BCTF warmup 50

　　这是一道关于RSA的解密题；首先，我们要明白，通常是公钥加密、私钥解密，私钥签名、公钥验证。这个题目中给出的是一个公钥和一段密文。

　　刚开始一直以为和验证签名有关，费劲脑汁也想不出来怎么办。下面介绍些思路。

　　首先，利用openssl分析公钥的格式，获得modulus和expoent。

　　方法一：利用openssl asn1parse来分析公钥格式

root@bt:~/Desktop# openssl asn1parse -in publickey.pub
    :d=  hl= l=  cons: SEQUENCE
    :d=  hl= l=   cons: SEQUENCE
    :d=  hl= l=    prim: OBJECT            :rsaEncryption
   :d=  hl= l=    prim: NULL
   :d=  hl= l=  prim: BIT STRING        

　　那么在偏移为19处就是证书的expoent和modulus的信息。

root@bt:~/Desktop# openssl asn1parse -in publickey.pub -i -strparse
    :d=  hl= l=  cons: SEQUENCE
    :d=  hl= l=  prim:  INTEGER           :0367198D6B5614E95813ADD8F22A4717BC72BE1EABD933D1B86944FDB75B8ED230BE62D7D1B69D222095C128C86F82012ECB116191FD9D018A6D02F84DB27BC51A21307DC86F4BF771C691C143E5ABE549B5BD2D6EB1A21FD6270E7E1B48FE0611FBB2E1B0B3524E6F4DE8B4E4A345DA44A13DE825B72608DB6C7C4A40B78266E6C87BBFDEF6B48381D49C4507A58BCD47B76D64B45908B158BD7EBC4DACB0B1CFD6C2C19574F40EB2EFD0E9E10DC7005CAD39BCAF52B9EAC3873368D69031C5E724684A44F068EFD1D3DC096D9B5D6411E58BDEE43E46B99A0D0494B9DB28195AF901AFF130D4A6E203DAD08DA57FA7E40262A5BADB2A323EDA28B44696AB305D
  :d=  hl= l=  prim:  INTEGER           :F3959D978E02EB9F06DEF3F335D8F8AFD7609951DDAC60B714B6C22AF0FA912F210B34206BD24A9601C78DF4A0275F107FD3AB552D95057EB934E71BDDCD7045C24B18587B8C8FCF5ADD4C5D83F0C77C94DC9C50CBE438E2B67BAFD31633B6AAF1781D90C3AD6F03D037B3321801B23546D483E67E26067F7B22347DDBC0C2D592CE814CBF5DFCCC141437F14E0B3990F88061E5F0BAE5F01E3FA70DB0E9605E7CFD575E9C81EFEEC529C33FD9037A20FD8ACD513AC9637768313E63F9838AE3511CDD0A9A2B516F2148C8D475A360A06359449739EECD251ABB42B014573E439F2FA4573557B25699FFC11E631CE8EE975A86E7E272BCF5F76A93450348FE3F

　　则第二行的十六进制就是modulus，第三行的十六进制则是expoent。观察到这里，expoent几乎和modulus一样长。

　　方法二：利用openssl rsa来获得modulus和expoent。

root@bt:~/Desktop# openssl rsa -in publickey.pub -pubin -modulus -text
Modulus ( bit):
    :::8d:6b:::e9:::ad:d8:f2:2a::
    :bc::be:1e:ab:d9::d1:b8:::fd:b7:5b:
    8e:d2::be::d7:d1:b6:9d::::c1::c8:
    6f:::2e:cb::::fd:9d::8a:6d::f8:
    4d:b2:7b:c5:1a:::7d:c8:6f:4b:f7::c6::
    c1::e5:ab:e5::b5:bd:2d:6e:b1:a2:1f:d6::
    0e:7e:1b::fe:::fb:b2:e1:b0:b3::4e:6f:
    4d:e8:b4:e4:a3::da::a1:3d:e8::b7:::
    db:6c:7c:4a::b7:::e6:c8:7b:bf:de:f6:b4:
    ::d4:9c:::a5:8b:cd::b7:6d::b4::
    :b1::bd:7e:bc:4d:ac:b0:b1:cf:d6:c2:c1::
    :f4:0e:b2:ef:d0:e9:e1:0d:c7::5c:ad::bc:
    af::b9:ea:c3::::d6:::c5:e7:::
    4a::f0::ef:d1:d3:dc::6d:9b:5d:::e5:
    8b:de:e4:3e::b9:9a:0d:::b9:db:::5a:
    f9::af:f1::d4:a6:e2::da:d0:8d:a5:7f:a7:
    e4:::a5:ba:db:2a::3e:da::b4:::ab:
    :5d
Exponent:
    :f3::9d::8e::eb:9f::de:f3:f3::d8:
    f8:af:d7::::dd:ac::b7::b6:c2:2a:f0:
    fa::2f::0b:::6b:d2:4a:::c7:8d:f4:
    a0::5f::7f:d3:ab::2d:::7e:b9::e7:
    1b:dd:cd:::c2:4b:::7b:8c:8f:cf:5a:dd:
    4c:5d::f0:c7:7c::dc:9c::cb:e4::e2:b6:
    7b:af:d3:::b6:aa:f1::1d::c3:ad:6f::
    d0::b3::::b2:::d4::e6:7e:::
    7f:7b:::7d:db:c0:c2:d5::ce::4c:bf:5d:
    fc:cc::::f1:4e:0b:::f8:::e5:f0:
    ba:e5:f0:1e:3f:a7:0d:b0:e9::5e:7c:fd::5e:
    9c::ef:ee:c5::c3:3f:d9::7a::fd:8a:cd:
    :3a:c9:::::3e::f9::8a:e3::1c:
    dd:0a:9a:2b::6f:::c8:d4::a3::a0::
    ::::ee:cd::1a:bb::b0:::3e::
    9f:2f:a4::::b2:::ff:c1:1e::1c:e8:
    ee::5a::e7:e2::bc:f5:f7:6a:::::
    fe:3f
Modulus=367198D6B5614E95813ADD8F22A4717BC72BE1EABD933D1B86944FDB75B8ED230BE62D7D1B69D222095C128C86F82012ECB116191FD9D018A6D02F84DB27BC51A21307DC86F4BF771C691C143E5ABE549B5BD2D6EB1A21FD6270E7E1B48FE0611FBB2E1B0B3524E6F4DE8B4E4A345DA44A13DE825B72608DB6C7C4A40B78266E6C87BBFDEF6B48381D49C4507A58BCD47B76D64B45908B158BD7EBC4DACB0B1CFD6C2C19574F40EB2EFD0E9E10DC7005CAD39BCAF52B9EAC3873368D69031C5E724684A44F068EFD1D3DC096D9B5D6411E58BDEE43E46B99A0D0494B9DB28195AF901AFF130D4A6E203DAD08DA57FA7E40262A5BADB2A323EDA28B44696AB305D

　　同样的，我们获得了modulus和expoent。

　  由于expoent很大，可以使用Wiener攻击来得到d，从而对信息解密。

　　求d的python脚本使用了https://github.com/pablocelayes/rsa-wiener-attack上的，稍微修改了下。

import ContinuedFractions, Arithmetic
import sys
sys.setrecursionlimit(1000000)
def hack_RSA(e,n):
    '''
    Finds d knowing (e,n)
    applying the Wiener continued fraction attack
    '''
    frac = ContinuedFractions.rational_to_contfrac(e, n)
    convergents = ContinuedFractions.convergents_from_contfrac(frac)

    for (k,d) in convergents:

        #check if d is actually the key
        if k!=0 and (e*d-1)%k == 0:
            phi = (e*d-1)//k
            s = n - phi + 1
            # check if the equation x^2 - s*x + n = 0
            # has integer roots
            discr = s*s - 4*n
            if(discr>=0):
                t = Arithmetic.is_perfect_square(discr)
                if t!=-1 and (s+t)%2==0:
                    print("Hacked!")
                    return d
if __name__ == "__main__":
     e = 0xF3959D978E02EB9F06DEF3F335D8F8AFD7609951DDAC60B714B6C22AF0FA912F210B34206BD24A9601C78DF4A0275F107FD3AB552D95057EB934E71BDDCD7045C24B18587B8C8FCF5ADD4C5D83F0C77C94DC9C50CBE438E2B67BAFD31633B6AAF1781D90C3AD6F03D037B3321801B23546D483E67E26067F7B22347DDBC0C2D592CE814CBF5DFCCC141437F14E0B3990F88061E5F0BAE5F01E3FA70DB0E9605E7CFD575E9C81EFEEC529C33FD9037A20FD8ACD513AC9637768313E63F9838AE3511CDD0A9A2B516F2148C8D475A360A06359449739EECD251ABB42B014573E439F2FA4573557B25699FFC11E631CE8EE975A86E7E272BCF5F76A93450348FE3F
     n = 0x367198D6B5614E95813ADD8F22A4717BC72BE1EABD933D1B86944FDB75B8ED230BE62D7D1B69D222095C128C86F82012ECB116191FD9D018A6D02F84DB27BC51A21307DC86F4BF771C691C143E5ABE549B5BD2D6EB1A21FD6270E7E1B48FE0611FBB2E1B0B3524E6F4DE8B4E4A345DA44A13DE825B72608DB6C7C4A40B78266E6C87BBFDEF6B48381D49C4507A58BCD47B76D64B45908B158BD7EBC4DACB0B1CFD6C2C19574F40EB2EFD0E9E10DC7005CAD39BCAF52B9EAC3873368D69031C5E724684A44F068EFD1D3DC096D9B5D6411E58BDEE43E46B99A0D0494B9DB28195AF901AFF130D4A6E203DAD08DA57FA7E40262A5BADB2A323EDA28B44696AB305D
     d = hack_RSA(e,n)
     print d
#d为：4221909016509078129201801236879446760697885220928506696150646938237440992746683409881141451831939190609743447676525325543963362353923989076199470515758399

　　解密的脚本，参考自：http://rickgray.me/2015/03/23/bctf2015-writeup.html 写得很简单，但很清晰

import binascii

n = 0x367198D6B5614E95813ADD8F22A4717BC72BE1EABD933D1B86944FDB75B8ED230BE62D7D1B69D222095C128C86F82012ECB116191FD9D018A6D02F84DB27BC51A21307DC86F4BF771C691C143E5ABE549B5BD2D6EB1A21FD6270E7E1B48FE0611FBB2E1B0B3524E6F4DE8B4E4A345DA44A13DE825B72608DB6C7C4A40B78266E6C87BBFDEF6B48381D49C4507A58BCD47B76D64B45908B158BD7EBC4DACB0B1CFD6C2C19574F40EB2EFD0E9E10DC7005CAD39BCAF52B9EAC3873368D69031C5E724684A44F068EFD1D3DC096D9B5D6411E58BDEE43E46B99A0D0494B9DB28195AF901AFF130D4A6E203DAD08DA57FA7E40262A5BADB2A323EDA28B44696AB305D
d = 4221909016509078129201801236879446760697885220928506696150646938237440992746683409881141451831939190609743447676525325543963362353923989076199470515758399L
c = 0x1e04304936215de8e21965cfca9c245b1a8f38339875d36779c0f123c475bc24d5eef50e7d9ff5830e80c62e8083ec55f27456c80b0ab26546b9aeb8af30e82b650690a2ed7ea407dcd094ab9c9d3d25a93b2140dcebae1814610302896e67f3ae37d108cd029fae6362ea7ac1168974c1a747ec9173799e1107e7a56d783660418ebdf6898d7037cea25867093216c2c702ef3eef71f694a6063f5f0f1179c8a2afe9898ae8dec5bb393cdffa3a52a297cd96d1ea602309ecf47cd009829b44ed3100cf6194510c53c25ca7435f60ce5f4f614cdd2c63756093b848a70aade002d6bc8f316c9e5503f32d39a56193d1d92b697b48f5aa43417631846824b5e86

m = hex(pow(c,d,n)).rstrip("L")
print m
print binascii.unhexlify(m[2:])
#0x424354467b3965745265613479217d
#BCTF{9etRea4y!}

参考文献：

http://www.ruanyifeng.com/blog/2013/06/rsa_algorithm_part_one.html

http://stackoverflow.com/questions/3116907/rsa-get-exponent-and-modulus-given-a-public-key

http://www.openssl.org/docs/apps/openssl.html

https://github.com/pablocelayes/rsa-wiener-attack

http://rickgray.me/2015/03/23/bctf2015-writeup.html