Limited Entropy Dot Com Not so random thoughts on security featured by Eloi Sanfèlix


A story about Chinese, Bells and Injections : CPEU Wargame challenge

I wanted to share with you guys the little challenge I prepared for the Campus Party Europe. The wargame was organized by SecurityByDefault and took place during the last couple of days.

I was asked to prepare a cryptography challenge for it, and I delivered a little problem that became the level 4 challenge in the crypto category. The problem is based around RSA with 2048 bit keys and AES in ECB mode with 128 bit keys.

The idea was to give some real crypto instead of the typical break-classic-crypto or find-the-needle-in-the-haystack challenges. Of course, I am not asking you to factor an RSA-2048 modulo (well, I am, in a way...) nor breaking AES in a mathematical sense because that is not feasible nowadays. You have to find the trick ;-).

Want to challenge yourself? Give it a try!

I'll leave the challenge here, and the solution will be published in SecurityByDefault in some time. If you have questions or want to share ideas with me you can use the comments, but please do not spoil the solution for other readers!

These are the instructions:

Dear agent,

In one of our missions we have intercepted an email containing a file encrypted with AES in ECB mode with a 128 bit key. Together with the file there was what we suspect is the AES key encrypted with a 2048 RSA key, which we found to be as follows:

-----END PUBLIC KEY-----

The encrypted AES key is as follows:


Although it was a tough mission, our Operations team did a great job and was able to provide the following information on the target:

- It uses a cryptographic device that contains a 1024 bit modular exponentiation accelerator
- The device uses the same key for decryption and for signature generation

In addition, the Operations team modified the hardware used by our target and was able to collect a pair of RSA signatures over the same data. One of these signatures contains a fault injected thanks to our hardware modification, while the other one is the correct signature. These are the signature values:



Unfortunately, the team was not able to obtain the private RSA key nor decrypt the AES file. It is critical for the mission to obtain the contents of the encrypted file. Your task is to obtain the contents of the AES file.

Good luck!

PS: All RSA operations are RAW operations. This means no padding, just modular exponentiation. For keys smaller than the modulus, the padding is null (i.e. zero bytes).

And the file encrypted with AES can be found here.

Posted by Eloi Sanfèlix

Comments (6) Trackbacks (2)
  1. Hi,

    Thanks for thie chanllenge :). But… where is the encrypted file?

  2. Hi,

    Two things…

    1) Is supposed to have access to the encrypted file? This would help.
    2) The 2 signatures are about the same data, but… There are obtained using the AES encrypted file, or a specific text?


  3. Hi David,

    Sure, I forgot about the encrypted file although you don’t really need it till the end. I’ve just uploaded it to .

    I’ll update the post. Thanks!

    With respect to the signatures, they are exactly signing the same data. It’s just some data completely unrelated to the AES key or AES file or anything. That’s the key, it’s the same data but one of them has a fault and was computed in a wrong way.


  4. Great challenge! I’ll post my solution in a couple of days, so people can try it first.

  5. @Anonymous , sorry man, your comment went into the Spam queue and didn’t see it till now. Now the file is linked on the post ;-).

    @vierito5 Thanks!

  6. As you can see from the trackbacks, vierito5 his write-up with the solution of the challenge.

    He solved it during the wargame, just out of curiosity, did anyone solve it from here? 🙂

Leave a comment