分析教案成果

学XuHui,: 1CISSPExpectation-CISSPUnderstandtheapplicationanduseof 码学的应Dataatrest,e.g.,hardDataintransit,e.g.,“OntheUnderstandtheencryption 码学概Foundationalconcepts（基本概念Symmetriccryptography（对称加密Asymmetriccryptography（非对称加密Hybridcryptography（混合加密Messagedigests（消 2CISSPExpectation-CISSPUnderstandKeyManagement 钥管理流Creationanddistribution（创建和分发Storageand 和销毁Recovery（密钥恢复Keyescrow(密钥托Understanddigital理解数字签Understand理解不可抵3CISSPExpectation-CISSPUnderstandmethodsof ytic 方Chosenplaintext（选择明 Socialengineeringforkeydiscovery（社会工程学Brute Knownplaintext（已知明 ysis（频率分析Chosenciphertext（选择密 Implementationattacks（针对实施 4CISSPExpectation-CISSPEmploycryptographyinnetwork 中使 学技Usecryptographyto 使 学技术保护电子邮件安Understandpublickey理解PKI公钥技术设 related理解数 和相关概Understandinformationhidingalternatives,e.g.,steganography,watermarking5※0.CISSP※1.Cryptography※2.Symmetric※3.Asymmetric※4.Hash※5.Cipher※6. ※7.6CRYPTOGRAPHY7CryptographyHistory-beforelast)scribeswritingdownthebookofJeremiahusedreversed-alphabetsimplesubstitutioncipherPlain:Cipher:MonoalphabeticPlain:Cipher:CipherPlaintext:IhaveagoodCiphertext:rszevztllw8CryptographyHistory- 700-300BCinGreece(希腊人于公元前600年-前500年consistingofacylinderwithastripofpar entwoundarounditonwhichiswrittenamessage.TheancientGreeks（希腊人）,andtheSpartans（斯巴达人）inparticular,aresaidtohaveusedthisciphertocommunicateduringmilitary TranspositionCipher（移位 9CryptographyHistory-Caesar60-50BCbyJuliusCaesarRoma Substitution:Rightshiftthealphabeticby3positions()Plaintext:IhaveagoodCiphertext:fexsbxdllaCryptographyHistory-VigenereCipher(维吉尼 Polyalphabeticsubstitution(多字母替 ababcdefghijklmnopqrstuvwxyzAabcdefghijklmnopqrstuvwxyzBbcdefghijklmnopqrstuvwxyzaCcdefghijklmnopqrstuvwxyzabDdefghijklmnopqrstuvwxyzabcEefghijklmnopqrstuvwxyzabcdFfghijklmnopqrstuvwxyzabcdeGghijklmnopqrstuvwxyzabcdefHhijklmnopqrstuvwxyzabcdefgIijklmnopqrstuvwxyzabcdefghJjklmnopqrstuvwxyzabcdefghiKklmnopqrstuvwxyzabcdefghijLlmnopqrstuvwxyzabcdefghijkMmnopqrstuvwxyzabcdefghijklNnopqrstuvwxyzabcdefghijklmOopqrstuvwxyzabcdefghijklmnPpqrstuvwxyzabcdefghijklmnoQqrstuvwxyzabcdefghijklmnopRrstuvwxyzabcdefghijklmnopqSstuvwxyzabcdefghijklmnopqrTtuvwxyzabcdefghijklmnopqrsUuvwxyzabcdefghijklmnopqrstVvwxyzabcdefghijklmnopqrstuWwxyzabcdefghijklmnopqrstuvXxyzabcdefghijklmnopqrstuvwYyzabcdefghijklmnopqrstuvwxZzabcdefghijklmnopqrstuvwxyRepeatedKey:Ihaveagoods+i=>ae+h=>lc+a=>ck+v=>f…alcfiyysqnCryptographyHistory-OneTime 本KeyPeoplehumanbeingeatfooddrinkwatertakeshowerhappyfamilyFaithhopeloveawomana

Pre

KeyPeoplehumanbeingeatfooddrinkwatertakeshowerhappyfamilyFaithhopeloveawomana Ihaveagood …ymplqCryptographyHistory-RunningKey

Pre

KeyIndex:Ihaveagoodnews

IwenttothewoodsbecauseIwishedtolivedelibera y,tofrontonlytheessentialfactsoflife,andseeifIcouldnotlearnwhatithadtoteach,andnot,whenIcametodie,discoverthatIhadnotlived.Ididnotwishtolivewhatwasnotlife,livingissodear;CryptographyHistory-

TranspositionCipher(移位 Permutation MonoalphabeticPolyalphabeticCryptographyHistory-Steganography(隐写术TheartandscienceofwritinghiddenTheadvantageofsteganographyovercryptographyaloneisthatmessagesdonotattractattentiontothe iodinestarchSYMMETRIC对

BlockCipherVSStream

……

…… Terminology(术语NIST(USA):NationalInstituteofStandardsand与技NISTSP:NationalInstituteofStandardsandTechnologySpecialPublication与技 特 信息处理标non-NSA(USA):NationalSecurity国家安全

DataEncryptionStandard(数据加密标准1977,FIPS46,byReplacedbyAES(被AES算法替代BlockCipher( KeySize:56bit(密钥长度：56比特Rounds:16roundsoftranspositionand4CipherModes(4 模式ElectronicCodebookBlockChainingCipherFeedbackOutputFeedback安全性：DES已经在1998年被EFF(ElectronicFrontierFoundation)证明是不安全的，当时EFF用了少于250000的价格组装了一台计算机用少于3天的时间了DES。ElectronicProblem:IdenticalplaintextblocksareencryptedintoidenticalciphertextAstrikingexampleCipherBlockCipherFeedbackOutputFeedbackTheoutputfeedback(OFB)modemakesablockcipherintoasynchronousstreamcipher.Itgenerateskeystreamblocks

TripleDataEncryptionStandardorTDEA(TripleDataEncryptionAlgorithm)publishedin1998,NISTSP800-1999年，NIST将3-DES指定为过渡的加密标准BlockCipher( 3DES3DES K1≠K2, K1≠K2≠安全性：NISThasapprovedTripleDESthroughtheyear2030forsensitive ernmentinformation

AdvancedEncryptionStandardFIPS197in2001byNIST,OriginallycalledWinfromMARS,RC6,Rijndael,Serpent,BlockBlockSize:128/192/256bitKeySize:10roundsfor128-bitkeys,12roundsfor192-bitkeys,and14roundsfor256-bitkeysBy2006,thebestknownattackswereon7roundsfor128-bitkeys,8roundsfor192-bitkeys,and9roundsfor256-bitkeys. RivestCipher

byRonRivestofRSASecurityInStreamThekey-schedulingalgorithmThepseudo-randomgenerationalgorithmKeyLength:variablelengthkey,typicallybetween40and256theonlycommoncipherwhichisimmunetothe2011BEASTattackonTLS1.0,whichexploitsaknownweaknessinthewaycipherblockchainingmodeisusedwithalloftheothercipherssupportedbyTLS1.0,whichareallblock

MoreTheTwofishSymmetricblockcipher：128-bitblock,Up256-bitTheIDEACipher(InternationalDataEncryptionJamesMasseyandXuejiaLai,blockcipher：64-bitplaintextblocks,128-bitRonaldRivestinBlockcipherofvariableblockTypicalBlocksizeof32,64,or128KeysizeandRoundsarefrom0toConfusionand ClaudeShannon( )inhispaperCommunicationTheoryofSecrecySystems,publishedin1949.ConfusionreferstomakingtherelationshipbetweentheplaintextandtheciphertextascomplexandinvolvedasDiffusionreferstothepropertythattheredundancyinthestatisticsoftheplaintextis"dissipated"inthestatisticsoftheInparticular,changingonebitofthekeyshouldchangetheciphertextcomple Kerckhoffs’s“Acryptosystemshouldbesecureevenifeverythingaboutthesystem,exceptthekey,ispublicknowledge”wasstatedbyAugusteKerckhoffsinthe19thcentury ASYMMETRICAsymmetricComparewithSymmetricAMessagethatisencryptedbyoneofthekeyscanbedecryptedwiththeotherkey.NoneedtoExchangeSlowerthansymmetric EllipticEl

RivestShamirh1977,byRonRivest,AdiShamirh,LenAdlemanatbasedonthepresumeddifficultyoffactoringlargeRSA1024andRSA 日，编号为RSA-768（768bits,232digits）数

KeygenerationChoosetwodistinctprimenumbers(质数):Eg,p=13,ComputeComputeφ(n)=(p–1)(q–1)=(13-1)*(7-Chooseanintegere,suchthat1<e<φ(n)and(e,φ(n))=1Eg,e=11，PublickKey(e,n)=(11,Computed,suchthatd=e–1modd=11–1mod72=59，PrivateKey（d,φ(n)）=(59,usingtheextendedEuclideanalgorithm(扩 Encryption

Decryption

DiffieHallmankeyToExchangesecretkeysoveranon-securemediumwithoutexposingthekeys.publishedbyWhitfieldDiffieand manin1ap,b2ap,g,gamodp=p,b3ap,g,gbmodp=p,g,A,b4a,p,g,A,Bamodp=Abmodp=p,g,A,b,

椭圆曲线y2=x3+a*x+bp=FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFa=FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFb=28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD41n=FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123Gx=32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7Gy=BC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0Ellipticcurvecryptography(椭圆曲线算法basedonthealgebraicstructureofellipticcurvesoverfiniteEllipticCurve:y2=x3+ax+1985,byNealKoblitzandVictorS.DigitalSignature:ECDSA(ECC-DigitalSignatureDataEncryption:ECDH(Ellipticcurve HASH

Message-Digest1991,designedbyRonRivestinThesecurityoftheMD5hashfunctionisseverelyAcollisionattackexiststhatcanfindcollisionswithin

SHA-SecureHashAlgorithm-1995,designedbytheUnitedStatesNationalSecurityAgency,publishedbytheUnitedStatesNISTDigestLength:Rounds:安全In2005,crypt ystsfoundattacksonSHA-1suggestingthatthealgorithmmightnotbesecureenoughforongoinguse.NISTrequiredmanyapplicationsinfederalagenciestomovetoSHA-2after2010becauseoftheweakness.

SHABlocksize(bits)264−264−264−2264−2128−

Aone-wayhashingalgorithmwithvariablelengthofoutput1992,byYuliangZheng,JosefPieprzyk,andJenniferHAVALcanproducehashesinlengthsof128bits,160bits,192bits,224bits,and256bits.HAVALalsoallowsuserstospecifythenumberofrounds(3,4,or5)tobeusedtogeneratethehash.On17August2004,collisionsforHAVAL(128bits,3passes)wereannouncedbyXiaoyunWangCIPHERCipherApplication-

CIA- fromSymmetricEncryption,AsymmetricDataarenottamperedbeforeHash,checksum,Evidence,cannotDigital 基于对称密钥 认终 卡

服务（PSAM：刷卡机卡片随机加密后的随机

分散算法（消费密钥 6. 随机数，比CipherApplication-MAC消息认证MessageAuthenticationHMAC:HashedMessageAuthenticationCipherApplication-

CBC-CipherApplication-基于HMAC的动态口 CipherApplication-DigitalRSA-basedsignatureschemes(PKCS#1,DSAanditsellipticcurvevariantElGamalsignatureCipherApplication-RSA-BasedSignature

PKCS#7数字签 数据包内

签名信

? ?

CipherApplication-

数章CipherApplication-

S/MIME（SecureMultipurposeInternetMail inaMIMEToprovideauthenticationthroughdigitalsignaturesand ityofencryptionUsesX.509standardforits PGP(PrettyGoodInsteadof Authority,PGPusesa“WebUserscancertifyeachotherinameshCipherApplication-

PKIvs(Hierarchical

PGP:Mesh(WebofCipherApplication-IDBased thepublickeyofauserissomeuniqueinformationabouttheidentityoftheuser(e.g.auser's ID-basedencryptionwasproposedbyAdiShamirin1984.Thepairing-basedBoneh–FranklinschemeandCocks'sencryptionschemebasedonquadraticresiduesbothsolvedtheIBEproblemin2001.CipherApplication-

SecureElectronicVisa&MasterCarddevelopedSETin1997，Coverstheend-to-endtransactionsfromthecardholdertothefinancialinstitution. Despiteheavypublicitytowinmarketshare,itfailedtogainwidespreaduseNeedtoinstallclientCostandcomplexityformerchantstooffersupport,contrastedwiththecomparativelylowcostandsimplicityoftheexistingSSLbasedalternative. distributionCipherApplication-

4 5商 2

3

1实际B2C交易技 SSL加 5返回6支付交互过SSLCipherApplication-

SSLSecureSocketslatestversionSSLprotocoldevelopedbyNetscapein abovetheTransportLayerAsymmetriccryptography(Digital )toexchangekeyEncryptusingSymmetricTLS:TransactionLayerThesuccessorofSSL,CipherApplication-

InternetProtocolauthenticatingandencryptingeachIPpacketofacommunicationsessionAuthenticationHeaderEncapsulatingSecurityPayloadThedatainthepacketisencrypted,buttheheaderisTheoriginalIPheaderisencryptedandanewIPheaderisaddedtothebeginningofthepacket.ThisadditionalIPheaderhastheaddressofthe theencryptedIPheaderpointstothefinaldestinationontheinternalnetworkbehindthegateway.CipherApplication-

HTTPSandS-HTTPS:HypertextTransferProtocolHTTPSwrapstheentirecommunicationwithinrequireaseparateportwithSHTTP:SecureHypertextTransferS-HTTPencryptsonlytheservedpagedataandsubmitteddatalikePOSTfieldsS-HTTPcouldbeusedconcurrentlywithHTTP(unsecured)onthesameport,astheunencryptedheaderwoulddeterminewhethertherestofthetransmissionisencrypted.HTTPSandS-HTTPwerebothdefinedinthemid-1990stoaddressthisneed.Netscapeand supportedHTTPSratherthanS-HTTP,leadingtoHTTPS ingthedefactostandardmechanismforsecuringwebcommunications.Secure

ByestablishinganencryptedtunnelbetweenanSSHclientandanSSHserver.Canbeusedtoauthenticatetheclienttothesever,andalsotoprovide ityandintegritySSHV2.X mankeyIntegritycheckingviamessageauthenticationRunanynumberofs sessionsoverasingleSSH

WorkWorkFactorisdefinedastheamountofeffort(usuallymeasuredinunitsoftime)neededtobreakacryptosystem. ysisofSymmetricBruteKnownPlaintexttheattackerhassamplesofboththeplaintext,andChosenPlaintexttheattackerhasthecapabilitytochoosearbitraryplaintextstobeencryptedandobtainthecorrespondingciphertextsAdaptiveChosenwherethecrypt ystmakesaseriesofinteractivequeries,choosingsubsequentplaintextsbasedontheinformationfromthepreviousencryptions. ysisofSymmetricCiphertextOnlytheattackerisassumedtohaveaccessonlytoasetofChosenCiphertextthecryptystgathersinformation,atleastinpart,bychoosingaciphertextandobtainingitsdecryptionunderanunknownkey.IntheattackAdaptiveChosenaninteractiveformofchosen-ciphertextattackinwhichanattackersendsanumberofciphertextstobedecrypted ysisofSymmetricDifferential itisthestudyofhowdifferencesinaninputcanaffecttheresultantdifferenceattheoutputLinear findingaffineapproximationstotheactionofaTripleDESwiththreeindependentkeyshasakeylengthof168bits(three56-bitDESkeys),butduetothemeet-in-the-middleattack,theeffectivesecurityitprovi