Research On Key Technology Of Cryptography Algorithm Recognition And Analysis

Posted on: 2015-02-27 | Degree: Doctor | Type: Dissertation
Country: China | Candidate: J Z Li
GTID: 1108330482479228 | Subject: Computer software and theory
Abstract/Summary:
In the information age, computer application technology and network communication technology have developed rapidly, and cryptographic algorithms play an important role in protecting information security. Identifying and analyzing cryptographic algorithms in binary code is of vital significance for malicious code detection, illegal traffic monitoring, code-breaking and crypto application security analysis. To address the low efficiency and accuracy, the limited amount of effective identification information, and other issues in present cryptographic algorithm recognition and analysis techniques, this dissertation carries out research on the corresponding key technologies. The main work is summarized as follows:

1. It analyzes the encryption and decryption mechanisms of different cryptography types (hash functions, block ciphers, public key ciphers and stream ciphers) and builds a multi-level cryptographic algorithm feature space model. Using the disassembly tool IDA and a dynamic binary analysis platform based on Pin, it extracts and analyzes cryptographic algorithm features at the binary level, the disassembly level and the dynamic execution level, which lays the foundation for the identification of cryptographic algorithms.

2. For the control-structure loop feature in the disassembly of cryptographic algorithm code, it designs an improved DFS recognition algorithm by introducing the concept of a basic block node traversal state. For the sequence loops that occur during the execution of cryptographic algorithms, it introduces a loop identification set and designs a reduction-based sequence loop recognition algorithm (RSLA); on this basis, combined with the back edges of the dynamic instruction flow and basic block flow, it designs an improved sequence loop recognition algorithm (I-RSLA). For the high information entropy of the data that cryptographic algorithms operate on in memory, it designs a formatted information entropy measurement method based on a sliding window and constructs an information entropy recognition model based on loop patterns. Test results show that combining control-structure loops with a heuristic strategy effectively reduces the scope of analysis, and that, for sequence loop detection at dynamic basic block granularity, the I-RSLA algorithm is significantly better than the RSLA algorithm in recognition efficiency and peak memory. Additionally, the loop-pattern-based information entropy recognition model can effectively recognize the high information entropy property of cryptographic functions.

3. For the heuristic features of cryptographic algorithms during dynamic execution, it proposes filtering and classification strategies of different granularity by constructing an eight-dimensional feature vector drawn mainly from dynamic features. For the problem of filtering cryptographic functions, based on a study of the classic SVM model, it constructs a cryptographic function filtering model based on One-Class SVM in order to minimize the probability of missed detections. For the problem of classifying cryptographic functions, building on the filtering step, it constructs the K-FCM clustering model for different types of cryptographic function. This model targets the weak convergence of the traditional FCM model, which selects its initial cluster centers randomly, and instead adopts an improved K-means algorithm to select the cluster centers of the different categories of cryptographic function. Test results show that the filtering model can effectively filter suspected cryptographic functions out of the target function set, and that the classification model can effectively cluster different cryptographic functions and converges better than the traditional FCM model.

4. For the problem of accurately identifying cryptographic functionality, it proposes the concept of avalanche data flow by studying the relationship between the avalanche effect of cryptographic algorithms and dynamic taint propagation, and analyzes the strict correlation between the I/O parameters of cryptographic functions. It recovers the actual I/O parameters based on dynamic taint data flow analysis and combines this with heuristic strategies to verify the I/O relationship. For the block chaining mode recognition problem, it studies how avalanche data flow manifests in different block chaining modes and designs corresponding recognition methods for typical modes such as ECB, CBC, OFB(CTR) and CFB. Test results show that the I/O parameter verification method can accurately verify functionality and is more efficient than the traversal verification method over loop bodies, and that the typical block chaining mode detection algorithm can effectively identify the chaining mode with good feasibility and practicality.

5. For the problem of reversing a crypto system, on the basis of recognizing and analyzing the core crypto functions in the target binary code, it proposes the concept of an encryption and decryption process dependency graph, which describes the data and control dependencies among crypto functions. For standard cryptographic functions in crypto libraries (OpenSSL and CryptoAPI), it constructs a parameter information database and proposes a reconstruction method based on parameter correlation. For non-standard cryptographic functions, it uses the lifetime of key data in the dynamic execution trace as a clue, builds a key correlation model, designs an AES sub-key table recognition algorithm according to the rules of AES key expansion, and proposes a crypto process reconstruction method based on key correlation. Testing mainly takes the LAN communications software FeiQ and the compression software WinRar as examples to show the reconstructed encryption and decryption processes. The results show that the encryption and decryption process dependency graph can describe, at a macroscopic level, the data and control dependencies among crypto functions, and that it provides important technical support for crypto system reversing.

The related models and algorithms proposed have been applied in the "Cryptographic Algorithms Identification and Analysis System Based on Dynamic Binary Analysis", and provide important technical support for crypto breaking, malicious code detection, encrypted protocol reversing and cipher application security analysis.
Keywords/Search Tags:Crypto Algorithm’s Character Space, Loop Pattern, Information Entropy Character, Support Vector Machine, Fuzzy Clustering, Avalanche Effect, Dynamic Data Flow, I/O validation, Encryption/Decryption Process Dependence Graph, Parameter Correlation
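
The chaining-mode point in item 4 can be illustrated with a black-box analogue: flip one plaintext bit and see which ciphertext blocks change, and by how much. This is an added example, not the dissertation's taint-based algorithm; the Feistel cipher, `KEY`, `IV` and all function names are constructed stand-ins.

```python
import hashlib

BS = 8                                            # toy block size in bytes (constructed)
KEY, IV = b"constructed-key", bytes(range(BS))    # constructed sample values

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc_block(key, blk):      # 4-round Feistel stand-in (SHA-256 round function)
    l, r = blk[:BS // 2], blk[BS // 2:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + r).digest()[:BS // 2]
        l, r = r, xor(l, f)
    return l + r

def encrypt(mode, pt, key=KEY, iv=IV):
    out, prev = [], iv
    for i in range(0, len(pt), BS):
        p = pt[i:i + BS]
        if mode == "ECB":
            c = enc_block(key, p)
        elif mode == "CBC":
            c = prev = enc_block(key, xor(p, prev))
        elif mode == "CFB":
            c = prev = xor(p, enc_block(key, prev))
        elif mode == "OFB":
            prev = enc_block(key, prev)           # keystream never sees the plaintext
            c = xor(p, prev)
        else:
            raise ValueError(mode)
        out.append(c)
    return b"".join(out)

def diff_profile(oracle, nblocks=4, k=1):
    """Per-block Hamming distance between ciphertexts after flipping one bit of block k."""
    base = bytes(nblocks * BS)
    flipped = bytes(k * BS) + b"\x01" + bytes((nblocks - k) * BS - 1)
    c0, c1 = oracle(base), oracle(flipped)
    return [sum(bin(a ^ b).count("1") for a, b in zip(c0[i:i + BS], c1[i:i + BS]))
            for i in range(0, len(c0), BS)]

def classify(oracle, k=1):
    d = diff_profile(oracle, k=k)
    if any(d[:k]) or d[k] == 0:
        return "unknown"
    spreads = any(d[k + 1:])                      # does the change reach later blocks?
    if d[k] == 1:                                 # plaintext bit is only XORed into the output
        return "CFB" if spreads else "OFB/CTR"
    return "CBC" if spreads else "ECB"            # block k itself shows full avalanche
```

OFB and CTR cannot be told apart this way, since in both the keystream is independent of the plaintext, which matches the abstract grouping them as OFB(CTR).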