Initial commit

Author: exp101t

RsaAttack.py

@@ -0,0 +1,108 @@
+from Crypto.PublicKey import RSA
+from attacks import *
+import argparse
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='This tool is for attacks on RSA multiple keys')
+
+    parser.add_argument('--key-files', nargs='*', help='Specify RSA public keys in standart form')
+    parser.add_argument('--enc-files', nargs='*', help='Specify encrypted files')
+    parser.add_argument('--chosen-plaintext', action='store_true', help='Specify to start chosen plaintext attack')
+    parser.add_argument('--exponents', nargs='*', help='Specify exponents of keys')
+    parser.add_argument('--modules', nargs='*', help='Specify modules of keys')
+    parser.add_argument('--ciphertexts', nargs='*', help='Specify ciphertexts')
+    parser.add_argument('--exponents-list', nargs=1, help='Specify file with exponents (line by line)')
+    parser.add_argument('--modules-list', nargs=1, help='Specify file with modules (line by line)')
+    parser.add_argument('--ciphertexts-list', nargs=1, help='Specify file with ciphertexts (line by line)')
+
+    args = parser.parse_args()
+
+    exponents, modules, ciphertexts = list(), list(), list()
+
+    if args.exponents_list is not None:
+        for file_name in args.exponents_list:
+            lines = open(file_name, 'r').readlines()
+            exponents = [transform_to_int(l) for l in lines]
+
+    if args.modules_list is not None:
+        for file_name in args.modules_list:
+            lines = open(file_name, 'r').readlines()
+            modules = [transform_to_int(l) for l in lines]
+
+    if args.ciphertexts_list is not None:
+        for file_name in args.ciphertexts_list:
+            lines = open(file_name, 'r').readlines()
+            ciphertexts = [transform_to_int(l) for l in lines]
+
+    if args.exponents is not None:
+        for e in args.exponents:
+            exponents.append(transform_to_int(e))
+
+    if args.modules is not None:
+        for n in args.modules:
+            modules.append(transform_to_int(n))
+
+    if args.ciphertexts is not None:
+        for c in args.ciphertexts:
+            ciphertexts.append(transform_to_int(c))
+
+    if args.key_files is not None:
+        for file_name in args.key_files:
+            key = open(file_name, 'r').read()
+            key_handle = RSA.importKey(key)
+
+            exponents.append(key_handle.e)
+            modules.append(key_handle.n)
+
+    if args.enc_files is not None:
+        for file_name in args.enc_files:
+            buffer = open(file_name, 'rb').read()
+
+            try:
+                if match(r'^[\w+/=\r\n]+$', buffer.decode()):
+                    ciphertexts.append(transform_to_int(buffer.decode()))
+                else:
+                    ciphertexts.append(bytes_as_int(buffer))
+            except:
+                ciphertexts.append(bytes_as_int(buffer))
+
+    if len(exponents) != len(modules) or len(modules) != len(ciphertexts):
+        print('[-] You should provide the same number of ciphertexts and keys')
+        exit(0)
+
+    if args.chosen_plaintext:
+        chosen_plaintext(modules[0], exponents[0], ciphertexts[0])
+        exit(0)
+
+    # First of all, trying to find e keys with exponent e
+    common_e_dict = dict()
+
+    for index, e in enumerate(exponents):
+        temp = common_e_dict.get(e, (list(), list()))
+
+        common_e_dict[e] = (
+            temp[0] + [modules[index]], 
+            temp[1] + [ciphertexts[index]]
+        )
+
+        if len(temp[0]) == e - 1:
+            print(common_exponent(e, *common_e_dict[e]))
+            exit(0)
+
+    # Trying to find keys with common modulus
+    for i in range(len(modules)):
+        for j in range(i + 1, len(modules)):
+            if modules[i] == modules[j] and gcd(exponents[i], exponents[j]) == 1:
+                print(common_modulus(
+                    modules[i],
+                    exponents[i], exponents[j],
+                    ciphertexts[i], ciphertexts[j]
+                ))
+                exit(0)
+
+            if gcd(modules[i], modules[j]) > 1:
+                print(common_divisor(
+                    modules[i], modules[j],
+                    exponents[i], ciphertexts[i]
+                ))
+                exit(0)

attacks.py

@@ -0,0 +1,67 @@
+from utils import *
+from random import randint
+
+def chosen_plaintext(n: int, e: int, c: int) -> bytes:
+    p = randint(2, 1000)
+    q = mod_inv(p, n)
+
+    to_decrypt = c * pow(p, e, n) % n
+    b = int_as_bytes(to_decrypt)
+
+    print('Send data for decrypting in one of the following forms:')
+    print('As decimal integer:', to_decrypt)
+    print('As hexidecimal integer:', hex(to_decrypt))
+    print('As Base64 encoded bytes:', b64encode(b).decode('ascii'))
+
+    result = input('Provide decrypted data: ')
+    result = transform_to_int(result)
+
+    m = result * q % n
+    print('Result is:', int_as_bytes(m))
+
+def common_divisor(n1: int, n2: int, e1: int, c1: int) -> bytes:
+    assert gcd(n1, n2) > 1
+
+    p = gcd(n1, n2)
+    q = n1 // p
+
+    d = mod_inv(e1, (p - 1) * (q - 1))
+    m = pow(c1, d, n1)
+
+    return int_as_bytes(m)
+
+def common_modulus(n: int, e1: int, e2: int, c1: int, c2: int) -> bytes:
+    assert gcd(e1, e2) == 1
+
+    p1, p2, _ = egcd(e1, e2)
+
+    if p1 < 0:
+        c1 = mod_inv(c1, n)
+        p1 *= -1
+    else:
+        c2 = mod_inv(c2, n)
+        p2 *= -1
+
+    m = pow(c1, p1, n) * pow(c2, p2, n) % n
+
+    return int_as_bytes(m)
+
+def common_exponent(e: int, modules: list, ciphertexts: list) -> bytes:
+    assert len(modules) == e
+
+    solution = solve_chinese_problem(modules, ciphertexts)
+
+    left, right = 1, min(modules)
+
+    while right - left > 1:
+        middle = (left + right) // 2
+
+        if middle ** e == solution:
+            return int_as_bytes(middle)
+
+        if middle ** e < solution:
+            left = middle
+        else:
+            right = middle
+
+    return b''

examples/common-divisor/enc1.bin

@@ -0,0 +1,2 @@
+@�E�c�?[w�;��U�/^>�q(�^Jv!nu�Bˬ?���ﭹl
�P|V�Ly4��a���{�<��A�l�͡�WD���z�W�K|�9�z�
+/�u��`]t�E(�hC?w{��`^)��'�

examples/common-divisor/enc2.bin

@@ -0,0 +1,6 @@
+-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmsaTRyPhf5Kt0NbaUW8K+ZynZ
+poVfMHrhSH9so/pul3f4/HKMUTfDn2ili+oRvXScvngrE8l7bE+ADA6HbLxzIdQV
+GhqhMEJTmo0808tpsYsMJ1sR13I3vcYpZ76bphEGhLxae9ssARuvn37Tx/f+RDXa
+JHWDuJfeupD9EjJqGwIDAQAB
+-----END PUBLIC KEY-----

examples/common-divisor/key1.pem

@@ -0,0 +1,6 @@
+-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDgs4hS/4DYe9xjCP0ELXGdWLbR
+gYewDLHRewpb1ASH5Zi+LL777FpadvTvpuiht1D97WoUBjwQaa4xFj4lmNVZyoK7
+I9zMPxrU+rpjjZh2Gqa5Jy+PmYuUUN0FAEVU6xO6sb6oZWJx+mqyEAhMQ9K8JRAb
+jaNoBx8fywENyd7+ZQIDAQAB
+-----END PUBLIC KEY-----

examples/common-divisor/key2.pem

@@ -0,0 +1 @@
+pycryptodome==3.8.2

requirements.txt

@@ -0,0 +1,63 @@
+from base64 import b64encode, b64decode
+from re import match
+
+# Mathematical algorithms
+def egcd(a: int, b: int) -> (int, int, int):
+    prelast_u, prelast_v = 1, 0
+    last_u, last_v = 0, 1
+
+    while True:
+        q, r = a // b, a % b
+
+        if r == 0:
+            return (last_u, last_v, b)
+
+        prelast_u, last_u = last_u, prelast_u - q * last_u
+        prelast_v, last_v = last_v, prelast_v - q * last_v
+
+        a, b = b, r
+
+def gcd(a: int, b: int) -> int:
+    while True:
+        if b == 0:
+            return a
+        a, b = b, a % b
+
+def mod_inv(a: int, b: int) -> int:
+    return egcd(a, b)[0] % b
+
+def solve_chinese_problem(modules: list, remainders: list) -> int:
+    mult = 1
+
+    for i in modules:
+        mult *= i
+
+    result = sum(
+        r * mult * mod_inv(mult // m, m) // m
+        for r, m in zip(remainders, modules)
+    )
+
+    return result % mult
+
+# Conversion algorithms
+def int_as_bytes(n: int) -> bytes:
+    bit_length = n.bit_length()
+
+    if bit_length == 0:
+        length = 1
+    else:
+        length = (bit_length + 7) // 8
+
+    return n.to_bytes(length, 'big')
+
+def bytes_as_int(b: bytes) -> int:
+    return int.from_bytes(b, 'big')
+
+def transform_to_int(s: str) -> int:
+    if match(r'^\d+$', s):
+        return int(s)
+    elif s.startswith('0x'):
+        return int(s, 16)
+    elif match(r'^[\w+/=\r\n]+$', s):
+        b = b64decode(s.encode('utf-8'))
+        return bytes_as_int(b)