Topic: How long will existing encryption last? (Read 2149 times)

---------------------
There is no way to predict the level of future computers based on information about today's technology.
This has always been the case. But one thing is clear, in general terms, that technology will evolve. Therefore, first of all, the technology of stealing and phishing our confidential data, our keys and our passwords will develop and become more and more dangerous.
Fraudsters will never attack cryptography, any cryptography, even the weakest one - they won't. They will always steal keys and passwords.
Therefore, the time of key-based modern cryptography, in general any post-quantum cryptographic system based on keys - is a thing of the past.
We are waiting for totally new technologies of keyless encryption, passwordless authentication, a world without phishing.
In fact, it seems fantastic, seems silly and irrelevant.  But this has always been the case, the most fantastic assumptions have always come true and surprised people of the future, how someone in the past was able to foresee our future.
Think about it.
What will happen to our security when computers are millions of times more powerful than they are today? Will our security increase or decrease? This is not as simple a question as it may seem at first glance.
I invite discussion. 

Supercomputers can only help those who attack cryptography (cryptanalysts) or your security (hackers). In addition to all of the above, you should understand that your security will be attacked not through hacking cryptography, but through hacking the systems that protect your crypto keys and passwords.
Today, artificial intelligence is beginning to serve hackers, fraudsters, and other security attackers, not the other way around. This is no longer a theory, but a statistic. For example, artificial intelligence picks up passwords to your account using your social graph.
Interesting question.
We all use cryptography, although we don't notice it, because it is built into our security systems, is inside them.
We also use keys to our ciphers, but we don't know them, we haven't even seen them.
The question is, if they were switched, with ones that someone else knows, would we be able to notice it?
That is the question, the answer to which can change the attitude to cryptography based on keys and to authentication based on passwords or other stable factors - as a vestige of old technology, as a source of potential danger, and not vice versa.  

You are wrong if you think that supercomputers and other technical innovations can improve the quality or reliability of encryption.
Good cryptorgery is not a technology and technique, but mathematics and the thoughtfulness of a system that creates a cipher on paper. This is theory and science, not a supercomputer.

This couldn't be a danger, in spite of the fact that there are various amazing supercomputers these days, encryptions are made in crypto to totally scramble information. I realize somewhat about hashing however I'm not a PC proficient individual. I accept, what we are utilizing are hashing calculations that principally not permitting the information to be decoded returning to its source. Also, that innovation makes it the most secure and solid for individuals. Before long, these ground-breaking supercomputers won't be centered around decoding previously existing information, yet principally to make more grounded encryption.

-------------------
In fact, no matter how much computing power a person invents, no matter how fast the computer that will be used to break cryptography, this battle will always be won by cryptographers, because mathematics is endless now, it can work with any numbers. And technologies are always finite for the present moment in time, so they are always limited in their capabilities.
I pay attention to modern cryptography, and raise the topic of its long or short life, precisely from the point of view of the availability and use of keys for encryption. No matter how perfect cryptography is, the presence of a key always instantly weakens it to zero in the event of an attack. All modern attacks are attacks to steal keys and passwords. And not a single attack from fraudsters - not on cryptography.
All talk about the threat of quantum computing is a false trail.
All conversations should be about how to protect the user from theft of keys, passwords, phishing.
It is this vector - no one discusses or, in the best case, offers "password managers" or two-factor authentication. And that and that way is a utopia, and cyber defenders pumping money out of users. This is their way of being and, moreover, forever. They do not offer a solution to the problem at the root, but polish an outdated mechanism.
I suggest looking the other way.
We need cryptography without a key and authentication without a password, and this means the main thing - without any permanent, long-assigned digital identifier.

Although many of my posts were deleted by the administrator, something remained here, this is the topic I'm trying to discuss there:
https://bitcointalk.org/index.php?topic=5204368.60

Is it really possible to have that kind of computers that could do so much cryptography? Really our world now are going through so much in computerization and it will be a matter of fact when all of the advance technology will become more advance. We had already seen heart transplant in medical and there is also a study about head transplant. I do not know if it was being successful but it is indeed true that a certain man who is sick and had having hard time on his condition made him decide to volunteer for the said experiment.

Computerization is really great and hoping that it will be apply to do things for comfort and not just creating it by the purpose of doing evil things.

The Office of Advanced Research Projects of the U.S. Department of Defense (DARPA) has signed a contract with ColdQuanta to create a new quantum computer.
As we were informed, the construction of a quantum computer for 1000 cubic meters will be possible in the next 40 months.

According to Bo Ewald, CEO of ColdQuanta, within the next 40 months, under the terms of this contract, a machine will be created which will consist of 1000 (one thousand!!!!) cubic meters, and it will be able to make the necessary calculations ... to create the drugs and... (it's not interesting and probably not true that it will be used for this) - and to break the ciphers.

All this suggests that users of today's asymmetric key cryptography have less and less time left. I don't think 1000 kbit will be able to crack a key longer than 2000 bits, but I think 10,000 kbit will appear after a 1000 kbit quantum computer. That's the problem.
In 40 months, the era of quantum cryptography for a strong world and keyless encryption for ordinary people will begin.
If there is much talk about quantum cryptography, then keyless encryption methods are considered fiction and not worthy of public attention.

The number of attacks is constantly growing, the main vector of which is theft of keys and passwords. All over the world, confidential user data, including keys, passwords and user IDs, are fraudulently transferred or banally sold. It is possible to attack through keys and passwords quietly, crushingly, for a very long time, imperceptibly. What are the consequences of these crimes? Why is the statistics of this type of cybercrime steadily growing? 
The root of our protection is so weak that there are ready-made programs in free access for stealing private information and selling complex package solutions, which can be used even by an inexperienced cheater. The resource that dedicates humanity to fighting cybercrime is steadily growing, but we have not seen adequate positive results. 
The conclusion is obvious - the modern security system available to an ordinary user does not cope with its tasks and probably can only protect us from the same ordinary user, the user, but not a trained attacker.
Perhaps this is done intentionally, a real race of cyber weapons is unleashed. Perhaps some people are comfortable living in such a translucent digital world? Who knows? Who knows, is silent..

--------------------------------------
Nobody really knows when it's time for the Bitcoins to be completely vulnerable. Everyone here has different opinions.
I agree with those who are in a hurry, who want to speed up the transition of block-chain technology to more robust encryption algorithms.
But the key problem will never be solved in the future and will be just as dangerous as it is today - because of the possibility of compromising it.
As long as the encryption used by the user has the same key for all the information that the user encrypts, there will be a danger that not only the key will be stolen, but also cryptanalysis.

For these reasons, I don't think it makes much sense to implement more robust cryptography and leave the keys as a necessary encryption component.

Scammers don't break cryptography, they steal keys.

And a normal person, always wonders how to do that?
But statistics on cybercrime clearly show what can and isn't as difficult as we might think.
Yes, and most importantly, the keys cannot be stored in human memory, we have to trust the devices, and this is a vulnerability.

The only radical solution to the key problem is their absence. There is keyless encryption technology. Essentially, it is a technology that encrypts every little piece of information - with different encryption schemes, as if it were similar - encrypting every little piece of information - with new keys that are not passed from user to user, are not stored anywhere, and any new encryption rule (as if a new key) cannot be calculated from the old encryption rule (as if the old key) knowing only the encryption and the old encryption rule (old key).
This is the new technological solution to the key problem.

Current encryption innovation goes to be less steady than we recently anticipated.

Bitcoin encryption and personal keys are going to be unprotected by 30.

In any case, just significant activities chipping away at it'll accomplish this accomplishment and expectation that none of them will ever assault Bitcoin.
 

Cloud vaults break like nuts.
Who needs this protection if the cryptography on the keys is only opened with the key, no matter who brought the key?
Here are the consequences, according to court documents published by the NSO Group, Facebook intended to purchase Pegasus, a spyware product capable of extracting user data from Apple, Google, Facebook, Amazon and Microsoft cloud storage. The data is being exported, giving software operators access to confidential user data. The data collected includes... that's where three dots are best, because there's not much to steal, there's enough keys and passwords. The rest is that you've already put everything in the box that's already got the key.

The danger of modern cryptography on keys is that it gives an imaginary security, you feel free, and then the vase is cracked, all your secrets and private data.

Key cryptography as well as password authentication are the rudiments of the 20th century, temporarily living in the 21st century.

In addition, we can say that the interfaces of programs that attack two-factor authentication are very much simplified. They are getting bigger and bigger and more accessible.
Be vigilant, especially if you are using this obsolete mechanism.

The modern protection system is a modern protocol, a set of instructions on the technologies underlying these protocols.
The main technology underlying the security systems is cryptography.
Cryptography, any system, is built on the methods of using the key, which is used as the instruction needed to configure individual (for this key) encryption algorithms.
Therefore, any protocol based on modern cryptography will always ask you for the key, password, biometric identifiers, which are essentially the same password, password-constant, it cannot be changed.

As soon as you build a system that has a weak link in its foundation - a password or key, so prepare yourself immediately for the fact that scammers will not break you in the forehead, they will look for access to keys and passwords.

Modern cyber crime research, their statistics, reports from companies dealing with this issue, even a Microsoft report - all this clearly shows that keys and passwords are almost always stolen.

Any security system, the most sophisticated and modern, even postquantum ones, if based on passwords or keys, will have a vulnerability in this very weakest link - the key (password).

Only keyless encryption systems will allow to build more reliable security systems.

In password authentication systems - there are passwords, there are digital identifiers. 2FA is a way to combine your permanent digital identifier (e.g. password) and a variable (e.g. code in the SMS that is not repeated anymore). The essence has not changed, the response time of the cheater has changed and the complexity of the attack.

Today, the most reliable system 2FA - is no longer reliable.

Any 2FA - easy to break, especially if the second factor is your smartphone! SMS - much easier to intercept than to find out your master password.

You need the next step, 3FA, 4FA ... - playing cat mouse, not solving the authentication problem.
Only passwordless authentication, real authentification without a password, not a temporary password like 2FA is the solution.

For those who trust 2FA, this is the material:

1. scammers have learned to intercept SMS with security codes sent by banks and withdraw all the money that is on the card. Not so long ago this way in Germany cybercriminals pulled off a major operation to steal money from credit cards of hapless users.
It should be noted that 2FA via SMS has already been officially recognized as an insecure authentication method due to unrecoverable vulnerabilities in Signaling System 7 (SS7), which is used by mobile networks to communicate with each other.
A few years ago Positive Technologies specialists showed how SMS is intercepted.

2. In fact, the assumption of inconvenience (and insecurity) was confirmed by Grzegorz Milka, the same speaker from Google. The Register journalists asked him why Google will not enable two-factor authentication by default for all accounts? The answer was usability. "It's about how many users will leave if we force them to use additional security."
That's a good, honest answer.

3. Even before I started studying IT security science, I thought 2FA authentication was a guaranteed way to secure my account and no "these hackers of yours" could, say, steal my internal currency to buy... on your account. But over time, it has been proven by experience that a two factor authentication system can have many vulnerabilities. The code authentication system is very common, used everywhere on various sites and can connect for both primary and secondary login.

4. - bypass rate-limit by changing the IP address...
Many blockages are based on the restriction of receiving requests from IP, which has reached the threshold of a certain number of attempts to make a request. If you change the IP address, you can bypass this restriction. To test this method, simply change your IP using Proxy Server/VPN and you will see if the blocking depends on the IP.

5. - Bypass 2ph by spoofing part of the request from a session of another account...
If a parameter with a specific value is sent to verify the code in the request, try sending the value from another account's request. For example, when sending an OTP code, it verifies the form ID, user ID or cookie that is associated with sending the code. If we apply the data from the account settings where we need to bypass the code-verification (Account 1) to a session of a completely different account (Account 2), get the code and enter it on the second account, we can bypass protection on the first account. After rebooting the 2FA page should disappear. This is like another example.

6. - bypassing 2FA with the "memorization function"...
Many sites that support 2FA authorization have "remember me" functionality. This is useful if the user does not want to enter the 2FA code when logging into the account later. It is important to identify the way that 2FA is "remembered". This can be a cookie, a session/local storage value, or simply attaching 2FA to an IP address.

7. - insufficient censorship of personal data on page 2FA...
When sending an OTP code on a page, censorship is used to protect personal data such as email, phone number, nickname, etc. But this data can be fully disclosed in endpoint APIs and other requests for which we have sufficient rights during the 2FA phase. If this data was not originally known, for example we entered only the login without knowing the phone number, this is considered an "Information Disclosure" vulnerability. Knowing the phone number/email number can be used for subsequent phishing and brute force attacks.

8. - Impact of one of the reports:
Linking to other vulnerabilities, such as the previously sent OAuth misconfiguration #577468, to fully capture the account, overcoming 2FA.
If an attacker has hijacked a user's email, they can try to regain access to the social network account and log on to the account without further verification.
If the attacker once hacked into the victim's account, the attacker can link the social network to the account and log into the account in the future, completely ignoring 2FA and login/password entry.

9. - Everybody is so confident in the reliability of 2FA that they use it for the most demanding operations - from Google authorization (which is instant access to mail, disk, contacts and all the history stored in the cloud) to client-bank systems.

The ability to bypass such a system has already been demonstrated by the Australian researcher Shubham Shah.

In early 2019, Polish researcher Piotr Duszyński made Modlishka reverse proxy available to the public. According to him, this tool can bypass two-factor authentication...

10. - A security breach was discovered by the leading hacker at KnowBe4, Kevin Mitnick. The new exploit allows you to bypass protection with two-factor authentication (2FA). An attacker can direct a user to a fake authentication page, thus gaining access to the login, password, and cookie session.

11. - The "ethical hacker" Kuba Gretzky developed the evilginx tool to bypass two-factor authentication. The system uses social engineering principles, and can be directed against any site.

12. - Two-factor authentication mechanisms are not reliable enough. Shortcomings in the implementation of such mechanisms are found in 77% of online banks.

13. Nothing new, the issue of hacking into the 2FA mechanism was commented by Pavel Durov himself.  The mechanism is simple, here it is:

1. Interception of SMS by various means.

2. Login to your account on a new device or web version of Telegram.

3. Resets two-factor authentication via tied mail.

4. Mail is "opened" by receiving the same sms through the "Forgot Password" button (you will be lucky if the numbers do not match).

5. We enter the mail and enter the code in Telegram.

6. We open all chats, groups and not remote correspondence, except for secret chat rooms (green chat rooms with a lock).


So what are we doing?
We're waiting for 3FA, 4FA... PFA or looking for technology, options for new password-free authentication methods?

--------------------------
The existing encryption is not under anyone's control.
There is a general consensus, there is certification, there is advertising, it is enough for everyone to be vigilant.
This is used by large companies using their authority to produce products based on publicly available encryption libraries.
Small companies mistakenly think that what big companies have done is 100% correct and they do the same.
And so the whole world is connected by a chain of authoritative opinions, a pyramid from one "guru" to all ordinary pipels.
This is a system of general trust, on which the security for ordinary users is built.
Very few brave people who understand themselves, make their own conclusions, come to the essence, but make mistakes themselves.

It's good to be able to dig that deep.
And if you're not, if you don't even have time for it, what do you do?
I'm trying to find the answer to that question.

In my opinion, the only thing left to us who have not studied cryptography is to draw conclusions by getting indirect information, namely:
- why is there domestic cryptography and government cryptography?
- why in household cryptography the system of encryption at the level of algorithms is not updated, and in government cryptography it is obligatory?
- why are they so stubbornly searching for replacements for existing systems rather than just increasing the length of the key?

And here's another thing that can happen to those who believe in this general trust system:
- the Swiss government has filed a complaint in a criminal case against the CIA for using a Swiss supplier of encryption equipment to intercept communications from 120 governments over 50 years. The encryption products supplied by Crypto AG contained backdoors allowing the US and German intelligence agencies to easily read encrypted correspondence.

The security system, built on trust, which now exists in the world, seems to have collapsed completely.

Key-based encryption systems will never provide security for the average client, the average user, because it is the keys that will be stolen, this is the easiest way, because encryption algorithms are known and established as a constant.

---
Quantum computers cannot generate new encryption.
It is just a tool in human hands, not smart machines that can encrypt better than classic, ordinary, modern computers.
But they can decrypt, crack and do cryptoanalysis. Well, at the very least, they can do the whole thing, the brute force attack.
A new encryption, which should be absolutely stable against quantum computers, is now being generated by the best minds of mankind. And new encryption technologies will only work on ordinary computers, on our consumer digital devices.
But the problems of stealing encryption keys, the vulnerabilities that are exploited today, will also be relevant for all new postquantum encryption technologies without exception.
The only global method that eliminates these flaws is the keyless encryption technology that may emerge in the near future.

Here's another, another example, confirming the failure of modern security systems based on key and password cryptographic protocols.
Obviously, for modern cryptography, including post quantum cryptography, the fact of having a key will level out any cryptography. Fraudsters always scream the keys, not crack the encryption.
We study the news carefully:
-
Officers of the Cyber Police Department of the National Police of Ukraine identified a 25-year-old local resident who had broken into and emptied crypt currency wallets.
Crypt wallets, not any others!
According to the press service of the Cyberpolice, the man was a participant in closed forums where he bought logins and passwords from crypt wallets. In addition, he purchased and modified malware to gain unauthorized access to protected logical systems of protection of Internet resources. With its help, the attacker gained access to accounts on crypt-currency exchanges and withdrew funds.

This is the price for key protection systems - a paradise for scammers, and a fiction for users.

Here's a confirmation:

- During the search of the residence of the case, a laptop, a mobile phone and a computer were seized. A preliminary inspection of the equipment revealed that it contained malware and confidential data related to electronic payment systems, e-mail passwords and keys to cryptocurrency wallets.

Clearly, keyless encryption systems and passwordless authentication, if created, would be more secure than today's.

You've noticed correctly that this is the most famous example. What I don't like here, or rather a security concern:
1. And what examples do we not know?  What have mathematicians found, whose names do not appear in public publications?
2. it's a crude attack on 795 bit number, it's a crude force, it's not as effective as cryptanalysis as mathematical solutions, because in the schemes with public and private keys of the whole set of numbers, only prime numbers are involved in the encryption scheme.

If I concealed information that there are mathematical solutions to the problem of factoring and discrete logarithmization, I would contribute in every possible way to the spread of such information.

What does it mean to introduce quantum computers into a locking system?
As for encryption, I agree, encryption will change. But the existing encryption can only change to some post quantum public key cryptographic system.
The fact is, all post quantum systems require more computing resources than the existing elliptic encryption.
That's why I don't understand how I can increase the speed. After all, today if you buy a cup of coffee for bitcoin, it will become cold while the calculation is done.
How can I increase the speed in the future?

Quantum computers will be integrated into the blockchain system. In this case, the existing encryption may change. Because enormous processing powers or super-superchargers may require the system to change. The most important thing for Bitcoin is encryption and speed.

-----------
The reliability of a cryptographic system is determined by the reliability of its keys.
It makes no sense to use AES-256 (or a longer key length) to transfer keys - disposable notebooks, because the key length is equal to the length of the message, and Vernam's encryption reliability will drop to AES reliability.

The problem of generating disposable notebooks is solved by the technologies mentioned in my previous posts. It makes no sense to transfer a disposable notebook using any, even a post (double post) cryptography. If you want to make the most secure of all possible ciphers - the Vernam cipher - then your keys should never and never be transmitted, not even through the channels of quantum cryptography (solving the problem of common key coordination for a symmetric encryption system). It is connected with that fact, quantum communication is communication with the big errors, on small distances, and the quantum channel is easily muffled by hindrances. besides, it supposes up to 11 % of information leakage. It's a huge drop in reliability relative to Vernam's cipher.

How to create identical disposable notebooks symmetrically, without necessity of their transfer on communication channels, to create Vernam's cipher, it is solved in technology of keyless ciphering and password-free authentication, in a variant of vector-geometrical model which author I am. We can talk about this topic in detail.