Common Data Encryption Algorithms and Security Assessment Points

Disclaimer: Please do not use the relevant technologies in this article for illegal testing. Any direct or indirect consequences and losses caused by the dissemination or use of the information provided in this article shall be borne by the user. The author assumes no responsibility for this.


Part-01

Background

In today’s rapidly developing information age, information security has become a significant issue that cannot be ignored by countries, enterprises, and individuals. Cryptographic algorithms, as the core cornerstone of information security, play a crucial role. They relate not only to the confidentiality, integrity, and availability of data but also serve as an important guarantee for national security, economic stability, and social order.


In simple terms, as the security of business systems continuously improves, security assessments inevitably involve cryptography. In the author's day-to-day assessment experience, most systems use a mix of asymmetric encryption, symmetric encryption, and hash algorithms. Understanding cryptographic algorithms is therefore necessary, and this article discusses the characteristics of each. At the end of the article, a way to download encryption and decryption tools is shared for use in future security assessments.

Part-02

Overview and Characteristics of Various Algorithms

Cryptographic algorithms are mainly divided into two categories: national cryptographic algorithms and international algorithms.

National cryptographic algorithms refer to the cryptographic algorithm standards published by the Chinese National Cryptography Administration, aimed at safeguarding national information security. These algorithms include SM1, SM2, SM3, SM4, etc., which are widely used in finance, e-government, and security fields, providing strong protection for sensitive data. National cryptographic algorithms reduce reliance on external cryptographic products through self-controllable cryptographic technology, enhancing the level of national information security.

International algorithms are cryptographic algorithm standards established by international standardization organizations or industry alliances. Algorithms such as RSA, AES, and SHA are among the best, enjoying a high reputation globally and receiving widespread support and trust.

The characteristics of encrypted data from national cryptographic algorithms and international encryption algorithms differ mainly in algorithm type, key length, block length, as well as the complexity and security of encryption results.

The characteristics of encrypted data from national cryptographic algorithms are as follows.

1. SM1:
   • Type: Symmetric encryption algorithm.
   • Key Length: 128 bits.
   • Block Length: Fixed at 128 bits.
   • Features: Specific algorithm details are not disclosed, but the encryption strength is high, and the encryption/decryption speed is fast, suitable for large-scale data processing. The encrypted data has high security and confidentiality. The author has not encountered any systems using SM1 encryption during assessments. It is a relatively rare type.

2. SM2:
   • Type: Asymmetric encryption algorithm (based on elliptic curves).
   • Key Length: Supports various key lengths with good flexibility.
   • Block Length: Not applicable (asymmetric encryption usually does not discuss block lengths).
   • Features: The security of encrypted data is high, effectively resisting various attacks. At the same time, the computational efficiency is high, meeting the needs of large-scale data processing. Generally used for signing and verification, identity authentication.

3. SM3:
   • Type: Hash algorithm.
   • Output Length: Fixed (usually 256 bits or 32 bytes).
   • Features: The encryption process is irreversible, with high security. The fixed output length is convenient for storage and transmission. The algorithm executes efficiently, meeting real-time requirements. Encrypted data is typically used for digital signatures, message authentication, etc., ensuring the authenticity and integrity of information.

4. SM4:
   • Type: Symmetric encryption algorithm.
   • Key Length: 128 bits.
   • Block Length: 128 bits.
   • Features: Uses a round function structure similar to AES, but the specific implementation is different. The security of the encrypted data is comparable to AES, meeting the needs of various secure application scenarios. At the same time, the cost of software and hardware implementation is low, making it easy to deploy on various devices. Currently, it is the most widely used national symmetric encryption algorithm in various systems.

5. Other national cryptographic algorithms (such as SM7, SM9, ZUC, etc.):
   • These algorithms also have their unique data characteristics and application scenarios. For example, SM7 is suitable for contactless IC card applications; SM9 is an identity-based asymmetric cryptographic algorithm suitable for data security and privacy protection in IoT environments; ZUC is a stream encryption algorithm suitable for encryption and decryption operations in 3GPP LTE communications.

Characteristics of encrypted data from international encryption algorithms

1. AES:
   • Type: Symmetric encryption algorithm.
   • Key Length: 128 bits, 192 bits, 256 bits.
   • Block Length: 128 bits.
   • Features: The security and efficiency of encrypted data are high. Due to the widespread adoption and in-depth research of the AES algorithm, its encryption results have high reliability and stability. Most commonly used in daily systems.

2. DES/3DES:
   • Type: Symmetric encryption algorithm.
   • Key Length: DES is 56 bits (actual effective key length is shorter), 3DES uses three 56-bit keys.
   • Block Length: 64 bits.
   • Features: The DES algorithm has gradually failed to meet modern security needs due to its short key length. 3DES, as a variant of DES, enhances encryption strength but is relatively slow. The security of encrypted data is not as robust as modern algorithms like AES. Due to the short key length security flaw of DES, current business systems generally adopt 3DES.

3. RSA:
   • Type: Asymmetric encryption algorithm.
   • Key Length: Usually long (e.g., 1024 bits, 2048 bits, etc.).
   • Block Length: Not applicable (asymmetric encryption usually does not discuss block lengths, but the length of the encrypted data typically differs from the plaintext length).
   • Features: The security of encrypted data is high, based on the mathematical problem of large prime factorization. The RSA algorithm is widely used in key management, digital certificates, e-commerce, etc. It corresponds to the national cryptographic algorithm SM2.

4. SHA series (e.g., SHA-1, SHA-256, etc.):
   • Type: Hash algorithm.
   • Output Length: Varies based on the algorithm (e.g., SHA-256 outputs 256 bits).
   • Features: The encryption process is irreversible, and the output length is fixed. SHA algorithms are mainly used to generate message digests to verify data integrity. Encrypted data (i.e., the digest) is typically used in digital signatures, file verification, etc.
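
The block and output sizes listed above are enough for a first-pass algorithm inventory during an assessment. The following Python example is added here and is not part of the original article: it infers candidate algorithm families for one field from the lengths of several samples and flags fields that only fit a 64-bit block cipher. The function names and sample values are hypothetical; the 20-byte SHA-1 size and the assumption that RSA output equals the modulus size are added here, and SM2 is left out because the article gives no sizes for it.

```python
import base64
from functools import reduce
from math import gcd

# Sizes in bytes, from the lists above. The 20-byte SHA-1 digest size is a
# known value added here; the article names SHA-1 without stating its length.
DIGESTS = {20: ["SHA-1"], 32: ["SHA-256", "SM3"]}
# Assumption: an RSA ciphertext or signature is as long as the modulus.
RSA_OUTPUT = {128: "RSA-1024", 256: "RSA-2048"}


def decode_blob(text):
    """Decode a hex or base64 string to bytes; ambiguous input is read as hex."""
    text = text.strip()
    try:
        return bytes.fromhex(text)
    except ValueError:
        return base64.b64decode(text, validate=True)


def classify_field(samples):
    """Return (candidates, legacy) for several samples of one encrypted field.

    candidates: algorithm families whose output size fits every sample.
    legacy: True when only a 64-bit block cipher (DES/3DES) fits the lengths.
    """
    lengths = [len(decode_blob(s)) for s in samples]
    if not lengths or 0 in lengths:
        raise ValueError("need at least one non-empty sample")
    candidates = []
    if len(set(lengths)) == 1:  # constant size: digest or RSA output
        candidates += DIGESTS.get(lengths[0], [])
        if lengths[0] in RSA_OUTPUT:
            candidates.append(RSA_OUTPUT[lengths[0]])
    step = reduce(gcd, lengths)  # largest unit dividing every sample length
    legacy = False
    if step % 16 == 0:
        # 128-bit blocks fit; a 64-bit block cipher is not ruled out.
        candidates.append("AES/SM4/SM1 (128-bit block)")
    elif step % 8 == 0:
        candidates.append("DES/3DES (64-bit block)")
        legacy = True
    return candidates, legacy


# Constructed samples, not taken from any real system.
ID_FIELD = [base64.b64encode(bytes(range(n))).decode() for n in (8, 24, 16)]
TOKEN_FIELD = ["ab" * 32, "cd" * 32]
```

Length alone cannot separate SHA-256 from SM3 or AES from SM4, so the result narrows the candidates for review of the code or configuration rather than naming one algorithm.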

Part-03

Conclusion

During daily penetration testing, focus on three things: whether keys are leaked, which algorithm is in use, and finally whether the encrypted data can be decrypted with the obtained keys and the known encryption algorithm. This approach is suitable for uncovering sensitive information leakage vulnerabilities involving personal ID numbers, phone numbers, names, etc.

To obtain the download link: Follow the public account and reply with “250219”.
