For enterprises that need computing capacity in the short term but do not want to make a long-term investment in fixed assets, on-demand cloud computing is a magic tool. For the same reason, cloud computing is also very useful for hackers: many hacker activities involve cracking passwords and keys and other forms of brute-force cracking, all of which require expensive, highly parallel computing.
For hackers, there are two main sources of on-demand computing resources: botnets composed of consumer PCs, and infrastructure as a service (IaaS) offered by service providers. Each provides the on-demand computing capability that brute-force computation requires. Botnets are unreliable and, because they consist of heterogeneous devices, take a long time to "provision". But they are completely free to use and can be expanded to a very large scale; some researchers have found botnets composed of hundreds of thousands of PCs. Cloud computing, as a commercial product, is provisioned faster and offers predictable performance, and it can be paid for with stolen credit cards.
Once you know how much high-performance computing capability an attacker can obtain at very low cost, you will see that the balance between security controls and attack methods is quietly but dramatically shifting. Take passwords as an example. The length and complexity of a password determine the effort required to brute-force it. Assume that attackers can obtain the hash values stored in the password database, for example because a vulnerable web server or authentication server leaks the database. A hash is usually produced by a cryptographic or similar algorithm and is irreversible, but it can be cracked by trying all possible password values. This brute-force computation is performed away from the authentication server, so it is not limited by a lockout after three attempts.
On a single-core CPU, cracking an 8-character password takes a long time. Depending on the complexity of the algorithm and the password, it may take months or years. However, the problem is highly parallelizable: the search space can be divided into as many "batches" as needed and handed to multiple CPUs for parallel processing. Using a botnet or IaaS, attackers can obtain in minutes or hours results that would otherwise take several years.
A German researcher demonstrated this using Amazon's Elastic Compute Cloud and a new cluster computing service specifically designed for CPU-intensive graphics computing. From an algorithmic perspective, graphics computation and password cracking are very similar: both are matrix and vector mathematics. The results were enlightening: using a single cluster instance, the researcher cracked passwords of up to 6 letters in just 49 minutes. Total cost of this test: $2.10 (billed on an hourly basis).
As cloud computing becomes prevalent, like any other technology it will be discovered by bad people and become a new tool for them. When weighing risks against benefits, we must evaluate the cost/benefit of security controls and take into account that computing costs have fallen sharply for everyone, including attackers. In this light, we must reevaluate passwords, wireless keys, encryption of data at rest, and even older SSL algorithms. Problems you consider "infeasible" may have become very easy for "ordinary" hackers.
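The reasoning above can be turned into a cost check for a password policy. This is an added example, not part of the original article: it models the search-space "batches" and hourly billing to estimate worst-case time and rental cost per policy. It assumes the 49-minute run tried every lowercase password of 1 to 6 letters on one instance and that $2.10 is the hourly instance price; all function names and the listed policies are illustrative.

```python
import math

def keyspace(alphabet_size, max_len, min_len=1):
    """Count candidate passwords of length min_len..max_len."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))

def batches(total, workers):
    """Split candidate indices [0, total) into contiguous near-equal batches."""
    base, extra = divmod(total, workers)
    out, start = [], 0
    for i in range(workers):
        size = base + (1 if i < extra else 0)
        out.append((start, start + size))
        start += size
    return out

def exhaust_estimate(alphabet_size, max_len, rate_per_node, nodes, price_per_hour):
    """Worst-case (hours, cost) to try every candidate on `nodes` instances."""
    total = keyspace(alphabet_size, max_len)
    # Wall-clock time is set by the largest batch; all nodes run in parallel.
    largest = max(end - start for start, end in batches(total, nodes))
    hours = largest / rate_per_node / 3600
    # Each instance is billed in whole hours, as in the article's test.
    return hours, math.ceil(hours) * nodes * price_per_hour

# Assumption: the 49-minute run covered all 1-6 letter lowercase candidates.
IMPLIED_RATE = keyspace(26, 6) / (49 * 60)   # guesses per second per instance
PRICE = 2.10                                  # assumed USD per instance-hour

# Constructed password policies to compare: (label, alphabet size, max length)
POLICIES = [
    ("6 lowercase letters", 26, 6),
    ("8 lowercase letters", 26, 8),
    ("8 letters and digits", 62, 8),
    ("12 letters and digits", 62, 12),
]

def policy_table(node_counts=(1, 100, 10000)):
    """Rows of (label, nodes, hours, cost) for each policy and cluster size."""
    return [(label, n, *exhaust_estimate(a, length, IMPLIED_RATE, n, PRICE))
            for label, a, length in POLICIES for n in node_counts]

if __name__ == "__main__":
    for label, n, hours, cost in policy_table():
        print(f"{label:22} nodes={n:<6} {hours:14.1f} h  ${cost:,.2f}")
```

Adding instances shortens the wall-clock time roughly in proportion while the total bill stays about the same, so only a larger alphabet or a longer password raises the attacker's cost.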