可怜的RSA AFCTF2018
这道题记录一个疑问
Involved Knowledge
-
RSA
-
Private key decryption
Topic
public.key
-----BEGIN PUBLIC KEY-----
MIIBJDANBgkqhkiG9w0BAQEFAAOCAREAMIIBDAKCAQMlsYv184kJfRcjeGa7Uc/4
3pIkU3SevEA7CZXJfA44bUbBYcrf93xphg2uR5HCFM+Eh6qqnybpIKl3g0kGA4rv
tcMIJ9/PP8npdpVE+U4Hzf4IcgOaOmJiEWZ4smH7LWudMlOekqFTs2dWKbqzlC59
NeMPfu9avxxQ15fQzIjhvcz9GhLqb373XDcn298ueA80KK6Pek+3qJ8YSjZQMrFT
+EJehFdQ6yt6vALcFc4CB1B6qVCGO7hICngCjdYpeZRNbGM/r6ED5Nsozof1oMbt
Si8mZEJ/Vlx3gathkUVtlxx/+jlScjdM7AFV5fkRidt0LkwosDoPoRz/sDFz0qTM
5q5TAgMBAAE=
-----END PUBLIC KEY-----
public.key是公钥,我们可以从中提取出模数n
和加密指数e
flag.enc
GVd1d3viIXFfcHapEYuo5fAvIiUS83adrtMW/MgPwxVBSl46joFCQ1plcnlDGfL19K/3PvChV6n5QGohzfVyz2Z5GdTlaknxvHDUGf5HCukokyPwK/1EYU7NzrhGE7J5jPdi0Aj7xi/Odxy0hGMgpaBLd/nL3N8O6i9pc4Gg3O8soOlciBG/6/xdfN3SzSStMYIN8nfZZMSq3xDDvz4YB7TcTBh4ik4wYhuC77gmT+HWOv5gLTNQ3EkZs5N3EAopy11zHNYU80yv1jtFGcluNPyXYttU5qU33jcp0Wuznac+t+AZHeSQy5vk8DyWorSGMiS+J4KNqSVlDs12EqXEqqJ0uA==
可以很明显的看到flag.enc 也就是密文c 是经过base64加密的,我们在计算的时候就需要对flag.enc里面的内容进行base64解码
Analyze
我们通过公钥得到了n
和e
后,可以尝试对n
进行分解,试图找到p
,q
发现n是可被分解的,那么就拿到了p
和q
p = 3133337
q = 25478326064937419292200172136399497719081842914528228316455906211693118321971399936004729134841162974144246271486439695786036588117424611881955950996219646807378822278285638261582099108339438949573034101215141156156408742843820048066830863814362379885720395082318462850002901605689761876319151147352730090957556940842144299887394678743607766937828094478336401159449035878306853716216548374273462386508307367713112073004011383418967894930554067582453248981022011922883374442736848045920676341361871231787163441467533076890081721882179369168787287724769642665399992556052144845878600126283968890273067575342061776244939
$\phi n = (p-1) * (q-1) \rightarrow $ phi_n = (p - 1) * (q - 1)
\(e * d \equiv1\mod \phi n \rightarrow\) d = gmpy2.invert(e , phi_n)
这里就是我所不明白的地方,为什么这道题不能通过求得私钥d
,然后pow(c , d ,n)
拿到明文,如果有知道的师傅的话评论区教教弟弟
这里需要从Crypto.PublicKey
导入RSA
这个方法,从Crypto.Cipher
导入PKCS1_OAEP
接下来的代码步骤如下
key_info = RSA.construct((n , e , d , p , q))
key = RSA.importKey(key_info.exportKey())
key = PKCS1_OAEP.new(key)
flag = key.decrypt(c)
具体怎么实现的等我学了这两个库的方法再回来补充吧
Exp
import gmpy2
import libnum
import base64
from Crypto.Util.number import bytes_to_long , long_to_bytes
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP
# n = int("25B18BF5F389097D17237866BB51CFF8DE922453749EBC403B0995C97C0E386D46C161CADFF77C69860DAE4791C214CF8487AAAA9F26E920A977834906038AEFB5C30827DFCF3FC9E9769544F94E07CDFE0872039A3A6262116678B261FB2D6B9D32539E92A153B3675629BAB3942E7D35E30F7EEF5ABF1C50D797D0CC88E1BDCCFD1A12EA6F7EF75C3727DBDF2E780F3428AE8F7A4FB7A89F184A365032B153F8425E845750EB2B7ABC02DC15CE0207507AA950863BB8480A78028DD62979944D6C633FAFA103E4DB28CE87F5A0C6ED4A2F2664427F565C7781AB6191456D971C7FFA395272374CEC0155E5F91189DB742E4C28B03A0FA11CFFB03173D2A4CCE6AE53" , 16)
with open("flag.enc" , "r") as f:
c = f.read()
# c = "GVd1d3viIXFfcHapEYuo5fAvIiUS83adrtMW/MgPwxVBSl46joFCQ1plcnlDGfL19K/3PvChV6n5QGohzfVyz2Z5GdTlaknxvHDUGf5HCukokyPwK/1EYU7NzrhGE7J5jPdi0Aj7xi/Odxy0hGMgpaBLd/nL3N8O6i9pc4Gg3O8soOlciBG/6/xdfN3SzSStMYIN8nfZZMSq3xDDvz4YB7TcTBh4ik4wYhuC77gmT+HWOv5gLTNQ3EkZs5N3EAopy11zHNYU80yv1jtFGcluNPyXYttU5qU33jcp0Wuznac+t+AZHeSQy5vk8DyWorSGMiS+J4KNqSVlDs12EqXEqqJ0uA=="
c = base64.b64decode(c)
# print(c)
n = 79832181757332818552764610761349592984614744432279135328398999801627880283610900361281249973175805069916210179560506497075132524902086881120372213626641879468491936860976686933630869673826972619938321951599146744807653301076026577949579618331502776303983485566046485431039541708467141408260220098592761245010678592347501894176269580510459729633673468068467144199744563731826362102608811033400887813754780282628099443490170016087838606998017490456601315802448567772411623826281747245660954245413781519794295336197555688543537992197142258053220453757666537840276416475602759374950715283890232230741542737319569819793988431443
e = 65537
p = 3133337
q = 25478326064937419292200172136399497719081842914528228316455906211693118321971399936004729134841162974144246271486439695786036588117424611881955950996219646807378822278285638261582099108339438949573034101215141156156408742843820048066830863814362379885720395082318462850002901605689761876319151147352730090957556940842144299887394678743607766937828094478336401159449035878306853716216548374273462386508307367713112073004011383418967894930554067582453248981022011922883374442736848045920676341361871231787163441467533076890081721882179369168787287724769642665399992556052144845878600126283968890273067575342061776244939
# phi_n = (p - 1) * (q - 1)
phi_n = 79832156279006753615345318561177456585117025350436220800170683345721668590492578389881313968446670228753236035314235010635436738865498763695760331670690883248845129482154408647992608091727864280499372378565045529666497144667283734129531551500638961941603599845651403112576691705565535718498343779441613892280587634790561052031969693115780986025906530240372665863343404282790483795755094816852513540292393774320731730378097012076455188030122559902533733349199586750399700942907304508812908324737440157923063549034114221010461102115420375873851284970378813070633751075610203322805869405290105946772652464251994477732209053168
# d = gmpy2.invert(e, phi_n)
d = 406853230956379689450620815713768871010712825839536410687962650677800895818003893712259622281477453292088146173840036827322518131453630576229976208523593618949818777897059256426591560532784635697190752924923710375949616954069804342573867253630978123632384795587951365482103468722384133084798614863870775897915929475258974188300927376911833763105616386167881813301748585233563049693794370642976326692672223638908164822104832415788577945314264232531947860576966629150456995512932232264881080618006698700677529111454508900582785420549466798020451488168615035256292977390692401388790460066327347700109341639992159475755036449
key_info = RSA.construct((n , e , d , p , q))
key = RSA.importKey(key_info.exportKey())
key = PKCS1_OAEP.new(key)
flag = key.decrypt(c)
print(flag)
b'afctf{R54_|5_$0_B0rin9}'
这道题做的挺难受的,一直卡在通过pow(c , d , n)
拿到m后libnum.n2s
得到一堆乱码..