Security Basics mailing list archives

Re: Detecting/estimate whether data is encrypted


From: john s <rwnin.security () gmail com>
Date: Fri, 19 Feb 2010 11:02:01 -0600

<notacryptoguy>

your brainstorm sounds good at first glance...

any data crypted with an algorithm that has headers and structure
should be easy to find.

other than that, most data used by systems and end-users should be
structured or ordered (if you're collecting packets you may need to
carve out the payload and do some re-assembly to get a good picture of
the non-random structure), but well implemented crypto should (?)
generate output with relatively high levels of entropy.  keying in on
data with relatively high entropy might be the place to start.

no idea if compression would look similar or not.  even if it does,
many compression algorithms are well known, so running high-entropy
data through a battery of decompression algorithms should remove many
of your false positive results.

your final results should be blobs of decently crypted data and random
junk/noise.  most systems and processes make attempts not to waste
resources, so in theory the distribution of crypted data vs junk in
the results should tilt in favor of crypted data...?

</notacryptoguy>

On Wed, Feb 17, 2010 at 11:19 AM, chris <chricki () gmx net> wrote:
Hi list,

For the purpose of some research, I'd like to check if (or how likely) a
piece of data is encrypted. I'm particularly interested in analyzing
whether network traffic is encrypted. To make things easier: I don't
mind which algorithm and/or key lengths are used, but would just like to
express on a scale from 0% to 100% how likely the data is encrypted.

Some brainstorming led me to the conclusion that measuring the entropy
of data may be a good start. Drawback: there may be false positives,
mostly due to compression.

Any other ideas?

Thanks in advance,
Chris
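
An added example, not part of either message above: a Python sketch of the two steps discussed in this thread, measuring byte entropy and then running high-entropy payloads through a battery of decompressors to weed out compression false positives. The 7.5 bits/byte threshold, the function names and the sample payloads are assumptions constructed for illustration.

```python
import bz2, gzip, hashlib, lzma, math, zlib
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, tune on real captures

# The "battery": well-known decompressors tried on every high-entropy payload.
# On untrusted captures, bound the decompressed size to avoid decompression bombs.
DECODERS = {"zlib": zlib.decompress, "gzip": gzip.decompress,
            "bz2": bz2.decompress, "xz/lzma": lzma.decompress}

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, 0.0 to 8.0 bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(payload: bytes) -> str:
    """Return 'structured', 'compressed:<format>' or 'high-entropy'."""
    if shannon_entropy(payload) < ENTROPY_THRESHOLD:
        return "structured"
    for name, decode in DECODERS.items():
        try:
            decode(payload)
            return f"compressed:{name}"
        except (OSError, EOFError, ValueError, zlib.error, lzma.LZMAError):
            continue  # not this format, try the next decompressor
    # Survived the battery: encrypted data or random noise, entropy cannot tell which.
    return "high-entropy"

def pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for ciphertext: concatenated SHA-256 digests."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

# Constructed sample payloads (already reassembled, as the reply suggests).
TEXT = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n" * 50
CIPHERLIKE = pseudo_random(4096)
COMPRESSED = zlib.compress(CIPHERLIKE.hex().encode())  # hex text, then compressed

if __name__ == "__main__":
    for label, blob in [("text", TEXT), ("compressed", COMPRESSED),
                        ("cipher-like", CIPHERLIKE)]:
        print(f"{label:12s} {shannon_entropy(blob):.2f} bits/byte -> {classify(blob)}")
```

Entropy over short payloads is biased low, so the threshold only makes sense on samples of a few kilobytes or more.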






