ECDH - Key Exchange Attack


[NewStarCTF] Week 5 - An der schönen Elliptische Kurve

Analysis

First, the challenge:

#task.sage
from secret import FLAG, ECDH_KEY_EXCHANGE
from Crypto.Cipher import AES
from hashlib import md5
from os import urandom

iv = urandom(16)

a = 14489
b = 10289
p = 7486573182795736771889604737751889118967735916352298289975055815020934891723453392369540853603360270847848895677903334441530052977221688450741083448029661

F = GF(p)
E = EllipticCurve(F, [a, b])

G = E.random_point()

my_private_key = random_prime(2^256)

shared, sender_public_key = ECDH_KEY_EXCHANGE(G, my_private_key)

key = md5(str(int(shared.xy()[0])).encode()).digest()

cipher = AES.new(key, AES.MODE_CBC, iv)
ciphretext = cipher.encrypt(FLAG)

print(a)
print(b)
print(p)
print(sender_public_key)
print(my_private_key)
print(ciphretext.hex())
print(iv.hex())
#output.txt
14489
10289
7486573182795736771889604737751889118967735916352298289975055815020934891723453392369540853603360270847848895677903334441530052977221688450741083448029661
(1285788649714386836892440333012889444698233333809489364474616947934542770724999997145538088456652601147045234490019282952264340541239682982255115303711207 : 1081635450946385063319483423983665253792071829707039194609541132041775615770167048603029155228167113450196436786905820356216200242445665942628721193713459 : 1)
2549545681219766023689977461986014915946503806253877534915175093306317852773
2f65ff4a97e0e05c06eab06b58ea38a3d5b6d2a65ea4907bc46493b30081a211d7cffc872a23dbd565ef307f9492bb23
d151c04c645c3e2a8d3f1ae44589ef20

A quick look at task.sage: the only values we are given are sender_public_key and my_private_key, so the challenge is clearly about ECDH.


ECDH

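Algorithm

Suppose two parties, Alice and Bob, want to exchange information securely over an insecure channel without a third party obtaining it. They can use the ECDH key exchange algorithm.

Both parties know a large prime p used by the ECDH algorithm, along with an auxiliary integer g.

Alice generates a private key a and from it derives her public key. Bob generates a private key b and from it derives his public key B. Before sending B, Bob computes the shared key, but he transmits only B; once Alice receives Bob's public key B, she can compute the same shared key K.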


Attack

For Alice and Bob,

So we can draw the following conclusion,

EXP

#Sage
from hashlib import md5
from Crypto.Cipher import AES

a=14489
b=10289
p=7486573182795736771889604737751889118967735916352298289975055815020934891723453392369540853603360270847848895677903334441530052977221688450741083448029661
#sender_public_key=(1285788649714386836892440333012889444698233333809489364474616947934542770724999997145538088456652601147045234490019282952264340541239682982255115303711207 : 1081635450946385063319483423983665253792071829707039194609541132041775615770167048603029155228167113450196436786905820356216200242445665942628721193713459 : 1)
my_private_key=2549545681219766023689977461986014915946503806253877534915175093306317852773
ciphertext="2f65ff4a97e0e05c06eab06b58ea38a3d5b6d2a65ea4907bc46493b30081a211d7cffc872a23dbd565ef307f9492bb23"
iv="d151c04c645c3e2a8d3f1ae44589ef20"

F=GF(p)
E=EllipticCurve(F,[a,b])
sender_public_key=E([1285788649714386836892440333012889444698233333809489364474616947934542770724999997145538088456652601147045234490019282952264340541239682982255115303711207,1081635450946385063319483423983665253792071829707039194609541132041775615770167048603029155228167113450196436786905820356216200242445665942628721193713459])
# ECDH: the shared point is our private scalar times the sender's public point
shared=sender_public_key*my_private_key
# Same key derivation as task.sage: MD5 of the decimal x-coordinate
key = md5(str(int(shared.xy()[0])).encode()).digest()
iv=bytes.fromhex(iv)
ciphertext=bytes.fromhex(ciphertext)
cipher=AES.new(key,AES.MODE_CBC,iv)
plaintext=cipher.decrypt(ciphertext)
print(plaintext)