Home ABCTF-2016 A Small Broadcast
Writeup
Cancel

A Small Broadcast

Challenge I RSA encrypted the same message 3 different times with the same exponent. Can you decrypt this?

1
2
3
4
5
6
7
8
9
10
11
Problem updated on 7/17/16 @ 8PM EST - fixed values
I RSA encrypted the same message 3 different times with the same exponent. Can you decrypt it?

N1:79608037716527910392060670707842954224114341083822168077002144855358998405023007345791355970838437273653492726857398313047195654933011803740498167538754807659255275632647165202835846338059572102420992692073303341392512490988413552501419357400503232190597741120726276250753866130679586474440949586692852365179
C1:34217065803425349356447652842993191079705593197469002356250751196039765990549766822180265723173964726087016890980051189787233837925650902081362222218365748633591895514369317316450142279676583079298758397507023942377316646300547978234729578678310028626408502085957725408232168284955403531891866121828640919987

N2:58002222048141232855465758799795991260844167004589249261667816662245991955274977287082142794911572989261856156040536668553365838145271642812811609687362700843661481653274617983708937827484947856793885821586285570844274545385852401777678956217807768608457322329935290042362221502367207511491516411517438589637
C2:48038542572368143315928949857213341349144690234757944150458420344577988496364306227393161112939226347074838727793761695978722074486902525121712796142366962172291716190060386128524977245133260307337691820789978610313893799675837391244062170879810270336080741790927340336486568319993335039457684586195656124176

N3:95136786745520478217269528603148282473715660891325372806774750455600642337159386952455144391867750492077191823630711097423473530235172124790951314315271310542765846789908387211336846556241994561268538528319743374290789112373774893547676601690882211706889553455962720218486395519200617695951617114702861810811
C3:55139001168534905791033093049281485849516290567638780139733282880064346293967470884523842813679361232423330290836063248352131025995684341143337417237119663347561882637003640064860966432102780676449991773140407055863369179692136108534952624411669691799286623699981636439331427079183234388844722074263884842748

Solution

used the same value for d three times? can we calculate p’s and q’s from this? assume e=65537? bruteforceable? maybe a math problem? Those values are all interrelated, set of linear equations?

-> yep, need to brush up on modular arithmetic I think

what we know about RSA:

  • A public key is composed of the pair (N,e) - the modulus N and the public exponent e
  • A private key is composed of the pair (N,d) - the modulus N and the private exponent d
  • Decrypting a ciphertext is taking the integer value of a ciphertext to the private exponent and applying modulo N to it - c^d mod N = m
  • Encrypting a message is taking the integer value of a message to the public exponent and applying modulo N to it - m^e mod N = c
  • A modulus N is composed of a multiplication of two (large) prime numbers p and q
  • This multiplication is a trapdoor - easy in one way (multiplication), difficult in the other (factoring)
  • The totien phi(N) can be calculated as follows: phi(N) = phi(p*q) = (p-1)*(q-1)
  • The public exponent e is chosen in the range [3,phi(N)[, often 65537 as it is in this case
  • The private exponent d is calculated using the phi(N) modular multiplicative inverse of e so that e*d = 1 mod phi(N)
  • Private components are therefore p, q, d and phi(N)
  • Public components are therefore e and N
  • OAEP Padding is used to avoid several attacks against RSA

Flag