0

I have a requirement to identify if the data is encrypted or not. The data is a field that will be in Json format. I found another question hear at

How to identify Encryption algorithm for data coming in field/attribute values of an xml

But this for identifying the kind of encryption technique and its from 2014 don't know if that is still valid.

Another thing I just want make sure that the field is encrypted don't want to identify the encryption technique.

Anoop
  • 9
  • 1
  • 2
  • 1
    Read the second answer in your linked question. If the encryption algorithm leaves a fingerprint, you can check IF the data is encrypted by finding out what algorithm is used. That being said, you can probably never know for sure, if a portion of data is encrypted if you don't know, what algorithm might have been used. – Tom K. Sep 07 '17 at 16:29
  • This might also be helpful: https://security.stackexchange.com/questions/3989/how-to-determine-what-type-of-encoding-encryption-has-been-used – Tom K. Sep 07 '17 at 16:31
  • As I mentioned in my question I read the solution but my concern is that the answer is from 2014 and in 3 years the fingerprint could have changed a new version has come and so on. – Anoop Sep 07 '17 at 16:34
  • A new version of what? A version would imply some type of software which isn't mentioned here. Fingerprints also depend on the software that's used. Do you have something in mind? – RoraΖ Sep 07 '17 at 16:45
  • Tom thanks for the 2nd link. It has more information But I have not read the full chain yet. Will read the full chain and then come back with my comments – Anoop Sep 07 '17 at 16:55
  • RoraZ I was referring to any changes in the algorithm and may be if that could change the finger print. – Anoop Sep 07 '17 at 16:56
  • 1
    Can you provide a little more information? Why do you need to know if it's encrypted (this may help us determine a shortcut)? Do you have access to the plaintext? Do you know how it will be encrypted and whether it is possibly hashed (hashes and encryption are slightly different)? – Cody P Sep 07 '17 at 17:44
  • usually, hashed/encypted values are shipped in base64 or hex-encoded strings, so a RegEx looking for non-wordy chars should be fairly reliable, depending on the competing plaintext. – dandavis Sep 07 '17 at 18:50

3 Answers3

5

Depending on what types of data you're expecting, you could try looking at the entropy (randomness) of the data. Properly encrypted data should be pretty much indistinguishable from random noise, and will have a much higher entropy than any kind of structured data.

Shannon entropy is a common way of determining the level of "randomness" of strings - you can find plenty of example code in various languages.

There are some other kinds of data that will also have very high entropy (images, compressed data, etc), but you can probably check for these looking at the signatures/magic bytes.

Not foolproof, but might give you a good starting point.

rbsec
  • 81
  • 1
  • 3
  • interestingly, some military-grade encryption schemes does not increase entropy, like rot13 (used by the Roman military around 60BC) – user1067003 Jul 31 '20 at 14:14
1

Unless you are in the business of performing penetration test/Security auditing, then you will run a set of hash decoding tools to see whether the data is encoded. Dictionary check is the first phase, which secondary phase is running hash decoder to decode popular hash such as Base64, ROT, 7bit encoding ; or using simple XOR/NOR bit(from +1 bits and up) switching obfuscation.
Then you need to run a filter to check the data format and hope it will match some sort of file pattern.

However, it is impossible to check what the exact encryption mechanism for file that encrypt using strong PKI.

mootmoot
  • 2,387
  • 10
  • 16
0

You could perfom some tests with different data to check for example if the string obtained has always the same length or not. If it is always the same that data is probably being hashed and not encrypted (i.e.: AES). Another possibility is that is just encoded for example in Base64, Hex, etc (here the length will not be fixed either). For these encoding checks I like this web that provides several encoders at the same time so it eases testing: http://www.asciitohex.com/

Even though you are not interested in the type of encryption, there is a useful tool that may help you to identify the hash algorithm (if this applies!) used and thus determine that it is encrpyted (hashed in this case): http://psypanda.github.io/hashID/

Simply run it against your code and it will check for patterns, lenght, special characters and other marks that may give a hint about the type of hash algorith used.

b0rt
  • 335
  • 1
  • 4