Digital Signature

In this challenge, you will perform an RSA digital signature generation using a pre-defined secret key in private_key.pem. The message to be signed can be found in message.txt.

Please use Python's hazmat modules. The private key is serialized in the PKCS8 format and protected using a password b'skpassword' via BestAvailableEncryption. The encrypted message is padded according to PKCS1v15.

You can verify your result by /challenge/solve.

Forging an RSA signature for arbitrary message is easy as long as a signature oracle is given, even when the oracle is set not to sign certain harmful messages.

This challenge provides you a RSA public key (N,e) and a message m in context.txt, and your goal is to get the signature for m. However, the oracle is programmed only to sign messages of which the last 20-bits are zero (assuming the integer representation). Also, you are limited to query only once.

To query for the signature for message m', use /challenge/oracle m', where m' is an integer.

To verify the signature for message m, use /challenge/verify signature, where signature is an integer.

Diffie-Hellman key exchange also works on elliptic curves. In this challenge, you will play the role of Alice to compute the derived key. Similar to the previous Diffie-Hellman challenge, it would be convenient if you use Python's hazmat module. The private key is serialized in the PKCS8 format and protected using a password b'alicepassword' via BestAvailableEncryption. The curve is secp384r1. The key derivation is done by HKDF based on SHA256 (with info b'handshake data').

You can verify your result by /challenge/solve.

Python's cryptography modules provide interfaces for signing x509 certificates. In this challenge, you play the role of Certificate Authority to sign a certificate for your own public key.

Your private key is stored in key.pem in the traditional openssl form and is protected by a passwork b'passphrase'. Your certificate also contains your country, state, locality, organization name, and common name, which are US, Arizona, Tempe, SCAI, scai.engineering.asu.edu. You will use a fixed serial number 5371057310573120643673490341432. The start time is 05/15/2025 and the expiration time is 05/25/2025. The DNS is simply the localhost.

Please store the certificate in .pem format. You can verify your result by /challenge/solve LOCATION_TO_YOUR_CERTIFICATE.

ECDSA can be insecure if it is not correctly implemented. In this challenge, you will find some signatures in signatures.txt. They are generated over curve secp256r1. For i from 0, the i-th row is a signature for the message this is message i. This string is encoded in utf-8 format to bytes before hashed by SHA256. The hash is converted from bytes to int using big endian. You need to find the vulnerability and get the secret key used to sign these messages.

You can verify your result by /challenge/solve.