Description
A friend wrote the RSA signature code used by a server for authentication. He took care to have code that runs in constant time using a ‘Square and Multiply Always’ type of exponentiation. However, he reused this code in his smart card.
It is then possible to recover the card’s private key by disturbing the signature computation.
The file mille-fautes.txt contains a log of the faults from a successful attack, allowing the recovery of the private exponent d.
The performed attack is described in the file mille-fautes.py.
The signature code is in the file RSA.asm, which is called using a virtual machine that supports fault injections (files machine.py and machine_faulted.py).
The fault model consists of assigning a random value to the destination register if the faulted instruction was supposed to update a register.
The expected flag is in the format FCSC{d}, where d is expressed in base 10.
The documentation of the virtual machine is available on this page.
Files
-
assembly.py
20.84 KiB – db186ab7dfb5f5e7f4790f1afc951deda349a8a9565a57b6328da2ba89965525 -
crypto_accelerator.py
5.34 KiB – fe3c3f0ef53ec9e4be03ac6843b59b9879e7c8102325e2f323c1adad1e80e192 -
machine.py
19.96 KiB – 048716eab19f32556b08fbea73a07b641f29fa0ff795abd407ead484e3d5041c -
machine_faulted.py
381 B – fff04c758a8017e0ef27e19c5264435d081446779d52acb3d0e01724c7e5d34c -
mille-fautes.py
1.22 KiB – 5fac638d46079af8d93466a7918f66b38a5ec72a10cab70c195779c7db89799f -
mille-fautes.txt
80.81 KiB – 3c1d81d6e5b20b602507dede3126b70aa4d61be432c20148100cc3530db10556 -
RSA.asm
585 B – ab4b6c384856d1c20f8e54172d1ba3f1bc472c0d24e0a35df2bb61717f5f9e75
Author
Flag
Submit your solution
You can submit your writeup for this challenge. Read the FAQ to learn how to proceed.
You need to be logged in to submit a writeup.
Writeups
There are no public solutions for this challenge yet, but you can submit yours after getting the flag.