密码算法与协议1密码学原理课件

2023/10/61Chapter1.

OverviewofCryptographicProtocol2023/10/62课程教学大纲

课程名称：现代密码协议/AdvancedCryptographicProtocols学 时（课内/课外*）：54(44/10)先修课程：密码算法教材、教学参考书：主要教材：书名：CryptographicProtocols

作者：BerrrySchoenmakers

出版社：www.win.tue.nl/~berry/2WC01/LectureNotes-v0.9.pdf

出版日期：Version0.9,March3，2004参考教材：1书名：《通信网的安全-理论与技术》作者：王育民出版社：西安电子科技大学出版社出版日期：1999年2书名：《应用密码学-协议、算法与C源程序》作者：(美)BruceSchneier

出版社：机械工业出版社

出版日期：2000年

2023/10/63课程的性质、地位、任务密码学是信息安全的核心，围绕着密码理论和应用分为几个不同的层次，最底层是数学、逻辑等基础；然后是基本的密码算法（分组密码、公钥密码、Hash函数等），接下来是在此基础上具有普适性的密码协议，最上面是一些针对具体应用的协议。

本课程的重点是讨论一般的密码协议，并在此基础上介绍几个应用广泛的应用协议，使学生对现代密码协议的基本理论以及它们的应用情况有基本的认识，为以后的进一步研究和工作打下基础。2023/10/64课程的教学内容和基本要求

教学内容包括：密码协议引论，密钥交换协议，比特承诺协议，身份鉴别协议，零知识证明协议，门限密码协议，安全多方计算，签名与盲签名协议，协议的形式化分析，应用协议1:网络认证，应用协议2:电子支付，应用协议3:无线安全，密码协议的国际标准，密码协议的研究进展等。要求了解相关密码协议的内容，并初步掌握密码协议的分析设计方法。考核形式：考试（70％）＋研究报告

（20％）+平时表现（10%）2023/10/65InformationsecurityandcryptographyCryptographyisthestudyofmathematicaltechniquesrelatedtoaspectsofinformationsecurityCryptographicgoalsConfidentialityDataintegrityAuthenticationNon-repudiation2023/10/66BackgroundonFunctions(ctd)one-wayfunctioniff(x)iseasytocomputeforallx

X,butitiscomputationallyinfeasibletofindanyx

Xsuchthatf(x)=y.trapdoorone-wayfunctionifgiventrapdoorinformation,itbecomesfeasibletofindanx

Xsuchthatf(x)=y.2023/10/67Symmetric-keyciphersBlockcipherbreaksuptheplaintextintoblocksofafixedlength,andthenencryptsoneblockatatime.Streamciphertakestheplaintextstringandproducesaciphertextstringusingkeystreamspecificcaseofblockcipherwiththesizeof12023/10/68Symmetric-keycryptographyAdvantageshighdatathroughputrelativelyshortsizeprimitivestoconstructvariouscryptographicmechanismsDisadvantagesthekeymustremainsecretatbothends.O(n2)keystobemanaged.relativelyshortlifetimeofthekey2023/10/69Public-keycryptographyAdvantagesOnlytheprivatekeymustbekeptsecretrelativelylonglifetimeofthekeyrelativelyefficientdigitalsignaturemechanismssmallerverificationkeyO(n)keystobemanagedDisadvantageslowdatathroughputmuchlargerkeysizes2023/10/610DigitalsignaturesNomenclatureM:messagesS:signaturesSA:signingtransformationforAVA:verificationtransformationforADefinitionSAandVAprovideadigitalsignaturescheme(ormechanism)forA.2023/10/611AuthenticationEntityauthentication(Identification)corroborationoftheidentityofanentity(e.g.,aperson,acomputerterminal,acreditcard,etc.).Messageauthentication(Dataoriginauthentication)corroboratingthesourceofinformation2023/10/612Summaryofcomparisonpublic-keycryptographysignatures(particularly,non-repudiation)andkeymanagementsymmetric-keycryptographyencryptionandsomedataintegrityapplicationsKeysizesPrivatekeysmustbelarger(e.g.,1024bitsforRSA)thansecretkeys(e.g.,64or128bits)mostattackonsymmetric-keysystemsisanexhaustivekeysearchpublic-keysystemsaresubjectto“short-cut”attacks(e.g.,factoring)2023/10/613ProtocolsandmechanismsCryptographicalgorithmwell-definedtransformation,whichonagiveninputvalueproducesanoutputvalue,achievingcertainsecurityobjectives.CryptographicprotocoldistributedalgorithmdefinedbyasequenceofstepspreciselyspecifyingtheactionsrequiredoftwoormoreentitiesCryptographicmechanismmoregeneraltermencompassingprotocols,algorithms,andnon-cryptographictechniques2023/10/614KeyestablishmentandmanagementKeyestablishmentprocesstoestablishasharedsecretkeyavailabletotwoormorepartiessubdividedintokeyagreementandkeytransport.Keymanagementthesetofprocessesandmechanismswhichsupportkeyestablishmentandthemaintenanceofongoingkeyingrelationshipsbetweenparties2023/10/615Keymanagementthroughsymmetric-keytech.Advantageseasytoaddandremoveentitiesneedstostoreonlyonelong-termsecretkey.DisadvantagesinitialinteractionwiththeTTP.nlong-termsecretkeysmaintainedbyTTPTTPcanreadallmessages.IfTTPiscompromised,allcommunicationsareinsecure2023/10/616Keymanagementthroughpublic-keytech.AdvantagesNoTTPisrequiredduringkeyagreementorupdate.OnlynpublickeysneedtobestoredDisadvantagesActiveadversarycancompromisethekeymanagementscheme(e.g.man-in-the-middleattack)NeedTTP(e.g.,CA)tocertifythepublickeyofeachentity.2023/10/617Public-keycertificationAdvantagespreventsanactiveadversaryfromimpersonationTTPcannotmonitorcommunications.DisadvantagesIfthesigningkeyoftheTTPiscompromised,allcommunicationsbecomeinsecure.2023/10/618AttacksonencryptionschemesCiphertext-onlyattackdeducethedecryptionkeyorplaintextbyonlyobservingciphertext.Known-plaintextattackusingaquantityofplaintextandcorrespondingciphertext.Chosen-plaintextattackchoosesplaintextandisthengivencorrespondingciphertext.Adaptivechosen-plaintextattackchosen-plaintextattackwherethechoiceofplaintextmaydependontheciphertextreceivedfrompreviousrequests.Chosen-ciphertextattackselectstheciphertextandisthengiventhecorrespondingplaintext.Adaptivechosen-ciphertextattackchosen-ciphertextattackwherethechoiceofciphertextmaydependontheplaintextreceivedfrompreviousrequests.2023/10/619Attacksonprotocolsknown-keyattackusespreviouslyusedkeystodeterminenewkeysreplayattackrecordsacommunicationsessionandreplaysthatsessionimpersonationattackdeceivestheidentityofoneofthelegitimatepartiesdictionaryattackusingcodebookforwardsearchattackifmessagespaceissmallorpredictableinterleavingattackimpersonationorotherdeceptioninvolvingselectivecombinationofinformationfromparallelsessions2023/10/620OverviewBasicnotionsofcryptographic(security)protocolsProblemswithcryptographicprotocolsDesignprinciplesforcryptographicprotocolsAnalysisofcryptographicprotocols2023/10/621BasicNotions2023/10/622BasicNotions2023/10/623BasicNotions2023/10/624BasicNotions2023/10/625ASimpleProtocol(inDetail)2023/10/626ASimpleProtocol(inDetail)2023/10/627BasicNotions(ctd.)2023/10/628BasicNotions2023/10/629BasicNotions2023/10/630BasicNotions2023/10/631BasicNotions2023/10/632BasicNotions--ASimpleProtocol(ctd.)2023/10/633BasicNotions--ASimpleProtocol(ctd.)2023/10/634BasicNotions--ASimpleProtocol(ctd.)2023/10/635BasicNotions--ASimpleProtocol(ctd.)2023/10/636BasicNotions--ASimpleProtocol(ctd.)2023/10/637BasicNotions--ASimpleProtocol(ctd.)2023/10/638BasicNotions--ASimpleProtocol(ctd.)2023/10/639BasicNotions2023/10/640BasicNotions--ASimpleProtocol(ctd.)2023/10/641ASimpleProtocol(inDetail)2023/10/642ProblemswithProtocols2023/10/643ProblemswithProtocols2023/10/644ProblemswithProtocols2023/10/645ProblemswithProtocols2023/10/646ProblemswithProtocols2023/10/647ProblemswithProtocols2023/10/648ProblemswithProtocols2023/10/649ProblemswithProtocols2023/10/650ProblemswithProtocols2023/10/651ProblemswithProtocols2023/10/652ProblemswithProtocols2023/10/653ProblemswithProtocols2023/10/654ProblemswithProtocols2023/10/655ProblemswithProtocols2023/10/656ProblemswithProtocols2023/10/657ProblemswithProtocols2023/10/658ProblemswithProtocols2023/10/659PrinciplesforDesigningSecu