Encrypted communication is a very old technical means to ensure that the content of communication is not "peeped" and "tampered" in an open environment. In different periods, different levels of security requirements, and different open environments, encrypted communication technologies will have different technical connotations and different external performances.
In the use environment of network communication, encrypted communication is still a common technology.
In civilian network applications, the Internet prefix of some network login URLs that provide network services has changed from "http://" to "https://", and the extra "s" means The meaning of the communication at this time is the "encrypted communication" communication method. The purpose of using the "encrypted communication" communication method is to ensure that the communication content between the Internet terminal and the server at this time will not be "peeped" due to "encryption".
Compared with the "plaintext communication" communication method without "s", this "encrypted communication" with "s" can really serve the purpose of "encrypted communication" (that is, the communication content is "encrypted" so that voyeurs "see" it. less than), or is it just a piece of "emperor's new clothes" to achieve self-comfort?
The following may give the corresponding answer.
1) General expression for encrypted communication
Generally speaking, any encrypted communication can be expressed by the following expression:
A=f(a,b)
a is the plaintext to be transmitted, b is the initial value during encryption, f is the encryption algorithm, and A is the ciphertext encrypted by a through the algorithm f.
The meaning expressed by the above expression is that the plaintext a to be transmitted, under the condition that the initial value is b, becomes A transmitted on the public channel through the encryption algorithm f.
2) Several basic conclusions about encryption:
Conclusion 1: Any encryption algorithm, as long as it is not a one-time pad, is breakable
Conclusion 2: As long as enough samples of A can be collected, the encryption algorithms f and b can be reversely calculated. Once you get the cracked f and b, as long as you get A, you get a. At this time, "encryption" is equal to "plaintext"
Conclusion 3: As long as it is not a one-time pad, the security of encrypted communication is achieved on the premise that the encryption algorithm is not broken. And once this algorithm is broken, that is, f and b are solved, then for the attacker of the encryption algorithm, "encrypted communication" is equivalent to "plaintext communication".
The security and effective security time of this "encrypted communication" consists of two parts. Time 1 is the time when the attacker can collect the number of valid samples A; Time 2 The attacker uses the collected valid communication sample A as the sample. , the time required to solve f and b by reverse engineering of the encryption algorithm.
Generally speaking, solving f and b by reverse engineering of encryption algorithm is often accompanied by massive computation. In this way, for an attacker of a communication encryption algorithm, whether it can organize a super high "computing power" becomes the key to whether it can effectively crack the target encrypted communication algorithm.
However, what is frightening is that in the online world, it is not difficult to obtain super high "computing power", and the price is also very low (Note 1)
3) How to capture "encrypted communication" in civilian network applications?
This case takes the encrypted communication of "username + password" that compromises a website as an example. And this process is applicable to the deciphering of "encrypted communication" in all civil network applications.
Step 1: Get "Username + Password"
Apply for registration on the target website and get "username + password"
Step 2: Sample collection of A and a.
By changing the password and logging in, use the data monitor to obtain A and a of multiple groups of "username + password".
Step 3: Disassemble f, b.
Organize strong "computing power" and violently dismantle f and b.
Step 4: Verify f, b.
Verify f and b by changing the password and applying for a new "username + password".
Step 5: Steal A of "username + password"
By deploying a data interceptor, the intercepted virus is deployed on the terminal and router, and the A of "username + password" is stolen.
Step 6: Verify
Use the stolen A and the disassembled f and b to obtain a ("username + password") in reverse, and use the cracked "username + password" to do the final login verification on the target website.
4) Conclusion
In civilian network applications, there is no essential difference between "encrypted communication" and "clear text communication". And the civilian network service marked with "https://" is just wearing a "emperor's new clothes" for masturbation. Even if it may have a little effect at the beginning of use, it will be broken every minute and second like the "King of Glory" anti-addiction system.
V) Countermeasures
In the face of more and more unlimited "computing power" at your fingertips, can't ordinary netizens protect the "username + password" that only proves who I am in the online world?
Note 1:
Generally speaking, the more difficult the encryption algorithm is, the more valid samples A are required, and the longer it takes to "crack" the massive operations. However, in the era of the Internet of Everything, attackers of encryption algorithms can "instantly" gather super "computing power" by "hijacking computing power", and this super "computing power" makes the original theoretical need for a certain length of An encryption algorithm that can only be deciphered by the "brute force operation" of time may be broken in a very short period of time and at a very low cost.
The following cases of "violent computing power" will completely subvert your fantasy of "unbreakable" encryption algorithms.
Case 1:
Quantum computers are the top engineering technology in computational engineering science today. According to reports, a system of equations that would take 100 years to solve by today's top supercomputers can be solved in just 0.01 seconds by a quantum computer.
At present, quantum computers are still in the laboratory stage, and outsiders are inaccessible. But once it is commercialized, who can guarantee this powerful "computing power": 1) It will not be "hijacked" by others? 2) Won't be used "legitimate" to wrap "illegal purposes"?
Case 2:
According to reports, in 2014, the "computing power" of 2,500 "Bitcoin" mining machines had reached 230 billion hash calculations per second. And the electricity bill for a month of these computing power is only a mere 400,000 yuan.
Hash operation is the basic core algorithm for online banking to verify the user's input password. The withdrawal password is just a combination of 6 -digit pure numbers, and there are only 1 million combinations. For an online banking hash operation attacker, as long as he knows a limited number of sets of passwords and the hash values corresponding to these sets of passwords, with the above "computing power", it should not take a few seconds to "brute force" Solve" to find f and b .
There are more than 10 million various " mining machines" online now . Are these "digging machines" just digging this coin and that coin honestly? It shouldn't be difficult to make a cameo appearance in "Deciphering the Brick" occasionally.
Case 3:
IoT botnet
Internet of Things (IoT) devices have increasingly penetrated into people's lives. Smart TVs, cameras, cars, wearables, routers, etc., these devices, in the eyes of attackers, are undoubtedly perfect nodes for botnets. Compromising thousands of IoT devices is not difficult for botnet builders. How much "computing power" can these thousands of IOT devices gather?
As of the summer of 2017, the Mirai botnet virus compromised 2.7 million IoT devices in less than a year, according to researchers at 360 Network Security Labs. The more vicious Satori botnet virus captured 280,000 IOT devices within 12 hours.
These compromised IOT devices can undoubtedly provide infinitely huge "computing power".
Rent 50,000 botnet devices on the dark web and perform intermittent attacks with a 5-10 minute cooldown per hour for 2 weeks for a mere $3K to $4K.
Case 4: Artificial Intelligence
Since " AlphaGo " defeated Li Shishi 4:1 in 2016, defeated Ke Jie 3:0 in 2017, and at the beginning of 2018, Tencent's " Exquisite Art " defeated Ke Jie in the game of letting 2 children, artificial intelligence is growing at a fast speed" growing up". I believe no one will think that the encryption algorithm of civilian level is more difficult to crack than the "Go" in Ke Jie's brain, right? Isn't it a matter of minutes to use " Exquisite Art " to crack a civilian-level encryption algorithm? Please don't forget how many "stunning arts" are waiting to be born!
When Tencent is striving for perfection in the laboratory to build artificial intelligence machines that can defeat Ke Jie with 2, 3, and 4 children, it is believed that some people are already walking on the road of using artificial intelligence to crack the "encryption algorithm" of civilian network applications. .