GPN CTF 2026 — Easy-DSA: UUID3 MD5 Collision → ECDSA Nonce Reuse
Platform GPN CTF 2026 (kitctf) Difficulty Medium OS Crypto — ECDSA on P-521, deterministic nonce, MD5 collision Tags recognising uuid3 as MD5(ns || name), generating identical-prefix MD5 collisions with Marc Stevens' fastcoll, recovering the nonce from two signatures with the same r, sign-flip check against the published public key, forging fresh signatures with the recovered private key Easy-DSA is a classic cryptographic-engineering blunder dressed up in a Mongolian-barbecue narrative. The server signs arbitrary recipes with ECDSA on P-521. The “secure” nonce is derived through uuid3, which is MD5 under the hood. Marc Stevens’ fastcoll generates two messages that MD5-collide under the namespace prefix, forcing the ECDSA nonce to repeat. Standard nonce-reuse algebra recovers the private key in one round. Forge a fresh signature, claim the flag: ...