kudelskisecurity/go-manger-attack
go-manger-attack

This is a toy implementation in Go of the well-known chosen-ciphertext attack against RSA-OAEP found by Manger.

James Manger showed that, despite being formally secure, normal implementations of PKCS #1 v2.0 RSA-OAEP decoding were vulnerable to an adaptive chosen ciphertext attack, whose principle is relatively simple.

The present repo is an implementation of that attack in Go, run against a modified, vulnerable RSA-OAEP decryption function rather than the one from the crypto/rsa package. The current crypto/rsa implementation may have a timing discrepancy in its leftPad function that could enable a Manger attack, but if it does, the signal is too low to be exploitable, even locally (according to my benchmarks).

To test it

You can use the modded RSA library I included to test the code by simply running:

go test -v ./mangerattack -run TestOracleWithModdedRSA

To use it with your own oracle

You can call this as a package and pass your own oracle to the MangerAttack(Oracle) function. The oracle needs to satisfy the "Oracle" interface: a Decrypt(*big.Int) method that sends the given big integer to the oracle, and a Query() bool method that returns the oracle's answer, true if the decrypted plaintext is >= B (it has no leading zero byte after decryption) and false otherwise (it has one or more leading zero bytes after decryption).

An example is provided in attack_test.go that uses Go's "blackbox testing" to show how to implement the interface.
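As an added illustration (not code from this repo), here is a toy leaky oracle that satisfies the Decrypt/Query interface described above, together with a sanity check worth running before pointing the attack at a real implementation: it confirms the oracle really does distinguish a plaintext below B from one at or above B. The exact method signatures, the toyOracle type and the oracleLeaks helper are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"math/big"
)

// Oracle is the method set the README asks for (names from the README; exact signatures assumed).
type Oracle interface {
	Decrypt(c *big.Int) // hand a ciphertext to the decryption side
	Query() bool        // true if the raw plaintext was >= B (no leading zero byte)
}

// toyOracle is a constructed, deliberately leaky oracle: raw RSA decryption that
// records whether the result has a non-zero first byte, the one bit Manger's attack learns per query.
type toyOracle struct {
	priv *rsa.PrivateKey
	b    *big.Int // B = 2^(8(k-1)), k = byte length of N
	last bool
}

func newToyOracle(bits int) (*toyOracle, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	k := (priv.N.BitLen() + 7) / 8
	return &toyOracle{priv: priv, b: new(big.Int).Lsh(big.NewInt(1), uint(8*(k-1)))}, nil
}

func (o *toyOracle) Decrypt(c *big.Int) {
	m := new(big.Int).Exp(c, o.priv.D, o.priv.N) // raw RSA, no OAEP decoding
	o.last = m.Cmp(o.b) >= 0
}

func (o *toyOracle) Query() bool { return o.last }

func rawEncrypt(pub *rsa.PublicKey, m *big.Int) *big.Int {
	return new(big.Int).Exp(m, big.NewInt(int64(pub.E)), pub.N)
}

// oracleLeaks checks that the oracle tells a plaintext below B (leading zero byte,
// like every OAEP-encoded message) apart from one at or above B.
func oracleLeaks(o Oracle, pub *rsa.PublicKey, b *big.Int) bool {
	o.Decrypt(rawEncrypt(pub, big.NewInt(0x1234))) // constructed plaintext, far below B
	below := o.Query()
	o.Decrypt(rawEncrypt(pub, b)) // plaintext exactly B: first byte is 0x01
	above := o.Query()
	return !below && above
}
```

A real oracle would wrap your own decryption routine in Decrypt and derive the Query answer from whatever side channel it exposes, rather than from the plaintext directly.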

Intellectual property

Copyright (c) 2016 Nagravision SA, all rights are reserved.

rsa.go and parts of utils.go are copyright The Go Authors, with modifications copyright Nagravision SA.

License

CC0-1.0 (LICENSE) and BSD-3-Clause (GO_LICENSE).