Export Grade

This challenge is simulating the infamous Logjam attack on many internet protocols like HTTPS, SSH, IPsec, SMTPS and protocols rely on TLS that uses Diffie-Hellman key exchange. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography, as there is an option for clients back when the paper is published to use DHE_EXPORT level of security. There is no indication of the cipher suites the server has chosen, so a MiTM can easily modify the client’s ciphersuite to be DHE_EXPORT....

December 8, 2022 · 3 min · qvinhprolol

Smooth Criminal

The title of the challenge hints at a clue - the modulo used in the challenge is a smooth prime. There are no obvious weakness in the encryption scheme given in the source code. Again, revising the old lesson - Pohlig-Hellman algorithm is insane at solving DLP with primes of smooth order. Otherwise, the challenge is simply a matter of figuring out the proper Sage syntax to solve the challenge. discrete_log of Sage is powerful when it comes to solving DLP, as the underlying implementation of Sage involves both Pohlig-Hellman and BSGS....

December 8, 2022 · 2 min · qvinhprolol

Bean Counter

Tricky challenge. The description is trying to throw me off from “My counter can go both upwards and downwards to throw off cryptanalysts”, which is not the case. The given code for encryption given is trying to simulate AES-CTR mode by doing AES-ECB block-by-block with the given IV. However, in the code of increment(), the method for changing the IV, there is a very sneaky bug: 1 2 3 4 5 6 7 def increment(self): if self....

December 7, 2022 · 2 min · qvinhprolol

Diffie-Hellman Starter 2

The task is to find the generator of the finite field. There are multiple ways to do this: Naive implementation (brute-force). Credits to Landryl @ Cryptohack. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 ''' Rather than using a set and checking if every element of Fp has been generated, we can also rapidly disregard a number from being a generator by checking if the cycle it generates is smaller in size than p....

December 7, 2022 · 1 min · qvinhprolol

Many Prime

The challenge is straightforward - just factor out the modulus used N. There are two approaches, one using FactorDB and one using the intended way of using Sage. Credits to pdro solution on Cryptohack: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 n = 580642391898843192929563856870897799650883152718761762932292482252152591279871421569162037190419036435041797739880389529593674485555792234900969402019055601781662044515999210032698275981631376651117318677368742867687180140048715627160641771118040372573575479330830092989800730105573700557717146251860588802509310534792310748898504394966263819959963273509119791037525504422606634640173277598774814099540555569257179715908642917355365791447508751401889724095964924513196281345665480688029639999472649549163147599540142367575413885729653166517595719991872223011969856259344396899748662101941230745601719730556631637 ''' Key observation: the number is 2033 bits and it has 30+ factors. The smallest factor will be ~2033/30 = 68 bits in the worst case (i....

December 7, 2022 · 1 min · qvinhprolol

Modulus Inutilis

A interesting challenge, we are given the modulus n, public exponent e and ciphertext ct. 1 2 3 n = 17258212916191948536348548470938004244269544560039009244721959293554822498047075403658429865201816363311805874117705688359853941515579440852166618074161313773416434156467811969628473425365608002907061241714688204565170146117869742910273064909154666642642308154422770994836108669814632309362483307560217924183202838588431342622551598499747369771295105890359290073146330677383341121242366368309126850094371525078749496850520075015636716490087482193603562501577348571256210991732071282478547626856068209192987351212490642903450263288650415552403935705444809043563866466823492258216747445926536608548665086042098252335883 e = 3 ct = 243251053617903760309941844835411292373350655973075480264001352919865180151222189820473358411037759381328642957324889519192337152355302808400638052620580409813222660643570085177957 From this, denote $m$ as the plaintext, we need to solve the equation $$ m^e \equiv ct \mod N $$ The above equation is equivalent to: $$ m ^ e - ct = 0 \mod N $$ The idea that I had is to use Coppersmith attack for low-exponent 3, we can find the solution to the equation quickly....

December 7, 2022 · 1 min · qvinhprolol

Parameter Injection

In this challenge, we are acting as the MiTM which will intercept the key exchange messages between Alice and Bob. We are able to modify the A and B - each of the shared secret by doing g^a and g^b of Alice and Bob. The flag is sent from Alice to Bob, hence we only need to care about the response of the key exchange message from Bob to Alice. Recall that when Bob’s secret B is sent over to Alice, Alice will do B^a on her side, where a is the secret of Alice....

December 7, 2022 · 3 min · qvinhprolol

ECB Oracle

This takes much longer time than I would like to admit. It is known to me that ECB leads to poor diffusion of the plaintext - the classic example from the Linux penguin used in almost every cryptography book ever. The attack, however, is not exactly clear to me at the beginning. With fuzzy memory of how AES in ECB mode, I was thinking of a scheme that xor a plaintext block with a key block to generate the corresponding ciphertext block....

December 6, 2022 · 2 min · qvinhprolol

Symmetry

An embarrassing challenge for me. The solution to this challenge is quite simple. The symmetry of the xor operation enables us to decrypt the message/plaintext $P$ from the $IV$ and ciphertext $C$. Denote the output after running block cipher encryption with key k $E_k$ to be $O$, then we have: $$ O = E_k(IV) $$ $$ C = P \oplus O $$ xor both sides of the above equation, we have:...

December 6, 2022 · 2 min · qvinhprolol

Adrien's Signs

We are given the following Python code for encrypting the flag: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 from random import randint a = 288260533169915 p = 1007621497415251 FLAG = b'crypto{????????????????????}' def encrypt_flag(flag): ciphertext = [] plaintext = ''.join([bin(i)[2:].zfill(8) for i in flag]) print(plaintext) for b in plaintext: e = randint(1, p) n = pow(a, e, p) if b == '1': ciphertext....

December 5, 2022 · 2 min · qvinhprolol