Time for RSA!
e = 65537
n = 134023913680045880492110426626164090971954352532495944119602241841766743315344885078078359876157853261789964632342961459801834169156073972150056251259429043527344585589350222304649100454018523375146422111308080990153227407607374257909945989989405880451908900962388521742688809203045971595430040363546058882461
c = 28029822339281125656746130462465126562337695724847502110361462137424051877785282190017747622367185811734822848358173889752744532793526865170001730008026265012114272142868291439355242497819138690415609825725896275747305098862360965342890612304634184172461662826694263502110523984165435588581876100119126419239
p = 10982621221489294931830537773519582919197608543135586716536756890800033254598710943732068869355188441831549541090720220093538940987353399632224377192068317
Flag Format: /flag{.+}/
Solution
RSA is a cryptosystem which allows for secure data transmission. RSA mangles
the plain text
in a form that makes it undecipherable
to people without the
key, while making it much easier for people with a key to open it and get back
the message.
The mathematics is out of the scope of this article, I would encourage a serious reading on your own to figure it out.
The steps to generate a RSA key is as follows.
- Generate two large prime numbers
p
, andq
. n
=p
*q
.e
is a number co-prime tolcm(p -1, q - 1)
and 1 <e
<n
d
=1 / e mod (p - 1)(q - 1)
The 1 / e
in this case, should not be confused with division. It is the
inverse_modulo
operation, I.E. d
is the number, which when multiplied with
e
has the following relation.
ed = 1 mod (p - 1)(q - 1)
This notation will also be confusing for a newbie to modular arithmatic. What this means is that
(e * d) mod (p - 1)(q - 1) = 1
The public key consists of n
and e
. The secret key consists of the rest.
Namely, d
, p
, q
.
The security of RSA relies on the one-way trap function of multiplication.
Which means that for a function f
f((x, y)) = x * y | x, y ∈ Z
It is easy enough to go from (x, y)
to x * y
(multiplication). But is is
far more difficult to go from x * y
to (x, y)
(factorization).
The encryption for an message, converted to an integer form, m
is given as…
c = RSA_e_n(m) = m ^ e mod n
c
is the cipher text. RSA_e_n
is a notation used to denote that the RSA
parameters of e
, and n
are constant and a feature of RSA instead of being
a part of the arguments to a RSA function.
To get back the m
from the c
we require the presence of d
, which is a good
hint as to why it is a part of the private
key in the first place.
m' = inverse_RSA_e_n_d(c) = c ^ d mod n
It is also now interesting to note why p
and q
are part of the private
key. That comes because if you have either of p
or q
, generating a d
for the RSA key is trivial. Because you can easily find the other factor, and
quickly generate the d
via doing a modular_inverse operation of e on base of
(p - 1) * (q - 1).
Once d
is obtained, decryption can be done since you now have the key.
Since this is the introductory RSA problem, I am kind enough to give the p
directly, which means that this RSA is totally broken.
I also give the following number to integer conversion scheme.
A -> 0x41 = 64
AA -> 0x4141 = 16705
AAAAAA -> 0x4141414141 = 280267669825
Which basically says that the number is converted to a hexadecimal representation, and then the hexadecimal is intepreted as an ASCII string.
So now, it's time for some sage
. Sage Math is a number crunching library with
a ton of useful functions built-in.
There are many alternatives to give, but it is a personal preference of quite a few people to use sage, and it is not without reason.
e = 65537
n = 134023913680045880492110426626164090971954352532495944119602241841766743315344885078078359876157853261789964632342961459801834169156073972150056251259429043527344585589350222304649100454018523375146422111308080990153227407607374257909945989989405880451908900962388521742688809203045971595430040363546058882461
c = 28029822339281125656746130462465126562337695724847502110361462137424051877785282190017747622367185811734822848358173889752744532793526865170001730008026265012114272142868291439355242497819138690415609825725896275747305098862360965342890612304634184172461662826694263502110523984165435588581876100119126419239
p = 10982621221489294931830537773519582919197608543135586716536756890800033254598710943732068869355188441831549541090720220093538940987353399632224377192068317
q = n / p
d = inverse_mod(e, (p - 1) * (q - 1))
m = pow(c, d, n)
print(m)
This prints out 240545625414703578862070172273428889513126431163886829837844391499244541180606084628879027055096318636117555581
.
Converting this to integer is done by.
print(bytes.fromhex(hex(240545625414703578862070172273428889513126431163886829837844391499244541180606084628879027055096318636117555581)[2:]))
Which prints out b'flag{breaking_rsa_is_easy_if_you_know_the_key}'
. Which is the flag.
Flag
flag{breaking_rsa_is_easy_if_you_know_the_key}
Recommended Reading
RSA. But it failed
#crypto #ctf #rsac = 7404228387482887479261869746749991746176804495927055118318206683570516448983801743960459361546161134428690426222368709863453442050071171756423599377401597984440754435058668926603178633761668515076496069751847161724033187368679875259918093224187811267691876198273870870578467510184510086298582204521702946045220312770122458237518246424165432296119053607094777200284200814236416350304918483690156578148133652864328594441673632360773823893061942585188618198600179924877899949396771723157015085683434661302154230334257765610040158570863416499816053904560634890245995407176180498179848769133967582005361790108725945277949845769358752674332269800138008126120486961174643630274131401283073800170609863393091462716402062974615038997250596862336175333249971111165958082179351116528188875511999901288868170989351009565637749016012554778609401305705599425503266370571838403199592830285591168821852287944019050110517938219347052153238370382065390639346971764343981632465382255796047103032366703706122266986406432114737513202337430860123189821063638894815952679576109060674029276361130756827095433943772560556432939992933276440340090287373085788774415087792787958810051460428461265815708830858361853853472340042568141996425244740239642623958541083311687869085046368156034023773742764525490982352637357523475031768768619981883253061696021829604666466769997506990572364386730754183019245389791086458671560767393577689687174730155049027616849606316072012661663516661756810877578172095321431600121667891545760511844723167476314345937930753837239733394626157660380103339672690094231220365695508657679602754981411231543816566131037225152153015287164171129157814773590352342570677841639550177097704155982858059402540582839885549452130954935219771327861980762934458786390322073771612324195542640000816993296528925039288704714097937261854536340516727095307316259517387188619927408613685678242056200319636422554100280245820480283675364454021450870487344889261
...Recommended Reading
Timing Attack
#ctf #introductory #misc #webOnce upon a time, there was a programmer. His name was Anshul. He did not know how to work with passwords. His friend Animesh took this opportunity to do jugaad and guess the passwords so that he is able to order a lot of free shirts from MustCapture...
...