CN113177218A

CN113177218A - Method and system for identifying type of encryption algorithm based on ciphertext characteristics

Info

Publication number: CN113177218A
Application number: CN202110517337.XA
Authority: CN
Inventors: 才华
Original assignee: Guangdong Southern Information Security Research Institute
Current assignee: Guangdong Southern Information Security Research Institute
Priority date: 2021-05-12
Filing date: 2021-05-12
Publication date: 2021-07-27

Abstract

The invention discloses a method and a system for identifying the type of an encryption algorithm based on ciphertext characteristics, which comprises the following steps: crawling plaintext password information on the information security website, and performing data preprocessing; adopting an OpenSSL open source encryption library to encrypt by adopting different encryption algorithms to obtain an encrypted ciphertext set as training data; performing deep learning model training based on a GRU model, testing the trained model to obtain the classification of classified errors, performing n-gram-based extraction on encrypted password character strings corresponding to the classification of the errors, acquiring n-gram fragments, recording the positions and the tuple numbers of the fragments, hiding data between two n-gram tuples to realize the promotion of important characteristics, performing testing again, stopping training when the threshold degree of a test result is promoted, and otherwise, changing the n-gram tuple numbers and the hidden fragment positions; the method can identify the cipher text encryption type and correct the identified error.

Description

Method and system for identifying type of encryption algorithm based on ciphertext characteristics

[ technical field ] A method for producing a semiconductor device

The invention relates to the technical field of cryptography, in particular to a method for identifying the type of an encryption algorithm by ciphertext characteristics.

[ background of the invention ]

In the current commercial activity, there are many important confidential data, and in order to prevent data leakage, an encryption algorithm is often used to encrypt the data, so as to protect the data security. However, because the importance and the security level of each type of data are different, different encryption algorithms must be adopted for encrypting different data, so as to avoid data leakage and influence on normal use of the data. The method has the advantages that the difficulty of cracking the encryption algorithm is high, the algorithm is not cracked, the encryption type of the encrypted algorithm is identified, and when the encryption type does not accord with the safety standard, targeted reminding can be performed to help enterprises or public institution to obtain system safety. Therefore, in order to ensure correct use of the encryption algorithm, it is very important to identify the type of the encryption algorithm.

Deep learning is one of machine learning, and since deep learning is proposed in 2006, deep learning is widely applied in many fields, and is not exceptional in the field of encryption algorithm identification. In 2013, a distinguishing attack method based on a neural network is proposed by scholars, and a classification model is generated from ciphertexts encrypted by MARS, RC6, Rijndael, Serpent and Twofish by utilizing a linguistic and information retrieval method; however, the previous method has a high recognition error rate, and after the recognition is wrong, more effective features cannot be extracted for accuracy optimization, so that good recognition cannot be guaranteed, and the content of wrong recognition cannot be reduced.

[ summary of the invention ]

The invention provides a method for identifying the type of an encryption algorithm based on ciphertext characteristics, which comprises the following steps:

crawling plaintext password information on the information security website, and performing data preprocessing; adopting an OpenSSL open source encryption library to encrypt by adopting different encryption algorithms to obtain an encrypted ciphertext set as training data; carrying out deep learning model training based on a GRU model, testing the trained model to obtain the classification of classified errors, carrying out n-gram-based extraction on encrypted password character strings corresponding to the classification of the errors to obtain n-gram fragments, recording the positions of the fragments and the number of tuples, hiding data between two n-gram tuples to realize the promotion of important features, carrying out testing again, stopping training when the threshold degree of the test result is promoted, and otherwise, changing the number of the n-gram tuples and the hidden positions of the fragments.

Further optionally, in the method as described above, the plaintext password information on the crawler information security website mainly includes:

matching keywords on the information security related website through a regular expression to be common passwords or passwords matched with various large information security forums are set as follows: "the related report contents of these words or information with numbers, symbols and letters; and processing the data defects and spaces existing in the data.

Further optionally, in the method described above, the OpenSSL open source encryption library uses different types of encryption algorithms for encryption, and mainly includes:

selecting an encryption algorithm in an OpenSSL open source encryption library as a standard encryption algorithm, respectively selecting different types of encryption algorithms from the standard encryption algorithm to encrypt the plaintext password, storing the ciphertexts according to the types of the encryption algorithms to obtain a ciphertext set output by the different types of encryption algorithms, and selecting ciphertexts with different ciphertext length ratios smaller than a preset threshold value as training data.

Further optionally, in the method as described above, the performing deep learning model training based on the GRU model, testing the trained model, and obtaining the classification of the classification error mainly includes: carrying out different types of encryption algorithm samples as characteristics according to the ciphertext set, taking the type algorithm as a marking value to obtain a training set, constructing an encryption algorithm type recognition model based on a GRU neural network, and adding a dropout layer and regularization into the encryption algorithm type recognition model;

test results are identified by inputting test set samples through the model, including correctly classified data and incorrectly classified data.

Further optionally, in the method as described above, the extracting the encrypted password character string corresponding to the error category based on the n-gram, obtaining a n-gram fragment, and recording a fragment position and a tuple number mainly includes:

extracting the data characteristics of the error classification, and grouping according to the symmetrical characteristics of the data characteristics; the grouping comprises the step of carrying out multi-element segmentation on the passwords through an n-gram algorithm; analyzing whether the same n-gram fragment exists or not, and recording the position of the fragment; and separating different n-gram fragments, and realizing grouping according to separated contents.

Further optionally, in the method described above, the hiding data between two n-gram tuples to achieve the enhancement of the important feature mainly further includes:

hiding the middle part data of the two n-gram characteristics, and not hiding the middle part data when the hidden part contains other n-gram strings; when the character strings at intervals in the n-gram are larger than the preset length, the character strings are not hidden.

Further optionally, in the method as described above, the stopping training when the test result is raised by a threshold degree, otherwise, changing the number of n-gram tuples and the hidden segment positions mainly includes:

if the improvement on the accuracy is found not, the element group number of the n-gram is changed, and the extracted binary group is changed into a triple, so that the characteristics are more prominent; or changing the hidden segment position, and only hiding the N character strings at the middlemost of the two tuples instead of hiding all the character strings, thereby improving the characteristic value of the peripheral elements of the N-gram.

The invention discloses a system for identifying the type of an encryption algorithm based on ciphertext characteristics, which comprises:

the data acquisition module is used for acquiring password content which can be used for testing through a crawler;

the deep learning training and testing module is used for training and testing the model accuracy by adopting a deep learning GRU model;

the n-gram extraction module is used for identifying the n-gram characteristics of the wrong content so as to improve the subsequent test;

and the segment hiding module is used for hiding the unimportant segments and realizing the enhancement of important features.

The technical scheme provided by the invention can have the following beneficial effects:

the invention provides a method for identifying the type of an encryption algorithm based on ciphertext characteristics aiming at the problem of encryption algorithm identification, and after correct training, the type of the encryption algorithm to which a ciphertext belongs can be efficiently and accurately identified as long as the ciphertext is input. In addition, the invention can extract the characteristics and hide irrelevant data aiming at the wrong classification result, thereby realizing the improvement and optimization of the accuracy.

[ description of the drawings ]

Fig. 1 is a flowchart of a method for identifying an encryption algorithm type based on ciphertext features of the present invention.

Fig. 2 is a structural diagram of a method for identifying the type of an encryption algorithm based on ciphertext features of the present invention.

[ detailed description ] embodiments

In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in detail with reference to the accompanying drawings and specific embodiments.

Fig. 1 is a flowchart of a method for identifying an encryption algorithm type based on ciphertext features of the present invention. As shown in fig. 1, the method and system for identifying the type of the encryption algorithm based on the ciphertext feature in this embodiment may specifically include the following steps:

the random distribution characteristics of the ciphertexts output after the encryption by different encryption algorithms are different. The ciphertext can also be regarded as a section of natural language text, the ciphertext output after being encrypted by different encryption algorithms is like different languages, and based on the thought, the ciphertext characteristics can be extracted by utilizing a GRU neural network in deep learning so as to identify the encryption algorithm.

The method comprises the following steps: and (4) crawling related plaintext password data on each information security forum from the network by using a crawler technology, and preprocessing the data.

The crawler program is written based on the script framework of the python language, keywords are matched through regular expressions to be common passwords, or all large information security forums are set as follows if the passwords are set as follows: "several words of related reports or information with numbers, symbols, letters.

The data therein is then data washed or preprocessed. Data crawled from the network is generally defective, or null or erroneous, and cannot be directly utilized. At this time, the Pandas library in python can be used to perform data cleaning on the data to obtain correct data. For example: and if the encryption is directly performed, the content which is not the original text of the password can be encrypted into the password, so that the output ciphertext and the original data do not correspond to each other, and therefore, the Pandas is used for null value filling, and NAN values are filled in the 6 null values. When the encryption operation is performed, the null value in the encryption operation can be extracted and special processing can be performed.

Step two: and encrypting the data by using an encryption algorithm to obtain a ciphertext set obtained after different types of encryption algorithms are adopted.

OpenSSL is a software library package of open source code, and an application program can use this package to perform secure communication, to avoid eavesdropping, and to confirm the identity of a linker at the other end, and this library also contains an encryption library. And selecting the encryption algorithm in the OpenSSL open source encryption library as a standard encryption algorithm, respectively selecting different types of encryption algorithms from the standard encryption algorithm to encrypt the data obtained in the step one, and storing the ciphertexts according to the types of the encryption algorithms to obtain different encryption algorithm output ciphertext sets. And selecting the content with the ciphertext bit difference smaller than a preset threshold value, such as 64 bits, as valuable training data. Avoid some ciphertexts being too long and some being too short. If there are multiple categories of encryption algorithms, then multiple encryptions and stores are performed.

For example: for the data of the section of data of ' 1000 yuan of this day ', the ciphertext obtained by encrypting the data by MD5 is ' 8ff695b12a854ed9da 82 ce82f5c948d2 ', the ciphertext obtained by encrypting the data by SAH1 is ' b3ff0a58f4a88fe9549fd319d09f353d51f2462e ', the ciphertext obtained by AES encryption is ' VkXv + pLtXVVS7qhtV/CWyjAKBwsxljs 1l/1/3hEMN + Q ', and the encrypted ciphertexts are respectively stored in txt files named as ' MD5 ', ' SAH1 ' and AES '. Other kinds of encryption algorithms and so on.

Step three: and coding the label, constructing an encryption algorithm type identification model, and training.

And (5) coding the encryption algorithm type of the ciphertext set obtained in the step two, labeling to obtain a label set, and constructing an encryption algorithm type identification model based on a GRU neural network, wherein a dropout layer and regularization are added. The GRU neural network model is a variant of the LSTM neural network model and is also a kind of cyclic neural network, which has one less gate function than the LSTM, only has an update gate and a reset gate, so the number of parameters is less than that of the LSTM, and the overall training speed is faster than that of the LSTM. And a dropout layer and regularization are added to avoid overfitting of a neural network model, so that a result with high classification accuracy only on the training set is obtained.

For example: according to the mapping table { "MD 5": 0, "SAH 1": 1, "AES": 2, coding the encryption algorithm type, using the obtained coding table {0, 1, 2} as a label, constructing a GRU layer with the stacking layer number of 64, without offset, then a dropout layer, and adding an L1 regularization parameter (0.01) into an output Dense layer.

Step four: and training the encryption algorithm type identification model to obtain an identification result.

And C, dividing the ciphertext set obtained in the step II into a training set, a verification set and a test set, inputting the test set, the verification set and the label set obtained in the step III into the GRU neural network model constructed in the step III, and obtaining the type identification result of the encryption algorithm of the ciphertext set. The verification set is used for preventing the encryption algorithm type identification model from being over-fitted and better adjusting the hyper-parameter setting of the model.

For example: existing ciphertext sets of MD5, SAH1 and AES are 3000 ten thousand txt files respectively, and the files are arranged according to the following ratio of 5: 2: and 3, dividing the proportion into a training set, a verification set and a test set, inputting the training set and the verification set into an encryption algorithm type identification model to train 100 epochs, and setting a callback parameter function to stop training when the error of the training set is reduced and the error of the verification set is increased. After 75 epochs were trained, the model automatically stopped training. And (4) testing through the test set to see whether the algorithms can be correctly classified or not and to judge which characteristic cryptographic algorithms are identified wrongly.

And fifthly, optimizing the error classification again.

First, data bits that are misclassified are extracted and grouped according to their symmetry characteristics. The grouping method comprises the step of carrying out multi-element segmentation on the passwords through an n-gram algorithm. Analyze if there are identical n-gram fragments and record the position of the fragments. And separating different n-gram fragments and grouping according to separated contents.

The n-gram algorithm can automatically identify and extract repeated small-segment character strings, for example, the encrypted text obtained by MD5 is "8 ff695b12a854ed9da69ce82f5c948d 2", wherein 69 is a binary segment which appears twice. Likewise, some ternary and quaternary strings will often appear similarly.

And step six, hiding partial non-n-gram character string information segments and improving the overall n-gram characteristics. The reason why the cipher type cannot be correctly identified is largely that the features of the cipher string cannot be found, and the n-gram is repetitive and features that are more easily distinguished. Hiding partial non-n-gram features is beneficial to boosting the weight of the n-gram. The hiding mode is to hide the middle part data of two n-gram features, and when the hidden part contains other n-gram strings, the hidden part is not hidden. When the character strings at intervals in the n-gram are larger than the preset length, the character strings are not hidden. Otherwise, data hiding is carried out to improve the characteristic weight.

And step seven, testing the classified error data again to obtain new characteristics and classification results.

And (3) carrying out n-gram processing on the data set which is originally classified wrongly, and then carrying out classification testing by adopting the model again, wherein after the algorithm is improved, the characteristics are highlighted, new classification testing results are obtained, and some data sets can be classified correctly. For example, from the original total accuracy 87.91%, when the total accuracy reaches 88.82%, the model is considered to be improved. If the improvement on the accuracy is found not, the element number of the n-gram is changed, and if the improvement on the accuracy is found not, the element group number of the n-gram is changed, so that the extracted binary group is changed into a triple group, and the characteristics are more prominent; or changing the hidden segment position, and only hiding the N character strings at the middlemost of the two tuples instead of hiding all the character strings, thereby improving the characteristic value of the peripheral elements of the N-gram. The associated information with the data characteristics is prevented from being deleted.

Step eight: and encrypting the specific text in an online encryption website of the network by using a Selenium test tool, inputting the encrypted ciphertext into an encryption algorithm type identification model for identification, carrying out large-scale automatic test, and adjusting the test result. Therefore, large-scale data can be obtained and the optimal parameter step can be obtained in the characteristic adjusting process.

The Selenium is a tool for Web application testing that runs directly in the browser, just as a real human would be operating. By using the software, a specific text can be directly encrypted at a webpage end in an encryption website, an encrypted ciphertext is obtained, the encrypted ciphertext is input into an encryption algorithm type identification model for identification, if the identification result is not the correct encryption algorithm, the section of ciphertext is added into a corresponding ciphertext set, and the model is trained again.

For example: MD5 encryption is carried out on plaintext password information on an information security website on an online encryption website chahu.com by using Selenium, the number of encrypted words does not exceed 10 words each time, a ciphertext set is obtained, the ciphertext set is input into an encryption algorithm type identification model for identification, the identification accuracy rate of the identified type MD5 is 81.27%, the SAH1 is 54.29%, and the AES algorithm is 65.44%, so that the most types of identification errors are input again and the number of n-gram feature hidden tuples is adjusted, and the encryption algorithm is subjected to targeted optimization training in the type identification model. The algorithm with high error rate can be improved greatly.

Through the above description of the embodiments, it is clear to those skilled in the art that the above embodiments can be implemented by software, and can also be implemented by software plus a necessary general hardware platform. With this understanding, the technical solutions of the embodiments can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, a usb disk, a removable hard disk, etc.), and includes several instructions for enabling a computer device (which can be a personal computer, a server, or a network device, etc.) to execute the methods according to the embodiments of the present invention.

The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims

1. A method for identifying a type of an encryption algorithm based on ciphertext features, the method comprising:

2. The method of claim 1, wherein the plaintext cryptographic information on the crawler information security website further comprises:

3. The method of claim 1, wherein the OpenSSL open source encryption library is encrypted using different kinds of encryption algorithms, and mainly comprises:

4. The method of claim 1, wherein the performing deep learning model training based on the GRU model, testing the trained model to obtain the classification of the classification error, further comprises: carrying out different types of encryption algorithm samples as characteristics according to the ciphertext set, taking the type algorithm as a marking value to obtain a training set, constructing an encryption algorithm type recognition model based on a GRU neural network, and adding a dropout layer and regularization into the encryption algorithm type recognition model;

5. The method according to claim 1, wherein the extracting the encrypted password character string corresponding to the error category based on n-gram, obtaining n-gram fragments, and recording fragment positions and tuple numbers, further comprises:

6. The method according to claim 1, wherein the hiding the data between the two n-gram tuples to achieve the enhancement of the important features mainly further comprises:

7. The method of claim 1, wherein stopping training when the test result is raised by a threshold degree, otherwise changing the number of n-gram tuples and the hidden segment position, further comprises:

8. The method for identifying the type of the encryption algorithm based on the ciphertext features is characterized in that the system comprises the following steps: