Aleksei Udovenko hellman

## roca_test.py
#!/usr/bin/python
import sys

# Credit: https://crypto.stackexchange.com/questions/52292/what-is-fast-prime
generators = [
    (2, 11), (6, 13), (8, 17), (9, 19), (3, 37), (26, 53), (20, 61), (35, 71),
    (24, 73), (13, 79), (6, 97), (51, 103), (53, 107), (54, 109), (42, 127),
    (50, 151), (78, 157),
]

## infineon-roca.md

      
              1 file
            
          
              1 fork
            
          
              3 comments
            
          
              21 stars
            
          
                hannob
                / infineon-roca.md
            
            
              Last active
              October 25, 2020 15:55
            
              
                Affected Products and Keys by Infineon RSA vulnerability
              
          
    Collecting some information about the extend and affected products and keys of the Infineon RSA vulnerability (ROCA).

Official ROCA infos by the bug finders
Test tool on Github
Online test
Information from Infineon
CVE-2017-15361
CERT/CC advisory

Estonian eID cards

  
## git-auto-sign-commits.sh
# Generate a new pgp key: (better to use gpg2 instead of gpg in all below commands)
gpg --gen-key
# maybe you need some random work in your OS to generate a key. so run this command: `find ./* /home/username -type d | xargs grep some_random_string > /dev/null`

# check current keys:
gpg --list-secret-keys --keyid-format LONG

# See your gpg public key:
gpg --armor --export YOUR_KEY_ID
# YOUR_KEY_ID is the hash in front of `sec` in previous command. (for example sec 4096R/234FAA343232333 => key id is: 234FAA343232333)

## gracias.py
from sage.all import continued_fraction, Integer, inverse_mod

pubkey = (1696852658826990842058316561963467335977986730245296081842693913454799128341723605666024757923000936875008280288574503060506225324560725525210728761064310034604441130912702077320696660565727540525259413564999213382434231194132697630244074950529107794905761549606578049632101483460345878198682237227139704889943489709170676301481918176902970896183163611197618458670928730764124354693594769219086662173889094843054787693685403229558143793832013288487194871165461567L, 814161885590044357190593282132583612817366020133424034468187008267919006610450334193936389251944312061685926620628676079561886595567219325737685515818965422518820810326234612624290774570873983198113409686391355443155606621049101005048872030700143084978689888823664771959905075795440800042648923901406744546140059930315752131296763893979780940230041254506456283030727953969468933552050776243515721233426119581636614777596169466339421956338478341355508343072697451L, 17101222758731850777

## solve.py
from scryptos import *
import hashlib
import gmpy
'''
References:
[1] Hitachi, Ltd. 2001. Specification of HIME(R) CryptoSystem - http://www.hitachi.com/rd/yrl/crypto/hime/HIME_R_specE.pdf
'''
SECRET = 'ASISCTF-17'

C0 = [ hashlib.sha1(SECRET[i:] + SECRET[:i]).digest()[:16] for i in xrange(10) ]

## dcquals2017_reeses_revenge_exploit.py
#!/usr/bin/env python2
import socket
import struct
import telnetlib
import sys, time
import pwn

HOST, PORT = "127.0.0.1", 1234
HOST, PORT = "reeses_fc849330ede1f497195bad5213deaebc.quals.shallweplayaga.me", 3456

## jochemsz_may.sage
from sage.all import *
import itertools

# display matrix picture with 0 and X
# references: https://github.com/mimoo/RSA-and-LLL-attacks/blob/master/boneh_durfee.sage
def matrix_overview(BB, bound):
  for ii in range(BB.dimensions()[0]):
    a = ('%02d ' % ii)
    for jj in range(BB.dimensions()[1]):
      a += ' ' if BB[ii,jj] == 0 else 'X'

## supercomputer-solver.cc
#include <cassert>

#include <NTL/mat_GF2.h>
#include <NTL/GF2.h>

using NTL::GF2;
using NTL::mat_GF2;
using NTL::conv;

int g(GF2 x1, GF2 z1, GF2 x2, GF2 z2) {

## hint_calls.py
'''
IDA plugin to display the calls and strings referenced by a function as hints.

Installation: put this file in your %IDADIR%/plugins/ directory.
Author: Willi Ballenthin <william.ballenthin@fireeye.com>
Licence: Apache 2.0
'''
import idc
import idaapi
import idautils

## generate.py
from binascii import crc32

def lcg_step():
    global lcg
    lcg = (0x5851F42D4C957F2D * lcg + 0x14057B7EF767814F) % 2**64
    return lcg

def extract(val):
    res = 32 + val - 95 * ((
        ((val - (0x58ED2308158ED231 * val >> 64)) >> 1) +
	#!/usr/bin/python
	import sys

	# Credit: https://crypto.stackexchange.com/questions/52292/what-is-fast-prime
	generators = [
	(2, 11), (6, 13), (8, 17), (9, 19), (3, 37), (26, 53), (20, 61), (35, 71),
	(24, 73), (13, 79), (6, 97), (51, 103), (53, 107), (54, 109), (42, 127),
	(50, 151), (78, 157),
	]
	# Generate a new pgp key: (better to use gpg2 instead of gpg in all below commands)
	gpg --gen-key
	# maybe you need some random work in your OS to generate a key. so run this command: `find ./* /home/username -type d \| xargs grep some_random_string > /dev/null`

	# check current keys:
	gpg --list-secret-keys --keyid-format LONG

	# See your gpg public key:
	gpg --armor --export YOUR_KEY_ID
	# YOUR_KEY_ID is the hash in front of `sec` in previous command. (for example sec 4096R/234FAA343232333 => key id is: 234FAA343232333)
	from sage.all import continued_fraction, Integer, inverse_mod

	pubkey = (1696852658826990842058316561963467335977986730245296081842693913454799128341723605666024757923000936875008280288574503060506225324560725525210728761064310034604441130912702077320696660565727540525259413564999213382434231194132697630244074950529107794905761549606578049632101483460345878198682237227139704889943489709170676301481918176902970896183163611197618458670928730764124354693594769219086662173889094843054787693685403229558143793832013288487194871165461567L, 814161885590044357190593282132583612817366020133424034468187008267919006610450334193936389251944312061685926620628676079561886595567219325737685515818965422518820810326234612624290774570873983198113409686391355443155606621049101005048872030700143084978689888823664771959905075795440800042648923901406744546140059930315752131296763893979780940230041254506456283030727953969468933552050776243515721233426119581636614777596169466339421956338478341355508343072697451L, 17101222758731850777
	from scryptos import *
	import hashlib
	import gmpy
	'''
	References:
	[1] Hitachi, Ltd. 2001. Specification of HIME(R) CryptoSystem - http://www.hitachi.com/rd/yrl/crypto/hime/HIME_R_specE.pdf
	'''
	SECRET = 'ASISCTF-17'

	C0 = [ hashlib.sha1(SECRET[i:] + SECRET[:i]).digest()[:16] for i in xrange(10) ]
	#!/usr/bin/env python2
	import socket
	import struct
	import telnetlib
	import sys, time
	import pwn

	HOST, PORT = "127.0.0.1", 1234
	HOST, PORT = "reeses_fc849330ede1f497195bad5213deaebc.quals.shallweplayaga.me", 3456
	from sage.all import *
	import itertools

	# display matrix picture with 0 and X
	# references: https://github.com/mimoo/RSA-and-LLL-attacks/blob/master/boneh_durfee.sage
	def matrix_overview(BB, bound):
	for ii in range(BB.dimensions()[0]):
	a = ('%02d ' % ii)
	for jj in range(BB.dimensions()[1]):
	a += ' ' if BB[ii,jj] == 0 else 'X'
	#include <cassert>

	#include <NTL/mat_GF2.h>
	#include <NTL/GF2.h>

	using NTL::GF2;
	using NTL::mat_GF2;
	using NTL::conv;

	int g(GF2 x1, GF2 z1, GF2 x2, GF2 z2) {
	'''
	IDA plugin to display the calls and strings referenced by a function as hints.

	Installation: put this file in your %IDADIR%/plugins/ directory.
	Author: Willi Ballenthin <william.ballenthin@fireeye.com>
	Licence: Apache 2.0
	'''
	import idc
	import idaapi
	import idautils
	from binascii import crc32

	def lcg_step():
	global lcg
	lcg = (0x5851F42D4C957F2D * lcg + 0x14057B7EF767814F) % 2**64
	return lcg

	def extract(val):
	res = 32 + val - 95 * ((
	((val - (0x58ED2308158ED231 * val >> 64)) >> 1) +