bytedeez Posted March 31, 2015 Share Posted March 31, 2015 I found this blog/article. Claiming that the new form of SSL encryption is uncrackable What do you guys think? https://blog.digicert.com/cost-crack-256-bit-ssl-encryption/ Personally my only response to this is "challenge accepted." But I must say from doing research it seems that the article is spot on. Quote Link to comment Share on other sites More sharing options...
misfitsman805 Posted March 31, 2015 Share Posted March 31, 2015 Anything man made is crackable\hackable, one way or another. Quote Link to comment Share on other sites More sharing options...
bytedeez Posted March 31, 2015 Author Share Posted March 31, 2015 of course, in theory. but let's talk practical implementations of doing so. Quote Link to comment Share on other sites More sharing options...
cooper Posted March 31, 2015 Share Posted March 31, 2015 (edited) Haven't read the article yet, but most of the current crypto is based on the concept of using numbers so large an exhaustive search of the keyspace isn't feasible. As soon as another Einstein jumps up and say "Yeah, but did you consider ..." and a crypto guy goes "Yeah we... umm.. what? No. Is that even possible?" you're fucked. Supposedly quantum computing is going to be that silver bullet, although the tech is still some ways off from practical use. Update: I checked the link. The article is from august of last year and refers to a StackExchange question from november 2011 which, incidentally, I didn't see a link to in the original article (Bad reporter! Bad! No coffee for you). What they wondered was what the cost would be to crack a 256-bit AES key in 1 year. So, given that timeframe what computational might needs to be put to task to crack the crypto and what would the power cost of that be. Assumptions: - Price of enercy = $0.12/kWh - Server power consumption = 430 W - Computational might of 1 server = 10^14 decryptions per second They cite the computational power as very optimistic but considering a single Titan X is already at 5^11 I would call it nothing more than 'just' optimistic. Give it a few more years and we're probably down to 'available but very expensive' level. Put some financial incentive into the mix as has happened with Bitcoin mining and you'd be amazed what can happen. The problems start when you realize you need quite a few of these machines to be able to crack it within a year. It comes down to 1.84∗10^55 machines. Let's say you could cram that machine into the size of an 11" pizza box which would be 29*29*4.5 cm for those that left the dark ages. That amounts to 696.348 *10^44 cubic meters. The volume of the earth is just 1.1 * 10^20 cubic meters. In conclusion: Going by the numbers and playing by the rules it can't be done. You need more computers than there is mass in the earth, run it non-stop for a year and in the process consume more electricity than can be imagined (I'm thinking more energy would be expelled than our sun is currently managing...). The only way to solve the problem is using some breakthrough in looking at the algorithm - something that would allow you to reduce the keyspace by several orders of magnitude. And I'm quite confident such a thing will eventually occur, probably still within my lifetime. I mean, my next phone is likely to have a processor in it that can put a typical desktop machine from the previous century to shame. Back then SHA-1 was considered pretty good. Technology progresses at a merciless pace and it's going to catch up one way or the other. It's one of the reasons why we have multiple algorithms aswell as multiple keysizes - if something gets broken you know you have alternatives. Edited March 31, 2015 by Cooper Quote Link to comment Share on other sites More sharing options...
digininja Posted March 31, 2015 Share Posted March 31, 2015 Since the last set of attacks against SSLv3 the concept of SSL has been considered dead, to be replaced by TLS. TLS will last a few years and then someone will find either a weakness in the crypto or the common implementations of it and it to will become weak and breakable and we will move on to something else. Quote Link to comment Share on other sites More sharing options...
overwraith Posted March 31, 2015 Share Posted March 31, 2015 Give it time, humans can be very innovative, especially when it comes to reading other people's mail. Quote Link to comment Share on other sites More sharing options...
Crypiehef Posted March 31, 2015 Share Posted March 31, 2015 I figure someone (me maybe?) will figure out a problem with how the new SSL is implemented and controled. Think POODLE. That's probably a good start. Quote Link to comment Share on other sites More sharing options...
newbi3 Posted March 31, 2015 Share Posted March 31, 2015 Advances in mathematics are not that frequent but when they happen the revolutionize encryption. The most secure cryptography today will one day be weak encryption that you shouldn't use. Quote Link to comment Share on other sites More sharing options...
alcatos Posted April 2, 2015 Share Posted April 2, 2015 If you're looking to decrypt SSL/TLS traffic, you're going to need to think outside of the box a bit... One way or another, you are going to need to get your hands on a valid private key that the client sees as a trusted authority... Lots of ways to do that, really depends on circumstances... If you are already authorized on the victim network, you could perform a MitM-style attack + DNS spoof, in which you'd lure the victim to accept your self-signed certificate... Lots of ways to do that. Really, at the end of the day there is more than one way to skin a cat. Quote Link to comment Share on other sites More sharing options...
bytedeez Posted April 2, 2015 Author Share Posted April 2, 2015 These responses are great. You see i agree with what you all are saying. I believe that today the easiest way is good ole fashioned SE. Along with improper implementation based on either SSL/TSL protocol or human error. I personally think the guys at sensepost are on the right track to fully exploit the implementation. Now they are just at the tip of the iceberg but it is a start. I don't believe its going to be a single individual that does crack the encryption, the encryption is strong. I think for now its a waste of time and resources for people or organization of people to worry about. but the protocol that which its implemented now that something is say we'll see exploited within in the next few years. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.