2公钥基础设施终稿.ppt

June 2009 Copyright ? 2003, TECH Networks Lab Side * 主模式：用数字签名认证 HDR contains CKY-I | CKY-R KE = g^i (Initiator) or g^r (Responder) SIG_I/SIG_R = digital sig of HASH_I/HASH_R CERT是证书载荷 June 2009 Copyright ? 2003, TECH Networks Lab Side * 主模式：用公钥加密认证 HDR contains CKY-I | CKY-R，HASH（l）是响应方证书的HASH值 KE = g^i (Initiator) or g^r (Responder) 这里nonce是通过加密传输的，因此可作为共享密钥，HASH值就可以直接用来认证对方的身份。 June 2009 Copyright ? 2003, TECH Networks Lab Side * 用公钥加密认证中存在的问题 问题 采用了四次公钥加/解密操作，耗费计算资源，与签名认证算法相比，多了两次加/解密 修改方法 采用修正的公钥加密认证 June 2009 Copyright ? 2003, TECH Networks Lab Side * Main Mode: Authentication with Revised Public Key Encryption HDR contains CKY-I | CKY-R KE = g^I (Initiator) or g^r (Responder) Ki = prf(Ni, CKY-I), Kr = prf(Nr, CKY-R) June 2009 Copyright ? 2003, TECH Networks Lab Side * 密钥推导 SKEYID Pre-shared keys SKEYID=PRF(preshared key, Ni|Nr) SKEYID是从预共享密钥推导得到，并且总是与Ni/Nr有关，这样即使采用相同的预共享密钥，不同的Ni/Nr产生的SKEYID是不同的。 Digital signatures: SKEYID=PRF(Ni|Nr, gir) Public key encryption SKEYID=PRF(hash(Ni|Nr), CKY-i|CKY-r) June 2009 Copyright ? 2003, TECH Networks Lab Side * 密钥推导（续） SKEYID_d (used to derive keying material for IPsec SA): SKEYID_d =PRF(SKEYID, gir|CKY-i|CKY-r|0) SKEYID_a (auth key for ISAKMP SA): SKEYID_a =PRF(SKEYID, SKEYID_d|gir|CKY-i|CKY-r|1) SKEYID_e (enc key for ISAKMP SA): SKEYID_e =PRF(SKEYID, SKEYID_a|gir|CKY-i|CKY-r|2) June 2009 Copyright ? 2003, TECH Networks Lab Side * IKE第一阶段小节 认证 根据预共享密钥和公钥密码机制 抗中间人、伪装攻击 DH密钥协商 提供密钥的生成源gir，Ni/r，生成SKEYID，SKEYID_d，SKEYID_a，SKEYID_e June 2009 Copyright ? 2003, TECH Networks Lab Side * Why all these secrets? SKEYID_d is used for deriving keying data for IPSec SKEYID_a is used for integrity and data source authentication SKEYID_e is used to encrypt IKE messages. Different keys must be used for security purposes. Because of the hash function PRF, the original secret SKEYID cannot be calculated from the derived secrets. June 2009 Copyright ? 2003, TECH Networks Lab Side * 4 IKE第二阶段 目的： 建立IPsec SA，一个第1阶段的SA可以用于建立多个第2阶段的