密碼算法與協(xié)議1密碼學(xué)原理課件

2023/10/61Chapter1.

OverviewofCryptographicProtocol2023/10/62課程教學(xué)大綱

課程名稱：現(xiàn)代密碼協(xié)議/AdvancedCryptographicProtocols學(xué) 時（課內(nèi)/課外*）：54(44/10)先修課程：密碼算法教材、教學(xué)參考書：主要教材：書名：CryptographicProtocols

作者：BerrrySchoenmakers

出版社：www.win.tue.nl/~berry/2WC01/LectureNotes-v0.9.pdf

出版日期：Version0.9,March3，2004參考教材：1書名：《通信網(wǎng)的安全-理論與技術(shù)》作者：王育民出版社：西安電子科技大學(xué)出版社出版日期：1999年2書名：《應(yīng)用密碼學(xué)-協(xié)議、算法與C源程序》作者：(美)BruceSchneier

出版社：機(jī)械工業(yè)出版社

出版日期：2000年

2023/10/63課程的性質(zhì)、地位、任務(wù)密碼學(xué)是信息安全的核心，圍繞著密碼理論和應(yīng)用分為幾個不同的層次，最底層是數(shù)學(xué)、邏輯等基礎(chǔ)；然后是基本的密碼算法（分組密碼、公鑰密碼、Hash函數(shù)等），接下來是在此基礎(chǔ)上具有普適性的密碼協(xié)議，最上面是一些針對具體應(yīng)用的協(xié)議。

本課程的重點是討論一般的密碼協(xié)議，并在此基礎(chǔ)上介紹幾個應(yīng)用廣泛的應(yīng)用協(xié)議，使學(xué)生對現(xiàn)代密碼協(xié)議的基本理論以及它們的應(yīng)用情況有基本的認(rèn)識，為以后的進(jìn)一步研究和工作打下基礎(chǔ)。2023/10/64課程的教學(xué)內(nèi)容和基本要求

教學(xué)內(nèi)容包括：密碼協(xié)議引論，密鑰交換協(xié)議，比特承諾協(xié)議，身份鑒別協(xié)議，零知識證明協(xié)議，門限密碼協(xié)議，安全多方計算，簽名與盲簽名協(xié)議，協(xié)議的形式化分析，應(yīng)用協(xié)議1:網(wǎng)絡(luò)認(rèn)證，應(yīng)用協(xié)議2:電子支付，應(yīng)用協(xié)議3:無線安全，密碼協(xié)議的國際標(biāo)準(zhǔn)，密碼協(xié)議的研究進(jìn)展等。要求了解相關(guān)密碼協(xié)議的內(nèi)容，并初步掌握密碼協(xié)議的分析設(shè)計方法。考核形式：考試（70％）＋研究報告

（20％）+平時表現(xiàn)（10%）2023/10/65InformationsecurityandcryptographyCryptographyisthestudyofmathematicaltechniquesrelatedtoaspectsofinformationsecurityCryptographicgoalsConfidentialityDataintegrityAuthenticationNon-repudiation2023/10/66BackgroundonFunctions(ctd)one-wayfunctioniff(x)iseasytocomputeforallx

X,butitiscomputationallyinfeasibletofindanyx

Xsuchthatf(x)=y.trapdoorone-wayfunctionifgiventrapdoorinformation,itbecomesfeasibletofindanx

Xsuchthatf(x)=y.2023/10/67Symmetric-keyciphersBlockcipherbreaksuptheplaintextintoblocksofafixedlength,andthenencryptsoneblockatatime.Streamciphertakestheplaintextstringandproducesaciphertextstringusingkeystreamspecificcaseofblockcipherwiththesizeof12023/10/68Symmetric-keycryptographyAdvantageshighdatathroughputrelativelyshortsizeprimitivestoconstructvariouscryptographicmechanismsDisadvantagesthekeymustremainsecretatbothends.O(n2)keystobemanaged.relativelyshortlifetimeofthekey2023/10/69Public-keycryptographyAdvantagesOnlytheprivatekeymustbekeptsecretrelativelylonglifetimeofthekeyrelativelyefficientdigitalsignaturemechanismssmallerverificationkeyO(n)keystobemanagedDisadvantageslowdatathroughputmuchlargerkeysizes2023/10/610DigitalsignaturesNomenclatureM:messagesS:signaturesSA:signingtransformationforAVA:verificationtransformationforADefinitionSAandVAprovideadigitalsignaturescheme(ormechanism)forA.2023/10/611AuthenticationEntityauthentication(Identification)corroborationoftheidentityofanentity(e.g.,aperson,acomputerterminal,acreditcard,etc.).Messageauthentication(Dataoriginauthentication)corroboratingthesourceofinformation2023/10/612Summaryofcomparisonpublic-keycryptographysignatures(particularly,non-repudiation)andkeymanagementsymmetric-keycryptographyencryptionandsomedataintegrityapplicationsKeysizesPrivatekeysmustbelarger(e.g.,1024bitsforRSA)thansecretkeys(e.g.,64or128bits)mostattackonsymmetric-keysystemsisanexhaustivekeysearchpublic-keysystemsaresubjectto“short-cut”attacks(e.g.,factoring)2023/10/613ProtocolsandmechanismsCryptographicalgorithmwell-definedtransformation,whichonagiveninputvalueproducesanoutputvalue,achievingcertainsecurityobjectives.CryptographicprotocoldistributedalgorithmdefinedbyasequenceofstepspreciselyspecifyingtheactionsrequiredoftwoormoreentitiesCryptographicmechanismmoregeneraltermencompassingprotocols,algorithms,andnon-cryptographictechniques2023/10/614KeyestablishmentandmanagementKeyestablishmentprocesstoestablishasharedsecretkeyavailabletotwoormorepartiessubdividedintokeyagreementandkeytransport.Keymanagementthesetofprocessesandmechanismswhichsupportkeyestablishmentandthemaintenanceofongoingkeyingrelationshipsbetweenparties2023/10/615Keymanagementthroughsymmetric-keytech.Advantageseasytoaddandremoveentitiesneedstostoreonlyonelong-termsecretkey.DisadvantagesinitialinteractionwiththeTTP.nlong-termsecretkeysmaintainedbyTTPTTPcanreadallmessages.IfTTPiscompromised,allcommunicationsareinsecure2023/10/616Keymanagementthroughpublic-keytech.AdvantagesNoTTPisrequiredduringkeyagreementorupdate.OnlynpublickeysneedtobestoredDisadvantagesActiveadversarycancompromisethekeymanagementscheme(e.g.man-in-the-middleattack)NeedTTP(e.g.,CA)tocertifythepublickeyofeachentity.2023/10/617Public-keycertificationAdvantagespreventsanactiveadversaryfromimpersonationTTPcannotmonitorcommunications.DisadvantagesIfthesigningkeyoftheTTPiscompromised,allcommunicationsbecomeinsecure.2023/10/618AttacksonencryptionschemesCiphertext-onlyattackdeducethedecryptionkeyorplaintextbyonlyobservingciphertext.Known-plaintextattackusingaquantityofplaintextandcorrespondingciphertext.Chosen-plaintextattackchoosesplaintextandisthengivencorrespondingciphertext.Adaptivechosen-plaintextattackchosen-plaintextattackwherethechoiceofplaintextmaydependontheciphertextreceivedfrompreviousrequests.Chosen-ciphertextattackselectstheciphertextandisthengiventhecorrespondingplaintext.Adaptivechosen-ciphertextattackchosen-ciphertextattackwherethechoiceofciphertextmaydependontheplaintextreceivedfrompreviousrequests.2023/10/619Attacksonprotocolsknown-keyattackusespreviouslyusedkeystodeterminenewkeysreplayattackrecordsacommunicationsessionandreplaysthatsessionimpersonationattackdeceivestheidentityofoneofthelegitimatepartiesdictionaryattackusingcodebookforwardsearchattackifmessagespaceissmallorpredictableinterleavingattackimpersonationorotherdeceptioninvolvingselectivecombinationofinformationfromparallelsessions2023/10/620OverviewBasicnotionsofcryptographic(security)protocolsProblemswithcryptographicprotocolsDesignprinciplesforcryptographicprotocolsAnalysisofcryptographicprotocols2023/10/621BasicNotions2023/10/622BasicNotions2023/10/623BasicNotions2023/10/624BasicNotions2023/10/625ASimpleProtocol(inDetail)2023/10/626ASimpleProtocol(inDetail)2023/10/627BasicNotions(ctd.)2023/10/628BasicNotions2023/10/629BasicNotions2023/10/630BasicNotions2023/10/631BasicNotions2023/10/632BasicNotions--ASimpleProtocol(ctd.)2023/10/633BasicNotions--ASimpleProtocol(ctd.)2023/10/634BasicNotions--ASimpleProtocol(ctd.)2023/10/635BasicNotions--ASimpleProtocol(ctd.)2023/10/636BasicNotions--ASimpleProtocol(ctd.)2023/10/637BasicNotions--ASimpleProtocol(ctd.)2023/10/638BasicNotions--ASimpleProtocol(ctd.)2023/10/639BasicNotions2023/10/640BasicNotions--ASimpleProtocol(ctd.)2023/10/641ASimpleProtocol(inDetail)2023/10/642ProblemswithProtocols2023/10/643ProblemswithProtocols2023/10/644ProblemswithProtocols2023/10/645ProblemswithProtocols2023/10/646ProblemswithProtocols2023/10/647ProblemswithProtocols2023/10/648ProblemswithProtocols2023/10/649ProblemswithProtocols2023/10/650ProblemswithProtocols2023/10/651ProblemswithProtocols2023/10/652ProblemswithProtocols2023/10/653ProblemswithProtocols2023/10/654ProblemswithProtocols2023/10/655ProblemswithProtocols2023/10/656ProblemswithProtocols2023/10/657ProblemswithProtocols2023/10/658ProblemswithProtocols2023/10/659PrinciplesforDesigningSecu