RSA 2: Attacks
Johnny Pesavento
Follow along at tiny.cc/tjcsc.
m
normal message (plaintext)
c
ciphertext
e
public exponent
n
public modulus
d
private key
public key
In theory, m can only be retrieved from c when d is known.
In reality, this is not true.
There are several ways to exploit improper RSA techniques.
Weak n attack (factor n)
Weak n attack (factor n)
RSA factoring challenge
RSA factoring challenge
Another vulnerability occurs when a small public exponent is used.
The most common example: e = 3.
Recall c = me mod n. If n is greater than me, then me = c because mod n does nothing. Therefore, m = √c .
e
picoCTF example problem:
N: 374159235470172130988938196520880526947952521620932362050308663243595788308583992120881359365258949723819911758198013202644666489247987314025169670926273213367237020188587742716017314320191350666762541039238241984934473188656610615918474673963331992408750047451253205158436452814354564283003696666945950908549197175404580533132142111356931324330631843602412540295482841975783884766801266552337129105407869020730226041538750535628619717708838029286366761470986056335230171148734027536820544543251801093230809186222940806718221638845816521738601843083746103374974120575519418797642878012234163709518203946599836959811
e: 3
ciphertext (c): 2205316413931134031046440767620541984801091216351222789180967130585669043554866325905770867150377611820746759815247778516899403229047066700396787852388511389893043279713280998235746440322483431305358901578692935378439077796777060321410661
e seems small enough, we can try eth root ✔
e: 3
ciphertext (c): 2205316413931134031046440767620541984801091216351222789180967130585669043554866325905770867150377611820746759815247778516899403229047066700396787852388511389893043279713280998235746440322483431305358901578692935378439077796777060321410661
Use a script to compute the root
e: 3
ciphertext (c): 2205316413931134031046440767620541984801091216351222789180967130585669043554866325905770867150377611820746759815247778516899403229047066700396787852388511389893043279713280998235746440322483431305358901578692935378439077796777060321410661
√c: 13016382529449106065839070830454998857466392684017754632233814825405652260960637
0x7069636F4354467B655F7734795F7430305F736D346C6C5F33343039353235397D
picoCTF{e_w4y_t00_sm4ll_34095259} ✔
e
Prevention strategies
What if me is larger than n? Does that make it completely safe?
No. An attacker can still recover m if the same message is encrypted and sent e times with e relatively prime different n values.
Let’s say e = 3.
You are able to recover three different c values encrypted with three relatively prime n values that you also know.
What we know
We want to recover m using this information.
c1 = m3 mod n1
c2 = m3 mod n2
c3 = m3 mod n3
Using the Chinese Remainder Theorem (CRT):
c = m3 (mod n1n2n3)
We know m is less than n1, n2, and n3. Therefore, m3 < n1n2n3 and we can use the cube root strategy!
Final CRT equation:
m = √c mod n1n2n3
e
Prevention strategies
Small d attacks
Factoring attacks
RsaCtfTool
Our winter competition has begun