RsaRoll
题目
两个文件
data:
{920139713,19}
704796792
752211152
274704164
18414022
368270835
483295235
263072905
459788476
483295235
459788476
663551792
475206804
459788476
428313374
475206804
459788476
425392137
704796792
458265677
341524652
483295235
534149509
425392137
428313374
425392137
341524652
458265677
263072905
483295235
828509797
341524652
425392137
475206804
428313374
483295235
475206804
459788476
306220148
题目:
RSA roll!roll!roll!
Only number and a-z
(don't use editor
which MS provide)
解题
有分析可知,
n = 920139713
e = 19
然后密文是上面那连续好几组数据
将n分解得到
p = 18443
q = 49891
然后就可以代码解密了
n = 920139713
e = 19
p = 18443
q = 49891
c = [704796792, 752211152, 274704164, 18414022, 368270835, 483295235, 263072905, 459788476, 483295235, 459788476, 663551792, 475206804, 459788476, 428313374, 475206804, 459788476, 425392137, 704796792, 458265677, 341524652, 483295235, 534149509, 425392137, 428313374, 425392137, 341524652, 458265677, 263072905, 483295235, 828509797, 341524652, 425392137, 475206804, 428313374, 483295235, 475206804, 459788476, 306220148]
import gmpy2
phi = (q-1) * (p-1)
d = gmpy2.invert(e,phi)
for i in c:
m=gmpy2.powmod(i,d,n)
print(m,end='')
发现,结果不正确
将最后一句改为
print(chr(m),end='')
答案
flag{13212je2ue28fy71w8u87y31r78eu1e2}
Dangerous RSA
题目
littlE littlE RSA Big Big Dangerous 注意:得到的 flag 请包上 flag{} 提交
改后缀名后打开文件,
problem:
#n: 0x52d483c27cd806550fbe0e37a61af2e7cf5e0efb723dfc81174c918a27627779b21fa3c851e9e94188eaee3d5cd6f752406a43fbecb53e80836ff1e185d3ccd7782ea846c2e91a7b0808986666e0bdadbfb7bdd65670a589a4d2478e9adcafe97c6ee23614bcb2ecc23580f4d2e3cc1ecfec25c50da4bc754dde6c8bfd8d1fc16956c74d8e9196046a01dc9f3024e11461c294f29d7421140732fedacac97b8fe50999117d27943c953f18c4ff4f8c258d839764078d4b6ef6e8591e0ff5563b31a39e6374d0d41c8c46921c25e5904a817ef8e39e5c9b71225a83269693e0b7e3218fc5e5a1e8412ba16e588b3d6ac536dce39fcdfce81eec79979ea6872793L
#e: 0x3
#c:0x10652cdfaa6b63f6d7bd1109da08181e500e5643f5b240a9024bfa84d5f2cac9310562978347bb232d63e7289283871efab83d84ff5a7b64a94a79d34cfbd4ef121723ba1f663e514f83f6f01492b4e13e1bb4296d96ea5a353d3bf2edd2f449c03c4a3e995237985a596908adc741f32365
so,how to get the message?
低加密指数攻击
在 RSA 中 e 也称为加密指数。由于 e 是可以随意选取的,选取小一点的 e 可以缩短加密时间(比如 e=2,e=3),但是选取不当的话,就会造成安全问题。
攻击方法:
e=2把密文c开平方求解
e只有2,相当于把明文m平方而已,得到的c也比n小很多。尝试把c开根号看能否得到明文。一般的python开根号方法精度较低,对大整数开出来的根号准确度低。
解密方法:
m = gmpy2.isqrt ( c )
m = int(m)
m_text = libnum.n2s(m)
print(m_text)
e=2 Rabin加密中的N可被分解
e= 2,并不都是Rabin加密,但是e=2是Rabin加密典型特征,Rabin加密是RSA的衍生算法,一般先通过其他方法分解得到p,q,然后解密。
def rabin_decrypt(c, p, q, e=2):
n = p * q
mp = pow(c, (p + 1) / 4, p)
mq = pow(c, (q + 1) / 4, q)
yp = gmpy2.invert(p, q)
yq = gmpy2.invert(q, p)
r = (yp * p * mq + yq * q * mp) % n
rr = n - r
s = (yp * p * mq - yq * q * mp) % n
ss = n - s
return (r, rr, s, ss)
e=3 小明文攻击
公钥e很小,明文m也不大的话,于是me=k*n+m 中的的k值很小甚至为0,爆破k或直接开三次方即可。
解题
import gmpy2
from Crypto.Util.number import long_to_bytes
e = 0x3
c = 0x10652cdfaa6b63f6d7bd1109da08181e500e5643f5b240a9024bfa84d5f2cac9310562978347bb232d63e7289283871efab83d84ff5a7b64a94a79d34cfbd4ef121723ba1f663e514f83f6f01492b4e13e1bb4296d96ea5a353d3bf2edd2f449c03c4a3e995237985a596908adc741f32365
m = gmpy2.iroot(c,3)[0]
print(long_to_bytes(m))
其中,gmpy2.iroot(x,n)函数用于求大整数x开n次方
答案
flag{25df8caf006ee5db94d48144c33b2c3b}