【CISCN2018-Crypto】 crackme-java解析

2022-12-18 20:35:39

今天闲着无事,于是翻到了buu密码学的最后一页,看到了一道名字带java的题,还是很亲切的,于是花了一点时间做出来了,发现网上相关的wp较少,于是有了这篇wp,一步一步分析。

1.原题

  • 题目为crackme-java,包含一个java源文件,没有其它提示。
import java.math.BigInteger;
import java.util.Random;

public class Test1 {
    static BigInteger two =new BigInteger("2");
    static BigInteger p = new BigInteger("11360738295177002998495384057893129964980131806509572927886675899422214174408333932150813939357279703161556767193621832795605708456628733877084015367497711");
    static BigInteger h= new BigInteger("7854998893567208831270627233155763658947405610938106998083991389307363085837028364154809577816577515021560985491707606165788274218742692875308216243966916");

    /*
     Alice write the below algorithm for encryption.
     The public key {p, h} is broadcasted to everyone.
    @param val: The plaintext to encrypt.
        We suppose val only contains lowercase letter {a-z} and numeric charactors, and is at most 256 charactors in length.
    */
    public static String pkEnc(String val){
        BigInteger[] ret = new BigInteger[2];
        BigInteger bVal=new BigInteger(val.toLowerCase(),36);
        BigInteger r =new BigInteger(new Random().nextInt()+"");
        ret[0]=two.modPow(r,p);
        ret[1]=h.modPow(r,p).multiply(bVal);
        return ret[0].toString(36)+"=="+ret[1].toString(36);
    }

    /* Alice write the below algorithm for decryption. x is her private key, which she will never let you know.
    public static String skDec(String val,BigInteger x){
        if(!val.contains("==")){
            return null;
        }
        else {
            BigInteger val0=new BigInteger(val.split("==")[0],36);
            BigInteger val1=new BigInteger(val.split("==")[1],36);
            BigInteger s=val0.modPow(x,p).modInverse(p);
            return val1.multiply(s).mod(p).toString(36);
        }
    }
   */

    public static void main(String[] args) throws Exception {
        System.out.println("You intercepted the following message, which is sent from Bob to Alice:");
        System.out.println("a9hgrei38ez78hl2kkd6nvookaodyidgti7d9mbvctx3jjniezhlxs1b1xz9m0dzcexwiyhi4nhvazhhj8dwb91e7lbbxa4ieco==2q17m8ajs7509yl9iy39g4znf08bw3b33vibipaa1xt5b8lcmgmk6i5w4830yd3fdqfbqaf82386z5odwssyo3t93y91xqd5jb0zbgvkb00fcmo53sa8eblgw6vahl80ykxeylpr4bpv32p7flvhdtwl4cxqzc");
        System.out.println("Please figure out the plaintext!");
    }
}

//a9hgrei38ez78hl2kkd6nvookaodyidgti7d9mbvctx3jjniezhlxs1b1xz9m0dzcexwiyhi4nhvazhhj8dwb91e7lbbxa4ieco==2q17m8ajs7509yl9iy39g4znf08bw3b33vibipaa1xt5b8lcmgmk6i5w4830yd3fdqfbqaf82386z5odwssyo3t93y91xqd5jb0zbgvkb00fcmo53sa8eblgw6vahl80ykxeylpr4bpv32p7flvhdtwl4cxqzc

2.加解密算法分析

  • 题目给出了加密和解密的算法,给出了一组密文,要求明文。
  • 该加密算法可以用如下数学公式表示:

2 r M o d   p = C 1 ( h r M o d   p ) ∗ M = C 2 C = C 1 + C 2 2^{r} Mod\ p = C_{1}\\ (h^{r} Mod\ p) *M = C_{2}\\ C = C_{1}+C_{2} 2rMod p=C1​(hrMod p)∗M=C2​C=C1​+C2​

  • 其中{p,h}是公钥,M是明文,C是密文,r是int范围内的随机数。

  • 该解密算法可以用如下数学公式表示:

s = ( C 1 x M o d   p ) − 1 M o d   p M = ( C 2 ∗ s )   M o d   p s=(C_{1}^{x} Mod\ p)^{-1} Mod\ p\\ M=(C_{2}*s)\ Mod\ p s=(C1x​Mod p)−1Mod pM=(C2​∗s) Mod p

  • 其中{x}是私钥。私钥我们无从得到。
  • 我们分析加密算法,可以发现,{h,p,C1,C2}都是已知的,只有r是未知的。如果知道了r,那么明文可以表示为:

M = C 2 / ( p o w ( h , r , p ) ) M=C_{2}/(pow(h,r,p)) M=C2​/(pow(h,r,p))

  • r是int范围内的随机数,共32位,完全可以爆破出来,r位数较少即是该加密算法的弱点。

3.r枚举攻击

  • 一共32位,视CPU的核数,我们可以开32个线程去爆破。
  • 大概40分钟左右可以跑出来。放到服务器上可以更快。
from threading import Thread

p=11360738295177002998495384057893129964980131806509572927886675899422214174408333932150813939357279703161556767193621832795605708456628733877084015367497711
c1=int('a9hgrei38ez78hl2kkd6nvookaodyidgti7d9mbvctx3jjniezhlxs1b1xz9m0dzcexwiyhi4nhvazhhj8dwb91e7lbbxa4ieco',36)

def calr(r0,pid):
    print("[Process%d]: start from %d" % (pid, r0))
    while r0 < 2**26*(pid+1):
        if pow(2,r0,p) == c1:
            f = open('r','w')
            f.write(r0)
            exit(0)
        r0+=1
        if r0 % 2**18 == 0:
            print('[Process%d]: now %d' % (pid, r0))
    print('[Process%d]: exited!' % pid)

for i in range(0,32):
    t = Thread(target=calr,args=(i*2**26,i))
    t.start()
  • 最后得到r的值为:
152351913

4.解得明文

  • 所有参数已知,可以解得明文M:
import base36

p = 11360738295177002998495384057893129964980131806509572927886675899422214174408333932150813939357279703161556767193621832795605708456628733877084015367497711
c1 = int('a9hgrei38ez78hl2kkd6nvookaodyidgti7d9mbvctx3jjniezhlxs1b1xz9m0dzcexwiyhi4nhvazhhj8dwb91e7lbbxa4ieco',36)
c2 = int('2q17m8ajs7509yl9iy39g4znf08bw3b33vibipaa1xt5b8lcmgmk6i5w4830yd3fdqfbqaf82386z5odwssyo3t93y91xqd5jb0zbgvkb00fcmo53sa8eblgw6vahl80ykxeylpr4bpv32p7flvhdtwl4cxqzc', 36)
h = int("7854998893567208831270627233155763658947405610938106998083991389307363085837028364154809577816577515021560985491707606165788274218742692875308216243966916")
r = 152351913

print(base36.dumps(c2//pow(h,r,p)))

  • 细节:使用双除号,使用base36实现十进制转36进制。

  • 明文(flag):

ciscncongratulationsthisisdesignedbyalibabasecurity424218533

ATFWUS 2021-06-09

上一篇:数据结构——线段树——普通线段树


下一篇:java课堂作业第十一周