# Network Security Assignment 1 ## Exploiting Textbook RSA Signatures (Task 2) #### Pernille Pallesen 201909457 The task: *You are given the source code of a simple website that a professor has created to automate annoying tasks such as grading. It also distributes quotes to particularly good students. To prevent students from coming up with their own grade, the website authenticates them with RSA signatures. Since the professor is quite lazy and does not want to be bothered by students, he/she provides another API to sign any paperwork except grades.* *Your task is to obtain a signed message stating you got a 12, so that you can receive a quote. To this end, you can use the given API and the malleability properties of plain, textbook RSA.* The solution is written in python and can be found in the `topgradestudent.py` file. I used Python version 3.10.7. ### What is Textbook RSA? RSA (Rivest-Shamir-Adleman) is an asymmetric encryption algorithm, which uses prime factorization as a one-way function. This means that it is easy to encrypt, but difficult to decrypt, since prime factorization is using the fact that every positive integer can be written as composite primes, and this is very difficult to compute for large numbers. This is useful, as you can quickly encrypt a message while making it difficult for others to decrypt it without the private key. When a message is sent it will be encrypted with the receiver's public key, and then the receiver will decrypt it with their private key. ### RSA Signatures RSA is also used for signing, which means that when a message is sent, it will be signed with the senders private key, and the receiver can then verify it by using the sender's public key. ### Why is Textbook RSA bad? Textbook RSA has some flaws, and these can be quite undesirable. For example the fact that it's deterministic, or that you can alter encrypted messages' plaintext. Having a deterministic function can have it's benefits and it's drawbacks. These drawbacks can make it prone to attacks as well as making it semantically insecure, as part of the plaintext can be extracted from the ciphertext. Another aspect of Textbook RSA was introduced by David Chaum as a means to sign a message without having the signer read the message they are signing. Chaum called it Blind Signatures. One of it's first uses was both electronic voting systems and digital cash schemes. This method is what allowed me to have a message signed by the server without exposing the plaintext, which I achieved by blinding the message before sending it to be signed. ### Implementation To solve the task, I want to get a signature for a message stating that I got a 12, so that I can recieve a quote. From the given API in the assignment, I can see that I can use the path `'/sign_random_document_for_students/'` to send a message, and then recieve the signature for the message. However, this does not work if the message includes the words 'grade', '12', 'twelve' or 'tolv', and since I need to get a message signed that includes '12', I can not just send it this way. Therefore, as mentioned earlier, I need to use blind signing. These are the steps I used for blind signing: * Pick the message you want to send. * Blind the message by multiplying it by a random factor r^e mod n. Here, e is the public key and n is the modulus. The random factor r needs to be co-prime with n and 0<r<n. * Send the blinded message and recieve a blinded signature for the message. * Unblind the signature by multiplying it with the inverse of r mod n. * Now you have the signature for the original message, and you can now create a cookie with the message and the signature. * Send the cookie to the `'/quote/'` path and recieve a quote, meaning you now got a signed message stating that you got a 12. These steps are also clarified as comments in the script `topgradestudent.py`. ### How to use the Implementation In the script I implemented the option to pick the local server (http://localhost:5000/) or the remote server (https://cbc-rsa.netsec22.dk:8001/). This option can be changed by setting LOCAL to True (to use local) or False (to use remote) in the script. ``` LOCAL = True OR LOCAL = False ``` If the local server is used, it needs to be running first. For this i will refer to the README in the github for this assignment: https://github.com/dfaranha/netsec-e22-assignments/tree/main/crypto/rsa-signatures under *"Running the Service Locally"*. Required modules: * requests * math * random * json * base64 * beautifulsoup4 I used Python version 3.10.7, but any version 3.10.X should work. Then, you can simply run the script: ``` $ python topgradestudent.py ``` ### Known Bugs For some random facor r's, the script will fail. This happens when r is used to make the blind message, and the blind message is made into a hex that has an uneven amount of characters. To generate a new r, simply run the script again.