![]() > According to Fermat's method, we can represent N as the difference of two These descriptions are copied from the solver source code below for convenience: For a detailed description of how this works, see the comments in the solver source code. This actually uses two different methods to factor the RSA modulus and recover the private key, one involving Fermat's factorization method, and other using the quadratic formula. # Factor the RSA modulus and recover the private key Run the following command to convert the certificate to PEM format: `openssl x509 -inform der -in r -out cert-recovered.pem` Find the certificate and right-click -> Export Packet Bytes.Ĥ. ![]() This is the part of the TLS handshake that contains the server's certificate.ģ. Select the packet with a label that begins with, "Server Hello, Certificate, " # Extract the printer's certificate from the packet capture fileĢ. (#factor-the-rsa-modulus-and-recover-the-private-key)ģ. (#extract-the-printers-certificate-from-the-packet-capture-file)Ģ. The rest of this section describes the steps to exploit the weak prime and weak cipher suite vulnerabilities to recover the flag:ġ. This key exchange algorithm does not provide forward secrecy, which means an attacker can decrypt the entire communication stream given the private key. ![]() Both of these approaches are implemented in the solver script at (./solver/solver.go).Īdditionally, the packet capture file reveals that the TLS session is using ( ) which is weak cipher suite. There are two methods of doing this that I'm aware of: Fermat's factorization method and a method based on the quadratic formula. This difference can be used to factor the public key modulus, `N`, into `p` and `q`. This method of generating RSA primes is not secure because the approximate difference between `p` and `q` can be easily guessed. Takes the usual approach to constructing a private key from `p` and `q`. To find `q`, it starts with the value of `p`, flips the third most significant bit, and then finds the next prime in ascending or descending order depending on whether `q` is greater than or less than `p`. Chooses a random 1028-bit prime for `p`, The printer's source code reveals a custom RSA key generation function. Weak RSA prime generation in `printer.go`, and Participants should be given (./dist/printer.go) and (./dist/capture.pcap).Īt a high level, the participant needs to exploit two vulnerabilities:ġ. Will you help me recover it? Here's the (./dist/printer.go) for my printer and a recent (./dist/capture.pcap). I printed a hard copy of the flag, but then I lost it.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |