Summary of cryptography homework

cryptopals

Topic description:

(1) Implement PKCS#7 padding

(2) Implement CBC mode

(3) An ECB/CBC detection oracle

(4) Byte-at-a-time ECB decryption (Simple)

(5) ECB cut-and-paste

(6) Byte-at-a-time ECB decryption (Harder)

(7) PKCS#7 padding validation

(8) CBC bit flipping attacks

process:

Among these, the CBC bit-flipping attack of (8):


To change plaintext block b into c, modify the preceding ciphertext block a: replace a with a ⊕ b ⊕ c. The block after a then decrypts to c, but the plaintext that a itself decrypts to turns into garbage.

MTC3: AES key encoded in the machine readable zone of a European ePassport

Topic description:

The challenge gives part of a passport's machine readable zone (MRZ) and a ciphertext. The encryption key is derived from the MRZ according to fixed rules; the task is to decrypt the ciphertext using the provided information and the key derivation rules.

process:

1. Using the passport check-digit rules, the character represented by "?" is determined to be 7.
2. Generate Ka and Kb according to the Ka/Kb derivation rules, then adjust Ka and Kb according to their parity bits.
3. Assemble the key and decrypt the ciphertext with the block cipher.
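As an added example, not from the homework writeup: an ICAO 9303 check-digit calculator, recovery of an unknown MRZ character by matching the check digit (step 1), and a BAC-style derivation of Ka and Kb with DES parity adjustment (step 2). The derivation rule used here (Kseed = SHA-1 of the MRZ information, K = SHA-1(Kseed || 00000001), parity-adjusted halves) is assumed to be the challenge's rule; the sample fields follow the ICAO 9303 worked example.

```python
import hashlib

MRZ_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ<"

def mrz_char_value(ch):
    # ICAO 9303: digits as-is, A..Z = 10..35, filler '<' = 0
    if ch.isdigit():
        return int(ch)
    return 0 if ch == "<" else ord(ch) - ord("A") + 10

def check_digit(field):
    # Weights 7, 3, 1 repeating; weighted sum mod 10
    return sum(mrz_char_value(c) * (7, 3, 1)[i % 3] for i, c in enumerate(field)) % 10

def recover_unknown(field, expected, alphabet=MRZ_ALPHABET):
    # Every character that makes the field's check digit match; restrict the
    # alphabet (digits only for dates) to narrow the candidates further.
    return [c for c in alphabet if check_digit(field.replace("?", c)) == expected]

def mrz_information(doc_no, dob, expiry):
    # Document number, birth date and expiry date, each followed by its check digit
    return "".join(f + str(check_digit(f)) for f in (doc_no, dob, expiry))

def fix_parity(key):
    # DES key parity: set each byte's low bit so the byte has an odd number of 1s
    out = bytearray()
    for b in key:
        ones = bin(b >> 1).count("1")
        out.append((b & 0xFE) | int(ones % 2 == 0))
    return bytes(out)

def derive_key(doc_no, dob, expiry):
    # Assumed challenge rule (ICAO 9303 BAC style): Kseed = SHA-1(MRZ info)[:16],
    # K = SHA-1(Kseed || 00000001)[:16], Ka = K[:8], Kb = K[8:], both parity-adjusted.
    kseed = hashlib.sha1(mrz_information(doc_no, dob, expiry).encode()).digest()[:16]
    k = hashlib.sha1(kseed + b"\x00\x00\x00\x01").digest()[:16]
    ka, kb = fix_parity(k[:8]), fix_parity(k[8:])
    return ka + kb
```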

PA2 (optional)

Topic description:

AES: decrypt a challenge ciphertext generated using AES in CBC mode with PKCS#5 padding.

The challenge reports whether the decryption of a submitted ciphertext has valid padding, and asks for the decryption of the given ciphertext.

process:


The principle of the decryption is roughly this: because the oracle reports whether the decrypted plaintext has valid padding, we can modify bytes of the ciphertext, and when a valid padding appears we know both a ciphertext byte and the plaintext byte it produced. XORing them gives the intermediate decryption value (the red part in the diagram), and XORing that with the original ciphertext byte provided in the challenge gives the plaintext byte.
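As an added example (not code from the homework, cryptopals or PA2), the following covers items (1), (2) and (8) of the cryptopals list above and the oracle the PA2 text describes: PKCS#7 padding, CBC mode over a toy block cipher (a 4-round SHA-256 Feistel, assumed here only so the code is self-contained), the a ⊕ b ⊕ c rewrite of the previous ciphertext block, and a padding-check oracle that leaks nothing but the validity bit.

```python
import hashlib

BLOCK = 16
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n
def pkcs7_valid(data):
    n = data[-1] if data else 0
    return 1 <= n <= BLOCK and data[-n:] == bytes([n]) * n

# Toy 16-byte block cipher (4-round SHA-256 Feistel), assumed only to stay self-contained.
def _f(key, half, i):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]
def enc_block(key, blk):
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, r, i))
    return l + r

def dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, l, i)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = enc_block(key, xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):  # P_i = D(C_i) XOR C_{i-1}
        out += xor(dec_block(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def flip_block(ct, idx, old_plain, new_plain):
    # Set C_{idx-1} to a ^ b ^ c: block idx decrypts to new_plain, block idx-1 to junk.
    ct = bytearray(ct)
    a = (idx - 1) * BLOCK
    ct[a:a + BLOCK] = xor(xor(ct[a:a + BLOCK], old_plain), new_plain)
    return bytes(ct)

def padding_oracle(key, iv, ct):
    return pkcs7_valid(cbc_decrypt(key, iv, ct))
```

Authenticating iv||ct (for example with an HMAC verified before any decryption) rejects both the flipped block and the oracle probes.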

RSA cryptosystem cracking challenge

Topic description:

The challenge gives a set of intercepted frames, each containing the parameters n, e and c. Use mathematical methods to recover as many plaintexts as possible.

process:

1. The common modulus attack on frame0 and frame4 recovers the plaintext without factoring n.
Frame0 and frame4 share the same modulus n. Assuming gcd(e1, e2) = 1, there are integers s1, s2 with e1*s1 + e2*s2 = 1; the extended Euclidean algorithm gives one such pair (s1, s2), say with s1 positive and s2 negative (a negative exponent below means raising the modular inverse of the base to the absolute value). Because c1 = m^e1 mod n and c2 = m^e2 mod n,
(c1^s1 * c2^s2) mod n = ((m^e1 mod n)^s1 * (m^e2 mod n)^s2) mod n.
By the properties of modular arithmetic this simplifies to
(c1^s1 * c2^s2) mod n = ((m^e1)^s1 * (m^e2)^s2) mod n,
that is, (c1^s1 * c2^s2) mod n = m^(e1*s1 + e2*s2) mod n.
As noted above, e1*s1 + e2*s2 = 1, so
(c1^s1 * c2^s2) mod n = m^1 mod n = m mod n,
that is, c1^s1 * c2^s2 ≡ m (mod n), and since m < n this is m itself.

2. Two different moduli n share a common factor, which lets both be factored (computing the gcd of two numbers is cheap). The moduli of frame1 and frame18 share a factor; dividing n by it gives the other factor, so the private key can be computed and the plaintext recovered.
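An added example (not from the writeup) of methods 1 and 2 on constructed toy keys: the common modulus attack via the extended Euclidean algorithm, and the shared-factor gcd check followed by private-key recovery. The primes are tiny so the numbers are readable; the algebra is the same at real key sizes.

```python
from math import gcd

def egcd(a, b):
    # Extended Euclid: returns (g, s, t) with a*s + b*t = g = gcd(a, b)
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t

def common_modulus(n, e1, c1, e2, c2):
    # Same m encrypted under (n, e1) and (n, e2) with gcd(e1, e2) = 1
    g, s1, s2 = egcd(e1, e2)
    if g != 1:
        raise ValueError("exponents must be coprime")
    # One of s1, s2 is negative: pow(x, -k, n) raises the modular inverse (Python 3.8+)
    return pow(c1, s1, n) * pow(c2, s2, n) % n

def shared_factor(n1, n2):
    # Two moduli sharing a prime give it away through a single gcd
    g = gcd(n1, n2)
    return g if 1 < g < n1 else None

def private_exponent(n, e, p):
    # With one factor known, d = e^-1 mod (p-1)(q-1)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))

def demo():
    # Constructed toy keys: 10007, 10009 and 10037 are prime; n1 and n2 share 10009
    p, q, r = 10007, 10009, 10037
    n1, n2, m = p * q, q * r, 12345678
    c1, c2 = pow(m, 5, n1), pow(m, 7, n1)       # "frames" with the same n
    recovered = common_modulus(n1, 5, c1, 7, c2)
    f = shared_factor(n1, n2)
    d = private_exponent(n2, 7, f)
    return recovered, f, pow(pow(m, 7, n2), d, n2)

if __name__ == "__main__":
    print(demo())
```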

3. Broadcast attack on frames 3, 8, 12, 16 and 20.
The public exponent of these frames is 5. A system of congruences can be constructed, and solving it gives a value Cx whose 5th root is m. For the case e = 3 we also tried the broadcast attack, but in the end the crack was not successful, probably because not enough frames were provided. The Cx obtained through the Chinese Remainder Theorem is still reduced modulo n', so m cannot be obtained directly by taking the cube root. I found a blog saying this can be cracked with a Coppersmith attack; that part requires knowledge of lattices, which I don't know much about, so I skipped it.
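An added example (not from the writeup) of method 3: Håstad's broadcast attack for e = 5, combining the ciphertexts with the Chinese Remainder Theorem and taking an exact integer root, on constructed toy moduli built from consecutive primes. hastad() returns None when the CRT result is only m^e reduced modulo the product, which is the "not enough frames" situation described above for e = 3.

```python
from math import isqrt

def iroot(x, k):
    # Largest integer r with r**k <= x, by binary search
    lo, hi = 0, 1 << (x.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo

def crt(residues, moduli):
    # Chinese Remainder Theorem for pairwise coprime moduli: (x mod N, N)
    N = 1
    for n in moduli:
        N *= n
    x = 0
    for c, n in zip(residues, moduli):
        Ni = N // n
        x += c * Ni * pow(Ni, -1, n)
    return x % N, N

def hastad(ciphertexts, moduli, e):
    # Same m sent to several recipients with exponent e. With at least e
    # ciphertexts, m**e < N, so the CRT value is m**e itself and the root is exact.
    if len(ciphertexts) < e:
        return None
    x, _ = crt(ciphertexts, moduli)
    m = iroot(x, e)
    return m if m ** e == x else None   # None: x is only m**e mod N

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))

def sample_moduli(count, start=10 ** 6):
    # Constructed toy moduli (products of consecutive primes, pairwise coprime); not real keys
    primes, p = [], start
    while len(primes) < 2 * count:
        if is_prime(p):
            primes.append(p)
        p += 1
    return [primes[2 * i] * primes[2 * i + 1] for i in range(count)]
```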

4. Use the p-1 method to factor the modulus n and crack frames 2, 6 and 19.
When p and q are very different, that is, when one of (p-1) or (q-1) consists only of small factors, we may as well assume it is (p-1). Choose an integer k such that (p-1) | k!. By Fermat's little theorem a^(k!) ≡ 1 (mod p), so a^(k!) - 1 and n share the common factor p, and n is factored.

5. Factor the modulus n with Fermat's method and crack frames 10 and 14.

When p and q are close, (p - q) is negligible relative to n and (p + q), so n can be written as a difference of two squares whose larger root is just above √n. p and q are obtained by successive trials.

The two methods above work for different sizes of the gap between p and q, but in practice only n is known and nothing about p and q. When cracking, therefore, both methods must be tried at the same time; several processes can be started to compute in parallel.
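An added example (not from the writeup) of methods 4 and 5 run side by side, as the paragraph suggests: Pollard's p-1 for a modulus with a smooth p-1, and Fermat's method for a modulus whose primes are close, on constructed toy moduli (1009·10007 and 10007·10009). Neither method alone handles both inputs within its iteration budget.

```python
from math import gcd, isqrt

def pollard_p_minus_1(n, bound=100000, a=2):
    # If (p-1) | k! then a^(k!) = 1 (mod p) by Fermat, so gcd(a^(k!) - 1, n) reveals p.
    for k in range(2, bound):
        a = pow(a, k, n)            # a is now 2^(k!) mod n
        g = gcd(a - 1, n)
        if 1 < g < n:
            return g
        if g == n:                  # both p-1 and q-1 already divide k!: no split
            return None
    return None

def fermat_factor(n, max_iter=10 ** 6):
    # n = a^2 - b^2 with a = (p+q)/2, b = (q-p)/2; start at ceil(sqrt(n)) and walk up.
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_iter):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b
        a += 1
    return None

def factor_either(n):
    # Only n is known, so try both with small budgets; return the first factor found
    return pollard_p_minus_1(n, bound=1000) or fermat_factor(n, max_iter=1000)

if __name__ == "__main__":
    for n in (1009 * 10007, 10007 * 10009):   # constructed toy moduli
        print(n, factor_either(n))
```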


Source: blog.csdn.net/weixin_46287316/article/details/122395682