Applicable scenarios:
N is very large, more than 4000 bits, e is very small, E = 3
Generally, e selects65537However, E = 3 may be selected during RSA encryption (Do not ask why, because E
= 3 saves time and effort, and he may think that N is safe at more than 4000 bits ,).
RSA encryption is M's E Power modulo n equals C.
① M ^ 3 <n, that is, m ^ 3 = C. ② M ^ 3> N, I .e. (M ^ 3 + in) mod n = C (blow up I, do not know what value I takes)
We can directly open the Power of Three. In fact, the above two cases can be completed using a script.
import gmpy
N=721059527572145959497866070657244746540818298735241721382435892767279354577831824618770455583435147844630635953460258329387406192598509097375098935299515255208445013180388186216473913754107215551156731413550416051385656895153798495423962750773689964815342291306243827028882267935999927349370340823239030087548468521168519725061290069094595524921012137038227208900579645041589141405674545883465785472925889948455146449614776287566375730215127615312001651111977914327170496695481547965108836595145998046638495232893568434202438172004892803105333017726958632541897741726563336871452837359564555756166187509015523771005760534037559648199915268764998183410394036820824721644946933656264441126738697663216138624571035323231711566263476403936148535644088575960271071967700560360448191493328793704136810376879662623765917690163480410089565377528947433177653458111431603202302962218312038109342064899388130688144810901340648989107010954279327738671710906115976561154622625847780945535284376248111949506936128229494332806622251145622565895781480383025403043645862516504771643210000415216199272423542871886181906457361118669629044165861299560814450960273479900717138570739601887771447529543568822851100841225147694940195217298482866496536787241
c=0x85C0DE5F89E88720AFD485F91DED38E9EAEDA3A61DDEE7087BBD29920EE40B6D53565EDD1E418095586BD4F33015729D433AF413C660E4C0B164ED025F91216D904578F7F20C5FB1E09E71992198D8E8D7FBD917597AEE45EBF4CA80124CE9B47ED163F0B9D5716A9D6E1F5B8AE09B16CAE30BBD64A15E17CC39A90FB62536AD943CDDA9A4AAC5978E3C93502535D5353638BC708C9B59CC9DC7BCB1D873336CE081591522B1D48904463783DD6837B1C41B8011889648E0ACDFBD3EE259F717990828D16DB34EB982446216DB534DC06B9E7AAF90BCCB54A1CC77C2813BDFE9A1B5C2E958C3EA8CA103BA1A89036B7014BBC962EB7A8C910E095BB83791BD9FEEE0D8F6AF0C2E030CCCC6D8729743419BDEE0A1E45AB5E7324A344761C8CC8DB30961A971D566E49C4562924C3EE001EDECE3445CD28DBA264BA8A90C5E533542096C26AA7D874997A308025A5E95BFC6949EBD16CEA889D242AB2E2FF2446090D07666D7574946E391D3F153D50346BC75DA94634182DF80F7BA97B77AF8922F13E43B2DF788902A209B9E569DD3C6FAA4DD7B43899F59798845DF642EDEEF34A186949CBE83C099F085F87A299591E715CCB4FE74612B00AEBE25C114819CF887C256121915416ACBCB058937E3D39EB7EF7143E145131119DA9C3D9818599A0E5109727FB581BBC20EB3E6A25011B8E9034537C0E580A0EE8F1553805BE8
i=0
while 1:
if(gmpy.root(c+i*N, 3)[1]==1):
print gmpy.root(c+i*N, 3)
break
i=i+1
Starting from 0, I is the first case. Open the power to the power of three to see if it is correct.
I start from 1. Adding 1 each time is the second case.
We will directly obtain the plain text, and convert it to text in 10 hexadecimal notation. Here the script uses
Import libnum
N = 440721643740967258786371951429849843897639673893942371730874939742481383302887786063966117819631425015196093856646526738786745933078032806737504580146717737115929461581126895844008044713461807791172016433647699394456368658396746134702627548155069403689581548233891848149612485605022294307233116137509171389596747894529765156771462793389236431942344003532140158865426896855377113878133478689191912682550117563858186
Print libnum. N2s (N)
Here I started to use converter to convert to decimal. It was not successful. I don't know why.
It will take a long time, and the computer will beep.
Gmpy and libnum I have failed to install in windows, and it's okay to install them on Kali.
Example:
Https://dn.jarvisoj.com/challengefiles/extremelyhardRSA.rar.8782e822c895a2af3d8ba4ffbb3e280b
Unzip the downloaded file and change the file suffix .rar. After decompression, you can see the flag. ENC and pubkey. pem. One ciphertext and one public key.
② OpenSSL view public key information (N and e)
N = bytes
N is 4096 bits. I cried. What about you?
③ E = 3, low-encryption index attacks.
It is a script. Directly power (C ^ 3 + kN) to the Power of Three and ran for a while.
C is the flag. ENC's hexadecimal format is directly thrown into winhex, and its hexadecimal format is copied. Wrap the line and write a str. replace ('','') just remove the space.
Plaintext is
440721643740967258786371951429849843897639673893942371730874939742481383302887786063966117819631425015196093856646526738786745933078032806737504580146717737115929461581126895844008044713461807791172016433647699394456368658396746134702627548155069403689581548233891848149612485605022294307233116137509171389596747894529765156771462793389236431942344003532140158865426896855377113878133478689191912682550117563858186
Note that there is no l in plain text, which is a python issue.
Then convert the decimal value to text.
RSA advanced low-encryption index attack