2026-03-12 23:41:23 网络安全文章来源：ZONE.CI 全球网 0 阅读模式

文章总结： 该文档是一道商用密码测评实战题，背景为等保三级系统用户数据加密。分析代码发现系统使用SM4算法并手动实现CTR模式，因计数器初值直接复用用户ID导致密钥流碰撞重用。该漏洞允许攻击者利用已知明文推导密钥流，进而解密其他用户敏感信息。题目要求识别算法模式、剖析安全风险并实施具体的解密计算。 综合评分： 85 文章分类： CTF,代码审计,漏洞分析,数据安全

cover_image

【商密测评】分组密码算法的工作模式

利刃信安利刃信安

利刃信安

2026年3月11日 16:49 北京

题目背景

某等保三级信息系统使用服务器密码机加密用户敏感信息，该服务器密码机具有商用密码产品认证证书且密码模块安全等级为二级。

密码应用安全性评估人员查看其用户信息加密存储实现的代码（表1-1）和用户信息存储的数据库文件内容（如表1-2），假定用户ID不超过100万。

表1-1 数据加密核心代码

typedef&nbsp;struct&nbsp;USER_INFO_st
{
&nbsp; &nbsp;&nbsp;char&nbsp;userid[8]; &nbsp; &nbsp; &nbsp;// 用户ID
&nbsp; &nbsp;&nbsp;char&nbsp;username[24]; &nbsp;&nbsp;// 用户名
&nbsp; &nbsp;&nbsp;char&nbsp;phone[16]; &nbsp; &nbsp; &nbsp;// 手机号
&nbsp; &nbsp;&nbsp;char&nbsp;email[32]; &nbsp; &nbsp; &nbsp;// 邮箱
} USER_INFO_st; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;// 总计80字节

typedef&nbsp;struct&nbsp;cipher_ctx_st
{
&nbsp; &nbsp;&nbsp;void&nbsp;*hSession;
&nbsp; &nbsp;&nbsp;void&nbsp;*hKey;
} CIPHER_CTX;

int&nbsp;Encrypt_User_Data(void&nbsp;*hSession,&nbsp;void&nbsp;*hKey,
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;unsigned&nbsp;int&nbsp;userID, &nbsp; &nbsp; &nbsp; &nbsp;// 用户ID（数字）
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;const&nbsp;unsigned&nbsp;char&nbsp;*plaintext,&nbsp;unsigned&nbsp;int&nbsp;plaintextLen,
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;unsigned&nbsp;char&nbsp;*ciphertext,&nbsp;unsigned&nbsp;int&nbsp;*ciphertextLen)
{
&nbsp; &nbsp;&nbsp;unsigned&nbsp;char&nbsp;counter[16] = {0};
&nbsp; &nbsp;&nbsp;unsigned&nbsp;int&nbsp;count = userID; &nbsp; &nbsp; &nbsp; &nbsp;// 计数器初值 = 用户ID
&nbsp; &nbsp;&nbsp;memcpy(counter +&nbsp;12, &count,&nbsp;4);

&nbsp; &nbsp;&nbsp;unsigned&nbsp;int&nbsp;offset =&nbsp;0;
&nbsp; &nbsp;&nbsp;unsigned&nbsp;char&nbsp;keystream[16];
&nbsp; &nbsp;&nbsp;unsigned&nbsp;int&nbsp;keystreamLen;
&nbsp; &nbsp;&nbsp;unsigned&nbsp;int&nbsp;remaining = plaintextLen;

&nbsp; &nbsp;&nbsp;while&nbsp;(remaining >&nbsp;0) {
&nbsp; &nbsp; &nbsp; &nbsp; keystreamLen =&nbsp;sizeof(keystream);
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;int&nbsp;ret = SDF_Encrypt(hSession, hKey,
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;0000000401, &nbsp;// SM4-ECB
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;NULL,
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;counter,
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;16,
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;keystream,
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&keystreamLen);
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(ret != SDR_OK) {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; SDF_DestroyKey(hSession, hKey);
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;ret;
&nbsp; &nbsp; &nbsp; &nbsp; }

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;unsigned&nbsp;int&nbsp;chunk = (remaining <&nbsp;16) ? remaining :&nbsp;16;
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;for&nbsp;(unsigned&nbsp;int&nbsp;i =&nbsp;0; i < chunk; i++) {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ciphertext[offset + i] = plaintext[offset + i] ^ keystream[i];
&nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; count++;
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;memcpy(counter +&nbsp;12, &count,&nbsp;4);
&nbsp; &nbsp; &nbsp; &nbsp; offset += chunk;
&nbsp; &nbsp; &nbsp; &nbsp; remaining -= chunk;
&nbsp; &nbsp; }
&nbsp; &nbsp; *ciphertextLen = offset;
&nbsp; &nbsp; SDF_DestroyKey(hSession, hKey);
&nbsp; &nbsp;&nbsp;return&nbsp;SDR_OK;
}

int&nbsp;Encrypt_and_Store_User(USER_INFO_st *userinfo,&nbsp;int&nbsp;userID, CIPHER_CTX *ctx)&nbsp;{
&nbsp; &nbsp; USER_INFO_st userinfo_ct = {0};
&nbsp; &nbsp; Encrypt_User_Data(ctx->hSession, ctx->hKey,
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; userID,
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; (unsigned&nbsp;char&nbsp;*)userinfo,
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;sizeof(USER_INFO_st),
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; (unsigned&nbsp;char&nbsp;*)&userinfo_ct,
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;sizeof(USER_INFO_st));
&nbsp; &nbsp; Store_User_Data(&userinfo_ct, userID);
&nbsp; &nbsp;&nbsp;return&nbsp;0;
}

表1-2 数据库部分密文

| 用户ID | 密文（十六进制） | | — | — | | 1 | 21A5DAC8797A8B4F1C6C29AA8FAEB1B402986C72775C42FEFA522AD6FB734A9CE9B6131FFE5F8F051FCC735A0D1B9F7D269F61AC5780CCFA7AD52D7F2205316FB96FFF0BF3B1AE2DDC041DB6D1310FAC | | 2 | 32A85C42476C72CC8E3759A28E002FEED8852B2FCE6EBC3D2FFC435A0D1B9F7D76C835F509F18BA63991331C4D68316FCD0A8C7FB3C5CB5EA82A7ED9BC310FACDC0D04CF405837E63C44C0CF6EA44DC2 | | 3 | E8B51B1FFE5E8C0ECA74EABF85987BC2E61EA24C39C0B89F09A1031C4D68316F8858C93BC3839E1DE83C25B6D1310FACB06476AA2E1846971227AFA26EA44DC2F0B417C6C8381FB5C6AAD9DE33A4BAF6 |

表1-3 已知用户明文数据

| 用户ID | userid | username | phone | email | | — | — | — | — | — | | 1 | 00000001 | admin | 13800138000 | [email protected] | | 2 | 00000002 | testuser | 13900139000 | [email protected] | | 3 | ? | ? | ? | ? |

问题

（1）请指出该系统加密所使用的密码算法和算法工作模式；

（2）根据用户信息加密存储实现的代码，指出其存在的密码应用安全风险；

（3）已知用户ID为1和2的明文数据，请计算用户ID为3的完整信息。

免责声明：

本文所载程序、技术方法仅面向合法合规的安全研究与教学场景，旨在提升网络安全防护能力，具有明确的技术研究属性。

任何单位或个人未经授权，将本文内容用于攻击、破坏等非法用途的，由此引发的全部法律责任、民事赔偿及连带责任，均由行为人独立承担，本站不承担任何连带责任。

本站内容均为技术交流与知识分享目的发布，若存在版权侵权或其他异议，请通过邮件联系处理，具体联系方式可点击页面上方的联系我。

本文转载自：利刃信安利刃信安利刃信安《【商密测评】分组密码算法的工作模式》