Improving Website Security: We Need to Get Better at Security

Improving website security

Imagine if an electrical engineer found a fault in the wiring in your house, but said, “You have a fault, but it’ll take me 10 months to fix it!”, and then walked away, saying, “I’ll be back in 10 months’ time”.

Now imagine if the electrical engineer did not understand Ohm’s Law, and you couldn’t trust them even to wire a plug. Well, in computer security, one of the weakest areas for the profession is encryption: the majority of security professionals would struggle to get past the basics of symmetric key encryption, and then lose their way when it comes to the basics of PKI. At the core of the problem, too, is the general lack of understanding of encryption among software developers, where security is seen as an after-thought.

This problem was highlighted this week by a bug found in some of Fortinet’s products, and where a hard-coded encryption key was used to pass information from a device to a central server. This used an XOR operation and a static key. The discovery of the key is basically done by taking the cipher, and XOR’ing it with the original message:

Key = Cipher XOR (Message)

and that’s it. Once the key is known, every other cipher is then cracked! The packages which had the weaknesses included data on Web filtering, email and antivirus information.

Overall, the weakness was found in May 2018 (by Stefan Viehböck, from SEC Consult), but was not fixed until long afterwards. The key was finally removed in May 2019, but it took 10 months to update the latest product range, and another eight months to update older products.

XOR challenge

If you want to examine the XOR operator, I have created a challenge here (go to Q60). Here is one for you to crack:

60. What is the XOR cipher for the cipher bitstream of (with a repeated key of ‘a’ — 0x61 or 0110 0001b): 00010010 00010001 00000000 00000101 00000100

Additional information:

The bitwise operation we use is Z = A XOR B:

A B Z
-----
0 0 0
0 1 1
1 0 1
1 1 0

If we use an 'a' (0110 0001) and plain text of "shape" we get:

         's'      'h'      'a'      'p'      'e'
Input:   01110011 01101000 01100001 01110000 01100101
Key:     01100001 01100001 01100001 01100001 01100001
---------------------------------------------------
Cipher   00010010 00001001 00000000 00010001 00000100

If we XOR with an 'a' (0110 0001) again we get:

Input:   00010010 00001001 00000000 00010001 00000100
Key:     01100001 01100001 01100001 01100001 01100001
---------------------------------------------------
Decoded  01110011 01101000 01100001 01110000 01100101
         's'      'h'      'a'      'p'      'e'
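The worked example above, and the key-recovery step (Key = Cipher XOR Message) from the Fortinet discussion, as an added Python example that is not part of the original post. It generalizes the single-byte case to a repeating key of any length; the plaintexts, the three-byte key and the helper names are constructed for illustration.

```python
# Added example: repeating-key XOR and why a static key gives no confidentiality.

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; encryption and decryption are the same op."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def bits_to_bytes(bitstream: str) -> bytes:
    """Parse whitespace-separated 8-bit groups such as '01110011 01101000'."""
    return bytes(int(group, 2) for group in bitstream.split())

def bytes_to_bits(data: bytes) -> str:
    """Render bytes in the post's bitstream notation."""
    return " ".join(f"{b:08b}" for b in data)

def recover_key(cipher: bytes, known_plain: bytes, key_len: int = 1) -> bytes:
    """Key = Cipher XOR Message: one known plaintext/ciphertext pair of at least
    key_len bytes reveals the whole repeating key."""
    if min(len(cipher), len(known_plain)) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(cipher[:key_len], known_plain[:key_len]))

# Constructed sample matching the post: plaintext "shape", key 'a' (0x61).
SAMPLE_PLAIN = b"shape"
SAMPLE_KEY = b"a"
SAMPLE_CIPHER = xor_with_key(SAMPLE_PLAIN, SAMPLE_KEY)

# A second, constructed message under the same static key: once the key has
# been recovered from the first message, this one needs no further work.
OTHER_CIPHER = xor_with_key(b"web filtering log", SAMPLE_KEY)

if __name__ == "__main__":
    print("cipher :", bytes_to_bits(SAMPLE_CIPHER))
    print("decoded:", xor_with_key(SAMPLE_CIPHER, SAMPLE_KEY))
    leaked_key = recover_key(SAMPLE_CIPHER, SAMPLE_PLAIN)
    print("key    :", leaked_key)
    print("other  :", xor_with_key(OTHER_CIPHER, leaked_key))
```

The defensive lesson is the one the post draws: a fixed key shared by every device is not a secret, and any authenticated encryption with per-session keys (TLS, for example) removes this whole class of failure.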

Conclusions

We need to get better as a profession - both generally for cybersecurity and for software development — at encryption, as it’s the lowest level of defense that we can create. To use a static key with an XOR operation is just sloppy. And then taking 10 months to fix it is really not a good sign for an industry that aims to put security at the top of everyone’s agenda.

Translated from: https://medium.com/asecuritysite-when-bob-met-alice/we-need-to-get-better-at-security-2adb5340578c
