Rsa in CTF
SoL ymx
2017/04/06 NTUST Information Security Club - Cryptography, second club session
1. RSA in CTF
Thirty Years of Attacks on the RSA Cryptosystem / Twenty Years of Attacks on the RSA Cryptosystem
NTUST Information Security Research Club, 楊明軒

2. Outline
• Miscellaneous
  • when p == q
  • twin prime
• Encryption exponent attacks
  • Hastad's Broadcast Attack
• Decryption exponent attacks
  • Wiener's attack
• Modulus attacks
  • RSA common modulus attack
• Implementation issues
  • p, q reuse
3. Miscellaneous

4. when p == q

5. when p == q
• I happened to see a CTF challenge with this, so it is pulled in here to pad out the page count...
• Euler's totient function
• https://en.wikipedia.org/wiki/Euler's_totient_function
• If p == q then n = p^2 and φ(n) = p*(p-1), not (p-1)^2

6. when p == q: exercise
• Qiwi Infosec CTF 2016 : 2-400
• https://goo.gl/GYTI5U
7. twin prime

8. twin prime
• if p is prime and p + 2 is prime
• https://en.wikipedia.org/wiki/Twin_prime
• n1 = p*q
• n2 = (p+2)*(q+2)
• phi(n1) = (p-1)*(q-1) = pq - (p+q) + 1 = n1 - (p+q) + 1
• phi(n2) = (p+1)*(q+1) = pq + (p+q) + 1 = n1 + (p+q) + 1
• n2 = (p+2)*(q+2) = p*q + 2(p+q) + 4
• 2(p+q) = n2 - p*q - 4
• p+q = (n2 - n1 - 4)/2

9. twin prime: exercise
• 2016 - MMA CTF - Twin Primes
• https://goo.gl/IGuwlk
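The derivation from slide 8 carried through to the end, as an added example that is not from the slides: it recovers p+q from n1 and n2, solves the quadratic x^2 - (p+q)x + n1 = 0 to get p and q, and also computes both private exponents directly from the phi formulas without factoring. The primes 101/103 and 107/109 and the message value are constructed for illustration.

```python
# Added example (not from the slides): two RSA moduli built from twin primes,
# n1 = p*q and n2 = (p+2)*(q+2). Constructed values: primes 101 and 107
# (101/103 and 107/109 are twin-prime pairs), so n1 = 10807 and n2 = 11227.
from math import isqrt


def twin_prime_factor(n1, n2):
    """Return (p, q) with n1 = p*q, given n2 = (p+2)*(q+2).

    From the slide: n2 - n1 = 2(p+q) + 4, so p+q = (n2 - n1 - 4)/2.
    p and q are then the roots of x^2 - (p+q)x + pq = 0.
    Returns None if the two moduli are not related this way."""
    if (n2 - n1 - 4) % 2:
        return None
    s = (n2 - n1 - 4) // 2          # p + q
    disc = s * s - 4 * n1           # (p+q)^2 - 4pq = (p-q)^2
    if disc < 0:
        return None
    r = isqrt(disc)
    if r * r != disc or (s + r) % 2:
        return None
    p, q = (s + r) // 2, (s - r) // 2
    if p * q != n1:
        return None
    return p, q


def twin_prime_phis(n1, n2):
    """phi(n1) and phi(n2) straight from p+q, without factoring (as on the slide)."""
    s = (n2 - n1 - 4) // 2
    return n1 - s + 1, n1 + s + 1


def private_exponents(e, n1, n2):
    """Both private exponents, computed only from the public values."""
    phi1, phi2 = twin_prime_phis(n1, n2)
    return pow(e, -1, phi1), pow(e, -1, phi2)


if __name__ == "__main__":
    N1, N2, E = 101 * 107, 103 * 109, 65537
    print(twin_prime_factor(N1, N2))          # (107, 101)
    d1, d2 = private_exponents(E, N1, N2)
    m = 1234                                  # constructed message
    assert pow(pow(m, E, N1), d1, N1) == m
```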
10. Encryption exponent attacks

11. Hastad's Broadcast Attack

12. Chinese Remainder Theorem / CRT
• Every time, we have to call on Han Xin to count his soldiers (the classic 韓信點兵 problem)
• "There are things whose number is unknown: counted by threes, two remain; by fives, three remain; by sevens, two remain. How many things are there?"
• Solves a system of congruences whose moduli are distinct and pairwise coprime
• X ≡ c1 (mod n1)
• X ≡ c2 (mod n2)
• X ≡ c3 (mod n3) ...

13. CRT -- solving the system
• 1. Find the common modulus: N = n1 * n2 * n3 ...
• 2. Compute N1 = N/n1, N2 = N/n2, N3 = N/n3, ...
• 3. Compute the multiplicative inverse of N1 mod n1, of N2 mod n2, ... to get N1', N2', N3' ...
• Solution: X = (c1 * N1 * N1' + c2 * N2 * N2' + c3 * N3 * N3') mod N

14. CRT -- Han Xin's soldiers, worked
• X ≡ 2 (mod 3)
• X ≡ 3 (mod 5)
• X ≡ 2 (mod 7)
• N = 3 * 5 * 7 = 105
• N1 = 105/3 = 35, N2 = 105/5 = 21, N3 = 105/7 = 15
• N1' = 2 (the multiplicative inverse of 35 mod 3), N2' = 1, N3' = 1
• X = (2 * 35 * 2 + 3 * 21 * 1 + 2 * 15 * 1) mod 105 = 23
• X = 23 + 105k, k = 0, 1, 2, 3, ...

15. Hastad's Broadcast Attack
• Common scenario:
• Xiaoming sends the same message to several recipients. With e = 3 known, intercepting the ciphertext of that plaintext three times (under different n) is enough to recover it
• Conditions
• The message M and the exponent e must be the same for every ciphertext
• There must be at least e ciphertexts (ex: e = 3 needs at least c1, c2, c3), all under different n

16. Hastad's Broadcast Attack
• Assume e = 3
• (n1, e), c1 = m^3 mod n1 => m^3 ≡ c1 (mod n1)
• (n2, e), c2 = m^3 mod n2 => m^3 ≡ c2 (mod n2)
• (n3, e), c3 = m^3 mod n3 => m^3 ≡ c3 (mod n3)
• Chinese Remainder Theorem / CRT
• C' = m^3 mod (n1 * n2 * n3) => C' = m^3 (m is smaller than each n, so m^3 < n1 * n2 * n3 and the reduction does nothing; a plain integer cube root then gives m)

17. Hastad's Broadcast Attack in python
• Assume e = 3
import libnum
# c1..c3 and n1..n3 are the intercepted ciphertexts and their moduli
cs = (c1, c2, c3)
ns = (n1, n2, n3)
key = libnum.solve_crt(cs, ns)    # m^3 as a plain integer
flag = libnum.nroot(key, 3)       # e = 3, so take the integer cube root

18. Hastad's Broadcast Attack in python
• Using cryptanalib
• https://github.com/nccgroup/featherduster
import cryptanalib as ca
answer_as_number = ca.hastad_broadcast_attack([(c1, n1), (c2, n2), (c3, n3)], e)
print(ca.long_to_string(answer_as_number))

19. Hastad's Broadcast Attack in CTF (exercises)
• 2015 tw edu ctf mayday crypto 150
• https://goo.gl/wuyFBP
• 2016 H4ckIT CTF - Interceptor - Portugal
• https://goo.gl/6L2izu
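The CRT steps from slide 13 and the e = 3 broadcast attack from slides 15-17 in plain Python 3, as an added example that is not from the slides and does not need libnum or cryptanalib. The three moduli and the message 42 are constructed for illustration; the CRT helper also reproduces the Han Xin example from slide 14.

```python
# Added example (not from the slides): CRT exactly as on slide 13, then
# Hastad's broadcast attack for e = 3. Moduli and message are constructed.
from functools import reduce
from math import gcd


def crt(remainders, moduli):
    """Solve X = c_i (mod n_i) for pairwise coprime n_i (slide 13):
    N = prod(n_i), N_i = N / n_i, N_i' = N_i^-1 mod n_i,
    X = sum(c_i * N_i * N_i') mod N."""
    for i, a in enumerate(moduli):
        for b in moduli[i + 1:]:
            if gcd(a, b) != 1:
                raise ValueError("moduli must be pairwise coprime")
    N = reduce(lambda x, y: x * y, moduli, 1)
    X = 0
    for c, n in zip(remainders, moduli):
        Ni = N // n
        Ni_inv = pow(Ni, -1, n)       # multiplicative inverse of N_i mod n_i
        X += c * Ni * Ni_inv
    return X % N


def iroot(x, k):
    """Exact integer k-th root of x, or None if x is not a perfect k-th power."""
    lo, hi = 0, 1 << ((x.bit_length() + k - 1) // k + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** k < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** k == x else None


def hastad_broadcast(ciphertexts, moduli, e=3):
    """Recover m from e ciphertexts of the same m under e different moduli.
    Works because m^e < n_1 * ... * n_e, so the CRT value is m^e itself.
    Returns None if the combined value is not a perfect e-th power, which is
    what happens when each recipient got a differently padded message."""
    if len(ciphertexts) < e:
        raise ValueError("need at least e ciphertexts")
    m_to_e = crt(ciphertexts[:e], moduli[:e])
    return iroot(m_to_e, e)


if __name__ == "__main__":
    print(crt([2, 3, 2], [3, 5, 7]))          # 23, the Han Xin example
    ns = [101 * 103, 107 * 109, 113 * 127]    # constructed small moduli
    m = 42
    cs = [pow(m, 3, n) for n in ns]
    print(hastad_broadcast(cs, ns, 3))        # 42
```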
20. Decryption exponent attacks

21. Wiener's attack / Boneh-Durfee's low private exponent attack

22. Wiener's theorem
• copied from wiki

23. Wiener's attack
• Low decryption exponent attack / Low Private-Exponent Attack / continued fraction attack
• Based on continued fractions
• Compute the continued fraction of e/N
• Use it to approximate d
• No need to factor n
• d is small (d < (N**0.25)/3)
• e is large
• wiki
• https://en.wikipedia.org/wiki/Wiener%27s_attack

24. continued fraction
• Repeatedly apply the Euclidean algorithm (輾轉相除法) to the numerator and denominator
• Reference
• https://goo.gl/gynL7d
• Use the convergents to approximate d

25. Wiener's attack
• n = p*q
• φ(n) = (p-1)*(q-1) = pq - (p+q) + 1 = n - (p+q) + 1
• φ(n) ≈ n
• e*d - 1 = φ(n)*k => e/φ(n) - 1/(d*φ(n)) = k/d => e/n - k/d ≈ 1/(d*φ(n))
• Wiener's method finds k/d among the convergents of e/n, which gives φ(n) = (e*d - 1)/k
• With φ(n) we get (p+q) = n - φ(n) + 1
• With (p+q) and pq, solve x^2 - (p+q)*x + pq = 0 to get p and q

26. Wiener's attack in python
git clone https://github.com/pablocelayes/rsa-wiener-attack.git
import RSAwienerHacker
d = RSAwienerHacker.hack_RSA(e, n)

27. Wiener's attack: exercise
• bctf 2015 warmup
• https://goo.gl/x1VmR5
28. Modulus attacks

29. RSA common modulus attack

30. RSA common modulus attack
• A broadcast with the same m, the same n and different e
• The exponents must be coprime
• CB = m^eB mod n
• CC = m^eC mod n
• gcd(eB, eC) = 1
• s1*eB + s2*eC = 1
• CB^s1 * CC^s2 = (m^eB mod n)^s1 * (m^eC mod n)^s2 => m^(s1*eB) * m^(s2*eC) mod n => m^(s1*eB + s2*eC) mod n => m mod n

31. Negative exponents? / Division under a modulus?

32. Negative exponents
• Division
• A^b / A^c = A^(b-c)
• 3^(-2) => 3^0 / 3^2 => 1 / 3^2

33. Division under a modulus
• The inverse operation of modular multiplication
• 1 / 7 = ? (mod 5)
• ? * 7 = 1 (mod 5)
• ? * 7 * 7' = 1 * 7' (mod 5)   (7' is the multiplicative inverse of 7 mod 5)
• ? = 1 * 7' (mod 5)

34. RSA common modulus attack in python
import gmpy2

def common_modulus_attack(c1, c2, e1, e2, n):
    # extended Euclid: g = s1*e1 + s2*e2, and g = 1 because e1, e2 are coprime
    _, s1, s2 = gmpy2.gcdext(e1, e2)
    # one of s1, s2 is negative: c^(-s) mod n is (c^-1)^s mod n (slides 32-33)
    if s1 < 0:
        s1 = -s1
        c1 = gmpy2.invert(c1, n)
    elif s2 < 0:
        s2 = -s2
        c2 = gmpy2.invert(c2, n)
    c1s1 = pow(c1, s1, n)
    c2s2 = pow(c2, s2, n)
    m = (c1s1 * c2s2) % n          # m^(s1*e1 + s2*e2) = m^1
    return m

35. RSA common modulus attack: exercises
• TW edu 2015 - share (crypto 150)
• https://goo.gl/yptXjB
• Volga CTF Quals 2013 - Crypto 200
• https://goo.gl/1Qa4XQ
• PlaidCTF 2015: Strength
• https://goo.gl/i0AkFS
36. Implementation issues

37. p, q reuse

38. p, q reuse
• Common challenge:
• You are given a pile of public keys (maybe 100 of them)
• n1 = p1 * q1 = 3 * 5 = 15
• n2 = p2 * q2 = 3 * 7 = 21
• gcd(n1, n2) = 3 = p1 = p2
• n1 / p1 = q1 = 5
• n2 / p2 = q2 = 7

39. p, q reuse: exercises
• 2016 AIS3 pre exam Crypto 03
• https://goo.gl/lPvdVM
• 2015 Backdoor CTF RSALOT
• https://goo.gl/f9W2hA
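The pile-of-public-keys check from slide 38 done over a whole list, as an added example that is not from the slides: every pair of distinct moduli is tested with gcd, and any shared prime factors both keys at once. The three moduli (two of which share the prime 101) and the message are constructed for illustration.

```python
# Added example (not from the slides): scanning a batch of RSA moduli for
# shared primes, the "p, q reuse" case. Constructed keys: 0 and 2 share 101.
from itertools import combinations
from math import gcd


def shared_prime_factors(moduli):
    """Return {index: (p, q)} for every modulus that shares a prime with
    another one in the list. A gcd > 1 between two distinct RSA moduli is a
    common prime factor, which factors both keys at once (slide 38)."""
    found = {}
    for (i, a), (j, b) in combinations(enumerate(moduli), 2):
        if a == b:
            continue                      # the same key twice tells us nothing
        g = gcd(a, b)
        if g == 1:
            continue
        found[i] = (g, a // g)
        found[j] = (g, b // g)
    return found


def private_exponent(e, p, q):
    """d = e^-1 mod (p-1)(q-1), once a modulus is factored."""
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    keys = [101 * 103, 107 * 109, 101 * 113]   # constructed; keys 0 and 2 share 101
    print(shared_prime_factors(keys))          # {0: (101, 103), 2: (101, 113)}
    p, q = shared_prime_factors(keys)[0]
    d = private_exponent(65537, p, q)
    m = 4242                                   # constructed message
    assert pow(pow(m, 65537, keys[0]), d, keys[0]) == m
```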
Editor's Notes
#!/usr/bin/env python
# for mma ctf twin prime
from Crypto.Util.number import inverse, long_to_bytes

c = 7991219189591014572196623817385737879027208108469800802629706564258508626010674513875496029177290575819650366802730803283761137036255380767766538866086463895539973594615882321974738140931689333873106124459849322556754579010062541988138211176574621668101228531769828358289973150393343109948611583609219420213530834364837438730411379305046156670015024547263019932288989808228091601206948741304222197779808592738075111024678982273856922586615415238555211148847427589678238745186253649783665607928382002868111278077054871294837923189536714235044041993541158402943372188779797996711792610439969105993917373651847337638929
n1 = 19402643768027967294480695361037227649637514561280461352708420192197328993512710852087871986349184383442031544945263966477446685587168025154775060178782897097993949800845903218890975275725416699258462920097986424936088541112790958875211336188249107280753661467619511079649070248659536282267267928669265252935184448638997877593781930103866416949585686541509642494048554242004100863315220430074997145531929128200885758274037875349539018669336263469803277281048657198114844413236754680549874472753528866434686048799833381542018876362229842605213500869709361657000044182573308825550237999139442040422107931857506897810951
e = 65537
n2 = 19402643768027967294480695361037227649637514561280461352708420192197328993512710852087871986349184383442031544945263966477446685587168025154775060178782897097993949800845903218890975275725416699258462920097986424936088541112790958875211336188249107280753661467619511079649070248659536282267267928669265252935757418867172314593546678104100129027339256068940987412816779744339994971665109555680401467324487397541852486805770300895063315083965445098467966738905392320963293379345531703349669197397492241574949069875012089172754014231783160960425531160246267389657034543342990940680603153790486530477470655757947009682859

# n2 = (p+2)*(q+2), so p+q = (n2 - n1 - 4)/2; integer division keeps it exact in Python 3
p_q = (n2 - n1 - 4) // 2
phi_n1 = n1 - p_q + 1          # (p-1)*(q-1)
phi_n2 = n1 + p_q + 1          # (p+1)*(q+1)
d1 = inverse(e, phi_n1)
d2 = inverse(e, phi_n2)
# undo the n2 layer first, then the n1 layer
print(long_to_bytes(pow(pow(c, d2, n2), d1, n1)))
If d < (1/3) n^(1/4), a special type of attack based on continued fractions (a problem from number theory) can compromise the security of RSA. For this to happen, q < p < 2q must also hold. If both conditions are met, Eve can factor n in polynomial time.
https://zhuanlan.zhihu.com/p/21858074
http://www.csie.ntnu.edu.tw/~u91029/Residue.html