Audit expert: Liu Weihua, Senior Information Security Standards Expert at Xindajiean Beijing Branch

In the era of the mobile Internet, as long as we are online we can carry out all kinds of activities. Logging in to platforms and making financial transactions all require a "password", but are the "passwords" we are familiar with consistent with the strict definition of the term? Let's find out together!

01 What is a "password"?

On January 1, 2020, the Cryptography Law of the People's Republic of China (hereinafter referred to as the "Cryptography Law") was officially implemented. The Cryptography Law defines cryptography as follows: cryptography refers to technologies, products and services that use specific transformation methods to encrypt and protect information and to perform security authentication.

The mobile phone power-on passwords, bank card withdrawal passwords, email login passwords and so on that we use in our daily lives are not what the Cryptography Law is talking about. To be precise, the above-mentioned "passwords" should be called "passcodes" (口令) rather than "passwords" (密码), the word the law uses for cryptography. It seems that what we commonly call a "password" is not the correct term, so let us first understand real cryptography and its history.

02 The story of the cipher

The Caesar cipher is an ancient, simple and most widely known encryption method. It shifts each letter of the alphabet by a fixed number of positions, for example moving each letter back 3 places (a becomes d, b becomes e, and so on), so that the word apple becomes dssoh. This encryption method is named after Caesar, who used it during the Roman Republic to communicate with his generals. However, the method is relatively simple and easy to crack.

[Image: bronze statue of Caesar in Italy. Source: Wikipedia]

About 500 years ago, Mary, Queen of Scots, was sentenced to prison for treason. During her years in prison she did not give up and was always ready to make a comeback.
To this end, she had been using encrypted letters to communicate with her accomplices outside, plotting to assassinate Queen Elizabeth I of England.

To keep the letters confidential, Queen Mary invented what was at the time a very complex encryption method: 23 symbols and numbers were used to replace 23 letters, and another 36 symbols were used to represent fixed words and phrases. Four additional symbols had no meaning at all, and one special symbol indicated that the next symbol stood for a doubled letter.

At the time this was thought to be foolproof, but in the end it failed because of one person: the linguist Thomas Phillips, who was skilled at frequency analysis. Phillips set up a frequency analysis, tallying how often each symbol appeared and trying substitutions for the most frequently occurring words and letters. He first picked out the four meaningless symbols, then worked out the meanings of most of the remaining symbols one by one, and then roughly guessed the content of the letter from the remaining context. This method successfully cracked Queen Mary's code. Phillips also imitated Queen Mary's handwriting and encryption method to add a paragraph at the end of a secret letter, tricked her accomplices into revealing the identities of several assassins, and eventually sent them to the guillotine together.

03 Deciphering Traditional Cryptographic Algorithms

Given the importance of cryptography, in war and other confrontations it is necessary to recover the original text from its encrypted form, so how to break cryptographic algorithms has also become a very important research field. Classical cryptographic algorithms have strong regularity and are usually easy to crack.

Many classical cryptographic algorithms can be cracked using the ciphertext alone, so they are vulnerable to ciphertext-only attacks (attacks that use only the encrypted information). As in the example above, frequency analysis was often used for deciphering in the early days. This deciphering method appears in "The Dancing Men" in "The Return of Sherlock Holmes" by the famous detective novelist Conan Doyle. Sherlock Holmes saw five paintings of dancing people on the wall. Based on how common certain English phrases are and on E being the most frequently used letter in English, he guessed that the word represented by one of the paintings of dancing people was "Never", thus solving the riddle.

Later cryptographic algorithms were designed to resist frequency analysis, such as the Vigenère cipher: a key is specified, and when encrypting, the plaintext is written out first and the key is repeated continuously below it; each plaintext letter is then offset according to the key letter beneath it, with A meaning no offset, B an offset to the next letter, C an offset of two letters, and so on. This cryptographic algorithm is resistant to frequency analysis to a certain extent.

[Image: the Enigma cipher machine used by the German army during World War II. Source: Wikipedia]

Until World War II, the most famous "ENIGMA cipher machine" also adopted this principle. The number of encryption possibilities reached 158,962,555,217,826,360,000, so it was extremely difficult to crack. It was not until Alan Turing, the "father of modern computers", developed a machine specifically for cracking it, pitting powerful computing machinery against this huge decryption task, that the deciphering of the ENIGMA cipher algorithm was finally completed.

[Image: the rotors of the Enigma machine. Source: Wikipedia]

04 The 21st Century Code

In 2004, Wang Xiaoyun, a professor from Shandong University in China, went to the United States to attend a cryptography conference.
At the conference, Wang Xiaoyun announced that she and her team had successfully cracked the MD5 cryptographic hash algorithm. After the conference, the United States quickly replaced MD5 with SHA-1. From 2005, Wang Xiaoyun set out to crack the new American cryptographic hash algorithm SHA-1. It took her only two months to succeed again. Wang Xiaoyun has now become a world-renowned top cryptography expert, giving China the world's most advanced cryptanalysis technology, becoming the pride of the Chinese people, and leading Chinese cryptography to the forefront of the world.

After becoming famous, Wang Xiaoyun continued to study cryptography. She led her team to develop an original cryptanalysis method and successfully found loopholes in the two cryptographic systems, MD5 and SHA-1, which she had previously cracked. Wang Xiaoyun also went on to close these gaps and in 2007 successfully developed a more advanced cryptographic system that was much more difficult to crack than MD5 and SHA-1. It was named SM3 and is also the new standard for Chinese cryptographic hash functions.

China attaches great importance to the standardization of commercial cryptography. While completing the cryptography industry standards and national standards, it vigorously promotes the inclusion in international standards of China's commercial cryptography standards, represented by the independently designed and developed SM series of cryptographic algorithms (including symmetric encryption, digital signature/asymmetric encryption, cryptographic hashing, identity-based cryptographic algorithms, etc.), actively participates in international standardization activities, and strengthens international exchanges and cooperation.

In September 2011, the Zu Chongzhi (ZUC) algorithm designed by China was incorporated into the 4G mobile communication standard of the 3rd Generation Partnership Project (3GPP), where it is used for encryption and integrity protection of the air transmission channel of the mobile communication system. This was the first time that a Chinese cryptographic algorithm became an international standard. Since May 2015, China has successively proposed to ISO that the SM2, SM3, SM4 and SM9 algorithms be included in international standards. In 2017, SM2 officially became an ISO/IEC international standard. In 2018, the SM3 algorithm officially became an ISO/IEC international standard. In 2021, SM4 and SM9 also officially became ISO/IEC international standards. In this way, China's international standard system for commercial cryptography has basically taken shape, providing a Chinese solution and contributing Chinese wisdom to the development and application of cryptography on a global scale.

Cryptographic technology has always been a protective umbrella for important information, touching all aspects of our lives and work. Its security is also bound up with the security of our wealth and privacy. We therefore hope that, as the times develop and science and technology advance, even though the methods of breaking cryptographic algorithms keep improving, our cryptographic "shield" will keep improving as well, bringing peace of mind to our lives.
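
The Vigenère scheme described in section 03, as an added example that is not part of the original article. It uses the index of coincidence, a standard statistic the article does not name, to show why a repeating key flattens letter frequencies and why that protection only goes "to a certain extent". The sample text, the key and the function names are constructed for the illustration.

```python
from collections import Counter

def vigenere(plaintext, key):
    """Encrypt lowercase letters; key letter A = no offset, B = 1, C = 2, ..."""
    out, i = [], 0
    for ch in plaintext:
        if 'a' <= ch <= 'z':
            shift = ord(key[i % len(key)].lower()) - ord('a')
            out.append(chr((ord(ch) - ord('a') + shift) % 26 + ord('a')))
            i += 1  # the key only advances on letters
        else:
            out.append(ch)
    return "".join(out)

def index_of_coincidence(text):
    """Probability that two letters picked from `text` are the same letter.
    Roughly 0.067 for English, roughly 0.038 for uniformly random letters."""
    letters = [c for c in text if 'a' <= c <= 'z']
    n = len(letters)
    if n < 2:
        return 0.0
    return sum(k * (k - 1) for k in Counter(letters).values()) / (n * (n - 1))

def column_ic(ciphertext, key_len):
    """Average IC over the letters that share the same key position."""
    letters = [c for c in ciphertext if 'a' <= c <= 'z']
    cols = ["".join(letters[i::key_len]) for i in range(key_len)]
    return sum(index_of_coincidence(c) for c in cols) / key_len

# Constructed sample plaintext and key (not from the article).
PLAINTEXT = ("cryptography protects information by transforming it so that "
             "only the holder of the key can read it while an attacker who "
             "intercepts the message sees nothing but letters that appear to "
             "have no pattern and must search for the regularity that the "
             "cipher failed to hide")
KEY = "lemon"

if __name__ == "__main__":
    cipher = vigenere(PLAINTEXT, KEY)
    print("plaintext IC      ", round(index_of_coincidence(PLAINTEXT), 4))
    print("Caesar (key 'd')  ", round(index_of_coincidence(vigenere(PLAINTEXT, "d")), 4))
    print("Vigenere IC       ", round(index_of_coincidence(cipher), 4))
    print("IC per key column ", round(column_ic(cipher, len(KEY)), 4))
```

A single-letter key leaves the statistic unchanged, the five-letter key pulls it toward the random value, and splitting the ciphertext by key position brings the English-like value back, which is the regularity an analyst uses to find the key length.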