[ Log On ]
  • Home
  • Tst
  • Cha
  • Enc
  • Code
  • IP
  • Fun
  • Sub
  • DigF
  • Cis
  • Com
  • Db
  • About
  • Netsim

Cracking the Private RSA Key

[Back] One of the weakest things about cryptography is that you might have a strong encryption key (such as a 128-bit or 256 bit key), but you create it from a pass phrase, or where you protect it with a password. This considerable reduces the strength of the key. For example, if our password is generated from a list of 1,024 words, we only have an equivalent key size of 10 bits. For one million passwords, it rises to 20 bits, which is considerably shorter than a 128-bit key. The overhead is the time taken to try the key.

So let's look at cracking the private key. The RSA private key can be stored in a PEM file format. This applies a passwords onto the private. Unfortunately this can often be cracked with a brute force or dictionary attack.The method we can use is illustrated below:

First we generate a private key and setup a password of "qwerty":

:~/crackkey$ openssl genrsa -des3 -out private.pem 2048
Generating RSA private key, 2048 bit long modulus
....................+++
...+++
e is 65537 (0x10001)
Enter pass phrase for private.pem: qwerty
Verifying - Enter pass phrase for private.pem:qwerty

Note that we can also use the "-passout" optionn to automate the password:

openssl genrsa -aes128 -passout pass:qwerty -out private.pem 2048

Next we will list the key:

:~/crackkey$ cat private.pem 
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,8D8D035DDCEBAEEE

tpNB6AxbpSpYiNQnFroHMFruBG5/TOnGXSVXxmHPRHkctUvhChMHy2g3WKxe+Gm2
+UgCU5r8xZ6pyJ6QcVDJjV2cybRtjpBeoqDd9s30FaXoTHQLQhYm/yME8iP7NWxl
+oxUk+NlVqWClfWlxKYEYqLfKjTQvpO64TBHv3lBw8DhApRLbNB2Z9KMtxt/c7UE
ULzJDYCxQWpYmhP2YcDUp/juOCjxoRAicVDiW2F6MbfXiy3urlMV81frHpcjkwPW
FcetsPr5pBhypdY9nf3zQYQsXyw1X/OlcINPZsTJpIyyd1JYEfWQ0Wyye7Y0Oy45
0jlxKMRrfCeWgo3RhuYGDuRqpJdB++3t1WWY/A1ml6VqX77ZX00lNRDpESnw5lYd
R1pVO9lvsVXExrP/CoUpn3IjGc+hEKyMZzXXnpMpCjg1K5SppJT018n9Yqwa0kVw
FFxKPqoPo4M7o4KuAgYzrE8ntenIm0H9F9UDBWenbGVSOmzlAt+ONmpwQwNd54E7
vSc47m6AON7cHK9d3AzkSwZD19WofQYSEupaa2InCu1FTrca9HB7aKSK94+3Tq97
aWzajJk2eMWUcyEWzO5sR5jmJMthPBQYHio3z02aLhRoUBrA2iMUAY2wKniUnk1b
v3U8P1GRE9VIscchbyQvbQh4SlLUGlg7t5oixBwUYZgG7zdWmHmsiDtCWlpqhsCR
2Gx5suA/luRJG6OG2AZjkW5YKgkjAjQlqS+WduB/cWHHBBKlRwc/vXzt8tEUs+5q
bT3jgPUIh4swWtK7o76XibSMq1FWCMOFSGXMKG2x4fjjLmXRQpzwfgPLxSnPdfi0
XjuVEcRyAgJDpNzCpile33VYT9iWGQl2WHGQ7OjYTeGejER5AKalHLYR1weUC5rV
yRTdCdwAf2QfagSu8iB+PhIWi6sVemTD95pmgX/FT5sry/8kIGM9ofmGuBz2OtFa
hRi2xcHtmiCajwwXY6chLYH0D9AcHNZVPyQ1g620e2OhLuLyCLYZ29mpplIsTLT+
IY2FVRbp4hwnuJFWUGKfEHwJSi6pM21/yzvG80E5Zarnroza8iFcFE31G9Hzsy6Q
jAf0niY8xG9LrXQwPLgvSTkAsgprMYOvNoDPyYISqxnAN8hyWzg2SwcSBYTt+gsu
U2uU4PZyQZcZMAx/ipxPqznVjJERPNswMdrulXjHi/ogRotItmnGqjRl6UY3IS70
uKhdk0vpmRGcsMGa7DjqGRcCPptnFn6A8ASJeuP1qga4WCFOTJeBs8kGP9HiTy/N
DlnxhlQHDWNdLlUwKmOW5pqgrM12hLVf4TVTR7wjUuC7wzBp/1bhaiUifr8p8Ie0
mvC9Pz79TWg7oKCZCkdOv6valYqtwFXN7mu/a/neHOFh7Tqao9q5+iK1zdpwX1jv
ESn/O/zOFCFcK1Q2M66P9rvGqv73U2zyO22219LpbEqWh0IHARmikaZgS6XLHGVZ
mNQyjfDsO55zJHVOVA6+pw2W09fZVBS1xgV4hK3q3Egx2KytLzVtcOeTK+2MZTwb
aMBMYui04Dc4PklgwUO7cSpMG9GhBn3W0cNx8ppBXwCDFnGyaA5kfG3HjaFcseDn
-----END RSA PRIVATE KEY-----

In this case we have encrypted the key with DES-EDE3-CBC (3-DES) and with a salt of "8D8D035DDCEBAEEE" (as we used the -des3 option, and where other options include -aes128, -aes192, -aes256, -des, and -idea). Normally we would export the public key with:

:~/crackkey$ openssl rsa -in private.pem -pubout > key.pub
Enter pass phrase for private.pem: qwerty
writing RSA key
:~/crackkey$ cat key.pub
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsp0LoOvjc5eyjcFD6wJy
SvQRBf6E++VbXCKWhB2X387j6vwjP0wKxw5BVrvFf/YfLBZnN30a598vr3exhxii
A6r8pMl4mxkuNSn0EfPHHWACdmdBCBMhOqvnjivaAXoy9P857EY1jRJGmP+04Wcd
Pi74dVNfMlJ6h37+iQl2k5c94+A3AtDw2+lNDZx621zOUa3fUjH1ECk6eBBMITt6
C18CxzigoKGau+bXxusWtbY6illKNOFskQNrED9F2qZdt6882bzc/wXVyELBVHqk
MgbjNTGW+bH9CpIsnuTdL/TCg0Ade6KUaBqOww42CJt0nmPD0ubs82Pyd/2b6krc
VQIDAQAB
-----END PUBLIC KEY-----

If we try the wrong password on the private key file we get an exception:

:~/crackkey$ openssl rsa -in private.pem -out out.key -passin pass:password123
unable to load Private Key
140735838671752:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/crypto/evp/evp_enc.c:529:
140735838671752:error:0906A065:PEM routines:PEM_do_header:bad decrypt:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/crypto/pem/pem_lib.c:486:

Next we will try the correct password:

:~/crackkey$ openssl rsa -in private.pem -out out.key -passin pass:qwerty
writing RSA key

and the message we receive is "writing RSA key". We thus just need to write a Python program which reads-in a dictionary file, and then detects the "writing RSA key" message. We now use a dictionary file (pass.lst [link]):

:~/crackkey$ head pass.lst 
12345
abc123
password
computer
123456
tigger
1234
a1b2c3
qwerty
123

And then run some Python code:

:~/crackkey$ python keyscrack.py 

0/3106
1/3106
2/3106
3/3106
4/3106
5/3106
6/3106
7/3106

The key is: qwerty

And we have cracked the key. If we view the key, we get (out.key):

:~/crackkey$ cat out.key
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA2KVGBwQdq9QyUWGPqvktNcyu3CqiZRHDlWihP3NxXklkbxa+
3L2z+hS4xxKCj6YSOOXuOCYElcjr+2oNRgvH2ExM5hQxWeYxjZQmn60rY8bQJrJQ
Zhov5U/zIdItToEakRbX1SwSPIWW5Dtqu7Q4ptN62eM6Uvkkpa/FBrRy6p+bpRPB
Z/28VAcMUVyRAUIYV8yFRY+gP3i3T1rnhEeax4omNrXN7bcw/znRxdTl2wplliMw
sJ9EXKucz4+d9xSjFK9qvsinU2xk4/5q2Sh+2TTqpvT8dYQZQl/SPBAolyT2wo+w
IQoHjvOq/L3buGubHNpfzl2hOrfWHnCCMGUvmwIDAQABAoIBAQC9UUAupWQgYeBO
yYi4ieL+Ho23i/I5jBp0F+jA/+rT0CLaCPBlCcmbAjyuifhZ+2/1FMjlfCOJmPjO
zVAoI+dRluukK4Us4EHxTMOrybIfEP+YsT4c20l7hDAdIAPDlIJYw7N8b3TIOp0v
eNS+jrDq5+d1PGIdW+awezcbstixOYkGi+MMGjPn0sHxr0G11B6GEzXy4JbQTatF
QD9Q6o8oO1p+0NS0WBaMnDdHQ9bmpVYA4LJHP+wIePZKJgNPpjaXOvNtD/4HRUwW
W/zuMEUs6D35k8VwhPfe5yo6ixGO7lZaen1cpXy/JjAELC434N2LpWeeZW6sIjtp
q03dmLMRAoGBAPMO15gvkNFQ5fYA4q/SQINX5QUSPy0xLp58uxCp/nMopB1Adroy
qXu/rvySmnizNHSOCYUwMOJg5VibpiezdzzNVPgYI3egrL7RnIUQ7fP2bu9McnSl
KI2i8GYXwWatxBnoIaZjRDUQsxDjnV3GNoHK0qT5PDQb1paGoCh1HNwvAoGBAOQu
ZoeugDXytlWZcuZtNlO8aF0HmD+zKSeR35IdrUZTkSLw681XBy/JgvdMzQaJ88xw
VrwRZOaHHE13/VIDdCz1DX9WP9z6jLX6ULfGiuYouS9CuK0cWMEcrnjR+O6V2fWt
IGTYSQn2tQqpVHoaA0vP1xAqsQ/sA/uWCBXRiCxVAoGBAJ/GbPDsq6z9Gf3pvRpJ
AwGUIMeBpCgIAZZLdgjRRqPa3m8gNivWK9VePyBnGsYnP18zE40LDcdyXLEvuDy2
27YLYESqUX5ND+FsFxDd/R33LBuATGjjPNJGfvMNwKPHrHY/QweGj4q2jI+YoJTJ
PIF7m5a5A9tZRWmz28pcmfkfAoGANmmKMZi/Ih46tLbe22v3pIgtKuIAwE/s5G64
rZM+GqMa3QYudMzn/dFD1c0OpxyGcp3nUPmk4gQeD6spUUFZls7o5RCgMgXdQBfs
36YMwU28uzRh7YXw9DvurwkDH4HEc/1Q2DtrT2DxUxWF+4fweUeatVQ43N8fJANm
8i0BF/ECgYEA7EMU9jdNgb0aBZLqrRZpBWa2WFreUsA9aLc8oeM6XxdOPi7DDW5S
merJ7GhaucXP+eafnG5iB5xb/CpJWI4RwalknhaTmEpLO+vwFeSv8fuTRhq4ySO+
woSIOMMkyvF5HVy0Osxy203tTtj2/Y+0anJd79ZmdRqgVT5doF4jLM0=
-----END RSA PRIVATE KEY-----

Python code

The Python code used is:

from subprocess import PIPE, Popen
import subprocess
import sys

def cmdline(command):
    proc = subprocess.Popen(str(command), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=T$
    (out, err) = proc.communicate()
    return err

def main():
    words = [line.strip() for line in open('pass.lst')]
    print("\n")
    count=0

    for w in words:
        strcmd = "openssl rsa -in private.pem -out out.key -passin pass:"+w
        res=cmdline(strcmd)
        if res.startswith("writing"):
                print("\nThe key is: "+w)
                sys.exit()
        print(str(count)+"/"+str(w))
        count=count+1
    print("\n")

if __name__ == '__main__':
    main()

Presentation

Puzzle

Can you solve the password on the following [file]:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,15D541B6D82BC43C51240532FBCFD84F

TJFHpBez3sMkQIiA7JOw+7sjnr87Vpq98eRqWtOgSGjXWQ6f0fjx+PZ6DoBaI2pE
JcMbINBvGlOyk66/GGWrowgJnipzj4UTOtWRp7k38PETBwNt+1o2cZ8nB8emyjVz
0JnZ3Skf1NZnf4SOVvwYhOwGRPS89bbRFUN/HPg/46Km+GEJjmzipRKoyZZpPNdu
I/0pCdyTZypuciF8IzKMnrQA0k2llEG4no5/pGYz+SJ/Y+32Tdl1cpoCeND03NYL
bjye2EL1wC+ecXAFWlAKrze/Xk2Ed18sigBSRjgBLWPh9kcWTXDnvELriIotlHa5
qAGbxShHTI4Xeci7VepUW+WdNGuDtBgUbCn47tKZrA0aXp71re8AQOLO6pKlSL3r
bsl3ps7pk/q9CF9fdyhcHygCddhPi96qhhaV5hqI1tM4XW+BC0yLAkzMIRHfgaBy
kEwr2v6fC6IT4lEAlpl9ebbXlLUXLkex8+pnpa+BsLHbqxKXn6evl7stO3RjrXNk
DbGptzj5rKOONu12KxYk5v3B0IjB7plFY/8c1yVELwuLHv2nFSClewOUS6WW9GI7
yqdC/2HQ0bGOga9IOC9KISnwIaTADJfi3UO1J+WJnPBte508a7BHNxKG80QZuggT
OmVzebiOn0aIAs5WlpLPcYbcsPCDAucNk0fKMynu5uHhAnpxQntGf1MzfoZs+aZD
0LpwztfNPw66dWF6LrU0bn59B3X764XfmgSi3mx9AGz4DEP51pWe8fUmLztcWnze
dvXtmb2Qu21BgCl79wwsTMXs1kDYeUqNk6r1B6S9u5LT0v1lfcfcDx+0YKWCs0hN
g94MrnpV/EnIwdCHs4u5FeZEAveinHFNqAqJerdq9uJBBCShJi3QXp1y4Z/Z2GL3
/N47hNDDZ3o8IoRZiKRVi4UgH8Niavfjbk+AJ5710AudzzgYyePo906WMOVVCvaL
nzmhdV+phXfA6Scb8wStoZtimrNnJWZoByLwJUdWHcqa735uewUfUnHcVp3StCiB
MwRzH0UvK//oZGvSbb+Nsy/1eDHK3DuAAmo+WF9m8jrl8JTM4rUVqgJCkmouIkW9
rxSWHFvup+e4fRYLLuZqfkKOsamPRxg1at7m2L/FG0UOQGBHTjbIX6/dHM7I7Ymp
VlxAv4s8wpeff/1Tm1EiDPqt/+vb/tej/VmxRS/f0Oa+gZtDx9s55hZ1WKbQO+G0
uC6jjBLCz4+eSYhXs5eRV5PUjHQoTymjeiBiwLynBWD3DGH4tt11BbysqmksrUxu
FKnbDPPdyGYiuP6Ax6YC3F9dL4S+7MAxc2+pHnLHYfW4L1anvgsyRUtbwvK9LrFy
bjsnJCMgIVqoJ50apPn0eOGXDVfimisCRBOBT9AhlZbG9jNXU9fnhI9zB5FZMytq
HXbBLxnN0Pa3qZavLz5KTiDmoXiyXo7asoTTrnDkoyJtz8mUzGRfp8LrR8XXHJ2l
Zge+3et6+2jgpGBioz/19RYpDhgHNFr8RsmDFbpofKmEi6RcEuY9p+q9JL7rHOPY
+Sn/wkC9G/MsjgduyX8NT4aBOv5PjuI+evCsIebm0i1rKXkurwUMyM33nEVljNpY
-----END RSA PRIVATE KEY-----

And this one [file]:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,A3BFD60060A709639D2B4D6794BA7174

CxefW9kF6wFjTqgxg2V2phMKgtmKi0UxzXGd125z8b42VQY8BnRPSlXvs/a9Kirb
aKve9pW0dnQ/V0P88OvpbURjfIMfrgFJIaB1H1fcUwSxEp0zfpEcDVGFhKSIvTnf
RK4ErMUV+oh21BgWSCNc6QDG5U3bt/8aXWxqqDogqKy5CUD+G4DLAi2aDe1WaPa2
9LhVp5plr/AJXRFESF3GyoFYGXNtQ3kirscSV6JOT5rQU1DnK/8XFEfexz3+iaVt
Qn+AzSR52YN8PrrfFNiEF1dZWCcgS+HdyYw38IHEUpYNlFNHXSbWT+h8ml3U93wI
ZtzUwSaXsT8hefUQVxFWMnO5yjkbZzA/Bgr8jFBG+Fsp8CKrnGiZH0URt6Jbt0+L
Ejt/rfdYlTg8M/lsmmuncHISUcr6jGDH9uJg+7psMO9ZiUCHsSRyxUTxGvKePup9
Hc7dzr7RsMwvCo5LU4ilJRQzFwhe+V6a76xmfaTr4nzif5uuBgl7t0m4IhWedVmM
5OQOGx0QG6vX+aWzWDiXcqnxaspXW/m62E+v5QA40MzkPr7Ub6oNSh90TX9w803g
WtpGolRxxsBoUfxz/5eqNDKUDZbT7o00t9djknz6Gvqg2fdtnEk014msaB0XL+uk
rzLvdUohCRi0MOH63pGBPPct8iFj4/qiVeyf9nIhSk0Vw2mdcHtho9Gy4xRjDfai
CXxBGVS5WotIk1rIv7ddwfAEreVllXugGeGIVt8vTt/Eb63QFGte6WOe52j2WzJg
/MBWcKnL24QGD5IRA8+XdiH7TzDz4mb3cqwHlY92XL5lvlK6kJEnLWz1klCQCyOT
WPiI5rB4a0gDVjYj5spBTyMnJC1D3BKEXRUJM/KzoxxYcvFqaa/lypAryrsBGep5
9KXcZoXOGHs8ldT5/hYqHWTVE6AjeO3AX+iNWbYgWgPSmeNG31HW8JStrQYW80vK
PzTzS1awW1uv8RPrbJwFCHccpHXGNUNQ1dqhMD+FpNxgcHLW1DQF0+tGRd0Gm8lF
Q20CmEFQS5hhyccFXO6iwmGjFEyQlxI0nsjTl+O7rjal6Yb3ZsL4KrAqbPnbO+z0
zjgOhcu4QIAGFrZR2VhiW40hfHud9RytkREP+aBgyPdNbjgsAZg7d+GewQCt8MeD
XgOnIkHxet/Ib2JO40r7QR5Ru/Sz3P/z0kq+xFGwZC68jMN9FN74xATxLhvtv+ZT
R9u/8hY50y3AYXyMaWIvltR8zZQhOySekU1KFUWYumrW6HCosUxEH9JuRLZzr1L6
RVClBJ2Oyfj+eILVag7FRkX0f9Vh0ECtjapp+k5jGLSXrfa5JTUI6B0JQqtc9wwT
PRd3dRmuVxHSLNYVJxH5OkD+tRy3U0aeMEFXa8DXBvuM9ZJWNA7EWV2bKxMPQRok
JwHPMXL859ptExBGB2C2TQFU91jVA8rQROrhAZ6O8XJsci280vWK5y0Bcxj/RabE
4hI+koFnU05rj9eQk0/B6bqDQTN/Yfi6cB8k6JsNp2qBKnpj8NLz6+UKiKJYZ1P5
o5VNQeF+OFWUzBGYqQ52NOT1pWeZZo/L3dz41eG60Hx7cSRgxzmk2na8Orn4fkbY
-----END RSA PRIVATE KEY-----

And this one [file]:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-CBC,65DB46E90AADB85E

x8fTqxWPs0RLjGud/n/Zo9HM+73Zm9WYoyG5mGI6V0BLHoTPBRCR7Px0CAav2AR1
v1r8hhXcWH21aXDeTe5D7RehvDW9WKTGRAzV/D6bVTlj3E9FblsludtLOgmW1+SS
8D+H223oBm+xF1ZpwAG+/1seltiEhTb/pED8JKkmueV+uIS2gNPmYaHtpmFZODRZ
z70+m98kGiOGLOsoQyOLSFKgN8XxOH103EVw4j/bjCIqlDdl0YSAy1J/5iNsScuK
cwKSl3s9bIJp9a3mOtpXufhJ6DYFbKaL09fef+mvIlHFzolVkfNsfIKuki2Eg8xY
Ccxh7mVpJqj3Nfe51WdXvJdeIRA3snkfbmmZ3Nc5mmmPhE0zOf5zVPV1S7RLisP+
ZEdZgByITJI/fi4rz9S+82+oJ7vaJIggkKbraJHYDqtUZAmu1xIrN5FNjP6Tv1b4
HcQiQUiV7Qjb9yI+pP10yZ8xz6Gg/B5NQKixutLed22c7r830l8UH70vfsSbYTwc
zeEXtH5EOlBrWvOfl3p5pwISfaXzRkENujzR74pLsFyClrDGTQpvACfdYM1BQvVB
5SgxXQ90oaXaFEjTJhiO/nM5a+EHwgkt486Qde0iWsJbB88KLt/tZzKl+uQehsC0
aWxPPnSfCJFnnftti4EzvSXZ5DN+o20Hf9941xq/4uJc4jUS1BIHNG8FEPdJFf6s
KKRUQhHn1fWT070NDIYsF5zJP0nmuKs7Kl5fIMhTxdNonw69RZP6MBK6XvW6Dv4z
yZ/s+D20HQtofZmbJdEMwdwF/qNDT7VZ3lbG/yO5qTFUyXY8PUHmqwt2l6S7CTcj
LbLRx1u5HMO/begGCXMK/S4qbbtAnEasY5WBrHq5TPg6BGr/N+1gBn8D4bpPTsKP
eh9KKXRhEzW0Tv0ByGP5ml4CXbG4slSS/b/vuSpU2GnFSbs3/bGgt57Lb3ge3SUw
BGUOtQTUMnkq1pvakbzvxglNMDM1UoqqlL9U0yECdrGtXefAqTwYjkl6ph8iS3jR
CAONvkYMIq7ifxfv5mkPTkyjNQL+8IjqhOZ/5UkN2iSojKQ4is7DRgIQUrTjmbk6
8YDPPBF5Y15z4Y7z6xWzlp+v2f8AMVdEz3XrLwEGTHETcV7nIo1zRjGZIpSqkaoJ
E7L3C5OOr9mJ767ppO7QKQ1lfGaN+B75h1D9XBuwSIhgWneudmIM5DL3+fn2e/rW
ozbJSR0wnO0Ueh/iBExLd1Ul/zWRJQL3Bm6QS6J01hSbrhqgil1VL0JY8Vnz0bnu
kUj4bjgGeycV4xta1NatoGpfbr2QpDJgC2ShNB/iZTbTub6DrqyAuZ0BfAcLwHi2
EeQEVOudSmQeVKJbaCaSIjsd6NCW9frwSf8CRYdmc57gxuMBYTVFQaIs2UEDTH5l
E8hVoK/1QP+fxIVP3ar0rr/tZKpgXSsw6SdsUrv8foP4GgY1M0lsZs210gKl+TvD
DSgyj2uhSU8OyFvd0krlP7TfoPluRuiApQ2WD3oRAqUSKxi32/JwYHz/3cyWc/jp
gItBrO7UK+TCRfnNrG2buxRHiWWGAcSBLTn/4uqlMQ3tOsULTq4zMJK7xH1JFfbN
-----END RSA PRIVATE KEY-----

The passwords are all contained within this [file]