
Posted by: 归海一刀
Posted: 2014/6/1 9:20:05
The "Bullrun" (奔牛) project: cracking the world's encryption

Source: IT资讯 (IT News)

On September 6 of last year (2013), Edward Snowden disclosed a secret project of the United States National Security Agency (NSA), "Bullrun" (奔牛), putting an NSA that was already in the eye of the storm under enormous pressure. Bullrun is a project to "improve decryption capability": it covers not only breaking cryptographic algorithms but also using other methods and resources to crack encrypted information. The Institute of Information Security at the CCID think tank (赛迪智库) holds that Bullrun already poses a serious threat to Internet security and that it reflects many information security problems in China.

On September 6 last year, The New York Times and The Guardian reported a secret project disclosed by Edward Snowden that shocked and unsettled the world, Bullrun, and once again stirred global opinion. According to the disclosure, the NSA began Bullrun in 2000 and over the following ten years took highly aggressive measures on many fronts, including cracking encrypted information at will, planting backdoors in commercial cryptographic products and modifying encryption standards, all of which seriously threaten the security of cryptography. Cryptography is the cornerstone of information security technology; cryptography we have always regarded as reliable has been tampered with by the NSA, which, the article argues, means that encrypted information around the world can no longer hide from the NSA.

What impact will Bullrun have?

1. Violation of user privacy

Through Bullrun, the NSA launched attacks of many kinds against Internet cryptography. Using its powerful technical means it deliberately broke the encryption of Internet users and monitored their information, as if the last door protecting us had been quietly opened and every activity made transparent. In addition, the NSA demanded that many US technology companies cooperate with it so that it could bypass encryption to collect user information. Because these companies' products and services are sold in markets around the world, the privacy and security of Internet users everywhere are undoubtedly under serious threat.

2. Impact on global encryption technology

The NSA has extensive experience in cipher design and considerable international influence. According to the classified documents, it drew on that experience to deliberately design a security standard containing a fatal flaw, which the US National Institute of Standards and Technology (NIST) published in 2006 and which the International Organization for Standardization (ISO) subsequently adopted. Although two Microsoft cryptographers discovered the flaw in 2007, whether other standards drafted by the NSA contain similar flaws is unknown. NIST plays a pivotal role in information-security-related standards: most information security vendors worldwide follow NIST standards, so the standards NIST proposes have a major influence on the development of information security technology globally. The NSA wrote this flawed standard and worked hard to push it on the international community, and its motive is obvious: by modifying the Internet's encryption standards it would come to hold and control the relevant encryption technology, and thereby steal intelligence.
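
The article does not name the standard. The 2006 NIST publication, the 2007 finding by two Microsoft researchers and the later ISO adoption match the publicly documented Dual_EC_DRBG case (NIST SP 800-90, 2006; Shumow and Ferguson, 2007), in which the generator's two public curve points P and Q are related by a scalar that only the designer knows. The following is an added example written for this edit, not code from the article or from any standard: a toy generator with the same trapdoor structure on a deliberately tiny curve. The prime, the curve equation, the seed and the secret scalar are all constructed for illustration. It shows what a "preset backdoor" in an algorithm concretely looks like: whoever knows the scalar e with P = e·Q recovers the internal state from a single output block and predicts every later output, while an outsider must solve a discrete logarithm to obtain e, which on this toy curve is a brute-force loop and on a 256-bit curve is out of reach.

```python
# Toy model of a trapdoored elliptic-curve DRBG (added example, not from the
# article).  Every parameter below is constructed for illustration only.
from math import gcd

P_MOD = 10007            # field prime, chosen 3 (mod 4) so square roots are one pow()
A, B = 2, 3              # curve y^2 = x^3 + A*x + B over F_p (assumed parameters)
INF = None               # point at infinity


def inv(x):
    return pow(x, P_MOD - 2, P_MOD)


def ec_add(p1, p2):
    """Affine point addition; handles doubling and the point at infinity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc


def lift_x(x):
    """Return a curve point with x-coordinate x, or None if none exists."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)    # valid because P_MOD is 3 (mod 4)
    return (x, y) if y * y % P_MOD == rhs else None


def point_order(pt):
    n, cur = 1, pt
    while cur is not INF:
        cur = ec_add(cur, pt)
        n += 1
    return n


def find_base_point():
    for x in range(1, P_MOD):
        pt = lift_x(x)
        if pt is not None and point_order(pt) > 100:
            return pt
    raise RuntimeError("no suitable base point on this curve")


# "Standard" parameters: the designer publishes P and Q and keeps d (hence e) secret.
P_BASE = find_base_point()
N_ORDER = point_order(P_BASE)
SECRET_D = next(d for d in range(4242, N_ORDER) if gcd(d, N_ORDER) == 1)
Q_PUB = ec_mul(SECRET_D, P_BASE)                 # Q = d*P
TRAPDOOR_E = pow(SECRET_D, -1, N_ORDER)          # e = d^-1 mod n, so e*Q == P


def reduce_state(v):
    """Toy-only simplification: keep the state in [1, n-1] so s*P is never INF."""
    v %= N_ORDER
    return v or 1


class TrapdoorDRBG:
    """Output block i is x(s_i * Q); the next state is x(s_i * P)."""

    def __init__(self, seed):
        self.s = reduce_state(seed)

    def next_output(self):
        out = ec_mul(self.s, Q_PUB)[0]
        self.s = reduce_state(ec_mul(self.s, P_BASE)[0])
        return out


def predict_next_output(observed, e):
    """Trapdoor holder: from one output block, derive the next state and output."""
    R = lift_x(observed)                          # R = +/-(s*Q); the sign is irrelevant
    next_state = reduce_state(ec_mul(e, R)[0])    # e*R = +/-(s*e*Q) = +/-(s*P)
    return ec_mul(next_state, Q_PUB)[0]


def brute_force_trapdoor():
    """Outsider: recover e as a discrete log of P base Q; feasible only on a toy curve."""
    cur = Q_PUB
    for k in range(1, N_ORDER):
        if cur == P_BASE:
            return k
        cur = ec_add(cur, Q_PUB)
    return None


def attack_succeeds(seed, blocks=5):
    """True if the trapdoor holder predicts every output after the first one."""
    gen = TrapdoorDRBG(seed)
    seen = gen.next_output()
    for _ in range(blocks):
        guess = predict_next_output(seen, TRAPDOOR_E)
        seen = gen.next_output()
        if guess != seen:
            return False
    return True


if __name__ == "__main__":
    print("order of P:", N_ORDER, "trapdoor e:", TRAPDOOR_E)
    print("trapdoor attack succeeds for seed 12345:", attack_succeeds(12345))
    print("outsider recovers e by brute force:", brute_force_trapdoor() == TRAPDOOR_E)
```

The point a reviewer of such a standard would insist on is visible in the parameter block: nothing in the published P and Q reveals whether Q was derived from P. The defence is to require that Q be generated verifiably at random (for example by hashing a published string to a point) so that no party can hold e; a standard that simply hands down constant points without that derivation should be treated as untrusted.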

3. Harm to other countries' economies and national security

After Bullrun was exposed, many US technology companies spared no effort to distance themselves, but their close relationship with the NSA and other US intelligence agencies is an open secret (司马昭之心, 路人皆知). A person who had worked on US government and large defense-contractor projects said that cooperation between technology companies and intelligence agencies is broad and deep, and that US intelligence agencies once paid a technology company executive a large sum to "tamper with" chip products sold overseas for the purpose of espionage. This undoubtedly increases the risk that other countries' important information and business secrets will be stolen, and may even endanger their economies and national security.

Bullrun reflects many of China's information security problems

1. Foreign cryptographic algorithms dominate

Cryptographic algorithms and security products are the primary means of information security assurance and the core of every kind of network security protection system. It is an indisputable fact that cryptographic algorithms developed by foreign research institutions or individuals, such as RSA, SHA-1 and MD2, dominate China's market for cryptographic applications. Many domestic enterprises and websites even rely entirely on foreign cryptosystems and products to solve their security problems, and this situation is hard to change in the short term. It is understood that the US government has cooperated with private institutions or individuals on cipher design and codebreaking since the early 20th century; the SHA-1 algorithm, widely used in computer cryptosystems, is a joint product of NIST and the NSA. Imagine a cryptographic algorithm with a preset backdoor: once exploited by criminals or an intelligence agency, it would inevitably pose a grave challenge to China's information security.

2. Insufficient attention to the security of foreign cryptographic products

Cryptographic technology and products are the foundation of information security, and for security reasons many countries manage the import and export of cryptographic products cautiously. The United States strictly controls the export of cryptographic products and requires companies to obtain prior approval from the relevant agencies before exporting high-performance cryptographic products to foreign governments or militaries. Although the United States places no restrictions on the import of cryptographic products, it has always guarded strictly against foreign information technology products. In the year-long security review of China's Huawei and ZTE in 2012, the focus was neither product price nor quality but information security.

By comparison, China pays too little attention to the security of cryptographic products. Although China's regulations forbid any organization or individual from using foreign-made cryptographic products, the use of foreign cryptographic products persists in many fields because of a lack of information security awareness. For example, China's financial IC cards have always used foreign cryptographic algorithms and foreign chips, and the websites of many important sectors use server certificates issued by foreign institutions, which allows foreign organizations to collect a great deal of information about China's key industries and institutions. The mechanism matters for the remedy: a certificate authority does not itself see a site's traffic, but certificate requests tell it which hosts and domains an institution operates, and a CA under foreign jurisdiction can be compelled to issue a certificate for those domains that lets a third party intercept the site's TLS connections. The security risk here is beyond doubt.

3. A low proportion of independently developed information security standards

Information security standards bear directly on the research, development, production and use of information security technology and products. Bullrun is a wake-up call: if a standard contains a deliberately planted flaw or backdoor, the products built on it cannot be independent and controllable, and information security, even national security, ends up in someone else's hands. Many of the national information security standards China now publishes are modeled on standards formulated by US or EU standardization bodies or by global companies, and some are even direct "take-it-as-is" (拿来主义) translations. Information security technology and product standards backed by China's own intellectual property are scarce, and this is a serious security risk.

How should China strengthen its information security?

1. Promote the development and use of domestic cryptographic algorithms

Although foreign cryptographic algorithms hold an absolutely dominant position in the field, Chinese experts and scholars have also achieved a great deal in cipher design and cryptanalysis. For example, the SM series of cryptographic algorithms, developed under the leadership of the State Cryptography Administration, is faster and more secure than RSA, and Professor Wang Xiaoyun of Shandong University found an effective way to break MD5, one of the mainstream international cryptographic algorithms, which directly prompted NIST to recommend that the US government stop using MD5. To ensure that cryptographic products are secure and controllable, we have both the need and the capability to develop domestic encryption algorithms. Government departments and important industries should actively use domestic cryptographic products so that the cryptographic products they use contain no backdoor that a foreign party can exploit.

2. Accelerate the replacement of foreign cryptographic products with domestic ones

Under the relevant national regulations, cryptographic products produced and used domestically must use cryptographic algorithms approved by the National Cryptography Management Commission (国家密码管理委员会), but because nothing is stipulated about chips, operating systems and the like, most of our products come from abroad, which plants a security risk. China therefore urgently needs to establish and improve a management system for cryptographic products, with a working mechanism that combines government macro-management and technical support from institutions. On the one hand, security testing and review of cryptographic products must be vigorously pursued to improve the capability to discover and handle security vulnerabilities. On the other hand, security management of foreign cryptographic products must be strengthened through the necessary security review and market-access systems, and the replacement of foreign cryptographic products with domestic ones must be advanced at the same time.

3. Strengthen information security standardization

China's system of information security standards should be improved as soon as possible, using a variety of means to raise the quality of those standards. Security review and testing standards for foreign encryption technology and products should be formulated faster; in addition to functional testing standards, testing standards for performance, stability and security vulnerabilities should be added. Foreign standards that are adopted should be studied and analyzed in depth, used critically for our own purposes, and continually improved in practice. When a foreign standard has been revised or withdrawn, the corresponding Chinese standard should be promptly revised or withdrawn as well. The bodies that manage information security standards should appropriately increase funding for research on such standards, keep a strict gate on project approval, mobilize industry, academia and other forces, and formulate security standards backed by China's own independent intellectual property.



