创建: 2023-12-11 16:09
https://scz.617.cn/misc/202312111609.txt
ECC公钥(pub.pem)如下:
-----BEGIN PUBLIC KEY-----
MIIBMzCB7AYHKoZIzj0CATCB4AIBATAsBgcqhkjOPQEBAiEA////////////////
/////////////////////v///C8wRAQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAEIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHBEEEeb5m
fvncu6xVoGKVzocLBwKb/NstzijZWfKBWxb4F5hIOtp3JqPEZV2k+/wOEQio/Re0
SKaFVBmcR9CP+xDUuAIhAP////////////////////66rtzmr0igO7/SXozQNkFB
AgEBA0IABADEclsh8RJbhCu4meeZlw0gzBz1qTgoiLpK09ATpsF/BpHlr7syDmqf
QDw39Axe+HDZwECCIkHgUgAjiP2kpww=
-----END PUBLIC KEY-----
三组明文如下:
xxd -g 1 message_0.bin
00000000: 54 68 69 73 20 69 73 20 74 68 65 20 66 69 72 73 This is the firs
00000010: 74 20 6d 65 73 73 61 67 65 2e t message.
xxd -g 1 message_1.bin
00000000: 54 68 69 73 20 69 73 20 74 68 65 20 73 65 63 6f This is the seco
00000010: 6e 64 20 6d 65 73 73 61 67 65 2e nd message.
xxd -g 1 message_2.bin
00000000: 54 68 69 73 20 69 73 20 74 68 65 20 74 68 69 72 This is the thir
00000010: 64 20 6d 65 73 73 61 67 65 2e d message.
两组ECDSA签名如下:
xxd -g 1 message_0.sig
00000000: 30 46 02 21 00 90 2e d0 16 f3 b7 58 87 64 85 e3 0F.!.......X.d..
00000010: 3c 6e a3 d4 db 8e f1 a3 3b 7d 83 ce 26 de eb 75 <n......;}..&..u
00000020: 1d 11 7a 82 9d 02 21 00 a3 c5 89 cc 08 4b a4 b5 ..z...!......K..
00000030: 4b f1 84 e2 2b a5 e6 e4 8f 58 21 10 8c 8c 9a 49 K...+....X!....I
00000040: d0 0f 8f cf 4a fc bc b8 ....J...
xxd -g 1 message_1.sig
00000000: 30 46 02 21 00 90 2e d0 16 f3 b7 58 87 64 85 e3 0F.!.......X.d..
00000010: 3c 6e a3 d4 db 8e f1 a3 3b 7d 83 ce 26 de eb 75 <n......;}..&..u
00000020: 1d 11 7a 82 9d 02 21 00 c9 bb 9b 55 86 ef 05 8e ..z...!....U....
00000030: ba 76 3d fe f4 6b 16 09 45 78 01 84 d0 16 09 33 .v=..k..Ex.....3
00000040: 45 f8 71 fc 1a 65 7a 45 E.q..ezE
已知k值固定,ECDSA签名数据由类似下列OpenSSL命令生成:
openssl dgst -sha512 -sign priv.pem -out msg.sig msg.bin
验证签名命令类似:
openssl dgst -sha512 -verify pub.pem -signature msg.sig msg.bin
openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
题目要求
a) 参照Sony惨案还原k值、ECC私钥
b) 用还原得到的k值、ECC私钥对message_0.bin生成ECDSA签名message_0_other.sig,应与message_0.sig完全相同
c) 用还原得到的k值、ECC私钥对message_2.bin生成ECDSA签名message_2.sig,用已知ECC公钥验证ECDSA签名
整个题目完整模拟了Sony惨案,攻击者获取两份用同样k签名过的PS3游戏,最终还原了Sony的ECC私钥,进而对第三方游戏进行ECDSA签名,使之可运行在PS3上。
所以已知数据在此:
https://scz.617.cn/misc/SonyECCChallenge.7z
原文始发于微信公众号(青衣十三楼飞花堂):椭圆曲线加密算法之Sony惨案模拟题