CSE 207B, Fall 2023
Homework 7: Repeated ECDSA nonces

The web application located here validates API queries using an ECDSA signature before executing the commands in the query string. To validate the token, the web server parses the full query as:

    query = token=token_string&rest_of_query_string
  
and then checks whether token_string is a valid ECDSA signature over the SHA-256 hash of rest_of_query_string under the server's NIST P-256 public key.

Unfortunately for this server, it didn't use a very good random number generator when generating the ECDSA signatures, and accidentally repeated the signature nonce k. Here is another valid token/query combo. Your task is to recover the server's secret signing key and forge a valid ECDSA signature on the query string user=admin&get_file=hw7.pdf that will allow you to download the rest of your homework.

Repeated DSA and ECDSA nonces have been found many times in the wild, including for Bitcoin (2013 and 2016) and other cryptocurrencies as well as in protocols like SSH.
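From the signer's side, nonce reuse can be caught by auditing issued tokens for a repeated r value. The following is an added example, not part of the assignment or the server's code; the function names are hypothetical, it assumes the raw 64-byte r||s hex token encoding used by the sample code on this page, and the log entries are constructed.

```python
from collections import defaultdict

# Order n of the NIST P-256 group; a well-formed r and s lie in [1, n-1].
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

def split_query(query):
    """Split 'token=<hex>&<rest>' into (token_hex, signed_query_string)."""
    if not query.startswith("token="):
        raise ValueError("query must start with token=")
    token, sep, rest = query[len("token="):].partition("&")
    if not sep:
        raise ValueError("no signed query string after the token")
    return token, rest

def parse_token(token_hex):
    """Decode a raw 64-byte r||s signature (hex) into the integers (r, s)."""
    raw = bytes.fromhex(token_hex)
    if len(raw) != 64:
        raise ValueError("expected a 64-byte r||s signature")
    r, s = int.from_bytes(raw[:32], "big"), int.from_bytes(raw[32:], "big")
    if not (1 <= r < P256_N and 1 <= s < P256_N):
        raise ValueError("r or s out of range")
    return r, s

def find_reused_nonces(queries):
    """Map each r that appears on more than one distinct message to those messages.

    r depends only on the nonce k, so one r over two different messages means
    k (or its negation) was repeated. A deterministic signer re-signing the same
    message also repeats r, which is harmless, hence the set of distinct messages.
    """
    by_r = defaultdict(set)
    for query in queries:
        token, rest = split_query(query)
        r, _s = parse_token(token)
        by_r[r].add(rest)
    return {r: sorted(msgs) for r, msgs in by_r.items() if len(msgs) > 1}

# Constructed sample log: the tokens are filler bytes, not valid signatures.
SAMPLE_LOG = [
    "token=" + "11" * 32 + "22" * 32 + "&user=alice&get_file=a.txt",
    "token=" + "11" * 32 + "33" * 32 + "&user=bob&get_file=b.txt",
    "token=" + "44" * 32 + "55" * 32 + "&user=carol&get_file=c.txt",
    "token=" + "44" * 32 + "55" * 32 + "&user=carol&get_file=c.txt",
]

if __name__ == "__main__":
    for r, msgs in find_reused_nonces(SAMPLE_LOG).items():
        print(f"nonce reused, r={r:064x}: {msgs}")
```

Any hit means the signing key should be treated as compromised and rotated, and the signer moved to deterministic (RFC 6979) or properly seeded nonces.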

You may discuss this assignment in small groups with classmates, but please code and write up your solutions yourself. Please credit any collaborators you discussed with and any references you used.

Submission requirements and autograder

Submission requirements:

The autograder...

Here is some sample code illustrating ECDSA validation for our example inputs:

    #!/usr/bin/env python3

    import ecdsa
    import hashlib
    import binascii

    # Public key as raw x||y coordinates (64 bytes, hex-encoded).
    pubkey = b'30796a2934b6044c1f3414bff26c9c46b1652f16f4824f0a84f47b365d08160e145c77d4b364a54fa98c21a6dbe7636196decb48a8916cbaae43b3675d64d259'
    # Signature as raw r||s (64 bytes, hex-encoded).
    signature = b'f6cc696a7a8ce83e7cdcd37e250b4e8bf0f742c63c66ab4d0a990cf852fa1bce3c38e6df9902654117a01c2acd1dbdf3205ab7b73b5323f02930b77cf5cce6f5'
    query_string = b'user=admin&get_file=kitten.jpg'

    vk = ecdsa.VerifyingKey.from_string(binascii.unhexlify(pubkey), curve=ecdsa.NIST256p)
    # verify() hashes query_string with SHA-256 and returns True on success;
    # it raises ecdsa.BadSignatureError if the signature does not validate.
    vk.verify(binascii.unhexlify(signature), query_string, hashfunc=hashlib.sha256)