Black-Box Testing of Cryptographic Algorithms Based on Data Characteristics

Applied Cryptography in Computer and Communications (AC3 2022)

Abstract

Cryptographic algorithms serve communications security, identity authentication, and similar functions, and constitute the cornerstone of cyberspace security. Over the past decades, cryptanalysts have proved that many once-prevailing cryptographic algorithms (e.g., MD4, MD5, 3DES, RC4) are no longer secure. However, insecure cryptographic algorithms are still widely deployed in practice, seriously endangering the security of cyberspace. The reasons for this dilemma are manifold, one of which is that it is difficult to detect the algorithms used in legacy binaries. Most existing methods for detecting cryptographic algorithms either require source code analysis (i.e., white-box testing) or depend on dynamic execution information (i.e., dynamic testing), which narrows the testing scope where the source code of commercial software is not provided and the running environment may be difficult to deploy. In this paper, we propose a method of static black-box testing of cryptographic algorithms, which can identify a specific algorithm based on the corresponding data characteristics. We have implemented the testing method and used it to check 150 binaries of three types: cryptographic libraries, commonly used programs that use cryptographic algorithms, and general-purpose GitHub projects without cryptographic algorithms. The empirical results demonstrate that 80.6% of the insecure cryptographic algorithms are implemented in the test files that contain cryptographic algorithms. The false negative rate and false positive rate of our method were 2.10% and 1.68%, respectively. Moreover, we found that insecure cryptographic algorithms (i.e., MD4, SHA-1) still exist in some popular software, e.g., MbedTLS and 7-Zip.

This work is supported in part by the National Natural Science Foundation of China No. 61902392 and CCF-Tencent Open Fund under Grant RAGR20210131. The corresponding author is Fangyu Zheng.
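
The abstract's idea of identifying an algorithm from its data characteristics, sketched as an added example (not the paper's tool or code): a static scan of a byte image for well-known algorithm constants in either byte order. The signature set, function names and sample image are assumptions made for this illustration.

```python
import struct

# Signature set is an assumption of this example: public constants of each algorithm.
# "insecure" follows the abstract, which names MD5 and SHA-1 among broken algorithms.
SIGNATURES = {
    "MD5": {"words": [0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE], "insecure": True},
    "SHA-1": {"words": [0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6, 0xC3D2E1F0],
              "insecure": True},
    "SHA-256": {"words": [0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5], "insecure": False},
    "AES": {"bytes": bytes.fromhex("637c777bf26b6fc53001672bfed7ab76"), "insecure": False},
}

def find_word(blob, word):
    """Offset of a 32-bit constant stored little- or big-endian, or -1 if absent."""
    for fmt in ("<I", ">I"):
        off = blob.find(struct.pack(fmt, word))
        if off != -1:
            return off
    return -1

def scan(blob):
    """Return {algorithm: {"insecure": bool, "offsets": [...]}} for complete matches only."""
    findings = {}
    for name, sig in SIGNATURES.items():
        if "bytes" in sig:                      # contiguous table, e.g. start of the AES S-box
            offsets = [blob.find(sig["bytes"])]
        else:                                   # every word must occur somewhere in the image
            offsets = [find_word(blob, w) for w in sig["words"]]
        if -1 not in offsets:
            findings[name] = {"insecure": sig["insecure"], "offsets": offsets}
    return findings

def build_sample():
    """Constructed test image (not a real binary): filler with embedded constants."""
    md5_table = b"".join(struct.pack("<I", w) for w in SIGNATURES["MD5"]["words"])
    # SHA-1 constants scattered as immediates, each between filler bytes
    sha1_imms = b"".join(b"\xb8" + struct.pack("<I", w) + b"\x90" * 3
                         for w in SIGNATURES["SHA-1"]["words"])
    partial_sha256 = struct.pack(">I", 0x428A2F98)   # one word of four: must not match
    return b"\x00" * 32 + md5_table + b"\xcc" * 8 + sha1_imms + partial_sha256

if __name__ == "__main__":
    for name, hit in scan(build_sample()).items():
        tag = "INSECURE" if hit["insecure"] else "ok"
        print(f"{name:8} {tag:8} offsets={hit['offsets']}")
```

A match shows that the constants are present in the image, not that the algorithm is reachable or used; algorithms with no fixed tables, such as RC4, cannot be found by constant matching alone.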




Corresponding author

Correspondence to Fangyu Zheng.


Appendices

A Cryptographic Algorithm Supports

The cryptographic algorithms supported by the cryptographic algorithm black-box testing tool include: 13 cryptographic hash algorithms, 15 symmetric cryptographic algorithms, 1 asymmetric cryptographic algorithm, 85 elliptic curves, 8 prime domains of the Diffie-Hellman key exchange algorithm, and three types of double elliptic curve pseudo-random number generators based on elliptic curves.

Table 5. Cryptographic Algorithm Detection Support

B Test File Information

When we tested the false positive rate, we used "tool", "release" and "exe" as search keywords on GitHub, sorted the search results by year, and selected 58 projects that are not related to cryptographic algorithms for compilation to obtain the test files. The GitHub project information is shown in Table 6.

Table 6. GitHub projects for testing the false positive rate


Copyright information

© 2022 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering


Cite this paper

Fan, H., Meng, L., Zheng, F., Wang, M., Xu, B. (2022). Black-Box Testing of Cryptographic Algorithms Based on Data Characteristics. In: Lin, J., Tang, Q. (eds) Applied Cryptography in Computer and Communications. AC3 2022. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 448. Springer, Cham. https://doi.org/10.1007/978-3-031-17081-2_10


  • DOI: https://doi.org/10.1007/978-3-031-17081-2_10


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17080-5

  • Online ISBN: 978-3-031-17081-2

  • eBook Packages: Computer Science, Computer Science (R0)
