Sponsor Message:
Non Aviation Forum
My Starred Topics | Profile | New Topic | Forum Index | Help | Search 
Spooks Break Most Internet Crypto, But How?  
User currently offlineRevelation From United States of America, joined Feb 2005, 12970 posts, RR: 25
Posted (1 year 3 months 2 weeks 3 days 8 hours ago) and read 2268 times:

Ars Technica says:

Quote:

As stated recently by Edward Snowden, the former National Security Agency (NSA) contractor who leaked highly classified documents leading to the reports, "Encryption works. Properly implemented strong crypto systems are one of the few things you can rely on." How is it, then, that agents from the NSA and its British counterpart, known as the Government Communications Headquarters (GCHQ), are reportedly able to bypass the crypto protections provided by Internet companies including Google, Facebook, Microsoft, and Yahoo?

The short answer is almost certainly by compromising the software or hardware that implements the encryption or by attacking or influencing the people who hold the shared secrets that form one of the linchpins of any secure cryptographic system. The NYT alludes to these techniques as a combination of "supercomputers, technical trickery, court orders, and behind-the-scenes persuasion." The paper went on to refer to technologies that had been equipped with backdoors or had been deliberately weakened. Snowden put it slightly differently when he said: "Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around" encryption. Exploiting the implementations or the people behind these systems can take many forms. What follows are some of the more plausible scenarios.

It goes on to say the compromises can be done by
* Getting a hardware vendor to ship a subtly flawed random number generator chip
* Getting on to a software standards committee and introducing a subtle flaw that makes it easier to break the standard
* Getting the crypto keys via theft, coercion or court order

So, in short, the math behind encryption works, yet the keys (data) and the implementations (software, hardware) are vulnerable to attack. The NSA has the time and the money to work on all aspects of these things. One thing to keep in mind is that the US government is certainly one of the world's largest purchasers of computers, and thus vendors will always try to do provide implementations that meet the US Federal standards, and the NSA has responsibility to ensure that the US government computers are secure, so they have a big hand in defining these US Federal standards.


Inspiration, move me brightly!
36 replies: All unread, showing first 25:
 
User currently offlineDreadnought From United States of America, joined Feb 2008, 8965 posts, RR: 24
Reply 1, posted (1 year 3 months 2 weeks 3 days 8 hours ago) and read 2253 times:

Quoting Revelation (Thread starter):
It goes on to say the compromises can be done by
* Getting a hardware vendor to ship a subtly flawed random number generator chip
* Getting on to a software standards committee and introducing a subtle flaw that makes it easier to break the standard
* Getting the crypto keys via theft, coercion or court order

You might say that those methods are "cheating" - you have a piece of the password already, or the whole thing.

You left out the most power-intensive method, known simply as Brute Force. If you know that a message is encrypted with a 256-byte encription key, you can use a computer to generate every possible key, and after millions of cycles, eventually you will hit the right one. That's why the NSA buys all these mega-computers.



Veni Vidi Castratavi Illegitimos
User currently offlineKlaus From Germany, joined Jul 2001, 21521 posts, RR: 53
Reply 2, posted (1 year 3 months 2 weeks 3 days 8 hours ago) and read 2229 times:

Quoting Dreadnought (Reply 1):
You left out the most power-intensive method, known simply as Brute Force. If you know that a message is encrypted with a 256-byte encription key, you can use a computer to generate every possible key, and after millions of cycles, eventually you will hit the right one. That's why the NSA buys all these mega-computers.

That works only with weak encryption (meaning outdated or compromised methods nobody should use any more anyway) or with good encrption but weak passwords or keys.

It is a myth perpetuated by lazy writers particularly for movies and TV that "you can break every encryption if you really want to". The inevitable "genius hacker" bypassing absolutely any possible "firewalls" and all kinds of other real or imaginary security measures in real time without breaking a sweat is an utterly ridiculous fiction – it just looks good in a movie or a TV show and saves lazy writes the hassle of actually dealing with the real complexity of the issue.

This myth is just not actually true as far as we know at this point – good encryption with good keys / passwords is practically unbreakable for longer than an attacker would plausibly maintain their interest in the data (which of course means that critical state secrets would need even stronger encryption than – for instance – my personal contact list). And, of course, today's proper encryption standards already take near-to-medium-range performance increases in cracking equipment into account.

Encryption algorithms are deliberately made more complex and thus slower to execute so cracking will be slowed down as well to become unfeasible with good keys being used, but normal use of the encryption is not too much of a burden. This is a known relationship which is constantly re-calibrated as computing performance increases.

But the main thing is this: Overall the principles of encryption still work – if they are applied properly. Which is possible, if sometimes complicated.

What is problematic is low-grade encryption like SSL as used on web sites in particular. It is attackable on several fronts, and it is very likely that the NSA has breached more than one of these already. It gets even worse, of course, when criminals and other spy agencies start to exploit the same weaknesses deliberately introduced by the NSA. Which is highly likely, and which is one of the reasons why this tactic is so odious – and ultimately self-defeating (except of course to underscore the perpetual clamouring of NSA and the others for even higher funding and even greater leeway in deliberately breaking all kinds of laws and treaties – that will of course continue to work, at least until a sufficient number of people start waking up).


User currently offlineRevelation From United States of America, joined Feb 2005, 12970 posts, RR: 25
Reply 3, posted (1 year 3 months 2 weeks 3 days 7 hours ago) and read 2203 times:

Quoting Klaus (Reply 2):
This myth is just not actually true as far as we know at this point – good encryption with good keys / passwords is practically unbreakable for longer than an attacker would plausibly maintain their interest in the data (which of course means that critical state secrets would need even stronger encryption than – for instance – my personal contact list). And, of course, today's proper encryption standards already take near-to-medium-range performance increases in cracking equipment into account.

Agreed, but will add that the article is hinting that due to flaws inserted by the NSA into either the implementation of the algorithms or the random number generators that provide input to the algorithms that they do not have to check as many possibilities as the authors of the algorithms presumed they would.

Add to that the supercomputers (which probably are farms of GPUs, custom DSP chips and/or ASICs) and you can knock off a few orders of magnitudes on the estimate of what it takes to block it.

We do/should note that US software vendors have had to have separate versions of it software for non-US use due to the fact that the US government has treated cryptography as a munition for a long time now.



Inspiration, move me brightly!
User currently offlineAesma From Reunion, joined Nov 2009, 6961 posts, RR: 12
Reply 4, posted (1 year 3 months 2 weeks 3 days 7 hours ago) and read 2191 times:

I use TrueCrypt. It doesn't use any specific hardware and is not made by any company that can be bribed or coerced. My password is long and complicated, and I use keyfiles on top, meaning I know how to create my password but I don't know my password per se.

With a computer farm, it's breakable, the idea is to attack the encryption keys though, not the password. Even with lots of money put into it, it would still take some years, so I'm not too worried as I'm not that important.



New Technology is the name we give to stuff that doesn't work yet. Douglas Adams
User currently offlineblueflyer From Northern Mariana Islands, joined Jan 2006, 4190 posts, RR: 2
Reply 5, posted (1 year 3 months 2 weeks 3 days 7 hours ago) and read 2182 times:
Support Airliners.net - become a First Class Member!

Here is what Bruce Schneier has to say for those wishing to stay a step ahead of the NSA.
http://www.theguardian.com/world/201...-how-to-remain-secure-surveillance

He does mention TrueCrypt and I have used it on occasions, mostly because I find it easier to use than PGP, but while I do not think any government agency should have easy access to private data, I am not concerned enough to spend a lot of efforts on NSA avoidance...

What I am wondering is if as alleged elsewhere, at least one American manufacturer has agreed to delay shipping an order of network gears to a foreign government to let the NSA install a backdoor, what will happen to the overseas sales of the likes of Cisco and Juniper? Might we see a jump in sales for competitors like Samsung, Nokia, Ericsson and, ironically, Huawei?



I've got $h*t to do
User currently offlineKlaus From Germany, joined Jul 2001, 21521 posts, RR: 53
Reply 6, posted (1 year 3 months 2 weeks 3 days 5 hours ago) and read 2118 times:

Quoting Revelation (Reply 3):
Agreed, but will add that the article is hinting that due to flaws inserted by the NSA into either the implementation of the algorithms or the random number generators that provide input to the algorithms that they do not have to check as many possibilities as the authors of the algorithms presumed they would.

That is indeed a concern.

Quoting Revelation (Reply 3):
Add to that the supercomputers (which probably are farms of GPUs, custom DSP chips and/or ASICs) and you can knock off a few orders of magnitudes on the estimate of what it takes to block it.

These are already factored in to the design of currently recommended encryption methods which are considered to be solid.

Quoting Aesma (Reply 4):
I use TrueCrypt. It doesn't use any specific hardware and is not made by any company that can be bribed or coerced.

The NSA is apparently also contaminating Open Source software by providing "accidentally" sub-par source code contributions via straw men which often take a long time before being thrown out or fixed.

Quoting blueflyer (Reply 5):
What I am wondering is if as alleged elsewhere, at least one American manufacturer has agreed to delay shipping an order of network gears to a foreign government to let the NSA install a backdoor, what will happen to the overseas sales of the likes of Cisco and Juniper? Might we see a jump in sales for competitors like Samsung, Nokia, Ericsson and, ironically, Huawei?

US-based cloud service providers are apparently already seeing a substantial dip in foreign interest. And there are voices in the EU Parliament to void the data sharing treaty with the US in light of recent events (yes!).

And since Microsoft (first), Google (later) and Apple (last) all seem to be subjected to NSA intrusion by now (according to documents produced by Snowden), such features like the fingerprint scanner in the new iPhone inherently raise the question whether the NSA would actually assent to this particularly juicy bit of information remaining untappable by them.

This is like a vampire in a blood bank – would you really trust the blood reserves to him? Or to the increasingly anemic-looking employee who was forcibly compelled to let him in there in the first place...?

I wouldn't. And correspondingly that fingerprint sensor is at least for now a strong incentive not to upgrade my iPhone to the new model, at the very least until the firmware is thoroughly vetted by independent researchers, if ever.

Having the NSA parasite sitting right within a manufacturer with effectively unchecked secret controlling power inherently excludes trust which otherwise might exist in light of objective and plausible self-interest of the host -– pardon: the company – on its own.

This inherent loss of trust is one of the consequences of subverting a company for spying purposes by a government agency. At a massive loss to the company, and with not even so much as a shrug from the controlling entity. Disgusting.   


User currently offlineBMI727 From United States of America, joined Feb 2009, 15839 posts, RR: 27
Reply 7, posted (1 year 3 months 2 weeks 3 days 2 hours ago) and read 2073 times:

Quoting Revelation (Thread starter):
So, in short, the math behind encryption works, yet the keys (data) and the implementations (software, hardware) are vulnerable to attack.

That's true of all information security. Eventually you always need a person to say "no" or think twice about plugging in this or downloading that. All the passwords and encryption in the world is just a means of trying to control who those people are, but even that is far from foolproof.

Quoting Dreadnought (Reply 1):
You left out the most power-intensive method, known simply as Brute Force. If you know that a message is encrypted with a 256-byte encription key, you can use a computer to generate every possible key, and after millions of cycles, eventually you will hit the right one. That's why the NSA buys all these mega-computers.

Some serious encryption will take literally until the end of the universe to be cracked that way. For weak encryption, it's still an option.



Why do Aerospace Engineering students have to turn things in on time?
User currently offlinePhilBy From France, joined Aug 2013, 673 posts, RR: 1
Reply 8, posted (1 year 3 months 2 weeks 2 days 21 hours ago) and read 2019 times:

Quoting Aesma (Reply 4):
We do/should note that US software vendors have had to have separate versions of it software for non-US use due to the fact that the US government has treated cryptography as a munition for a long time now.

Some non-US software has caveats stating the the encryption algorythms used are illegal for use in the US. Presumably they haven't given the keys away yet.

Quoting Klaus (Reply 6):
US-based cloud service providers are apparently already seeing a substantial dip in foreign interest.

We are advised when travelling to the US to make sure that there is an absolute minimum of data on USB keys, laptops etc. as US customs are allowed to take copies of any electronic data passing the borders 'to ensure that it does not infringe any regulations'. Some companies now keep a pool of 'clean' laptops that are re-imaged between uses for people to take when travelling.

This crossing the border also applies to electromic travel and it is for this reason that use of cloud systems based in the US is thoroughly not-recommended.


User currently offlinecomorin From United States of America, joined May 2005, 4903 posts, RR: 16
Reply 9, posted (1 year 3 months 2 weeks 2 days 14 hours ago) and read 1948 times:

Forget CPU farms. Quantum computing reduces Big O from super-polynomial to polynomial time. D-Wave is around the corner.

p.s. I am taking a course on Quantum Computing and felt the need to show off. Back to my mid-term...   


User currently offlineflyingturtle From Switzerland, joined Oct 2011, 2581 posts, RR: 14
Reply 10, posted (1 year 3 months 2 weeks 2 days 14 hours ago) and read 1937 times:

Quoting Revelation (Thread starter):
* Getting a hardware vendor to ship a subtly flawed random number generator chip
* Getting on to a software standards committee and introducing a subtle flaw that makes it easier to break the standard
* Getting the crypto keys via theft, coercion or court order

It's easier. There are certifying authorities, and every SSL key comes with a certificate. And you can buy such ones quite easily, because... they make good money selling these certificates. This is already one hole. One could use a certificate that is owned by Microsoft, and thus forge a Microsoft Windows software update server.

And the NSA might interfere with the software implementations of well-known and proven secure algorithms. Cryptography relies on generating random numbers, and one might bribe a company into selling software that does not have strong PRNGs. Short of physically measuring processes that are truly random (like atomic decay), one has to rely on pseudo-random number generators, PRNGs. And if somebody works sloppy - or is paid to work sloppy - there's a PRNG with more P than R. And presto, cracking the encrypted data gets from "impossible" to "very difficult".


David



Keeping calm is terrorism against those who want to live in fear.
User currently offlineRevelation From United States of America, joined Feb 2005, 12970 posts, RR: 25
Reply 11, posted (1 year 3 months 2 weeks 2 days 13 hours ago) and read 1929 times:

Quoting Klaus (Reply 6):
Quoting Revelation (Reply 3):
Add to that the supercomputers (which probably are farms of GPUs, custom DSP chips and/or ASICs) and you can knock off a few orders of magnitudes on the estimate of what it takes to block it.

These are already factored in to the design of currently recommended encryption methods which are considered to be solid.

You can only factor in that which you know about.

For instance when I worked at DEC in the 90s there was a rumour that we added instructions to the Alpha CPU because the NSA requested them. I kind of doubt the researchers of the time knew that.

Quoting Klaus (Reply 6):
Quoting Aesma (Reply 4):
I use TrueCrypt. It doesn't use any specific hardware and is not made by any company that can be bribed or coerced.

The NSA is apparently also contaminating Open Source software by providing "accidentally" sub-par source code contributions via straw men which often take a long time before being thrown out or fixed.

That is quite believable. One of my collegues works with OpenSSL and finds bugs in it all the time, It would not be hard to add even more flaws to it.

Quoting Klaus (Reply 6):
This is like a vampire in a blood bank – would you really trust the blood reserves to him? Or to the increasingly anemic-looking employee who was forcibly compelled to let him in there in the first place...?

The reality is that getting this stuff right is hard. The number of people who can implement the algorithms without flaws or detect flaws in other's implementations are small.

Quoting flyingturtle (Reply 10):
It's easier. There are certifying authorities, and every SSL key comes with a certificate. And you can buy such ones quite easily, because... they make good money selling these certificates. This is already one hole. One could use a certificate that is owned by Microsoft, and thus forge a Microsoft Windows software update server.

Yes, that was in the article, and you described it better than the article did. Those of us who watch the Windows updates fly by see the 'Root Certificate' update fly by all the time, and have no personal knowledge of any of the firms that Microsoft adds to the update.

Quoting flyingturtle (Reply 10):
And the NSA might interfere with the software implementations of well-known and proven secure algorithms. Cryptography relies on generating random numbers, and one might bribe a company into selling software that does not have strong PRNGs. Short of physically measuring processes that are truly random (like atomic decay), one has to rely on pseudo-random number generators, PRNGs. And if somebody works sloppy - or is paid to work sloppy - there's a PRNG with more P than R. And presto, cracking the encrypted data gets from "impossible" to "very difficult".

Bad random number generators have been mentioned. Another thing being mentioned is the class of eliptical curve algorithms. They depend on constants, and if these constants are flawed (intentionally or otherwise) then the encryption is flawed.

Quoting PhilBy (Reply 8):
This crossing the border also applies to electromic travel and it is for this reason that use of cloud systems based in the US is thoroughly not-recommended.

IMHO the NSA is destroying e-commerce world wide. They aren't even subtle about it. They have gone after US vendors who provide encrypted email services. All that will do is create a great business for off-shore vendors.



Inspiration, move me brightly!
User currently offlineNorthStarDC4M From Canada, joined Apr 2000, 3077 posts, RR: 36
Reply 12, posted (1 year 3 months 2 weeks 2 days 13 hours ago) and read 1910 times:
AIRLINERS.NET CREW
CHAT OPERATOR

I won't wade into this too much except to say this:

If a group like the TSA with all the assets at their disposal really wants to read your data, they will find a way to do it.



Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety.
User currently offlineRevelation From United States of America, joined Feb 2005, 12970 posts, RR: 25
Reply 13, posted (1 year 3 months 2 weeks 2 days 12 hours ago) and read 1884 times:

Quoting NorthStarDC4M (Reply 12):
If a group like the TSA with all the assets at their disposal really wants to read your data, they will find a way to do it.

Sure, but in the end, we're the ones paying their salaries.

It's our reps who almost voted to defund the PRISM program a few weeks ago.

It's also our reps who will be voting in a few years to extend the Patriot Act.

I suspect these activities will get a LOT more scrutiny going forward.



Inspiration, move me brightly!
User currently offlinefrancoflier From France, joined Oct 2001, 3848 posts, RR: 11
Reply 14, posted (1 year 3 months 2 weeks 2 days 11 hours ago) and read 1875 times:

I have little technical knowledge when it comes to encryption or data privacy security, but reading this thread sends chills down my spine.

There is a government institution that will go length to forcibly obtain data from just about anything or anybody in the world, yet few people seem to be bothered by it at all.

I think I read a book like that once.

At least, the whole thing might encourage entities, mostly businesses, foreign governments and their institutions, to beef up their electronic data protection.



Looks like I picked the wrong week to quit posting...
User currently offlineNoWorries From United States of America, joined Oct 2006, 539 posts, RR: 1
Reply 15, posted (1 year 3 months 2 weeks 2 days 11 hours ago) and read 1859 times:

Quoting comorin (Reply 9):
Forget CPU farms. Quantum computing reduces Big O from super-polynomial to polynomial time. D-Wave is around the corner.

Intriguing to think that some massive government "Manhattan Project" has already enabled quantum computing far beyond any fledgling commercial capabilities. Could be that some properly implemented algorithms are already "unsafe" from prying government eyes. The only ones that would be safe would be the ones for which there is no known quantum algorithm that can "crack" it. Only quantum encryption can absolutely detect eavesdropping.


User currently offlineKlaus From Germany, joined Jul 2001, 21521 posts, RR: 53
Reply 16, posted (1 year 3 months 2 weeks 2 days 9 hours ago) and read 1819 times:

Quoting Revelation (Reply 11):
You can only factor in that which you know about.

You can factor in plausible developments, and that is not too hard with some insight into technology in development and research. Sometimes older encryptions lose their strength earlier than expected, sometimes they hold for longer.

Quoting NorthStarDC4M (Reply 12):
I won't wade into this too much except to say this:

If a group like the TSA with all the assets at their disposal really wants to read your data, they will find a way to do it.

As I've said above: That is a myth perpetrated by bad TV and movie writers first and foremost, but simply not true.

Good encryption with strong passwords works. It just needs to be selected and needs to be used – that is the main issue, which is in fact not trivial.

Quoting francoflier (Reply 14):
There is a government institution that will go length to forcibly obtain data from just about anything or anybody in the world, yet few people seem to be bothered by it at all.

It's a pretty big ongoing topic over here.


User currently offlineNorthStarDC4M From Canada, joined Apr 2000, 3077 posts, RR: 36
Reply 17, posted (1 year 3 months 2 weeks 2 days 6 hours ago) and read 1796 times:
AIRLINERS.NET CREW
CHAT OPERATOR

Quoting Klaus (Reply 16):
As I've said above: That is a myth perpetrated by bad TV and movie writers first and foremost, but simply not true.

Good encryption with strong passwords works. It just needs to be selected and needs to be used – that is the main issue, which is in fact not trivial.

Klaus I'm afraid it is true... just stop thinking purely of the technical issue, human factors can also be used to get in.



Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety.
User currently offlinecmf From , joined Dec 1969, posts, RR:
Reply 18, posted (1 year 3 months 2 weeks 2 days 5 hours ago) and read 1785 times:

Quoting Klaus (Reply 16):
Good encryption with strong passwords works. It just needs to be selected and needs to be used – that is the main issue, which is in fact not trivial.

How do you define strong password?


User currently offlineflyingturtle From Switzerland, joined Oct 2011, 2581 posts, RR: 14
Reply 19, posted (1 year 3 months 2 weeks 2 days 5 hours ago) and read 1778 times:

Quoting cmf (Reply 18):
How do you define strong password?



As randomly and non-predictable as possible, choose a password from a huge set of possible passwords.

The following XKCD cartoon is not a joke.

http://xkcd.com/936/

(It works. We have 36 letters and numbers, thus a 20 characters long password has an entropy of 103.4 bits because there are 36^10 = 2^103.4 possible passwords.

Webster's dictionary has 475'000 entries, and so a six-word "password" like boeingbananaarctictroublesupersteak has an entropy of 113.1 bits, because of 475000^6 = 2^113.1 possible passwords.)

Becaues a function like the SHA-512 algorithm actually gives you the password that is directly used in decryption, at every guess the brute force attacker has to calculate that hash value first. This takes time. Even if a computer could try 100'000 passwords per second, it would take more than trillions of years to brute-force them - if the technology remains at the current state.



David

Edit: Corrected some numbers, and I hope it's right now...

[Edited 2013-09-11 15:19:23]


Keeping calm is terrorism against those who want to live in fear.
User currently offlineKlaus From Germany, joined Jul 2001, 21521 posts, RR: 53
Reply 20, posted (1 year 3 months 2 weeks 2 days 3 hours ago) and read 1759 times:

Quoting NorthStarDC4M (Reply 17):
Klaus I'm afraid it is true... just stop thinking purely of the technical issue, human factors can also be used to get in.

Human factors inherently defeat any "always" claim...!   

And no, the NSA can't get everything. This is also another just myth by itself.

They can't break everything, as much as they'd want. Of course one of the factors in this is the effort they can afford to invest, but some encrypted data is most likely impenetrable even to them, even if they wanted to get it.

They are utterly out of control and effectively free from legal or funding restraints – but their biggest (if worst-kept) secret is that their actually useful output is comparably pitiful in view of the gigantic effort and the damage they're doing themselves.


User currently offlinecomorin From United States of America, joined May 2005, 4903 posts, RR: 16
Reply 21, posted (1 year 3 months 2 weeks 2 days ago) and read 1728 times:

Quoting NoWorries (Reply 15):
Intriguing to think that some massive government "Manhattan Project" has already enabled quantum computing far beyond any fledgling commercial capabilities. Could be that some properly implemented algorithms are already "unsafe" from prying government eyes. The only ones that would be safe would be the ones for which there is no known quantum algorithm that can "crack" it. Only quantum encryption can absolutely detect eavesdropping.

Good to see you posting   

It really is amazing what quantum computers are capable of doing - from purer strings of random numbers, to superfast execution of algorithms. Most definitely, there must be a Manhattan Project of sorts going on for this.


User currently offlineRevelation From United States of America, joined Feb 2005, 12970 posts, RR: 25
Reply 22, posted (1 year 3 months 2 weeks 1 day 14 hours ago) and read 1668 times:

Quoting Klaus (Reply 16):
Quoting Revelation (Reply 11):
You can only factor in that which you know about.

You can factor in plausible developments, and that is not too hard with some insight into technology in development and research. Sometimes older encryptions lose their strength earlier than expected, sometimes they hold for longer.


Sure, but then you can never know if you are correct or not - you're just estimating based on what you think is plausible.

Quoting flyingturtle (Reply 19):
(It works. We have 36 letters and numbers, thus a 20 characters long password has an entropy of 103.4 bits because there are 36^10 = 2^103.4 possible passwords.

Webster's dictionary has 475'000 entries, and so a six-word "password" like boeingbananaarctictroublesupersteak has an entropy of 113.1 bits, because of 475000^6 = 2^113.1 possible passwords.)

The idea is correct, but many sites limit the length of passwords to something around 8-12 characters.

I too marvel at sites that tell you the rules that your password must follow - all it does is reduce the search space for the crackers!

Quoting Klaus (Reply 20):
And no, the NSA can't get everything.

They've got the People's Liberation Army to catch the rest!

Isn't it ironic how a few months ago we had a burst of outrage about the PLA breaking into web sites?  

The emperor has no clothes!

Quoting Klaus (Reply 20):
They are utterly out of control and effectively free from legal or funding restraints – but their biggest (if worst-kept) secret is that their actually useful output is comparably pitiful in view of the gigantic effort and the damage they're doing themselves.

And the damage they're doing to the e-commerce ecosystem...

Quoting comorin (Reply 21):
Most definitely, there must be a Manhattan Project of sorts going on for this.

No offense, friend, but IMHO that's a mis-credit to the Manhattan Project. The Manhattan Project was as big as the automotive industry and came together in an amazingly short period of time. They put major efforts into pretty much any feasible way of enriching uranium or separating plutonium (gaseous diffusion, thermal liquid diffusion, electromechanical separation, breeding reactors, etc) with very little idea of which ones would pan out, and when any given technique showed promise they just massively replicated it regardless of cost. They went from scribbles on a blackboard to two different working weapons designs (Fat Man, Little Boy) and the basis of the thermonuclear bomb (the Super) in around four years, not to mention applications for power generation too.

I keep hoping for a 'Manhattan Project' for power generation via fusion but what we are doing is quite lame in comparison to the Manhattan Project.

If you step back and think about it, the Manhattan Project accomplished more and changed our world more (for both good and bad) in a shorter period of time than did Apollo or any other technological program ever.

The only thing I see being so transformative is the Internet/Web, but it's happening over a much longer period of time.



Inspiration, move me brightly!
User currently offlineKlaus From Germany, joined Jul 2001, 21521 posts, RR: 53
Reply 23, posted (1 year 3 months 2 weeks 1 day 9 hours ago) and read 1627 times:

Quoting Revelation (Reply 22):
Sure, but then you can never know if you are correct or not - you're just estimating based on what you think is plausible.

Sure, but with sufficient headroom it usually still works out. Having a cracker initially needing a million years to crack an encryption may seem excessive, but when after 10 years that is degraded to "just" a hundred years even any files caught earlier would still effectively be unfeasible to crack; And when they're finally in reach their significance would basically just be historical, while you've switched to further upgraded encryptions in the meantime.

At least that's how it's supposed to work.
 

Quoting Revelation (Reply 22):
The idea is correct, but many sites limit the length of passwords to something around 8-12 characters.

I too marvel at sites that tell you the rules that your password must follow - all it does is reduce the search space for the crackers!

Yeah. Those kinds of "passwords" don't deserve the name. In such cases you'll have to expect them to be stored in clear text in some unguarded data base anyway since there is obviously zero security-oriented thinking at work (or zero competence). It's usually best not to bother with such sites in the first place.

Quoting Revelation (Reply 22):
They've got the People's Liberation Army to catch the rest!

Conveniently, it is practically certain that the chinese agencies simply tap the NSA from within with their internal safeguards as laughably bad as Snowden exposed them to be. How many moles hadn't gone to the press before Snowden but to the highest bidder instead?

Why should the chinese even bother to spy on the west themselves when the NSA does it for them anyway?   

Files under "self-defeating"...!

Quoting Revelation (Reply 22):
Isn't it ironic how a few months ago we had a burst of outrage about the PLA breaking into web sites?  

The emperor has no clothes!

Psst...! You're not supposed to actually acknowledge that!

Quoting Revelation (Reply 22):
And the damage they're doing to the e-commerce ecosystem...

Yeah, that is one big part of the damage.


User currently offlineDeltaMD90 From United States of America, joined Apr 2008, 7982 posts, RR: 51
Reply 24, posted (1 year 3 months 2 weeks 1 day 9 hours ago) and read 1619 times:

Quoting Revelation (Reply 22):
Quoting Klaus (Reply 16):
Quoting Revelation (Reply 11):
You can only factor in that which you know about.

You can factor in plausible developments, and that is not too hard with some insight into technology in development and research. Sometimes older encryptions lose their strength earlier than expected, sometimes they hold for longer.


Sure, but then you can never know if you are correct or not - you're just estimating based on what you think is plausible.

Well, while there is no proof, we have a pretty good idea of what it would need to take to be able to crack some of these encryptions. There could be some super secret products but I think they'd need to be many many years ahead of anything else we've seen so far. If they had this technology, I think we'd see the same technology spread to other areas of the government. So who knows, I don't know too much about it but I agree with Klaus... we watch too much TV and we get the impression that a good hacker can get past anything, any case can be solved, etc. Reality is much more interesting IMO, there are ways to keep data secret, and the secret organizations like the NSA often come up with unique ways of getting data that we've never thought of before

Quoting comorin (Reply 9):
p.s. I am taking a course on Quantum Computing and felt the need to show off. Back to my mid-term...   

Start a thread on that some time! I'm interested in quantum computing but I can't understand it, and I consider myself pretty smart when it comes to math and science



Ironically I have never flown a Delta MD-90 :)
25 Revelation : I'm reading "The Making of the Atomic Bomb: 25th Anniversary Edition"by Richard Rhodes (in fact, re-reading it since I bought the original version 25
26 NoWorries : The main idea to keep in mind is that it's computation not based on Newtonian mechanics -- it exploits two phenomenon that only manifest themselves i
27 Revelation : I might have called Babbidge's machine 'Newtonian', but having taken an entire one course on solid state physics and dealt with potential wells and S
28 Aesma : From some wikipedia pages I've read since the other post (tough read, most really difficult to grasp) I get the idea that most scientists are not conv
29 Klaus : They were commenting on poorly-understood physics, not on well-understood math. The enigma was created before cryptography was really conducted scien
30 Post contains links flyingturtle : Hmm, does Landauer's principle also apply to quantum computing? (See "Theoretical limits" here: http://en.wikipedia.org/wiki/Brute-force_attack#Theore
31 NoWorries : Newton, Maxwell, Turing, Von Neuman, etc., all emphasize the single-state notion -- that a 'classical' system is in but one state at a time -- quantu
32 NoWorries : My limited understanding is that it does not. It looks like a proposition based on classical physics. Quantum algorithms can, in a limited sense, be
33 Revelation : Thanks - your post clears up a lot for me!
34 Flighty : No it's not. I would argue it takes a "genius hacker" to actually use encryption properly. If your PC configuration has even 1 user side vulnerabilit
35 Aesma : Well it's true that practical implementation must be considered, and that's the problem huge organizations (public or private) have : they want data t
36 Klaus : Yes, it is. This is not how it works in real life. Not true. It is not extraordinarily complicated to use encryption properly. It's mostly about gett
Top Of Page
Forum Index

This topic is archived and can not be replied to any more.

Printer friendly format

Similar topics:More similar topics...
Neat Trick... But How Does It Work? posted Wed Jul 7 2004 15:38:03 by Yhmfan
Nice But How Do You Do It?! posted Sun Jun 27 2004 05:28:07 by Schweizair
Report: Most Muslims Want Sharia Law..But... posted Wed May 1 2013 06:44:10 by PHX787
How Is Internet Explorer 10? posted Fri Mar 8 2013 15:27:39 by dragon-wings
How Is Internet Explorer 8? posted Tue May 5 2009 22:15:57 by Dragon-wings
Reinstalled Win XP But Now Internet Won't Work? posted Tue Mar 24 2009 16:52:32 by Mirrodie
I Know The Internet Is Wacky But This Is Too Weird posted Sun Jan 6 2008 17:26:33 by Mirrodie
How Fast Is Your Internet Connection? posted Fri Nov 9 2007 10:18:30 by F.pier
How Great Is Prison Break! posted Sun Oct 22 2006 22:41:51 by Chris1976LBA
How To Break The Ice In A Conversation posted Wed Apr 26 2006 02:57:39 by Runway23