CISP--密码技术基础介绍

CISP-密码技术基础介绍第第0章章 绪论绪论密码学与信息安全n n信息的私密性信息的私密性信息的私密性信息的私密性(Privacy)(Privacy)对称加密对称加密对称加密对称加密n n信息的完整性信息的完整性信息的完整性信息的完整性(Integrity)(Integrity)数字签名数字签名数字签名数字签名n n信息的源发鉴别信息的源发鉴别信息的源发鉴别信息的源发鉴别(Authentication)(Authentication)数字签名数字签名数字签名数字签名n n信息的防抵赖性信息的防抵赖性信息的防抵赖性信息的防抵赖性(Non-Reputation)(Non-Reputation)数字签名时间戳数字签名时间戳数字签名时间戳数字签名时间戳互联网困境Overview of Cryptographyn nInformation security and cryptography Information security and cryptography n nBackground on functions Background on functions n nBasic terminology and concepts Basic terminology and concepts n nSymmetric-key encryptionSymmetric-key encryptionn nDigital signatures Digital signatures n nAuthentication and identification Authentication and identification n nPublic-key cryptography Public-key cryptography n nHash functions Hash functions n nProtocols and mechanismsProtocols and mechanismsn nKey establishment,management,and certification Key establishment,management,and certification n nPseudorandom numbers and sequencesPseudorandom numbers and sequencesn nClasses of attacks and security modelsClasses of attacks and security modelsMathematical Backgroundn nProbability theory n nInformation theoryn nComplexity theory n nNumber theory n nAbstract algebran nFinite fieldsSome information security objectives密密密密码码码码学学学学分分分分类类类类第第1章章 密码学基础密码学基础1.1 密码学的历史与发展n n密码学的演进密码学的演进密码学的演进密码学的演进单表代替单表代替单表代替单表代替 多表代替多表代替多表代替多表代替 机械密机械密机械密机械密(恩格玛恩格玛恩格玛恩格玛)现代密码学现代密码学现代密码学现代密码学(对称与非对称密码体制对称与非对称密码体制对称与非对称密码体制对称与非对称密码体制)量子密码学量子密码学量子密码学量子密码学n n密码编码学和密码分析学密码编码学和密码分析学密码编码学和密码分析学密码编码学和密码分析学n n应用领域应用领域应用领域应用领域军事，外交，商业，个人通信，古文化研军事，外交，商业，个人通信，古文化研军事，外交，商业，个人通信，古文化研军事，外交，商业，个人通信，古文化研究等究等究等究等1.2基础术语n n点对点通信点对点通信n n消息与加密消息与加密n n鉴别、完整性与抗抵赖鉴别、完整性与抗抵赖n n算法与密钥算法与密钥n n对称算法对称算法n n公开密钥算法公开密钥算法n n密码分析与密码攻击密码分析与密码攻击点对点通信n n通信由发起方（发送方）与接收方组通信由发起方（发送方）与接收方组成成n n通过通信基础设施传送通过通信基础设施传送消息与加密n n消息（消息（message）-明文明文Mn n加密（加密（encryption）-逻辑扰乱逻辑扰乱E目的：对消息进行伪装目的：对消息进行伪装C，为非授，为非授权或非意向接收者制造麻烦。权或非意向接收者制造麻烦。n nE(M)=C鉴别、完整性与抗抵赖n n鉴别（鉴别（authentication）消息来源确认、防假冒、证明你是否消息来源确认、防假冒、证明你是否就是你所声明的你就是你所声明的你n n完整性（完整性（integrity）防篡改、证明消息与过程的正确性防篡改、证明消息与过程的正确性n n抗抵赖（抗抵赖（nonrepudiation）你或其他主体对所作所为的可确认性你或其他主体对所作所为的可确认性算法与密钥n n数学理论的应用算法数学理论的应用算法n n算法保密算法保密n n算法参数控制密钥算法参数控制密钥n n密钥保密为了消息保密密钥保密为了消息保密对称算法与公开密钥算法n n锁门的钥匙与开门的钥匙是同一把钥锁门的钥匙与开门的钥匙是同一把钥匙对称算法匙对称算法n n锁门的钥匙与开门的钥匙不是同一把锁门的钥匙与开门的钥匙不是同一把钥匙两把或更多公开密钥算法钥匙两把或更多公开密钥算法密码分析与密码攻击n n攻击（数学方法与计算支持）攻击（数学方法与计算支持）密文攻击、已知明文攻击、选择明文密文攻击、已知明文攻击、选择明文攻击、选择密文攻击、野蛮攻击攻击、选择密文攻击、野蛮攻击n n泄露（非技术方法）泄露（非技术方法）1.3密码政治n n国家政策国家政策绝密、普密、商密绝密、普密、商密n n国际惯例国际惯例 国家安全国家安全密码技术密码技术出入控制出入控制第第2章传统密码学章传统密码学2.1 传统密码学简介n n历史悠久，最古老与最现代的密码学历史悠久，最古老与最现代的密码学历史悠久，最古老与最现代的密码学历史悠久，最古老与最现代的密码学n n基本特点：加密和解密采用同一个密钥基本特点：加密和解密采用同一个密钥基本特点：加密和解密采用同一个密钥基本特点：加密和解密采用同一个密钥let let C C=Cipher text,=Cipher text,P P=Plain text,=Plain text,k k is key,is key,E()/D()is the encryption/decryption function,E()/D()is the encryption/decryption function,thenthenC C=E(=E(P P,k k),),P P=D(=D(C C,k k)n n基本技术基本技术基本技术基本技术替换替换替换替换/置换和移位置换和移位置换和移位置换和移位2.2 DESn nDESDES是第一个得到广泛应用的密码算法；是第一个得到广泛应用的密码算法；是第一个得到广泛应用的密码算法；是第一个得到广泛应用的密码算法；n nDESDES是一种分组加密算法，输入的明文为是一种分组加密算法，输入的明文为是一种分组加密算法，输入的明文为是一种分组加密算法，输入的明文为6464位，密钥为位，密钥为位，密钥为位，密钥为5656位，生成的密文为位，生成的密文为位，生成的密文为位，生成的密文为6464位；位；位；位；n nDESDES是一种对称密码算法，源于是一种对称密码算法，源于是一种对称密码算法，源于是一种对称密码算法，源于LuciferLucifer算法，算法，算法，算法，其中采用了其中采用了其中采用了其中采用了FeistelFeistel网络网络网络网络(Feistel Network)(Feistel Network)，即，即，即，即n nDESDES已经过时，基本上认为不再安全；已经过时，基本上认为不再安全；已经过时，基本上认为不再安全；已经过时，基本上认为不再安全；http:/ IDEAn nXuejia LaiXuejia Lai和和和和James MasseyJames Massey提出；提出；提出；提出；n nIDEAIDEA是对称、分组密码算法，输入明文为是对称、分组密码算法，输入明文为是对称、分组密码算法，输入明文为是对称、分组密码算法，输入明文为6464位，密钥为位，密钥为位，密钥为位，密钥为128128位，生成的密文为位，生成的密文为位，生成的密文为位，生成的密文为6464位；位；位；位；n nIDEAIDEA是一种相对较新的算法，虽有坚实的理是一种相对较新的算法，虽有坚实的理是一种相对较新的算法，虽有坚实的理是一种相对较新的算法，虽有坚实的理论基础，但仍应谨慎使用论基础，但仍应谨慎使用论基础，但仍应谨慎使用论基础，但仍应谨慎使用(尽管该算法已被证尽管该算法已被证尽管该算法已被证尽管该算法已被证明可对抗差分分析和线性分析明可对抗差分分析和线性分析明可对抗差分分析和线性分析明可对抗差分分析和线性分析)；n nIDEAIDEA是一种专利算法是一种专利算法是一种专利算法是一种专利算法(在欧洲和美国在欧洲和美国在欧洲和美国在欧洲和美国)，专利，专利，专利，专利由由由由Ascom-Tech AGAscom-Tech AG拥有拥有拥有拥有;n nPGPPGP中已实现了中已实现了中已实现了中已实现了IDEAIDEA；2.4 RC系列n nRCRC系列是系列是系列是系列是Ron RivestRon Rivest为为为为RSARSA公司设计的一系公司设计的一系公司设计的一系公司设计的一系列密码列密码列密码列密码：RC1RC1从未被公开，以致于许多人们称其只出现在从未被公开，以致于许多人们称其只出现在从未被公开，以致于许多人们称其只出现在从未被公开，以致于许多人们称其只出现在RivestRivest的记事本上；的记事本上；的记事本上；的记事本上；RC2RC2是变长密钥加密密法；是变长密钥加密密法；是变长密钥加密密法；是变长密钥加密密法；(RC3(RC3在设计过程中在在设计过程中在在设计过程中在在设计过程中在RSADSIRSADSI内被攻破内被攻破内被攻破内被攻破););RC4RC4是是是是RivestRivest在在在在19871987年设计的变长密钥的序列密年设计的变长密钥的序列密年设计的变长密钥的序列密年设计的变长密钥的序列密码；码；码；码；RC5RC5是是是是RivestRivest在在在在19941994年设计的分组长、密钥长的年设计的分组长、密钥长的年设计的分组长、密钥长的年设计的分组长、密钥长的迭代轮数都可变的分组迭代密码算法；迭代轮数都可变的分组迭代密码算法；迭代轮数都可变的分组迭代密码算法；迭代轮数都可变的分组迭代密码算法；n nDES(56),RC5-32/12/5,RC5-32/12/6,RC-DES(56),RC5-32/12/5,RC5-32/12/6,RC-32/12/732/12/7已分别在已分别在已分别在已分别在19971997年被破译；年被破译；年被破译；年被破译；2.5 AES Candidate和Rijndealn nAESAES评选过程评选过程评选过程评选过程n n最后的最后的最后的最后的5 5个候选算法：个候选算法：个候选算法：个候选算法：Mars,RC6,Rijndael,Mars,RC6,Rijndael,Serpent,and TwofishSerpent,and Twofishn nRijndaelRijndael算法的原型是算法的原型是算法的原型是算法的原型是SquareSquare算法，其设计算法，其设计算法，其设计算法，其设计策略是宽轨迹策略策略是宽轨迹策略策略是宽轨迹策略策略是宽轨迹策略(Wide Trail Strategy)(Wide Trail Strategy)，以，以，以，以针对差分分析和线性分析；针对差分分析和线性分析；针对差分分析和线性分析；针对差分分析和线性分析；n nRijndaelRijndael是迭代分组密码，其分组长度和密钥是迭代分组密码，其分组长度和密钥是迭代分组密码，其分组长度和密钥是迭代分组密码，其分组长度和密钥长度都是可变的；为了满足长度都是可变的；为了满足长度都是可变的；为了满足长度都是可变的；为了满足AESAES的要求，分的要求，分的要求，分的要求，分组长度为组长度为组长度为组长度为128bit128bit，密码长度为，密码长度为，密码长度为，密码长度为128/192/256bit128/192/256bit，相应的轮数，相应的轮数，相应的轮数，相应的轮数r r为为为为10/12/1410/12/14。2.6分组密码工作模式n nECB(The Electronic Codebook)n nCBC(Cipher Block Chaining)n nCFB(Cipher Feedback)n nOFB(Output Feedback)n n CTR(Counter).Electronic Codebook(ECB)moden nThe Electronic Codebook(ECB)mode is a The Electronic Codebook(ECB)mode is a confidentiality mode that features,for a given key,the confidentiality mode that features,for a given key,the assignment of a fixed ciphertext block to each assignment of a fixed ciphertext block to each plaintext block,analogous to the ssignment of code plaintext block,analogous to the ssignment of code words in a codebook.words in a codebook.n nIn ECB encryption,the forward cipher function is In ECB encryption,the forward cipher function is applied directly and independently to each block of applied directly and independently to each block of the plaintext.The resulting sequence of output blocks the plaintext.The resulting sequence of output blocks is the ciphertext.is the ciphertext.n nIn ECB decryption,the inverse cipher function is In ECB decryption,the inverse cipher function is applied directly and independently to each block of applied directly and independently to each block of the ciphertext.The resulting sequence of output blocks the ciphertext.The resulting sequence of output blocks is the plaintext.is the plaintext.Electronic Codebook ModeECB Encryption:Cj=CIPHK(Pj)for j=1 n.ECB Decryption:Pj=CIPH-1K(Cj)for j=1 n.Cipher Block Chaining Moden nThe Cipher Block Chaining(CBC)mode is a The Cipher Block Chaining(CBC)mode is a confidentiality mode whose encryption confidentiality mode whose encryption process features the combining(“chaining”)process features the combining(“chaining”)of the plaintext blocks with the previous of the plaintext blocks with the previous ciphertext blocks.The CBC mode requires an ciphertext blocks.The CBC mode requires an IV to combine with the first plaintext block.IV to combine with the first plaintext block.The IV need not be secret,but it must be The IV need not be secret,but it must be unpredictable;unpredictable;Cipher Block Chaining Moden nIn CBC encryption,the first input block is formed by exclusive-In CBC encryption,the first input block is formed by exclusive-ORing the first block of the plaintext with the IV.The forward ORing the first block of the plaintext with the IV.The forward cipher function is applied to the first input block,and the cipher function is applied to the first input block,and the resulting output block is the first block of the ciphertext.This resulting output block is the first block of the ciphertext.This output block is also exclusive-ORed with the second plaintext output block is also exclusive-ORed with the second plaintext data block to produce the second input block,and the forward data block to produce the second input block,and the forward cipher function is applied to produce the second output block.cipher function is applied to produce the second output block.This output block,which is the second ciphertext block,is This output block,which is the second ciphertext block,is exclusive-ORed with the next plaintext block to form the next exclusive-ORed with the next plaintext block to form the next input block.Each successive plaintext block is exclusive-ORed input block.Each successive plaintext block is exclusive-ORed with the previous output/ciphertext block to produce the new with the previous output/ciphertext block to produce the new input block.The forward cipher function is applied to each input block.The forward cipher function is applied to each input block to produce the ciphertext block.input block to produce the ciphertext block.Cipher Feedback(CFB)moden nThe Cipher Feedback(CFB)mode is a The Cipher Feedback(CFB)mode is a confidentiality mode that features the feedback of confidentiality mode that features the feedback of successive ciphertext segments into the input blocks successive ciphertext segments into the input blocks of the forward cipher to generate output blocks of the forward cipher to generate output blocks that are exclusive-ORed with the plaintext to that are exclusive-ORed with the plaintext to produce the ciphertext,and vice versa.The CFB produce the ciphertext,and vice versa.The CFB mode requires an IV as the initial input block.The mode requires an IV as the initial input block.The IV need not be secret,but it must be unpredictable;IV need not be secret,but it must be unpredictable;Cipher Feedback ModeOutput Feedback(OFB)moden nThe is a confidentiality mode that features the The is a confidentiality mode that features the iteration of the forward cipher on an IV to iteration of the forward cipher on an IV to generate a sequence of output blocks that are generate a sequence of output blocks that are exclusive-ORed with the plaintext to produce exclusive-ORed with the plaintext to produce the ciphertext,and vice versa.The OFB mode the ciphertext,and vice versa.The OFB mode requires that the IV is a nonce,i.e.,the IV requires that the IV is a nonce,i.e.,the IV must be unique for each execution of the must be unique for each execution of the mode under the given key;mode under the given key;Output Feedback Moden nIn OFB encryption,the IV is transformed by the forward cipher In OFB encryption,the IV is transformed by the forward cipher function to produce the first output block.The first output block function to produce the first output block.The first output block is exclusive-ORed with the first plaintext block to produce the is exclusive-ORed with the first plaintext block to produce the first ciphertext block.The forward cipher function is then first ciphertext block.The forward cipher function is then invoked on the first output block to produce the second output invoked on the first output block to produce the second output block.The second output block is exclusive-ORed with the block.The second output block is exclusive-ORed with the second plaintext block to produce the second ciphertext block,second plaintext block to produce the second ciphertext block,and the forward cipher function is invoked on the second output and the forward cipher function is invoked on the second output block to produce the third output block.Thus,the successive block to produce the third output block.Thus,the successive output blocks are produced from applying the forward cipher output blocks are produced from applying the forward cipher function to the previous output blocks,and the output blocks are function to the previous output blocks,and the output blocks are exclusive-ORed with the corresponding plaintext blocks to exclusive-ORed with the corresponding plaintext blocks to produce the ciphertext blocks.For the last block,which may be a produce the ciphertext blocks.For the last block,which may be a partial block of partial block of u u bits,the most significant bits,the most significant u u bits of the last bits of the last output block are used for the exclusive-OR operation;the output block are used for the exclusive-OR operation;the remaining remaining b b-u u bits of the last output block are discarded.bits of the last output block are discarded.n nIn both OFB encryption and OFB decryption,In both OFB encryption and OFB decryption,each forward cipher function(except the first)each forward cipher function(except the first)depends on the results of the previous forward depends on the results of the previous forward cipher function;therefore,multiple forward cipher function;therefore,multiple forward cipher functions cannot be performed in parallel.cipher functions cannot be performed in parallel.However,if the IV is known,the output blocks However,if the IV is known,the output blocks can be generated prior to the availability of the can be generated prior to the availability of the plaintext or ciphertext data.plaintext or ciphertext data.Counter(CTR)moden nThe is a confidentiality mode that features the The is a confidentiality mode that features the application of the forward cipher to a set of input application of the forward cipher to a set of input blocks,called counters,to produce a sequence of blocks,called counters,to produce a sequence of output blocks that are exclusive-ORed with the output blocks that are exclusive-ORed with the plaintext to produce the ciphertext,and vice versa.plaintext to produce the ciphertext,and vice versa.The sequence of counters must have the property The sequence of counters must have the property that each block in the sequence is different from that each block in the sequence is different from every other block.This condition is not restricted to every other block.This condition is not restricted to a single message:across all of the messages that are a single message:across all of the messages that are encrypted under the given key,all of the counters encrypted under the given key,all of the counters must be distinct.must be distinct.n nIn both CTR encryption and CTR decryption,In both CTR encryption and CTR decryption,the forward cipher functions can be performed in the forward cipher functions can be performed in parallel;similarly,the plaintext block that parallel;similarly,the plaintext block that corresponds to any particular ciphertext block corresponds to any particular ciphertext block can be recovered independently from the other can be recovered independently from the other plaintext blocks if the corresponding counter plaintext blocks if the corresponding counter block can be determined.Moreover,the forward block can be determined.Moreover,the forward cipher functions can be applied to the counters cipher functions can be applied to the counters prior to the availability of the plaintext or prior to the availability of the plaintext or ciphertext data.ciphertext data.2.6流密码工作模式n nsynchronous stream ciphern nbinary additive stream ciphern nself-synchronizing stream cipherGeneral model of a synchronous stream cipherGeneral model of a binary additive stream cipher.General model of a self-synchronizing stream cipher.self-synchronizing stream cipher Property 1/4n nself-synchronizationself-synchronization.Self-synchronization is Self-synchronization is possible if ciphertext digits are deleted or possible if ciphertext digits are deleted or inserted,because the decryption mapping inserted,because the decryption mapping depends only on a fixed number of depends only on a fixed number of preceding ciphertext characters.Such preceding ciphertext characters.Such ciphers are capable of re-establishing ciphers are capable of re-establishing proper decryption automatically after loss proper decryption automatically after loss of synchronization,with only a fixed of synchronization,with only a fixed number of plaintext characters number of plaintext characters unrecoverable.unrecoverable.self-synchronizing stream cipher Property 2/4n nlimited error propagationlimited error propagation.Suppose that the Suppose that the state of a self-synchronization stream cipher state of a self-synchronization stream cipher depends on depends on t t previous ciphertext digits.If a previous ciphertext digits.If a single ciphertext digit is modified(or even single ciphertext digit is modified(or even deleted or inserted)during transmission,deleted or inserted)during transmission,then decryption of up to then decryption of up to t t subsequent subsequent ciphertext digits may be incorrect,after ciphertext digits may be incorrect,after which correct decryption resumes.which correct decryption resumes.self-synchronizing stream cipher Property 3/4n nactive attacks.active attacks.Property(ii)implies that any Property(ii)implies that any modification of ciphertext digits by an active modification of ciphertext digits by an active adversary causes several other ciphertext digits to be adversary causes several other ciphertext digits to be decrypted incorrectly,thereby improving(compared decrypted incorrectly,thereby improving(compared to synchronous stream ciphers)the likelihood of to synchronous stream ciphers)the likelihood of being detected by the decryptor.As a consequence of being detected by the decryptor.As a consequence of property(i),it is more difficult(than for synchronous property(i),it is more difficult(than for synchronous stream ciphers)to detect insertion,deletion,or stream ciphers)to detect insertion,deletion,or replay of ciphertext digits by an active adversary.replay of ciphertext digits by an active adversary.This illustrates that additional mechanisms must be This illustrates that additional mechanisms must be employed in order to provide data origin employed in order to provide data origin authentication and data integrity guaranteesauthentication and data integrity guaranteesself-synchronizing stream cipher Property 4/4n ndiffusion of plaintext statisticsdiffusion of plaintext statistics.Since each Since each plaintext digit influences the entire followingplaintext digit influences the entire followingn nciphertext,the statistical properties of the ciphertext,the statistical properties of the plaintext are dispersed through the plaintext are dispersed through the ciphertext.Hence,self-synchronizing stream ciphertext.Hence,self-synchronizing stream ciphers may bemore resistant than ciphers may bemore resistant than synchronous stream ciphers against attacks synchronous stream ciphers against attacks based on plaintext redundancy.based on plaintext redundancy.小结n nDESDES是应用最广泛的对称密码算法是应用最广泛的对称密码算法是应用最广泛的对称密码算法是应用最广泛的对称密码算法(由于计由于计由于计由于计算能力的快速进展，算能力的快速进展，算能力的快速进展，算能力的快速进展，DESDES已不在被认为是已不在被认为是已不在被认为是已不在被认为是安全的安全的安全的安全的)；n nIDEAIDEA在欧洲应用较多；在欧洲应用较多；在欧洲应用较多；在欧洲应用较多；n nRCRC系列密码算法的使用也较广系列密码算法的使用也较广系列密码算法的使用也较广系列密码算法的使用也较广(已随着已随着已随着已随着SSLSSL传遍全球传遍全球传遍全球传遍全球););n nAESAES将是未来最主要，最常用的对称密码将是未来最主要，最常用的对称密码将是未来最主要，最常用的对称密码将是未来最主要，最常用的对称密码算法；算法；算法；算法；第第3章现代密码学章现代密码学3.1公钥密码学简介n nWhitefield DiffieWhitefield Diffie，Martin HellmanMartin Hellman，New New Directions in CryptographyDirections in Cryptography,1976,1976n n公钥密码学的出现使大规模的安全通信得以实现公钥密码学的出现使大规模的安全通信得以实现公钥密码学的出现使大规模的安全通信得以实现公钥密码学的出现使大规模的安全通信得以实现 解决了密钥分发问题；解决了密钥分发问题；解决了密钥分发问题；解决了密钥分发问题；n n公钥密码学还可用于另外一些应用：数字签名、防公钥密码学还可用于另外一些应用：数字签名、防公钥密码学还可用于另外一些应用：数字签名、防公钥密码学还可用于另外一些应用：数字签名、防抵赖等；抵赖等；抵赖等；抵赖等；n n公钥密码体制的基本原理公钥密码体制的基本原理公钥密码体制的基本原理公钥密码体制的基本原理 陷门单向函数陷门单向函数陷门单向函数陷门单向函数(troopdoor one-way function)(troopdoor one-way function)3.2 RSAn nRon Rivest,Adi ShamirRon Rivest,Adi Shamir和和和和Len AdlemanLen Adleman于于于于19771977年研年研年研年研制并于制并于制并于制并于19781978年首次发表；年首次发表；年首次发表；年首次发表；n nRSARSA是一种分组密码，其理论基础是一种特殊的可是一种分组密码，其理论基础是一种特殊的可是一种分组密码，其理论基础是一种特殊的可是一种分组密码，其理论基础是一种特殊的可逆模幂运算，其安全性基于分解大整数的困难性；逆模幂运算，其安全性基于分解大整数的困难性；逆模幂运算，其安全性基于分解大整数的困难性；逆模幂运算，其安全性基于分解大整数的困难性；n nRSARSA既可用于加密，又可用于数字签名，已得到广既可用于加密，又可用于数字