Using Data Transformation to Obfuscate (and Deobfuscate) Private RSA Keys

2021-06-13 1020 words 5 minutes

Contents

Obfuscating your RSA Private Key

Imagine we have the following RSA Key:

-----BEGIN RSA PRIVATE KEY-----
This Is My Super Secret Private RSA Key Please Don't Share It
-----END RSA PRIVATE KEY-----

There are some interesting techniques we can use to obfuscate our key from potential prying eyes. For the following demonstrations, we’ll visualize it in CyberChef so feel free to follow along! Any links to CyberChef from here on out will be direct links to the recipes I’m discussing so you can get the exact output I’m showing in this post (or play around with it).

Deflate

(From Wikipedia): In computing, Deflate is a lossless data compression file format that uses a combination of LZSS and Huffman coding. In essence deflate is a way we can transform our RSA key, represented in ASCII, to another format that is not necessarily human readable. If you’re interested in reading more about the algorithm used for DEFLATE, you can do so here

If we use the Raw Deflate function in CyberChef, we are left with this as our output:

mÌ±
Â@..á>O1....É"K0.Ù X.2..¨ì.Â½}ðj§ý.ïøÛIÎ:a¶.iÖk¿.F¹µÒ-ëV ..
û¼é0Þ..äÛ7.ÛidEz0.bx=..[³..]3d.þÚ;

A prying eye won’t be able to really know what this is supposed to represent, but we can take this a step further.

To Hex

Using the deflated (compressed) version of our RSA key, we can then transform this data to Hex. This is going to add another layer of obfuscation to our key and be extremely useful in the subsequent steps. The output of adding a To Hex recipe in CyberChef is the following:

6d cc b1 0a c2 40 10 84 e1 3e 4f 31 9d 95 0f 11
c9 22 4b 30 1c d9 20 58 1e 32 90 80 a8 ec ad c2
bd 7d f0 6a a7 fd 99 ef f8 db 49 ce 3a 61 b6 1e
69 d6 6b bf 08 46 b9 b5 d2 2d eb 56 a0 05 97 0a
fb bc e9 30 de 9d 81 e4 db 37 07 db 69 64 45 7a
30 17 62 78 3d 0f 01 5b b3 13 1a 5d 33 64 1a fe
da 3b

XOR

This step is an optional one, and really just a demonstration that you can add a LOT of layers to this process (but it’s important to remember the process and order you use, so you can deobfuscate your key later on!!!). In this example, I’m going to XOR the entire Hex string above with a key value of secret. Doing so in CyberChef results in the following output:

ÚjÌm...?Ì>...<Ì:Ü.Ý>Ì6Ø..?Ì=..ØhÌ=Ý.ÕjÌ7Ù.ÜhÌ?Ý..7Ì<Þ.ØlÌ=Ü.ÝmÌjÕ.Þ>Ì;Ô.ÝkÌ=Þ.Õ>Ì6Ü..6Ìk...jÌmÞ..jÌ9...>Ì8...
9Ìh..Õ7Ìk...6Ìj..Ø7Ìm..ßoÌ8Ý..8Ì?..Ú7ÌjÚ.ÚlÌl..Ü6Ì:Ú..7ÌlÙ..<Ì<...lÌ;Ú..>Ì>Ù.Õ9Ì>...lÌl...7Ì=Ü..kÌ7..Ô?ÌkØ..
lÌ=Û.Ü9Ìj..Ú7Ì8Ø.Ø;Ì9..ß>Ì?Û.Ú<Ì9Ô.ßjÌ>..Ü?Ì;...=Ì?ß.ÝoÌ;..ß=Ì8Ø.ÝoÌh...oÌ=.

To Hex (again)

From here, we can repeat the process of converting this data to a HEX representation in CyberChef:

da 6a cc 6d 8f 2e 8e 3f cc 3e 8d 2e 8f 3c cc 3a
dc 2e dd 3e cc 36 d8 2e 89 3f cc 3d 89 2e d8 68
cc 3d dd 2e d5 6a cc 37 d9 2e dc 68 cc 3f dd 2e
e6 6d d5 2e de 3c cc 3a 8e 2e df 3e cc 3f 8f 2e
88 37 cc 3c dc 2e d9 36 cc 3f 89 2e df 3c cc 37
dc 2e d4 3e cc 6f d4 2e 89 6d cc 6f 88 2e 8f 3c
cc 04 8e 6a cc 39 88 2e 8a 3e cc 38 8d 2e 8d 39
cc 68 88 2e d5 37 cc 6b 8a 2e 8a 36 cc 6a 8e 2e
d8 37 cc 6d 89 2e df 6f cc 38 dd 2e 8e 38 cc 3f
89 2e e6 38 d5 2e 88 38 cc 38 8e 2e 8e 68 cc 3e
d4 2e d8 38 cc 6c d5 2e 8e 3b cc 6a de 2e de 6a
cc 6b 8e 2e d9 38 cc 6f dc 2e dc 3b cc 37 db 2e
dc 6f cc 04 8a 6c cc 6c 8f 2e 89 37 cc 3d dc 2e
88 6b cc 37 88 2e d4 3f cc 6b d8 2e 88 6c cc 3d
db 2e dc 39 cc 6a 8e 2e da 37 cc 38 d8 2e d8 3b
cc 39 8d 2e e6 3d dc 2e dd 39 cc 38 de 2e db 36
cc 3d 88 2e dc 68 cc 3e dd 2e d9 6c cc 6c df 2e
dd 3d cc 3f 8d 2e d9 6a cc 3d df 2e da 3a cc 3f
8d 2e 8a 6b cc 04 88 6f cc 3d 8e

As you can see, our data has grown significantly in size from our previous HEX representation.

Hex to PEM

CyberChef has a really cool function that allows us to take any hex value and convert it into a PEM file (RSA key). By using this recipe in CyberChef, we can finally transform our data back into a valid (in appearance) RSA key:

As you can see, we’re left with a seemingly valid RSA key. We can leave this on a system and unless someone knows our obfuscation algorithm they really can’t do anything with it.

Use Case

There may be a case where a file is encrypted on a system and we are able to find a private key on the system that could potentially decrypt it. Particularly in CTFs, you may encounter an RSA key that just doesn’t work. Consider using some of these methods to transform an obfuscated key back to its original form.

Deobfuscating an RSA Key

To return to our original key, we simply have to follow the algorithm we designed to obfuscate it in the first place. That is:

Convert the PEM key back to Hex
Convert from Hex to its raw value
XOR the raw data with our key, “secret”
Convert the resulting hex back to raw value
Use Inflate to decompress the data

Using this CyberChef recipe, you can see how we can get back to where we started.

In the end, all we’re doing is manipulating and transforming the data into different representations to obfuscate it. Hope you enjoyed the read!