{"id":23902946,"url":"https://github.com/mtumilowicz/cryptography-rsa-workshop","last_synced_at":"2026-06-10T20:31:52.668Z","repository":{"id":110875313,"uuid":"510864510","full_name":"mtumilowicz/cryptography-rsa-workshop","owner":"mtumilowicz","description":null,"archived":false,"fork":false,"pushed_at":"2022-08-30T15:50:14.000Z","size":348,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2023-03-05T07:20:11.338Z","etag":null,"topics":["asymmetric","asymmetric-algorithm","asymmetric-cryptography","asymmetric-encryption","asymmetric-keys","asymmetry","cryptogra","cryptography","rsa","rsa-algorithm","rsa-cryptography","rsa-encryption","rsa-vulnerability","vulnerabilities","workshop","workshop-materials"],"latest_commit_sha":null,"homepage":"","language":"Scala","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mtumilowicz.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-07-05T19:10:41.000Z","updated_at":"2022-08-30T15:52:25.000Z","dependencies_parsed_at":null,"dependency_job_id":"38d80841-7201-4fed-aba8-32182975a003","html_url":"https://github.com/mtumilowicz/cryptography-rsa-workshop","commit_stats":null,"previous_names":[],"tags_count":0,"template":null,"template_full_name":null,"purl":"pkg:github/mtumilowicz/cryptography-rsa-workshop","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mtumilowicz%2Fcryptography-rsa-workshop","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mtumilowicz%2Fcryptography-r
sa-workshop/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mtumilowicz%2Fcryptography-rsa-workshop/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mtumilowicz%2Fcryptography-rsa-workshop/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mtumilowicz","download_url":"https://codeload.github.com/mtumilowicz/cryptography-rsa-workshop/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mtumilowicz%2Fcryptography-rsa-workshop/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34170162,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-10T02:00:07.152Z","response_time":89,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["asymmetric","asymmetric-algorithm","asymmetric-cryptography","asymmetric-encryption","asymmetric-keys","asymmetry","cryptogra","cryptography","rsa","rsa-algorithm","rsa-cryptography","rsa-encryption","rsa-vulnerability","vulnerabilities","workshop","workshop-materials"],"created_at":"2025-01-04T22:51:15.156Z","updated_at":"2026-06-10T20:31:52.652Z","avatar_url":"https://github.com/mtumilowicz.png","language":"Scala","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Build 
Status](https://app.travis-ci.com/mtumilowicz/cryptography-rsa-workshop.svg?branch=master)](https://app.travis-ci.com/mtumilowicz/cryptography-rsa-workshop)\n[![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)\n\n# cryptography-rsa-workshop\n\n* references\n    * https://stackoverflow.com/a/72461285\n    * https://stackoverflow.com/questions/33105434/converting-a-base10-number-to-a-basen-number-using-a-custom-alphabet-of-size-n\n    * https://gist.github.com/jasperdenkers/59cf5ad4acbba6b9d75d\n    * https://crypto.stackexchange.com/questions/81495/rsa-is-there-a-way-to-digitally-sign-a-message-without-knowing-the-private-key\n    * https://www.johndcook.com/blog/2019/03/06/rsa-exponent-3/\n    * https://stackoverflow.com/questions/1967578/how-bad-is-3-as-an-rsa-public-exponent\n    * https://crypto.stackexchange.com/questions/3608/why-is-padding-used-for-rsa-encryption-given-that-it-is-not-a-block-cipher\n    * https://crypto.stackexchange.com/questions/22531/how-does-rsa-padding-work-exactly\n    * https://www.encryptionconsulting.com/education-center/what-is-rsa/\n    * https://www.comparitech.com/blog/information-security/rsa-encryption/\n    * [Faster Primality Test - Applied Cryptography](https://www.youtube.com/watch?v=p5S0C8oKpsM)\n    * https://en.wikipedia.org/wiki/Carmichael_number\n    * [How To Tell If A Number Is Prime: The Miller-Rabin Primality Test](https://www.youtube.com/watch?v=zmhUlVck3J0)\n    * https://blog.trailofbits.com/2019/07/08/fuck-rsa/\n    * https://en.wikipedia.org/wiki/Carmichael_number\n    * https://medium.com/@prudywsh/how-to-generate-big-prime-numbers-miller-rabin-49e6e6af32fb\n    * [Cipher Block Chaining](https://www.youtube.com/watch?v=L4HaxfCRRs0)\n    * [Encrypting with Block Ciphers](https://www.youtube.com/watch?v=oVCCXZfpu-w)\n    * https://www.techtarget.com/searchsecurity/definition/cipher-block-chaining\n    * 
https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation\n    * [Devoxx Greece 2024 - Asymmetric Cryptography: A Deep Dive by Eli Holderness](https://www.youtube.com/watch?v=Q20H-H91-Vk)\n    * https://chatgpt.com/\n\n## disclaimer\n* only for workshop purposes\n    * for example: given implementation of RSA does not have padding\n\n## preface\n* goals of this workshop\n    * introduction to asymmetric cryptography\n    * mathematical basis for asymmetric cryptography\n    * understanding purpose of trapdoor functions\n    * introduction to RSA\n        * common vulnerabilities\n        * some basic attacks\n    * basics of padding\n    * basic knowledge of block ciphers\n* structure\n    * package cryptography\n        * decryption/encryption\n        * signing/signature verification\n    * package key - to generate RSA key pair: private and public\n    * package prime - generating primes\n    * exploits are shown in RsaExploitsTest\n* all used/needed math is described here: https://github.com/mtumilowicz/cryptography-math-basics\n\n## asymmetric cryptography\n* solve the problem of secure communications over an insecure network\n* symmetric cryptography context\n    * to exchange messages =\u003e first mutually agree on a secret key k\n        * what if every communication is monitored?\n            * is it possible to exchange a secret key?\n                * first reaction: not possible\n                    * reason: every piece of information is public\n                * solution: public key (or asymmetric) cryptography\n    * asymmetric ciphers - slower than symmetric ciphers\n        * first use an asymmetric cipher to send the key to a symmetric cipher\n        * then use symmetric key to transmit the actual file\n* analogy\n    * Alice: buys a safe with a narrow slot in the top and puts it in a public location\n    * Bob: writes his message and slips it through the slot\n    * Alice: only a person with the key to the safe can retrieve Bob’s message\n   
 * summary\n        * public key: the safe\n        * encryption algorithm: putting the message in the slot\n        * decryption algorithm: opening the safe with the key\n* mathematical formulation\n    * three sets\n        * keys K\n            * k = (kpriv, kpub) // private key and the public key\n        * plaintexts M\n        * ciphertexts C\n    * for each kpub =\u003e exists encryption function e_kpub: M -\u003e C\n    * for each kpriv =\u003e exists decryption function d_kpriv: C -\u003e M\n    * (kpriv, kpub) ∈ K =\u003e (d_kpriv) o (e_kpub) is identity on M\n        * private key is sometimes called trapdoor information\n            * it provides a trapdoor (shortcut) for computing the inverse function of e_kpub\n                * it must be difficult to compute inverse function of e_kpub without a trapdoor\n                information\n    * encryption is a permutation of b-bit strings\n        * {0, 1}^b -\u003e {0, 1}^b\n        * each key \"chooses\" some permutation\n\n## trapdoor function\n* is a function that\n    * is easy to compute in one direction\n    * is believed to be difficult to invert (without special information, called the \"trapdoor\")\n* analogy: padlock and its key\n    * it is trivial to change the padlock from open to closed without using the key\n    * opening the padlock easily requires the key to be used\n        * key is the trapdoor\n* example\n    * set some n, and define function as y = x^e mod n\n        * bad trapdoor function\n            * n = p (prime)\n            * y = x^e mod p\n            * we have to find inverse of e mod (p - 1)\n                * Fermat's little theorem =\u003e we can perform calculations mod (p − 1) in the exponent\n                * ed = 1 mod (p - 1)\n                    * it is solvable (for example using extended Euclidean algorithm) if gcd(e, p-1) = 1\n            * y^d = (x^e)^d = x^(ed) = x mod p\n            * solution is unique\n                * suppose that we have two 
solutions c1, c2\n                * c1 ≡ c1^de ≡ (c1^e)^d ≡ y^d ≡ (c2^e)^d ≡ c2^de ≡ c2 mod p\n            * summary: very easy to reverse\n        * good trapdoor function (rsa)\n            * n = pq, p,q - prime\n            * y = x^e mod n\n            * we have to find inverse of e mod φ(pq)\n                * Euler's theorem =\u003e we can perform calculations mod φ(pq) in the exponent\n                * ed = 1 mod φ(pq)\n                    * it is solvable (for example using extended Euclidean algorithm) if gcd(e, φ(pq)) = 1\n                    * however, calculating φ(pq) is as hard as factoring pq\n                * d - decryption exponent\n                * e - encryption exponent\n            * solution is unique\n                * c1 ≡ c1^de ≡ (c1^e)^d ≡ y^d ≡ (c2^e)^d ≡ c2^de ≡ c2 mod n\n            * if we know the actual factors, we can use Euler’s theorem and write x as\n                * x = y^d mod n\n                * ed = 1 mod (p-1)(q-1)\n\n## rsa\n* asymmetric encryption algorithm\n* named after its inventors: Ron Rivest, Adi Shamir, and Leonard Adleman\n* rsa = good trapdoor function explained above (product of two large prime numbers)\n* encryption is faster if e is small and decryption is faster if d is small\n    * most common e is 65537\n* we are encrypting / decrypting numbers - not letters\n    * example\n        * encrypting: \"hello\"\n        * observation: all of the information is already stored in binary\n            * encoding standards like ASCII or Unicode are used for humans to understand\n        * this means that \"hello\" already exists as a number\n* RSA relies on the size of its key to be difficult to break\n    * the longer the RSA key =\u003e the more secure it is\n* prime generating problem\n    * how to test a given number n for being prime?\n        * maybe use Fermat’s little theorem?\n            * take A: gcd(A,n) == 1\n                * if A^(n−1) ≠ 1 mod n =\u003e then n is composite\n                    * otherwise, it is 
prime with some probability\n                    * repeat for many As to increase the likelihood of being prime\n            * why is it wrong?\n                * take n = 561\n                    * this is a composite number and fulfills Fermat's theorem for any A\n                * such numbers are called Carmichael numbers\n        * Miller–Rabin primality test\n            * let p be an odd prime\n            * p−1 = 2^k q, gcd(a,p)=1 =\u003e one of the following two conditions is true\n                * a^q is congruent to 1 modulo p\n                    * q = (p-1) / 2^k\n                * one of a^q, a^(2q), a^(4q), ..., a^(2^(k−1)q) is congruent to −1 modulo p\n            * proof\n                * n = 2^k * q + 1\n                * a^(n-1) = 1 mod n\n                * a^(n-1) - 1 = 0 mod n\n                * (a^((n-1) / 2) - 1)(a^((n-1) / 2) + 1) = 0 mod n\n                * (a^((n-1) / 4) - 1)(a^((n-1) / 4) + 1)(a^((n-1) / 2) + 1) = 0 mod n\n                * (a^((n-1) / 2^k) - 1)(a^((n-1) / 2^k) + 1)*...*(a^((n-1) / 2) + 1) = 0 mod n\n                    * we can expand it until (n-1) / 2^k is odd\n                * if n divides at least one factor =\u003e probably prime\n                    * Euclid's lemma: p is prime \u003c=\u003e (p|ab =\u003e p|a or p|b)\n                    * so we check this one by one\n                    * each number in the list is the square of the previous number\n                        * (n-1) / 2^k, (n-1) / 2^(k-1), (n-1) / 2^(k-2)\n            * if n is composite then running k iterations of the Miller–Rabin test will declare n probably\n            prime with a probability at most 4^(−k)\n                * proof\n                    * Theorem 12.8\n                    * https://math.mit.edu/classes/18.783/2017/LectureNotes12.pdf\n            * prime number density\n                * π(n) is the number of prime numbers ≤ n\n                * prime number theorem states that n / ln(n) is a good approximation of π(n)\n                * it means 
the probability that a randomly chosen number is prime is 1 / ln(n)\n                    * there are n positive integers ≤ n\n                    * approximately n / ln(n) primes\n                    * (n / ln(n)) / n = 1 / ln(n)\n                * probability to find a prime number of 1024 bits: 1 / ln(2¹⁰²⁴) = 1 / 710\n                    * primes are odd (except 2), so testing only odd numbers increases this probability by a factor of 2\n                    * to generate a 1024-bit prime number, we have to test 355 randomly generated numbers\n* elliptic curve cryptography: advantages over rsa\n   * smaller key sizes and signatures\n      * example\n         * 256-bit ECC key ~ 3072-bit RSA key\n         * 384-bit ECC key ~ 7680-bit RSA key\n      * lower storage requirements for both private keys and public keys\n   * less computational power for key generation, encryption, and decryption\n      * valuable for low-power devices such as IoT devices and mobile phones\n\n## padding\n* structure of a message can give attackers clues about its content\n* padding: adding randomized data to hide the original formatting\n    * using the word padding for RSA is by now rather incorrect\n        * RSA without padding is also called Textbook RSA\n    * older padding schemes for RSA simply extended the message before converting it to a number\n    * newer schemes actually alter the message itself as well\n        * example: OAEP\n            * entire message is randomly transformed before RSA modular exponentiation\n            * the same message encrypted multiple times looks different each time\n* padding oracles\n    * adding padding to a message requires the recipient to perform an additional check\n    whether the message is properly padded\n    * when the check fails, the server throws an invalid padding error\n        * that single piece of information is enough to slowly decrypt a chosen message\n        * process is tedious and involves manipulating the target ciphertext millions of times\n            * 
isolating the changes to get valid padding\n        * that one error message is all you need to eventually decrypt a chosen ciphertext\n            * it makes developing secure libraries almost impossible\n            * padding oracle attack\n                * will be described in other workshops\n                * https://robertheaton.com/2013/07/29/padding-oracle-attack/\n                * https://research.nccgroup.com/2021/02/17/cryptopals-exploiting-cbc-padding-oracles/\n                * https://flast101.github.io/padding-oracle-attack-explained/\n                * https://jiang-zhenghong.github.io/blogs/PaddingOracle.html\n\n## block ciphers\n* if block ciphers act on short blocks, how do we encrypt a long message?\n    * electronic codebook mode (ECB)\n        * encrypt each block separately\n        * example\n            * codebook\n                * 00 -\u003e 11\n                * 01 -\u003e 00\n                * 10 -\u003e 01\n                * 11 -\u003e 10\n            * plaintext: 00|11|00|01|00\n            * cipher:    11|10|11|00|11\n        * cons\n            * patterns: identical plaintext blocks give identical ciphertext blocks\n    * cipher block chaining (CBC)\n        * each block of plaintext is XORed with the previous ciphertext block before being encrypted\n        * cipher block chaining uses what is known as an initialization vector (IV) of a certain length\n        * pros\n            * decryption of a block of ciphertext depends on all the preceding ciphertext blocks\n* summary\n  \n    ![alt text](img/ecb_vs_cbc.png)\n\n## vulnerabilities\n* TLS 1.3 no longer supports RSA\n* criticism: https://www.youtube.com/watch?v=lElHzac8DDI\n* using prime factorization, researchers managed to crack a 768-bit RSA key\n    * recommendations: a minimum key length of 2048 bits now\n        * many organizations have been using keys of length 4096 bits\n* p and q must be globally unique\n    * if p or q ever gets reused in another RSA modulus =\u003e can be easily factored using the GCD algorithm\n* 
RSA primitive is based on modular exponentiation\n    * this operation is homomorphic\n    * c1 = m1^d, c2 = m2^d =\u003e (m1*m2)^d = c1*c2 = c\n    * to fix it, it is essential to break this \"homomorphism\"\n        * padding\n    * example: RsaExploitsTest \"sign then verify - product attack\"\n* small exponent\n    * for example: 3 // most common exponent is 65537\n    * suppose you’re using a 2048-bit modulus N and exchanging a 256-bit key\n        * message m is simply the key without padding =\u003e m³ \u003c N =\u003e take the cube root\n    * example: RsaExploitsTest \"encode / decode - e \u003c n\"\n\n## digital signature\n* solves a problem analogous to the purpose of a pen-and-ink signature on a physical document\n* asymmetric cryptography vs digital signatures\n    * consider an analogy: bank deposit vaults vs signet rings\n        * in today’s world signet rings and wax images obviously would not provide much security\n* digital signatures are at least as important as public key cryptosystems\n* significant use-case\n    * your computer receives program and system upgrades over the Internet\n    * how can your computer tell that an upgrade comes from a legitimate source?\n        * example: the company that wrote the program?\n    * solution: digital signature\n        * original program comes equipped with the company’s public verification key\n        * company uses its private signing key to sign the upgrade\n        * your computer can use the public key to verify the signature before installing it on your system\n* it is quite inefficient to sign a large digital document D\n    * it takes a lot of time to sign each b bits of D\n    * resulting digital signature ~ as large as the original document\n    * solution: use a hash function\n        * hash: (arbitrary size documents) -\u003e {0,1}^k\n            * it should be very difficult to find D and D' whose hash(D) and hash(D') are the same\n        * rather than signing document D sign the hash 
hash(D)\n        * for verification: compute and verify the signature on hash(D)\n* setup\n    * the same as for RSA encryption\n    * encryption\n        * e = encryption exponent\n        * d = decryption exponent\n    * signing\n        * d = signing exponent\n            * sign document D by computing S ≡ D^d (mod N)\n        * e = verification exponent\n            * compute S^e mod N and verify that it is equal to D\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmtumilowicz%2Fcryptography-rsa-workshop","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmtumilowicz%2Fcryptography-rsa-workshop","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmtumilowicz%2Fcryptography-rsa-workshop/lists"}