Questions raised:
Password attacks (that is, cracking or stealing the passwords of known accounts) are the most direct and efficient route for attackers, and, as we know, the accounts most vulnerable to them are system administrator accounts.
The simplest way to crack a password is brute force: traverse the entire password space, and the password is certain to be found. A password's strength comes mainly from two things: first, its own complexity, such as its length and its space (the size of the character set); second, the way identity is authenticated, such as the encryption algorithm and the authentication process. In most systems, password security strength rests on password length. The principle of brute force is very simple; the biggest difficulty in carrying it out is insufficient computing power (completing the traversal of the password space in a limited time). Most large-scale computing resources belong to state institutions or large enterprises, and it is hardly possible to use those resources to crack passwords unless the attack is political. For most attackers this is hard to imagine.
Grid computing once excited attackers: the technique lets an attacker pool the large number of "broilers" (compromised machines) in their hands for concentrated cracking. Practice has shown two problems, however. First, management is complex and the activity is easily discovered on the "broilers", so many of them are lost. Second, it is not very effective: an attack is like a war, and sensitivity to time is critical.
The rise of cloud computing services is likely to resolve this dilemma fundamentally. Cloud computing offers powerful computing capacity for rent, and cheaply; most importantly, the service is rented over the network, across regions and across countries, and the user's identity is easy to hide. This is tantamount to an attacker owning the world's most powerful computing resources and being able to rival the resources of a powerful state, which is a dream for an unorganized attacker.
On one side is a problem that has been hard for many years; on the other is a new service coming our way. What is needed is action. The security of user identity is once again under serious challenge, and, perhaps hard for even the providers of cloud computing services to imagine, the "secure" identity authentication model on which they themselves depend faces the same problem...
Brute-force cracking methods:
Brute-force password cracking takes two forms: online cracking and offline cracking. Online cracking means entering passwords directly on the target system for verification. Most current systems support account lockout: after 3 to 5 consecutive wrong passwords within a short period, the account is automatically locked for a period of time, so online cracking cannot run continuously and has to leave an interval between attempts to avoid locking the account. The online method is therefore mainly used for password guessing, and the fewer passwords to guess the better; generally a list of suspected passwords within a few hundred can be tested automatically, for example one attempt per hour, 24 per day.
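The lockout behaviour described above can be checked against login records. The following added example (not from the original article) replays constructed login events and shows that one failure per hour never trips a short-window lockout but is caught by counting failures per account over 24 hours; the thresholds, account names and event format are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKOUT_FAILS = 5                       # assumed policy: 5 consecutive failures...
LOCKOUT_WINDOW = timedelta(minutes=15)  # ...within 15 minutes lock the account
SLOW_FAILS = 12                         # assumed detection threshold
SLOW_WINDOW = timedelta(hours=24)       # long window for low-and-slow guessing


def build_sample_events():
    """Constructed sample data: (timestamp, account, success)."""
    start = datetime(2024, 1, 1, 0, 0)
    events = []
    # 'admin': one failed login per hour for a day (the pacing described above)
    events += [(start + timedelta(hours=h), "admin", False) for h in range(24)]
    # 'alice': three quick typos, then a successful login
    events += [(start + timedelta(hours=9, seconds=20 * i), "alice", False) for i in range(3)]
    events.append((start + timedelta(hours=9, minutes=2), "alice", True))
    # 'bob': six rapid failures, which the lockout policy does catch
    events += [(start + timedelta(hours=10, seconds=5 * i), "bob", False) for i in range(6)]
    return sorted(events)


def analyze(events):
    """Return (accounts that trip the lockout, accounts flagged as slow guessing)."""
    recent = defaultdict(deque)   # consecutive failures inside LOCKOUT_WINDOW
    daily = defaultdict(deque)    # all failures inside SLOW_WINDOW
    locked, slow = set(), set()
    for ts, account, success in events:
        if success:
            recent[account].clear()   # a success resets the consecutive count
            continue
        for window, span in ((recent[account], LOCKOUT_WINDOW), (daily[account], SLOW_WINDOW)):
            window.append(ts)
            while ts - window[0] > span:   # drop failures older than the window
                window.popleft()
        if len(recent[account]) >= LOCKOUT_FAILS:
            locked.add(account)
        if len(daily[account]) >= SLOW_FAILS:
            slow.add(account)
    return locked, slow - locked   # report only what the lockout missed


if __name__ == "__main__":
    locked, slow = analyze(build_sample_events())
    print("lockout triggered:", sorted(locked))
    print("slow guessing flagged:", sorted(slow))
```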
Most brute-force cracking is done offline; at the very least, the possible passwords are first narrowed down offline (to within a hundred) and then verified online.
Offline cracking requires obtaining some information related to the target's identity authentication, such as the ciphertext or the user's public key, against which the cracking computation can be compared and verified. To see how this information is obtained, we need to understand the identity authentication process.
Identity authentication methods: