Description
A friend wrote the RSA signature code used by a server for authentication. He took care to have code that runs in constant time using a ‘Square and Multiply Always’ type of exponentiation. However, he reused this code in his smart card.
It is then possible to recover the card’s private key by disturbing the signature computation.
The file mille-fautes.txt contains a log of the faults from a successful attack, allowing the recovery of the private exponent d.
The performed attack is described in the file mille-fautes.py.
The signature code is in the file RSA.asm, which is called using a virtual machine that supports fault injections (files machine.py and machine_faulted.py).
The fault model consists of assigning a random value to the destination register if the faulted instruction was supposed to update a register.
The expected flag is in the format FCSC{d}, where d is expressed in base 10.
Files
-
assembly.py
20.84 KiB – db186ab7dfb5f5e7f4790f1afc951deda349a8a9565a57b6328da2ba89965525 -
crypto_accelerator.py
5.34 KiB – fe3c3f0ef53ec9e4be03ac6843b59b9879e7c8102325e2f323c1adad1e80e192 -
machine.py
19.96 KiB – 048716eab19f32556b08fbea73a07b641f29fa0ff795abd407ead484e3d5041c -
machine_faulted.py
381 B – fff04c758a8017e0ef27e19c5264435d081446779d52acb3d0e01724c7e5d34c -
mille-fautes.py
1.22 KiB – 5fac638d46079af8d93466a7918f66b38a5ec72a10cab70c195779c7db89799f -
mille-fautes.txt
80.81 KiB – 3c1d81d6e5b20b602507dede3126b70aa4d61be432c20148100cc3530db10556 -
RSA.asm
585 B – ab4b6c384856d1c20f8e54172d1ba3f1bc472c0d24e0a35df2bb61717f5f9e75 -
vm.md
27.75 KiB – 0d241df97205c1ea035561b006926949e768e749d997f43f50569e416ee11cdc
Author
Flag
Submit your solution
You can submit your writeup for this challenge. Read the FAQ to learn how to proceed.
You need to be logged in to submit a writeup.
Writeups
There are no public solutions for this challenge yet, but you can submit yours after getting the flag.