Public Key Recovery

Recover an RSA public key from two RS256 signatures, then use it in an algorithm confusion attack.

Concept

When a server uses RS256 but doesn't expose its public key, it's still possible to recover the public key mathematically from two JWT signatures sharing the same private key. This uses the GCD (Greatest Common Divisor) of candidate values derived from the RSA-PKCS#1 signature equations.

Once recovered, the public key enables the Algorithm Confusion attack - use it as the HMAC secret with alg: HS256.

Why no browser implementation?

Key recovery requires GCD computation over 4096-bit numbers (RSA-2048 signatures). While possible in JavaScript via BigInt, the multi-step process involving multiple candidate pairs makes a reliable browser implementation impractical compared to the Python tool. This page provides the exact commands to run.

Step 1 - Recover the Public Key

Obtain two JWT tokens

You need two different JWT tokens signed by the same RS256 private key (same server, different requests with different payloads).

Install rsa_sign2n

setup

git clone https://github.com/silentsignal/rsa_sign2n
cd rsa_sign2n
pip3 install -r requirements.txt

Run the recovery script

rsa_sign2n

python3 jwt_forgery.py \
  "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.<PAYLOAD_1>.<SIG_1>" \
  "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.<PAYLOAD_2>.<SIG_2>"

Extract the public key

The script outputs candidate public keys in PEM format. Multiple candidates may be returned - each corresponds to a possible prime factorization. Test each one in Step 2.

Step 2 - Algorithm Confusion with Recovered Key

Once you have the recovered public key, use the Algorithm Confusion page to forge an HS256 token signed with the public key PEM as the HMAC secret.

Open Algorithm Confusion

jwt_tool equivalent

# After recovering the public key to recovered_public.pem:
python3 jwt_tool.py <ORIGINAL_JWT> -X k -pk recovered_public.pem

References

Practice in the lab

JWT-SecLabs · 8 · Shadow Key - hands-on Docker environment

Open lab