-
-
[分享]RSA Attacking Toolkit v0.1f
-
2008-12-3 15:41
-
RSA Attacking Toolkit v0.1f By bLaCk-eye [RET]
.About
******
This tool is supposed to help crackers who are cracking targets
protected by RSA and who aren't attackable by the classic method of
factoring i.e who'se modulus is > 400 bits.
.How to use
***********
It's very easy to use it once you know the when the attacks
apply.So here are the explanations:
1.Common Modulus Attack: not really an attack but more of a tool, its
purpose is to find the factors of the modulus given the public AND
secret key, i.e E and D
So entering N,D,E you find P,Q so that N = P * Q.
I included it in this 'toolkitt' as i got asked many times
by other crackers if you can find the factors of N given D and E is
possible. The answer is yes. The algo which i used can be found here:
http://math.usask.ca/~wurtz/crypt/attacks_rsa/node1.html
2. Weger Attack: this attack applies when the factors of N are close
one another i.e the diference |P - Q| is small in comparison to P and
Q.
So if let's say P and Q have the same bitsize s than for the
RSA key to be susceptible to this attack then |P-Q| bitsize must
be smaller then (s/2)
E.g. P bitsize=256 bits
Q bitsize=256 bits
|P-Q| bitsize is 100bits then they key generated with this
primes is attackble.
When testing a RSA key for this attack if you don't get any
result after at most 5mins then the attack don't work.
BTW: you can try this attack on Amenesia Basis#1 Crackme that presents
an RSA key with exactly this weakness.
3. Wiener Attack: this attack applies when the private key is
D < (1/3)*N^(1/4) and if P < Q < 2P (which is true most of the
times.).
So if you have an s bit modulus and if the bitsize of the
private key is < (s/4) bits than you can succesfully recover.
The attack can be improved, but i'm lazy so i only did the
easier version :).
4. Low Exponent Attack:
If E=3 and the message is short enough and not padded then
there's a possibility that M^E < N so the modular reductions don't
take place so computing M having the ciphertext is just a matter
of computing the E'th root from the cipher text.
As input you must provide N and the ciphertext
BTW: you can try this attack on Amenesia Basis#2 Crackme that presents
an RSA key with exactly this weakness.
.Bugs
******
Send them to bLaCk@reteam.org or correct them yourself, i gave
you the source right? :)
.Future plans
*************
- add threads for Weger attack
- add Cycling attack - i need to find more info about how to efficiently
implemented (i know it's not an efficient attack from the start but
people asked for it)
- add ? (here you put what you think is missing)
.History
*********
- v.0.1f - added the low public exponent 'attack' :)
- added automatic base convertion, so it's easier to
work with
- added automatic md5 hasher (a request)
- added Encrypt/Decrypt functions to play with
the RSA keys
- v.0.1b - first version released
.Greets
*******
RET, TKM!, KANAL23, LZ0 Members as they all put up with my
stupid questions :P
tf25.rar
.About
******
This tool is supposed to help crackers who are cracking targets
protected by RSA and who aren't attackable by the classic method of
factoring i.e who'se modulus is > 400 bits.
.How to use
***********
It's very easy to use it once you know the when the attacks
apply.So here are the explanations:
1.Common Modulus Attack: not really an attack but more of a tool, its
purpose is to find the factors of the modulus given the public AND
secret key, i.e E and D
So entering N,D,E you find P,Q so that N = P * Q.
I included it in this 'toolkitt' as i got asked many times
by other crackers if you can find the factors of N given D and E is
possible. The answer is yes. The algo which i used can be found here:
http://math.usask.ca/~wurtz/crypt/attacks_rsa/node1.html
2. Weger Attack: this attack applies when the factors of N are close
one another i.e the diference |P - Q| is small in comparison to P and
Q.
So if let's say P and Q have the same bitsize s than for the
RSA key to be susceptible to this attack then |P-Q| bitsize must
be smaller then (s/2)
E.g. P bitsize=256 bits
Q bitsize=256 bits
|P-Q| bitsize is 100bits then they key generated with this
primes is attackble.
When testing a RSA key for this attack if you don't get any
result after at most 5mins then the attack don't work.
BTW: you can try this attack on Amenesia Basis#1 Crackme that presents
an RSA key with exactly this weakness.
3. Wiener Attack: this attack applies when the private key is
D < (1/3)*N^(1/4) and if P < Q < 2P (which is true most of the
times.).
So if you have an s bit modulus and if the bitsize of the
private key is < (s/4) bits than you can succesfully recover.
The attack can be improved, but i'm lazy so i only did the
easier version :).
4. Low Exponent Attack:
If E=3 and the message is short enough and not padded then
there's a possibility that M^E < N so the modular reductions don't
take place so computing M having the ciphertext is just a matter
of computing the E'th root from the cipher text.
As input you must provide N and the ciphertext
BTW: you can try this attack on Amenesia Basis#2 Crackme that presents
an RSA key with exactly this weakness.
.Bugs
******
Send them to bLaCk@reteam.org or correct them yourself, i gave
you the source right? :)
.Future plans
*************
- add threads for Weger attack
- add Cycling attack - i need to find more info about how to efficiently
implemented (i know it's not an efficient attack from the start but
people asked for it)
- add ? (here you put what you think is missing)
.History
*********
- v.0.1f - added the low public exponent 'attack' :)
- added automatic base convertion, so it's easier to
work with
- added automatic md5 hasher (a request)
- added Encrypt/Decrypt functions to play with
the RSA keys
- v.0.1b - first version released
.Greets
*******
RET, TKM!, KANAL23, LZ0 Members as they all put up with my
stupid questions :P
tf25.rar
阿里云助力开发者!2核2G 3M带宽不限流量!6.18限时价,开 发者可享99元/年,续费同价!
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
