## Monday, May 13, 2013

### Balt CTF 2013 - Crypto 300 RSA - [Team xbios]

For this challenge, public key (e, n) and cipher text (c) is given. We have to find the hex(plain text), which is our flag. With the given data, the first attack that came to mind was to factorize the modulus (n). Fermat's factorization method worked out for us. With (p) and (q) values revealed, we can compute the private key exponent (d) and decrypt the cipher text. Computation was done using sage
```sage: e = 0x10001

sage: c = 0x53da088f69a0c11b11f458e9ec6d89034c3b523d7389221dccec4df09f3dcb6fcd92afb29e2ba7d623525c97604a95ac0b16116bae0545cb9d6608d2c1f6712e5acd1b9e1ebf6e4778c7467d2394bd347dff08b2f41f9cd00c31898641daf4fab519a531112f3b2dd87ef1711992871cfc5168c2dab19dee0d645fc8af560d851eb5c87c5a3038fa84ef7f1bde1df4c766b85a10f3ae888ddef4368684b08674382cd41522485f13dce522080f28f9936c5482cf69f96c51f6d1354f265eb2c334b96b9fb114cdb626c6bbeecaaa9ea5d0b072af

sage: a = ceil(sqrt(n))  # Fermat's factorization
sage: b = (a*a) - n
sage: while not b.is_square():
....:     a = a + 1
....:     b = (a * a) - n
....:
sage: a - sqrt(b)
1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111178333333333334444487294872309872209128742098742420984723982734329843732987178261897634983473987323987439874932873402398720978429874230987340298723097527
sage: a + sqrt(b)
1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111178333333333334444487294872309872209128742098742420984723982734329843732987178261897634983473987323987439874932873402398720978429874230987340298723103639

# The two primes are close to each other

sage: p = a - sqrt(b)
sage: q = a + sqrt(b)
sage: phi_n = (p-1) * (q-1)
sage: d = inverse_mod(e, phi_n) # d is multiplicative inverse of e in phi(n)
sage: d
954337922767969916908684322511626172153813028433471847116048101750834558256320009222949546736110051489265793707710489453529078417995956007435026641927114607256687547284882784003724373712426598639807261395269322730689854325793227045289600093508768321130231092684779871351143961963991606200867096255924369283753459133254468784782317092964170117014480277377749896360826708246366013560507323222994034704551754940109682559173621578143499090359492462527474301373854713937148548729916280548630343340454397431053024437

sage: m = Mod(c, n) ^ d         # m = (c ^ d) mod n
sage: c == Mod(m, n) ^ e
True
sage: m
15056585307564100396433190076676958000692809023067706122001961903801830300386286
sage: hex(15056585307564100396433190076676958000692809023067706122001961903801830300386286)
'8207fd4917aa8d07ed9b1bfa9cc2dc7803b848edefa1c2dc7803e97822696b03ee'
```
Flag for the challenge is : 8207fd4917aa8d07ed9b1bfa9cc2dc7803b848edefa1c2dc7803e97822696b03ee