How to generate PGP key from RSA numbers.

Question

I found the numbers p,q,n,phi(n),e and d used in the RSA ciphered of a message. I have the public PGP key and now i want to find the private key, i found in wikipedia that PGP private key is a pair of (n,d) but i don't know how to generate it. Can someone help me? Thanks a lot.

All numbers and data: https://pastebin.com/raw/5qHUxWZK

Answer 1

The first thing to do now is to analyse the pgp message. It indeed (as you say in the comments) consists of a Public-Key Encrypted Session Key Packet followed by a Sym. Encrypted Integrity Protected Data Packet (Tag 18) see the standard for the format.

Using my own "packet dumper" I found:

old type 1 of length 741
key ID: b0689cef7a225189
RSA encrypted key data (BE raw):
0f 93 e4 72 bc 96 d7 3c ed 5f 81 ab 86 ad 3d 95
a4 d6 69 3e 05 1b 4b c4 cc c7 77 75 46 9f 40 4b
a4 6a 41 b5 95 94 f4 66 23 24 36 a0 61 29 d7 95
3f c8 02 99 cd e6 f6 43 1a f3 40 15 48 87 40 8a
35 81 47 03 1e 05 63 83 5a 54 6c 6e 31 6a 66 61
ad af 43 44 31 0a 10 2b 25 2b b4 30 15 fd b2 f0
8b 30 ef be 43 2e ad 98 db 7e 74 1e 3b ac 5b 00
5b 78 5b 8b df 55 6c 5d 88 00 33 9e 9e ff ac ef
3c 90 26 36 62 1f 00 82 d5 65 af 7b 69 7e af 29
df 63 b1 65 54 99 7e 76 74 84 bb aa 16 2e ca 97
18 d9 72 c6 df a7 83 91 de fb 48 f0 88 14 22 e6
ce 49 1c 4a fb 92 7e aa cd 7d 5f 05 b0 e6 5f d6
44 61 f8 5d 38 74 6f a7 9e 2e 34 be 53 88 cd b3
26 ee 98 c8 4a 22 e7 f8 b2 e2 5f 48 8a 0c 64 cf
7e e2 75 10 18 86 18 00 83 b1 7d 5d ce 20 ef 0d
8d ef 28 2a 89 6a d4 e7 d1 e6 41 30 f6 b5 0d e8
17 d4 02 d3 bc 11 40 49 46 b0 c8 39 f2 82 e3 38
66 c8 f0 11 98 ae e6 f7 b2 32 38 8a 33 f2 cc 5c
23 7f f6 55 38 82 fd 38 09 9e 19 0b 1d db 2f 37
db fa d4 5f 79 4a 37 d0 8b 9d 40 69 07 3a b5 a7
b2 06 24 29 83 41 1b 61 0e a5 1b 1f fa ac 1a 53
19 ab 8c a7 07 3f 0a 9c 34 d0 89 a7 ee 88 2a 1a
81 d2 f9 1a 50 68 0e 2c 0d 44 67 9c 4e 12 9e 20
ac ac 4d 79 3f 60 41 ff 11 63 1d 8b 48 9a 74 30
57 14 f4 cc 98 9e 76 df 62 45 0a b5 d5 7a 0b 09
bd 9e 9c e5 9a 6d 93 54 6d f3 44 61 52 3a c1 d8
45 30 f6 13 17 fa c3 47 42 41 60 20 39 82 7d f5
f2 5a 09 cd 5d a1 69 32 a8 31 a8 ee 4c 70 9e b9
d1 91 5d 4d a1 a1 2d e7 2d 44 c4 66 ac 7b e8 80
b3 eb 78 37 8e 06 43 72 52 4d cb e6 d2 cc 87 6e
31 52 1d 74 9b b5 ce 13 ba 2d c7 6b 9d bb f5 e7
78 e5 a1 2b 72 96 ca 0e c2 97 1d 29 66 3b 4d 46
b9 1e 17 cd 99 00 2a 16 2b b5 12 d0 f5 ab fa 2a
ad 08 ff fe 82 09 ed f5 66 6b 1b 0d 75 bc 53 57
4e 78 90 28 ca 89 9e ea 59 e9 72 c5 63 6c 5d 81
44 25 dd b0 b6 63 b6 40 63 a7 60 d0 3e e5 95 24
c4 78 42 53 11 63 87 8b 20 56 ff 2f 52 1c bd 47
ad 56 14 83 72 cc 72 f1 95 70 5d 80 91 0c 44 44
cb d1 b2 cf bb e0 4c 3b 64 09 cb c1 f3 93 4a fc
56 69 ca 8d 72 bc 16 b2 84 20 0d ea 42 ff 70 79
da f0 19 a4 47 27 a3 05 79 7f 21 64 db f4 83 5f
87 2c 59 48 35 93 b7 cb a6 75 b7 8f c9 8f 94 73
47 11 29 fb 52 fd fe a1 fc 5b cc ab 2c fb d5 f2
8e 45 16 f3 45 84 c5 d7 e5 3b 33 98 62 cd 12 59
2e 92 a0 f6 8e c6 5a 63 b3 bb 48 eb 75 f3 ca af
4d ad 79 56 6e 21 9b a1 ac
new type 18 of length 753
encrypted and MDC data:
10 96 b9 20 03 ab 07 e5 0d 16 30 52 f1 f4 e3 0e
11 36 31 f5 d4 ab 74 f9 4c b8 bc e2 45 cc 83 40
ca 6f 8c 5f 2b 79 2a f5 b0 9d 57 29 b1 79 12 dd
17 53 d9 90 3a 94 f8 ba fc 24 a2 3d 82 c8 04 cc
bc 78 75 78 f0 70 0e 1d bd 8d 73 db f2 13 08 b9
b7 5d 65 01 2f 10 73 83 75 f3 5d 71 21 2d 33 45
1b be d7 52 3c 14 c3 92 08 ee b3 8d aa f9 50 a8
85 97 61 be 5c fe 62 98 ed da c9 c5 8d 7c c5 f4
7b 07 80 c9 cf f2 06 eb cb 84 7f 20 9a e4 98 1f
2a 5f 72 be 54 3b 26 f8 25 1b 07 82 db d5 fb ec
47 22 9d f7 88 a3 71 da 46 f7 c7 6a 19 74 41 92
69 71 ac ce 42 61 af e2 06 c2 46 4f 75 c8 d5 fd
41 69 26 f5 a2 1d 09 26 aa bf 25 a5 47 6f 24 83
14 7b 19 0d 51 78 27 ae 97 68 32 09 13 06 9f 12
04 d0 28 de 62 19 9f b1 bd df af 4e 20 8d 3a 7f
17 85 23 3c 91 e0 95 71 0b 0c ff 7f cd ca ff fc
2b 00 b2 49 91 8a 8b 08 43 dc 4b 9b dc a4 d8 1a
4f 09 03 9d 3c a3 55 10 c2 e7 e6 b2 38 ee 73 a1
7b 61 3a e6 db 2f 63 cb 3a 10 40 40 7e 69 50 e9
40 74 93 96 4b a9 7d 70 95 63 5e e9 24 ef 70 df
da 44 04 d5 a7 6c af 38 fe 74 ca f5 0a d1 44 90
cf 2f b6 44 32 f8 59 61 54 ba b0 38 21 5d 78 fa
63 7f ba 08 e5 53 a9 a4 b4 0d 45 81 2f f1 a1 55
09 2e 61 07 43 12 ec 83 c9 21 83 8a fd 08 e0 7e
07 93 85 74 c0 20 cf 88 90 06 cd 0d 2b 20 a8 6a
7b 23 02 86 86 52 3d e9 4d bc 06 16 65 04 97 2e
a6 65 4e 41 0d 99 8d d7 f2 16 89 7b 59 e2 16 2f
4f 5b f1 25 a5 54 03 a0 ec bc c9 d1 ac f5 cc 37
77 80 d5 24 ff 45 ce d9 0b 51 62 1e 47 67 55 7b
15 b0 bd 5a 7f 46 a2 2d 3d ef 9f 77 77 04 e6 94
cf c5 8a 9a c7 93 91 01 31 f7 e3 5c 79 b7 4b c1
09 9b b8 f3 d1 90 d6 b9 82 da 3c 38 97 1b ca b0
d3 16 f9 bc 98 ce d7 53 03 8b e5 59 b8 a9 56 94
9d ed f6 16 37 16 22 6e e1 51 07 ce 13 24 e9 cc
e5 e3 4d 3a fc e6 8c 21 2f 51 9b b1 27 78 28 be
33 85 64 b7 62 83 49 f6 a3 1f dc 6a ff 59 7e b9
4c 5a 7a 64 ab bf 47 58 de 34 d6 47 e4 95 ab 41
ba c6 ec c7 19 69 2b 41 59 42 ba 31 e0 8e d9 55
ea 25 19 4d 31 ec 85 72 e6 43 dc 9e e3 49 93 9a
c7 37 ad b1 37 3a 60 72 70 1a fa 14 2e 92 d8 7b
0a 30 d1 ed ea 87 d8 55 a3 d8 80 23 32 e2 3b d1
2a 20 28 d1 a0 e8 06 03 bf e0 ec b4 7e a8 52 82
ad 05 c5 77 dc cf d7 29 e0 c9 1d 86 b6 32 ee e2
11 7d df d1 55 02 39 08 96 23 3b 1e ea cf bd d8
d7 2e 01 25 bc 33 76 47 b4 1c 12 f1 9c 38 1e 3d
7e cb 18 cd 64 9e 5b 15 fa 67 87 83 b2 5c 62 c0
20 81 73 80 2a bd 0c c7 3c 7a 7c 14 0f 86 68 94

Using Python one can quickly decrypt the first part, and we get 0002105f37831ba708b933e2e284cc10e39dfe982a68be7261df90a5845080c6d06e59ad86ab82bb8eb44f0bba75df419544feba9e7c42067d0ecabd978370c246b7c3cb614f3cab957580af5d37cfbfa4e3e6ee4f391a4aff9692f432cd61b753af09a2bae9c7f7fbd0d6f05af7ca173d50efb58cfd14ac0959a24a3321dcd1a2dcbc76f5d219d58740f761502ae93ff343507740b1abcacba1aa9c578ee3d4077a0fff778bf1169a3915fd115a762c3e15e401438fb006708829992b79568a0e1b62bcdf83ed1724a45acebd54113a7fcf57cc1e9d1cba64160755b6fd3275afe6ccc3afdab3fb6748910d51aba3f7099858acb805ad888a9392a7d76e36ac1bebf9906d9c717e236a3d1729c2d75985d0072a179f4baf9b8fbb73871213d94186f150039705b90eefe37a5ea1f085434b70d744f78cd5fc265f4059a138ee7aa34de3d4809e296d22cd2df2952878c94b5b8d40a1f003c2c8c46c873cddc578237e16ca97775f9b0ed775667e3d81a5704933a218255f263784ca38ab442564e7e2cdc38e8345b96266aaa165f1e569a1736adae9a4a3ac1eb6b09f2ada5ffd5520de94c5efcdd69375e28334b966e6aa3ef9d40f05b9ce4e5ded39276d89017adc48ba3835d8e6051af596179abf358911e8e7c821321065f9d8ed681e0ca3159e72203b49c2593b09d0d46a01c27086cb4098114d0999ccbb3e28b7ef333263d28c0e835c6df56495a1553225303498479cc14ab2bf2e088031da51f4f1750f9e2f64095885a16f306a0cffca1de92522e498453937f77bc97ece6d83a2fd567555c1f26ba763b08e6bd65890f6bba115b6633c4d0de8893f1e6f0755a9eb29a5967d9dd3d2fa83229092844aa276599742f35a6506e6cb8d2311b2b755c59f3e63c1b107498dc0bdf9716def62fe10c68890321edf7afb4bbcc73a6ade182c759b24ade2553df740b05b28eb7e2bca209bf200096321160a7384e62871aa342bc3c303dab28fcf0580c51341123908959dd2ba790dbe

which has the right form, written out as bytes (see the PKCS1.5 padding section in the standard).

We can see the cipher algorithm 09 meaning AES-256 and a correct checksum 0x0dbe at the end. So the key is then known and then you can decrypt the second part of the message using AES-256 in CFB mode with IV the zero block (e.g. use openssl) and check the repeated bytes 15/16 equaling 17/18.

Then you can verify the checksum (SHA-1 digest of all but the last $20$ bytes must equal the final $20$ bytes of the plain text).

The payload then starts at byte $18$ and is of the type compressed data (zlib).

Decompress it (I used zpipe) and you get a MIME message (mail), from "[email protected]" in Spanish with some code in it (a CTF I gather, I won't spoil it here).

There is no need to produce a PGP-secret key; one can just follow the standards and do a bit of coding.