巅峰极客——flag{4b0b4c8a-82f3-4d80-902b-8e7a5706f8fe}

描述

有两个公钥，两个密文

分析

1. 用RsaCtfTool.py分析公钥信息，发现n相同，e不同

root@ben-PC:/mnt/d/security/misc-tool/RSA/rsatools# python RsaCtfTool.py --pkey pubkey1.pem --v "n" is:17362520124149736059291605717839814089431261833972408175766504894876091272021197374480215582589878198406028065354454242540322618614670160317701698407729515781811530180885334265851364490357884909336085410775168953942120359215038925025305363480538685487988827339463890539279008285241711326041868183805848503077373967082910932422798165242481154593794712639251157856102009630894845049984346776659339380886766804814959778048440996937820138560802077375885700500737699904011032451007341777160586467318264288370080315519305800247682611802774996999330812534723806925426052547128371180683265963525581842037399869323246530085399 ************************************************************ "e" is:2333 ************************************************************ Try weak key attack Try Wiener's attack root@ben-PC:/mnt/d/security/misc-tool/RSA/rsatools# python RsaCtfTool.py --pkey pubkey2.pem --v "n" is:17362520124149736059291605717839814089431261833972408175766504894876091272021197374480215582589878198406028065354454242540322618614670160317701698407729515781811530180885334265851364490357884909336085410775168953942120359215038925025305363480538685487988827339463890539279008285241711326041868183805848503077373967082910932422798165242481154593794712639251157856102009630894845049984346776659339380886766804814959778048440996937820138560802077375885700500737699904011032451007341777160586467318264288370080315519305800247682611802774996999330812534723806925426052547128371180683265963525581842037399869323246530085399 ************************************************************ "e" is:23333 ************************************************************ Try weak key attack Try Wiener's attack 密文内容如下： [root RsaCtfTool]$ cat flag1.enc XSKBJ2biS6brC5iGwU0GZitHdVM3HXAiwtFnVf2+HTaUqFahxL+BxBi2QDcx7gLxcjEWCMwFP6DS92nMAU4r0gPWSEUIoY57sgNZsjDIDAukiYeLNDUgYz+1P+nF4fk7gwPdozrIvAXGDBvMBjuviqsC8vmVP3I6eLLkt9C46HFt0SBw5ycfAjVoDF2r7/4B1UDs4G0dpIDUCk4khezzgqspn6tqtwOGB27vrKegoL/FlwmutFYIuRKKCBKx3yc/qfWXZ84Oo8nPqgaxgDlxWeLtGM9ZouwFKnagmjbnH+58Pescw4XYafXKqFjQz3XrK/uUESE8jIEIPeL1+8yUpw== [root RsaCtfTool]$ cat flag2.enc EruzwVAXSVLC3rldjcsx6HO0UUICdR9xxgr9eWNhIW0T8l2O3yT/LlFLK2+YU0HB97xr5HaiZesk4T6IuJ9+iOzB8YSkWMfYvOSDKn7Jng/1Q3wQuoldm+UurmZkiEs9kFi+EhsCNAbVAnLzLXLwzYm3emamueDqru4Doo/lSMz8p0+jqz24HscJN9shU85WX4JngW92REHHV8rPHaisCdxeAs+uPyTNzO4IbwDaJvw3ZR/Lo4m1K2Qw8PbYnOcgVr9CWR7mVyxofoWk6qWpQf3d0fX6wbbPcQkXxnnqLWy5S3PZcNQa1wkfRTJJO03QmNVsOivXGb3GzmeZbxmVhQ== [root RsaCtfTool]$

2. 对于同一明文使用同样的N不同的E分别进行加密，满足共模攻击条件
   解密代码如下：

#!/usr/bin/env python # -*- coding: utf-8 -*- import sys,gmpy,base64 def egcd(a, b): if a == 0: return (b, 0, 1) else: g, y, x = egcd(b % a, a) return (g, x - (b // a) * y, y) def modinv(a, m): g, x, y = egcd(a, m) if g != 1: raise Exception('modular inverse does not exist') else: return x % m def pad_even(x):#重要！凑齐2位，将0x1 变成 0x01 return ('', '0')[len(x)%2] + x def CipherB2n(c):#将base64编码后的密文转成数字 c2 = base64.b64decode(c) temp = '' for i in c2: temp += pad_even(str(hex(ord(i)))[2:]) temp = eval('0x'+temp) return (temp) def CipherN2b(m):#将数字转换成ascii hex_m=hex(m)[2:] if hex_m[-1] == 'L' : hex_m=hex_m[:-1] return hex_m.decode('hex') if __name__ == '__main__': sys.setrecursionlimit(1000000) e1 = 2333 #根据分解结果 e2 = 23333 #根据分解结果 s = egcd(e1, e2) s1 = s[1] s2 = s[2] c1 = 'XSKBJ2biS6brC5iGwU0GZitHdVM3HXAiwtFnVf2+HTaUqFahxL+BxBi2QDcx7gLxcjEWCMwFP6DS92nMAU4r0gPWSEUIoY57sgNZsjDIDAukiYeLNDUgYz+1P+nF4fk7gwPdozrIvAXGDBvMBjuviqsC8vmVP3I6eLLkt9C46HFt0SBw5ycfAjVoDF2r7/4B1UDs4G0dpIDUCk4khezzgqspn6tqtwOGB27vrKegoL/FlwmutFYIuRKKCBKx3yc/qfWXZ84Oo8nPqgaxgDlxWeLtGM9ZouwFKnagmjbnH+58Pescw4XYafXKqFjQz3XrK/uUESE8jIEIPeL1+8yUpw==' c2 ='EruzwVAXSVLC3rldjcsx6HO0UUICdR9xxgr9eWNhIW0T8l2O3yT/LlFLK2+YU0HB97xr5HaiZesk4T6IuJ9+iOzB8YSkWMfYvOSDKn7Jng/1Q3wQuoldm+UurmZkiEs9kFi+EhsCNAbVAnLzLXLwzYm3emamueDqru4Doo/lSMz8p0+jqz24HscJN9shU85WX4JngW92REHHV8rPHaisCdxeAs+uPyTNzO4IbwDaJvw3ZR/Lo4m1K2Qw8PbYnOcgVr9CWR7mVyxofoWk6qWpQf3d0fX6wbbPcQkXxnnqLWy5S3PZcNQa1wkfRTJJO03QmNVsOivXGb3GzmeZbxmVhQ==' c1 = CipherB2n(c1) c2 = CipherB2n(c2) #print hex(c1) n = 17362520124149736059291605717839814089431261833972408175766504894876091272021197374480215582589878198406028065354454242540322618614670160317701698407729515781811530180885334265851364490357884909336085410775168953942120359215038925025305363480538685487988827339463890539279008285241711326041868183805848503077373967082910932422798165242481154593794712639251157856102009630894845049984346776659339380886766804814959778048440996937820138560802077375885700500737699904011032451007341777160586467318264288370080315519305800247682611802774996999330812534723806925426052547128371180683265963525581842037399869323246530085399 #共n if s1<0: s1 = - s1 c1 = modinv(c1, n) elif s2<0: s2 = - s2 c2 = modinv(c2, n) m=(pow(c1,s1,n)*pow(c2,s2,n)) % n print m print CipherN2b(m) 运行结果

flag{4b0b4c8a-82f3-4d80-902b-8e7a5706f8fe}

总结

串了一下rsa的明文和密文处理方式。计算过程中明文和密文都作为一个大数字，于是有：

1. 明文是字符串。
   1.1. 将字符串转hex编码（py3里只能逐字，py2里可以直接转），拼上0x头和L尾，成为大数字。
   hex_m.decode('hex')
   1.2. 将字符串分成每行一个字，ord(i)。（解密时chr(i)再拼接）
2. 算出密文是大数字。
   2.1. 转成16进制，去掉0x和L后变成一串16进制。此时可能出现：
   2.1.1 将十六进制直接转存为文件。（解密时提取十六进制值）
   2.1.2 将十六进制进行base64编码，变为可见字符。（解密时进行base64解码,由于二位一组，需注意对0x1这种补成0x01）
   def pad_even(x): return ('', '0')[len(x)%2] + x
for i in c2:temp += pad_even(str(hex(ord(i)))[2:])
   2.2. 直接是10进制数字，无需处理
   m = chr(pow(int(i),d,n))