    print(pt)

Manyprime

题目描述
Using one prime factor was definitely a bad idea so I’ll try using over 30 instead.

If it’s taking forever to factorise, read up on factorisation algorithms and make sure you’re using one that’s optimised for this scenario.

Challenge files:

Resources:

首先对N进行素因子分解

# in sagemath
n = 580642391898843192929563856870897799650883152718761762932292482252152591279871421569162037190419036435041797739880389529593674485555792234900969402019055601781662044515999210032698275981631376651117318677368742867687180140048715627160641771118040372573575479330830092989800730105573700557717146251860588802509310534792310748898504394966263819959963273509119791037525504422606634640173277598774814099540555569257179715908642917355365791447508751401889724095964924513196281345665480688029639999472649549163147599540142367575413885729653166517595719991872223011969856259344396899748662101941230745601719730556631637
e = 65537
ct = 320721490534624434149993723527322977960556510750628354856260732098109692581338409999983376131354918370047625150454728718467998870322344980985635149656977787964380651868131740312053755501594999166365821315043312308622388016666802478485476059625888033017198083472976011719998333985531756978678758897472845358167730221506573817798467100023754709109274265835201757369829744113233607359526441007577850111228850004361838028842815813724076511058179239339760639518034583306154826603816927757236549096339501503316601078891287408682099750164720032975016814187899399273719181407940397071512493967454225665490162619270814464
ecm.factor(n)

得到素分解之后,

  1. 计算N的Euler totient
  2. 求e的逆元,得到d
  3. 执行RSA解密算法
  4. 将数字转换为字符串,得到flag
#!/usr/bin/env python3
from Crypto.Util import number
n = 580642391898843192929563856870897799650883152718761762932292482252152591279871421569162037190419036435041797739880389529593674485555792234900969402019055601781662044515999210032698275981631376651117318677368742867687180140048715627160641771118040372573575479330830092989800730105573700557717146251860588802509310534792310748898504394966263819959963273509119791037525504422606634640173277598774814099540555569257179715908642917355365791447508751401889724095964924513196281345665480688029639999472649549163147599540142367575413885729653166517595719991872223011969856259344396899748662101941230745601719730556631637
e = 65537
ct = 320721490534624434149993723527322977960556510750628354856260732098109692581338409999983376131354918370047625150454728718467998870322344980985635149656977787964380651868131740312053755501594999166365821315043312308622388016666802478485476059625888033017198083472976011719998333985531756978678758897472845358167730221506573817798467100023754709109274265835201757369829744113233607359526441007577850111228850004361838028842815813724076511058179239339760639518034583306154826603816927757236549096339501503316601078891287408682099750164720032975016814187899399273719181407940397071512493967454225665490162619270814464

# 通过sage对N进行分解得到
factors = [9282105380008121879,
           9303850685953812323,
           9389357739583927789,
           10336650220878499841,
           10638241655447339831,
           11282698189561966721,
           11328768673634243077,
           11403460639036243901,
           11473665579512371723,
           11492065299277279799,
           11530534813954192171,
           11665347949879312361,
           12132158321859677597,
           12834461276877415051,
           12955403765595949597,
           12973972336777979701,
           13099895578757581201,
           13572286589428162097,
           14100640260554622013,
           14178869592193599187,
           14278240802299816541,
           14523070016044624039,
           14963354250199553339,
           15364597561881860737,
           15669758663523555763,
           15824122791679574573,
           15998365463074268941,
           16656402470578844539,
           16898740504023346457,
           17138336856793050757,
           17174065872156629921,
           17281246625998849649]
phi_n = 1
for i in factors:
    phi_n *= i-1
d = number.inverse(e, phi_n)  # get private key
pt = number.long_to_bytes(pow(ct, d, n)).decode()
print(pt)

在线的sagemath: https://sagecell.sagemath.org/
sage lesson: https://github.com/fredstro/sage-lesson-nt
sage 官方教程https://doc.sagemath.org/html/en/index.html
博客教程1:https://cocalc.com/share/public_paths/embed/ee63291fa9aadeb8d5830f5c518cddb466501a70
博客教程2: https://blog.devgenius.io/sagemath-doing-math-in-python-8c34765254f7

Salty

题目描述:
Smallest exponent should be fastest, right?
Challenge files:

由于公钥 e = 1 e=1 e=1,因此无论 ϕ ( n ) \phi(n) ϕ(n)的值为多少,私钥 d d d始终为1。

#!/usr/bin/env python3
from Crypto.Util import number
n = 110581795715958566206600392161360212579669637391437097703685154237017351570464767725324182051199901920318211290404777259728923614917211291562555864753005179326101890427669819834642007924406862482343614488768256951616086287044725034412802176312273081322195866046098595306261781788276570920467840172004530873767                                                                  
e = 1
ct = 44981230718212183604274785925793145442655465025264554046028251311164494127485
d = 1

pt = pow(ct, d, n)
flag = number.long_to_bytes(pt).decode()
print(flag)

这道题告诉我们,RSA的公钥采用 e = 1 e=1 e=1不安全。

Modulus Inutilis

My primes should be more than large enough now!

Challenge files:

#!/usr/bin/env python3
import gmpy2
from Crypto.Util import number

"""
Because m is small, m^3 is close to n, so we can compute the 3-th root of  c + k*n where k=0,1,2...
"""

n = 17258212916191948536348548470938004244269544560039009244721959293554822498047075403658429865201816363311805874117705688359853941515579440852166618074161313773416434156467811969628473425365608002907061241714688204565170146117869742910273064909154666642642308154422770994836108669814632309362483307560217924183202838588431342622551598499747369771295105890359290073146330677383341121242366368309126850094371525078749496850520075015636716490087482193603562501577348571256210991732071282478547626856068209192987351212490642903450263288650415552403935705444809043563866466823492258216747445926536608548665086042098252335883
e = 3
ct = 243251053617903760309941844835411292373350655973075480264001352919865180151222189820473358411037759381328642957324889519192337152355302808400638052620580409813222660643570085177957

def low_e_attack(ct,e,n):
    i = 0
    while True:
        
        y, r = gmpy2.iroot(ct + i * n, e) # Return the integer n-th root of x and boolean value that is True iff the root is exact. x >= 0. n > 0.
  
        if r == True:
            print(f"i = {i}")
            flag = number.long_to_bytes(y).decode()
            print(flag)
            exit()
        i = i + 1

if __name__ == "__main__":
    low_e_attack(ct,e,n)

Diffie-Hellman Starter 1

The set of integers modulo n, together with the operations of both addition and multiplication is a ring. This means that adding or multiplying any two elements in the set returns another element in the set.

When the modulus is prime: n = p, we are guaranteed an inverse of every element in the set, and so the ring is promoted to a field. We refer to this field as a finite field F p F_p Fp.

The Diffie-Hellman protocol works with elements of some finite field Fp, where the prime modulus is typically a large prime.

Given the prime p = 991, and the element g = 209, find the inverse element d such that g * d mod 991 = 1.

#!/usr/bin/env python3

from Crypto.Util import number

p = 991
g = 209
d = number.inverse(g, p)
print(f"d = {d}")
debaowang
关注
模拟登陆新版正方教务管理系统
爱你の大表哥的博客
08-20 2万+
引入 与很多高校一样,西安皇家邮电大学一直钟爱于正方教务管理系统。 前一段时间爬了学校的旧版的教务系统,旧版主页 想了解更多请点击这里:爬取学校教务系统获取学生信息 不知道学校是不是把装空调的拿去买新教务系统了,新教务系统主页 可以看出,学校用的仍然是正方教务系统,不过版本升级了,新教务系统是用Java写的后台,前端用了Bootstrap框架。与旧系统相比,界面美观大方,易用性也...
[CryptoHack] RSA-PRIMES PART1 Write-Up
dlfls0710的博客
06-05 1753
1. Factoring 利用factordb.com寻找prime
RSA加密算法,从实际应用到基础原理(一)
mashiqing的博客
03-01 1590
RSA加密算法,从实际应用到基础原理
RSA密钥文件(大整数的质数分解) (公钥)modulus+publicExponent (私钥)modulus+privateExponent
热门推荐
tuhuolong的专栏
01-14 1万+
Private-Key: (31 bit) modulus: 1911166693 (0x71ea16e5) publicExponent: 65537 (0x10001) privateExponent: 1068287013 (0x3facc425) prime1: 53267 (0xd013) prime2: 35879 (0x8c27) exponent1: 37383 (0x
35、Everlasting ROBOT: The Marvin Attack - A Deep Dive into RSA Vulnerabilities
f9g0h的博客
08-12 38
This blog post explores the persistence of RSA vulnerabilities in popular cryptographic libraries such as OpenSSL, NSS, GnuTLS, M2Crypto, and pyca/cryptography. It delves into the mechanics of adaptive chosen ciphertext attacks, particularly the Bleichenba
分别生成完整前端程序代码,后端程序代码,数据库,让我下载即可
最新发布
11-02
public ResponseEntity<?> authenticateUser(@RequestBody LoginRequest loginRequest) { Authentication authentication = authenticationManager.authenticate( new UsernamePasswordAuthenticationToken( ...
91、Web Applications, Software, and Programming Security Insights
yhn4567890的博客
10-06 34
本文深入探讨了Web应用、软件及编程安全的关键议题,涵盖主要威胁如网站篡改、DoS攻击、欺诈与网络入侵,并分析了应用层攻击的成因。文章详细介绍了Web应用保护措施,包括服务器加固、输入验证、会话管理以及OWASP框架的应用。同时,讨论了软件开发中的安全需求、开源与全披露争议、编程语言安全特性,以及面向对象和分布式系统的安全实践。最后,展望了人工智能驱动攻击、物联网漏洞等新兴威胁,并提出零信任架构、区块链和机器学习等应对技术,强调遵循GDPR和ISO 27001等行业标准的重要性,为构建全面的数字安全生态提供
历年计算机科学领域中各大顶会的获奖文章 ICCV、AAAI、CVPR...
ghw15221836342的博客
01-12 5300
Original address: https://jeffhuang.com/best_paper_awards.html By Conference:   AAAI   ACL   CHI   CIKM   CVPR   FOCS   FSE   ICCV   ICML   ICSE   IJCAI   INFOCOM   KDD   MOBICOM   NSDI   OSDI   PLDI...
RFID 仿真/模拟/监控/拦截/检测/嗅探器
weixin_33895695的博客
09-24 2511
Sound card based RFID sniffer/emulator  (Too tired after recon.cx to do draw the schematics better than that :) Stay tuned for the next version including Tag emulation.) baudline FFT signal anal...
Desafios_CRYPTOHACK_Resueltos:储存资料库
03-06
Desafios_CRYPTOHACK 资料库活动范围:Fin de Ciclo,Cryptohack desarrollandodesafíos
CryptoHack:应对CryptoHack挑战的解决方案
04-16
加密黑客 是用于学习密码学的平台。 您可以通过一系列Capture The Flag风格的挑战来学习现代密码学,在这里,我为您提供了应对这些挑战的解决方案。 解决方案: 1.简介: 2.总则: 2.1编码: 编码挑战 2.2 XOR: 异或启动器 XOR属性 最喜欢的字节 你们都知道,XOR你们不 狐猴XOR 2.3数学 最大公约数 扩展GCD 模块化算术1 模块化算术2 模块化反相 2.4数据格式 增强隐私的邮件? 绝对不是 透明度 如果您发现任何错误或有任何建议,可以通过我的社交网络与我联系: 推特: @ h_r0rsch4ch Discord:h-rorschach#3993
RSA加密算法原理
mike_jun的博客
03-13 2932
RSA原理  在RSA原理之前,我想还是有必要了解一下非对称加密算法的加密跟解密过程。下面就是一幅非称加密算法的流程图。    在此可以看到,非对称加密是通过两个密钥(公钥-私钥)来实现对数据的加密和解密的。公钥用于加密,私钥用于解密。对于非对称的加密和解密为什么可以使用不同的密钥来进行,这些都是数学上的问题了。不同的非对称加密算法也会应用到不同的数学知识。上面也对RSA中使用的数学问题做了一个小...
RSA 2048位算法的主要参数N,E,P,Q,DP,DQ,Qinv,D分别是什么意思 哪个是通常所说的公钥与私钥 -安全行业基础篇5
Innocence_0的博客
03-04 2882
N(Modulus):模数,是两个大素数P和Q的乘积。N的长度决定了RSA算法的安全性。E(Public Exponent):公钥指数,通常为65537(0x10001)。E用于加密数据,是公钥的一部分。P(Prime Factor):素数P,是模数N的一个因子。Q(Prime Factor):素数Q,是模数N的另一个因子。DP(D mod (P-1)):D对(P-1)取模的结果,用于解密数据。DQ(D mod (Q-1)):D对(Q-1)取模的结果,用于解密数据。
Cryptohack刷题记录(五) RSA部分 STARTER writeup
u010883831的博客
11-14 1010
cryptohackRSA,writeup,Crypto,CTF
已知 RSA 模数和指数,生成公钥进行加密
一起学习哈
04-16 1932
一. 使用cryptography 包获取 RSA 公钥 # 安装cryptography pip3 install cryptography from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives.asymmetric import rsa from cryptography.hazmat.primitives import serialization #方法一 def
RSA的一些资料
jxluoix的专栏
10-03 830
RSA Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1   目录 1 介绍 3 2 标记法 3 3 密钥类型 4 3.1 RSA公钥 4 3.2 RSA私钥 5 4 数据转换原语 6 4.1 I2OSP 6 4.2 OS2IP 7 5 密码原...
RSA学习2 —— 公钥密码
Rashu99's blog
07-10 2343
小指数明文爆破 如果B使用的e很小,如e=3,且A传给B的明文也很小,如几个字节 那么,c = m^ e mod n 如果n很大 则可能 c = m^ e 即 c=m^ 3 即对c开三次根号 就可以得到m 如果m的三次方大于n但是没有超过太多 即 k*n <m^3 < (k+1)*n 且k是可以爆破的大小 k*n - c = m^3 n=4796670818328963996250136316376186439945424169101446717280565851836842313516
SSH 登录思科路由器RSA modulus too small处理
aletero的专栏
05-27 4960
问题现象:ssh_rsa_verify: RSA modulus too small: 512 key_verify failed for server_host_key 临时解决: 用ssh -v -1 -c des参数连接 test@linux:~$ ssh -v -1 -c des root@10.1.1.1 永久解决方法: liyi-cisco72
rsa peer-public-key
07-04
RSA非对称加密中,使用对等方的公钥通常涉及数据加密、密钥交换或数字签名验证等场景。以下是具体的应用方式和实现细节: ### 数据加密 在数据加密过程中,发送方使用接收方提供的公钥对明文数据进行加密,生成的密文只能通过对应的私钥解密。这种方式确保了只有持有私钥的接收方才能读取信息,保障了通信的安全性。 例如,在iOS开发中,若需要使用PEM格式的公钥进行加密,首先需要将公钥从PEM格式解析为可用的密钥对象,然后使用该公钥对数据进行加密。以下是一个简单的Python示例,展示了如何使用`cryptography`库完成这一过程: ```python from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives.asymmetric import padding from cryptography.hazmat.primitives import hashes # 加载PEM格式的公钥 with open("public_key.pem", "rb") as f: public_key = serialization.load_pem_public_key( f.read() ) # 使用公钥加密数据 plaintext = b"Secret message" ciphertext = public_key.encrypt( plaintext, padding.OAEP( mgf=padding.MGF1(algorithm=hashes.SHA256()), algorithm=hashes.SHA256(), label=None ) ) print("Encrypted data:", ciphertext) ``` ### 密钥交换 RSA还可以用于安全地交换对称加密算法所需的密钥。在这种情况下,发送方生成一个随机的对称密钥,并使用接收方的公钥对其进行加密。接收方收到加密后的密钥后,使用自己的私钥解密并获取对称密钥。随后,双方可以使用该对称密钥进行高效的数据加密和解密[^3]。 ### 数字签名验证 数字签名是另一种常见的应用场景,它利用RSA的非对称特性来验证数据的完整性和真实性。发送方使用自己的私钥对数据进行签名,而接收方则使用发送方的公钥验证签名的有效性。如果签名验证成功,则表明数据未被篡改且确实来自签名者。 以下是一个使用Python的`cryptography`库进行数字签名验证的示例: ```python from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.asymmetric import padding from cryptography.hazmat.primitives.serialization import load_pem_public_key # 加载PEM格式的公钥 with open("public_key.pem", "rb") as f: public_key = load_pem_public_key(f.read()) # 验证签名 message = b"Message to be signed" signature = b"Signature generated by the private key" try: public_key.verify( signature, message, padding.PSS( mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH ), hashes.SHA256() ) print("Signature is valid.") except Exception as e: print("Signature is invalid:", e) ``` ### 公钥的格式与管理 在实际应用中,公钥可能以多种格式存在,包括PEM(Privacy Enhanced Mail)、DER(Distinguished Encoding Rules)以及直接提供模数(n)和公开幂(e)的情况。PEM格式的公钥通常以`-----BEGIN PUBLIC KEY-----`开头,并以Base64编码形式存储;而DER格式则是二进制形式的公钥数据。此外,某些场景下可能会直接给出模数n和公开幂e的十六进制值,这时需要手动构造公钥对象[^1]。 对于物联网设备的身份验证,每台设备会生成并绑定一个随机的公钥,同时还会发送设备证书以供CA中心验证。这种方法结合了公钥加密和证书机制,进一步增强了系统的安全性[^5]。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值