Maverick

Reputation: 2760

JAVA RSAES-OAEP attack

I need to implement an RSAES-OAEP PKCS#1 V2.1 attack, using a Unix executable oracle and an ASCII-format challenge file. The format of the challenge ASCII file is

{n}
{e}
{c}

where N (an integer) is a 1024-bit modulus, e (an integer) is the public exponent and c (an octet string) is the ciphertext corresponding to the RSAES-OAEP encryption of some unknown plaintext m (an octet string) under the public key (N, e). Note that the plaintext is ASCII text (i.e., each octet is an ASCII encoded character), and that the RSAES-OAEP encryption will have used SHA-1 as the hash function and a null label (i.e., in all cases the label is an octet string of length zero). The executable represents an RSAES-OAEP decryption oracle: when executed from a BASH shell using the command

bash$ ./ USER < USER . challenge

it tries to decrypt the ciphertext read from stdin using the private key (N, d). Note that N is read from stdin (i.e., from the challenge) but d (an integer) is a private exponent embedded into the oracle (i.e., you do not have access to it).

The challenge file is as follows:

99046A2DB3D185D6D2728E799D66AC44F10DDAEE1C0A1AC5D7F34F04EDE17B96A5B486D95D927AA9B58FC91865DBF3A1685141345CC31B92E13F06E8212BAB22529F7D06B503AAFEEB89800E12EABA50C3F3BBE86F5966A88CCCF5C843281F8B98DF97A3111458FCA89B8085A96AE68EAEBAE270831D41C956159B81D29503
80A3C4043F940BE6AC16B11A0A77016DBA96B0239311AF182DD70E214E07E7DF3523CE1E269B176A3AAA0BA8F02C59262F693D6A248F22F2D561ED7ECC3CB9ABD0FE7B7393FA0A16C4D07181EEF6E27D97F48B83B90C58F51FD40DCDA71EF5E3C3E97D1697DC8E26B694B5CAFE59E427B12EE82A93064C81AAB74431F3A735
57D808889DE1417235C790CB7742EB76E537F55FD49941EBC862681735733F8BB095EDBB3C0DA44AB8F1176E69A61BBD3F0D31EB997071758A5DD850730A1D171E9EC92788EBA358974CE521537EE4A809BF1607D04EFD4A407866970981B88F44D5260D25C9E8864D5FC2AFB2CB90994DD1934BCEA728B38A00D4712AE0EE

Any ideas as to how to proceed for this attack?!

Thanks. Anyone to guide me for this?!

Upvotes: 0

Views: 1125

Answers (1)

Accipitridae

Reputation: 3194

The first thing you could try is to find out whether you can apply the attack by J. Manger from the paper "A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0." Crypto 2001.

That means you have to find out what kind of information you can get from the oracle. I.e., choose two arbitrary integers m0, m1 such that m1 is a 1024-bit integer smaller than n and m0 is 1023 or fewer bits long. If you pass m0^e mod n and m1^e mod n to the oracle, do you get a different response? If so, then you might be able to apply the attack in the paper above. Otherwise you will have to search for another flaw in the decryption oracle.


Another approach that might work is to try to modify the modulus n. If the oracle really reads the modulus from user-supplied input, then it looks like modifying the modulus should work and the attack becomes quite easy. I don't have access to the implementation of the oracle so I can only guess what might be possible. If you can check for any chosen n', c' whether c'^d mod n' is a valid OAEP encoded plaintext, then decrypting the original message is not all you can do; in fact you can also recover d and hence factor the original RSA modulus.

(Furthermore this would indeed be a very nice puzzle, so I don't want to spoil the fun by giving a step-by-step recipe on how to solve it.)

Upvotes: 4
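
The oracle check described in the answer, as an added example that is not part of the original posts and is not the challenge's oracle: a toy RSAES-OAEP decoder (SHA-1, null label) that gives a distinct reply when the decrypted integer is not below B = 2^(8(k-1)), next to one that returns a single error for every failure. The key, the probe values and all function names are constructed for illustration.

```python
import hashlib

# Constructed toy key (NOT the challenge key): two Mersenne primes, insecure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8          # modulus length in octets
B = 1 << (8 * (K - 1))                 # smallest integer whose top octet is non-zero
HLEN = 20                              # SHA-1 output length
LHASH = hashlib.sha1(b"").digest()     # hash of the null label

def mgf1(seed, length):
    out = b"".join(hashlib.sha1(seed + i.to_bytes(4, "big")).digest()
                   for i in range(-(-length // HLEN)))
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_checks(c):
    """Return (top_octet_is_zero, padding_is_valid) for c^d mod n."""
    em = pow(c, D, N).to_bytes(K, "big")
    masked_seed, masked_db = em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, K - HLEN - 1))
    rest = db[HLEN:].lstrip(b"\x00")   # skip PS, expect the 0x01 separator
    return em[0] == 0, db[:HLEN] == LHASH and rest[:1] == b"\x01"

def leaky_oracle(c):
    top_zero, pad_ok = oaep_checks(c)
    if not top_zero:
        return "error: integer too large"   # distinct reply reveals m >= B
    return "ok" if pad_ok else "error: decoding"

def hardened_oracle(c):
    top_zero, pad_ok = oaep_checks(c)       # both checks always run
    return "ok" if (top_zero & pad_ok) else "error: decryption failed"

def probe(oracle):
    """The check from the answer: compare replies for m0 < B and m1 >= B."""
    m0, m1 = B - 12345, B + 12345           # constructed probe values
    return oracle(pow(m0, E, N)), oracle(pow(m1, E, N))

if __name__ == "__main__":
    print("leaky   :", probe(leaky_oracle))     # two different replies
    print("hardened:", probe(hardened_oracle))  # identical replies
```

A uniform error string is only half of the fix: RFC 8017 also requires that the failure conditions be indistinguishable by timing, which this sketch does not attempt to guarantee.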
