
Topic: How long will existing encryption last? - page 4. (Read 2214 times)

full member
Activity: 224
Merit: 120
December 28, 2019, 06:12:25 PM
#50
Phishing = not "real" hacking, but rather a social engineering attempt at getting users to give up their own credentials. It's not the fault of the system or the bank, but user error.

Even more effective are invisible keyloggers, as they can then get passwords for any other website or online banking account the victims log into.

Again, that's not the fault of the encryption or the bank.

But it is indeed a problem.
-----------------------------
You correctly noticed that this is really a problem.

Speaking directly, but not counting on the support of a large number of people, the problem with any key encryption system is the keys.

Let us develop the thought in this direction.
The problem with any password authentication system is passwords.
Once upon a time, this was not so noticeable.
This problem emerged over time, after a statistical analysis of the causes of successful cybercrimes.

For this reason, I advocate only new passwordless authentication methods that are based on the new keyless cryptography. Interestingly, in this field of knowledge, there are almost no publications and studies.
https://bitcointalksearch.org/topic/keyless-encryption-and-passwordless-authentication-5204368

The whole world sees no alternative to either keys or passwords.

In a wonderful world we live, we find it hidden from our eyes, but we don’t notice the obvious on the surface.
full member
Activity: 224
Merit: 120
December 27, 2019, 10:28:55 AM
#49
Actually hacking is really hard and requires n number of software tools; the thing that people call hacking nowadays might just be your accidental mistake, like opening up your FB ID from a link sent to you. Therefore those are two different fields. What can be done is:
You need to secure your own system first; after that you need to limit your usage of apps and devices.
It is gonna take a while for people to figure out how to hack something like the cryptography that we are using today, but we all know that it is inevitable. That's what the whole thing is about: the IT sector improves every hour, every minute, therefore expecting any less would be wrong.
---------------------
As for improving the IT security sector, my opinion is that we are always trying to be inspired by the idea that the new security product you buy or use is better than the old one.
But it is not always the case.
More often than not, it is a myth that is spread by the sellers of products for our security.
History knows a lot of cases when new top IT products were hastily made and were inferior to the old proven software solutions.
We live in a world of public opinion.
And as long as huge efforts are made to support this public opinion, there is no way to find out if the new is better than the old until time itself settles the dispute between the disputing parties.

And now, about the facts of time.

Try to look at statistical studies, about successful attacks today compared to what happened 5 years ago.
This is the right indicator of how our IT security is evolving. 

Yes, you will find that many of the bugs of the past have been fixed, and seem to be reliable.
You will also find that cheaters are developing very much ahead of the security industry.
You will also find that security administrators will find out about their bugs once they are detected by scammers.

And you're always told, like this:
- a dangerous vulnerability has been discovered, so urgently install the latest update;
- or so: the vulnerability cannot be fixed with an update, you need to change the software;
- or so (as with the vulnerability of almost all Apple iPhones since model 7): this vulnerability cannot be corrected programmatically, a hardware replacement is required...

And beyond that is the paradox of our perception:
- the first group thinks it's okay, because the vulnerability was discovered and warned about it (the question remains behind the scenes, but what security holes weren't warned about?);
- the second group, more courageous, believes that in such cases, the security system fails to perform its duties, especially when the found shortcomings have already been exploited by criminals.

The pseudo-security industry does everything to make the first group of users dominate the second.

And what group do you think you belong to?

P.S.
Given that, year after year, the financial and reputational losses from cybercriminals are steadily increasing, not decreasing.
hero member
Activity: 1890
Merit: 831
December 27, 2019, 09:37:45 AM
#48
Actually hacking is really hard and requires n number of software tools; the thing that people call hacking nowadays might just be your accidental mistake, like opening up your FB ID from a link sent to you. Therefore those are two different fields. What can be done is:
You need to secure your own system first; after that you need to limit your usage of apps and devices.
It is gonna take a while for people to figure out how to hack something like the cryptography that we are using today, but we all know that it is inevitable. That's what the whole thing is about: the IT sector improves every hour, every minute, therefore expecting any less would be wrong.
legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
December 27, 2019, 09:28:07 AM
#47
Phishing = not "real" hacking, but rather a social engineering attempt at getting users to give up their own credentials. It's not the fault of the system or the bank, but user error.

Even more effective are invisible keyloggers, as they can then get passwords for any other website or online banking account the victims log into.

Again, that's not the fault of the encryption or the bank.

But it is indeed a problem.
full member
Activity: 224
Merit: 120
December 26, 2019, 05:31:20 PM
#46
Another example of how quietly and for a very long time it is possible to exploit the vulnerability of banking security systems.

It should be noted that these are not the last banks in the world.

And yet, it is impossible to keep silent that phishing, which is the basis of many attacks, is possible only in password authentication systems, in systems with a permanent client ID.

These improperly built security systems guarantee the existence of such facts.

14 Canadian banks were affected, among others:
1. CIBC bank;
2. TD Canada Trust;
3. Scotiabank;
4. Royal Bank of Canada (RBC);
5. other banks.
 - were the victims of a large-scale phishing campaign that lasted for two years.

What good is it if fraudsters worked without problems for 2 years?

As noted by researchers from Check Point in their report, in the case of RBC attackers simply took a screenshot of the official site and added invisible text fields over the input fields to collect the credentials of the victim.

If you start collecting these facts, it's very quick to get a very thick and sad book... 
full member
Activity: 224
Merit: 120
December 26, 2019, 12:59:41 AM
#45
Scammers who specialize in hacking into bank security systems are not just looking for access to their victims' money.
It's complicated and thoughtful on their part.
They're hunting for the information they need.
Fraud not only involves using the money in the accounts themselves, but also often opens the door for further fraudulent activity. Criminals may use information obtained as a result of the successful theft of your personal data to further manipulate other financial products, such as consumer loans or credit cards.

Criminals have found and continue to find many opportunities for their illegal activities.

Do not believe advertisements about the boundless reliability of banking security systems. If this were the case, you wouldn't spend a lot of effort constantly modernizing such systems.

In general, a security system cannot be more reliable than the elements of which it consists.
I'm interested in its most important element - cryptographic.
A system built on key cryptography and password authentication methods will always be in danger.
Probably the only way out is with keyless encryption and passwordless authentication.

These options are discussed here:
https://bitcointalksearch.org/topic/keyless-encryption-and-passwordless-authentication-5204368.

And the possible first implementation of such a fundamentally new security system may be in this project:
https://toxic.chat/
full member
Activity: 224
Merit: 120
December 24, 2019, 11:28:01 AM
#44
Existing encryption is already a model used in banking. It's very good for security. Hack cases usually occur with the method of fake. Or ponzi systems, people are losing their money. Very powerful computers need to emerge. I think there's still a good security structure.
---------------------
Cryptography in bank security systems is common, household, conditionally reliable.

Attacking a bank's security system through a cryptographic attack itself is not necessary.

Cyber security in banks is so low that there are many other, more effective means of attack. And scammers always choose the easiest way.

The issue of cryptography in the protection systems of all banks has been solved very strangely, without our consent.

They (I do not know who these people are) make a distinction between "commercial" or general cryptography (this is the one for us) and state cryptography.

Commercial cryptography must be based on the same standards throughout the world, because modern business, let alone banking, often goes beyond the borders of a single country.

But state standards for cryptography are much better, they cannot be distributed anywhere, they will only be used within government structures and as is done in the United States.

And despite this high level (relative to "our" bank cryptography), they must be updated every five years (at the algorithmic level).

Then it is even more interesting.

Commercial structures should not have access to this algorithm itself. Thus, it will be possible to apply simultaneously public "commercial" algorithms - for us, the simple and naive, and for the celestials - to ensure the normal preservation of state secrets and other important secrets.

We, bank customers, ordinary customers, not VIPs, are confronted by organized cybercrime, which has a huge, well-organized business that operates billions of dollars annually around the world.

Antivirus programs or data protection technologies do not always protect against cyberattacks, because hackers' technologies are always and constantly being improved.

The case has gone so far in the bad direction that:

1) American banks and online lenders Citigroup, Kabbage, Depository Trust & Clearing Corporation, Hewlett Packard and Swiss Zurich Insurance Group announced the creation of a consortium on cyber security - it will be managed by the World Economic Forum.

2) SWIFT management has sent a letter to client banks warning of the growing threat of cyber attacks. A similar document was made available to Reuters editorial staff.
The letter from SWIFT also says that hackers have improved their cyberattack techniques on local banking systems. One new tactic involves using software that allows hackers to access technical support computers.
"Threats are constant, sophisticated and have a good degree of adaptability - and are already normal," says the letter SWIFT.
 Unfortunately, we continue to see cases in which some of our clients are now compromised by thieves who then send out fraudulent payment instructions via SWIFT.

3) Check Point: The number of attacks on mobile banking has doubled in the first half of the year:

On August 1, 2019 Check Point Software Technologies released Cyber Attack Trends: 2019 Mid-Year Report. Hackers continue to develop new toolsets and methods aimed at targeting corporate data stored in the cloud infrastructure; personal mobile devices; various applications; and even popular email platforms. Researchers note that none of the sectors is fully protected against cyber attacks.


4) The Neutrino Trojan once again confirms that cyber threats are constantly evolving. New versions of known spies are becoming more complex, their functionality is expanding, and appetites are growing. And as the number of different digital devices grows, malware areas are also becoming wider.

5) Cyber criminals have learned how to steal data by distributing malicious plug-ins from over 80,000 sites on the Internet.

By installing unproven malicious plug-ins, the user gives cybercriminals access to passwords, logins and bank card data.

6) German banks refuse to support authorization via one-time SMS code
Several German banks announced in July 2019 that they planned to abandon the use of one-time SMS passwords as a method of authorization and transaction confirmation.

Over the past few years, the number of attacks using the "SIM swapping" method has increased, thanks to which a fraudster can deceive a telecom operator and transfer a user's phone number to another SIM card, gaining access to the user's online accounts with banks and cryptocurrency exchanges.

Cyber security specialists have been warning against using one-time SMS passwords for several years, but not because of "SIM swapping" attacks. The problem lies in the inherent and unrecoverable weaknesses of the protocol (SS7), which is used to configure most telephone exchanges around the world. Vulnerabilities in this protocol allow attackers to steal a user's phone number invisibly, even without the knowledge of a provider, allowing them to track the owner of the phone and authorize online payments or login requests.

And banks use this and impose it on their users as an "additional" security measure. A paradox?


7) 97% of large banks are vulnerable to cyber attacks.
On July 10, 2019 it became known that only three banks out of a hundred received the highest score in terms of ensuring the security of their sites and implementation of SSL encryption.
The vast majority of large financial institutions in the S&P Global rating are vulnerable to hacker attacks. This conclusion was made by the experts of the Swiss company ImmuniWeb on the basis of a large-scale study, which examined 100 sites owned by large banks, 2,336 subdomains, 102 Internet banking applications, 55 mobile banking applications and 298 mobile banking APIs.

8) Positive Technologies: All online banks are under threat of unauthorized access to bank secrecy.
On April 5, 2019 Positive Technologies reported that its experts assessed the level of security of online banks in 2018 and found that 54% of the surveyed systems allow attackers to steal money, and all online banks are under threat of unauthorized access to personal data and bank secrecy. According to the analysis, most of the online banks studied contain critical vulnerabilities. As a result of the online bank security assessment, vulnerabilities were identified in each system studied, which could lead to serious consequences.

9) Trojan under the name Android.BankBot.149.origin is distributed as harmless programs. After downloading to your smartphone, tablet and installation, it requests access to the mobile device administrator functions to make it harder to remove it. It then hides from the user by removing its icon from the home screen.

Then the virus connects to the management server and waits for commands.
It can do the following:
1. send SMS messages;
2. intercept SMS messages;
3. request administrator rights;
4. execute USSD requests;
5. receive a list of the numbers of all available contacts from the phone book;
6. send SMS with the text received in the command to all numbers from the telephone book;
7. track the location of the device via GPS satellites;
8. request additional permission to send SMS messages on devices with modern versions of Android OS;
9. make calls;
10. access the phone book;
11. work with a GPS receiver;
12. obtain a configuration file with a list of bank applications under attack;
13. display phishing windows.

What do you think he can do with your "bank security"? 
Whatever he wants to do!!!

And beyond that:

14. the Trojan steals confidential information from users, tracking the launch of "bank-client" applications and software to work with payment systems.
15. controls the launch of over three dozen such programs.
16. as soon as the virus detects that one of them has started working, it downloads from the management server the corresponding phishing form for entering the login and password to access the bank account and shows it on top of the attacked application.
17. In addition to stealing logins and passwords, the Trojan attempts to steal information about the bank card of the owner of an infected mobile device.

To do this, the virus monitors the launch of popular applications such as Facebook, Viber, Youtube, Messenger, WhatsApp, Uber, Snapchat, WeChat, imo, Instagram, Twitter, Play Market and shows a phishing window of the payment service settings on top of them.

18. Upon receipt of SMS, the Trojan turns off all sound and vibration signals, sends the content of messages to attackers and tries to remove intercepted SMS from the list of incoming ones.

As a result, the user may not only fail to receive notifications from credit organizations with information about unplanned money transactions, but also fail to see other messages that come to his number.

Conclusion:
- The imperfect security system (first of all, the bank system) does not allow us to use the mobile phone, which receives one-time SMS-passwords, for other purposes!
It should not be used for online banking (mobile banking)!
It is necessary to allocate a separate device (computer, smartphone, tablet) from which you can access and manage your bank account.

Moreover, this device should not be used for any purpose other than online banking, including:
- browsing the Internet;
- social networks;
- email;
- the device must be equipped with special software implementing the "default ban" function.

These are the restrictions that each of us has to apply if we want to use banking products that are very vulnerable to attacks of a non-cryptographic nature.

It is possible to live well and quietly, but only when you don't know this information.
The banking security system is a false myth, in our time.
full member
Activity: 630
Merit: 101
December 23, 2019, 10:57:22 AM
#43
Existing encryption is already a model used in banking. It's very good for security. Hack cases usually occur with the method of fake. Or ponzi systems, people are losing their money. Very powerful computers need to emerge. I think there's still a good security structure.
jr. member
Activity: 120
Merit: 3
December 23, 2019, 09:46:46 AM
#42
Existing mass encryption will exist for a long time after quantum computers.
They should receive really mass adoption to change it.
legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
December 23, 2019, 09:44:30 AM
#41
There are other things to consider, encryption is just a tool. I was (still am) in the military, so top secret communications are dealt with differently, but as an officer, I wouldn't mind using 4096 RSA. However, since I do have physical contact with most of the operators in the field, then it would be fine to also just use AES256 and use shared keys that they keep. (as opposed to one time pads, which was the traditional way of communicating with field agents.)

Of course, that would mean said agents need a computer and can no longer decode by hand, but they should be resourceful enough to have them available from regular consumer hardware, or bring it with them in the form of some small device like a smart phone or small laptop.

They also frequently use unencrypted radio anyway, so they have codes as well for that.
--------------
Yes, another question, if I may, you mention:
"...they also often use unencrypted radio, so they have codes for that."

Does that mean they use disposable paper books with codes? Once they accept the code, they use one page of the notebook.  The second time I took the code, the second page of the notebook. Is that it?

If that's true, it's a disposable notebook system, basically Vernam's class encryption. It's the most secure kind of encryption available today.

Not only that, it's the only type of encryption that is absolutely reliable of all the encryption systems that ever existed!
It is the only system for which the Shannon theorem of absolute reliability was proven back in 1945.

To change this system to RSA with any length of key is a loss of reliability. In addition, everything that is encrypted by the RSA system is carefully written down because there is a public key, which means that sooner or later everything will be decrypted.  And why allow that?

So your way of working is the best and most reliable. I think it is.

You're talking about one time pads. That's the really old school way of encrypting messages, using pen and paper, with no computer. But it requires code books.

When I said they use codes, I meant they use like code words so normal eavesdroppers don't easily figure it out. It's not the most secure, since the enemy can be listening in and eventually figure out what the words mean, but during the last world war, the US forces used "code talkers" who spoke a different language, over unencrypted radio. They even made movies about it.


When we talk about using RSA, yes, that's usually the method, you only actually use RSA to encrypt a one time use for that email symmetric key. Or in most cases, just use GPG.

But when there has been previous physical contact between the two parties, they can securely exchange keys that way.


As for the Apple thing, they still require physical possession of the device, and have to jailbreak it.
full member
Activity: 224
Merit: 120
December 23, 2019, 04:35:33 AM
#40
That's why it's dangerous to use, even the most secure devices to encrypt secrets, fresh news:

Way to crack passwords from email in iOS 13.3 has been found

Elcomsoft has released iOS Forensic Toolkit, which extracts data from the locked iPhone on all versions of the system starting from iOS 7.

It will require a Checkra1n jailbreak. It uses the checkm8 vulnerability, which is present in many Apple processors. There is no way to fix it.

The list of supported devices is impressive:
▪ iPhone 5s
▪ iPhone 6
▪ iPhone 6s
▪ iPhone 7
▪ iPhone 8
▪ iPhone X
▪ iPad mini 2
▪ iPad mini 3
▪ iPad mini 4
▪ iPad Air
▪ iPad Air 2
▪ iPad 2017
▪ iPad 2018
▪ iPad 2019
▪ iPad Pro 10,5
▪ iPad Pro 12,9

The company claims that its software works even when the device is in BFU mode. It activates after the gadget is rebooted, when the user has not yet entered the password.

With iOS Forensic Toolkit, you can copy your iPhone and iPad file system, access your call history, access accounts for a variety of services including messengers and social media, and access Signal and WhatsApp encryption keys.

The iOS Forensic Toolkit costs $1495. It can be purchased by anyone.
full member
Activity: 224
Merit: 120
December 22, 2019, 04:36:24 PM
#39
Blockchain encryption is too strong. This is an important issue for security. Today's technology is slow for these passwords. So passwords provide security. But Quantum Computers will increase post processing speeds. The Bitcoin algorithm will handle this. However, the problem is that 256 bit passwords can be broken.
-------------
You write passwords, but you probably mean keys?
If you mention a 256 bit password, then maybe you mean a 256 bit encryption key on elliptical curves to create a digital signature?

If that's the case, I have to disappoint you.
The task of cracking such cryptography is solved by cryptanalytic methods, which are not disseminated.

And wait for the quantum computer to solve this problem too, only those little swindlers who do not know cryptanalysis can.

When the creators of the blockbuster, whoever they were, chose which cryptographic system to make the digital signature, there was no information about the problems in ECC (cryptography on elliptical curves).

On the contrary, the NSA was actively buying up all the patents for this cryptography.

And then the sad events happened, and the NSA gave up on this cryptography.

If you're interested in verifiable details, check out the December 4 post, the second one for that date here:
https://bitcointalk.org/index.php?topic=5204368.40.

Interestingly, after this story, the NSA recommended switching from ECC-256 to RSA with a key length of 3000 bits and more.
What's so unusual about that?
The fact that the ECC-256 key corresponds in reliability to the key from 8000 bits in RSA.

But cryptography on elliptical curves turned out to be so suspiciously unreliable, that in their opinion RSA even with such a small key, 3000 bits, is much more reliable than the ECC-256.

So it's worth thinking about what we use, not just in block technology, but in general, what we use...
full member
Activity: 630
Merit: 101
December 22, 2019, 04:02:30 PM
#38
Blockchain encryption is too strong. This is an important issue for security. Today's technology is slow for these passwords. So passwords provide security. But Quantum Computers will increase post processing speeds. The Bitcoin algorithm will handle this. However, the problem is that 256 bit passwords can be broken.
full member
Activity: 224
Merit: 120
December 22, 2019, 11:00:42 AM
#37
There are other things to consider, encryption is just a tool. I was (still am) in the military, so top secret communications are dealt with differently, but as an officer, I wouldn't mind using 4096 RSA. However, since I do have physical contact with most of the operators in the field, then it would be fine to also just use AES256 and use shared keys that they keep. (as opposed to one time pads, which was the traditional way of communicating with field agents.)

Of course, that would mean said agents need a computer and can no longer decode by hand, but they should be resourceful enough to have them available from regular consumer hardware, or bring it with them in the form of some small device like a smart phone or small laptop.

They also frequently use unencrypted radio anyway, so they have codes as well for that.
--------------
Yes, another question, if I may, you mention:
"...they also often use unencrypted radio, so they have codes for that."

Does that mean they use disposable paper books with codes? Once they accept the code, they use one page of the notebook.  The second time I took the code, the second page of the notebook. Is that it?

If that's true, it's a disposable notebook system, basically Vernam's class encryption. It's the most secure kind of encryption available today.

Not only that, it's the only type of encryption that is absolutely reliable of all the encryption systems that ever existed!
It is the only system for which the Shannon theorem of absolute reliability was proven back in 1945.

To change this system to RSA with any length of key is a loss of reliability. In addition, everything that is encrypted by the RSA system is carefully written down because there is a public key, which means that sooner or later everything will be decrypted.  And why allow that?

So your way of working is the best and most reliable. I think it is.
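Added example, not part of any post in this thread: the one-page-per-message code book scheme discussed in posts #37 and #41, written in Python. `PadBook`, the page size and the two sample messages are constructed for illustration. It shows that a ciphertext alone fits every plaintext of the same length, and what leaks when a page is used twice.

```python
"""One-time pad with a code book of single-use pages (added illustration)."""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (the Vernam operation)."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def generate_pages(count: int, page_len: int) -> list:
    """Fill a code book with uniformly random pages from the OS CSPRNG."""
    return [secrets.token_bytes(page_len) for _ in range(count)]


class PadBook:
    """Hypothetical helper: one party's copy of the shared code book."""

    def __init__(self, pages: list):
        self._pages = dict(enumerate(pages))

    def take_page(self, page_no: int, length: int) -> bytes:
        if page_no not in self._pages:
            raise RuntimeError(f"page {page_no} already used or not in book")
        if length > len(self._pages[page_no]):
            raise ValueError("message is longer than one pad page")
        # pop() destroys the page, so a second request for it fails loudly.
        return self._pages.pop(page_no)[:length]


def encrypt(book: PadBook, page_no: int, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, book.take_page(page_no, len(plaintext)))


def decrypt(book: PadBook, page_no: int, ciphertext: bytes) -> bytes:
    return xor_bytes(ciphertext, book.take_page(page_no, len(ciphertext)))


def pad_that_explains(ciphertext: bytes, claimed_plaintext: bytes) -> bytes:
    """Return the pad under which `ciphertext` decrypts to `claimed_plaintext`.

    Such a pad exists for every same-length plaintext, and every pad is
    equally likely, so the ciphertext alone says nothing about the message.
    """
    return xor_bytes(ciphertext, claimed_plaintext)


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If one page encrypted both messages the pad cancels: c1^c2 == p1^p2."""
    return xor_bytes(c1, c2)


def demo() -> dict:
    # Constructed sample data: a three-page book and two 14-byte messages.
    pages = generate_pages(count=3, page_len=32)
    sender, receiver = PadBook(pages), PadBook(pages)
    msg = b"ATTACK AT DAWN"
    other = b"RETREAT AT SIX"

    ciphertext = encrypt(sender, 0, msg)
    recovered = decrypt(receiver, 0, ciphertext)

    # The same ciphertext is also a valid encryption of `other`.
    alt_pad = pad_that_explains(ciphertext, other)
    other_fits = xor_bytes(ciphertext, alt_pad) == other

    # The book refuses to hand out page 0 a second time.
    try:
        encrypt(sender, 0, other)
        reuse_blocked = False
    except RuntimeError:
        reuse_blocked = True

    # Bypass the book to show what a reused page would give away:
    # anyone who knows one message reads the other without the pad.
    page = pages[1][:len(msg)]
    leak = reuse_leak(xor_bytes(msg, page), xor_bytes(other, page))
    second_from_leak = xor_bytes(leak, msg)

    return {
        "recovered": recovered,
        "other_fits": other_fits,
        "reuse_blocked": reuse_blocked,
        "second_from_leak": second_from_leak,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The guarantee holds only while each page is truly random, as long as the message, and destroyed after one use; the last step of `demo()` shows the failure when that rule is broken.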
full member
Activity: 224
Merit: 120
December 20, 2019, 12:21:06 PM
#36
There are other things to consider, encryption is just a tool. I was (still am) in the military, so top secret communications are dealt with differently, but as an officer, I wouldn't mind using 4096 RSA. However, since I do have physical contact with most of the operators in the field, then it would be fine to also just use AES256 and use shared keys that they keep. (as opposed to one time pads, which was the traditional way of communicating with field agents.)

Of course, that would mean said agents need a computer and can no longer decode by hand, but they should be resourceful enough to have them available from regular consumer hardware, or bring it with them in the form of some small device like a smart phone or small laptop.

They also frequently use unencrypted radio anyway, so they have codes as well for that.
--------------
My clarifying question to you, if you are allowed to answer:
- why can't you use RSA-4096 to create and generate shared keys that are used for symmetric encryption?
No computer?

Because it is convenient and considered secure. The keys are created via RSA, and the secret information is encrypted via AES.

In this case, the keys for AES can be constantly changed by the double ratchet of Moxie Marlinspike, as in E2E.
brand new
Activity: 0
Merit: 0
December 20, 2019, 04:37:20 AM
#35
I mean they only care when it comes to scam themself so I'd say u r totally right
legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
December 20, 2019, 08:08:53 AM
#35
There are other things to consider, encryption is just a tool. I was (still am) in the military, so top secret communications are dealt with differently, but as an officer, I wouldn't mind using 4096 RSA. However, since I do have physical contact with most of the operators in the field, then it would be fine to also just use AES256 and use shared keys that they keep. (as opposed to one time pads, which was the traditional way of communicating with field agents.)

Of course, that would mean said agents need a computer and can no longer decode by hand, but they should be resourceful enough to have them available from regular consumer hardware, or bring it with them in the form of some small device like a smart phone or small laptop.

They also frequently use unencrypted radio anyway, so they have codes as well for that.
full member
Activity: 224
Merit: 120
December 20, 2019, 04:33:49 AM
#34
We ask ourselves the question, who cares about our safety?

Who cares about making sure our cryptography is reliable?

Is there anyone who will tell us that this cryptography can no longer be used?

These are questions from the same logical series, the continuation of which is the question of "How long will existing cryptography last"?

We tend to trust authorities, big world companies. Our psychology is organized in such a way that we believe big and strong, we think that they are very concerned about their authority and, therefore, about their users.

But how to treat us, the ordinary consumers of cryptography and other means of protection, the actions of world industry leaders, given this example:

"Two months after security researchers unveiled a new way to listen to Amazon Alexa and Google Home users talk, the same researchers found that Amazon and Google never fixed the problem.

Back in October 2019, Security Research Labs (SRLabs) demonstrated how smart assistants can be used by criminals to eavesdrop on conversations, phishing and password theft.

But as of December, nothing has changed!

This was reported by SRLabs Managing Director Karsten Nohl.
https://srlabs.de/bites/smart-spies/.

What conclusions can we draw from this?
full member
Activity: 224
Merit: 120
December 19, 2019, 01:27:43 PM
#33
I agree with all the above. But once again, I want to turn the conversation the other way.

The danger of quantum computers is conditional, even with the rapid development of this industry.

And the danger of cryptanalysis for cryptography on elliptical curves is already present, even yesterday. It was already at a time when no one had ever announced their intention to build this technological quantum masterpiece.

Let's think together, how to explain what happened.

The facts:

1. NSA is buying every single patent from the creators of elliptical cryptography.
(detailed in my topic by clicking here:
https://bitcointalksearch.org/topic/keyless-encryption-and-passwordless-authentication-5204368.
December 4th post, second in line, check it out.)
 
2. Everyone is agitated for this new kind of asymmetric cryptography, because of the very strong reduction in key length relative to RSA with the same level of reliability.

3. Then, NSA orders a new ECC cryptography study from British mathematicians, for money.

4. Time passes, and in 2016 Toronto brings together all the leaders of encryption and cryptanalysis and all the heads of the most important intelligence agencies in the Western world.
What for?
British mathematicians make a report on the ECC, which disappears from all available sources that publish not only materials on the subject, but even from the sources where the reports of these mathematicians were published personally.

5. The NSA makes a reversal and urgently recommends everyone to go back to RSA cryptography but with a key length of at least 3000 bits. Miracles.

The most unexpected thing is the secrecy mode. It's come to the point where even the creators of the ECC, from whom the patents were bought, have not been informed of the reasons for refusal.

6. NIST (USA) standardizes elliptical curves, which are later recognized as weak and unreliable by external researchers. Why would NIST do this? Whoever knows is silent.

And we are left to conclude that, whether or not there will be quantum computers of 100 cubic meters (this is enough, according to specialists from IBM, look at my posts above), the main danger for us will come from cryptanalysts.

Therefore, we closely observe, distrust and draw conclusions.

For example, a lot of post-quantum encryption systems have been rejected.
Were they cracked by a quantum computer? - NO!
And how were they broken?

In all post quantum encryption systems, the key length is not available (even in the distant future) to any quantum computer. The keys to these systems are huge, from 32,000 bits to 2,000,000 bits.
And by what methods were they discredited and removed from the list of candidates?

The truth is, they've been broken without any quantum computing. And these systems are more complicated than RSA!
That's what I suggest you think about.

Apart from the monkey road, there's another one.

By the way, did you know that Darwin never said or wrote anywhere that man was descended from an ape!

He never thought so. He wrote openly what he thought.
And we, as monkeys, are told that Darwin claimed that man was descended from a monkey!

So until we see what's really going on with cryptography, or rather has already happened, we will remain monkeys who will be afraid and argue about the quantum computer. 

Let's take a broader look at this problem.
The brute force method is not so dangerous.

Darwin, I've always said that man is descended from a human monkey, not a monkey - it turns out they are completely different animals.

Our ancestor is still being dug up, but they can't find him yet. And everyone needs him as proof of that theory...
Or as proof that we're not monkeys?
legendary
Activity: 2030
Merit: 1569
CLEAN non GPL infringing code made in Rust lang
December 18, 2019, 10:24:42 PM
#32
It will take a long ass time before Google hits the sweet spot for cracking the algorithm. Heck, our lifetimes may not be enough to see the light at the end of that said tunnel. Needless to say, bitcoin's current encryption is still good to go and is currently quantum resistant by any means. Also, there's no way large companies such as Google will ever use their quantum computers on doing such, and may just use the tech for something else, especially theoretical modeling and running simulations of other important things.

Basically they are bound to obey the regulations about their quantum computer development. It will not be allowed and will be restricted that they use their technology to specifically compromise the cryptocurrency. In the first place, even us who are using just generic classical computers are also bound to follow the regulation about hacking and compromising a system. There are different Data privacy laws per country and there are also anti cyber criminal laws. What more if the company is like google or ibm, who are a leading company in computer technologies.
----------------------------------
Yes, this is so ... Organizations building their quantum computers - always operate within the framework of the laws of their country. I also don’t think that the blockchain protocol can be attacked by these quantum calculations.

But there is a danger of cryptography if the possibility of quantum computing is provided to the public, but they are provided.

Our entire digital life, security, is first of all cryptography. If it disappears, all our secrets will disappear. This is more dangerous than the blockchain itself.

Break down, become dangerous - even the Internet transport protocols, which now allow us to conduct operations with bitcoin!!!

1. Quantum computers are only a single occurrence today; approximately 5 companies have announced this loudly. But tomorrow it will become a mass phenomenon. For the reason that the mechanism for improving quantum computers has been launched. I read the latest news and I did not like it. Progress is very rapid. It is possible that in 10-15 years, quantum computers will be in our homes.
We can even conclude a bet.

2. The same Google company paid fines to the European Union for violating the laws of the confidentiality of user data. Moreover, the Google company, and not only it, didn’t do anything by accident. Therefore, it is not necessary to think that only angels work there.

3. And who will forbid companies to create quantum computers in countries or in places where laws are completely not as liberal as in other countries? The world is moving towards a separation of interests rapidly. And breaking laws is becoming more profitable. And our governments are becoming more irresponsible.
 
The disappearance, compromise, of our cryptography is a disaster for all Internet users!

I think we have to look at history to have a very educated guess as to the way this will develop.

You see, classic computers started as large beasts only able to be built and owned by the government (military) and later some large entities like banks.

Yes there are rules, yes the first few ones will be closely monitored, but as time passes, technology improves, more will be built. Next stage is academia, for you know, research and serious use... And there you get students.

The very first video games were written in such institutional computers. Certainly not for what they were primarily intended for... Also the first "hacks" and worms were coded in these types of shared use computers, back when it was impossible to personally own one (before the 70s).

This is the same that is happening to quantum computers. They are giant monsters and can only have tens of qubits. But that is today, not tomorrow. I don't know about "home", but I think in 10 to 15 years, some more quantum computers will exist, and they will get to education because it's needed for them to be used in the first place.

Once they start getting into private hands and academia, you can guess that the first attempts at cracking classic crypto will be made, perhaps in secret. I frankly don't know if the very first users (the intelligence agencies) will try something against Bitcoin, just as proof of concept, or perhaps trying to do some operation against some target that happens to own bitcoin or so. It would be interesting to know what the NSA thinks of this, but it's probably something that cannot be revealed in public.

If I were to guess, they will go after communications first, and then slowly privately break their way into everything else.

Remember that by the time quantum computers become personal, possible to own by individuals, the solution to this issue comes as well. I wouldn't be surprised if that would be the first reason to own one, to use quantum encryption.

The dangers lie in the period from these very first early primitive institutional machines, to the point where they "reach home". Maybe we won't be alive to witness it, but that is no reason to not consider the issue and plan ahead.

I also believe that there will be a period of silence, when the real nasty stuff starts occurring. Also look at the international level. Why would Google do it AND tell you? If anything, they will want to have something to sell services to the NSA (like they currently do with data mining). That could be renting the computer, or having them commissioned to build one for them, etc. This is pretty much a given, contract might be given to IBM or someone else, I wouldn't be surprised if that's what they are actually racing for (and I bet they both will be contracted anyway). And these come with their respective gag order, don't expect them to announce it.

"Oh, we have 100 qubit, oh we have 300 qubit, oh we have 1000 qubit... silence". Then China announces 100 qubit, Russia announces 50 qubit, etc...

Just look at how classical computers evolved, how much memory they had, what storage device (if any) and what capacities. The very first hard drive was 5 MB and the size of a refrigerator, iirc it didn't even use 8 bit but 7 or 6 (forgot). Go back in time, and think what the people then thought it would take for computers to have more storage, or RAM.

You laugh now but the infamous Xerox from Palo Alto (where both Apple and Microsoft copied the GUI ideas from) had only 3k of RAM. It was a novel concept ahead of its time, because it also was "personal" of sorts, you only needed a large desktop rather than a whole room or building to set up one, it was meant as the office desktop computer that the world would see a decade or two later. Try to watch the videos of some restored ones on YouTube. They had no "computer desktop", only GUI in programs you start from console as RAM was too limited...

So in the 70s the board from Xerox, despite having their own R&D literally inventing the future, paid no attention. This is similar to the current attitude some people have today about quantum computing. There are things being conceptualized today, that will require them.

Quantum communications also have the ability to break (or tell) if spied upon. The mere observing changes the state, so if a third party sniffs, it's caught upon instantly, or more accurately, the data becomes corrupted. Try to think of the implications of this...

And yes there are many kinds of things that would take years to solve that could be theoretically possible to do in minutes with them, and there will be new things to do as well, including quantum crypto.
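
The eavesdropping-detection property mentioned in the post above can be seen in a purely classical simulation of the BB84 key-exchange protocol with an intercept-resend eavesdropper. This is an added example, not part of the thread; the function names, the photon count and the 11% abort threshold are assumptions chosen for illustration.

```python
import random

def measure(state_bit, state_basis, basis, rng):
    """Measure a photon. In the preparation basis the bit is read intact;
    in the other basis the result is a coin flip, and the photon is left
    re-prepared in the measuring basis (the 'observing changes the state' part)."""
    if basis == state_basis:
        return state_bit, basis
    return rng.randint(0, 1), basis

def bb84_round(n_photons, eavesdrop, rng):
    """Simulate BB84 and return (sifted_key_length, error_rate_in_sifted_key)."""
    sifted = errors = 0
    for _ in range(n_photons):
        bit = rng.randint(0, 1)        # Alice's raw key bit
        a_basis = rng.randint(0, 1)    # 0 = rectilinear, 1 = diagonal
        state_bit, state_basis = bit, a_basis
        if eavesdrop:
            # Eve must guess a basis, measure, and forward what she saw.
            state_bit, state_basis = measure(
                state_bit, state_basis, rng.randint(0, 1), rng)
        b_basis = rng.randint(0, 1)    # Bob also guesses a basis
        b_bit, _ = measure(state_bit, state_basis, b_basis, rng)
        if b_basis == a_basis:         # sifting: keep matching-basis rounds
            sifted += 1
            errors += (b_bit != bit)
    return sifted, (errors / sifted if sifted else 0.0)

def eavesdropper_detected(error_rate, threshold=0.11):
    """Alice and Bob compare a sample of the sifted key and abort if the
    error rate exceeds the threshold (0.11 is an assumed value here)."""
    return error_rate > threshold

if __name__ == "__main__":
    rng = random.Random(2019)          # fixed seed so the run is repeatable
    for eve in (False, True):
        n, qber = bb84_round(4000, eve, rng)
        print(f"eavesdropper={eve}: sifted={n} bits, error rate={qber:.3f}, "
              f"abort={eavesdropper_detected(qber)}")
```

Without an eavesdropper the sifted key has no errors on this idealised noiseless channel; with intercept-resend, about a quarter of the sifted bits disagree, which is the corruption the two parties check for before using the key.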