RSA: Is there a way to increase the partially encrypt data without knowing the private key?

Question

EDITED QUESTION FOR A BETTER EXPLAINATION I have this crypted information (RSA):

2FB2BDC75D2D36A779B9F1B66735BDFF
DC0FB25C0E8DDF30E95D1896B2A6A995
1DF2029594DAD93FBDA5E2ED69A62291
11AFCFAC19CF13F9F87F482816355C53
9E6AE5B91C153EA7892F11E1FB7F4E60
F95F7C7133B48740F58A8510E7AEC1B8
7AC14406B510BCBD942F45DE15BF6439
969F010EB282D2236E13BC1D7D1646FA

and the module used is:

4D2BE94E13CAE7ECFB1E267B81759B4C
307FA8F064267BBB7D900DEBB8EADB21
30A4032B510190F917C3B13172150650
F0D7B8C63F1BFCF97B0FD3D52BB7DA83
001B34258BA479AA8A6CA66B9AA8617B
79399FCC59517FF7F163F020941A4CC0
E74B6F6D75B401B1E4F8BAFDF2AC5012
29FE6CB772E02A9D55F8648E70AABDA2

I know also that the RSA decrypted is something like this:

0001FFFFFFFFFFFFFFFF00E23AA1864F
49B535193B2EA07FA82A9F8EF831DF26
90000000000000000000000000000000
00000000000000000000000000000000
00000037B25038000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000

decrypted in this way:

my question is: I don't know the private key used to crypt the data before but I want to change data and encrypt it again, I saw that using the cube root is possible to encode the first 0x2D bytes without losing information, is there any way to encrypt more data?

@kelalaka thanks for the reply.. yes..is the same thing I wrote before.. — FabioEnne, Nov 27 '18 at 11:27
@fgrieu thanks for the reply...if you read well I signed PK as public key.. — FabioEnne, Nov 27 '18 at 11:29
Please re-edit your question and use $LaTeX$ mathJax to remove the image. There ate question with cube root attack — kelalaka, Nov 27 '18 at 12:10
Are you sure you did not forget to invert the modulus? If the bytes are reversed then the modulus suddenly starts and ends with a bit set to 1, which is currently not the case. — Maarten Bodewes, Nov 27 '18 at 23:38
@Maarten Bodewes: nice try to make sense out of this given, but the resulting moduli has small factors (as most 1024-bit random odd numbers do); in particular it is divisible by 19 thus not usable with public exponent 3. The OP did not only mangle terminology and bit polarity! — fgrieu, Nov 28 '18 at 06:02
To the OP: please 1) Use proper terminology and distinguish encryption from signature. "Crypt" means encrypt, and has nothing to do with signature. 2) If the question is about making a signature forgery for a variant of RSASSA-PKCS1-v1_5 based on an error in the signature verification code, describe what that code does. 3) Remove numerical values that you are not certain of, including the current "module used" which is wrong. 4) Reformat any remaining numerical value as a single line. — fgrieu, Nov 28 '18 at 06:18
@fgrieu This very much looks like some kind of puzzle to me, finding the weak spots - such as a badly generated modulus / private key - could be part of the puzzle. — Maarten Bodewes, Nov 28 '18 at 11:16

fgrieu · Answer 1 · 2018-11-28T05:50:30.113

The current question and its earlier version have many issues:

"The module used" is even (when the given is interpreted as big-endian hexadecimal, which is customary), and therefore is not an RSA moduli. This makes the first two values useless.
RSA decryption does not involve computing $x\to x^3\bmod n$, as stated. That operation is involved in RSA encryption and RSA signature verification only.
Since the public key $(n,3)$ is public, there is nothing to prevent anyone from doing RSA encryption of anything s/he wants, if it became clear by what method exactly that encryption is to be made ("RSA", or even "RSA encryption", does not define a method precisely).
The beginning of the "RSA decrypted" value looks like it is formatted per EMSA-PKCS1-v1_5, a deterministic RSA padding intended for RSA signature with appendix per RSASSA-PKCS1-v1_5, not for encryption.
The notion of computing a cube root without the private key is incompatible with any safe use of RSA, including proper RSASSA-PKCS1-v1_5.
This OP's comment suggests that signature is involved.

In the end, I agree with this comment: the question really is about signature (protecting integrity and origin of a message) rather than encryption (keeping a message confidential), contrary to the title and body of the question. Wrong terminology strikes again!

The OP seems to be trying to perform a forgery for RSASSA-PKCS1-v1_5 or some unspecified variant thereof. That is, come out with a new message/signature pair that pass verification, without knowledge of a private key or factorization of the public modulus (and, here, without anything holding the private key, nor known-good signatures).

That's believed impossible for proper implementation of RSASSA-PKCS1-v1_5 signature verification, even for low public exponent as in the question. But there are precedents with broken implementations and low public exponent: Daniel Bleichenbacher presented such attack at the rump session of Crypto 2006 (as reported by Hal Finney). There are variations targeting various broken implementations, which used to abound.

The degree of brokenness of the signature verification step is unspecified in the question, thus it can't be told if forgery is possible.

He also said the private key was used to "crypt" the data. This is simply a signature scheme using "RSA encryption". The decryption step then becomes the verification step. — Maarten Bodewes, Nov 27 '18 at 23:02

score 0 · Answer 2 · answered Nov 28 '18 at 00:44

What you are describing is a PKCS#1 v1.5 signature scheme. The later versions explicitly have a different name for modular exponentiation (raw RSA) for signature generation and encryption. Signature generation does not consist of encryption with the public key. Note that the signature scheme does not seem to use the common DER encoding of the hash over the data, but I would be very surprised if that matters for the security.

Of course it is not possible to update a signature using secure scheme such as PKCS#1 v1.5 padding without knowing the private key. If it were possible then anybody could update a signature and the scheme would have failed. With a private key it is possible to update the data. If the key pair was incorrectly generated then this might be the best way of attacking the signature - if that is feasible at all.

However, I think it is more likely that you forgot to reverse a little endian modulus.

RSA: Is there a way to increase the partially encrypt data without knowing the private key?

2 Answers2