RSA multi attacks tool : uncipher data from weak public key and try to recover private key Automatic selection of best attack for the given public key
Attacks :
-
Attacks that doesn't depend on the factorization of integers (may depend on knowing n,e,cyphertext,etc...):
- Wiener's attack
- Hastad's attack (Small public exponent attack)
- Boneh Durfee Method when the private exponent d is too small compared to the modulus (i.e d < n^0.292)
- Londahl
- Same n, huge e
- Small crt exponent
- Common factor between ciphertext and modulus attack
- Partial q
-
Strict Integer factorization methods (only depends on knowing n):
- Weak public key factorization
- Small q (q < 100,000)
- Fermat's factorisation for close p and q
- Gimmicky Primes method
- Past CTF Primes method
- Non RSA key in the form b^x, where b is prime
- Self-Initializing Quadratic Sieve (SIQS) using Yafu (https://github.com/DarkenCode/yafu.git)
- Common factor attacks across multiple keys
- Small fractions method when p/q is close to a small fraction
- Elliptic Curve Method
- Pollards p-1 for relatively smooth numbers
- Mersenne primes factorization
- Factordb
- Noveltyprimes
- Primefac
- Qicheng
- binary polynomial factoring
- Euler method
- Pollard Rho
- Wolfram alpha
- cm-factor
- z3 theorem prover
- Primorial pm1 gcd
- Mersenne pm1 gcd
- Fermat Numbers gcd
- Fibonacci gcd
- System primes gcd
- Shanks's square forms factorization (SQUFOF)
- Return of Coppersmith's attack (ROCA) with NECA variant
- Dixon
- brent (Pollard rho variant)
- Pisano Period
- XYXZ form integer factorization
- High and Low Bits Equal attack
usage: RsaCtfTool.py [-h] [--publickey PUBLICKEY] [--output OUTPUT] [--timeout TIMEOUT] [--createpub] [--dumpkey] [--ext] [--uncipherfile UNCIPHERFILE] [--uncipher UNCIPHER]
[--verbosity {CRITICAL,ERROR,WARNING,DEBUG,INFO}] [--private] [--tests] [--ecmdigits ECMDIGITS] [-n N] [-p P] [-q Q] [-e E] [--key KEY]
[--password PASSWORD] [--show-factors SHOW_FACTORS]
[--attack {SQUFOF,binary_polinomial_factoring,boneh_durfee,brent,cm_factor,comfact_cn,cube_root,dixon,ecm,ecm2,euler,factordb,fermat,fermat_numbers_gcd,fibonacci_gcd,londahl,mersenne_pm1_gcd,mersenne_primes,neca,nonRSA,noveltyprimes,partial_q,pastctfprimes,pisano_period,pollard_p_1,pollard_rho,primorial_pm1_gcd,qicheng,roca,siqs,small_crt_exp,smallfraction,smallq,system_primes_gcd,wiener,wolframalpha,z3_solver,XYXZ,highandlowbitsequal,common_factors,common_modulus,hastads,same_n_huge_e,all} [{SQUFOF,binary_polinomial_factoring,boneh_durfee,brent,cm_factor,comfact_cn,cube_root,dixon,ecm,ecm2,euler,factordb,fermat,fermat_numbers_gcd,fibonacci_gcd,londahl,mersenne_pm1_gcd,mersenne_primes,neca,nonRSA,noveltyprimes,partial_q,pastctfprimes,pisano_period,pollard_p_1,pollard_rho,primorial_pm1_gcd,qicheng,roca,siqs,small_crt_exp,smallfraction,smallq,system_primes_gcd,wiener,wolframalpha,z3_solver,XYXZ,highandlowbitsequal,common_factors,common_modulus,hastads,same_n_huge_e,all} ...]]
[--sendtofdb] [--isconspicuous] [--isroca] [--convert_idrsa_pub] [--check_publickey]Mode 1 : Attack RSA (specify --publickey or n and e)
- publickey : public rsa key to crack. You can import multiple public keys with wildcards.
- uncipher : cipher message to decrypt
- private : display private rsa key if recovered
Mode 2 : Create a Public Key File Given n and e (specify --createpub)
- n : modulus
- e : public exponent
Mode 3 : Dump the public and/or private numbers (optionally including CRT parameters in extended mode) from a PEM/DER format public or private key (specify --dumpkey)
- key : the public or private key in PEM or DER format
./RsaCtfTool.py --publickey ./key.pub --uncipherfile ./ciphered\_file
./RsaCtfTool.py --publickey ./key.pub --private
Attempt to break multiple public keys with common factor attacks or individually- use quotes around wildcards to stop bash expansion
./RsaCtfTool.py --publickey "*.pub" --private
./RsaCtfTool.py --publickey "*.pub" --private --sendtofdb
./RsaCtfTool.py --createpub -n 7828374823761928712873129873981723...12837182 -e 65537
./RsaCtfTool.py --dumpkey --key ./key.pub
./RsaCtfTool.py --key examples/conspicuous.priv --isconspicuous
./RsaCtfTool.py --publickey key.pub --ecmdigits 25 --verbose --private
For more examples, look at test.sh file
./RsaCtfTool.py --convert_idrsa_pub --publickey $HOME/.ssh/id_rsa.pub
./RsaCtfTool.py --isroca --publickey "examples/*.pub"
docker pull ganapati/rsactftool
docker run -it --rm -v $PWD:/data ganapati/rsactftool <arguments>
- GMPY2
- SymPy
- PyCrypto
- Requests
- Libnum
- SageMath : optional but advisable
- Sage binaries
git clone https://github.com/Ganapati/RsaCtfTool.git
sudo apt-get install libgmp3-dev libmpc-dev
cd RsaCtfTool
pip3 install -r "requirements.txt"
python3 RsaCtfTool.pygit clone https://github.com/Ganapati/RsaCtfTool.git
sudo dnf install gcc python3-devel python3-pip python3-wheel gmp-devel mpfr-devel libmpc-devel
cd RsaCtfTool
pip3 install -r "requirements.txt"
python3 RsaCtfTool.pyIf you also want the optional SageMath you need to do
sudo dnf install sagemath
pip3 install -r "optional-requirements.txt"If pip3 install -r "requirements.txt" fails to install requirements accessible within environment, the following command may work.
easy_install `cat requirements.txt`
You can follow instructions from : https://www.mersenneforum.org/showthread.php?t=23087
- Implement test method in each attack.
- Assign the correct algorithm complexity in Big O notation for each attack.
- Support multiprime RSA, the project currently supports textbook RSA.
- Please read the CONTRIBUTING.md guideline for the bare minimum aceptable PRs.