Applied Cryptography in Computer and Communications. Second EAI International Conference, AC3 2022, Virtual Event, May 14-15, 2022, Proceedings

Research Article

Black-Box Testing of Cryptographic Algorithms Based on Data Characteristics

Cite
  • @INPROCEEDINGS{10.1007/978-3-031-17081-2_10,
        author={Haoling Fan and Lingjia Meng and Fangyu Zheng and Mingyu Wang and Bowen Xu},
        title={Black-Box Testing of Cryptographic Algorithms Based on Data Characteristics},
        proceedings={Applied Cryptography in Computer and Communications. Second EAI International Conference, AC3 2022, Virtual Event, May 14-15, 2022, Proceedings},
        proceedings_a={AC3},
        year={2022},
        month={10},
        keywords={Black-box testing, Data characteristics, Algorithm identification},
        doi={10.1007/978-3-031-17081-2_10}
    }
    
  • Haoling Fan
    Lingjia Meng
    Fangyu Zheng
    Mingyu Wang
    Bowen Xu
    Year: 2022
    Black-Box Testing of Cryptographic Algorithms Based on Data Characteristics
    AC3
    Springer
    DOI: 10.1007/978-3-031-17081-2_10
Haoling Fan¹, Lingjia Meng¹, Fangyu Zheng¹*, Mingyu Wang¹, Bowen Xu¹
  • ¹ State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences
*Contact email: zhengfangyu@iie.ac.cn

Abstract

Serving communications security, identity authentication, etc., cryptographic algorithms constitute the cornerstone of cyberspace security. During the past decades, cryptanalysts have proved that many once-prevailing cryptographic algorithms (e.g., MD4, MD5, 3DES, RC4) are no longer secure. However, insecure cryptographic algorithms are still widely deployed in practice, seriously endangering the security of cyberspace. The reasons for this dilemma are manifold, one of which is the difficulty of detecting the algorithms used in legacy binaries. Most existing methods for detecting cryptographic algorithms either require source code analysis (i.e., white-box testing) or depend on dynamic execution information (i.e., dynamic testing), which narrows the testing scope where the source code of commercial software is not provided and the running environment may be difficult to deploy. In this paper, we propose a method of static black-box testing of cryptographic algorithms, which can identify a specific algorithm based on the corresponding data characteristics. We have implemented the testing method and used it to check 150 binaries of three types, including cryptographic libraries, commonly used programs that use cryptographic algorithms, and general-purpose GitHub projects without cryptographic algorithms. The empirical results demonstrate that 80.6% of the insecure cryptographic algorithms are implemented in the test files that contain cryptographic algorithms. The false negative rate and false positive rate were 2.10% and 1.68% using our method. Moreover, we found that insecure cryptographic algorithms (i.e., MD4, SHA-1) still exist in some popular software, e.g., MbedTLS and 7-Zip.

Keywords
Black-box testing, Data characteristics, Algorithm identification
Published
2022-10-06
Appears in
SpringerLink
http://dx.doi.org/10.1007/978-3-031-17081-2_10