现代密码学理论与实践(4)

Cryptography and Network SecurityChapter 7Confidentiality Using Symmetric EncryptionFourth Edition by William StallingsLecture slides by Shoubao Yhttp:/202.38.64.11/syangSeptember 20062023/9/51/35现代密码学理论与实践-07第7章 用对称密码实现保密性 本章讨论加密逻辑功能所处的位置，使用加密防止通信量分析攻击的方法，密钥分配问题及随机数的产生。7.1 密码功能的位置安全隐患从同一网上其他工作站发起的窃听使用拨号进入局域网或服务器进行窃听使用外部路由链接进入网络和窃听在外部链路上对通信业务的监听和修改2023/9/52现代密码学理论与实践-077.1.2 链路加密与端到端加密基本方法：链路加密与端到端加密link encryptionencryption occurs independently on every linkimplies must decrypt traffic between linksrequires many devices,but paired keysend-to-end encryptionencryption occurs between original source and final destinationneed devices at each end with shared keys2023/9/53现代密码学理论与实践-07链路加密与端到端加密Traffic Analysiswhen using end-to-end encryption must leave headers in clear,so network can correctly route informationhence although contents protected,traffic pattern flows are notideally want both at onceend-to-end protects data contents over entire path and provides authenticationlink protects traffic flows from monitoring2023/9/54现代密码学理论与实践-07Encryption Across a Packet Switching-Network 2023/9/55现代密码学理论与实践-07两种加密策略的特点2023/9/56现代密码学理论与实践-07We can place encryption function at various layers in OSI Reference Modellink encryption occurs at layers 1 or 2end-to-end can occur at layers 3,4,6,7as move higher less information is encrypted but it is more secure though more complex with more entities and keysPlacement of Encryption2023/9/57现代密码学理论与实践-07Traffic AnalysisTraffic analysis is monitoring of communications flows between partiesuseful both in military&commercial spherescan also be used to create a covert channelLink encryption obscures header detailsbut overall traffic volumes in networks and at end-points is still visibleTraffic padding can further obscure flowsbut at cost of continuous traffic2023/9/58现代密码学理论与实践-07端到端加密函数的逻辑位置采用前端处理器FEP实现加密功能端系统用户进程和应用使用同一个密钥采用同一个加密方案2023/9/59现代密码学理论与实践-07存储转发通信网络中的加密覆盖范围将加密设备用于端到端协议，不能提供网络之间的服务，如电子邮件、电子数据交换和文件传输等。因此，端到端加密需要到应用层上进行。2023/9/510现代密码学理论与实践-07不同加密策略的实现(1)2023/9/511现代密码学理论与实践-07不同加密策略的实现(2)2023/9/512现代密码学理论与实践-077.2 Traffic Confidentiality可以从通信量分析攻击得到的信息类型Identities of partnersHow frequently the partners are communicatingMessage pattern,length,quantity that suggest important information is being exchangedThe events that correlate with special conversations between particular partners隐蔽信道问题(covert channel)隐蔽信道就是以一种通信设施设计者未设想的方式进行通信的方法，通常这个信道被用于以一种违反安全规定的方式传送信息。2023/9/513现代密码学理论与实践-07链路加密方式使用链路加密时分组首部要加密，因此可以减少通信量分析的机会，但攻击者仍有可能估算出网络上的通信量并观察到进入和离开每个端系统的通信量的大小。有效防范措施是通信量填充(traffic padding)2023/9/514现代密码学理论与实践-07端到端加密方式端到端加密方式端到端加密方式使信息防护者可以采用的措施更有限，例如应用层加密可以使攻击者确定哪些通信实体参与了通信过程；传输层加密仍会透露网络层地址和通信量模式。解决办法是在传输层或应用层把所有数据单元都填充到一个统一的长度，以防止攻击者获得端用户之间交换的数据量信息，掩盖通信量模式。2023/9/515现代密码学理论与实践-07密钥分发问题symmetric schemes require both parties to share a common secret keyissue is how to securely distribute this keyoften secure system failure due to a break in the key distribution scheme 密钥分发可以采用的多种方法1.A can select key and physically deliver to B2.Third party can select&deliver key to A&B3.If A&B have communicated previously can use previous key to encrypt a new key4.If A&B have secure communications with a third party C,C can relay key between A&B7.3 Key Distribution2023/9/516现代密码学理论与实践-07端到端加密所涉及的密钥分配任务的难度N个结点需要的密钥数量是N(N-1)/21000个结点需要多达50万个密钥2023/9/517现代密码学理论与实践-07密钥层次结构的使用2023/9/518现代密码学理论与实践-07A和B各自拥有与KDC共享的主密钥KA和KB：A向KDC发出请求，要求得到与B通信的会话密钥KDC用KA加密传送给A如下内容：一次性会话密钥KS原始请求报文用KB加密的要发给B的会话密钥KS和A的标识符IDAA得到会话密钥KS并将有关信息发给BA和B之间进行认证，并正式秘密通信Nonces(现时，可以是时间戳、计数器或随机数)in authentication protocols to prevent replay一个密钥分配方案2023/9/519现代密码学理论与实践-07一种密钥分配过程：分配加认证2023/9/520现代密码学理论与实践-07层次化密钥控制层次化密钥控制建立一系列KDC，各个KDC之间存在层次关系，使得主密钥分配所涉及的工作量减至最小，因为大部分的主密钥都是由一个本地的KDC和它的本地实体共享的，并将出错或受到破坏的KDC的危害限制在它的本地区域会话密钥的使用寿命会话密钥更换越频繁就越安全对于面向连接的协议，每次会话使用新的密钥对于无连接的协议，每次交互使用新的密钥，或者每个固定时间或对于一定数量的交互使用一个给定的会话密钥2023/9/521现代密码学理论与实践-07一种透明的密钥控制方案2023/9/522现代密码学理论与实践-07分散式密钥控制要求每个端系统能够与所有潜在的伙伴以安全方式为了会话密钥分配的目的进行通信，因此对于一个有n个端系统的配置可能需要多达n(n-1)/2个主密钥2023/9/523现代密码学理论与实践-07控制密钥的使用方式因用途不同而定义的不同类型密钥数据加密密钥PIN加密密钥文件加密密钥依据密钥特征限制密钥的使用方式给予每个密钥一个关联标记，如DES64位密钥中留作做奇偶校验的8位非密钥比特1比特指示此密钥是主密钥还是会话密钥1比特指示此密钥是否可以用于加密1比特指示此密钥是否可以用于解密其余比特留待将来使用控制向量的方案2023/9/524现代密码学理论与实践-07控制向量的加密和解密2023/9/525现代密码学理论与实践-077.4 随机数的产生随机数random numbers的用途用于相互鉴别authentication，以防重放攻击会话密钥session keys的产生Public key generation，如在RSA算法中产生密钥Key-stream for a one-time padNonces(现时，可以是时间戳、计数器或随机数)in authentication protocols to prevent replayStatistically random(随机程度)uniform distribution,均匀分布，每个数出现的频率应该近似相等Independent，独立性，系列中的任意一个数都无法从其他数推测得到Unpredictable(不可预测程度)，cannot infer future sequence on previous values2023/9/526现代密码学理论与实践-07Best source is natural randomness in real world Find a regular but random event and monitor Do generally need special hardware to do this，e.g.radiation counters,radio noise,audio noise,thermal noise in diodes,leaky capacitors,mercury discharge tubes,etc.Problems of bias or uneven distribution in signal have to compensate for this when sample and use best to only use a few noisiest bits from each sampleSources of Random Numbers2023/9/527现代密码学理论与实践-07A few published collections of random numbers Rand Co,in 1955,published 1 million numbers generated using an electronic roulette wheel has been used in some cipher designs cf Khafre Earlier Tippett in 1927 published a collection Issues are thatthese are limitedtoo well-known for most uses Published Source2023/9/528现代密码学理论与实践-07Pseudorandom Number Generators(PRNGs)algorithmic technique to create“random numbers”although not truly randomcan pass many tests of“randomness”Linear Congruential Generator(线性同余)m，模数，m0a，乘数，0=a=mc，增量，0=c=mX0，初始值或种子，0=X0=mCommon iterative technique using Xn+1=(aXn+c)mod m伪随机数产生器2023/9/529现代密码学理论与实践-07given suitable values of parameters can produce a long random-like sequencee.g.a=7,c=0,m=32,X0=1,will produce 7,17,23,1,7,.,not satisfied since the period is 4e.g.a=5,c=0,m=32,X0=1,will produce 1,5,25,29,17,21,9,13,1,.,the period is 8随机数产生器的评价function generates a full-period,完整周期generated sequence should appear random，efficient implementation with 32-bit arithmeticConvenient implementation is to select m as a prime number,say m=231-1,then we have Xn+1=(aXn+c)mod(231-1),few a fails to pass the testNote that an attacker can reconstruct sequence given a small number of values2023/9/530现代密码学理论与实践-07用密码编码方式生成随机数循环加密从一个主密钥产生会话密钥Xi=EKmi2023/9/531现代密码学理论与实践-07DES输出反馈方式生成随机数Output Feedback ModeXi=EKmXi-1ANSI X9.17 PRNGuses date-time+seed inputs and 3 triple-DES encryptions to generate new seed&random2023/9/532现代密码学理论与实践-07Based on public key algorithmsUse least significant bit from iterative equation:xi+1=xi2 mod n where n=p.q,and primes p,q=3 mod 4Unpredictable,passes next-bit testSecurity rests on difficulty of factoring N It is unpredictable given any run of bits Slow,since very large numbers must be usedToo slow for cipher use,good for key generation Blum Blum Shub(BBS)Generator2023/9/533现代密码学理论与实践-07BBS产生器操作过程举例2023/9/534现代密码学理论与实践-07思考题与习题思考题与习题1.What is the difference between link and end-to-end encryption?2.What is the difference between a session key and a master key?3.What is the difference between statistical randomness and unpredictability?4.What is a nonce?5.What is traffic padding and its purpose?6.Problems:7.4,7.5,7.6,7.8,7.10 其中，7.5题原文“那么只要k小于m且m-1不可被k整除”应改为“那么只要k小于m且m-1与k互素”。2023/9/535现代密码学理论与实践-07