# **RSA Starter 1**

All operations in RSA involve modular exponentiation.

Modular exponentiation is an operation that is used extensively in cryptography and is normally written like: 210 mod 17

You can think of this as raising some number to a certain power (210 = 1024), and then taking the remainder of the division by some other number (1024 mod 17 = 4). In Python there's a built-in operator for performing this operation: pow(base, exponent, modulus)

In RSA, modular exponentiation, together with the problem of prime factorisation, helps us to build a "trapdoor function". This is a function that is easy to compute in one direction, but hard to do in reverse unless you have the right information. It allows us to encrypt a message, and only the person with the key can perform the inverse operation to decrypt it.

Find the solution to 10117 mod 22663

In [None]:
print((pow(101,17,22663)))

19906


# **RSA Starter 2**

RSA encryption is modular exponentiation of a message with an exponent e and a modulus N which is normally a product of two primes: N = p * q.

Together the exponent and modulus form an RSA "public key" (N, e). The most common value for e is 0x10001 or 65537.

"Encrypt" the number 12 using the exponent e = 65537 and the primes p = 17 and q = 23. What number do you get as the ciphertext?

In [None]:
m =12
e = 65537
p = 17
q = 23
n = p*q
print(pow(m,e,n))

301


# **RSA Starter 3**

RSA relies on the difficulty of the factorisation of the modulus N. If the primes can be found then we can calculate the Euler totient of N and thus decrypt the ciphertext.

Given N = p*q and two primes:

p = 857504083339712752489993810777

q = 1029224947942998075080348647219

What is the totient of N?

In [None]:
fn =(p-1)*(q-1)
print(fn)

352


In [None]:
def euler_totient(p, q):
    fn = (p - 1) * (q - 1)
    return fn

p = 857504083339712752489993810777
q = 1029224947942998075080348647219
resultado = euler_totient(p, q)

print(f"El resultado de la función totiente de Euler (φ(n)) para p={p} y q={q} es: {resultado}")


El resultado de la función totiente de Euler (φ(n)) para p=857504083339712752489993810777 y q=1029224947942998075080348647219 es: 882564595536224140639625987657529300394956519977044270821168


# **RSA Starter 4**

The private key d is used to decrypt ciphertexts created with the corresponding public key (it's also used to "sign" a message but we'll get to that later).

The private key is the secret piece of information or "trapdoor" which allows us to quickly invert the encryption function. If RSA is implemented well, if you do not have the private key the fastest way to decrypt the ciphertext is to first factorise the modulus.

In RSA the private key is the modular multiplicative inverse of the exponent e modulo the totient of N.

Given the two primes:

p = 857504083339712752489993810777

q = 1029224947942998075080348647219

and the exponent:

e = 65537

What is the private key d?

In [None]:
pip install gmpy2

Collecting gmpy2
  Downloading gmpy2-2.1.5-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (1.7 MB)
[2K     [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m1.7/1.7 MB[0m [31m16.1 MB/s[0m eta [36m0:00:00[0m
[?25hInstalling collected packages: gmpy2
Successfully installed gmpy2-2.1.5


In [None]:
import gmpy2
p = 857504083339712752489993810777
q = 1029224947942998075080348647219
e = 65537
fn = (p-1)*(q-1)
d = gmpy2.invert(e,fn)#求e的逆元d
print(d)

121832886702415731577073962957377780195510499965398469843281


# **RSA Starter 5**

I've encrypted a secret number for your eyes only using your public key parameters:

N = 882564595536224140639625987659416029426239230804614613279163

e = 65537

Use the private key that you found for these parameters in the previous challenge to decrypt this ciphertext:

c = 77578995801157823671636298847186723593814843845525223303932

In [None]:
import gmpy2
p = 857504083339712752489993810777
q =  1029224947942998075080348647219
e = 65537
c = 77578995801157823671636298847186723593814843845525223303932
fn = (p-1)*(q-1)
n = p*q
d = gmpy2.invert(e,fn)
print(d)
m =pow(c,d,n)
print(m)

121832886702415731577073962957377780195510499965398469843281
13371337


# **RSA Starter 6**

How can you ensure that the person receiving your message knows that you wrote it?

You've been asked out on a date, and you want to send a message telling them that you'd love to go, however a jealous lover isn't so happy about this.

When you send your message saying yes, your jealous lover intercepts the message and corrupts it so it now says no!

We can protect against these attacks by signing the message.

Imagine you write a message M. You encrypt this message with your friend's public key: C = Me0 mod N0.

To sign this message, you calculate the hash of the message: H(M) and "encrypt" this with your private key: S = H(M)d1 mod N1.

In real cryptosystems, it's best practice to use separate keys for encrypting and signing messages.


Your friend can decrypt the message using their private key: m = Cd0 mod N0. Using your public key they calculate s = Se1 mod N1.

Now by computing H(m) and comparing it to s: assert H(m) == s, they can ensure that the message you sent them, is the message that they received!

Sign the flag crypto{Immut4ble_m3ssag1ng} using your private key and the SHA256 hash function.

The output of the hash function needs to be converted into a number that can be used with RSA math. Remember the helpful bytes_to_long() function that can be imported from Crypto.Util.number.


Challenge files:
  - private.key

In [None]:
pip install pycryptodome


Collecting pycryptodome
  Downloading pycryptodome-3.19.1-cp35-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (2.1 MB)
[2K     [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m2.1/2.1 MB[0m [31m8.3 MB/s[0m eta [36m0:00:00[0m
[?25hInstalling collected packages: pycryptodome
Successfully installed pycryptodome-3.19.1


In [None]:
from hashlib import sha256
from Crypto.Util.number import *
N = 15216583654836731327639981224133918855895948374072384050848479908982286890731769486609085918857664046075375253168955058743185664390273058074450390236774324903305663479046566232967297765731625328029814055635316002591227570271271445226094919864475407884459980489638001092788574811554149774028950310695112688723853763743238753349782508121985338746755237819373178699343135091783992299561827389745132880022259873387524273298850340648779897909381979714026837172003953221052431217940632552930880000919436507245150726543040714721553361063311954285289857582079880295199632757829525723874753306371990452491305564061051059885803
d = 11175901210643014262548222473449533091378848269490518850474399681690547281665059317155831692300453197335735728459259392366823302405685389586883670043744683993709123180805154631088513521456979317628012721881537154107239389466063136007337120599915456659758559300673444689263854921332185562706707573660658164991098457874495054854491474065039621922972671588299315846306069845169959451250821044417886630346229021305410340100401530146135418806544340908355106582089082980533651095594192031411679866134256418292249592135441145384466261279428795408721990564658703903787956958168449841491667690491585550160457893350536334242689
m = b'crypto{Immut4ble_m3ssag1ng}'
H = bytes_to_long(sha256(m).digest())
s = pow(H,d,N)
print((s))

13480738404590090803339831649238454376183189744970683129909766078877706583282422686710545217275797376709672358894231550335007974983458408620258478729775647818876610072903021235573923300070103666940534047644900475773318682585772698155617451477448441198150710420818995347235921111812068656782998168064960965451719491072569057636701190429760047193261886092862024118487826452766513533860734724124228305158914225250488399673645732882077575252662461860972889771112594906884441454355959482925283992539925713424132009768721389828848907099772040836383856524605008942907083490383109757406940540866978237471686296661685839083475


# ***Factoring***

So far we've been using the product of small primes for the modulus, but small primes aren't much good for RSA as they can be factorised using modern methods.

What is a "small prime"? There was an RSA Factoring Challenge with cash prizes given to teams who could factorise RSA moduli. This gave insight to the public into how long various key sizes would remain safe. Computers get faster, algorithms get better, so in cryptography it's always prudent to err on the side of caution.

These days, using primes that are at least 1024 bits long is recommended—multiplying two such 1024 primes gives you a modulus that is 2048 bits large. RSA with a 2048-bit modulus is called RSA-2048.

Some say that to really remain future-proof you should use RSA-4096 or even RSA-8192. However, there is a tradeoff here; it takes longer to generate large prime numbers, plus modular exponentiations are predictably slower with a large modulus.

Factorise the 150-bit number 510143758735509025530880200653196460532653147 into its two constituent primes. Give the smaller one as your answer.

Resources:
  - How big an RSA key is considered secure today?
  - primefac-fork

In [None]:
pip install factordb-python

Collecting factordb-python
  Downloading factordb-python-1.3.0.tar.gz (4.0 kB)
  Preparing metadata (setup.py) ... [?25l[?25hdone
Building wheels for collected packages: factordb-python
  Building wheel for factordb-python (setup.py) ... [?25l[?25hdone
  Created wheel for factordb-python: filename=factordb_python-1.3.0-py3-none-any.whl size=4620 sha256=a8f570b30c5f2d567e84a5c62d088ae010f844cfc086bddfb7a10a0d480eb7ea
  Stored in directory: /root/.cache/pip/wheels/81/a1/61/1197ad7f12fed75140ad16305ca67cba512ba7326f2f572fb4
Successfully built factordb-python
Installing collected packages: factordb-python
Successfully installed factordb-python-1.3.0


In [None]:
from factordb.factordb import FactorDB
f = FactorDB(510143758735509025530880200653196460532653147)
print(f.get_factor_list())
print(f.connect())
print(f.get_factor_list())

[]
<Response [200]>
[19704762736204164635843, 25889363174021185185929]


# ***Monoprime***

Why is everyone so obsessed with multiplying two primes for RSA. Why not just use one?

Challenge files:
  - output.txt

Resources:
  - Why do we need in RSA the modulus to be product of 2 primes?

In [None]:
pip install libnum


Collecting libnum
  Downloading libnum-1.7.1-py3-none-any.whl (14 kB)
Installing collected packages: libnum
Successfully installed libnum-1.7.1


In [None]:
import gmpy2
import libnum
import binascii
from Crypto.Util.number import *
n = 171731371218065444125482536302245915415603318380280392385291836472299752747934607246477508507827284075763910264995326010251268493630501989810855418416643352631102434317900028697993224868629935657273062472544675693365930943308086634291936846505861203914449338007760990051788980485462592823446469606824421932591
e = 65537
ct = 161367550346730604451454756189028938964941280347662098798775466019463375610700074840105776873791605070092554650190486030367121011578171525759600774739890458414593857709994072516290998135846956596662071379067305011746842247628316996977338024343628757374524136260758515864509435302781735938531030576289086798942

d = gmpy2.invert(e,(n-1))
flag = pow(ct,d,n)
print(flag)
print(libnum.n2s(int(flag)))
print(bytes.fromhex(hex(flag)[2:]))
print(binascii.unhexlify(hex(flag)[2:]))
print(binascii.a2b_hex(hex(flag)[2:]))
print(long_to_bytes(flag))

44981230718212183184022261350591509650967020174777710365581497711727767219325
b'crypto{0n3_pr1m3_41n7_pr1m3_l0l}'
b'crypto{0n3_pr1m3_41n7_pr1m3_l0l}'
b'crypto{0n3_pr1m3_41n7_pr1m3_l0l}'
b'crypto{0n3_pr1m3_41n7_pr1m3_l0l}'
b'crypto{0n3_pr1m3_41n7_pr1m3_l0l}'


# **Manyprime**

Using one prime factor was definitely a bad idea so I'll try using over 30 instead.

 If it's taking forever to factorise, read up on factorisation algorithms and make sure you're using one that's optimised for this scenario.


Challenge files:
  - output.txt

Resources:
  - The Elliptic Curve Factorization Method

In [None]:
pip install factordb-pycli

Collecting factordb-pycli
  Downloading factordb-pycli-1.3.0.tar.gz (4.0 kB)
  Preparing metadata (setup.py) ... [?25l[?25hdone
Building wheels for collected packages: factordb-pycli
  Building wheel for factordb-pycli (setup.py) ... [?25l[?25hdone
  Created wheel for factordb-pycli: filename=factordb_pycli-1.3.0-py3-none-any.whl size=4604 sha256=9ee024f5359e988d91ba1acc2132673d90edff9343ae3a7dd4f5e2a9fcdfdef5
  Stored in directory: /root/.cache/pip/wheels/ea/66/3a/286d77c4fca22c613eca648f56ab7931c0174348527ec1a430
Successfully built factordb-pycli
Installing collected packages: factordb-pycli
Successfully installed factordb-pycli-1.3.0


In [None]:
n = 580642391898843192929563856870897799650883152718761762932292482252152591279871421569162037190419036435041797739880389529593674485555792234900969402019055601781662044515999210032698275981631376651117318677368742867687180140048715627160641771118040372573575479330830092989800730105573700557717146251860588802509310534792310748898504394966263819959963273509119791037525504422606634640173277598774814099540555569257179715908642917355365791447508751401889724095964924513196281345665480688029639999472649549163147599540142367575413885729653166517595719991872223011969856259344396899748662101941230745601719730556631637
e = 65537
ct = 320721490534624434149993723527322977960556510750628354856260732098109692581338409999983376131354918370047625150454728718467998870322344980985635149656977787964380651868131740312053755501594999166365821315043312308622388016666802478485476059625888033017198083472976011719998333985531756978678758897472845358167730221506573817798467100023754709109274265835201757369829744113233607359526441007577850111228850004361838028842815813724076511058179239339760639518034583306154826603816927757236549096339501503316601078891287408682099750164720032975016814187899399273719181407940397071512493967454225665490162619270814464

from factordb.factordb import FactorDB
from functools import reduce
p_q=[9282105380008121879, 9303850685953812323, 9389357739583927789, 10336650220878499841, 10638241655447339831, 11282698189561966721, 11328768673634243077, 11403460639036243901, 11473665579512371723, 11492065299277279799, 11530534813954192171, 11665347949879312361, 12132158321859677597, 12834461276877415051, 12955403765595949597, 12973972336777979701, 13099895578757581201, 13572286589428162097, 14100640260554622013, 14178869592193599187, 14278240802299816541, 14523070016044624039, 14963354250199553339, 15364597561881860737, 15669758663523555763, 15824122791679574573, 15998365463074268941, 16656402470578844539, 16898740504023346457, 17138336856793050757, 17174065872156629921, 17281246625998849649]

phi =reduce(lambda x,y:x*(y-1),[1]+p_q)
print(phi)
d = pow(e,-1,phi)
flag = pow(ct,d,n)
print(bytes.fromhex(hex(flag)[2:]))

580642391898843191487404652150193463439642600155214610402815446275117822457602964108279991178253399797937961990567828910318944376020941874995912942457183778540787232677949141800666918857974957805860863128934894322453334083108951829885566055541321469492863749601696156719452204625091396670183612468234453545730714411260422415053794985900973204357184470104831581957188055965458235216412636167147716884241110058234315146752181551500634472836779298794303330378218517375396697137335380548442818167481491481087606998467945980408909917714107491743183639877866494931448463312524563384587536906823474872320000000000000000
b'crypto{700_m4ny_5m4ll_f4c70r5}'


# **Salty**
Smallest exponent should be fastest, right?

Challenge files:
  - salty.py
  - output.txt

In [None]:
pip install pycrypto

Collecting pycrypto
  Downloading pycrypto-2.6.1.tar.gz (446 kB)
[2K     [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m446.2/446.2 kB[0m [31m4.9 MB/s[0m eta [36m0:00:00[0m
[?25h  Preparing metadata (setup.py) ... [?25l[?25hdone
Building wheels for collected packages: pycrypto
  Building wheel for pycrypto (setup.py) ... [?25l[?25hdone
  Created wheel for pycrypto: filename=pycrypto-2.6.1-cp310-cp310-linux_x86_64.whl size=498545 sha256=0d165d4c54c32a767fc50f573b76b44867c3f4532ab3d7303af4b461f5e76352
  Stored in directory: /root/.cache/pip/wheels/e8/4b/5b/b10a6fc885057b6ff9fbd5691d7e700d0a9408f80b7e6f12e0
Successfully built pycrypto
Installing collected packages: pycrypto
Successfully installed pycrypto-2.6.1


In [None]:
pip install pyrebase4


Collecting pyrebase4
  Downloading Pyrebase4-4.7.1-py3-none-any.whl (9.2 kB)
Collecting requests-toolbelt<1.0,>=0.7.1 (from pyrebase4)
  Downloading requests_toolbelt-0.10.1-py2.py3-none-any.whl (54 kB)
[2K     [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m54.5/54.5 kB[0m [31m1.7 MB/s[0m eta [36m0:00:00[0m
[?25hCollecting requests<2.30,>=2.19.1 (from pyrebase4)
  Downloading requests-2.29.0-py3-none-any.whl (62 kB)
[2K     [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m62.5/62.5 kB[0m [31m4.7 MB/s[0m eta [36m0:00:00[0m
[?25hCollecting urllib3<2,>=1.21.1 (from pyrebase4)
  Downloading urllib3-1.26.18-py2.py3-none-any.whl (143 kB)
[2K     [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m143.8/143.8 kB[0m [31m11.2 MB/s[0m eta [36m0:00:00[0m
[?25hCollecting gcloud>=0.18.3 (from pyrebase4)
  Downloading gcloud-0.18.3.tar.gz (454 kB)
[2K     [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m454.4/454.4 kB[0m [31m14.7 MB/s[0m eta [36m0:00:

In [None]:
#!/usr/bin/env python3

from Crypto.Util.number import getPrime, inverse, bytes_to_long, long_to_bytes

e = 1
d = -1

while d == -1:
    p = getPrime(512)
    q = getPrime(512)
    phi = (p - 1) * (q - 1)
    d = inverse(e, phi)

n = p * q

flag = b"XXXXXXXXXXXXXXXXXXXXXXX"
pt = bytes_to_long(flag)
ct = pow(pt, e, n)

print(f"n = {n}")
print(f"e = {e}")
print(f"ct = {ct}")

pt = pow(ct, d, n)
decrypted = long_to_bytes(pt)
assert decrypted == flag


n = 48750203022719316640452982598948188514983773421375177364276837264773889719019069976231137461407710410297497354940396972266531168705121153917095531994346427960376896366232146776116742434159686460574225335425329778613822883950992364946666314647678298950101360912345323077466829355193237475800517372134423038927
e = 1
ct = 8461779300153613774778637702853471884451704643272595544


In [None]:
c = 44981230718212183604274785925793145442655465025264554046028251311164494127485
print(bytes.fromhex(hex(c)[2:]))

b'crypto{saltstack_fell_for_this!}'


# **Modulus Inutilis**

My primes should be more than large enough now!

Challenge files:
  - modulus_inutilis.py
  - output.txt

In [None]:
#!/usr/bin/env python3

from Crypto.Util.number import getPrime, inverse, bytes_to_long, long_to_bytes

e = 3
d = -1

while d == -1:
    p = getPrime(1024)
    q = getPrime(1024)
    phi = (p - 1) * (q - 1)
    d = inverse(e, phi)

n = p * q

flag = b"XXXXXXXXXXXXXXXXXXXXXXX"
pt = bytes_to_long(flag)
ct = pow(pt, e, n)

print(f"n = {n}")
print(f"e = {e}")
print(f"ct = {ct}")

pt = pow(ct, d, n)
decrypted = long_to_bytes(pt)
assert decrypted == flag


n = 14820295716820595267336997022037271122750439705716969314812644218126236020021489568595822554355895680391546181511159785440597979487956851459915416225744219609963045458732649697399187728081610950537961195680091182336974868748060591829112879912319434490626350170763919762676562669368231358526211349744175453874606087561314192633387253050224823987296827018055187102444639522772857462846570941519530021922165359130933847119983499510121950024640909323743072017233604608935225393186974079136299034451697645873034601776735698775468134457198614372686117870984852095658247757654964400106275949857385662582881441814382099116709
e = 3
ct = 605877858433027603541142896448019044718598083014741806340445425957159123895702361904803311842000502686580406336826200661576812020411053632176514866648130959982749184


In [None]:
pip install gmpy2==2.1.0rc1

Collecting gmpy2==2.1.0rc1
  Downloading gmpy2-2.1.0rc1-cp310-cp310-manylinux_2_12_x86_64.manylinux2010_x86_64.whl (3.6 MB)
[2K     [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m3.6/3.6 MB[0m [31m7.9 MB/s[0m eta [36m0:00:00[0m
[?25hInstalling collected packages: gmpy2
Successfully installed gmpy2-2.1.0rc1


In [None]:
pip install libnum


Collecting libnum
  Downloading libnum-1.7.1-py3-none-any.whl (14 kB)
Installing collected packages: libnum
Successfully installed libnum-1.7.1


In [None]:
from gmpy2 import iroot
import libnum
n = 17258212916191948536348548470938004244269544560039009244721959293554822498047075403658429865201816363311805874117705688359853941515579440852166618074161313773416434156467811969628473425365608002907061241714688204565170146117869742910273064909154666642642308154422770994836108669814632309362483307560217924183202838588431342622551598499747369771295105890359290073146330677383341121242366368309126850094371525078749496850520075015636716490087482193603562501577348571256210991732071282478547626856068209192987351212490642903450263288650415552403935705444809043563866466823492258216747445926536608548665086042098252335883

c= 243251053617903760309941844835411292373350655973075480264001352919865180151222189820473358411037759381328642957324889519192337152355302808400638052620580409813222660643570085177957
k = 0
while 1:
    res=iroot(c+k*n,3)
    if(res[1]==True):
        print(libnum.n2s(int(res[0])))
        break
    k=k+1

b'crypto{N33d_m04R_p4dd1ng}'


# **Diffie-Hellman Inicial 1**

El conjunto de números enteros módulo n, junto con las operaciones tanto de suma como de multiplicación, forma un anillo. Esto significa que sumar o multiplicar dos elementos cualesquiera del conjunto da como resultado otro elemento del conjunto.

Cuando el módulo es primo: n = p, tenemos garantizado un inverso de cada elemento del conjunto, por lo que el anillo se convierte en un campo. Nos referimos a este campo como un campo finito Fp.

El protocolo Diffie-Hellman trabaja con elementos de algún campo finito Fp, donde el módulo primo suele ser un primo grande.

Dado el primo p = 991 y el elemento g = 209, encuentre el elemento inverso d tal que g * d mod 991 = 1.

In [None]:
from sympy import mod_inverse

p = 991
g = 209

d = mod_inverse(g, p)

print(d)

569


# **Diffie-Hellman Starter 2**

Every element of a finite field Fp can be used to make a subgroup H under repeated action of multiplication. In other words, for an element g: H = {g, g^2, g^3, ...}

A primitive element of Fp is an element whose subgroup H = Fp, i.e., every element of Fp, can be written as g^n mod p for some integer n. Because of this, primitive elements are sometimes called generators of the finite field.

For the finite field with p = 28151 find the smallest element g which is a primitive element of Fp.

/////////

Cada elemento de un cuerpo finito Fp puede usarse para formar un subgrupo H bajo la acción repetida de la multiplicación. En otras palabras, para un elemento g: H = {g, g^2, g^3, ...}

Un elemento primitivo de Fp es un elemento cuyo subgrupo H = Fp, es decir, cada elemento de Fp, puede escribirse como g^n mod p para algún número entero n. Debido a esto, a los elementos primitivos a veces se les llama generadores del campo finito.

Para el campo finito con p = 28151, encuentre el elemento más pequeño g, que es un elemento primitivo de Fp.

In [None]:
from sympy.ntheory import is_primitive_root

p = 28151
g = 2

while not is_primitive_root(g, p):
    g += 1

print(g)

7


# **Diffie-Hellman Starter 3**

The first step of the protocol is to establish a prime p and some generator of the finite field g. These must be carefully chosen to avoid special cases where the discrete log can be solved with efficient algorithms. For example, a safe prime p = 2*q +1 is usually picked such that the only factors of p - 1 are {2,q} where q is some other large prime. This protects DH from the Pohlig–Hellman algorithm.

The user then picks a secret integer a < p and calculates g^a mod p. This can be transmitted over an insecure network and due to the assumed difficulty of the discrete logarithm, the secret integer should be infeasible to compute.

Given the NIST parameters:

g: 2

p: 2410312426921032588552076022197566074856950548502459942654116941958108831682612228890093858261341614673227141477904012196503648957050582631942730706805009223062734745341073406696246014589361659774041027169249453200378729434170325843778659198143763193776859869524088940195577346119843545301547043747207749969763750084308926339295559968882457872412993810129130294592999947926365264059284647209730384947211681434464714438488520940127459844288859336526896320919633919

Calculate the value of g^a mod p for

a: 972107443837033796245864316200458246846904598488981605856765890478853088246897345487328491037710219222038930943365848626194109830309179393018216763327572120124760140018038673999837643377590434413866611132403979547150659053897355593394492586978400044375465657296027592948349589216415363722668361328689588996541370097559090335137676411595949335857341797148926151694299575970292809805314431447043469447485957669949989090202320234337890323293401862304986599884732815

El primer paso del protocolo es establecer un primo p y algún generador del campo finito g. Estos deben elegirse cuidadosamente para evitar casos especiales en los que el registro discreto pueda resolverse con algoritmos eficientes. Por ejemplo, un primo seguro p = 2*q +1 generalmente se elige de modo que los únicos factores de p - 1 sean {2,q} donde q es algún otro primo grande. Esto protege a DH del algoritmo de Pohlig-Hellman.

Luego, el usuario elige un número entero secreto a <p y calcula g^a mod p. Esto puede transmitirse a través de una red insegura y, debido a la supuesta dificultad del logaritmo discreto, no debería ser factible calcular el número entero secreto.

In [None]:

g =2sss

p = 2410312426921032588552076022197566074856950548502459942654116941958108831682612228890093858261341614673227141477904012196503648957050582631942730706805009223062734745341073406696246014589361659774041027169249453200378729434170325843778659198143763193776859869524088940195577346119843545301547043747207749969763750084308926339295559968882457872412993810129130294592999947926365264059284647209730384947211681434464714438488520940127459844288859336526896320919633919


a = 972107443837033796245864316200458246846904598488981605856765890478853088246897345487328491037710219222038930943365848626194109830309179393018216763327572120124760140018038673999837643377590434413866611132403979547150659053897355593394492586978400044375465657296027592948349589216415363722668361328689588996541370097559090335137676411595949335857341797148926151694299575970292809805314431447043469447485957669949989090202320234337890323293401862304986599884732815
print(pow(g,a,p))

1806857697840726523322586721820911358489420128129248078673933653533930681676181753849411715714173604352323556558783759252661061186320274214883104886050164368129191719707402291577330485499513522368289395359523901406138025022522412429238971591272160519144672389532393673832265070057319485399793101182682177465364396277424717543434017666343807276970864475830391776403957550678362368319776566025118492062196941451265638054400177248572271342548616103967411990437357924


# **Diffie-Hellman Starter 4**

Now it's time to calculate a shared secret using data received from your friend Alice. Like before, we will be using the NIST parameters:

g: 2

p: 2410312426921032588552076022197566074856950548502459942654116941958108831682612228890093858261341614673227141477904012196503648957050582631942730706805009223062734745341073406696246014589361659774041027169249453200378729434170325843778659198143763193776859869524088940195577346119843545301547043747207749969763750084308926339295559968882457872412993810129130294592999947926365264059284647209730384947211681434464714438488520940127459844288859336526896320919633919

You have received the following integer from Alice:

A: 70249943217595468278554541264975482909289174351516133994495821400710625291840101960595720462672604202133493023241393916394629829526272643847352371534839862030410331485087487331809285533195024369287293217083414424096866925845838641840923193480821332056735592483730921055532222505605661664236182285229504265881752580410194731633895345823963910901731715743835775619780738974844840425579683385344491015955892106904647602049559477279345982530488299847663103078045601

You generate your secret integer b and calculate your public one B, which you send to Alice.

b: 12019233252903990344598522535774963020395770409445296724034378433497976840167805970589960962221948290951873387728102115996831454482299243226839490999713763440412177965861508773420532266484619126710566414914227560103715336696193210379850575047730388378348266180934946139100479831339835896583443691529372703954589071507717917136906770122077739814262298488662138085608736103418601750861698417340264213867753834679359191427098195887112064503104510489610448294420720

B: 518386956790041579928056815914221837599234551655144585133414727838977145777213383018096662516814302583841858901021822273505120728451788412967971809038854090670743265187138208169355155411883063541881209288967735684152473260687799664130956969450297407027926009182761627800181901721840557870828019840218548188487260441829333603432714023447029942863076979487889569452186257333512355724725941390498966546682790608125613166744820307691068563387354936732643569654017172

You and Alice are now able to calculate a shared secret, which would be infeasible to calculate knowing only {g,p,A,B}.

What is your shared secret?

In [None]:
p=2410312426921032588552076022197566074856950548502459942654116941958108831682612228890093858261341614673227141477904012196503648957050582631942730706805009223062734745341073406696246014589361659774041027169249453200378729434170325843778659198143763193776859869524088940195577346119843545301547043747207749969763750084308926339295559968882457872412993810129130294592999947926365264059284647209730384947211681434464714438488520940127459844288859336526896320919633919
g = 2
A=70249943217595468278554541264975482909289174351516133994495821400710625291840101960595720462672604202133493023241393916394629829526272643847352371534839862030410331485087487331809285533195024369287293217083414424096866925845838641840923193480821332056735592483730921055532222505605661664236182285229504265881752580410194731633895345823963910901731715743835775619780738974844840425579683385344491015955892106904647602049559477279345982530488299847663103078045601
b= 12019233252903990344598522535774963020395770409445296724034378433497976840167805970589960962221948290951873387728102115996831454482299243226839490999713763440412177965861508773420532266484619126710566414914227560103715336696193210379850575047730388378348266180934946139100479831339835896583443691529372703954589071507717917136906770122077739814262298488662138085608736103418601750861698417340264213867753834679359191427098195887112064503104510489610448294420720
B= 518386956790041579928056815914221837599234551655144585133414727838977145777213383018096662516814302583841858901021822273505120728451788412967971809038854090670743265187138208169355155411883063541881209288967735684152473260687799664130956969450297407027926009182761627800181901721840557870828019840218548188487260441829333603432714023447029942863076979487889569452186257333512355724725941390498966546682790608125613166744820307691068563387354936732643569654017172


print(pow(A,b,p))

1174130740413820656533832746034841985877302086316388380165984436672307692443711310285014138545204369495478725102882673427892104539120952393788961051992901649694063179853598311473820341215879965343136351436410522850717408445802043003164658348006577408558693502220285700893404674592567626297571222027902631157072143330043118418467094237965591198440803970726604537807146703763571606861448354607502654664700390453794493176794678917352634029713320615865940720837909466


# **Diffie-Hellman Starter 4**

Alice wants to send you her secret flag and asks you to generate a shared secret with her. She also tells you she will be using the NIST standard:

g: 2

p: 2410312426921032588552076022197566074856950548502459942654116941958108831682612228890093858261341614673227141477904012196503648957050582631942730706805009223062734745341073406696246014589361659774041027169249453200378729434170325843778659198143763193776859869524088940195577346119843545301547043747207749969763750084308926339295559968882457872412993810129130294592999947926365264059284647209730384947211681434464714438488520940127459844288859336526896320919633919

You receive the following integer from Alice:

A: 112218739139542908880564359534373424013016249772931962692237907571990334483528877513809272625610512061159061737608547288558662879685086684299624481742865016924065000555267977830144740364467977206555914781236397216033805882207640219686011643468275165718132888489024688846101943642459655423609111976363316080620471928236879737944217503462265615774774318986375878440978819238346077908864116156831874695817477772477121232820827728424890845769152726027520772901423784

You then generate your secret integer and calculate your public one, which you send to Alice.

b: 197395083814907028991785772714920885908249341925650951555219049411298436217190605190824934787336279228785809783531814507661385111220639329358048196339626065676869119737979175531770768861808581110311903548567424039264485661330995221907803300824165469977099494284722831845653985392791480264712091293580274947132480402319812110462641143884577706335859190668240694680261160210609506891842793868297672619625924001403035676872189455767944077542198064499486164431451944

B: 1241972460522075344783337556660700537760331108332735677863862813666578639518899293226399921252049655031563612905395145236854443334774555982204857895716383215705498970395379526698761468932147200650513626028263449605755661189525521343142979265044068409405667549241125597387173006460145379759986272191990675988873894208956851773331039747840312455221354589910726982819203421992729738296452820365553759182547255998984882158393688119629609067647494762616719047466973581

Individually you each use the shared secret to derive an AES private key. This allows you to encrypt large amounts of data over your channel without needing to exchange keys again.

Alice sends you the following IV and ciphertext:

{'iv': '737561146ff8194f45290f5766ed6aba', 'encrypted_flag': '39c99bf2f0c14678d6a5416faef954b5893c316fc3c48622ba1fd6a9fe85f3dc72a29c394cf4bc8aff6a7b21cae8e12c'}

Decrypt this to obtain your flag!

The decrypt.py script is provided to help you here and on future challenges too.


Challenge files:
  - source.py
  - decrypt.py

In [None]:
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
import hashlib
import os
from secret import shared_secret

FLAG = b'crypto{????????????????????????????}'


def encrypt_flag(shared_secret: int):
    sha1 = hashlib.sha1()
    sha1.update(str(shared_secret).encode('ascii'))
    key = sha1.digest()[:16]
    iv = os.urandom(16)
    cipher = AES.new(key, AES.MODE_CBC, iv)
    ciphertext = cipher.encrypt(pad(FLAG, 16))
    data = {}
    data['iv'] = iv.hex()
    data['encrypted_flag'] = ciphertext.hex()
    return data


print(encrypt_flag(shared_secret))

NameError: name 'shared_secret' is not defined

In [None]:
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
import hashlib
g = 2
p = 2410312426921032588552076022197566074856950548502459942654116941958108831682612228890093858261341614673227141477904012196503648957050582631942730706805009223062734745341073406696246014589361659774041027169249453200378729434170325843778659198143763193776859869524088940195577346119843545301547043747207749969763750084308926339295559968882457872412993810129130294592999947926365264059284647209730384947211681434464714438488520940127459844288859336526896320919633919
A= 112218739139542908880564359534373424013016249772931962692237907571990334483528877513809272625610512061159061737608547288558662879685086684299624481742865016924065000555267977830144740364467977206555914781236397216033805882207640219686011643468275165718132888489024688846101943642459655423609111976363316080620471928236879737944217503462265615774774318986375878440978819238346077908864116156831874695817477772477121232820827728424890845769152726027520772901423784
b = 197395083814907028991785772714920885908249341925650951555219049411298436217190605190824934787336279228785809783531814507661385111220639329358048196339626065676869119737979175531770768861808581110311903548567424039264485661330995221907803300824165469977099494284722831845653985392791480264712091293580274947132480402319812110462641143884577706335859190668240694680261160210609506891842793868297672619625924001403035676872189455767944077542198064499486164431451944
B= 1241972460522075344783337556660700537760331108332735677863862813666578639518899293226399921252049655031563612905395145236854443334774555982204857895716383215705498970395379526698761468932147200650513626028263449605755661189525521343142979265044068409405667549241125597387173006460145379759986272191990675988873894208956851773331039747840312455221354589910726982819203421992729738296452820365553759182547255998984882158393688119629609067647494762616719047466973581
shared_secret = pow(A,b,p)
iv = '737561146ff8194f45290f5766ed6aba'
encrypted_flag = '39c99bf2f0c14678d6a5416faef954b5893c316fc3c48622ba1fd6a9fe85f3dc72a29c394cf4bc8aff6a7b21cae8e12c'

sha1 = hashlib.sha1()
sha1.update(str(shared_secret).encode('ascii'))
key = sha1.digest()[:16]
ct = bytes.fromhex(encrypted_flag)
iv = bytes.fromhex(iv)
cipher = AES.new(key,AES.MODE_CBC,iv)
flag = cipher.decrypt(ct)
print(flag)

ModuleNotFoundError: No module named 'Crypto'

# **Parameter Injection**

You're in a position to not only intercept Alice and Bob's DH key exchange, but also rewrite their messages. Think about how you can play with the DH equation that they calculate, and therefore sidestep the need to crack any discrete logarithm problem.

Use the script from "Diffie-Hellman Starter 5" to decrypt the flag once you've recovered the shared secret.

Connect at socket.cryptohack.org 13371

In [None]:
pip install pwntools



In [None]:
pip install pycryptodome



In [None]:
import pwn
import json
import hashlib
from Crypto.Cipher import AES

host = "socket.cryptohack.org"
port = 13371


def exploit():
    pr = pwn.connect(host, port)
    try:
        pr.readuntil(": ")
        line = json.loads(pr.readline().strip().decode())
        #p = int(line['p'][2:].strip('f'), 16)
        p = int(line['p'], 16)
        g = int(line['g'], 16)
        A = int(line['A'], 16)

        payload = json.dumps({"p":hex(p),"g":hex(g),"A":hex(p)})
        print(payload, len(payload))
        pr.sendlineafter(": ", payload)

        pr.readuntil(": ")
        line = json.loads(pr.readline().strip().decode())
        B = int(line['B'], 16)

        payload = json.dumps({"B":hex(p)})
        print(payload, len(payload))
        pr.sendlineafter(": ", payload)

        pr.readuntil(": ")
        line = json.loads(pr.readline().strip().decode())
        print(line)

        iv = bytes.fromhex(line['iv'])
        encrypted_flag = bytes.fromhex(line['encrypted_flag'])
        sha1 = hashlib.sha1()
        secret = 0
        sha1.update(str(secret).encode())
        key = sha1.digest()[:16]
        aes = AES.new(key, AES.MODE_CBC, iv)
        print(aes.decrypt(encrypted_flag))
    finally:
        pr.close()

exploit()

UnsupportedOperation: fileno

# **Export-grade**

Alice and Bob are using legacy codebases and need to negotiate parameters they both support. You've man-in-the-middled this negotiation step, and can passively observe thereafter. How are you going to ruin their day this time?

Connect at socket.cryptohack.org 13379

In [None]:
"""
Intercepted from Alice: {"supported": ["DH1536", "DH1024", "DH512", "DH256", "DH128", "DH64"]}
Send to Bob: {"supported":["DH64"]}
Intercepted from Bob: {"chosen": "DH64"}
Send to Alice: {"chosen": "DH64"}
Intercepted from Alice: {"p": "0xde26ab651b92a129", "g": "0x2", "A": "0x637430f37c694fa7"}
Intercepted from Bob: {"B": "0x7249365a2a8c71ff"}
Intercepted from Alice: {"iv": "31077c28f19c90297f3da6dff6ca3019", "encrypted_flag": "0ebb53dab97122361cfa8cdbb5ddc092a5af41452aae8def0d27181b6ee89839"}
"""

p = "0xde26ab651b92a129"
g = "0x2"
A = "0x637430f37c694fa7"
B = "0x7249365a2a8c71ff"
iv =  "31077c28f19c90297f3da6dff6ca3019"
encrypted_flag = "0ebb53dab97122361cfa8cdbb5ddc092a5af41452aae8def0d27181b6ee89839"

p = int(p, 16)
g = int(g, 16)
A = int(A, 16)
B = int(B, 16)
iv = bytes.fromhex(iv)
encrypted_flag = bytes.fromhex(encrypted_flag)

from Crypto.Cipher import AES
from Crypto.Util import number
import hashlib

def decrypt(secret, iv, cipher):
    sha1 = hashlib.sha1()
    sha1.update(str(secret).encode())
    key = sha1.digest()[:16]
    aes = AES.new(key, AES.MODE_CBC, iv)
    plain = aes.decrypt(cipher)
    print(plain)

"""
A = pow(g, a, p)
B = pow(g, b, p)

ka = pow(B, a, p)
kb = pow(A, b, p)
"""
# Use Discrete logarithm calculator https://www.alpertron.com.ar/DILOG.HTM to find out Alice's secret key ``a``
a = 7596561454821291306
secret = pow(B, a, p)
decrypt(secret, iv, encrypted_flag)

b'crypto{d0wn6r4d35_4r3_d4n63r0u5}'
