For Tania, the handout consists of a single file: an x86_64 ELF binary. Looking at the references to the strings, there’s a menu with “sign” and “execute” options.

Signing only allows signing 2 particular strings, "the rules are the rules, no complaints" and "rayammer can change the rules" (although since strcmp is used, and then the length from the get_input helper is passed down the call stack, it’s possible to add null bytes at the end, e.g. to sign rayammer can change the rules\0\0, although this doesn’t end up being useful for the attack). Signing keeps track of how many signatures there are, and uses the names r and s for the printout, giving a good hint that the signing algorithm is DSA.

From the exec menu option, we see that if we’re able to provide a valid signature for a string, it gets passed to system, so forging signatures (probably by recovering the private key) is our goal. It’s folklore that DSA allows private key recovery with a single duplicated nonce, so the fact that we’re limited in how many signatures we’re given adds to the hint, in addition to the choice of output names.

Going through the implementation of signature generation and verification and naming the variables after the Wikipedia pseudocode confirms that the implementation is mostly vanilla DSA. The nonce generation is emphatically not stock DSA though.
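The strcmp/length mismatch mentioned in the signing description, as an added example (not code from the binary or from the original write-up): it puts a strcmp-based allowlist check beside a length-aware one. The function names and layout are hypothetical; only the two strings and the use of strcmp come from the text.

```c
#include <stdio.h>
#include <string.h>

/* The two signable strings quoted in the write-up. */
static const char *const ALLOWED[] = {
    "the rules are the rules, no complaints",
    "rayammer can change the rules",
};
#define N_ALLOWED (sizeof ALLOWED / sizeof ALLOWED[0])

/* Check as described: strcmp() stops at the first NUL, so bytes after it
 * are never compared, while the caller still hands `len` bytes to the signer. */
int allowed_strcmp(const char *buf, size_t len)
{
    (void)len; /* the comparison ignores the length */
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (strcmp(buf, ALLOWED[i]) == 0)
            return 1;
    return 0;
}

/* Hardened form: the length must match and all `len` bytes are compared. */
int allowed_exact(const char *buf, size_t len)
{
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (len == strlen(ALLOWED[i]) && memcmp(buf, ALLOWED[i], len) == 0)
            return 1;
    return 0;
}

/* Bytes from the first NUL to the end of the input: signed, never checked. */
size_t unchecked_tail(const char *buf, size_t len)
{
    const char *nul = memchr(buf, '\0', len);
    return nul ? len - (size_t)(nul - buf) : 0;
}

int main(void)
{
    /* Constructed input: an allowed string plus two NUL bytes (31 bytes). */
    static const char padded[] = "rayammer can change the rules\0\0";
    size_t len = sizeof padded - 1;

    printf("strcmp check: %d\n", allowed_strcmp(padded, len));
    printf("exact check:  %d\n", allowed_exact(padded, len));
    printf("unchecked tail bytes: %zu\n", unchecked_tail(padded, len));
    return 0;
}
```

Any check that validates a buffer with a NUL-terminated comparison but signs or hashes it by explicit length has this gap; comparing by length closes it.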