
Title: Elliptic Curve Cryptography: A Challenge Simulating the Sony Disaster

Created: 2023-12-11 16:09
Updated: 2023-12-18 19:03
Link: https://scz.617.cn/misc/202312111609.txt

The ECC public key (pub.pem) is as follows:

-----BEGIN PUBLIC KEY-----
MIIBMzCB7AYHKoZIzj0CATCB4AIBATAsBgcqhkjOPQEBAiEA////////////////
/////////////////////v///C8wRAQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAEIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHBEEEeb5m
fvncu6xVoGKVzocLBwKb/NstzijZWfKBWxb4F5hIOtp3JqPEZV2k+/wOEQio/Re0
SKaFVBmcR9CP+xDUuAIhAP////////////////////66rtzmr0igO7/SXozQNkFB
AgEBA0IABADEclsh8RJbhCu4meeZlw0gzBz1qTgoiLpK09ATpsF/BpHlr7syDmqf
QDw39Axe+HDZwECCIkHgUgAjiP2kpww=
-----END PUBLIC KEY-----

The three plaintexts are as follows:

xxd -g 1 message_0.bin

00000000: 54 68 69 73 20 69 73 20 74 68 65 20 66 69 72 73  This is the firs
00000010: 74 20 6d 65 73 73 61 67 65 2e                    t message.

xxd -g 1 message_1.bin

00000000: 54 68 69 73 20 69 73 20 74 68 65 20 73 65 63 6f  This is the seco
00000010: 6e 64 20 6d 65 73 73 61 67 65 2e                 nd message.

xxd -g 1 message_2.bin

00000000: 54 68 69 73 20 69 73 20 74 68 65 20 74 68 69 72  This is the thir
00000010: 64 20 6d 65 73 73 61 67 65 2e                    d message.

The two ECDSA signatures are as follows:

xxd -g 1 message_0.sig

00000000: 30 46 02 21 00 90 2e d0 16 f3 b7 58 87 64 85 e3  0F.!.......X.d..
00000010: 3c 6e a3 d4 db 8e f1 a3 3b 7d 83 ce 26 de eb 75  <n......;}..&..u
00000020: 1d 11 7a 82 9d 02 21 00 a3 c5 89 cc 08 4b a4 b5  ..z...!......K..
00000030: 4b f1 84 e2 2b a5 e6 e4 8f 58 21 10 8c 8c 9a 49  K...+....X!....I
00000040: d0 0f 8f cf 4a fc bc b8                          ....J...

xxd -g 1 message_1.sig

00000000: 30 46 02 21 00 90 2e d0 16 f3 b7 58 87 64 85 e3  0F.!.......X.d..
00000010: 3c 6e a3 d4 db 8e f1 a3 3b 7d 83 ce 26 de eb 75  <n......;}..&..u
00000020: 1d 11 7a 82 9d 02 21 00 c9 bb 9b 55 86 ef 05 8e  ..z...!....U....
00000030: ba 76 3d fe f4 6b 16 09 45 78 01 84 d0 16 09 33  .v=..k..Ex.....3
00000040: 45 f8 71 fc 1a 65 7a 45                          E.q..ezE

sha512sum message_0.bin message_1.bin message_2.bin message_0.sig message_1.sig

fd8b4f3ab120efcd6bed61028c2a0b026f5d676535621339d0ed085313ae482cbfae15885e56295939393e78afb11118f0cc89caeba55d65172b870f3c6bb7fd  message_0.bin
4ec0b587154fc85b7c28ad5b9f22225817027434b3b26ed895359643deba1e80b4cce0a1181a40a411e94cce88742489349e3f4960090e0e07b1c4e85cdd0b04  message_1.bin
8109b25d7fdaf1374933ae02aefe81dc787a7cec5323eeff51419770f96f2b9066f512dfb36e67dfd29e718e465f30129c26ad2fdc1f6b2398a0abd60f7d31dd  message_2.bin
d57f19dd89ba91cf2498551dafa8968ddb66608dd114bd5315e3fed47db244d39e51836fb79f284388c69c03d8c5164da63dcd002883881222b120b3ea2c7c21  message_0.sig
e4c2eab10a86acea580156ba28ca3ff4dab0e4a426b1b2cb1fca7c84c874a599887ecf218afd9785b91bc63fa4a8b055ffcdfcb09d88ced56945909f23654418  message_1.sig

The k value is known to be fixed, and the ECDSA signatures were generated by an OpenSSL command similar to the following:

openssl dgst -sha512 -sign priv.pem -out msg.sig msg.bin

The command to verify a signature is similar to:

openssl dgst -sha512 -verify pub.pem -signature msg.sig msg.bin

openssl version

OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

Challenge requirements

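a) Following the Sony disaster, recover the k value and the ECC private key
b) Using the recovered k value and ECC private key, generate the ECDSA signature message_0_other.sig for message_0.bin; it should be identical to message_0.sig
c) Using the recovered k value and ECC private key, generate the ECDSA signature message_2.sig for message_2.bin, and verify that signature with the known ECC public key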

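The whole challenge is a complete simulation of the Sony disaster: the attackers obtained two PS3 games signed with the same k, eventually recovered Sony's ECC private key, and then ECDSA-signed third-party games so that they could run on the PS3.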

The known data is available here:

https://scz.617.cn/misc/SonyECCChallenge.7z


2023-12-12 21:29

Weibo user UID(2010143057) recovered the k value

k=0x90a0b0c0d0e0f101259f2ae83a986c3b989d814fa02e8eac37c9c7c5b255620

Anyone interested can go on to finish the whole challenge.


2023-12-18 19:03

Answer from 0x指纹 (5845952017)

For part one, just plug into the formula


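# n: order of the secp256k1 base point
n  = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
# z1, z2: leftmost 256 bits of the SHA-512 digests of message_0.bin and message_1.bin
z1 = 0xfd8b4f3ab120efcd6bed61028c2a0b026f5d676535621339d0ed085313ae482c
z2 = 0x4ec0b587154fc85b7c28ad5b9f22225817027434b3b26ed895359643deba1e80
# r, s1, s2: taken from message_0.sig and message_1.sig (r is the same in both)
r  = 0x902ed016f3b758876485e33c6ea3d4db8ef1a33b7d83ce26deeb751d117a829d
s1 = 0xa3c589cc084ba4b54bf184e22ba5e6e48f5821108c8c9a49d00f8fcf4afcbcb8
s2 = 0xc9bb9b5586ef058eba763dfef46b160945780184d016093345f871fc1a657a45
# same k in both signatures: s1 - s2 = (z1 - z2) / k (mod n)
k  = ((z1-z2)*pow(s1-s2,-1,n))%n
# s1 = (z1 + r*d) / k (mod n), solved for d
d  = (pow(r,-1,n)*(s1*k-z1))%n
print( hex(k) )
print( hex(d) )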


k = 0x90a0b0c0d0e0f101259f2ae83a986c3b989d814fa02e8eac37c9c7c5b255620
d = 0x60e89fd3bec9c5184ff8b72883bb1989f5504a112f8521eb03258f4171af0c7e


Parts two and three are easy to do with the ecdsa library, which lets you set k and the ECC private key


import binascii, hashlib, ecdsa

# k and private key d recovered in part one
k = 0x90a0b0c0d0e0f101259f2ae83a986c3b989d814fa02e8eac37c9c7c5b255620
d = '60e89fd3bec9c5184ff8b72883bb1989f5504a112f8521eb03258f4171af0c7e'
ecc_pri = ecdsa.SigningKey.from_string( binascii.unhexlify(d), curve=ecdsa.SECP256k1 )

with open('message_0.bin', 'rb') as f :
    f_data = f.read()

# sign with the fixed k and write the DER-encoded signature
f_sig = ecc_pri.sign( f_data, k=k, hashfunc=hashlib.sha512, sigencode=ecdsa.util.sigencode_der )
with open('message_0_other.sig', 'wb') as f :
    f.write( f_sig )


md5sum message_0.sig message_0_other.sig

The two are exactly the same
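
An added example, not part of the original page or of either answer above: the condition the challenge depends on, two signatures under one key carrying the same r, can be checked for directly by whoever operates or audits a signer. The code parses the two DER signatures from the xxd dumps, groups them by r, and shows where the z values in the answer come from (the leftmost 256 bits of SHA-512). The function names are my own, and the parser assumes short-form DER lengths.

```python
import hashlib
from collections import defaultdict

def parse_ecdsa_der(sig):
    """Parse DER ECDSA-Sig-Value (SEQUENCE of two INTEGERs) into (r, s).
    Assumes short-form lengths, which holds for 256-bit curves."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2 or sig[1] >= 0x80:
        raise ValueError("not a short-form DER SEQUENCE")
    ints, pos = [], 2
    while pos < len(sig):
        if pos + 2 > len(sig) or sig[pos] != 0x02 or sig[pos + 1] >= 0x80:
            raise ValueError("expected a short-form INTEGER")
        end = pos + 2 + sig[pos + 1]
        if end == pos + 2 or end > len(sig):
            raise ValueError("bad INTEGER length")
        ints.append(int.from_bytes(sig[pos + 2:end], "big"))
        pos = end
    if len(ints) != 2:
        raise ValueError("expected exactly two INTEGERs (r, s)")
    return ints[0], ints[1]

def find_nonce_reuse(sigs):
    """sigs: {name: DER bytes}, all made with ONE key. r depends only on k,
    so an r shared by two or more signatures means k was repeated."""
    by_r = defaultdict(list)
    for name, der in sigs.items():
        by_r[parse_ecdsa_der(der)[0]].append(name)
    return {r: names for r, names in by_r.items() if len(names) > 1}

def z_from_message(msg, order_bits=256):
    """ECDSA hash input: the leftmost order_bits bits of the SHA-512 digest."""
    digest = hashlib.sha512(msg).digest()
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - order_bits)

# Bytes copied from the page's xxd dumps; the two files share their first 40 bytes.
COMMON = ("3046022100902ed016f3b758876485e33c6ea3d4db8ef1a33b7d83ce26deeb75"
          "1d117a829d022100")
SIGS = {
    "message_0.sig": bytes.fromhex(
        COMMON + "a3c589cc084ba4b54bf184e22ba5e6e48f5821108c8c9a49d00f8fcf4afcbcb8"),
    "message_1.sig": bytes.fromhex(
        COMMON + "c9bb9b5586ef058eba763dfef46b160945780184d016093345f871fc1a657a45"),
}

if __name__ == "__main__":
    for r, names in find_nonce_reuse(SIGS).items():
        print(f"repeated nonce: r={r:#x} in {names}")
    print(f"z for message_0.bin: {z_from_message(b'This is the first message.'):#x}")
```

Run over every signature a key has ever produced, a non-empty result from find_nonce_reuse means that key has to be treated as exposed and rotated.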