RSA in CTF
Thirty Years of Attacks on the RSA Cryptosystem
Twenty Years of Attacks on the RSA Cryptosystem
NTUST Information Security Research Club, 楊明軒
Outline
• Miscellaneous
• when p == q
• twin prime
• Encryption-exponent attacks
• Hastad's Broadcast Attack
• Decryption-exponent attacks
• Wiener's attack
• Modulus attacks
• RSA common modulus attack
• Implementation issues
• p, q reuse
Miscellaneous
when p == q
when p == q
• Happened to see this in a CTF challenge, so it is pulled in here to pad the page count...
• Euler's totient function
• https://en.wikipedia.org/wiki/Euler's_totient_function
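The point the slide leaves to the Wikipedia link: when p == q the modulus is n = p^2, so p is the integer square root of n and Euler's totient is φ(n) = p(p-1), not (p-1)^2. The block below is an added example, not code from the slides; the function names and the toy key (p = 101, e = 65537, m = 1234) are constructed for illustration. It also shows the check a key generator or key audit should run: a modulus that is a perfect square means p == q.

```python
# Added example (not from the slides): what goes wrong when an RSA key
# generator picks p == q. With n = p^2 the modulus is a perfect square, so
# anyone can read p off n with an integer square root, and Euler's totient is
# phi(n) = p*(p-1) rather than (p-1)^2. Toy parameters are constructed here.
from math import gcd, isqrt


def square_root_modulus(n):
    """Return p if n == p*p for an integer p, otherwise None.

    A key-generation or key-audit check: a perfect-square modulus means p == q.
    """
    p = isqrt(n)
    return p if p * p == n else None


def private_exponent_for_square_modulus(e, n):
    """Recover d for n = p^2 using phi(n) = p*(p-1)."""
    p = square_root_modulus(n)
    if p is None:
        raise ValueError("modulus is not a perfect square; this shortcut does not apply")
    phi = p * (p - 1)          # Euler's totient of a prime square
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible mod phi(n)")
    return pow(e, -1, phi)     # modular inverse, Python 3.8+


def decrypt_square_modulus(c, e, n):
    """Decrypt c under a p == q key without knowing the private key."""
    d = private_exponent_for_square_modulus(e, n)
    return pow(c, d, n)


# Constructed toy key: p = q = 101, so n = 10201 and phi(n) = 101*100 = 10100.
# The message is chosen coprime to p; a multiple of p would not survive the
# round trip under a square modulus.
P_TOY = 101
N_TOY = P_TOY * P_TOY
E_TOY = 65537
M_TOY = 1234
C_TOY = pow(M_TOY, E_TOY, N_TOY)

if __name__ == "__main__":
    print("n is the square of", square_root_modulus(N_TOY))
    print("recovered plaintext:", decrypt_square_modulus(C_TOY, E_TOY, N_TOY))
```

The `square_root_modulus` check is cheap enough to run over every key in a batch; for a proper two-prime key it returns None, as the test on a toy n = 101 * 107 shows.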
when p == q: exercise
• Qiwi Infosec CTF 2016 : 2-400
• https://goo.gl/GYTI5U
twin prime
twin prime
• if p is prime and p + 2 is prime
• https://en.wikipedia.org/wiki/Twin_prime
• n1 = p*q
• n2 = (p+2)*(q+2)
• φ(n1) = (p-1)*(q-1) = pq - (p+q) + 1 = n1 - (p+q) + 1
• φ(n2) = (p+1)*(q+1) = pq + (p+q) + 1 = n1 + (p+q) + 1 (the primes of n2 are p+2 and q+2)
• n2 = (p+2)*(q+2) = p*q + 2(p+q) + 4
• 2(p+q) = n2 - p*q - 4
• p+q = (n2 - n1 - 4)/2
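The derivation above worked through on constructed toy keys, as an added example that is not part of the slides. Beyond the slide, it also finishes the job: once p+q is known, p and q are the integer roots of x^2 - (p+q)x + pq = 0, and both private exponents follow from the two φ values. Function names and the toy values (twin primes 101/103 and 107/109, e = 65537, m = 3141) are assumptions made here; the double encryption (under n1, then n2) mirrors the layout of the MMA CTF challenge solved in the speaker notes.

```python
# Added example (not from the slides): the twin-prime relation worked on a
# constructed toy key pair. n1 = p*q and n2 = (p+2)*(q+2) leak p+q, and with
# p+q and p*q known, p and q are the roots of x^2 - (p+q)x + pq = 0.
from math import isqrt


def sum_of_primes_from_twin_moduli(n1, n2):
    """p + q, from n2 - n1 = 2(p+q) + 4."""
    diff = n2 - n1 - 4
    if diff <= 0 or diff % 2:
        raise ValueError("moduli do not fit the twin-prime relation")
    return diff // 2


def factor_from_sum_and_product(s, n):
    """Roots of x^2 - s*x + n = 0, i.e. the two factors of n, or None."""
    disc = s * s - 4 * n
    if disc < 0:
        return None
    r = isqrt(disc)
    if r * r != disc or (s + r) % 2:
        return None
    p, q = (s - r) // 2, (s + r) // 2
    return (p, q) if p * q == n and p > 1 else None


def recover_twin_prime_keys(n1, n2, e):
    """Return (p, q, d1, d2): the factors of n1 and the private exponents for n1 and n2."""
    s = sum_of_primes_from_twin_moduli(n1, n2)
    factors = factor_from_sum_and_product(s, n1)
    if factors is None:
        raise ValueError("could not factor n1 from p+q")
    p, q = factors
    phi1 = n1 - s + 1          # (p-1)(q-1)
    phi2 = n1 + s + 1          # (p+1)(q+1), the totient of n2
    return p, q, pow(e, -1, phi1), pow(e, -1, phi2)


def decrypt_double_encrypted(c, n1, n2, e):
    """Undo the n2 layer first, then the n1 layer."""
    _, _, d1, d2 = recover_twin_prime_keys(n1, n2, e)
    return pow(pow(c, d2, n2), d1, n1)


# Constructed toy keys: twin primes (101, 103) and (107, 109).
N1_TOY = 101 * 107     # 10807
N2_TOY = 103 * 109     # 11227
E_TOY = 65537
M_TOY = 3141
# A message encrypted under n1 and then under n2 (n1 < n2, so the inner
# ciphertext fits inside the outer modulus).
C_TOY = pow(pow(M_TOY, E_TOY, N1_TOY), E_TOY, N2_TOY)

if __name__ == "__main__":
    print("p + q =", sum_of_primes_from_twin_moduli(N1_TOY, N2_TOY))
    print("p, q  =", factor_from_sum_and_product(208, N1_TOY))
    print("m     =", decrypt_double_encrypted(C_TOY, N1_TOY, N2_TOY, E_TOY))
```

`factor_from_sum_and_product` is the generic "sum and product to factors" step; the same routine closes out Wiener's attack later in the deck, where p+q comes from φ(n) instead of from a twin modulus.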
twin prime: exercise
• 2016 - MMA CTF - Twin Primes
• https://goo.gl/IGuwlk
Encryption-exponent attacks
Hastad’s Broadcast Attack
Chinese Remainder Theorem / CRT
• Every time, Han Xin has to come out and count his soldiers
• "There is a number of things whose count is unknown: counted by threes, two remain; by fives, three remain; by sevens, two remain. How many things are there?"
• Solves a system of congruences whose moduli are distinct and pairwise coprime
• X ≡ c1 (mod n1)
• X ≡ c2 (mod n2)
• X ≡ c3 (mod n3)
…
CRT -- solving the system
• 1. Compute the combined modulus: N = n1 * n2 * n3 …
• 2. Compute N1 = N/n1, N2 = N/n2, N3 = N/n3, …
• 3. Compute the multiplicative inverse of N1 mod n1, of N2 mod n2, … to get N1', N2', N3' …
• The solution:
X = (c1 * N1 * N1' + c2 * N2 * N2' + c3 * N3 * N3') mod N
CRT - Han Xin counting example
• X ≡ 2 (mod 3)
• X ≡ 3 (mod 5)
• X ≡ 2 (mod 7)
• N = 3 * 5 * 7 = 105
• N1 = 105/3 => 35, N2 = 105/5 => 21, N3 = 105/7 => 15
• N1' = 2 (the multiplicative inverse of 35 mod 3), N2' = 1, N3' = 1
• X = (2 * 35 * 2 + 3 * 21 * 1 + 2 * 15 * 1) mod 105 => 23
• X = 23 + 105k, k = 0, 1, 2, 3, ...
Hastad’s Broadcast Attack
• Typical scenario:
• Xiaoming sends the same message to several recipients with e = 3; intercepting three encryptions of that plaintext (each under a different n) is enough to recover it
• Requirements
• M and e must be the same for every ciphertext
• There must be at least e ciphertexts (e.g. e = 3 needs at least c1, c2, c3), each under a different n
Hastad’s Broadcast Attack
• Assume e = 3
• (n1, e), c1 = m^3 mod n1 => m^3 ≡ c1 (mod n1)
• (n2, e), c2 = m^3 mod n2 => m^3 ≡ c2 (mod n2)
• (n3, e), c3 = m^3 mod n3 => m^3 ≡ c3 (mod n3)
• Chinese Remainder Theorem / CRT
• C' = m^3 mod (n1 * n2 * n3)
=> C' = m^3 exactly, because m < every ni gives m^3 < n1 * n2 * n3, so m is the integer cube root of C'
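The three-step CRT recipe and the broadcast attack built on it, as one added example that is not code from the slides and needs neither libnum nor cryptanalib. The CRT is checked against the Han Xin problem (answer 23); the broadcast part uses constructed toy keys (three moduli from primes whose p-1 is not divisible by 3, so e = 3 is valid for each). Function names and sample values are assumptions made here. The example also handles the failure mode the slide's requirement implies: when m^3 is not below the product of the moduli, the CRT value is not a perfect cube and the function returns None rather than a wrong plaintext.

```python
# Added example (not from the slides): the three-step CRT recipe, checked on
# the Han Xin counting problem, then used for Hastad's broadcast attack with
# e = 3 on constructed toy keys.
from math import gcd


def crt(remainders, moduli):
    """Solve X = c_i (mod n_i) for pairwise-coprime n_i; returns X mod N."""
    N = 1
    for n in moduli:                       # step 1: N = n1 * n2 * n3 ...
        N *= n
    x = 0
    for c, n in zip(remainders, moduli):
        Ni = N // n                        # step 2: Ni = N / ni
        Ni_inv = pow(Ni, -1, n)            # step 3: Ni' = inverse of Ni mod ni
        x += c * Ni * Ni_inv
    return x % N


def integer_root(x, k):
    """Largest r with r**k <= x (exact integer arithmetic, no floats)."""
    lo, hi = 0, 1
    while hi ** k <= x:
        hi *= 2
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid
    return lo


def hastad_broadcast(ciphertexts, moduli, e):
    """Recover m from e ciphertexts of the same m under e distinct coprime moduli.

    Returns None when the CRT value is not a perfect e-th power, i.e. when the
    condition m**e < n1*n2*...*ne does not hold (or the inputs do not match).
    """
    if len(ciphertexts) < e or len(moduli) != len(ciphertexts):
        raise ValueError("need at least e ciphertext/modulus pairs")
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise coprime")
    big = crt(ciphertexts[:e], moduli[:e])   # C' = m**e mod (n1*...*ne)
    m = integer_root(big, e)
    return m if m ** e == big else None


# Han Xin's soldiers: X = 2 (mod 3), 3 (mod 5), 2 (mod 7) -> 23.
HAN_XIN = crt([2, 3, 2], [3, 5, 7])

# Constructed toy broadcast: e = 3 and three moduli built from primes p with
# 3 not dividing p-1, so e = 3 is a valid public exponent for each key.
E_TOY = 3
MODULI_TOY = [101 * 107, 113 * 131, 137 * 149]
M_TOY = 1234                                  # M_TOY**3 < product of the moduli
CIPHERTEXTS_TOY = [pow(M_TOY, E_TOY, n) for n in MODULI_TOY]

if __name__ == "__main__":
    print("Han Xin:", HAN_XIN)
    print("broadcast m:", hastad_broadcast(CIPHERTEXTS_TOY, MODULI_TOY, E_TOY))
```

`integer_root` is a plain bisection; it matters because a floating-point cube root of a 2048-bit number is useless, which is why the deck reaches for libnum.nroot on the next slide.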
Hastad's Broadcast Attack in python
• Assume e = 3
    import libnum
    cs = (c1, c2, c3)
    ns = (n1, n2, n3)
    key = libnum.solve_crt(cs, ns)   # C' = m^3
    flag = libnum.nroot(key, 3)      # e = 3
Hastad's Broadcast Attack in python
• Using cryptanalib
• https://github.com/nccgroup/featherduster
    import cryptanalib as ca
    answer_as_number = ca.hastad_broadcast_attack([(c1, n1), (c2, n2), (c3, n3)], e)
    print(ca.long_to_string(answer_as_number))
Hastad's Broadcast Attack in CTF (exercises)
• 2015 tw edu ctf mayday crypto 150
• https://goo.gl/wuyFBP
• 2016 H4ckIT CTF - Interceptor – Portugal
• https://goo.gl/6L2izu
Decryption-exponent attacks
Wiener's attack
Boneh-Durfee's low private exponent Attack
Wiener's theorem
• copied from Wikipedia (the statement is in speaker note #22)
Wiener's attack
• Low decryption-exponent attack / Low Private-Exponent Attack / continued fraction attack
• Based on continued fractions
• Compute the continued fraction of e/N
• Use its convergents to approximate d
• No need to factor n
• d is small (d < (N**0.25)/3)
• e is large
• wiki
• https://en.wikipedia.org/wiki/Wiener%27s_attack
continued fraction
• Repeatedly apply Euclidean division to the numerator and denominator
• Reference
• https://goo.gl/gynL7d
• Use the convergents to approximate d
Wiener's attack
• n = p*q
• φ(n) = (p-1)*(q-1) = pq - (p+q) + 1 = n - (p+q) + 1
• φ(n) ≈ n
• e*d - 1 = φ(n)*k
=> e/φ(n) - 1/(d*φ(n)) = k/d
=> e/φ(n) - k/d = 1/(d*φ(n)), and since φ(n) ≈ n, e/n - k/d ≈ 1/(d*φ(n)), small enough that k/d appears among the convergents of e/n
Wiener's attack finds k/d and from it φ(n) = (e*d - 1)/k
With φ(n) we get p+q = n - φ(n) + 1
With (p+q) and pq, solve x^2 - (p+q)*x + pq = 0 to get p and q
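The derivation above turned into code, as an added example that is not from the slides or from the rsa-wiener-attack repository linked on the next slide. It walks the convergents of e/n, and for each candidate k/d checks that φ = (e*d - 1)/k is an integer and that x^2 - (n - φ + 1)x + n has integer roots, which is exactly the test that rules out every convergent except the right one. The toy key (p = 10009, q = 10007, d = 7, so e is the large inverse of 7) and all function names are constructed assumptions; d = 7 sits well inside Wiener's bound d < n^(1/4)/3.

```python
# Added example (not from the slides): Wiener's attack written out from the
# derivation above. The continued fraction of e/n yields convergents k/d; for
# each candidate, phi = (e*d - 1)/k must be an integer and p, q must be the
# integer roots of x^2 - (n - phi + 1)x + n. A toy key with a deliberately
# small d is constructed here, so the attack condition d < n**0.25 / 3 holds.
from math import isqrt


def continued_fraction(num, den):
    """Partial quotients of num/den via repeated Euclidean division."""
    cf = []
    while den:
        a = num // den
        cf.append(a)
        num, den = den, num - a * den
    return cf


def convergents(cf):
    """Yield (numerator, denominator) of each convergent of the fraction."""
    h_prev, h = 0, 1      # h_{-2}, h_{-1}
    k_prev, k = 1, 0      # k_{-2}, k_{-1}
    for a in cf:
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield h, k


def wiener_attack(e, n):
    """Return (d, p, q) when e/n has a convergent k/d that exposes phi(n), else None."""
    for k, d in convergents(continued_fraction(e, n)):
        if k == 0 or (e * d - 1) % k:
            continue                       # k/d does not give an integer phi
        phi = (e * d - 1) // k
        s = n - phi + 1                    # p + q
        disc = s * s - 4 * n
        if disc < 0:
            continue
        r = isqrt(disc)
        if r * r != disc or (s + r) % 2:
            continue                       # roots are not integers
        p, q = (s + r) // 2, (s - r) // 2
        if q > 1 and p * q == n:
            return d, p, q
    return None


def wiener_condition_holds(d, n):
    """Wiener's bound d < n**(1/4) / 3, evaluated in integers as 81 * d**4 < n."""
    return 81 * d ** 4 < n


# Constructed toy key: q < p < 2q, and a tiny private exponent d = 7.
P_TOY, Q_TOY = 10009, 10007
N_TOY = P_TOY * Q_TOY                     # 100160063
PHI_TOY = (P_TOY - 1) * (Q_TOY - 1)
D_TOY = 7
E_TOY = pow(D_TOY, -1, PHI_TOY)           # large e, small d: exactly Wiener's setting

if __name__ == "__main__":
    print("bound holds:", wiener_condition_holds(D_TOY, N_TOY))
    print("recovered (d, p, q):", wiener_attack(E_TOY, N_TOY))
```

The integer form of the bound (81 * d**4 < n) is the check to run at key-generation time: a private exponent chosen small for fast decryption must fail it by a wide margin, and Boneh-Durfee, mentioned on the section slide, pushes the dangerous range higher still.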
Wiener's attack in python
    git clone https://github.com/pablocelayes/rsa-wiener-attack.git
    import RSAwienerHacker
    d = RSAwienerHacker.hack_RSA(e, n)
Wiener's attack: exercise
• bctf 2015 warmup
• https://goo.gl/x1VmR5
Modulus attacks
RSA common modulus attack
RSA common modulus attack
• Broadcast with the same m, the same n, but different e
• The e values must be coprime
• CB = m^eB mod n
• CC = m^eC mod n
• gcd(eB, eC) = 1
• s1*eB + s2*eC = 1 (s1, s2 from the extended Euclidean algorithm)
• CB^s1 * CC^s2 = (m^eB mod n)^s1 * (m^eC mod n)^s2
=> m^(s1*eB) * m^(s2*eC) mod n
=> m^(s1*eB + s2*eC) mod n
=> m mod n
Negative exponents? / Modular division?
Negative exponents
• Division
• A^b / A^c = A^(b-c)
• 3^(-2)
=> 3^0 / 3^2
=> 1 / 3^2
Modular division
• The inverse operation of modular multiplication
• 1 / 7 = ? (mod 5)
• ? * 7 = 1 (mod 5)
• ? * 7 * 7' = 1 * 7' (mod 5), where 7' is the multiplicative inverse of 7 mod 5
• ? = 1 * 7' (mod 5)
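The common-modulus derivation and the "negative exponent = power of the modular inverse" trick from the last two slides, in one added example written in plain Python (not the gmpy2 version that follows and not code from the slides). The extended Euclidean algorithm produces the s1, s2 of the derivation; whichever of them is negative is applied as a positive power of the inverse ciphertext. The toy setting (n = 10009 * 10007, e1 = 5, e2 = 7, m = 424242) and all names are constructed assumptions.

```python
# Added example (not from the slides): the common-modulus attack in plain
# Python, with the extended Euclidean algorithm and the modular inverse that
# stand in for the "negative exponent" from the derivation above.
from math import gcd


def extended_gcd(a, b):
    """Return (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def mod_pow_signed(base, exp, n):
    """base**exp mod n for any integer exp; a negative exponent means
    (base^-1)**|exp|, i.e. the modular division from the slide."""
    if exp < 0:
        base = pow(base, -1, n)   # raises ValueError if gcd(base, n) != 1
        exp = -exp
    return pow(base, exp, n)


def common_modulus_attack(c1, c2, e1, e2, n):
    """Recover m from c1 = m^e1, c2 = m^e2 (mod n) when gcd(e1, e2) == 1."""
    g, s1, s2 = extended_gcd(e1, e2)
    if g != 1:
        raise ValueError("public exponents must be coprime")
    # s1*e1 + s2*e2 == 1, so c1^s1 * c2^s2 == m^(s1*e1 + s2*e2) == m (mod n)
    return (mod_pow_signed(c1, s1, n) * mod_pow_signed(c2, s2, n)) % n


# Constructed toy setting: one modulus, two public exponents, one message.
N_TOY = 10009 * 10007                     # 100160063
E1_TOY, E2_TOY = 5, 7                     # coprime, both valid for phi(N_TOY)
M_TOY = 424242
C1_TOY = pow(M_TOY, E1_TOY, N_TOY)
C2_TOY = pow(M_TOY, E2_TOY, N_TOY)

if __name__ == "__main__":
    print("s1, s2 =", extended_gcd(E1_TOY, E2_TOY)[1:])
    print("m =", common_modulus_attack(C1_TOY, C2_TOY, E1_TOY, E2_TOY, N_TOY))
```

With e1 = 5 and e2 = 7 the coefficients are s1 = 3, s2 = -2, so the attack computes c1^3 * (c2^-1)^2 = m^(15 - 14) = m; the gmpy2 version on the next slide does the same with gcdext and invert.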
RSA common modulus attack in python
    import gmpy2

    def common_modulus_attack(c1, c2, e1, e2, n):
        # s1*e1 + s2*e2 == g; the attack needs g == 1
        g, s1, s2 = gmpy2.gcdext(e1, e2)
        assert g == 1, "e1 and e2 must be coprime"
        # a negative coefficient becomes a positive power of the modular inverse
        if s1 < 0:
            s1 = -s1
            c1 = gmpy2.invert(c1, n)
        elif s2 < 0:
            s2 = -s2
            c2 = gmpy2.invert(c2, n)
        c1s1 = pow(c1, s1, n)
        c2s2 = pow(c2, s2, n)
        m = (c1s1 * c2s2) % n
        return m
RSA common modulus attack: exercises
• TW edu 2015 - share (crypto 150)
• https://goo.gl/yptXjB
• Volga CTF Quals 2013 - Crypto 200
• https://goo.gl/1Qa4XQ
• PlaidCTF CTF 2015: Strength
• https://goo.gl/i0AkFS
Implementation issues
p, q reuse
p, q reuse
• Typical challenge:
• You are given a pile of public keys (maybe 100 of them)
• n1 = p1 * q1 = 3 * 5 = 15
• n2 = p2 * q2 = 3 * 7 = 21
• gcd(n1, n2) = 3 = p1 = p2
• n1 / p1 = q1 = 5
• n2 / p2 = q2 = 7
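The 15 / 21 toy generalised to a whole batch of keys, as an added example that is not code from the slides: take the gcd of every pair of moduli, and any result other than 1 is a prime shared by two keys, which factors both. This is the check a key audit runs over a fleet of certificates, since keys generated from a poorly seeded random source are the usual way such collisions arise. Function names and the constructed key list (including 10807 = 101 * 107 and 11413 = 101 * 113, and one modulus that shares nothing) are assumptions made here.

```python
# Added example (not from the slides): scanning a pile of public keys for
# shared primes. Any pair of moduli with gcd > 1 gives away a factor of both,
# exactly as in the 15 / 21 toy above. The key list here is constructed.
from math import gcd


def find_shared_factors(moduli):
    """Pairwise gcd over the moduli; returns {n: (p, q)} for every n factored this way."""
    factored = {}
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            n1, n2 = moduli[i], moduli[j]
            g = gcd(n1, n2)
            if g == 1 or g == n1 or g == n2:
                continue                      # no shared prime (or a duplicate key)
            for n in (n1, n2):
                p, q = g, n // g
                factored.setdefault(n, (min(p, q), max(p, q)))
    return factored


def private_exponents(factored, e):
    """d for every factored modulus, from phi = (p-1)(q-1)."""
    return {n: pow(e, -1, (p - 1) * (q - 1)) for n, (p, q) in factored.items()}


# Constructed key batch: 15 and 21 share 3 (as on the slide); 10807 and 11413
# share 101; 14803 and 11413 share 113; 17653 = 127 * 139 shares nothing.
MODULI_TOY = [15, 21, 10807, 14803, 11413, 17653]

if __name__ == "__main__":
    found = find_shared_factors(MODULI_TOY)
    for n, (p, q) in sorted(found.items()):
        print(f"n = {n}: p = {p}, q = {q}")
    print("still unfactored:", [n for n in MODULI_TOY if n not in found])
```

The pairwise loop is O(k^2) gcds, fine for a hundred CTF keys; for millions of real certificates the same idea is done with a product tree (batch gcd), but the output is the same map from modulus to shared prime.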
p, q reuse: exercise
• 2016 AIS3 pre exam Crypto 03
• https://goo.gl/lPvdVM
• 2015 Backdoor CTF RSALOT
• https://goo.gl/f9W2hA


Editor's Notes

  • #10  Solver for the MMA CTF twin prime challenge (slide 10), updated from Python 2 to Python 3 (integer division and the print function); the large constants are the challenge's own values:
    #!/usr/bin/env python3
    # for mma ctf twin prime
    # n1 = p*q, n2 = (p+2)*(q+2), so p+q = (n2 - n1 - 4)/2 and both totients follow
    from Crypto.Util.number import inverse, long_to_bytes
    c = 7991219189591014572196623817385737879027208108469800802629706564258508626010674513875496029177290575819650366802730803283761137036255380767766538866086463895539973594615882321974738140931689333873106124459849322556754579010062541988138211176574621668101228531769828358289973150393343109948611583609219420213530834364837438730411379305046156670015024547263019932288989808228091601206948741304222197779808592738075111024678982273856922586615415238555211148847427589678238745186253649783665607928382002868111278077054871294837923189536714235044041993541158402943372188779797996711792610439969105993917373651847337638929
    n1 = 19402643768027967294480695361037227649637514561280461352708420192197328993512710852087871986349184383442031544945263966477446685587168025154775060178782897097993949800845903218890975275725416699258462920097986424936088541112790958875211336188249107280753661467619511079649070248659536282267267928669265252935184448638997877593781930103866416949585686541509642494048554242004100863315220430074997145531929128200885758274037875349539018669336263469803277281048657198114844413236754680549874472753528866434686048799833381542018876362229842605213500869709361657000044182573308825550237999139442040422107931857506897810951
    e = 65537
    n2 = 19402643768027967294480695361037227649637514561280461352708420192197328993512710852087871986349184383442031544945263966477446685587168025154775060178782897097993949800845903218890975275725416699258462920097986424936088541112790958875211336188249107280753661467619511079649070248659536282267267928669265252935757418867172314593546678104100129027339256068940987412816779744339994971665109555680401467324487397541852486805770300895063315083965445098467966738905392320963293379345531703349669197397492241574949069875012089172754014231783160960425531160246267389657034543342990940680603153790486530477470655757947009682859
    p_q = (n2 - n1 - 4) // 2      # p + q; integer division keeps exact precision on big ints
    phi_n1 = n1 - p_q + 1         # (p-1)(q-1)
    phi_n2 = n1 + p_q + 1         # (p+1)(q+1), the totient of n2
    d1 = inverse(e, phi_n1)
    d2 = inverse(e, phi_n2)
    # the flag was encrypted under n1 and then under n2, so undo the n2 layer first
    print(long_to_bytes(pow(pow(c, d2, n2), d1, n1)))
  • #22  If d < (1/3) n^(1/4), a special type of attack based on continued fractions (a problem from number theory) can compromise the security of RSA. For this to happen, q < p < 2q must also hold. When both conditions are met, Eve can factor n in polynomial time.
  • #27  https://zhuanlan.zhihu.com/p/21858074
  • #34 http://www.csie.ntnu.edu.tw/~u91029/Residue.html