A unified evaluation framework for cryptographic algorithm identification tools in IoT firmware

Yi-Fei LI, Xiao-Yang ZHOU, Jie-Wei DU, Cheng-Yu HU, Jin SHI, Shan-Qing GUO

Front. Comput. Sci. ›› 2026, Vol. 20 ›› Issue (10) : 2010810 DOI: 10.1007/s11704-025-50357-5
Information Security
RESEARCH ARTICLE

Abstract

The rapid growth of Internet of Things (IoT) devices has increased security risks due to cryptographic misuse in firmware, including vulnerable algorithms and misconfigurations. Accurate identification of cryptographic algorithms in firmware is fundamental to firmware analysis, but existing tools, usually designed for the x86 platform, struggle with IoT-specific architectures, file formats, and instruction sets. There is currently no unified and scalable evaluation framework and no standard dataset. In addition, several challenges remain to be addressed: unverified tool applicability, unexplored impacts of instruction sets and compilation optimizations, and insufficient empirical data on cryptographic implementations. To this end, this study proposes a modular framework for evaluating cryptographic algorithm identification in IoT firmware. The framework supports plug-and-play integration of tools via standardized interfaces, a three-dimensional evaluation metric (algorithm types, function counts, constant quantities), and a standardized test dataset covering seven cryptographic libraries, six instruction set architectures, and four compilation optimization levels. Through four experimental studies (tool performance comparison, compilation optimization impact analysis, architecture difference evaluation, and an investigation of cryptographic usage in real-world firmware), the study demonstrates that constant-based identification techniques achieve optimal performance in IoT scenarios, and it reveals the mechanisms by which instruction set architectures and compilation optimizations affect identification effectiveness. It also provides methodological guidance and an empirical data foundation for future studies of cryptographic algorithm identification in IoT firmware.

Keywords

IoT firmware / cryptographic misuse / static analysis / cryptographic algorithm identification

Cite this article

Yi-Fei LI, Xiao-Yang ZHOU, Jie-Wei DU, Cheng-Yu HU, Jin SHI, Shan-Qing GUO. A unified evaluation framework for cryptographic algorithm identification tools in IoT firmware. Front. Comput. Sci., 2026, 20(10): 2010810 DOI:10.1007/s11704-025-50357-5

RIGHTS & PERMISSIONS

Higher Education Press
