search
TwitterGithub

Cryptography

Challenge
Link

RSA Outro (n solves)

Here

Just One More (n solves)

Here

ForgeMe 1 (n solves)

Here

ForgeMe 2 (n solves)

Here

Signed Jeopardy (n solves)

Here

hashtag
RSA Outro (n solves)

hashtag
Description

-

hashtag
Solution

We have p = 2*q + 1, so

pβˆ—q=2βˆ—q2+qpβˆ—q2=q2+q2p*q = 2*q^2 + q\\ \frac{p*q}{2} = q^2 + \frac{q}{2}

With those equation , we can get number close with q by doing integer square root on (p*q)/2 . Here is implemented script i used

from Crypto.Util.number import *
import gmpy2

e = 65537
d = 53644719720574049009405552166157712944703190065471668628844223840961631946450717730498953967365343322420070536512779060129496885996597242719829361747640511749156693869638229201455287585480904214599266368010822834345022164868996387818675879350434513617616365498180046935518686332875915988354222223353414730233
phi = 245339427517603729932268783832064063730426585298033269150632512063161372845397117090279828761983426749577401448111514393838579024253942323526130975635388431158721719897730678798030368631518633601688214930936866440646874921076023466048329456035549666361320568433651481926942648024960844810102628182268858421164
ct = 37908069537874314556326131798861989913414869945406191262746923693553489353829208006823679167741985280446948193850665708841487091787325154392435232998215464094465135529738800788684510714606323301203342805866556727186659736657602065547151371338616322720609504154245460113520462221800784939992576122714196812534

q = gmpy2.iroot(phi//2, 2)[0]
q = gmpy2.next_prime(q)

p = 2*q + 1

assert((p-1)*(q-1) == phi)

n = p*q

print(long_to_bytes(pow(ct,d,n)))

hashtag
Just One More (n solves)

hashtag
Description

-

hashtag
Solution

Since we know all values used in multiplication with flag we can use z3 to get the flag. So we just need to change the flag value with Int('x{}') to make z3 find those values. Here is script that i used during the competition

hashtag
ForgeMe 1 (n solves)

hashtag
Description

-

hashtag
Solution

The idea is doing hash length extension attack on sha1. In this case i used hashpump command line because hashpump python library doesn't work on my machine. Nothing special since we just need to add random value to make our new value not available in queries. Because we need to include first_part in our value, we can use mac_query function to get the signature first and add random value on it. Here is solver i used to implement the idea

hashtag
ForgeMe 2 (n solves)

hashtag
Description

-

hashtag
Solution

The idea is same like forge1 , but we need to brute the key length. Here is solver i used during the competition

hashtag
Signed Jeopardy (n solves)

hashtag
Description

-

hashtag
Solution

We know that r*d is static, d is generated at initial run and r is calculated from k and G which is generated at initial run also. By using two different message we have

s1=(h(m1)+rβˆ—d)βˆ—kβˆ’1s2=(h(m2)+rβˆ—d)βˆ—kβˆ’1s1βˆ’s2=(h(m1)βˆ’h(m2))βˆ—kβˆ’1s_1 = (h(m_1) + r*d) * k^{-1}\\ s_2 = (h(m_2) + r*d) * k^{-1}\\ s_1 - s_2 = (h(m_1) - h(m_2)) * k^{-1}

Since we can get value of h(m1) and h(m2) we can leak k using equation below

(s1βˆ’s2)βˆ’1=(h(m1)βˆ’h(m2))βˆ’1βˆ—kk=(h(m1)βˆ’h(m2))βˆ—(s1βˆ’s2)βˆ’1(s_1 - s_2)^{-1} = (h(m_1) - h(m_2))^{-1} * k\\ k = (h(m_1) - h(m_2)) * (s_1 - s_2 )^{-1}

After getting value for k , we can get value for other unknown value which is d. To get value of d we can use equation below

s1=(h(m1)+rβˆ—d)βˆ—kβˆ’1s1βˆ—k=(h(m1)+rβˆ—d)s1βˆ—kβˆ’h(m1)βˆ—rβˆ’1=ds_1 = (h(m_1) + r*d) * k^{-1}\\ s_1 * k = (h(m_1) + r*d)\\ s_1 * k - h(m_1) * r^{-1} = d\\

Last step just sign new value using leaked value. Here is solver i used during competition

PreviousNahamCon CTFNextHSCTF

Last updated