crypto-10

Uploader: 第*** | Document ID: 53710153 | Uploaded: 2018-09-04 | Format: PPT | Pages: 63 | Size: 864.50KB

Cryptography and Network Security
Chapter 10: Key Management; Other Public Key Cryptosystems
Fourth Edition, by William Stallings
Modern Cryptography: Theory and Practice - 10, 2018/9/4

Key Points of This Chapter

- A public-key scheme is secure only if the authenticity of the public key is assured. A public-key certificate scheme provides the necessary security.
- A simple public-key algorithm is the Diffie-Hellman key exchange protocol. This protocol lets two parties establish a secret key using a public-key algorithm based on the discrete logarithm problem. The protocol is secure only if the authenticity of the two participants can be assured.
- Elliptic curve arithmetic can be used to develop many elliptic curve cryptography (ECC) schemes, including key exchange, encryption, and digital signature.
- For ECC, elliptic curve arithmetic means using an elliptic curve equation defined over a finite field. The coefficients and variables in the equation are elements of the field. Many schemes using $Z_p$ and $GF(2^m)$ have been developed.

10.1 Key Management

Public-key encryption helps address key distribution problems. There are two aspects of this:

- distribution of public keys
- use of public-key encryption to distribute secret keys

10.1.1 Distribution of Public Keys

Distribution of public keys can be considered as using one of:

- Public announcement
- Publicly available directory
- Public-key authority
- Public-key certificates

Public Announcement

- Users distribute public keys to recipients or broadcast to the community at large
  - e.g. append PGP keys to email messages or post to news groups or email lists
- Major weakness is forgery
  - anyone can create a key claiming to be someone else and broadcast it
  - until the forgery is discovered, they can masquerade as the claimed user

[Figure: Public Announcement]

Publicly Available Directory

We can obtain greater security by registering keys with a public directory. The directory must be trusted, with these properties:

- contains {name, public-key} entries
- participants register securely with the directory
- participants can replace their key at any time
- directory is periodically published
- directory can be accessed electronically

It is still vulnerable to tampering or forgery.

[Figure: Publicly Accessible Directory]

Public-Key Authority

- A sends a timestamped message to the public-key authority, requesting B's current public key.
- The authority sends A a message encrypted with its private key $KR_{auth}$. A decrypts it with the authority's public key and can therefore be sure the message came from the authority. The message contains:
  - B's public key $KU_b$, to be used for encryption;
  - the original request, so A can verify that its request was not modified;
  - the original timestamp, so A can be sure it has not received an old message from the authority.
- A stores B's public key and uses it to encrypt a message containing A's identifier $ID_A$ and a nonce $N_1$, then sends it to B.
- B obtains A's public key from the authority in the same way that A retrieved B's public key.
- B encrypts A's $N_1$ and B's $N_2$ with $KU_a$ and sends the result to A.
- A encrypts $N_2$ with B's public key and sends it to B, which assures B that its correspondent is A.

[Figure: Public-Key Distribution Scenario]

Public-Key Certificates

- Certificates allow key exchange without real-time access to the public-key authority
- A certificate binds an identity to a public key, usually with other info such as period of validity, rights of use etc.
- All contents are signed by a trusted Public-Key or Certificate Authority (CA)
- It can be verified by anyone who knows the public-key authority's public key
- For applicant A, the certificate provided by the authority is:
  $C_A = E_{KR_{auth}}[T, ID_A, KU_a]$
- Others read and verify it:
  $D_{KU_{auth}}[C_A] = D_{KU_{auth}}[E_{KR_{auth}}[T, ID_A, KU_a]] = (T, ID_A, KU_a)$

[Figure: Exchange of Public-Key Certificates]

10.1.2 Public-Key Distribution of Secret Keys

- Use previous methods to obtain the public key
- Can be used for secrecy or authentication
- Public-key algorithms are slow, so usually want to use private-key encryption to protect message contents
- Hence need a session key for encryption
- Have several alternatives for negotiating a suitable session

Simple Secret Key Distribution

- Proposed by Merkle in 1979
  - A generates a new temporary public key pair
  - A sends B the public key and their identity
  - B generates a session key K and sends it to A encrypted using the supplied public key
  - A decrypts the session key and both use it
- The problem is that an opponent can intercept and impersonate both halves of the protocol

[Figure: Secure key-distribution with secrecy and authenticity]

10.2 Diffie-Hellman Key Exchange

- First public-key type scheme, proposed by Diffie & Hellman in 1976 along with the exposition of public key concepts
  - Note: we now know that James Ellis (UK CESG) secretly proposed the concept in 1970
- Is a practical method for public exchange of a secret key
- Used in a number of commercial products

Diffie-Hellman Key Exchange

- A public-key distribution scheme
  - Cannot be used to exchange an arbitrary message
  - Rather it can establish a common key
  - Known only to the two participants
- Value of the key depends on the participants (and their private and public key information)
- Based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy
- Security relies on the difficulty of computing discrete logarithms (similar to factoring) - hard

Discrete Logarithm Problem (DLP)

If $a$ is a primitive root (primitive element) of the prime $p$, then $a \bmod p,\ a^2 \bmod p,\ \ldots,\ a^{p-1} \bmod p$ generate the complete residue set $\{1, 2, \ldots, p-1\}$ modulo $p$.

Every prime has a primitive root. That is, for an integer $b$ and a primitive root $a$ of the prime $p$, a unique exponent $i$ can be found such that $b = a^i \bmod p$, where $0 \le i \le p-1$. The exponent $i$ is called the discrete logarithm, or index, of $b$ for the base $a$, mod $p$.

Example: $p = 11$, $a = 2$: $\{2^0, 2^1, 2^2, \ldots, 2^{10}\} = \{1, 2, 4, 8, 5, 10, 9, 7, 3, 6, 1\}$, that is:

  $2^0 = 1 \bmod 11$      $2^6 = 9 \bmod 11$
  $2^1 = 2 \bmod 11$      $2^7 = 7 \bmod 11$
  $2^2 = 4 \bmod 11$      $2^8 = 3 \bmod 11$
  $2^3 = 8 \bmod 11$      $2^9 = 6 \bmod 11$
  $2^4 = 5 \bmod 11$      $2^{10} = 1 \bmod 11$
  $2^5 = 10 \bmod 11$

Given an integer $x$, computing $y = a^x \bmod p$ needs at most $\lfloor \log_2 x \rfloor + w(x) - 1$ multiplications, where $w(x)$ is the number of 1 bits in $x$. For example, if $x = 15$, i.e. $x = (1111)_2$, then $w(x) = 4$ and $a^{15} = (((a^2)a)^2 a)^2 a \bmod p$, which needs only $3 + 4 - 1 = 6$ multiplications.

But given $p$, $a$ and $y$, finding $x$ is the DLP. The fastest method needs L(p)=exp(lnpln(lnp) operations. When $p$ is 512 bits, $L(p)$ is about $2^{256} \approx 10^{77}$, which is computationally infeasible: since $2^{100} \approx 10^{30}$, the computation would take $10^{16}$ years.
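Added example (not part of the original slides): a short Python check of the DLP material above. It rebuilds the p = 11, a = 2 power table, counts the multiplications used by left-to-right square-and-multiply so the floor(log2 x) + w(x) - 1 bound can be checked for x = 15, and shows the reverse direction as an exhaustive search. The function names are illustrative.

```python
# Added example. p = 11, a = 2 and x = 15 are the values used in the slides;
# all function names here are illustrative, not from the lecture.

def powers_table(a, p):
    """Return [a^0 mod p, a^1 mod p, ..., a^(p-1) mod p]."""
    return [pow(a, i, p) for i in range(p)]

def is_primitive_root(a, p):
    """True if a^1..a^(p-1) mod p cover the whole residue set {1..p-1}."""
    return {pow(a, i, p) for i in range(1, p)} == set(range(1, p))

def modexp_counted(a, x, p):
    """Left-to-right square-and-multiply: return (a^x mod p, multiplications)."""
    if x < 1:
        raise ValueError("x must be a positive integer")
    result, mults = a % p, 0          # leading 1 bit costs no multiplication
    for bit in bin(x)[3:]:            # remaining bits, most significant first
        result = result * result % p  # one squaring per remaining bit
        mults += 1
        if bit == "1":
            result = result * a % p   # one extra multiply per set bit
            mults += 1
    return result, mults

def predicted_mults(x):
    """floor(log2 x) + w(x) - 1, with w(x) the number of 1 bits in x."""
    return (x.bit_length() - 1) + bin(x).count("1") - 1

def discrete_log_bruteforce(y, a, p):
    """Smallest i in [0, p-2] with a^i = y (mod p), or None if y is no power of a.

    The work grows with p itself rather than with log p, so this direction
    is only practical for toy moduli such as p = 11.
    """
    value = 1
    for i in range(p - 1):
        if value == y % p:
            return i
        value = value * a % p
    return None

if __name__ == "__main__":
    print(powers_table(2, 11))               # the slide's table for p = 11, a = 2
    print(is_primitive_root(2, 11))
    print(modexp_counted(2, 15, 11), predicted_mults(15))
    print(discrete_log_bruteforce(9, 2, 11))
```

The forward direction costs a number of multiplications proportional to the bit length of x, while the exhaustive search visits up to p - 1 candidates, which is the asymmetry Diffie-Hellman relies on.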
