CN117725587A - Penetration test method and penetration test system - Google Patents


Info

Publication number
CN117725587A
Authority
CN
China
Prior art keywords
key
penetration
ciphertext
penetration test
terminal
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311531808.8A
Other languages
Chinese (zh)
Inventor
龚亮华
李依薄
张提
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Fengtai Technology Beijing Co ltd
Original Assignee
Fengtai Technology Beijing Co ltd

Abstract

The application belongs to the technical field of computers and provides a penetration testing method and a penetration testing system. The penetration testing method comprises the following steps: generating a key for the penetration test terminals; encrypting the data packet uploaded by the first terminal with the key to obtain a first ciphertext; encrypting the penetration target uploaded by the second terminal with the key to obtain a second ciphertext; obtaining, from the first ciphertext and the second ciphertext, a target ciphertext that satisfies an expected result; and finally decrypting the target ciphertext with the key to obtain a penetration test result. In this way, data that is shared or worked on collaboratively is better protected and collaborative penetration testing is more efficient, which solves the technical problem that the security of data shared among testers during multi-person collaborative penetration testing could not previously be guaranteed, while also improving the efficiency of that work.

Description

Penetration test method and penetration test system
Technical Field
The application belongs to the technical field of computers, and particularly relates to a penetration testing method and a penetration testing system.
Background
A penetration test is a mechanism for verifying that network defenses operate as planned, and it is an indispensable stage of the software security development life cycle.
In current penetration testing of service systems, testers usually work collaboratively as a group, but the data that must be exchanged during collaborative testing includes messages that involve private information. For the sake of that private data, testers typically share the data that needs to be shared or worked on jointly by means such as encrypted compressed archives or secure USB flash drives. This way of collaborating, however, reduces testing efficiency; in other words, prior-art schemes for multi-person collaborative penetration testing suffer from both low security and low penetration efficiency.
Disclosure of Invention
The embodiments of the present application provide a penetration test method and a penetration test system, which aim to solve the technical problems of low security and low penetration efficiency in prior-art schemes for multi-person collaborative penetration testing.
In a first aspect, embodiments of the present application provide a penetration test method, the penetration test method including the steps of:
generating a key for the penetration test terminals, wherein the penetration test terminals at least comprise a first terminal and a second terminal;
encrypting the data packet according to the key to obtain a first ciphertext, wherein the data packet is uploaded by the first terminal;
encrypting the penetration target according to the key to obtain a second ciphertext, wherein the penetration target is uploaded by the second terminal;
acquiring a target ciphertext satisfying an expected result based on the first ciphertext and the second ciphertext;
and decrypting the target ciphertext through the key to obtain a penetration test result.
In an embodiment, the step of generating a key for the penetration test terminal includes:
collecting unique characteristics of a first terminal;
and generating a key pair based on the unique characteristic, wherein the key pair comprises a first key and a second key, the first key is disclosed in a penetration test service system, and the second key is stored in the first terminal.
In an embodiment, encrypting the data packet according to the key to obtain a first ciphertext includes:
encrypting the data packet according to the first key to obtain a first ciphertext;
correspondingly, encrypting the penetration target according to the key to obtain a second ciphertext includes:
encrypting the penetration target according to the first key to obtain a second ciphertext;
correspondingly, decrypting the target ciphertext through the key to obtain a penetration test result includes the following steps:
decrypting, by the first terminal, the target ciphertext through the second key to obtain a penetration test result;
and transmitting the penetration test result to the second terminal.
In one embodiment, the first key satisfies a formula and the second key satisfies a formula [formulas not reproduced],
where $p_k$ represents the first key and $s_k$ represents the second key; α represents the unique feature of the first terminal, E represents the exponent of the unique feature α, and D represents the square root of the unique feature α; mod N represents a remainder operation, N being a strong prime number agreed upon for the first key and the second key.
In one embodiment, the data packet or the penetration target is encrypted by the following formula:
$y = \beta^{E}\,\theta^{r} \bmod N$
where y represents the first ciphertext obtained by encrypting the data packet with the key, or the second ciphertext obtained by encrypting the penetration target with the key; β and θ are features of the data packet or the penetration target; E represents the exponent of the unique feature α; and r represents a random number in the minimum residual set belonging to the unique feature α.
In one embodiment, the target ciphertext is decrypted by the following formula: [formula not reproduced]
where M represents the target ciphertext, D represents the square root of the unique feature α, and m represents the penetration test result.
In an embodiment, the first key further satisfies the following formula: [formula not reproduced]
accordingly, the second key also satisfies the following formula: [formula not reproduced]
where $E = e_1 + e_2 + \dots + e_n$ and $\alpha = a \times b$, a and b being factors of the unique feature α.
In an embodiment, the encryption process for the data packet or the penetration target may also be calculated by the following formula: [formula not reproduced]
where y represents the first ciphertext obtained by encrypting the data packet with the key, or the second ciphertext obtained by encrypting the penetration target with the key; β and θ are features of the data packet or the penetration target; $e_1, e_2, \dots, e_n$ represent the exponent E of the unique feature α after decomposition; and r represents a random number in the minimum residual set belonging to the unique feature α.
In a second aspect, embodiments of the present application provide a penetration test system, where the penetration test system includes a key generation module, a data encryption module, and a privacy calculation module:
the key generation module is used for generating a key for a penetration test terminal, wherein the penetration test terminal at least comprises a first terminal and a second terminal;
the data encryption module is used for encrypting the data packet according to the secret key to obtain a first ciphertext, wherein the data packet is uploaded by the first terminal;
the data encryption module is further configured to encrypt the penetration target according to the key to obtain a second ciphertext, where the penetration target is uploaded by the second terminal;
the privacy calculation module is used for acquiring a target ciphertext meeting an expected result based on the first ciphertext and the second ciphertext;
the key is used for decrypting the target ciphertext to obtain a penetration test result.
In an embodiment, the key generation module is further configured to collect a unique feature of the first terminal; generating a key pair based on the unique feature, wherein the key pair comprises a first key and a second key, the first key is disclosed in a penetration test service system, and the second key is stored in the first terminal;
the data encryption module is further used for encrypting the data packet according to the first key to obtain a first ciphertext;
the data encryption module is further used for encrypting the penetration target according to the first key to obtain a second ciphertext;
the first terminal is used for decrypting the target ciphertext through the second key to obtain a penetration test result; and transmitting the penetration test result to the second terminal.
In the above scheme, a key is first generated for the penetration test terminals; the data packet uploaded by the first terminal is encrypted with the key to obtain a first ciphertext; the penetration target uploaded by the second terminal is encrypted with the key to obtain a second ciphertext; a target ciphertext that satisfies the expected result is then obtained from the first ciphertext and the second ciphertext; and finally the target ciphertext is decrypted with the key to obtain the penetration test result. Shared or collaborative data is thereby better protected and collaborative penetration testing is more efficient: the technical problem that the security of data shared among testers during multi-person collaborative penetration testing could not be guaranteed is solved, and the efficiency of that work is improved at the same time.
Drawings
In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings needed for the embodiments or for the description of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present application, and a person skilled in the art could derive other drawings from them without inventive effort.
FIG. 1 is a schematic flow chart of a first embodiment of a penetration test method provided herein;
FIG. 2 is a schematic flow chart of a second embodiment of a penetration test method provided herein;
FIG. 3 is a block diagram of a penetration test system provided in accordance with a third embodiment of the present application;
FIG. 4 is a schematic structural diagram of a penetration test system according to a fourth embodiment of the present application;
FIG. 5 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system configurations, techniques, etc. in order to provide a thorough understanding of the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
It should be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It should also be understood that the term "and/or" as used in this specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations.
As used in this specification and the appended claims, the term "if" may be interpreted as "when..once" or "in response to a determination" or "in response to detection" depending on the context. Similarly, the phrase "if a determination" or "if a [ described condition or event ] is detected" may be interpreted in the context of meaning "upon determination" or "in response to determination" or "upon detection of a [ described condition or event ]" or "in response to detection of a [ described condition or event ]".
In addition, in the description of the present application and the appended claims, the terms "first," "second," "third," and the like are used merely to distinguish between descriptions and are not to be construed as indicating or implying relative importance.
Reference in the specification to "one embodiment" or "some embodiments" or the like means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the application. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," and the like in the specification are not necessarily all referring to the same embodiment, but mean "one or more but not all embodiments" unless expressly specified otherwise. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless expressly specified otherwise.
It can be understood that network security has become an important component of security strategy, and penetration testing is an indispensable stage of the software security development life cycle, so several testers often need to cooperate to complete a penetration testing task. The data that must be exchanged during collaborative testing includes messages that involve private information, and to protect that data testers usually share what needs to be shared or worked on jointly by means such as encrypted compressed archives or secure USB flash drives, which reduces the efficiency of the penetration test.
In order to ensure both data security and test efficiency, the present application provides a penetration test method: a key is first generated for the penetration test terminals; the data packet uploaded by the first terminal is encrypted with the key to obtain a first ciphertext; the penetration target uploaded by the second terminal is encrypted with the key to obtain a second ciphertext; a target ciphertext that satisfies the expected result is then obtained from the first ciphertext and the second ciphertext; and finally the target ciphertext is decrypted with the key to obtain the penetration test result, so that the data exchanged by the testers is protected by privacy computation.
The application also provides a penetration test system comprising a key generation module, a data encryption module and a privacy calculation module. Each module of the system can interact with the terminals used by the testers and process the penetration-test-related data they upload. The system thus provides a trusted environment for multi-person collaborative penetration testing: it performs privacy computation on the data that needs to be shared or worked on jointly during the test, so that the shared or collaborative data is more secure and collaborative penetration testing becomes more efficient.
Specifically, for the technical solutions of the present application, please refer to the following embodiments:
Example 1
In order to solve the above problems, a penetration testing method is provided in the first embodiment, as shown in FIG. 1; the method mainly includes the following steps:
Step S10, generating a key for the penetration test terminals, wherein the penetration test terminals at least comprise a first terminal and a second terminal;
It should be noted that the main execution body of the penetration test method in this embodiment is a penetration test system, which may be understood as penetration test platform software. In a specific implementation, several testers use the platform software together to perform a penetration test on a service system, so that a trusted environment is provided for the collaborative penetration testing process. The testers include at least a first tester and a second tester, and may of course include more; this embodiment is not limited in this respect. Different testers access the platform software from different penetration test terminals (for example, the first tester uses the first terminal and the second tester uses the second terminal) that are communicatively connected to the penetration test system, and the multi-person collaborative penetration test is completed in this way.
It can be understood that, because the testers need to share data with each other to complete the penetration test collaboratively, a key is generated for the terminal of each tester in order to protect the shared penetration data; the key is used to encrypt and decrypt that data.
Step S20, encrypting the data packet according to the secret key to obtain a first ciphertext, wherein the data packet is uploaded by the first terminal;
In a specific implementation, the first tester uploads the data packet to the platform software through the first terminal; the penetration test data in the packet is encrypted with the key corresponding to the first terminal, and the resulting ciphertext (the first ciphertext) is stored. The platform software does not store the plaintext of the packet's penetration test data in this step. The data packet may contain several different types of penetration test data.
In this embodiment, the types of penetration test data may specifically include: system information, user information, application information, vulnerability information, network security device information, and penetration command information;
specifically, system information may include operating system information and open ports;
user information may include user names and passwords;
application information may include web information and database information;
vulnerability information may include known vulnerabilities and vulnerability information;
network security device information may include firewall, IDS/IPS and other device information;
penetration command information may include messages, commands for obtaining information about the target device, privilege escalation commands, and the like.
Step S30, encrypting the penetration target according to the secret key to obtain a second ciphertext, wherein the penetration target is uploaded by the second terminal;
It can be appreciated that the second tester may upload the penetration target through the second terminal, and the penetration target uploaded by the second terminal must be in the same dimension as the data packet uploaded by the first terminal: for example, the data uploaded by the first terminal is a hexadecimal message and the data uploaded by the second terminal is an IP port. If the data packet and the penetration target are not data of the same dimension, the platform software reports an error.
Specifically, the penetration target may include target information such as an IP address, an IP port, a domain name, and the like;
It can be understood that the penetration test terminals of the other testers accessing the platform software (the second terminal) need to use the penetration test data in the data packet uploaded by the first terminal to perform the penetration test operation on the penetration target, and a penetration test can then be completed. To prevent leakage of the penetration target, it is encrypted with the key pair generated in step S10, the resulting ciphertext (the second ciphertext) is stored, and the platform software does not store the plaintext of the penetration target in this step.
Step S40, acquiring a target ciphertext meeting an expected result based on the first ciphertext and the second ciphertext;
Step S50, decrypting the target ciphertext through the key to obtain a penetration test result.
In this embodiment, the platform software processes the penetration test data in the data packet uploaded by the first terminal and the penetration target uploaded by the second terminal with a preset privacy algorithm;
specifically, the platform software takes the two pieces of ciphertext (the first ciphertext and the second ciphertext) as input to the preset privacy algorithm, computes on them without decrypting the data to obtain a target ciphertext that satisfies the expected result, decrypts the target ciphertext with the key to obtain the penetration test result, and feeds that result back to the testers using the platform software;
the expected result can be understood as a penetration test result that meets the testers' needs, and the threshold for the expected result can be preconfigured by the testers according to their needs.
It should be noted that performing the privacy operation on two pieces of ciphertext in this embodiment serves to explain the principle of the technical scheme; in a specific implementation, the privacy operation can be applied to the ciphertexts of more than two testers, and no ciphertext needs to be decrypted into plaintext before the computation, which further protects the transmitted penetration data, greatly reduces the risk of data leakage, and at the same time reduces the data-processing flow and speeds up transmission.
The beneficial effects of this embodiment are that shared or collaborative penetration data is better protected in transit and the overall collaborative penetration test is more efficient; the method can be applied to data sharing in every stage of a penetration test, solving the technical problem that the security of data shared among testers during multi-person collaborative penetration testing could not be guaranteed while improving the efficiency of that work.
Example 2
On the basis of the penetration test method of the first embodiment, this embodiment proposes another penetration test method embodiment, where the step S10 further includes:
step S101, collecting unique characteristics of a first terminal;
Specifically, the unique feature α may be a biometric feature of the first tester who uses the first terminal, such as a fingerprint, iris, face or voice feature, used as a way of identifying the first tester. A biometric feature is unique to the person and convenient to use: unlike a password or passphrase, it does not need to be memorized.
The unique feature α may alternatively be the current timestamp of the first terminal, which records that a piece of data existed at a particular point in time and that it is complete and verifiable. A timestamp is produced by digitally signing the signature objects such as the original file information, the signature parameters and the signing time, so that the original file can be proven to have existed before the signing time.
Step S102, generating a key pair based on the unique feature, wherein the key pair comprises a first key and a second key, the first key is disclosed in a penetration test service system, and the second key is stored in the first terminal.
Specifically, the platform software of this embodiment generates a key pair from the unique feature α of the first terminal, the key pair comprising a first key $p_k$ and a second key $s_k$. The first key $p_k$ can be understood as a public key that is published in the penetration test service system, so that every tester connected to the platform software can obtain it.
The second key $s_k$ can be understood as a private key stored in the first terminal; the second key $s_k$ can decrypt ciphertext produced by encryption with the first key $p_k$.
Further, this embodiment uses the following calculation to generate the key for the first terminal:
the first key satisfies a formula and the second key satisfies a formula [formulas not reproduced];
where $p_k$ represents the first key and $s_k$ represents the second key; α is the unique feature of the first terminal, E represents the exponent of the unique feature α, and D represents the square root of the unique feature α. In this embodiment E and D are prime numbers, each a large prime of 128 to 256 bits, so as to increase the complexity of the encryption computation, prevent a third party from obtaining the key pair by brute force, and thus keep the key secure; the first key $p_k$ is public so that all testers can obtain it and use it to encrypt data, and E is stored and recorded by the platform software. mod N represents the remainder operation, N being a strong prime number agreed for the first key and the second key; in this embodiment N is set to a 1024-bit random number to further increase the difficulty of brute-forcing the key.
Further, the step S20 further includes:
step S201, encrypting the data packet according to the first key to obtain a first ciphertext;
accordingly, the step S30 further includes:
step S301, encrypting the penetration target according to the first key to obtain a second ciphertext;
Specifically, the system encrypts the penetration data of the data packet uploaded by the first terminal and the penetration target uploaded by the second terminal with the first key, respectively;
the penetration data may include information used for the penetration test, such as system information, user information, application information, vulnerability information, network security device information and penetration command information, and the penetration target includes target information such as IP addresses, ports and domain names.
In this embodiment, the penetration data and the penetration target are collectively referred to as data G, and specifically the encryption process for the data packet or the penetration target may be calculated by the following formula:
$y = \beta^{E}\,\theta^{r} \bmod N$
The specific process is as follows: the plaintext of the penetration data G is converted into a group of order G, and β and θ are generators of that group. A generator is understood as follows: if there is an element a in the group such that every element of the group can be produced by repeatedly applying the group operation to a, then a is called a generator of the group.
β and θ can be regarded as features of G; Z is the minimum residual set of the unique feature α, r ∈ Z, and r is a random number in the minimum residual set belonging to the unique feature α, so that the first ciphertext y satisfies $y = \beta^{E}\,\theta^{r} \bmod N$;
It can be appreciated that the minimum residual set is a concept related to the generators of the group: considering a group G with generator a, the set of values $a^{k} \bmod |G|$ over all integers k is called the minimum residual set. E represents the exponent of the unique feature α, i.e. E is the feature of the first key $p_k$ (the public key).
The exponentiation in the encryption of the penetration data G increases complexity while keeping the computation effective; the platform software never records the plaintext of the penetration data G, which keeps the environment trustworthy.
Accordingly, the step S50 further includes:
step S501, decrypting, by the first terminal, the target ciphertext through the second key, to obtain a penetration test result;
In a specific implementation of this embodiment, the platform software adds the first ciphertexts $y_1$ (corresponding to the first terminal) and the second ciphertexts $y_2$ (corresponding to the second terminal), all encrypted with the first key $p_k$, to a set K (i.e. $K = \{y_1, y_2, y_3, \dots\}$), forming a target ciphertext M that satisfies the expected result, where M satisfies a formula [not reproduced]; that is, the ciphertexts are combined in a summation mode on the basis of the same features (E, Z), so that the resulting target ciphertext has the feature value of the expected result.
Further, since the first terminal stores the second key $s_k$, the platform software transmits the target ciphertext M to the first terminal, and the first tester has the first terminal invoke the second key $s_k$ to decrypt the target ciphertext M by the following formula: [formula not reproduced]
where m represents the final penetration test result. The exponentiation used in decryption provides an efficient public key, while the private key (the second key $s_k$) contains the corresponding base, so the final penetration test result can be recovered accurately.
And step S502, transmitting the penetration test result to the second terminal.
It is understood that the second penetration tester needs the final penetration test result to complete a penetration test; in a specific implementation of this embodiment, the first terminal transmits the penetration test result m to the penetration test platform software, which forwards it to the second terminal, so that the second penetration tester, once in possession of the penetration test result m, can complete one penetration test.
The second embodiment has the following beneficial effects: the technical scheme provides complete data security and a trusted environment for multi-person collaborative penetration testing; penetration testers can complete a test by sharing or collaborating on data within this scheme instead of passing penetration data around as compressed archives or on USB flash drives, so the security of the penetration data is effectively guaranteed and collaborative penetration efficiency is improved.
Example III
Based on the penetration test method of the second embodiment, and in order to reduce the resources consumed and the running time of the privacy operations on the ciphertext of the penetration test data, a third embodiment of the penetration test method is provided;
It will be appreciated that the encryption algorithm applied to the penetration data requires a large number of multiplication operations, which consume considerable computing resources and time. The third embodiment therefore not only keeps the penetration data secure during the penetration test but also reduces the time spent in the penetration process.
In this embodiment, to further reduce the high computational cost caused by the excessive amount of key computation in the encryption process, the first key also satisfies the following formula:
accordingly, the second key also satisfies the following formula:
specifically, the present embodiment takes a and b as factors of the unique feature α such that α=a×b;
it can be understood that, since the exponent E of the second embodiment is built from two large primes of 128 to 256 bits, the exponent E of the unique feature α is split as E = e_1 + e_2 + … + e_n in order to reduce the resources consumed by the privacy operations on the ciphertext of the penetration test data; the power operation with the large exponent E is thereby converted into power operations with smaller exponents. The time taken to encrypt the penetration data depends on the processor of the computer equipment, and the smaller each part e_i of E is, the lower the time complexity of the corresponding power operation, which saves resources on the computer equipment. Note that β^E = β^{e_1} · … · β^{e_n} mod N, so the split does not lower the total number of multiplications of a sequential square-and-multiply; the saving comes from the n smaller powers being independent of one another, so they can be evaluated concurrently;
Accordingly, the encryption process for the data packet or the penetration target is further calculated by the following formula:
wherein y represents the first ciphertext obtained by encrypting the data packet with the key, or the second ciphertext obtained by encrypting the penetration target with the key; β and θ are features of the data packet or the penetration target; e_1, e_2, …, e_n are the parts of the exponent E of the unique feature α after decomposition; and r is a random number in the minimum residual set belonging to the unique feature α.
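The direct form y = β^E θ^r mod N of the second embodiment against the split form of this embodiment, y = β^{e_1} · … · β^{e_n} θ^r mod N, as an added example that is not the patent's code. It checks that the two forms agree and counts the modular multiplications a plain square-and-multiply spends on each, which makes the cost remark above concrete; the operand values, the prime N, the split size and the random split are constructed for illustration and are nothing like the 128 to 256 bit sizes the text describes.

```python
import random


def modexp_counted(base: int, exp: int, mod: int) -> tuple[int, int]:
    """Left-to-right square-and-multiply; returns (base**exp mod mod, multiplications used)."""
    result, mults = 1, 0
    for bit in bin(exp)[2:]:
        result = (result * result) % mod      # one squaring per exponent bit
        mults += 1
        if bit == "1":
            result = (result * base) % mod    # one multiply per set bit
            mults += 1
    return result, mults


def encrypt_direct(beta: int, theta: int, E: int, r: int, N: int) -> tuple[int, int]:
    """y = beta^E * theta^r mod N (second embodiment), plus the multiplication count."""
    be, c1 = modexp_counted(beta, E, N)
    tr, c2 = modexp_counted(theta, r, N)
    return (be * tr) % N, c1 + c2 + 1


def split_exponent(E: int, n: int, rng: random.Random) -> list[int]:
    """Random additive split E = e_1 + ... + e_n with every part >= 1 (requires 1 <= n <= E)."""
    if not 1 <= n <= E:
        raise ValueError("need 1 <= n <= E")
    cuts = sorted(rng.sample(range(1, E), n - 1))
    return [hi - lo for lo, hi in zip([0] + cuts, cuts + [E])]


def encrypt_split(beta: int, theta: int, parts: list[int], r: int, N: int) -> tuple[int, int]:
    """y = beta^{e_1} * ... * beta^{e_n} * theta^r mod N (third embodiment).

    Each beta^{e_i} depends on nothing else, so the n partial powers could be
    computed concurrently; summed sequentially they never cost less than the direct form.
    """
    y, mults = 1, 0
    for e in parts:
        part, c = modexp_counted(beta, e, N)
        y = (y * part) % N
        mults += c + 1
    tr, c = modexp_counted(theta, r, N)
    return (y * tr) % N, mults + c + 1


def compare(beta: int, theta: int, E: int, r: int, N: int, n: int, seed: int = 1) -> dict:
    """Both ciphertexts and both multiplication counts for a given split size n."""
    parts = split_exponent(E, n, random.Random(seed))
    y_direct, m_direct = encrypt_direct(beta, theta, E, r, N)
    y_split, m_split = encrypt_split(beta, theta, parts, r, N)
    return {"parts": parts, "y_direct": y_direct, "y_split": y_split,
            "mults_direct": m_direct, "mults_split": m_split}


if __name__ == "__main__":
    # Constructed toy values: N = 7919 is a small prime, E and r are small exponents.
    print(compare(beta=1234, theta=5, E=1000, r=77, N=7919, n=4))
```

The returned dictionary shows the same ciphertext from both forms while `mults_split` is never below `mults_direct`; the split pays for itself only when the partial powers are farmed out to separate cores or machines.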
The third embodiment has the advantage of remedying the heavy consumption of computing and time resources caused by the large number of multiplication operations in the encryption algorithm applied to the penetration data, improving the efficiency with which the computer encrypts the penetration data, reducing hardware resource consumption and saving time.
Example IV
Further, in order to provide a safe and reliable working environment for multi-person collaborative penetration testing, a fourth embodiment provides a penetration test system based on the penetration test method embodiments;
as shown in fig. 3, the penetration test system of the present embodiment includes a key generation module 10, a data encryption module 20, and a privacy calculation module 30:
The key generation module 10 is configured to generate a key for a penetration test terminal, where the penetration test terminal includes at least a first terminal and a second terminal;
the data encryption module 20 is configured to encrypt the data packet according to the key to obtain a first ciphertext, where the data packet is uploaded by the first terminal;
the data encryption module 20 is further configured to encrypt the penetration target according to the key to obtain a second ciphertext, where the penetration target is uploaded by the second terminal;
a privacy calculation module 30, configured to obtain a target ciphertext that satisfies an expected result based on the first ciphertext and the second ciphertext;
the key generated by the key generating module 10 is used for decrypting the target ciphertext to obtain a penetration test result.
In a specific implementation, a plurality of testers can jointly use the penetration test system to participate in penetration test, so that a safe and reliable working environment is provided for the multi-person collaborative penetration test process;
since a penetration test is completed cooperatively by penetration testers sharing data with one another, the key generation module 10 generates, in order to protect the shared penetration data, a key for the terminal used by each penetration tester, and that key is used to encrypt and decrypt the penetration data.
Specifically, the key generation module 10 may collect unique characteristics of the first terminal and generate a key pair based on the unique feature, wherein the key pair comprises a first key p_k and a second key s_k; the first key p_k is published in the penetration test service system, and the second key s_k is stored on the first terminal;
further, as shown in fig. 4, taking the case in which a second penetration tester B uses penetration data uploaded by a first penetration tester A to test a penetration target, the penetration test system obtains the penetration data uploaded by the first terminal A and the penetration target uploaded by the second terminal B;
the data encryption module 20 encrypts the data packet uploaded by the first terminal A with the first key p_k to obtain a first ciphertext y1, and encrypts the penetration target uploaded by the second terminal B with the first key p_k to obtain a second ciphertext y2;
further, the privacy computing module 30 takes the first ciphertext y1 and the second ciphertext y2 produced by the data encryption module 20 (and, where present, the ciphertexts of further penetration testers) as its input and operates on them, without decrypting any tester's ciphertext, to obtain a target ciphertext M that meets the expected result; the expected result is to be understood as a penetration test result that meets the penetration testers' needs, and its threshold can be preconfigured by the penetration testers according to those needs.
The privacy calculating module 30 of this embodiment can perform privacy operations on the ciphertexts of a plurality of (two or more) penetration testers without first decrypting each ciphertext into plaintext, which further secures the transmission of penetration data, greatly reduces the risk of data leakage, shortens the data processing flow and speeds up transmission.
Further, after obtaining the target ciphertext M, the penetration test system feeds it back to the first terminal A, where the first terminal A decrypts the target ciphertext M with the stored second key s_k to obtain the penetration test result m; the first terminal A then transmits the penetration test result m back to the penetration test system, which forwards it to the second terminal B used by the second penetration tester. One round of penetration testing on shared data is thereby completed with its security guaranteed, without resorting to an encrypted USB flash drive or a compressed archive, so that the efficiency of penetration testing is improved while the security of the penetration data is preserved.
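The round just described, and the same round as steps S501 and S502 of the second embodiment (encrypt the first terminal's packets and the second terminal's target under the published first key p_k, combine the ciphertexts on the platform without decrypting, decrypt once on the first terminal with s_k, and forward m to the second terminal), as an added example that is not the patent's code. The page does not give enough of its own y = β^E θ^r mod N scheme (the key formulas are absent) to implement it, so textbook Paillier is used here as a stand-in additively homomorphic scheme; the primes, the sample values and the `collaborative_round` helper are constructed for illustration and are far too small for real use.

```python
import math
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class PublicKey:
    """p_k: published in the penetration test platform (stand-in: Paillier n, g)."""
    n: int
    g: int


@dataclass(frozen=True)
class PrivateKey:
    """s_k: never leaves the first terminal (stand-in: Paillier lambda, mu)."""
    n: int
    lam: int
    mu: int


def keygen(p: int, q: int) -> tuple[PublicKey, PrivateKey]:
    """Paillier key pair from two distinct primes supplied by the caller (toy sizes here)."""
    if p == q or math.gcd(p * q, (p - 1) * (q - 1)) != 1:
        raise ValueError("p and q must be distinct primes with gcd(n, phi) == 1")
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1                                            # standard simple generator choice
    u = pow(g, lam, n * n)                               # u == 1 mod n, so L(u) = (u-1)/n is exact
    mu = pow((u - 1) // n, -1, n)                        # inverse of L(g^lam) mod n
    return PublicKey(n, g), PrivateKey(n, lam, mu)


def encrypt(pk: PublicKey, m: int) -> int:
    """Encrypt 0 <= m < n with fresh randomness r coprime to n."""
    if not 0 <= m < pk.n:
        raise ValueError("plaintext out of range")
    n2 = pk.n * pk.n
    while True:
        r = secrets.randbelow(pk.n - 1) + 1
        if math.gcd(r, pk.n) == 1:
            break
    return (pow(pk.g, m, n2) * pow(r, pk.n, n2)) % n2


def decrypt(sk: PrivateKey, c: int) -> int:
    """Recover m = L(c^lam mod n^2) * mu mod n."""
    n2 = sk.n * sk.n
    u = pow(c, sk.lam, n2)
    return (((u - 1) // sk.n) * sk.mu) % sk.n


def combine(pk: PublicKey, ciphertexts: list[int]) -> int:
    """Privacy calculation step: the product of Paillier ciphertexts encrypts the sum of
    the plaintexts, so the platform forms the target ciphertext M without any plaintext."""
    n2 = pk.n * pk.n
    M = 1
    for c in ciphertexts:
        M = (M * c) % n2
    return M


def collaborative_round(p: int, q: int, first_terminal: list[int],
                        second_terminal: list[int]) -> int:
    """One round of the workflow; returns the result m that is forwarded to the second terminal."""
    pk, sk = keygen(p, q)                            # key generation module, for terminal A
    y1 = [encrypt(pk, v) for v in first_terminal]    # data encryption module: A's packets
    y2 = [encrypt(pk, v) for v in second_terminal]   # data encryption module: B's target
    M = combine(pk, y1 + y2)                         # privacy calculation module, no decryption
    return decrypt(sk, M)                            # only terminal A holds s_k


if __name__ == "__main__":
    # Constructed toy primes and inputs: values observed by A and a target value from B.
    print(collaborative_round(1000003, 1000033, [22, 80, 443], [8080]))
```

Only the holder of `s_k` can open `M`, which is why the platform must route the target ciphertext back to the first terminal before the result can reach the second one; the platform itself handles nothing but `p_k` and ciphertexts.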
It should be noted that the penetration test system of the fourth embodiment may be understood as penetration test platform software: after the penetration testers access the local penetration test platform software, it executes the key generation module 10, the data encryption module 20 and the privacy calculation module 30 in the flow sequence shown in fig. 4.
The content of information interaction and execution process between the above devices/units is based on the same conception as the method embodiment of the present application, and specific functions and technical effects thereof may be found in the method embodiment section, and will not be described herein.
The fourth embodiment has the following beneficial effects: the penetration test system of this embodiment provides complete data security and a trusted environment for penetration test schemes in which several penetration testers collaborate; it can be used by different penetration testers at every stage of a penetration test, guarantees the transmission security of penetration data, further strengthens data security throughout a collaborative penetration test task and improves penetration efficiency.
An embodiment of the present invention provides a computer device, as shown in fig. 5, and fig. 5 is a schematic structural diagram of the computer device provided in the embodiment of the present application. The computer device of this embodiment includes: a processor 01, a memory 02 and a computer program 03 stored in the memory and executable on the processor, which processor, when executing the computer program, implements the steps of an embodiment of a penetration test method.
The computer program may be a program loaded in the penetration test platform software, program code for performing penetration tests.
The processor may be a central processing unit (CPU); the processor 01 may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
The memory may in some embodiments be an internal storage unit of the computer device, such as its hard disk or main memory. In other embodiments the memory may also be an external storage device attached to the computer device, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash card or the like.
The computer device of the present application may be a server where the penetration test platform software is located in the fourth embodiment, or may be a terminal used by each penetration tester, for example, a first terminal a used by a first penetration tester, and a second terminal B used by a second tester may be the computer device of the present application.
Furthermore, the embodiments of the present application also provide a storage medium, which is a computer readable storage medium, where a computer program is stored, where the computer program is executed by a processor to implement steps in each of the method embodiments described above.
Where the integrated units are implemented as software functional units and sold or used as stand-alone products, they may be stored in a computer readable storage medium. On this understanding, the present application implements all or part of the flow of the method of the above embodiments by a computer program that instructs the related hardware; the computer program may be stored in a computer readable storage medium and, when executed by a processor, implements the steps of each of the method embodiments described above. The computer program comprises computer program code, which may be in source code form, object code form, an executable file, some intermediate form or the like. The computer readable medium may include at least: any entity or device capable of carrying computer program code to the photographing device/terminal apparatus, a recording medium, computer memory, read-only memory (ROM), random access memory (RAM), electrical carrier signals, telecommunications signals and software distribution media, such as a USB flash drive, removable hard disk, magnetic disk or optical disk. In some jurisdictions, in accordance with legislation and patent practice, computer readable media may not include electrical carrier signals and telecommunications signals.
In the foregoing embodiments, the descriptions of the embodiments are emphasized, and in part, not described or illustrated in any particular embodiment, reference is made to the related descriptions of other embodiments.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus/network device and method may be implemented in other manners. For example, the apparatus/network device embodiments described above are merely illustrative, e.g., the division of the modules or units is merely a logical functional division, and there may be additional divisions in actual implementation, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection via interfaces, devices or units, which may be in electrical, mechanical or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
The above embodiments are only for illustrating the technical solution of the present application, and are not limiting; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application, and are intended to be included in the scope of the present application.

Claims (10)

1. A penetration test method, comprising the steps of:
generating a secret key for a penetration test terminal, wherein the penetration test terminal at least comprises a first terminal and a second terminal;
Encrypting the data packet according to the secret key to obtain a first ciphertext, wherein the data packet is uploaded by the first terminal;
encrypting the penetration target according to the secret key to obtain a second ciphertext, wherein the penetration target is uploaded by the second terminal;
acquiring a target ciphertext meeting an expected result based on the first ciphertext and the second ciphertext;
and decrypting the target ciphertext through the key to obtain a penetration test result.
2. The penetration test method of claim 1, wherein the step of generating a key for the penetration test terminal comprises:
collecting unique characteristics of a first terminal;
and generating a key pair based on the unique characteristic, wherein the key pair comprises a first key and a second key, the first key is disclosed in a penetration test service system, and the second key is stored in the first terminal.
3. The method of claim 2, wherein encrypting the data packet according to the key to obtain a first ciphertext comprises:
encrypting the data packet according to the first key to obtain a first ciphertext;
correspondingly, encrypting the penetration target according to the key to obtain a second ciphertext, including:
Encrypting the penetration target according to the first key to obtain a second ciphertext;
correspondingly, decrypting the target ciphertext through the secret key to obtain a penetration test result, wherein the penetration test result comprises the following steps:
decrypting the target ciphertext by the first terminal through the second key to obtain a penetration test result;
and transmitting the penetration test result to the second terminal.
4. A penetration test method according to any one of claims 1-3, wherein the first key satisfies the formula
and the second key satisfies the formula
wherein p_k represents the first key and s_k the second key; α represents the unique characteristic of the first terminal, E the exponent of the unique characteristic α, and D the square root of the unique characteristic α; mod N represents the remainder operation, N being the strong prime agreed by the first key and the second key.
5. The penetration test method of claim 4, wherein the data packet or the penetration target is encrypted by the following formula:
y = β^E · θ^r mod N
wherein y represents the first ciphertext obtained by encrypting the data packet with the key, or the second ciphertext obtained by encrypting the penetration target with the key; β and θ are characteristics of the data packet or the penetration target; E represents the exponent of the unique feature α; and r represents a random number in the minimum residual set belonging to the unique feature α.
6. The penetration test method of claim 5, wherein the target ciphertext is decrypted by the following formula:
wherein M represents the target ciphertext, D represents the square root of the unique feature α, and m represents the penetration test result.
7. The penetration test method of claim 4, wherein the first key further satisfies the following formula:
accordingly, the second key also satisfies the following formula:
wherein E = e_1 + e_2 + … + e_n and α = a × b, a and b being factors of the unique feature α.
8. The penetration test method of claim 7, wherein the encryption process for the data packet or the penetration target is further calculated by the following formula:
wherein y represents the first ciphertext obtained by encrypting the data packet with the key, or the second ciphertext obtained by encrypting the penetration target with the key; β and θ are features of the data packet or the penetration target; e_1, e_2, …, e_n are the parts of the exponent E of the unique feature α after decomposition; and r represents a random number in the minimum residual set belonging to the unique feature α.
9. A penetration testing system, comprising a key generation module, a data encryption module, and a privacy calculation module:
The key generation module is used for generating a key for a penetration test terminal, wherein the penetration test terminal at least comprises a first terminal and a second terminal;
the data encryption module is used for encrypting the data packet according to the secret key to obtain a first ciphertext, wherein the data packet is uploaded by the first terminal;
the data encryption module is further configured to encrypt the penetration target according to the key to obtain a second ciphertext, where the penetration target is uploaded by the second terminal;
the privacy calculation module is used for acquiring a target ciphertext meeting an expected result based on the first ciphertext and the second ciphertext;
the key is used for decrypting the target ciphertext to obtain a penetration test result.
10. The penetration test system of claim 9,
the key generation module is also used for collecting unique characteristics of the first terminal; generating a key pair based on the unique feature, wherein the key pair comprises a first key and a second key, the first key is disclosed in a penetration test service system, and the second key is stored in the first terminal;
The data encryption module is further used for encrypting the data packet according to the first key to obtain a first ciphertext;
the data encryption module is further used for encrypting the penetration target according to the first key to obtain a second ciphertext;
the first terminal is used for decrypting the target ciphertext through the second key to obtain a penetration test result; and transmitting the penetration test result to the second terminal.
CN202311531808.8A 2023-11-16 2023-11-16 Penetration test method and penetration test system Pending CN117725587A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311531808.8A CN117725587A (en) 2023-11-16 2023-11-16 Penetration test method and penetration test system

Publications (1)

Publication Number Publication Date
CN117725587A true CN117725587A (en) 2024-03-19

Family

ID=90200637

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311531808.8A Pending CN117725587A (en) 2023-11-16 2023-11-16 Penetration test method and penetration test system

Country Status (1)

Country Link
CN (1) CN117725587A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination