题目:
from Crypto.Util.number import bytes_to_long, getPrime
from random import randint
from gmpy2 import powmod
import sys
p = getPrime(1024)
q = getPrime(1024)
N = p*q
Phi = (p-1)*(q-1)
with open("flag", 'r') as fr:
flag = bytes_to_long(fr.read().strip())
def get_enc_key(BitLen, Phi):
e = getPrime(BitLen)
if Phi % e == 0:
return get_enc_key(BitLen, Phi)
else:
return e
def sprint(message):
print(message)
sys.stdout.flush()
def communicate():
sprint("This is a message distribute system. Please tell me your name: ")
user = raw_input()
bakcdoor(user)
e = get_enc_key(randint(13, 13 + (len(user) % 4)), Phi)
ct = powmod(flag, e, N)
sprint("Hi %s, your N is: %d\nAnd your exponent is: %d\nLast but not least, your secret is: %d" % (user, N, e, ct))
sprint("You will know the secret after I give you P,Q.\nSee you next time!")
if __name__ == "__main__":
communicate()
追踪流量包的TCP流:共能查到6份加密文件
分析文件的模数N会发现,有两份使用了相同的N,简单共模攻击。
# 共模攻击
from gmpy2 import*
from libnum import*
N = 25118186052801903419891574512806521370646053661385577314262283167479853375867074736882903917202574957661470179148882538361560784362740207649620536746860883395110443930778132343642295247749797041449601967434690280754279589691669366595486824752597992245067619256368446164574344449914827664991591873150416287647528776014468498025993455819767004213726389160036077170973994848480739499052481386539293425983093644799960322581437734560001018025823047877932105216362961838959964371333287407071080250979421489210165485908404019927393053325809061787560294489911475978342741920115134298253806238766543518220987363050115050813263
e1 = 7669
c1 = 22917655888781915689291442748409371798632133107968171254672911561608350738343707972881819762532175014157796940212073777351362314385074785400758102594348355578275080626269137543136225022579321107199602856290254696227966436244618441350564667872879196269074433751811632437228139470723203848006803856868237706401868436321225656126491701750534688966280578771996021459620472731406728379628286405214996461164892486734170662556518782043881759918394674517409304629842710180023814702447187081112856416034885511215626693534876901484105593275741829434329109239483368867518384522955176807332437540578688867077569728548513876841471
e2 = 6947
c2 = 20494665879116666159961016125949070097530413770391893858215547229071116025581822729798313796823204861624912909030975450742122802775879194445232064367771036011021366123393917354134849911675307877324103834871288513274457941036453477034798647182106422619504345055259543675752998330786906376830335403339610903547255965127196315113331300512641046933227008101401416026809256813221480604662012101542846479052832128788279031727880750642499329041780372405567816904384164559191879422615238580181357183882111249939492668328771614509476229785062819586796660370798030562805224704497570446844131650030075004901216141893420140140568
s = gcdext(e1,e2)
m = pow(c1,s[1],N)*pow(c2,s[2],N)%N
print(n2s(m))