前言
原文链接:https://medium.com/young-coder/famous-cryptography-quotes-explained-1d0012e03c11
转载自:https://blog.csdn.net/weixin_26720549/article/details/109070352
相关链接:
《 5个著名的编程语录,解释》(https://medium.com/young-coder/5-famous-programming-quotes-explained-4da607906c1)
Young Coder时事通讯(https://mailchi.mp/45668e72578c/yc)
开个玩笑:
编程和英语有关系吗?
个人觉得还是有一定的关系的。英语学的好的程序员比起英语学得不好的程序员有以下的优势:
1.更加不易违法:比起英语学得不好的程序员,英语学的好的程序员可选择的不用违反《*劳动法》法定工作时间的工作制度的工作岗位更多。
2.更好的在英文世界学习:其一,一些计算机领域的文献原版是英文,原版便于理解,就像是想要更好的学习《资本论》一类的马克思主义经典需要德语不错一样;其二,借助魔法穿越结界,会英语可以浏览许多不错的文章,可以学习一些好的课程,可以与一些物理上离你很远的不错的人交流,学习更多的东西。
摘录
1.
Cryptography is the science of secrets. In the distant past, it was simply about scrambling messages so adversaries couldn’t read them. In the modern computing era (a span of time that stretches less than 50 years), cryptography has become a keystone of computer security, encompassing all the ways we hide data, verify identities, communicate privately, and prevent message tampering.
Cryptography是秘密的科学。 在遥远的过去,这仅仅是关于扰乱消息,使对手无法阅读它们。 在现代计算时代(时间跨度不到50年)中,密码学已成为计算机安全的基石,涵盖了我们隐藏数据,验证身份,私下通信以及防止消息篡改的所有方式。
Something else has changed, too. Today, every developer needs a solid grasp of security and cryptography basics. The stakes are simply too high to ignore them. You can’t reverse an exploit that’s already happened. And you can’t bolt security onto a system after the fact, no matter how many highly paid consultants you’re willing to hire.
其他情况也发生了变化。 如今,每个开发人员都需要扎实地掌握安全性和加密基础知识。 赌注太高了,不能忽略它们。 您无法撤消已经发生的漏洞利用。 事实上,无论您愿意雇用多少名高薪顾问,您都无法在系统上增加安全性。
2.
“Every secret creates a potential failure point.” — Bruce Schneier
“每个秘密都会造成潜在的故障点。” —布鲁斯·施耐尔
One of the most dangerous security mistakes a programmer can make (other than rolling their own crypto) is trusting that the things that are secret during development can stay secret forever.
程序员可能会犯的最危险的安全错误之一(而不是使用自己的加密算法)是相信开发过程中的秘密可以永远保持秘密。
Imagine you write an algorithm to verify promotional codes. As soon as someone discovers its rules of logic — by research, reverse engineering, trial-and-error, or just asking questions — it ceases to be a reliable test for finding fakes. No secret lasts forever, and every secret is just one exploit away from being compromised.
假设您编写了一种算法来验证促销代码。 只要有人通过研究,逆向工程,反复试验或只是提出问题发现其逻辑规则,它就不再是寻找假货的可靠测试。 没有秘密会永远存在,每个秘密都只是一个被利用而不会受到损害的漏洞。
This concept can seem confusing at first, because computer security does rely on secret ingredients like passwords and keys. But if you look more carefully, you’ll find that these are the exact weak points of a system, to be minimized, managed, or avoided wherever possible. Passwords are a notorious failure point — all it takes is one email spoofing attack or improperly discarded hard drive to pinch one. (Biometric data, which isn’t secret but isn’t easy to acquire, is far more secure.)
起初,这个概念似乎令人困惑,因为计算机安全确实依赖于密码和密钥之类的秘密成分。 但是,如果仔细看,您会发现,这些是系统的确切弱点,应尽可能地对其进行最小化,管理或避免。 密码是一个臭名昭著的失败点,它所需要的只是一种电子邮件欺骗攻击或不当丢弃的硬盘驱动器。 (不是秘密的但不容易获取的生物特征数据更加安全。)
Above all else, do not rely on secrecy in the implementation details of your system. Passwords can be changed after an attack. But there’s no practical way to build a new system once its inner workings are discovered. Not only is there no lasting security through obscurity, but when obscurity fails, it fails big.
最重要的是,不要在系统的实现细节中保密。 攻击后可以更改密码。 但是,一旦发现新系统的内部运行原理,便没有实际的方法来构建它。 通过模糊不仅不存在持久的安全性,而且当模糊失败时,失败也很大。
Cryptography nerds may recognize that “Every secret creates a potential failure point” is actually a generalization of Kerckhoffs’s law, a famous rule of the 19th century cryptographer.
密码学的书呆子可能会认识到“每个秘密都会造成潜在的故障点”,实际上是对Kerckhoffs法则的概括,它是19世纪密码学家的著名法则。
“A cryptographic system should be secure even if everything about the system, except the key, is public knowledge.” — Auguste Kerckhoffs
“即使系统中除密钥之外的所有内容都是公共知识,加密系统也应该是安全的。” —奥古斯特·克尔科夫斯(Auguste Kerckhoffs)
This applies the same philosophy (there is no security through obscurity) to the cryptographic algorithms we use. Time and time again, it’s been shown that the most reliable encryption comes from heavily explored public algorithms. The least reliable encryption is from secret algorithms that haven’t been tested by the broader community and are almost certainly full of undiscovered vulnerabilities.
这对我们使用的密码算法应用了相同的原理(通过模糊性没有安全性)。 一次又一次地证明,最可靠的加密来自经过深入研究的公共算法。 最不可靠的加密来自尚未经过更广泛的社区测试的秘密算法,并且几乎可以肯定充满了未被发现的漏洞。
3.
“Cryptography is typically bypassed, not penetrated.” — Adi Shamir
“密码术通常被绕开,而不是被渗透。” —阿迪·沙米尔(Adi Shamir)
Most cryptography is never broken, and most attacks don’t even try. Instead, cryptography is like a dead-bolted door on a house — once it establishes a moderately high threshold of protection, it simply moves an attack elsewhere (say, to a side window or a neighbor with a spare key).
大多数加密技术永远不会中断,并且大多数攻击甚至都不会尝试。 取而代之的是,密码学就像是一扇房屋门上的锁死的门—一旦建立了适当高的保护阈值,它就将攻击简单地转移到其他地方(例如,移至侧窗或带有备用钥匙的邻居)。
There are many ways to attack a system. Relying on known flaws in hardware or unpatched software is common. But without doubt, the weakest links in every security system are the human ones.
有许多方法可以攻击系统。 依靠硬件或未修补软件中的已知缺陷很常见。 但是毫无疑问,每个安全系统中最薄弱的环节是人为的。
“Cryptography without system integrity is like investing in an armored car to carry money between a customer living in a cardboard box and a person doing business on a park bench.” — Gene Spafford
“没有系统完整性的密码学就像投资一辆装甲车,在居住在纸板箱中的客户和在公园长椅上做生意的人之间运送金钱。” — Gene Spafford
Good programmers already know that if they want to optimize the performance of their code, they need to focus on the bottlenecks. Improvements in other places won’t yield results. The same is true of security systems. You need to improve the weakest areas, and if there’s a backdoor that can evade your security measures, it doesn’t matter how fantastic your cryptographic algorithms are.
优秀的程序员已经知道,如果要优化代码的性能,则需要关注瓶颈。 其他地方的改善不会产生结果。 安全系统也是如此。 您需要改进最薄弱的区域,如果有后门可以规避您的安全措施,那么加密算法的出色程度也无关紧要。
4.
“Anyone who attempts to generate random numbers by deterministic means is, of course, living in a state of sin.” — John von Neumann
“任何试图通过确定性手段生成随机数的人当然都处于犯罪状态。” —约翰·冯·诺依曼
As you already know, ordinary attackers rarely bother to attack the cryptography of a system. But there are exceptions. The most common cases are when the value of the encrypted data is very high—for example, it’s protecting trade secrets or the ownership of a block of cryptocurrency.
如您所知,普通攻击者很少会费心去攻击系统的密码学。 但是也有例外。 最常见的情况是加密数据的价值很高时,例如,它在保护商业秘密或加密货币区块的所有权。
When hackers attack cryptography, they would like to attack the implementation — particularly, the way the cryptography is integrated into the rest of the system. Often, there are gaps or outright sloppiness, information leaking out of overly detailed error messages, defective hardware, or buggy software. But if that doesn’t work, another common way to break encryption is by exploiting poor randomness. It sounds like an edge case, but it’s actually a common tactic behind plenty of legendary exploits, including attacks on slot machines, lotteries, internet games, bitcoin wallets, and the digital signing system used by the PlayStation 3.
当黑客攻击加密技术时,他们想攻击实现,尤其是将加密技术集成到系统其余部分的方式。 通常,会有间隙或完全草率,信息从过于详细的错误消息中泄漏,有缺陷的硬件或有缺陷的软件。 但是,如果这不起作用,则破解加密的另一种常见方法是利用不良的随机性。 这听起来像是一个边缘案例,但这实际上是许多传奇性漏洞利用背后的通用策略,其中包括对*,彩票,互联网游戏,比特币钱包以及PlayStation 3使用的数字签名系统的攻击。
The problem is well known — computers create random-seeming numbers using algorithms, and if you know the inputs to these algorithms you can regenerate the same “random” numbers. What’s less obvious is that you can choose random-seeming inputs, and still be wide open to attacks.
这个问题是众所周知的-计算机使用算法创建随机数,并且,如果您知道这些算法的输入,则可以重新生成相同的“随机”数。 不太明显的是,您可以选择随机寻找的输入,但仍然容易受到攻击。
For example, if you seed a basic ordinary random number generator using the current millisecond of the computer clock, you’ve narrowed down the possible random values enough that they can easily be guessed. Even using multiple inputs with one guessable value compromises the whole system, opening the door to relatively easy brute force attacks. And if you can figure out the random numbers that someone else has used, you’re well on your way to decrypting the messages they’ve sent, or even figuring out the private key that they used.
例如,如果使用计算机时钟的当前毫秒作为基本普通随机数生成器的种子,则已将可能的随机值范围缩小到足以轻易猜到的程度。 即使使用具有一个可猜测值的多个输入也会损害整个系统,从而为相对容易的暴力攻击打开了大门。 而且,如果您能弄清楚别人使用的随机数,则可以很好地解密他们发送的消息,甚至可以弄清楚他们使用的私钥。
“Random numbers should not be generated with a method chosen at random.” — Donald Knuth
“不应该使用随机选择的方法来生成随机数。” —唐纳德·努斯
Humans confuse themselves about randomness all the time, because the way we use it in casual conversation (to mean something arbitrary) is different from the way we use it in solid cryptographic programming (to mean something non-deterministic). Here, computer pioneer Donald Knuth plays with this double-meaning.
人们一直对随机性感到困惑,因为我们在随意对话中使用它的方式(表示任意的意思)与在固态密码编程中使用它的方式(表示不确定性的东西)不同。 在这里,计算机先驱Donald Knuth扮演了双重角色。
5.
“Crypto is like catnip for programmers. It’s hard to keep us away from it, because it’s challenging and fun to play with. And programmers respond very badly to the insinuation that they’re not clever enough to do something.”—Maciej Cegłowski
“对于程序员来说,加密就像猫薄荷。 很难让我们远离它,因为它具有挑战性并且很有趣。 而且程序员对这种愚蠢的回应非常愚蠢,即他们不够聪明,无法做某事。” — MaciejCegłowski
Even before the creation of bitcoin, crypto was cool. Once we learn about cryptographic algorithms, we want to play with them. Often, we misjudge the risk. A developer that ignores security is a dangerous person to have around. But a smart developer that thinks they understand cryptography is the most dangerous company of all.
甚至在创建比特币之前,加密就很酷。 一旦我们了解了加密算法,我们就想使用它们。 通常,我们会误判风险。 忽视安全性的开发人员是危险的人。 但是,一个聪明的开发人员认为他们了解加密技术是最危险的公司。
Incidentally, Maciej Cegłowski also offers the perfect solution for programmers who are curious about crypto — spend at least a little time learning to break encryption. Once you realize how tiny details (improperly sized buffers, reused nonces, careless string manipulation) open up massive, well known security gaps, you’ll think twice about blazing a new trail. To get a grasp on the scope of the problem, work through some of the Matasano Crypto Challenges. As Cegłowski explains, it’s a good way to “shake your sillies out” and make sure you never dare to pilot the cryptographic F-16 on your own.
顺便说一句,MaciejCegłowski还为对加密好奇的程序员提供了完美的解决方案-花费至少一点时间来学习破解加密。 一旦意识到微小的细节(大小不适当的缓冲区,重用的随机数,粗心的字符串操作)造成了巨大的,众所周知的安全漏洞,那么您将三思而后行。 要了解问题的范围,请应对一些Matasano加密挑战。 正如Cegłowski解释的那样,这是“摆脱傻瓜”并确保您永远不敢独自驾驶加密F-16的好方法。
“Anyone can create an algorithm they can’t break.” — Bruce Schneier
“任何人都可以创建他们不会打破的算法。” —布鲁斯·施耐尔
Often described as Schneier’s law, it’s a stark reminder not to be overconfident or use custom cryptographic solutions, even if you’re a better-than-average cryptographer. Programmers are problem solvers, and for us it’s easy to think of dozens of clever cryptography tricks. With cryptographic training, it’s trivial to defeat them all.
通常被描述为施耐尔定律,这是一个鲜明的提醒,即使您是比平均水平更好的密码专家,也不要过分自信或使用自定义密码解决方案。 程序员是解决问题的人,对我们来说,很容易想到许多巧妙的密码学技巧。 借助密码培训,击败他们都是微不足道的。
6.
“All the magic crypto fairy dust in the world won’t make you secure.”— Gary McGraw
“世界上所有神奇的加密神仙尘不会确保您的安全。”-Gary McGraw
The math, science, and computing power that goes into modern day encryption is dazzling. It’s hard not be impressed by shiny things like quantum cryptography.
当今加密技术的数学,科学和计算能力令人眼花缭乱。 量子密码学之类的闪亮事物很难令人印象深刻。
But there is one time that high-grade cryptography can be dangerous to the people using it. That’s when it gives them a false sense of security, and an excuse to ignore more likely attack vectors. The advice is obvious — but often overlooked.
但是,有一次,高级密码术可能会对使用它的人们造成危险。 那时,它给了他们一种错误的安全感,并且是忽略更可能的攻击媒介的借口。 该建议是显而易见的,但经常被忽略。
“If you think cryptography will solve your problem, either you don’t understand cryptography, or you don’t understand your problem.” — Peter G. Neumann
“如果您认为加密技术可以解决您的问题,要么您不了解加密技术,要么您不了解您的问题。” 彼得·诺依曼(Peter G. Neumann)
It’s sometimes said that cryptography doesn’t fix problems, it changes them. You start with a data privacy problem, and cryptography replaces it with a key management problem. This quote from Peter G. Neumann has been repeated in slightly different versions by nearly a dozen famous cryptography researchers. The bottom line stays the same. Proper security is not tied up with any one technology. Instead, it’s a process that encompasses the design of an entire system.
有时有人说,加密不能解决问题,而是可以解决问题。 您从数据隐私问题开始,然后密码术将其替换为密钥管理问题。 彼得·诺伊曼(Peter G.Neumann)的这段名言已被将近十二位著名的密码学研究人员以略有不同的版本重复。 底线保持不变。 适当的安全性不会与任何一种技术捆绑在一起。 相反,它是一个包含整个系统设计的过程。
END