CISP -- Introduction to the Basics of Cryptographic Technology (ppt, 96 pages)

Information Security Technology: Cryptographic Technology
China Information Technology Security Evaluation and Certification Center (CNITSEC), CISP-2 Cryptographic Technology (training draft)

Chapter 0 Introduction

Cryptography and information security
- Privacy of information -> symmetric encryption
- Integrity of information -> digital signatures
- Origin authentication of information -> digital signatures
- Non-repudiation of information -> digital signatures and timestamps

The Internet dilemma

Overview of Cryptography
- Information security and cryptography
- Background on functions
- Basic terminology and concepts
- Symmetric-key encryption
- Digital signatures
- Authentication and identification
- Public-key cryptography
- Hash functions
- Protocols and mechanisms
- Key establishment, management, and certification
- Pseudorandom numbers and sequences
- Classes of attacks and security models

Mathematical Background
- Probability theory
- Information theory
- Complexity theory
- Number theory
- Abstract algebra
- Finite fields

Some information security objectives

Classification of cryptography

Chapter 1 Foundations of Cryptography

1.1 History and development of cryptography
- Evolution of cryptography: monoalphabetic substitution -> polyalphabetic substitution -> mechanical ciphers (Enigma) -> modern cryptography (symmetric and asymmetric cryptosystems) -> quantum cryptography
- Cryptography (designing ciphers) and cryptanalysis (breaking them)
- Fields of application: military, diplomacy, commerce, personal communication, study of ancient cultures, etc.

1.2 Basic terminology
- Point-to-point communication
- Messages and encryption
- Authentication, integrity and non-repudiation
- Algorithms and keys
- Symmetric algorithms
- Public-key algorithms
- Cryptanalysis and cryptographic attacks

Point-to-point communication
- Communication consists of an initiator (the sender) and a receiver
- It is carried over the communication infrastructure

Messages and encryption
- Message: the plaintext M
- Encryption: a logical scrambling E whose purpose is to disguise the message as C, making things difficult for unauthorized or unintended recipients
- E(M) = C

Authentication, integrity and non-repudiation
- Authentication: confirming the origin of a message, preventing impersonation, proving that you are who you claim to be
- Integrity: preventing tampering, proving that the message and the process are correct
- Non-repudiation: you or any other principal cannot deny what you have done

Algorithms and keys
- Application of mathematical theory -> the algorithm
- Keeping the algorithm secret
- The parameter that controls the algorithm -> the key
- Keeping the key secret, so that the message stays secret

Symmetric algorithms and public-key algorithms
- The key that locks the door is the same key that unlocks it -> symmetric algorithm
- The key that locks the door is not the key that unlocks it (two or more keys) -> public-key algorithm

Cryptanalysis and cryptographic attacks
- Attacks (mathematical methods supported by computation): ciphertext-only, known-plaintext, chosen-plaintext, chosen-ciphertext, brute-force
- Leakage (non-technical methods)

1.3 Cryptographic policy
- National policy: top-secret, general and commercial grades of cryptography
- International practice
- National security: import and export controls on cryptographic technology

Chapter 2 Traditional Cryptography

2.1 Introduction to traditional cryptography
- A long history: at once the oldest and the most modern cryptography
- Basic feature: encryption and decryption use the same key. Let C = ciphertext, P = plaintext, k the key, and E()/D() the encryption/decryption functions; then C = E(P, k) and P = D(C, k)
- Basic techniques: substitution and transposition/shifting

2.2 DES
- DES was the first cipher to be widely used
- DES is a block cipher: 64-bit plaintext input, 56-bit key, 64-bit ciphertext output
- DES is a symmetric cipher derived from the Lucifer algorithm and built on a Feistel network
- DES is obsolete and is generally considered no longer secure

2.3 IDEA
- Proposed by Xuejia Lai and James Massey
- IDEA is a symmetric block cipher: 64-bit plaintext input, 128-bit key, 64-bit ciphertext output
- IDEA is a relatively new algorithm; although it has a solid theoretical foundation, it should still be used with caution (even though it has been shown to resist differential and linear cryptanalysis)
- IDEA is a patented algorithm (in Europe and the United States); the patent is held by Ascom-Tech AG
- IDEA is implemented in PGP

2.4 The RC series
The RC series is a family of ciphers designed by Ron Rivest for RSA:
- RC1 was never published, so that many say it exists only in Rivest's notebook
- RC2 is a variable-key-length block cipher (RC3 was broken inside RSADSI while it was being designed)
- RC4 is a variable-key-length stream cipher designed by Rivest in 1987
- RC5, designed by Rivest in 1994, is an iterated block cipher whose block length, key length and number of rounds are all variable
- DES (56-bit), RC5-32/12/5, RC5-32/12/6 and RC5-32/12/7 were each broken in 1997

2.5 The AES candidates and Rijndael
- The AES selection process; the five finalists: Mars, RC6, Rijndael, Serpent and Twofish
- Rijndael's prototype is the Square cipher; its design strategy is the Wide Trail Strategy, aimed at differential and linear cryptanalysis
- Rijndael is an iterated block cipher whose block length and key length are both variable; to meet the AES requirements the block length is 128 bits, the key length is 128/192/256 bits, and the corresponding number of rounds r is 10/12/14

2.6 Block cipher modes of operation
- ECB (Electronic Codebook)

- CBC (Cipher Block Chaining)
- CFB (Cipher Feedback)
- OFB (Output Feedback)
- CTR (Counter)

Electronic Codebook (ECB) mode
The Electronic Codebook (ECB) mode is a confidentiality mode that features, for a given key, the assignment of a fixed ciphertext block to each plaintext block, analogous to the assignment of code words in a codebook. In ECB encryption, the forward cipher function is applied directly and independently to each block of the plaintext. The resulting sequence of output blocks is the ciphertext. In ECB decryption, the inverse cipher function is applied directly and independently to each block of the ciphertext. The resulting sequence of output blocks is the plaintext.

Electronic Codebook Mode
- ECB encryption: C_j = CIPH_K(P_j) for j = 1, ..., n
- ECB decryption: P_j = CIPH^-1_K(C_j) for j = 1, ..., n

Cipher Block Chaining Mode
The Cipher Block Chaining (CBC) mode is a confidentiality mode whose encryption process features the combining ("chaining") of the plaintext blocks with the previous ciphertext blocks. The CBC mode requires an IV to combine with the first plaintext block. The IV need not be secret, but it must be unpredictable.

Cipher Block Chaining Mode
In CBC encryption, the first input block is formed by exclusive-ORing the first block of the plaintext with the IV. The forward cipher function is applied to the first input block, and the resulting output block is the first block of the ciphertext. This output block is also exclusive-ORed with the second plaintext data block to produce the second input block, and the forward cipher function is applied to produce the second output block. This output block, which is the second ciphertext block, is exclusive-ORed with the next plaintext block to form the next input block. Each successive plaintext block is exclusive-ORed with the previous output/ciphertext block to produce the new input block. The forward cipher function is applied to each input block to produce the ciphertext block.

Cipher Feedback (CFB) mode
The Cipher Feedback (CFB) mode is a confidentiality mode that features the feedback of successive ciphertext segments into the input blocks of the forward cipher to generate output blocks that are exclusive-ORed with the plaintext to produce the ciphertext, and vice versa. The CFB mode requires an IV as the initial input block. The IV need not be secret, but it must be unpredictable.

Cipher Feedback Mode

Output Feedback (OFB) mode
The OFB mode is a confidentiality mode that features the iteration of the forward cipher on an IV to generate a sequence of output blocks that are exclusive-ORed with the plaintext to produce the ciphertext, and vice versa. The OFB mode requires that the IV is a nonce, i.e., the IV must be unique for each execution of the mode under the given key.

Output Feedback Mode
In OFB encryption, the IV is transformed by the forward cipher function to produce the first output block. The first output block is exclusive-ORed with the first plaintext block to produce the first ciphertext block. The forward cipher function is then invoked on the first output block to produce the second output block. The second output block is exclusive-ORed with the second plaintext block to produce the second ciphertext block, and the forward cipher function is invoked on the second output block to produce the third output block. Thus, the successive output blocks are produced from applying the forward cipher function to the previous output blocks, and the output blocks are exclusive-ORed with the corresponding plaintext blocks to produce the ciphertext blocks. For the last block, which may be a partial block of u bits, the most significant u bits of the last output block are used for the exclusive-OR operation; the remaining b-u bits of the last output block are discarded.

In both OFB encryption and OFB decryption, each forward cipher function (except the first) depends on the results of the previous forward cipher function; therefore, multiple forward cipher functions cannot be performed in parallel. However, if the IV is known, the output blocks can be generated prior to the availability of the plaintext or ciphertext data.

Counter (CTR) mode
The CTR mode is a confidentiality mode that features the application of the forward cipher to a set of input blocks, called counters, to produce a sequence of output blocks that are exclusive-ORed with the plaintext to produce the ciphertext, and vice versa. The sequence of counters must have the property that each block in the sequence is different from every other block. This condition is not restricted to a single message: across all of the messages that are encrypted under the given key, all of the counters must be distinct.

In both CTR encryption and CTR decryption, the forward cipher functions can be performed in parallel; similarly, the plaintext block that corresponds to any particular ciphertext block can be recovered independently from the other plaintext blocks if the corresponding counter block can be determined. Moreover, the forward cipher functions can be applied to the counters prior to the availability of the plaintext or ciphertext data.

2.6 Stream cipher modes of operation
- Synchronous stream cipher
- Binary additive stream cipher
- Self-synchronizing stream cipher

General model of a synchronous stream cipher

General model of a binary additive stream cipher

General model of a self-synchronizing stream cipher

Self-synchronizing stream cipher, property 1/4: self-synchronization
Self-synchronization is possible if ciphertext digits are deleted or inserted, because the decryption mapping depends only on a fixed number of preceding ciphertext characters. Such ciphers are capable of re-establishing proper decryption automatically after loss of synchronization, with only a fixed number of plaintext characters unrecoverable.

Self-synchronizing stream cipher, property 2/4: limited error propagation
Suppose that the state of a self-synchronizing stream cipher depends on t previous ciphertext digits. If a single ciphertext digit is modified (or even deleted or inserted) during transmission, then decryption of up to t subsequent ciphertext digits may be incorrect, after which correct decryption resumes.

Self-synchronizing stream cipher, property 3/4: active attacks
Property (ii) implies that any modification of ciphertext digits by an active adversary causes several other ciphertext digits to be decrypted incorrectly, thereby improving (compared to synchronous stream ciphers) the likelihood of being detected by the decryptor. As a consequence of property (i), it is more difficult (than for synchronous stream ciphers) to detect insertion, deletion, or replay of ciphertext digits by an active adversary. This illustrates that additional mechanisms must be employed in order to provide data origin authentication and data integrity guarantees.

Self-synchronizing stream cipher, property 4/4: diffusion of plaintext statistics
Since each plaintext digit influences the entire following ciphertext, the statistical properties of the plaintext are dispersed through the ciphertext. Hence, self-synchronizing stream ciphers may be more resistant than synchronous stream ciphers against attacks based on plaintext redundancy.

Summary
- DES is the most widely used symmetric cipher (because of the rapid growth in computing power, DES is no longer considered secure)
- IDEA is used mostly in Europe
- The RC series ciphers are also widely used (they have spread worldwide with SSL)
- AES will be the most important and most commonly used symmetric cipher in the future

Chapter 3 Modern Cryptography

3.1 Introduction to public-key cryptography
- Whitfield Diffie and Martin Hellman, "New Directions in Cryptography", 1976
- The advent of public-key cryptography made large-scale secure communication possible by solving the key distribution problem
- Public-key cryptography can also be used for other applications: digital signatures, non-repudiation, etc.
- The basic principle of public-key cryptosystems: the trapdoor one-way function

3.2 RSA
- Developed by Ron Rivest, Adi Shamir and Len Adleman in 1977 and first published in 1978
- RSA is a block cipher whose theoretical basis is a particular invertible modular exponentiation; its security rests on the difficulty of factoring large integers
- RSA can be used both for encryption and for digital signatures, and has been widely adopted
- RSA has been accepted by many standards bodies (ISO, ITU, IETF, SWIFT, etc.)
- RSA-155 (512 bits) and RSA-140 were each factored in 1999

RSA (cont.)
Let n be the product of two distinct primes, n = pq, and compute its Euler function value φ(n) = (p-1)(q-1). Choose a random integer e with 1 < e < φ(n) and gcd(φ(n), e) = 1. Then e has an inverse d modulo φ(n). Take (n, e) as the public key and d as the private key (p and q are no longer needed and should be discarded, but must never be disclosed). The encryption transformation and the decryption transformation are defined in terms of these keys.

3.3 DH/DSA
- Diffie-Hellman (DH) was the first public-key algorithm; its security rests on the difficulty of computing discrete logarithms in a finite field
- DH can be used for key distribution, but not for encrypting/decrypting messages
- The DH algorithm is widely used and has been accepted by many standards bodies (IETF and others)
- DSA is the Digital Signature Standard (DSS) proposed by NIST in 1991; the standard was promulgated on 19 May 1994
- DSA is a variant of the Schnorr and ElGamal signature algorithms; DSA can only be used for digital signatures, not for encryption

3.4 ElGamal
- In 1985 ElGamal proposed, based on the discrete logarithm problem, a cryptosystem usable both for digital signatures and for encryption (a modification of its signature scheme was adopted by NIST as the Digital Signature Standard, DSS)
- The ElGamal, Schnorr and DSA signature algorithms are all very similar; in fact they are merely three instances of a general digital signature based on the discrete logarithm problem

Summary
- RSA is the easiest to implement
- The ElGamal algorithm is better suited to encryption
- DSA is excellent for digital signatures, and DSA is royalty-free and freely available
- Diffie-Hellman is the simplest key exchange algorithm

Chapter 4 Hash Functions

4.1 One-way hash functions
- A hash function maps a digital string M of arbitrary length to a shorter, fixed-length output string H; we are usually concerned with one-way hash functions
- Design theory of one-way hash functions
- Besides digital signature schemes, hash functions can be used for other purposes such as message integrity checking and message origin authentication
- Common attack methods

4.2 The MD series
A family of hash functions designed by Ron Rivest:
- MD4: Rivest 1990, 1992, 1995; RFC 1320
- MD5: an improved MD4; RFC 1321
- MD2: RFC 1319; broken by Rogier et al. in 1995
- Adopted early by the IETF standards body and widely deployed
- Security overview

4.3 SHA and SHA-1
- NIST and the NSA designed the Secure Hash Standard (SHS) to accompany the DSS; its algorithm is SHA (FIPS PUB 180), and the revised version is called SHA-1 (FIPS PUB 180-1)
- SHA/SHA-1 adopt design criteria similar to MD4 and a structure similar to MD4, but their output is 160 bits
- No effective attack on SHA is currently known

4.3 RIPE-MD
- A hash algorithm developed under the European Community's RIPE project (RACE 1992) as a variant of MD4, designed against the known cryptanalytic attacks; the hash value is 128 bits
- The improved version of RIPE-MD is RIPEMD-160

4.4 HMAC
- HMAC computes a message authentication code value using a hash function
- HMAC can be proven to have a certain reasonable cryptanalytic strength given the security provided by the embedded hash function

4.5 Comparison of SHA with MD4 and MD5

Chapter 5 Applications of Cryptography

5.1 Confidentiality protection
- Type of cryptosystem (symmetric algorithm, asymmetric algorithm)
- Algorithm selection (symmetric algorithm, asymmetric algorithm)
- Mode of operation (selective-field versus stream encryption)
- Padding requirements
- Initialization requirements
- Synchronization requirements
- Key management process

5.2 Integrity protection
- Sealing and signing
- Encryption
- Sequence integrity

5.3 Non-repudiation services
- Denial of origin
- Denial of delivery
- Digital signature algorithms (originator, trusted third party)
- Secure timestamps

5.5 Cryptographic applications in PKI
- Public-key cryptosystem
- Signature algorithm
- Integrity protection algorithm

5.6 Cryptographic applications in VPNs
- Public-key cryptosystem
- Transport encryption
- Integrity
- Origin authentication

Chapter 6 Key Exchange and Management

6.1 Key generation
- Key selection (strong, weak)
- Random key generation
- ANSI X9.17 key generation
- RSA key generation

6.2 Key transport
- Manual transport of simple keys
- Key distribution in distributed networks
- Key verification
- Key-encrypting keys and data keys

6.3 Key usage
- Use in software encryption
- Use in hardware encryption
- Usage control

6.4 Key update
- Key update (deriving a new key from the old one)
- Using one-way functions

6.5 Key storage
- Personal key storage management
- Magnetic cards
- ROM
- Biometrics

6.6 Key backup
- Personal backup
- Organizational backup
- CA

6.7 Compromise, key lifetime and key destruction
- Key compromise (technical and non-technical causes) requires supporting handling procedures
- Key validity period
- Key destruction

6.8 Key exchange
- Diffie-Hellman algorithm
- IKE

Chapter 7 Cryptanalysis and Cryptographic Attacks
- Ciphertext-only attack
- Known-plaintext attack
- Chosen-plaintext attack
- Adaptive chosen-plaintext attack
- Chosen-ciphertext attack
- Chosen-key attack
- Rubber-hose attack

Ciphertext-only attack
The cryptanalyst has the ciphertexts of several messages, all encrypted with the same encryption algorithm. The cryptanalyst's task is to recover as much plaintext as possible, or better still to deduce the key used to encrypt the messages, so that other messages encrypted under the same key can be decrypted.
Given: C1 = E_K(P1), C2 = E_K(P2), ..., Ci = E_K(Pi)
Derive: P1, P2, ..., Pi; K; or an algorithm that infers P_{i+1} from C_{i+1} = E_K(P_{i+1}).

Known-plaintext attack
The cryptanalyst not only has the ciphertexts of several messages but also knows the plaintexts of those messages. The analyst's task is to use the encrypted information to deduce the key that was used, or to derive an algorithm that can decrypt any new message encrypted under the same key.
Given: P1, C1 = E_k(P1), P2, C2 = E_k(P2), ..., Pi, Ci = E_k(Pi)
Derive: the key k, or from C_{i+1} = E_k(
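The ECB, CBC, OFB and CTR modes described in section 2.6, carried through in Python as an added example (not code from the slides); the 4-byte forward cipher, the key and the 16-bit nonce/counter layout are toy assumptions, and padding for ECB/CBC is not shown.

```python
# Added example (not from the slides): ECB, CBC, OFB and CTR as described above, over a
# toy 4-byte forward cipher (a keyed affine bijection on 32-bit integers, NOT secure).
B, C0 = 4, 0x9E3779B9          # toy block size in bytes and cipher constant

def ciph(key: int, block: bytes) -> bytes:
    # forward cipher CIPH_K: x -> (x*key + C0) mod 2^32, a bijection because key is odd
    x = int.from_bytes(block, "big")
    return ((x * key + C0) % 2**32).to_bytes(B, "big")
def ciph_inv(key: int, block: bytes) -> bytes:
    # inverse cipher CIPH^-1_K, via the modular inverse of the odd key
    x = int.from_bytes(block, "big")
    return (((x - C0) * pow(key, -1, 2**32)) % 2**32).to_bytes(B, "big")
def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def blocks(data: bytes):
    return [data[i:i + B] for i in range(0, len(data), B)]
def ecb_encrypt(key, pt):   # C_j = CIPH_K(P_j): equal plaintext blocks give equal ciphertext blocks
    return b"".join(ciph(key, p) for p in blocks(pt))
def ecb_decrypt(key, ct):   # P_j = CIPH^-1_K(C_j)
    return b"".join(ciph_inv(key, c) for c in blocks(ct))
def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in blocks(pt):
        prev = ciph(key, xor(p, prev))      # input block = P_j XOR previous ciphertext block
        out.append(prev)
    return b"".join(out)
def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(ciph_inv(key, c), prev))
        prev = c
    return b"".join(out)
def ofb_crypt(key, iv, data):
    # O_1 = CIPH_K(IV), O_j = CIPH_K(O_{j-1}); the same call encrypts and decrypts.
    # A final partial block of u bytes uses only the first u bytes of the last output block.
    out, o = [], iv
    for d in blocks(data):
        o = ciph(key, o)
        out.append(xor(d, o[:len(d)]))
    return b"".join(out)
def ctr_crypt(key, nonce, data):
    # O_j = CIPH_K(T_j) with counter blocks T_j = nonce || j, all distinct under one key;
    # each block is independent, so keystream blocks can be computed in parallel.
    out = []
    for j, d in enumerate(blocks(data)):
        counter = ((nonce << 16) | j).to_bytes(B, "big")   # 16-bit nonce || 16-bit counter (toy)
        out.append(xor(d, ciph(key, counter)[:len(d)]))
    return b"".join(out)
```

Encrypting a plaintext whose first and third blocks are equal shows the ECB codebook leak directly: the two ciphertext blocks are identical, while CBC, OFB and CTR hide the repetition.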
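A toy model of the self-synchronizing stream cipher from section 2.6, whose state depends on the t previous ciphertext digits, added here to check properties (i) and (ii) above; it is not code from the slides, and the SHA-256-based keystream function, T = 3 and byte-sized digits are assumptions.

```python
# Added example (not from the slides): a toy self-synchronizing stream cipher whose
# keystream digit depends on the key and the T previous ciphertext bytes. hashlib
# stands in for the keystream function; this models the structure, it is not a cipher to use.
import hashlib

T = 3   # the state depends on the T previous ciphertext digits (bytes here)

def keystream_digit(key: bytes, window: bytes) -> int:
    return hashlib.sha256(key + window).digest()[0]

def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    window, out = iv[-T:], []
    for p in plaintext:
        c = p ^ keystream_digit(key, window)
        out.append(c)
        window = (window + bytes([c]))[-T:]      # feed the ciphertext digit back into the state
    return bytes(out)

def decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    window, out = iv[-T:], []
    for c in ciphertext:
        out.append(c ^ keystream_digit(key, window))
        window = (window + bytes([c]))[-T:]      # state is rebuilt from received ciphertext only
    return bytes(out)

def wrong_positions(expected: bytes, got: bytes) -> list:
    return [i for i, (a, b) in enumerate(zip(expected, got)) if a != b]

def modify_demo(key, iv, plaintext, pos):
    # property (ii): flipping one ciphertext digit garbles it and at most T following digits
    ct = bytearray(encrypt(key, iv, plaintext))
    ct[pos] ^= 0x01
    return wrong_positions(plaintext, decrypt(key, iv, bytes(ct)))

def delete_demo(key, iv, plaintext, pos):
    # property (i): after a deleted digit, decryption re-synchronizes by itself once T
    # genuine ciphertext digits have been received; the shifted plaintext is recovered
    ct = encrypt(key, iv, plaintext)
    got = decrypt(key, iv, ct[:pos] + ct[pos + 1:])
    return wrong_positions(plaintext[:pos] + plaintext[pos + 1:], got)
```

The receiver resynchronizes without any help from the sender, which is exactly why property (iii) warns that insertions and deletions go unnoticed unless a separate integrity mechanism is added.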
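RSA key generation as set out in section 3.2 (n = pq, φ(n), e coprime to φ(n), d = e^-1 mod φ(n)), carried through in Python as an added example that is not the slides' code; the textbook transformations c = m^e mod n and m = c^d mod n, and the small primes in the usage, are standard definitions and toy values, not taken from the slides.

```python
# Added example (not from the slides): textbook RSA key generation, encryption and
# signing with the symbols used on the RSA slide. No padding, toy-sized parameters.
from math import gcd

def rsa_keygen(p: int, q: int, e: int):
    # n = pq, phi(n) = (p-1)(q-1); e must satisfy 1 < e < phi(n) and gcd(phi(n), e) = 1
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(phi, e) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(phi(n), e) = 1")
    d = pow(e, -1, phi)            # e has an inverse modulo phi(n) because gcd(phi(n), e) = 1
    # p, q and phi are no longer needed: only (n, e) is published and d is kept private
    return (n, e), d

def rsa_encrypt(pub, m: int) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)            # c = m^e mod n

def rsa_decrypt(pub, d: int, c: int) -> int:
    return pow(c, d, pub[0])       # m = c^d mod n

def rsa_sign(pub, d: int, digest: int) -> int:
    return pow(digest, d, pub[0])  # s = h^d mod n, signing a hash value h

def rsa_verify(pub, digest: int, s: int) -> bool:
    return pow(s, pub[1], pub[0]) == digest   # check s^e mod n == h

if __name__ == "__main__":
    pub, d = rsa_keygen(61, 53, 17)    # toy primes; real keys use primes of hundreds of digits
    c = rsa_encrypt(pub, 65)
    print(pub, d, c, rsa_decrypt(pub, d, c))
```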
