OneSecretTwoEncryption ACTF2018
Involved Knowledge
- RSA
- Shared prime number
Topic
public1.pub
-----BEGIN PUBLIC KEY-----
MIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAQAma/gXML+bivU20mJu55PZ
SjNAE6S0PQ2WV5sYIA7ZLbJ6lshW8cfohErN0TUIv+6O+hXSMFd4wrv27+f6akPE
qeNL6LWjKqcnC9I03vbyYDZuLkfeoPwM9UHIuRUfU/l/LDOCkjkOkHN5SMufg66y
OGc4wLDi9f8sET4QMerAVF/HZ7acpYYCu8QoWnOSy9KiVzKQMzKkaL+WcN2sbLsA
61zjixv7ybMHDmcyMKHb5VbfPsqMW19roYLV5luY3SlrhTogmyGg19Q3k7hYW3ca
Jc7WLEbPD/OnlHMDLArNUYMyB9t0CdLNZZCHE6pbiMaNGS+rwGcqxHbWCpGCS0vZ
AoIBAA0zxRVob0N2SXRSPv7GRHMzj/mpACiz3VrKtwKgm+MM1UrnvbtCpPcqjqw6
4w7HJqf6O/ccA7l0qY35jbvhOLD2II6rf8USZwkm27ygOuHA3SRS9XZyzpshUmRO
YyJtogGntK4R9R7wfW1HHJbIj5R3/HV/gYdT9XxKq7yICxFSVv3u1lgVBjNeUzTn
5MzOlX9tCEjcS54eq9OCGLEIetj24xTfsruKf/DDGNTRA1et8fU4H49NMsqqHL1R
ZdKvy1SEBWoOrj/XQycz0Dsyre0jcaDWnaywlulHGrPKXYc6ePAJ9S7IMOTKblCf
FU9nj28KAsm/RBAV3PEMkJ3edPM=
-----END PUBLIC KEY-----
public1.pub
-----BEGIN PUBLIC KEY-----
MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQASwScpBgKVbfU6JjRoIA9v
JkVCapA5hkllstoPZhO6T1mQZK5DSD+ggwMXu/Ivfa3qKsnQ9zFrvIULjWk52+/+
q1sckgVNXKE9K8RREuj0ChN1Qzx24dpmtz60ObxxQESRkSpLD8wvDTurAd1rolaK
qqS2uXxv9CzbrMzSZOD1UDEmKa/JSXy3YvQ67S4c3NOQVgwHcAmQuqWZTmVuFxsb
l1hwmWSPMgTcNkFpMcjeCx0+DuuN/lTqQWFygJGBRnAvLwSpXUuq747FQiilca5P
+7fiz2Tb2OEn2/WE41vjqMVHUjGxY+RseDpND71FOvkGl8ixWEq8ebflkadtVcK1
AgMBAAE=
-----END PUBLIC KEY-----
flag_encry1
ÏH¿–r÷;î+28 x#_fèaV·ãêª>Û#ì^öšÊ#áÁmkÜ)k»üjRL@f_ëxxü½ù‘&$¤"öp'•êÕdŠ%´jjù{’©"^>a4çÀÂ÷Ct·ÿ™{òB'ˆ#ï¤õ[»Gß‚w…ø©ÿ«Sª—ãrØ@–"ð…s£ýœ+U4§÷z¨(×Ï/F º„¹BS·",Ð[F=nPà0
Ö Q%(”$yýüºmÓL=€w]mWg†í¼Uû#]b¶SÈJ½õѬsa.íSŒƒŠãð“~'uNÃ=D7
5”ÖC .Au>ÁdTÃ3¬:y(¬ëDM
flag_encry2
?繨楺o偈?n(汏E*A聦t??`N`搯痲>0gh茅翭V筇旎畨 ?雧翍Om袥bZ?4鶒懍
x趽巂\紧Z€_┅颌J魓?汕苤t4q??aR幚鯞腻s'仩愓楫? sZ酨A咓蝘玧?留S?瓘顂eJv$洶[ yD噓蟟K棠嶅э毽 頶??e姲H屁3倔擿In6?弈Z跟誺F蠎 @偖??~v圣V??@`3扲瑭ir^?嘭l舑-繇?
Description
一份秘密发送给两个人不太好吧,那我各自加密一次好啦~~~
素数生成好慢呀
偷个懒也……不会有问题的吧?
Analyze
题目附件给了两个公钥,以及两段密文,说明加密了两段明文
通过题目描述素数生成好慢呀 偷个懒也……不会有问题的吧?
既然素数生成慢,那么这里的偷个懒也就明显的提示了在第二次加密的时候和第一次共享
了素数
分析到这里就结束了
那么这道题我们通过两个公钥可以拿到两组n和e,两个n又是共享了素数的,我们就可以通过gcd(n1 , n2)得到p,从而得到q1 , q2。有了pq,就可以得到phi_n1 phi_n2 从而拿到d1 d2 就可以求解了
openssl
我们对公钥的读取可以通过openssl这个工具
openssl rsa -pubin -in public2.pub -text -modulus
我们会得到以下内容
Exponent: 65537 (0x10001)
Modulus=12C127290602956DF53A263468200F6F2645426A9039864965B2DA0F6613BA4F599064AE43483FA0830317BBF22F7DADEA2AC9D0F7316BBC850B8D6939DBEFFEAB5B1C92054D5CA13D2BC45112E8F40A1375433C76E1DA66B73EB439BC71404491912A4B0FCC2F0D3BAB01DD6BA2568AAAA4B6B97C6FF42CDBACCCD264E0F550312629AFC9497CB762F43AED2E1CDCD390560C07700990BAA5994E656E171B1B97587099648F3204DC36416931C8DE0B1D3E0EEB8DFE54EA41617280918146702F2F04A95D4BAAEF8EC54228A571AE4FFBB7E2CF64DBD8E127DBF584E35BE3A8C5475231B163E46C783A4D0FBD453AF90697C8B1584ABC79B7E591A76D55C2B5
这里的Exponent就是e
modulus是模数n,只是我们发现是16进制的,通过int转成10进制就好
也可以通过在线网站ssl SSL在线工具-公钥解析
Exp
import gmpy2
import libnum
from Crypto.Util.number import bytes_to_long
n1 = 4850297138162223468826481623082440249579136876798312652735204698689613969008632545220976699170308454082390834742570718247804202060929493571642074679428565168405877110681518105667301785653517697684490982375078989886040451115082120928982588380914609273008153977907950532498605486225883973643141516024058315360572988744607134110254489421516026937249163493982681336628726033489124705657217768229058487155865265080427488028921879608338898933540825564889012166181346177276639828346376362168934208822467295673761876965864573164529336885250577357767314256581019474130651412100897839606491189424373959244023695669653213498329
e1 = 1666626632960368239001159408047765991270250042206244157447171188195657302933019501932101777999510001235736338843107709871785906749393004257614129802061081155861433722380145001537181142613515290138835765236002811689986472280762408157176437503021753061588746520433720734608953639111558556930490721517579994493088551013050835690019772600744317398218183883402192060480979979456469937863257781362521184578142129444122428832106721725409309113975986436241662107879085361014650716439042856013203440242834878648506244428367706708431121109714505981728529818874621868624754285069693368779495316600601299037277003994790396589299
e2 = 65537
n2 = 2367536768672000959668181171787295271898789288397672997134843418932405959946739637368044420319861797856771490573443003520137149324080217971836780570522258661419034481514883068092752166752967879497095564732505614751532330408675056285275354250157955321457579006360393218327164804951384290041956551855334492796719901818165788902547584563455747941517296875697241841177219635024461395596117584194226134777078874543699117761893699634303571421106917894215078938885999963580586824497040073241055890328794310025879014294051230590716562942538031883965317397728271589759718376073414632026801806560862906691989093298478752580277
p = gmpy2.gcd(n1 , n2)
q1 = n1 // p
q2 = n2 // p
phi_n1 = (p - 1) * (q1 - 1)
phi_n2 = (p - 1) * (q2 - 1)
d1 = gmpy2.invert(e1 , phi_n1)
d2 = gmpy2.invert(e2 , phi_n2)
with open("flag_encry1" , "rb") as f1:
c1 = f1.read()
c1 = bytes_to_long(c1)
with open("flag_encry2" , "rb") as f2:
c2 = f2.read()
c2 = bytes_to_long(c2)
m1 = pow(c1 , d1 , n1)
m2 = pow(c2 , d2 , n2)
print(libnum.n2s(m1))
print(libnum.n2s(m2))
afctf