Abstract: Existing memory forensics tools and research focus mainly on key extraction for modern encryption algorithms and lack targeted search capability for traditional DES keys, which limits forensic efficiency and completeness when DES-encrypted data is processed. To address this, a DES key search algorithm for memory forensics is proposed. First, based on the deobfuscation mechanism for DES keys in the OpenSSL library, the obfuscation logic of the initial byte swap and the secondary bitwise operations is analysed, and the byte-obfuscated sequence is restored to standard subkeys through reverse cyclic shifts, byte permutation and sliding-window positioning. Second, a Hamming-distance structural verification method uses the cyclic group relationship between DES round keys: the legitimacy of a candidate key is verified through PC-2 inverse permutation, cyclic right shifts and Hamming distance computation, and bits lost in the permutation are filled in by bit padding. Finally, an entropy threshold filtering strategy, based on the high entropy of DES subkeys, selects the optimal entropy threshold. Experimental results show that the algorithm performs well: the false detection rate was 0 in every run, and the missed detection rate was only 7% with the optimal entropy threshold.
Keywords: key search; memory forensics; DES key

CLC number:
Document code:

DES Key Search Algorithm for Memory Forensics

huangjinghao, wulifa
NJUPT
Abstract: Existing memory forensics tools and research focus mostly on key extraction for modern encryption algorithms and lack targeted search capabilities for traditional DES keys, which limits forensic efficiency and integrity when DES-encrypted data is processed. This paper proposes a DES key search algorithm for memory forensics. First, based on the deobfuscation mechanism of DES keys in the OpenSSL library, the algorithm analyzes the obfuscation logic involving the initial byte permutation and secondary bitwise operations. By reversing cyclic shifts, performing byte permutations, and applying sliding-window positioning, the byte-obfuscated sequence is restored to standard subkeys. Second, a Hamming distance structural verification method is employed. Leveraging the cyclic group relationship of DES round keys, the algorithm verifies the legitimacy of candidate keys through PC-2 inverse permutation, cyclic right shifts, and Hamming distance calculation, while filling in missing bits caused by permutation through bit padding. Finally, an entropy threshold filtering strategy is implemented. Based on the high-entropy characteristics of DES subkeys, the optimal entropy threshold value is determined. Experimental results demonstrate that the proposed algorithm exhibits excellent search performance, with a false detection rate of 0 in multiple experiments and a missed detection rate of only 7% when the optimal entropy threshold is selected.
Keywords: key search; memory forensics; DES key
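The structural verification and entropy filtering steps described in the abstract, as an added example that is not code from the paper or from OpenSSL. It operates on standard 48-bit DES round keys, that is, after the OpenSSL-specific deobfuscation step the abstract describes, which is not reproduced here. Each candidate round key is run through the PC-2 inverse permutation (leaving the 8 discarded slots unknown), cyclically shifted right by that round's cumulative shift so all 16 rounds sit in the same frame, and compared slot by slot; the number of disagreeing bits plays the role of the Hamming distance and is 0 for a genuine schedule. Slots no round supplies are bit-padded before PC-1 is undone to rebuild the 8-byte key. The sample key `133457799BBCDFF1` and the entropy threshold `4.0` are constructed placeholders; the paper's tuned threshold is not given on this page.

```python
# Added illustration (not code from the paper): structural verification of
# candidate DES round keys carved from memory, then recovery of the 56-bit key.
# Works on standard 48-bit round keys, i.e. after OpenSSL deobfuscation.
import math
from collections import Counter

PC1 = [57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 10, 2,
       59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36, 63, 55, 47, 39,
       31, 23, 15, 7, 62, 54, 46, 38, 30, 22, 14, 6, 61, 53, 45, 37,
       29, 21, 13, 5, 28, 20, 12, 4]
PC2 = [14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 23, 19, 12, 4,
       26, 8, 16, 7, 27, 20, 13, 2, 41, 52, 31, 37, 47, 55, 30, 40,
       51, 45, 33, 48, 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]

def _bits(data, n):
    """First n bits of a byte string, most significant bit first."""
    return [(data[i // 8] >> (7 - i % 8)) & 1 for i in range(n)]

def _rotl(half, s):
    """Rotate a 28-entry half left by s; rotating by (28 - s) % 28 is a right shift."""
    s %= 28
    return half[s:] + half[:s]

def des_round_keys(key8):
    """Standard DES key schedule: 8-byte key -> 16 round keys of 6 bytes each."""
    cd = [_bits(key8, 64)[p - 1] for p in PC1]
    c, d = cd[:28], cd[28:]
    keys = []
    for s in SHIFTS:
        c, d = _rotl(c, s), _rotl(d, s)
        kbits = [(c + d)[p - 1] for p in PC2]
        keys.append(bytes(int("".join(map(str, kbits[i:i + 8])), 2)
                          for i in range(0, 48, 8)))
    return keys

def inverse_pc2(rk6):
    """Undo PC-2 on one round key: 56-slot C||D with None in the 8 slots
    PC-2 discards (positions 9, 18, 22, 25, 35, 38, 43, 54)."""
    kbits = _bits(rk6, 48)
    cd = [None] * 56
    for j, p in enumerate(PC2):
        cd[p - 1] = kbits[j]
    return cd

def align_to_round0(cd, round_index):
    """Cyclic right shift of both halves by this round's cumulative shift,
    so every round's slots line up with the post-PC-1 frame."""
    back = (28 - sum(SHIFTS[:round_index + 1])) % 28
    return _rotl(cd[:28], back) + _rotl(cd[28:], back)

def structural_check(round_keys):
    """Hamming-distance structural verification. Returns (distance, merged):
    distance counts bits disagreeing with the value another round already gave
    the same slot (0 for a genuine schedule); merged is the 56-slot C||D,
    None where no round supplied the bit."""
    merged = [None] * 56
    distance = 0
    for i, rk in enumerate(round_keys):
        for slot, b in enumerate(align_to_round0(inverse_pc2(rk), i)):
            if b is None:
                continue
            if merged[slot] is None:
                merged[slot] = b
            elif merged[slot] != b:
                distance += 1
    return distance, merged

def recover_key(cd, pad_bit=0):
    """Undo PC-1 to rebuild the 8-byte key: unsupplied slots are bit-padded
    with pad_bit and every byte gets its odd parity bit."""
    key = [0] * 64
    for j, p in enumerate(PC1):
        key[p - 1] = pad_bit if cd[j] is None else cd[j]
    out = bytearray()
    for i in range(0, 64, 8):
        seven = key[i:i + 7]
        parity = 1 - sum(seven) % 2
        out.append(int("".join(map(str, seven + [parity])), 2))
    return bytes(out)

def shannon_entropy(data):
    """Byte-level Shannon entropy in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_des_key_block(blob, entropy_threshold=4.0):
    """Filter a 96-byte candidate (16 x 6-byte round keys): entropy gate, then
    structural check. The threshold is an assumed placeholder value."""
    if len(blob) != 96 or shannon_entropy(blob) < entropy_threshold:
        return False
    distance, _ = structural_check([blob[i:i + 6] for i in range(0, 96, 6)])
    return distance == 0

if __name__ == "__main__":
    # Constructed sample: the textbook key expanded with the standard schedule
    # stands in for a subkey block found in a memory image.
    block = b"".join(des_round_keys(bytes.fromhex("133457799BBCDFF1")))
    print(is_des_key_block(block), recover_key(structural_check(
        [block[i:i + 6] for i in range(0, 96, 6)])[1]).hex())
```

Because each key bit is selected by PC-2 in most of the 16 rounds, a complete schedule lets `structural_check` fill every slot, so the padding branch in `recover_key` only matters when some rounds are missing or damaged in the carved block; a single flipped bit in any round shows up as a non-zero distance, which is what makes the check usable as a low-false-positive filter.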