Startseite Erkunden Hilfe
Anmelden
maker
/
bachelor
Beobachten 1
Favorit hinzufügen 0
Fork 0
Dateien Issues 0 Pull-Requests 0 Wiki
Struktur: 9984b07ce5
Branches Tags
bachelor
/
src
/
questions
/
wiener.c

wiener.c 2.8 KB
Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126 
  1. /**
    2. 

  2.  * \file wiener.c
    3. 

  3.  * \brief An implementation of Wiener's Attack using bignums.
    4. 

  4.  *
    5. 

  5.  * Wiener's atttack states that:
    6. 

  6.  * given N = pq the public modulus, the couple e, d . ed ≡ 1 (mod φ(N))
    7. 

  7.  * respectively the private and public exponent,
    8. 

  8.  * given p < q < 2p and d < ⅓ ⁴√N,
    9. 

  9.  * one can efficently recover d knowing only <N, e>.
    10. 

  10.  *
    11. 

  11.  */
    12. 

  12. #include <math.h>
    13. 

  13. #include <stdlib.h>
    14. 

  14. 

  15. #include <openssl/x509.h>
    16. 

  16. #include <openssl/rsa.h>
    17. 

  17. #include <openssl/bn.h>
    18. 

  18. 

  19. #include "qa/questions/questions.h"
    20. 

  20. #include "qa/questions/qarith.h"
    21. 

  21. #include "qa/questions/qwiener.h"
    22. 

  22. 

  23. 

  24. /*
    25. 

  25.  *  Weiner Attack Implementation
    26. 

  26.  */
    27. 

  27. static RSA*
    28. 

  28. wiener_question_ask_rsa(const RSA *rsa)
    29. 

  29. {
    30. 

  30.   /* key data */
    31. 

  31.   RSA *ret = NULL;
    32. 

  32.   BIGNUM *n, *e, *d, *phi;
    33. 

  33.   /* continued fractions coefficient, and mod */
    34. 

  34.   cf_t* cf;
    35. 

  35.   bigfraction_t *it;
    36. 

  36.   size_t  i;
    37. 

  37.   BIGNUM *t, *tmp, *rem;
    38. 

  38.   /* equation coefficients */
    39. 

  39.   BIGNUM *b2, *delta;
    40. 

  40.   BN_CTX *ctx;
    41. 

  41.   int bits;
    42. 

  42. 

  43.   phi = BN_new();
    44. 

  44.   tmp = BN_new();
    45. 

  45.   rem = BN_new();
    46. 

  46.   n = rsa->n;
    47. 

  47.   e = rsa->e;
    48. 

  48.   b2 = BN_new();
    49. 

  49.   delta = BN_new();
    50. 

  50. 

  51.   /*
    52. 

  52.    * Generate the continued fractions approximating e/N
    53. 

  53.    */
    54. 

  54.   bits = BN_num_bits(n);
    55. 

  55.   cf = cf_init(NULL, e, n);
    56. 

  56.   ctx = cf->ctx;
    57. 

  57.   for (i=0, it = cf_next(cf);
    58. 

  58.        // XXX. how many keys shall I test?
    59. 

  59.        i!=bits && it;
    60. 

  60.        i++, it = cf_next(cf)) {
    61. 

  61.     t = it->h;
    62. 

  62.     d = it->k;
    63. 

  63. 

  64.     fprintf(stderr, "[-] Testing continued fractions (%zu/%d)\r", i, bits);
    65. 

  65.     /*
    66. 

  66.      * Recovering φ(N) = (ed - 1) / t
    67. 

  67.      * TEST1: obviously the couple {t, d} is correct → (ed-1) | t
    68. 

  68.      */
    69. 

  69.     BN_mul(phi, e, d, cf->ctx);
    70. 

  70.     BN_usub(tmp, phi, BN_value_one());
    71. 

  71.     BN_div(phi, rem, tmp, t, cf->ctx);
    72. 

  72.     if (!BN_is_zero(rem)) continue;
    73. 

  73.     // XXX. check, is it possible to fall here, assuming N, e are valid?
    74. 

  74.     if (BN_is_odd(phi) && BN_cmp(n, phi) == 1)   continue;
    75. 

  75.     /*
    76. 

  76.      * Recovering p, q
    77. 

  77.      * Solving the equation
    78. 

  78.      *  x² + [N-φ(N)+1]x + N = 0
    79. 

  79.      * which, after a few passages, boils down to:
    80. 

  80.      *  x² + (p+q)x + (pq) = 0
    81. 

  81.      *
    82. 

  82.      * TEST2: φ(N) is correct → the two roots of x are integers
    83. 

  83.      */
    84. 

  84.     BN_usub(b2, n, phi);
    85. 

  85.     BN_uadd(b2, b2, BN_value_one());
    86. 

  86.     BN_rshift(b2, b2, 1);
    87. 

  87.     if (BN_is_zero(b2)) continue;
    88. 

  88.     /* delta */
    89. 

  89.     BN_sqr(tmp, b2, ctx);
    90. 

  90.     BN_usub(delta, tmp, n);
    91. 

  91. 

  92.     if (!BN_sqrtmod(tmp, rem, delta, ctx)) continue;
    93. 

  93.     /* key found :) */
    94. 

  94.     ret = RSA_new();
    95. 

  95.     ret->n = rsa->n;
    96. 

  96.     ret->e = rsa->e;
    97. 

  97.     ret->p = BN_new();
    98. 

  98.     ret->q = BN_new();
    99. 

  99.     BN_usub(ret->p, b2, tmp);
    100. 

  100.     BN_uadd(ret->q, b2, tmp);
    101. 

  101.     break;
    102. 

  102.   }
    103. 

  103. 

  104.   cf_free(cf);
    105. 

  105.   BN_free(rem);
    106. 

  106.   BN_free(tmp);
    107. 

  107.   BN_free(b2);
    108. 

  108.   BN_free(delta);
    109. 

  109.   BN_free(phi);
    110. 

  110.   fprintf(stderr, "\n");
    111. 

  111. 

  112.   return ret;
    113. 

  113. }
    114. 

  114. 

  115. 

  116. 

  117. qa_question_t WienerQuestion = {
    118. 

  118.   .name = "wiener",
    119. 

  119.   .pretty_name = "Wiener's Attack",
    120. 

  120.   .setup = NULL,
    121. 

  121.   .teardown = NULL,
    122. 

  122.   .test = NULL,
    123. 

  123.   .ask_rsa = wiener_question_ask_rsa,
    124. 

  124.   .ask_crt = NULL,
    125. 

  125. };
    126. 

  126.