[Cryptography] quantum computers & crypto
cherry
cherry at cpal.pw
Mon Nov 1 18:19:18 EDT 2021
On 10/31/21 10:07 AM, Jerry Leichter wrote:
> we really shouldn't be sending passwords around anyway - we have
> plenty of protocols that do "proof of knowledge" without sending
> the actual secret. How do those hold up in a post-quantum world?
The same way as they do in today's world. They don't hold up.
Empirically, if you go on a war drive, you will get the hash of the
password of every wifi network you pass through, and you can run a
dictionary attack that breaks seventy percent of the wifi networks you
drove through in a few hours.
And then, everywhere you go that you have been before, you have free wifi.
This attack is only acceptably efficient if you intend to break
thousands or millions of wifi networks at once. If you just want to
log in right now on someone's network, it is going to take hours to find
his password if your cracker is running on a laptop - the same length of
time as it would take to find ten million passwords, so this break is
most useful for state level actors, which is probably why we have gone
over two decades without this bug being fixed, and are strangely unable
to fix it.
This attack is still useful for individuals who want free roaming wifi -
they just have a process running in the background that collects hashes,
every few days they run an overnight dictionary attack against those
hashes, and thereafter, when roaming, they have free wifi. They don't
get instant gratification, but they get gratification in due course.
There are related breaks in every widely deployed sign on, privacy, and
security technology - breaks that are most useful for state level
actors, but still handy for individuals - breaks that rely on the
collection of large amounts of data, and grinding through that data in
big computers.
Well, when originally written into the protocol decades ago they were
most useful for state level actors, but today, they are in reach of
everyone. Today, if you want to do a ransomware attack against a
business, first you go on a wardrive, collect a pile of passwords, look
for wifi networks of interesting businesses, and then start hacking
their network from the inside. You will find plenty of information in
the clear on the inside to mount a spearphishing attack, not to mention
you will be able to collect a pile of hashes of passwords used on the
internal network, and then find a pile of administrative passwords.