happy writeup

Author: Pharisaeus

Diff for: 2019-09-02-tokyowesterns/README.md

@@ -8,3 +8,4 @@ Team: c7, shalom, nazywam, rev, chivay, Eternal, rodbert, msm, des, psrok1, nied
 * [Simple logic (crypto)](simple_logic)
 * [Meow (re/crypto)](meow)
 * [M-Poly-Cipher (re/crypto)](mpolycipher)
+* [Happy (crypto)](happy)

Diff for: 2019-09-02-tokyowesterns/happy/README.md

@@ -0,0 +1,109 @@
+# Happy (crypto, 242p, 36 solved)
+
+In the challenge we get [encrypted flag](flag.enc), [rsa public key](pub.key) and [encryption code](happy).
+The code performs generation of RSA-CRT key (although in a bit convoluted way, to make sure there are safe primes used).
+Then encryption of the flag is performed using RSA with OAEP SHA1 padding.
+Unusually the modulus `N` is here `p*q**k`, but on its own it doesn't yet cause any issues.
+From the modulus size of 2300 bits, and minimum bitsize for primes set for 700, we can deduce that `p` and `q` are about 765 bits long and `k=2`.
+
+The key to solve the problem is to notice this:
+
+```ruby
+cf = p.pow(q ** (k - 1) * (q - 1) - 1, q ** k)
+```
+
+and then
+
+```ruby
+def public_key
+    Key.new(@attr.reject{|k, v| [:p, :q, :d1, :d2, :ce].include?(k)})
+end
+```
+
+The `cf` parameter is what is normally known as `qInv`, and in our case `cf = modinv(p,q^2)`.
+But if you look closely at the public key construction, the omitted parameters are `:p, :q, :d1, :d2, :ce`.
+There is no parameter `ce` but there was `cf`!
+
+This means that actually the value of `cf` is still stored in the public key, alongside `e` and `N`.
+
+In conclusion, we know a small part of RSA-CRT private key -> we know value `qInv` such that `qInv*p == 1 mod q**2`
+
+What we would like to calculate is `p` (or `q`). 
+Let's rephrase that into an equation:
+
+`f(x) = qInv*x - 1 == 0 mod q**2`
+
+We want to solve such equation, because non-trivial root of this polynomial has to be `p`.
+Once it's written like this, it's pretty clear that it look a lot like polynomial for Coppersmith theorem.
+Just to recap:
+
+Given polynomial `f(x)` such that `f(x) == 0 mod N` there is a polynomial algorithm to calculate `small roots` of such polynomial mod some factor of `N` bigger than `N^beta` (where beta can be anything `0<beta<1`).
+Small in this case mean that for polynomial of degree `d` they have to be smaller than `N^(beta^2)/d`.
+
+In our case `p` is of similar order to `q`, so about `N^1/3` and degree of the polynomial is `1`.
+We know that `q^2` is about `N^2/3` and is a factor of `N`, so we can look for roots modulo `N^2/3` thus `beta = 0.6`.
+And with this constraint we should be able to find roots smaller than `N^(4/9)`, and we know `p` is about `N^1/3` so `N^3/9`, so it's  smaller than the bound, and we should be able to find it.
+
+We proceed with the code:
+
+```python
+def main():
+    e = 65537
+    N = 5452318773620154613572502669913080727339917760196646730652258556145398937256752632887555812737783373177353194432136071770417979324393263857781686277601413222025718171529583036919918011865659343346014570936822522629937049429335236497295742667600448744568785484756006127827416640477334307947919462834229613581880109765730148235236895292544500644206990455843770003104212381715712438639535055758354549980537386992998458659247267900481624843632733660905364361623292713318244751154245275273626636275353542053068704371642619745495065026372136566314951936609049754720223393857083115230045986813313700617859091898623345607326632849260775745046701800076472162843326078037832455202509171395600120638911
+    qinv = 25895436290109491245101531425889639027975222438101136560069483392652360882638128551753089068088836092997653443539010850513513345731351755050869585867372758989503310550889044437562615852831901962404615732967948739458458871809980240507942550191679140865230350818204637158480970417486015745968144497190368319745738055768539323638032585508830680271618024843807412695197298088154193030964621282487334463994562290990124211491040392961841681386221639304429670174693151
+    
+    P.<x> = PolynomialRing(Zmod(N), implementation='NTL')
+    pol = x*qinv - 1
+    pol = pol.monic()
+    roots = pol.small_roots(X=2**765, beta=0.6)
+    print("Potential solutions:")
+    for p in roots:
+        q = isqrt(int(N)/int(p))
+        phi = (p-1)*(q-1)*q
+        d = inverse_mod(e, phi)
+        print(d)
+
+main()
+```
+
+And almost immediately we get back `d = 313643312579885910144930879740792443079046797319702735470940304815114423813387207622962378717692956907985131193206173468032955155911357015790117906931310982300638685119345225585365379933984401550490180088069653940748930777249398681018529181837718088338410634951815720591986027326920386342449211862769317826747179543111987382083071211027548820393280953703100868439675930431579069835763288141197755585262721361909904809472100941962440764955942607730932895387899109482973057485978370088173899965076238641801547197089631820258212320243267074873219925727866388979716767504927253295557727184298435208619716766017226260721754210366993951047440280419099305076176216010566878368093440228299300269753`
+
+Now we only need to decrypt the flag.
+It's a bit tricky, since unlike in most CTFs, it's not textbook RSA but OAEP.
+
+To decrypt the flag we need:
+
+```python
+from Crypto.PublicKey import RSA
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import padding
+
+
+def main():
+    e = 65537L
+    N = 5452318773620154613572502669913080727339917760196646730652258556145398937256752632887555812737783373177353194432136071770417979324393263857781686277601413222025718171529583036919918011865659343346014570936822522629937049429335236497295742667600448744568785484756006127827416640477334307947919462834229613581880109765730148235236895292544500644206990455843770003104212381715712438639535055758354549980537386992998458659247267900481624843632733660905364361623292713318244751154245275273626636275353542053068704371642619745495065026372136566314951936609049754720223393857083115230045986813313700617859091898623345607326632849260775745046701800076472162843326078037832455202509171395600120638911
+    d = 313643312579885910144930879740792443079046797319702735470940304815114423813387207622962378717692956907985131193206173468032955155911357015790117906931310982300638685119345225585365379933984401550490180088069653940748930777249398681018529181837718088338410634951815720591986027326920386342449211862769317826747179543111987382083071211027548820393280953703100868439675930431579069835763288141197755585262721361909904809472100941962440764955942607730932895387899109482973057485978370088173899965076238641801547197089631820258212320243267074873219925727866388979716767504927253295557727184298435208619716766017226260721754210366993951047440280419099305076176216010566878368093440228299300269753
+    key = RSA.construct((N, e, d))
+    pemkey = key.exportKey()
+    encrypted = open("flag.enc", 'rb').read()
+    private_key = serialization.load_pem_private_key(
+        pemkey,
+        password=None,
+        backend=default_backend()
+    )
+    original_message = private_key.decrypt(
+        encrypted,
+        padding.OAEP(
+            mgf=padding.MGF1(algorithm=hashes.SHA1()),
+            algorithm=hashes.SHA1(),
+            label=None
+        )
+    )
+    print(original_message)
+
+
+main()
+```
+
+Which finally gives `TWCTF{I_m_not_sad__I_m_happy_always}`

Diff for: 2019-09-02-tokyowesterns/happy/flag.enc

@@ -0,0 +1,122 @@
+#!/usr/bin/env ruby
+require 'openssl/oaep'
+require 'optparse'
+
+class Key
+    def initialize(attr)
+        @attr = attr
+    end
+
+    def self.generate_key(bits, k)
+        while true
+            p = OpenSSL::BN::generate_prime(bits, true).to_i
+            q = OpenSSL::BN::generate_prime(bits, true).to_i
+            e = 65537
+            next if e.gcd((p - 1) * (q - 1) * q ** (k - 1)) > 1
+            d1 = e.pow((p - 1) / 2 - 2, (p - 1))
+            fail unless d1 * e % (p - 1) == 1 
+            d2 = e.pow(((q - 1) / 2 - 1) * (q - 1) * (k > 1 ? q ** (k - 2) : 1) - 1, q ** (k - 1) * (q - 1))
+            fail unless d2 * e % (q ** (k - 1) * (q - 1)) == 1 
+            cf = p.pow(q ** (k - 1) * (q - 1) - 1, q ** k)
+            return Key.new({
+                n: p * q ** k,
+                e: e,
+                p: p,
+                q: q ** k,
+                d1: d1,
+                d2: d2,
+                cf: cf,
+            })
+            break
+        end
+    end
+
+    def private?
+        @attr.key?(:d1) && @attr.key?(:d2) && @attr.key?(:p) && @attr.key?(:q)
+    end
+
+    def public?
+        @attr.key?(:n) && @attr.key?(:e)
+    end
+
+    def public_key
+        Key.new(@attr.reject{|k, v| [:p, :q, :d1, :d2, :ce].include?(k)})
+    end
+
+    def self.import(str)
+        Key.new(Marshal.load(str))
+    end
+
+    def to_s
+        Marshal.dump(@attr)
+    end
+
+    def public_encrypt(str, pad = true)
+        raise StandardError.new('NotPublicKey') unless public?
+        n, e = @attr[:n], @attr[:e]
+        if pad
+            msg = OpenSSL::PKCS1.add_oaep_mgf1(str, (n.to_s(16).size + 1) / 2)
+        else
+            msg = str
+        end
+        long_to_bytes(msg.unpack1('H*').to_i(16).pow(e, n))
+    end
+
+    def private_decrypt(str, pad = true)
+        raise StandardError.new('NotPrivateKey') unless private?
+        n, p, q, d1, d2, c = @attr[:n], @attr[:p], @attr[:q], @attr[:d1], @attr[:d2], @attr[:cf]
+        enc = str.unpack1('H*').to_i(16)
+        e1 = enc.pow(d1, p)
+        e2 = enc.pow(d2, q)
+        ret = long_to_bytes(e1 + p * ((c * (e2 - e1)) % q))
+        ret = "\0" + ret while ret.size < (n.to_s(16).size + 1) / 2
+        pad ? OpenSSL::PKCS1.check_oaep_mgf1(ret) : ret
+    end
+
+    private
+    
+    def long_to_bytes(l)
+        r = '%x' % l
+        r = '0' + r if r.size.odd?
+        return [r].pack('H*')
+    end
+end
+
+def main
+    if ARGV[0] == 'keygen'
+        if ARGV.size != 5
+            STDERR.puts "Usage: happy keygen <bits> <k> <path_to_private_key> <path_to_public_key>"
+            exit 1
+        end
+        bits = ARGV[1].to_i
+        k = ARGV[2].to_i
+        priv = ARGV[3]
+        pub = ARGV[4]
+        if bits < 700 || k < 1
+            STDERR.puts "Invalid parameter"
+            exit 1
+        end
+        key = Key.generate_key(bits, k)
+        File.binwrite(ARGV[3], key.to_s)
+        File.binwrite(ARGV[4], key.public_key.to_s)
+    elsif ARGV[0] == 'encrypt'
+        if ARGV.size != 4
+            STDERR.puts "Usage: happy encrypt <path_to_key_file> <path_to_input> <path_to_output>"
+            exit 1
+        end
+        key = Key.import(File.binread(ARGV[1]))
+        File.binwrite(ARGV[3], key.public_encrypt(File.binread(ARGV[2])))
+    elsif ARGV[0] == 'decrypt'
+        if ARGV.size != 4
+            STDERR.puts "Usage: happy decrypt <path_to_key_file> <path_to_input> <path_to_output>"
+            exit 1
+        end
+        key = Key.import(File.binread(ARGV[1]))
+        File.binwrite(ARGV[3], key.private_decrypt(File.binread(ARGV[2])))
+    else
+        STDERR.puts "Usage: happy keygen/encrypt/decrypt"
+        exit 1
+    end
+end
+
+main if __FILE__ == $0