0

I have some ciphered text c:

25891321569730591340908100200084238908526220639262493280132434760408339201

And a public key modulus n: 

26968512395163253601932973308752915431751775641665954651069702885890373293

And exponent e:

65537

All of them are in the integer format. I also have the private key in the same format (integer). How can I decrypt the ciphered text then? Do I need to convert to the OpenSSL .pem format? If yes, then how can I do that?

I tried decrypting through OpenSSL, I got this error:

error:0406506C:rsa routines:RSA_EAY_PRIVATE_DECRYPT:data greater than mod len

I have also tried searching on this website and I got this link. When I tried that I got the following error:

0:d=0  hl=2 l=  50 prim: appl [ 27 ]       
Error in encoding
894:error:0D07209B:asn1 encoding routines:ASN1_get_object:too long:

Can anyone help?

Community
  • 1
Rajat
  • 9
  • 1
  • 2
  • 3
    openssl operates on RSA keys in PKCS#1 format. This uses ASN.1 DER. It's quite complicated. Are you doing homework? Does your cryptosystem use insecure "textbook RSA" or a real system like PKCS#1 v1.5? If it's just textbook RSA, I suggest python. It supports big integers out of the box. – Z.T. Oct 29 '16 at 00:28
  • Did you try cryptool? It works – hax Oct 29 '16 at 01:46
  • 1
    With what you have you simply need to proceed as given in textbooks to obtain the result of the decryption processing. As mentioned by Z.T., it's very simple to perform the computation in Python. – Mok-Kong Shen Oct 29 '16 at 08:17
  • This problem appears to be part of a CTF contest, so I won't publish the solution here. However, the value of `n` has more than two factors, so be careful when calculating the private exponent `d`. – r3mainer May 29 '17 at 02:31

2 Answers2

2

Actually you don't really need to convert your keys or use OpenSSL. Open a Python console and decrypt your message:

>>> m = (c ** d) % n

where d is your private exponent.

CaptainRR
  • 379
  • 2
  • 10
0

If you want to follow the suggestions in the comments to your question, I suggest you look at the "cryptography" python library, especially at "cryptography.hazmat.primitives.asymmetric.rsa". It's fairly well documented.

See https://cryptography.io/en/latest/ for documentation.

Note that you're working in hazmat territory, so don't use this for serious cryptography without understanding the pitfalls of using cryptographic primitives in a cryptosystem.

Out of Band
  • 9,150
  • 1
  • 21
  • 30
  • 1
    I think OP has textbook RSA, not pkcs#1 v1.5 so they don't need python bindings for openssl pkcs#1, they just need big integers. Python's integers have unbounded size. – Z.T. Oct 30 '16 at 19:38
  • Yes, python has big integers, and of course you can then go on to recreate RSA using basic mathematical operations on these numbers, but cryptography (or PyCrypto for that matter) has RSA built-in and ready to use; you can just plug in your big integers and get a working public/private key and the routines for encryption and decryption. So I thought that'd be even simpler than doing it by hand. – Out of Band Oct 31 '16 at 14:29
  • 1
    if the ciphertext uses pkcs#1 v1.5 padding, then a real crypto library like openssl or a python wrapper for it is the way to go. But if the ciphertext uses textbook RSA without padding, openssl will fail to decrypt it. – Z.T. Oct 31 '16 at 18:19
  • 1
    Looks like you're right - cryptography takes a padding object as a parameter for the decryption routine, but as far as I can see, there's no 'dummy padding' class to instantiate and pass in if you're not using any padding at all. – Out of Band Oct 31 '16 at 20:57
  • 1
    not using padding at all is extremely insecure, no reason for openssl to implement such an API. – Z.T. Oct 31 '16 at 21:15
  • 1
    @Z.T.: OpenSSL does support unpadded/raw RSA, although _for commandline_ it is not default, and as you say it shouldn't be _used_. But it doesn't directly support decimal strings; only binary for data, and keys in (several variants of) DER (as you noted) or PEM which can be just base64-of-DER but for privatekey can instead be base64-of-_encrypted_-DER. – dave_thompson_085 Jan 30 '17 at 23:44