category : crypto
points : 871
Two parts in this challenge:
- get the key
- generate a collision to this mac
Same technique as in CSAW CTF - Fault Box
Let f be bytes_to_long("fake_flag")
c will be f ** e + k * p for some k
We know the value of f ** e
Simply calculating gcd(f ** e - c, n) gives us the prime factor p, and then we can factor n
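The gcd step above, as an added example that is not part of the original write-up or the challenge code. It assumes the fault corrupts one half of a CRT computation (which is what yields c = f ** e + k * p), uses constructed toy primes, and the helper names crt_pow, recover_factor and checked_crt_pow are hypothetical; the last one shows the matching mitigation of verifying the result before releasing it.

```python
from math import gcd

# Constructed toy parameters (not the challenge's): two Mersenne primes.
P, Q, E = 2**89 - 1, 2**107 - 1, 65537
N = P * Q

def crt_pow(m, e, p, q, fault=False):
    """m**e mod p*q via CRT; fault=True corrupts the mod-q half (assumed fault model)."""
    cp, cq = pow(m, e, p), pow(m, e, q)
    if fault:
        cq = (cq + 1) % q  # simulated glitch: any wrong residue behaves the same
    h = (pow(q, -1, p) * (cp - cq)) % p  # Garner recombination
    return cq + h * q  # equals cp mod p and cq mod q

def recover_factor(f, e, c, n):
    """gcd(f**e - c, n) from the write-up; a nontrivial factor, or None if c is correct."""
    g = gcd(pow(f, e, n) - c, n)
    return g if 1 < g < n else None

def checked_crt_pow(m, e, p, q, fault=False):
    """Mitigation: recompute without CRT and withhold any result that disagrees."""
    c = crt_pow(m, e, p, q, fault)
    if c != pow(m, e, p * q):
        raise ValueError("CRT result failed verification; output withheld")
    return c

# Known plaintext, as in the write-up.
f = int.from_bytes(b"fake_flag", "big")

if __name__ == "__main__":
    good = crt_pow(f, E, P, Q)
    bad = crt_pow(f, E, P, Q, fault=True)
    print("correct output leaks:", recover_factor(f, E, good, N))
    print("faulty output leaks: ", recover_factor(f, E, bad, N))
```

A correct output gives gcd(0, n) = n and leaks nothing; a single faulty output is enough to recover p.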
To make things simple, we send messages of 32 bytes.
We can control both messageblocks[1] and tag, which is ECB.encrypt(messageblocks[0])
Just make the result of strxor be the same
flag: bsides_delhi{F4ult'n'F0rg3_1s_@_b4d_c0mb1n4ti0n}