这是一道关于RSA的解密题;首先,我们要明白,通常是公钥加密、私钥解密,私钥签名、公钥验证。这个题目中给出的是一个公钥和一段密文。
刚开始一直以为和验证签名有关,费劲脑汁也想不出来怎么办。下面介绍些思路。
首先,利用openssl分析公钥的格式,获得modulus和expoent。
方法一:利用openssl asn1parse来分析公钥格式
root@bt:~/Desktop# openssl asn1parse -in publickey.pub
:d= hl= l= cons: SEQUENCE
:d= hl= l= cons: SEQUENCE
:d= hl= l= prim: OBJECT :rsaEncryption
:d= hl= l= prim: NULL
:d= hl= l= prim: BIT STRING
那么在偏移为19处就是证书的expoent和modulus的信息。
root@bt:~/Desktop# openssl asn1parse -in publickey.pub -i -strparse
:d= hl= l= cons: SEQUENCE
:d= hl= l= prim: INTEGER :0367198D6B5614E95813ADD8F22A4717BC72BE1EABD933D1B86944FDB75B8ED230BE62D7D1B69D222095C128C86F82012ECB116191FD9D018A6D02F84DB27BC51A21307DC86F4BF771C691C143E5ABE549B5BD2D6EB1A21FD6270E7E1B48FE0611FBB2E1B0B3524E6F4DE8B4E4A345DA44A13DE825B72608DB6C7C4A40B78266E6C87BBFDEF6B48381D49C4507A58BCD47B76D64B45908B158BD7EBC4DACB0B1CFD6C2C19574F40EB2EFD0E9E10DC7005CAD39BCAF52B9EAC3873368D69031C5E724684A44F068EFD1D3DC096D9B5D6411E58BDEE43E46B99A0D0494B9DB28195AF901AFF130D4A6E203DAD08DA57FA7E40262A5BADB2A323EDA28B44696AB305D
:d= hl= l= prim: INTEGER :F3959D978E02EB9F06DEF3F335D8F8AFD7609951DDAC60B714B6C22AF0FA912F210B34206BD24A9601C78DF4A0275F107FD3AB552D95057EB934E71BDDCD7045C24B18587B8C8FCF5ADD4C5D83F0C77C94DC9C50CBE438E2B67BAFD31633B6AAF1781D90C3AD6F03D037B3321801B23546D483E67E26067F7B22347DDBC0C2D592CE814CBF5DFCCC141437F14E0B3990F88061E5F0BAE5F01E3FA70DB0E9605E7CFD575E9C81EFEEC529C33FD9037A20FD8ACD513AC9637768313E63F9838AE3511CDD0A9A2B516F2148C8D475A360A06359449739EECD251ABB42B014573E439F2FA4573557B25699FFC11E631CE8EE975A86E7E272BCF5F76A93450348FE3F
则第二行的十六进制就是modulus,第三行的十六进制则是expoent。观察到这里,expoent几乎和modulus一样长。
方法二:利用openssl rsa来获得modulus和expoent。
root@bt:~/Desktop# openssl rsa -in publickey.pub -pubin -modulus -text
Modulus ( bit):
:::8d:6b:::e9:::ad:d8:f2:2a::
:bc::be:1e:ab:d9::d1:b8:::fd:b7:5b:
8e:d2::be::d7:d1:b6:9d::::c1::c8:
6f:::2e:cb::::fd:9d::8a:6d::f8:
4d:b2:7b:c5:1a:::7d:c8:6f:4b:f7::c6::
c1::e5:ab:e5::b5:bd:2d:6e:b1:a2:1f:d6::
0e:7e:1b::fe:::fb:b2:e1:b0:b3::4e:6f:
4d:e8:b4:e4:a3::da::a1:3d:e8::b7:::
db:6c:7c:4a::b7:::e6:c8:7b:bf:de:f6:b4:
::d4:9c:::a5:8b:cd::b7:6d::b4::
:b1::bd:7e:bc:4d:ac:b0:b1:cf:d6:c2:c1::
:f4:0e:b2:ef:d0:e9:e1:0d:c7::5c:ad::bc:
af::b9:ea:c3::::d6:::c5:e7:::
4a::f0::ef:d1:d3:dc::6d:9b:5d:::e5:
8b:de:e4:3e::b9:9a:0d:::b9:db:::5a:
f9::af:f1::d4:a6:e2::da:d0:8d:a5:7f:a7:
e4:::a5:ba:db:2a::3e:da::b4:::ab:
:5d
Exponent:
:f3::9d::8e::eb:9f::de:f3:f3::d8:
f8:af:d7::::dd:ac::b7::b6:c2:2a:f0:
fa::2f::0b:::6b:d2:4a:::c7:8d:f4:
a0::5f::7f:d3:ab::2d:::7e:b9::e7:
1b:dd:cd:::c2:4b:::7b:8c:8f:cf:5a:dd:
4c:5d::f0:c7:7c::dc:9c::cb:e4::e2:b6:
7b:af:d3:::b6:aa:f1::1d::c3:ad:6f::
d0::b3::::b2:::d4::e6:7e:::
7f:7b:::7d:db:c0:c2:d5::ce::4c:bf:5d:
fc:cc::::f1:4e:0b:::f8:::e5:f0:
ba:e5:f0:1e:3f:a7:0d:b0:e9::5e:7c:fd::5e:
9c::ef:ee:c5::c3:3f:d9::7a::fd:8a:cd:
:3a:c9:::::3e::f9::8a:e3::1c:
dd:0a:9a:2b::6f:::c8:d4::a3::a0::
::::ee:cd::1a:bb::b0:::3e::
9f:2f:a4::::b2:::ff:c1:1e::1c:e8:
ee::5a::e7:e2::bc:f5:f7:6a:::::
fe:3f
Modulus=367198D6B5614E95813ADD8F22A4717BC72BE1EABD933D1B86944FDB75B8ED230BE62D7D1B69D222095C128C86F82012ECB116191FD9D018A6D02F84DB27BC51A21307DC86F4BF771C691C143E5ABE549B5BD2D6EB1A21FD6270E7E1B48FE0611FBB2E1B0B3524E6F4DE8B4E4A345DA44A13DE825B72608DB6C7C4A40B78266E6C87BBFDEF6B48381D49C4507A58BCD47B76D64B45908B158BD7EBC4DACB0B1CFD6C2C19574F40EB2EFD0E9E10DC7005CAD39BCAF52B9EAC3873368D69031C5E724684A44F068EFD1D3DC096D9B5D6411E58BDEE43E46B99A0D0494B9DB28195AF901AFF130D4A6E203DAD08DA57FA7E40262A5BADB2A323EDA28B44696AB305D
同样的,我们获得了modulus和expoent。
由于expoent很大,可以使用Wiener攻击来得到d,从而对信息解密。
求d的python脚本使用了https://github.com/pablocelayes/rsa-wiener-attack上的,稍微修改了下。
import ContinuedFractions, Arithmetic
import sys
sys.setrecursionlimit(1000000)
def hack_RSA(e,n):
'''
Finds d knowing (e,n)
applying the Wiener continued fraction attack
'''
frac = ContinuedFractions.rational_to_contfrac(e, n)
convergents = ContinuedFractions.convergents_from_contfrac(frac) for (k,d) in convergents: #check if d is actually the key
if k!=0 and (e*d-1)%k == 0:
phi = (e*d-1)//k
s = n - phi + 1
# check if the equation x^2 - s*x + n = 0
# has integer roots
discr = s*s - 4*n
if(discr>=0):
t = Arithmetic.is_perfect_square(discr)
if t!=-1 and (s+t)%2==0:
print("Hacked!")
return d
if __name__ == "__main__":
e = 0xF3959D978E02EB9F06DEF3F335D8F8AFD7609951DDAC60B714B6C22AF0FA912F210B34206BD24A9601C78DF4A0275F107FD3AB552D95057EB934E71BDDCD7045C24B18587B8C8FCF5ADD4C5D83F0C77C94DC9C50CBE438E2B67BAFD31633B6AAF1781D90C3AD6F03D037B3321801B23546D483E67E26067F7B22347DDBC0C2D592CE814CBF5DFCCC141437F14E0B3990F88061E5F0BAE5F01E3FA70DB0E9605E7CFD575E9C81EFEEC529C33FD9037A20FD8ACD513AC9637768313E63F9838AE3511CDD0A9A2B516F2148C8D475A360A06359449739EECD251ABB42B014573E439F2FA4573557B25699FFC11E631CE8EE975A86E7E272BCF5F76A93450348FE3F
n = 0x367198D6B5614E95813ADD8F22A4717BC72BE1EABD933D1B86944FDB75B8ED230BE62D7D1B69D222095C128C86F82012ECB116191FD9D018A6D02F84DB27BC51A21307DC86F4BF771C691C143E5ABE549B5BD2D6EB1A21FD6270E7E1B48FE0611FBB2E1B0B3524E6F4DE8B4E4A345DA44A13DE825B72608DB6C7C4A40B78266E6C87BBFDEF6B48381D49C4507A58BCD47B76D64B45908B158BD7EBC4DACB0B1CFD6C2C19574F40EB2EFD0E9E10DC7005CAD39BCAF52B9EAC3873368D69031C5E724684A44F068EFD1D3DC096D9B5D6411E58BDEE43E46B99A0D0494B9DB28195AF901AFF130D4A6E203DAD08DA57FA7E40262A5BADB2A323EDA28B44696AB305D
d = hack_RSA(e,n)
print d
#d为:4221909016509078129201801236879446760697885220928506696150646938237440992746683409881141451831939190609743447676525325543963362353923989076199470515758399
解密的脚本,参考自:http://rickgray.me/2015/03/23/bctf2015-writeup.html 写得很简单,但很清晰
import binascii n = 0x367198D6B5614E95813ADD8F22A4717BC72BE1EABD933D1B86944FDB75B8ED230BE62D7D1B69D222095C128C86F82012ECB116191FD9D018A6D02F84DB27BC51A21307DC86F4BF771C691C143E5ABE549B5BD2D6EB1A21FD6270E7E1B48FE0611FBB2E1B0B3524E6F4DE8B4E4A345DA44A13DE825B72608DB6C7C4A40B78266E6C87BBFDEF6B48381D49C4507A58BCD47B76D64B45908B158BD7EBC4DACB0B1CFD6C2C19574F40EB2EFD0E9E10DC7005CAD39BCAF52B9EAC3873368D69031C5E724684A44F068EFD1D3DC096D9B5D6411E58BDEE43E46B99A0D0494B9DB28195AF901AFF130D4A6E203DAD08DA57FA7E40262A5BADB2A323EDA28B44696AB305D
d = 4221909016509078129201801236879446760697885220928506696150646938237440992746683409881141451831939190609743447676525325543963362353923989076199470515758399L
c = 0x1e04304936215de8e21965cfca9c245b1a8f38339875d36779c0f123c475bc24d5eef50e7d9ff5830e80c62e8083ec55f27456c80b0ab26546b9aeb8af30e82b650690a2ed7ea407dcd094ab9c9d3d25a93b2140dcebae1814610302896e67f3ae37d108cd029fae6362ea7ac1168974c1a747ec9173799e1107e7a56d783660418ebdf6898d7037cea25867093216c2c702ef3eef71f694a6063f5f0f1179c8a2afe9898ae8dec5bb393cdffa3a52a297cd96d1ea602309ecf47cd009829b44ed3100cf6194510c53c25ca7435f60ce5f4f614cdd2c63756093b848a70aade002d6bc8f316c9e5503f32d39a56193d1d92b697b48f5aa43417631846824b5e86 m = hex(pow(c,d,n)).rstrip("L")
print m
print binascii.unhexlify(m[2:])
#0x424354467b3965745265613479217d
#BCTF{9etRea4y!}
参考文献:
http://www.ruanyifeng.com/blog/2013/06/rsa_algorithm_part_one.html
http://stackoverflow.com/questions/3116907/rsa-get-exponent-and-modulus-given-a-public-key
http://www.openssl.org/docs/apps/openssl.html
https://github.com/pablocelayes/rsa-wiener-attack
http://rickgray.me/2015/03/23/bctf2015-writeup.html