Recommended
More Related Content
What's hot
What's hot (20)
Similar to Rsa in CTF
Similar to Rsa in CTF (20)
Recently uploaded
Recently uploaded (20)
Rsa in CTF
- 1. RSA in CTF Thirty Years of Attacks on the RSA Cryptosystem Twenty Years of Attacks on the RSA Cryptosystem 台科大資安研究社_楊明軒
- 2. Outline • 雜項 • when p == q • twin prime • 加密指數攻擊 • Hastad’s Broadcast Attack • 解密指數攻擊 • Wiener's attack • 模數攻擊 • RSA common modulus attack • 實作問題 • p、q reuse
- 3. 雜項
- 4. when p == q
- 5. when p == q • 剛好看到CTF題目有就拉近來佔佔頁數… • Euler's totient function • https://en.wikipedia.org/wiki/Euler's_totient_function
- 6. when p == q 練習 • Qiwi Infosec CTF 2016 : 2-400 • https://goo.gl/GYTI5U
- 7. twin prime
- 8. twin prime • if p is prime and p + 2 is prime • https://en.wikipedia.org/wiki/Twin_prime • n1 = p*q • n2 = (p+2)*(q+2) • n1 的 phi = (p-1)*(q-1) = pq - (p+q) + 1 = n1 - (p+q) +1 • n2 的 phi = (p+1)*(q+1) = pq + (p+q) + 1 = n1 + (p+q) +1 • n2 = (p+2)*(q+2) = p*q + 2( p+q ) + 4 • 2( p+q ) = n2 - p*q – 4 • p+q = ( n2 - n1 - 4 )/2
- 9. twin prime 練習 • 2016 - MMA CTF - Twin Primes • https://goo.gl/IGuwlk
- 10. 加密指數攻擊
- 12. 中國剩餘定理/CRT • 每次都要叫韓信出來點兵 • 有物不知其數,三三數之剩二,五五數之剩三,七七數之剩二。 問物幾何? • 解模數相異且互質的同餘方程組 • X ≡ c1 (mod n1) • X ≡ c2 (mod n2) • X ≡ c3 (mod n3) …
- 13. CRT -- 解方程 • 1. 求共同模數: N = n1 * n2 * n3 … • 2. 算 N1 = N/n1 , N2 = N/n2 , N3 = N/n3 , … • 3. 分別求 N1 mod n1 的乘法反元素, N2 mod n2 的乘法反元素 來得到 N1’ , N2’ , N3’ … • 求解方程式答案: X = (c1 * N1 * N1’ + c2 * N2 * N2’ + c3 * N3 * N3’ ) mod N
- 14. CRT – 韓信點兵舉例 • X ≡ 2 (mod 3) • X ≡ 3 (mod 5) • X ≡ 2 (mod 7) • N = 3 * 5 * 7 = 105 • N1 = 105/3 => 35 , N2 = 105/5 => 21 , N3 = 105/7 => 15 • N1’ = 2 (35 在 mod 3 下的乘法反元素) N2’ = 1 , N3’1 = 1 • X = (2 * 35 * 2 + 3 * 21 * 1 + 2 * 15 * 1) mod 105 => 23 • X = 23 + 105k , k = 0、 1、2 、3……
- 15. Hastad’s Broadcast Attack • 常見情境: • 小明要送同一個訊息出去,已知 e = 3 ,則只需截獲該明文加密後的密文 三次即可解 (n都不同) • 使用條件 • M / e 需不變 • 密文數量要有 e 這麼多 (ex: e = 3 , 則最少要有 c1,c2,c3) (n 都不同)
- 16. Hastad’s Broadcast Attack • 假設 e = 3 • (n1 , e) , c1 = 𝑚3 mod n1 => 𝑚3 ≡ c1 (mod n1) • (n2 , e) , c2 = 𝑚3 mod n2 => 𝑚3 ≡ c2 (mod n2) • (n3 , e) , c3 = 𝑚3 mod n3 => 𝑚3 ≡ c3 (mod n3) • 中國剩餘定理 / Chinese Remainder Theorem / CRT • C’ = 𝑚3 mod (n1 * n2 * n3) => C’ = 𝑚3
- 17. Hastad’s Broadcast Attack in python • 假設 e = 3 • import libnum • cs = (c1 , c2 , c3) • ns = (n1 , n2 , n3) • key = libnum.solve_crt(cs,ns) • flag = libnum.nroot(key,3) # e = 3
- 18. Hastad’s Broadcast Attack in python • 用 cryptanalib • https://github.com/nccgroup/featherduster • import cryptanalib as ca • answer_as_number = ca.hastad_broadcast_attack( [(c1, n1), (c2, n2), (c3, n3)], e) • print ca.long_to_string(answer_as_number)
- 19. Hastad’s Broadcast Attack in CTF (練習) • 2015 tw edu ctf mayday crypto 150 • https://goo.gl/wuyFBP • 2016 H4ckIT CTF - Interceptor – Portugal • https://goo.gl/6L2izu
- 20. 解密指數攻擊
- 21. Wiener's attack Boneh-Durfee's low private exponent Attack
- 22. Wiener's theorem • copy from wiki
- 23. Wiener's attack • 低解密指數攻擊 / Low Private-Exponent Attack / 連續分數攻擊 • 基於 continued fraction • 算 e/N 的連分數 • 用來近似 d • 不用對 n 分解 • d 很小(d < (N**0.25)/3) • e 很大 • wiki • https://en.wikipedia.org/wiki/Wiener%27s_attack
- 24. continued fraction • 分子分母不斷輾轉相除法 • 參考 • https://goo.gl/gynL7d • 用漸進分數來近似d
- 25. Wiener's attack • n = p*q • φ(n) = (p-1)*(q-1) = pq – (p+q) + 1 = n – (p+q) +1 • φ(n) 近似 n • e*d -1 = φ(n)*k => e/φ(n) – 1/d*φ(n) = k/d => e/n – k/d = 1/d*φ(n) 透過 wiener 可以推出 φ(n) 有 φ(n) 可以算出 (p+q) 有 (p+q)、pq 可以透過 x^2 - (p + q)*x + pq = 0 來求出 p 、 q
- 26. Wiener's attack in python • git clone https://github.com/pablocelayes/rsa-wiener-attack.git • import RSAwienerHacker • d = RSAwienerHacker.hack_RSA(e,n)
- 27. Wiener‘s attack 練習 • bctf 2015 warmup • https://goo.gl/x1VmR5
- 28. 模數攻擊
- 29. RSA common modulus attack
- 30. RSA common modulus attack • m 相同 / n 相同 / e 不同的廣播 • e 需互質 • CB = m^eB mod n • CC = m^eC mod n • gcd(eB , eC) = 1 • s1eB + s2eC = 1 • CB^s1 * CC^s2 = (m^eB mod n )^s1 * (m^eC mod n)^s2 => m^s1eB * m^s2eC mod n => m^(s1eB+s2eC) mod n => m mod n
- 31. 次方負數? / 餘數除法 ?
- 32. 次方負數 •除法 •A^b / A^c = A^(b-c) •3^(-2) => 3^0 / 3^(2) => 1 / 3^(2)
- 33. 餘數除法 • 餘數乘法的反運算 • 1 / 7 = ? (mod 5) • ? * 7 = 1 (mod 5) • ? * 7 * 7’ = 1 * 7’ (mod 5) • ? = 1 * 7’ (mod 5)
- 34. RSA common modulus attack in python • import gmpy2 • def common_modulus_attack(c1, c2, e1, e2, n): • _ , s1, s2 = gmpy2.gcdext(e1, e2) • if s1 < 0: • s1 = -s1 • c1 = gmpy2.invert(c1, n) • elif s2 < 0: • s2 = -s2 • c2 = gmpy2.invert(c2, n) • c1s1 = pow(c1, s1, n) • c2s2 = pow(c2, s2, n) • m = (c1s1 * c2s2) % n • return m
- 35. RSA common modulus attack 練習 • TW edu 2015 - share (crypto 150) • https://goo.gl/yptXjB • Volga CTF Quals 2013 - Crypto 200 • https://goo.gl/1Qa4XQ • PlaidCTF CTF 2015: Strength • https://goo.gl/i0AkFS
- 36. 實作問題
- 37. p、q reuse
- 38. p、q reuse • 常見題目: • 給一堆 public key (可能 100 個) • n1 = p1 * q1 = 3 * 5 = 15 • n2 = p2 * q2 = 3 * 7 = 21 • gcd(n1 , n2) = 3 = p1 = p2 • n1 / p1 = q1 = 5 • n2 / p2 = q2 = 7
- 39. p、q reuse 練習 • 2016 AIS3 pre exam Crypto 03 • https://goo.gl/lPvdVM • 2015 Backdoor CTF RSALOT • https://goo.gl/f9W2hA
Editor's Notes
- # for mma ctf twin prime #!/usr/bin/env python from Crypto.Util.number import * c = 7991219189591014572196623817385737879027208108469800802629706564258508626010674513875496029177290575819650366802730803283761137036255380767766538866086463895539973594615882321974738140931689333873106124459849322556754579010062541988138211176574621668101228531769828358289973150393343109948611583609219420213530834364837438730411379305046156670015024547263019932288989808228091601206948741304222197779808592738075111024678982273856922586615415238555211148847427589678238745186253649783665607928382002868111278077054871294837923189536714235044041993541158402943372188779797996711792610439969105993917373651847337638929 n1 = 19402643768027967294480695361037227649637514561280461352708420192197328993512710852087871986349184383442031544945263966477446685587168025154775060178782897097993949800845903218890975275725416699258462920097986424936088541112790958875211336188249107280753661467619511079649070248659536282267267928669265252935184448638997877593781930103866416949585686541509642494048554242004100863315220430074997145531929128200885758274037875349539018669336263469803277281048657198114844413236754680549874472753528866434686048799833381542018876362229842605213500869709361657000044182573308825550237999139442040422107931857506897810951 e = 65537 n2 = 19402643768027967294480695361037227649637514561280461352708420192197328993512710852087871986349184383442031544945263966477446685587168025154775060178782897097993949800845903218890975275725416699258462920097986424936088541112790958875211336188249107280753661467619511079649070248659536282267267928669265252935757418867172314593546678104100129027339256068940987412816779744339994971665109555680401467324487397541852486805770300895063315083965445098467966738905392320963293379345531703349669197397492241574949069875012089172754014231783160960425531160246267389657034543342990940680603153790486530477470655757947009682859 p_q = (n2 - n1 - 4) / 2 phi_n1 = n1 - p_q + 1 phi_n2 = n1 + p_q + 1 d1 = inverse(e,phi_n1) d2 = inverse(e,phi_n2) print long_to_bytes(pow(pow(c,d2,n2),d1,n1))
- 如果d < 1/3 n1/4,一种基于连分数(一个数论当中的问题)的特殊攻击类型就可以危害RSA的安全。要发生这样的事情,必须要有q < p < 2q。如果这两种情况存在,伊夫就可以在多项式时间中分解n。
- https://zhuanlan.zhihu.com/p/21858074
- http://www.csie.ntnu.edu.tw/~u91029/Residue.html