STARTER
1.RSA Starter 1
Find the solution to 101^17 mod 22663
print(pow(101,17,22663))
#19906
2.RSA Starter 2
“Encrypt” the number 12 using the exponent e = 65537 and the primes p = 17 and q = 23. What number do you get as the ciphertext?
b = 12
e = 65537
p, q = 17, 23
N = p * q
print(pow(b, e, N))
#301
3.RSA Starter 3
Given N = p*q and two primes:
p = 857504083339712752489993810777
q = 1029224947942998075080348647219
What is the totient of N?
p = 857504083339712752489993810777
q = 1029224947942998075080348647219
phi = ( p - 1) * ( q - 1 )
print(phi)
#882564595536224140639625987657529300394956519977044270821168
4.RSA Starter 4
Given the two primes:
p = 857504083339712752489993810777
q = 1029224947942998075080348647219
and the exponent:
e = 65537
What is the private key d?
import gmpy2
p = 857504083339712752489993810777
q = 1029224947942998075080348647219
e=65537
phi=(p-1)*(q-1)
d=gmpy2.invert(e,phi)
print(d)
# 121832886702415731577073962957377780195510499965398469843281
5.RSA Starter 5
Use the private key that you found for these parameters in the previous challenge to decrypt this ciphertext:
c = 77578995801157823671636298847186723593814843845525223303932
pow(c, d, n)
#13371337
6.RSA Starter 6
Sign the flag crypto{Immut4ble_m3ssag1ng} using your private key and the SHA256 hash function
A nice application of RSA, but still nice and straightforward to implement:
from hashlib import sha256
N=15216583654836731327639981224133918855895948374072384050848479908982286890731769486609085918857664046075375253168955058743185664390273058074450390236774324903305663479046566232967297765731625328029814055635316002591227570271271445226094919864475407884459980489638001092788574811554149774028950310695112688723853763743238753349782508121985338746755237819373178699343135091783992299561827389745132880022259873387524273298850340648779897909381979714026837172003953221052431217940632552930880000919436507245150726543040714721553361063311954285289857582079880295199632757829525723874753306371990452491305564061051059885803
d=11175901210643014262548222473449533091378848269490518850474399681690547281665059317155831692300453197335735728459259392366823302405685389586883670043744683993709123180805154631088513521456979317628012721881537154107239389466063136007337120599915456659758559300673444689263854921332185562706707573660658164991098457874495054854491474065039621922972671588299315846306069845169959451250821044417886630346229021305410340100401530146135418806544340908355106582089082980533651095594192031411679866134256418292249592135441145384466261279428795408721990564658703903787956958168449841491667690491585550160457893350536334242689
flag="crypto{Immut4ble_m3ssag1ng}"
flag=flag.encode("gb2312")
h=sha256(flag)
h=h.hexdigest()
c=pow(int(h,16),d,N)
print(hex(c))
#0x6ac9bb8f110b318a40ad8d7e57defdcce2652f5928b5f9b97c1504d7096d7af1d34e477b30f1a08014e8d525b14458b709a77a5fa67d4711bd19da1446f9fb0ffd9fdedc4101bdc9a4b26dd036f11d02f6b56f4926170c643f302d59c4fe8ea678b3ca91b4bb9b2024f2a839bec1514c0242b57e1f5e77999ee67c450982730252bc2c3c35acb4ac06a6ce8b9dbf84e29df0baa7369e0fd26f6dfcfb22a464e05c5b72baba8f78dc742e96542169710918ee2947749477869cb3567180ccbdfe6fdbe85bcaca4bf6da77c8f382bb4c8cd56dee43d1290ca856318c97f1756b789e3cac0c9738f5e9f797314d39a2ededb92583d97124ec6b313c4ea3464037d3
PRIMES PART 1
1.Factoring
Factorise the 150-bit number 510143758735509025530880200653196460532653147 into its two constituent primes. Give the smaller one as your answer.
Use factor DB,and get 19704762736204164635843 , 25889363174021185185929
So the answer is 19704762736204164635843
2.Inferius Prime
Here is my super-strong RSA implementation, because it’s 1600 bits strong it should be unbreakable… at least I think so!
import gmpy2
from Crypto.Util.number import inverse,long_to_bytes
n = 742449129124467073921545687640895127535705902454369756401331
p = 752708788837165590355094155871
q = 986369682585281993933185289261
e = 3
ct = 39207274348578481322317340648475596807303160111338236677373
phi=(p-1)*(q-1)
d=inverse(e,phi)
m=pow(ct,d,n)
print(long_to_bytes(m))
# crypto{N33d_b1g_pR1m35}
3.Monoprime
Why is everyone so obsessed with multiplying two primes for RSA. Why not just use one?
from Crypto.Util.number import inverse,long_to_bytes
n = 171731371218065444125482536302245915415603318380280392385291836472299752747934607246477508507827284075763910264995326010251268493630501989810855418416643352631102434317900028697993224868629935657273062472544675693365930943308086634291936846505861203914449338007760990051788980485462592823446469606824421932591
e = 65537
ct = 161367550346730604451454756189028938964941280347662098798775466019463375610700074840105776873791605070092554650190486030367121011578171525759600774739890458414593857709994072516290998135846956596662071379067305011746842247628316996977338024343628757374524136260758515864509435302781735938531030576289086798942
phi=n-1
d=inverse(e,phi)
print(long_to_bytes(pow(ct, d, n)))
#crypto{0n3_pr1m3_41n7_pr1m3_l0l}
4.Square Eyes
It was taking forever to get a 2048 bit prime, so I just generated one and used it twice.
If you’re stuck, look again at the formula for Euler’s totient.
5.Manyprime
Using one prime factor was definitely a bad idea so I’ll try using over 30 instead.
If it’s taking forever to factorise, read up on factorisation algorithms and make sure you’re using one that’s optimised for this scenario.
from Crypto.Util.number import inverse,long_to_bytes
import gmpy2
n = 580642391898843192929563856870897799650883152718761762932292482252152591279871421569162037190419036435041797739880389529593674485555792234900969402019055601781662044515999210032698275981631376651117318677368742867687180140048715627160641771118040372573575479330830092989800730105573700557717146251860588802509310534792310748898504394966263819959963273509119791037525504422606634640173277598774814099540555569257179715908642917355365791447508751401889724095964924513196281345665480688029639999472649549163147599540142367575413885729653166517595719991872223011969856259344396899748662101941230745601719730556631637
e = 65537
ct = 320721490534624434149993723527322977960556510750628354856260732098109692581338409999983376131354918370047625150454728718467998870322344980985635149656977787964380651868131740312053755501594999166365821315043312308622388016666802478485476059625888033017198083472976011719998333985531756978678758897472845358167730221506573817798467100023754709109274265835201757369829744113233607359526441007577850111228850004361838028842815813724076511058179239339760639518034583306154826603816927757236549096339501503316601078891287408682099750164720032975016814187899399273719181407940397071512493967454225665490162619270814464
factors=[13099895578757581201,16656402470578844539,12132158321859677597,14963354250199553339,12834461276877415051,14278240802299816541, 14178869592193599187, 11492065299277279799, 10336650220878499841, 12955403765595949597, 10638241655447339831, 11403460639036243901, 12973972336777979701, 14100640260554622013, 11665347949879312361, 11328768673634243077,9303850685953812323, 11530534813954192171, 15998365463074268941, 13572286589428162097, 11282698189561966721, 9389357739583927789, 15824122791679574573, 17281246625998849649, 15669758663523555763, 14523070016044624039, 17138336856793050757, 11473665579512371723,9282105380008121879, 16898740504023346457, 15364597561881860737, 17174065872156629921]
phi=1
for x in factors:
phi *= (x-1)
d = gmpy2.invert(e, phi)
print(long_to_bytes(pow(ct, d, n)))
#crypto{700_m4ny_5m4ll_f4c70r5}
PUBLIC EXPONENT
1.Salty
Smallest exponent should be fastest, right?
from Crypto.Util.number import inverse, long_to_bytes
n = 110581795715958566206600392161360212579669637391437097703685154237017351570464767725324182051199901920318211290404777259728923614917211291562555864753005179326101890427669819834642007924406862482343614488768256951616086287044725034412802176312273081322195866046098595306261781788276570920467840172004530873767
e = 1
ct = 44981230718212183604274785925793145442655465025264554046028251311164494127485
print(long_to_bytes(ct))
#crypto{saltstack_fell_for_this!}
2.Modulus Inutilis
My primes should be more than large enough now!
from Crypto.Util.number import long_to_bytes
from gmpy2 import iroot
n = 17258212916191948536348548470938004244269544560039009244721959293554822498047075403658429865201816363311805874117705688359853941515579440852166618074161313773416434156467811969628473425365608002907061241714688204565170146117869742910273064909154666642642308154422770994836108669814632309362483307560217924183202838588431342622551598499747369771295105890359290073146330677383341121242366368309126850094371525078749496850520075015636716490087482193603562501577348571256210991732071282478547626856068209192987351212490642903450263288650415552403935705444809043563866466823492258216747445926536608548665086042098252335883
e = 3
ct = 243251053617903760309941844835411292373350655973075480264001352919865180151222189820473358411037759381328642957324889519192337152355302808400638052620580409813222660643570085177957
print(long_to_bytes(iroot(ct,3)[0]))
#crypto{N33d_m04R_p4dd1ng}