RoarCTF2020 EASYRSA题解
探险者安全团队技术文章仅供参考,未经授权请勿利用文章中的技术资料对任何计算机系统进行入侵操作,由于传播、利用本公众号所提供的技术和信息而造成的任何直接或者间接的后果及损失,均由使用者
本人负责,公众号及作者不为此承担任何责任,如有侵权烦请告知,我们会立即删除并致歉,创作不易转载请标明出处.感谢!
我是 Breeze,我很高兴为大家带来RoarCTF的一道RSA题目,该题目我认为出的很好,考验了大家对模运算,数学代算的能力,希望大家阅读完后能有所提升!
题目链接:题目复现链接
#原题
from Crypto.Util.number import *
from gmpy2 import *
from secret import *
assert(flag.startwith('flag{')) and (flag.endwith('}'))
assert(is_prime(beta) and len(bin(beta)[2:]) == 512)
assert(len(bin(x)[2:]) == len(bin(y)[2:]))
#This is tip!!!
assert(tip == 2*x*y*beta + x + y)
p = 2*x*beta + 1
q = 2*y*beta + 1
assert(is_prime(p) and is_prime(q))
n = p*q
e = 65537
m = bytes_to_long(flag)
enc = powmod(m,e,n)
#n=17986052241518124152579698727005505088573670763293762110375836247355612011054569717338676781772224186355540833136105641118789391002684013237464006860953174190278718294774874590936823847040556879723368745745863499521381501281961534965719063185861101706333863256855553691578381034302217163536137697146370869852180388385732050177505306982196493799420954022912860262710497234529008765582379823928557307038782793649826879316617865012433973899266322533955187594070215597700782682186705964842947435512183808651329554499897644733096933800570431036589775974437965028894251544530715336418443795864241340792616415926241778326529055663
#e=65537
#enc=10760807485718247466823893305767047250503197383143218026814141719093776781403513881079114556890534223832352132446445237573389249010880862460738448945011264928270648357652595432015646424427464523486856294998582949173459779764873664665361437483861277508734208729366952221351049574873831620714889674755106545281174797387906705765430764314845841490492038801926675266705606453163826755694482549401843247482172026764635778484644547733877083368527255145572732954216461334217963127783632702980064435718785556011795841651015143521512315148320334442235923393757396733821710592667519724592789856065414299022191871582955584644441117223
#beta=11864389277042761216996641604675717452843530574016671576684180662096506094587545173005905433938758559675517932481818900399893444422743930613073261450555599
Crack
我们将有用信息提取出来
b
e
t
a
i
s
a
p
r
i
m
e
,
a
n
d
i
t
i
s
a
512
−
b
i
t
x
a
n
d
y
h
a
v
e
t
h
e
s
a
m
e
n
u
m
b
e
r
o
f
b
i
t
s
t
i
p
=
2
x
y
∗
b
e
t
a
+
x
+
y
p
=
2
∗
x
∗
b
e
t
a
+
1
q
=
2
∗
y
∗
b
e
t
a
+
1
beta is a prime,and it is a 512-bit\\ x\ and\ y\ have\ the\ same\ number\ of\ bits\\ tip = 2xy*beta+x+y\\ p = 2*x*beta + 1\\ q = 2*y*beta + 1
betaisaprime,anditisa512−bitx and y have the same number of bitstip=2xy∗beta+x+yp=2∗x∗beta+1q=2∗y∗beta+1
所以能推出
n
=
p
∗
q
=
(
4
x
y
b
e
t
a
2
+
2
(
x
+
y
)
b
e
t
a
+
1
)
n =p*q=(4xybeta^2+2(x+y)beta+1)
n=p∗q=(4xybeta2+2(x+y)beta+1)
所以
t
i
p
=
(
n
−
1
)
/
/
2
b
e
t
a
tip = (n-1)//2beta
tip=(n−1)//2beta
我们给tip模上beta得到
x + y = t i p ( m o d b e t a ) x+y=tip(mod\ \ beta) x+y=tip(mod beta)
对于获得 x+y ,beta是 512bit ,n是 2068bit (python中使用n.bitlength()得到), p*q = n,p和q的位数大约是1034位。x位数大概就是
1034
−
1
−
512
=
1033
−
512
=
521
1034-1- 512 = 1033-512 = 521
1034−1−512=1033−512=521
所以 x + y 的位数就差不多是521+1 = 522位,稍微比beta 的位数大了10位。可以暴力枚举
我们得到x+y后再得到xy,因为
t
i
p
=
2
x
y
∗
b
e
t
a
+
x
+
y
tip = 2xy*beta+x+y
tip=2xy∗beta+x+y
所以得到
x
y
=
(
t
i
p
−
x
−
y
)
/
/
2
b
e
t
a
xy=(tip-x-y)//2beta
xy=(tip−x−y)//2beta
得到了x+y和xy,通过解方程,然后就可以得到p和q了!有了p和q就相当于破解了RSA.
hack
from Crypto.Util.number import inverse, long_to_bytes
from gmpy2 import iroot
n=...
e=65537
enc=...
beta=...
tip = (n-1)//(2*beta)
for i in range(10000):
#获取x + y的值
x_add_y = tip % beta + beta*i
#根据x + y 获取 x * y
x_mul_y = (tip - x_add_y)//(2*beta)
try:
if iroot(x_add_y**2 - 4*x_mul_y,2)[1]:
#解方程获取x 和 y
y = (x_add_y - iroot(x_add_y**2 - 4*x_mul_y,2)[0] )//2
x = x_add_y - y
p = 2*y*beta + 1
q = 2*x*beta + 1
phi = (p-1)*(q-1)
d = inverse(e,int(phi))
print(long_to_bytes(pow(enc,d,n)))
except:
pass
好了,今天就到这里了,欢迎大家跟我探讨问题!下次再见!