2918.G Distributed Key Management System: Key Confirmation Algorithm Implementation, Original Foreign-Language Text for Translation.doc
University Graduation Project (Thesis): Translation of Foreign-Language Material
School (Department): School of Computer Science
Major: Information Security
Student name:
Class and student number:
Source: William Stallings. Cryptography and Network Security, Fourth Edition. Prentice Hall. November 16, 2005
Attachments: 1. Translation of the foreign-language material; 2. Original foreign-language text
Supervisor's comments:
Supervisor's signature:
Date (year/month/day):

Original Text of the Foreign-Language Material

10.1. Key Management

In Chapter 7, we examined the problem of the distribution of secret keys. One of the major roles of public-key encryption has been to address the problem of key distribution. There are actually two distinct aspects to the use of public-key cryptography in this regard:

- The distribution of public keys
- The use of public-key encryption to distribute secret keys

We examine each of these areas in turn.

Distribution of Public Keys

Several techniques have been proposed for the distribution of public keys. Virtually all these proposals can be grouped into the following general schemes:

- Public announcement
- Publicly available directory
- Public-key authority
- Public-key certificates

Public Announcement of Public Keys

On the face of it, the point of public-key encryption is that the public key is public. Thus, if there is some broadly accepted public-key algorithm, such as RSA, any participant can send his or her public key to any other participant or broadcast the key to the community at large (Figure 10.1). For example, because of the growing popularity of PGP (pretty good privacy, discussed in Chapter 15), which makes use of RSA, many PGP users have adopted the practice of appending their public key to messages that they send to public forums, such as USENET newsgroups and Internet mailing lists.

Although this approach is convenient, it has a major weakness. Anyone can forge such a public announcement. That is, some user could pretend to be user A and send a public key to another participant or broadcast such a public key. Until such time as user A discovers the forgery and alerts other participants, the forger is able to read all encrypted messages intended for A and can use the forged keys for authentication (see Figure 9.3).

Publicly Available Directory

A greater degree of security can be achieved by maintaining a publicly available dynamic directory of public keys. Maintenance and distribution of the public directory would have to be the responsibility of some trusted entity or organization (Figure 10.2). Such a scheme would include the following elements:

1. The authority maintains a directory with a {name, public key} entry for each participant.
2. Each participant registers a public key with the directory authority. Registration would have to be in person or by some form of secure authenticated communication.
3. A participant may replace the existing key with a new one at any time, either because of the desire to replace a public key that has already been used for a large amount of data, or because the corresponding private key has been compromised in some way.
4. Participants could also access the directory electronically. For this purpose, secure, authenticated communication from the authority to the participant is mandatory.

This scheme is clearly more secure than individual public announcements but still has vulnerabilities. If an adversary succeeds in obtaining or computing the private key of the directory authority, the adversary could authoritatively pass out counterfeit public keys and subsequently impersonate any participant and eavesdrop on messages sent to any participant. Another way to achieve the same end is for the adversary to tamper with the records kept by the authority.

Public-Key Authority

Stronger security for public-key distribution can be achieved by providing tighter control over the distribution of public keys from the directory. A typical scenario is illustrated in Figure 10.3, which is based on a figure in [POPE79]. As before, the scenario assumes that a central authority maintains a dynamic directory of public keys of all participants. In addition, each participant reliably knows a public key for the authority, with only the authority knowing the corresponding private key. The following steps (matched by number to Figure 10.3) occur:

1. A sends a timestamped message to the public-key authority containing a request for the current public key of B.
2. The authority responds with a message that is encrypted using the authority's private key, PRauth. Thus, A is able to decrypt the message using the authority's public key. Therefore, A is assured that the message originated with the authority. The message includes the following:
   - B's public key, PUb, which A can use to encrypt messages destined for B
   - The original request, to enable A to match this response with the corresponding earlier request and to verify that the original request was not altered before reception by the authority
   - The original timestamp, so A can determine that this is not an old message from the authority containing a key other than B's current public key
3. A stores B's public key and also uses it to encrypt a message to B containing an identifier of A (IDA) and a nonce (N1), which is used to identify this transaction uniquely.
4. B retrieves A's public key from the authority in the same manner as A retrieved B's public key.

At this point, public keys have been securely delivered to A and B, and they may begin their protected exchange. However, two additional steps are desirable:

5. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new nonce generated by B (N2). Because only B could have decrypted message (3), the presence of N1 in message (6) assures A that the correspondent is B.
6. A returns N2, encrypted using B's public key, to assure B that its correspondent is A.

Thus, a total of seven messages are required. However, the initial four messages need be used only infrequently because both A and B can save the other's public key for future use, a technique known as caching. Periodically, a user should request fresh copies of the public keys of its correspondents to ensure currency.

Public-Key Certificates

The scenario of Figure 10.3 is attractive, yet it has some drawbacks. The public-key authority could be somewhat of a bottleneck in the system, for a user must appeal to the authority for a public key for every other user that it wishes to contact. As before, the directory of names and public keys maintained by the authority is vulnerable to tampering.

An alternative approach, first suggested by Kohnfelder [KOHN78], is to use certificates that can be used by participants to exchange keys without contacting a public-key authority, in a way that is as reliable as if the keys were obtained directly from a public-key authority. In essence, a certificate consists of a public key plus an identifier of the key owner, with the whole block signed by a trusted third party. Typically, the third party is a certificate authority, such as a government agency or a financial institution, that is trusted by the user community. A user can present his or her public key to the authority in a secure manner, and obtain a certificate. The user can then publish the certificate. Anyone needing this user's public key can obtain the certificate and verify that it is valid by way of the attached trusted signature. A participant can also convey its key information to another by transmitting its certificate.
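
Steps 1 and 2 of the public-key authority scenario above, as an added Python example that is not part of the textbook excerpt: it shows the three checks A applies to the authority's response (origin, echoed request, timestamp) and how each one rejects a forged, replayed or delayed message. Assumptions: "encrypted using the authority's private key" is modelled as a textbook RSA signature over a SHA-256 digest with a toy key, and the field names, key strings and 30-second window are hypothetical.

```python
import hashlib, json

# Toy RSA key pair for the authority, built from two Mersenne primes: trivially
# factorable, illustration only. Every name and value below is constructed.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # PRauth; (E, N) is the authority's public key
MAX_AGE = 30                            # assumed freshness window in seconds

def _digest(body):
    data = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def authority_respond(directory, request):
    """Step 2: bind B's key, the original request and its timestamp under PRauth."""
    body = {"pub": directory[request["want"]], "request": request,
            "time": request["time"]}
    return {"body": body, "sig": pow(_digest(body), D, N)}

def a_accept(response, my_request, now):
    """A's three checks on the response; returns B's key or raises ValueError."""
    body = response["body"]
    if pow(response["sig"], E, N) != _digest(body):
        raise ValueError("not produced with PRauth")
    if body["request"] != my_request:
        raise ValueError("does not match the request A sent")
    if body["time"] != my_request["time"] or now - body["time"] > MAX_AGE:
        raise ValueError("stale timestamp")
    return body["pub"]

def demo():
    directory = {"B": "PUb-old"}
    old_req = {"from": "A", "want": "B", "time": 1000}      # step 1, earlier run
    old_resp = authority_respond(directory, old_req)
    directory["B"] = "PUb-current"                          # B replaces its key
    req = {"from": "A", "want": "B", "time": 5000}          # step 1, current run
    good = authority_respond(directory, req)
    forged = {"body": dict(good["body"], pub="PUb-forged"), "sig": good["sig"]}
    cases = [("fresh", good, 5002), ("forged", forged, 5002),
             ("replayed", old_resp, 5002), ("delayed", good, 5100)]
    results = {}
    for name, resp, now in cases:
        try:
            results[name] = a_accept(resp, req, now)
        except ValueError as err:
            results[name] = "rejected: " + str(err)
    return results

if __name__ == "__main__":
    print(demo())
```

The replayed response carries a valid authority signature over B's old key, so only the echoed request and timestamp expose it; the signature check alone would accept it.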