Factoring weak moduli
RSA Attack Workflow factors small semiprimes, rebuilds the private key, and decrypts the ciphertext.
RSA attacks explained through runnable browser demos.
RSA is not broken by one trick. It fails when keys are weak, padding is missing, messages are reused badly, or implementation shortcuts leak structure. CryptoToolkit groups those failures into interactive modules.
Textbook RSA
Textbook RSA demonstrates why raw RSA encryption is malleable without padding.
Small private exponent
Wiener's attack uses continued fractions to recover a private key when d is too small.
Broadcast attack
Hastad broadcast combines ciphertexts with CRT when the same message is sent with e=3.
Padding oracle
Bleichenbacher shows why PKCS#1 v1.5 oracle behavior is dangerous.
CRT fault injection
CRT-RSA Fault Injection recovers a factor from one faulty signature.
What these demos teach
- Use modern padding schemes and high-level library APIs.
- Generate keys with enough entropy, strong primes, and safe parameters.
- Do not use textbook RSA for encryption or signatures.
- Treat side channels, fault behavior, and implementation details as part of the design.
Production boundary
CryptoToolkit is for education. The demos intentionally make attacks visible at small sizes. Production RSA should use audited libraries, modern padding, strong key sizes, and protocol-level review.