So why haven't hackers cracked IE's 128bit encryption yet?
- Thread starter JEDI
- Start date
I think this is the key. It is possible to brute-force crack 128bit encryption, it just takes a very long time (even on modern hardware).
Also there is a lot more to it than just the number of bits used for the key. Like what encryption algorythm is used, etc.
There is enough computing resources, definately. But it's not something that is going to be worth it.. you'd have to have a fairly substantial cluster or supercomputer to be sure that it gets done within a year or so. (I am guessing, don't know the specifics)
(think governments.. NSA type stuff. Depending on the encryption it's actually been done before)
However it's generally easier if your going to attack a person using encryption to hide infromation to go about it a different way.
You could install spyware, or a keylogger. You could call them and try some 'social engineering' to convince them you work for their bank and get information that way. You could exploit a vunarabilities in the server they connect to and simply take the information want that way. You can pose as a janitor and simply walk into the computer room and walk out with a harddrive, backup media, or cd/flashrom copy of the information you want. You could use forged certificites and a hacked DNS server to have a target log into YOUR encryption-protected server and relay the persons inputs into the real server and obtain account information that way. Often online programs will use encryption for protection, but use the encryption in such a way that it's vunerable.. maybe let people obtain sensitive information before the encryption kick in. You can do some research on the target and simply guess at the passwords/keyphrases.
Those are just things that pop into my head right now.
So many ways to thwart security that it makes encryption irrelevent. Brute force would be the most expensive, difficult, and time consuming way aviable. So right now there is no real point at breaking the encryption when you have much easier ways aviable. If security gets to the point were brute force attack would be easier, then you'd see it broken fairly quickly. Especially since computers increase in proccessing capacity by leaps and bounds.
While on that topic (drag) the other end is also equally responsible for data security. It doesnt matter how secure the transport is if on the other end the server storing your credit card information has been compromised...
(I think billions was the figure I first heard when 128bit was first starting to get used, and it was based on cracking it from a single computer)
I could be wrong, but I was under the impression that with a decent sized DC group it would be possible to crack within a number of years; not billions...
(I think billions was the figure I first heard when 128bit was first starting to get used, and it was based on cracking it from a single computer)
It would take a significant amount of time to mount a successful brute force attack on RSA/DSA. Not just a couple of years.
It wouldn't be an exaggeration if we were talking about AES. It would actually be woefully underestimated.
I always wondered about the encryption in web browsers. Sure looking at a single encrypted data packet, it's going to be dang tough to decrypt it back to its original form. But on the other hand, before the transmition of encrypted packets, the web browser must somehow learn from the server how to decrypt the data packets, so why can't a hacker just look at those initial data trasmitions and learn how to decrypt the future data?
My understanding is that it is a combination of problems. The first is that currently available public key cryptography(which uses a rather cool asymetric system to get around the problem cubby1223 mentioned) is pretty much uncrackable by any tech that is publicly acknowledge to exist. 56 bit DES has, if I remember correctly, been 0wn3d with specialized hardware; but any decent 128 bit system that doesn't have hideous implimentation problems cannot be broken in useful amounts of time(somewhere between "we'll all be dead by the time we finish, even with all the computers on earth" and "all the protons in the universe will have decayed before we finish"). It appears that MS generally does alright with their encryption schemes, so there are no cryptographic shortcuts of note.
Problem two is that it is much, much easier to get the data some other way. Given the amount of malware on the average Windows desktop, you'd be much better off with a screen scraper, keylogger, or similar for general data collection and just stealing the data physically if you really care about it all that much.
Problem two is that it is much, much easier to get the data some other way. Given the amount of malware on the average Windows desktop, you'd be much better off with a screen scraper, keylogger, or similar for general data collection and just stealing the data physically if you really care about it all that much.
MrChad
Lifer
- Aug 22, 2001
- 13,507
- 3
- 81
SSL encryption is asymmetric; i.e. it uses public and private keys. The browser first sends a request for a secure session. The server replies with its public key. The browser creates a session key, then encrypts this session key using the server's public key. Only the server's private key can decrypt the encrypted session key. Once the session key has been established, secure communication can begin.
Here's a nice diagram
I wouldn't panic yet. The work factor that is reported by these researchers is still 2^69. That still requires an enourmous amount of computer power. The articles on this are overly sensationalist, IMO. SHA-1 hasn't exactly been broken, but these researchers are postulating that it can be done ~2000 times more easily (you would expect to see random collisions after 2^80 hashes with 160-bit SHA-1).
So is this research a concern? Sure, if it is true. Even if it isn't true, we should always be moving toward more secure crypto. All crypto can be broken, given enough time and money. So I don't really see anything new here. SHA-1 should be fine for a least a couple more years. People should being moving toward using more secure crypto though, as always. SHA-2 is available, so now is the time to start shifting toward that. Not at an all out panic, but it should be something that we move toward diligently.
So is this research a concern? Sure, if it is true. Even if it isn't true, we should always be moving toward more secure crypto. All crypto can be broken, given enough time and money. So I don't really see anything new here. SHA-1 should be fine for a least a couple more years. People should being moving toward using more secure crypto though, as always. SHA-2 is available, so now is the time to start shifting toward that. Not at an all out panic, but it should be something that we move toward diligently.
Its only safe for a while. They'll come out with 256 bit encryption and then find out how to hack it.
MrChad
Lifer
- Aug 22, 2001
- 13,507
- 3
- 81
They wouldn't need to. PGP's 1024-bit encryption uses RSA's algorithm, which is publicly available.
EDIT: Most (all?) encryption algorithms are open source. It would be extremely foolish to develop a proprietary encryption algorithm and not open it up to the academic and professional community. By opening up algorithms, the community can analyze and tighten them up to make them more secure.
VirtualLarry
No Lifer
- Aug 25, 2001
- 56,574
- 10,211
- 126
Considering how long Distributed.net took (or perhaps is still working on - I stopped participating years ago) in the RC5-64 (64-bit) cracking challenge - I don't think that brute-forcing a 128-bit, presumably RC5 or AES key, is going to be feasable anytime soon.
Thank you for asking this question. I have always wondered the exact same thing! (Answered above.)
KeyserSoze
If I understand things correctly, man in the middle attacks are still possible, which is why it's important to make sure the SSL cert verifies correctly.
TRENDING THREADS
-
Discussion Zen 5 Speculation (EPYC Turin and Strix Point/Granite Ridge - Ryzen 9000)- Started by DisEnchantment
- Replies: 25K
-
Discussion Intel Meteor, Arrow, Lunar & Panther Lakes Discussion Threads
- Started by Tigerick
- Replies: 21K
-
Discussion Intel current and future Lakes & Rapids thread- Started by TheF34RChannel
- Replies: 23K
-
-
Facebook
Twitter