工具
- rsatool https://github.com/ius/rsatool
- factordb(分解大素数) http://www.factordb.com
- python-PyCrypto库
- Openssl
解析加密密钥:
openssl rsa -pubin -text -modulus -in pub.key
生成解密密钥:
python rsatool.py -f PEM -o key.key -p 1 -q 1 -e 1
openssl rsautl -decrypt -inkey key.pem -in flag.enc -out flag
脚本生成解密密钥:
# coding=utf-8
import math
import sys
from Crypto.PublicKey import RSA
keypair = RSA.generate(1024)
keypair.p =
keypair.q =
keypair.e =
keypair.n = keypair.p * keypair.q
Qn = long((keypair.p - 1) * (keypair.q - 1))
i = 1
while (True):
x = (Qn * i) + 1
if (x % keypair.e == 0):
keypair.d = x / keypair.e
break
i += 1
private = open('private.pem', 'w')
private.write(keypair.exportKey())
private.close()
RSA套路
给出e,p,q,c
import gmpy2 as gp import binascii p = gp.mpz() q = gp.mpz() e = gp.mpz() c = gp.mpz() n = p*q phi = (p-1) * (q-1) d = gp.invert(e, phi) m = pow(c, d, n) print(m)
给出e,n,dp,c
import gmpy2 as gp e = n = gp.mpz() dp = gp.mpz() c = gp.mpz() for x in range(1, e): if(e*dp%x==1): p=(e*dp-1)//x+1 if(n%p!=0): continue q=n//p phin=(p-1)*(q-1) d=gp.invert(e, phin) m=gp.powmod(c, d, n) if(len(hex(m)[2:])%2==1): continue print('--------------') print(m) print(hex(m)[2:]) print(bytes.fromhex(hex(m)[2:]))
给出p,q,dp,dq,c
import gmpy2 as gp p = gp.mpz() q = gp.mpz() dp = gp.mpz() dq = gp.mpz() c = gp.mpz() n = p*q phin = (p-1)*(q-1) dd = gp.gcd(p-1, q-1) d=(dp-dq)//dd * gp.invert((q-1)//dd, (p-1)//dd) * (q-1) +dq print(d) m = gp.powmod(c, d, n) print('-------------------') print(m) print(hex(m)[2:])
低解密指数攻击(e长度较大)
import RSAwienerHacker n= e= d = RSAwienerHacker.hack_RSA(e,n) if d: print(d) import hashlib flag = "flag{" + hashlib.md5(hex(d)).hexdigest() + "}" print flag
共模攻击(n,m相同,c,e不同)
from libnum import n2s,s2n from gmpy2 import invert def egcd(a, b): if a == 0: return (b, 0, 1) else: g, y, x = egcd(b % a, a) return (g, x - (b // a) * y, y) def main(): n = c1 = c2 = e1 = e2 = s = egcd(e1, e2) s1 = s[1] s2 = s[2] if s1<0: s1 = - s1 c1 = invert(c1, n) elif s2<0: s2 = - s2 c2 = invert(c2, n) m = pow(c1,s1,n)*pow(c2,s2,n) % n print hex(m) if __name__ == '__main__': main()
e,m相同,存在两个n有公约数
import gmpy2 from gmpy2 import invert, iroot import gmpy2 as gp from libnum import xgcd, invmod n=[,,,,,,,,,,,,,,,,,,,] for i in n: for j in n: if (i<>j): pub_p=gmpy2.gcdext(i,j) if (pub_p[0]<>1)&(i>j): print i print j print pub_p[0]
a=i,p=pub_p[0] q=a/p p = gp.mpz() q = gp.mpz() e = gp.mpz() c = gp.mpz() n = p*q phi = (p-1) * (q-1) d = gp.invert(e, phi) m = pow(c, d, n) print hex(m)
coppersmith定理攻击
只有部分高位的p或q,例如
p=0xBCF6D95C9FFCA2B17FD930C743BCEA314A5F24AE06C12CE62CDB6E8306A545DE468F1A23136321EB82B4B8695ECE58B763ECF8243CBBFADE0603922C130ED143D4D3E88E483529C820F7B53E4346511EB14D4D56CB2B714D3BDC9A2F2AB655993A31E0EB196E8F63028F9B29521E9B3609218BA0000000000000000000000000