现代密码学理论与实践(4)(精品·公开课件).ppt

现代密码学理论与实践-07 Cryptography and Network SecurityChapter 7 Confidentiality Using Symmetric Encryption Fourth Edition by William Stallings Lecture slides by Shoubao Yang syang@ 1/~syang September 2006 第7章 用对称密码实现保密性 本章讨论加密逻辑功能所处的位置，使用加密防止通信量分析攻击的方法，密钥分配问题及随机数的产生。 7.1 密码功能的位置 安全隐患 从同一网上其他工作站发起的窃听 使用拨号进入局域网或服务器进行窃听 使用外部路由链接进入网络和窃听 在外部链路上对通信业务的监听和修改 7.1.2 链路加密与端到端加密 基本方法：链路加密与端到端加密 link encryption encryption occurs independently on every link implies must decrypt traffic between links requires many devices, but paired keys end-to-end encryption encryption occurs between original source and final destination need devices at each end with shared keys 链路加密与端到端加密 Traffic Analysis when using end-to-end encryption must leave headers in clear, so network can correctly route information hence although contents protected, traffic pattern flows are not ideally want both at once end-to-end protects data contents over entire path and provides authentication link protects traffic flows from monitoring Encryption Across a Packet Switching-Network 两种加密策略的特点 Placement of Encryption We can place encryption function at various layers in OSI Reference Model link encryption occurs at layers 1 or 2 end-to-end can occur at layers 3, 4, 6, 7 as move higher less information is encrypted but it is more secure though more complex with more entities and keys Traffic Analysis Traffic analysis is monitoring of communications flows between parties useful both in military commercial spheres can also be used to create a covert channel Link encryption obscures header details but overall traffic volumes in networks and at end-points is still visible Traffic padding can further obscure flows but at cost of continuous traffic 端到端加密函数的逻辑位置 采用前端处理器FEP实现加密功能 端系统用户进程和应用使用同一个密钥采用同一个加密方案 存储转发通信网络中的加密覆盖范围 将加密设备用于端到端协议，不能提供网络之间的服务，如电子邮件、电子数据交换和文件传输等。因此，端到端加密需要到应用层上进行。 不同加密策略的实现(1) 不同加密策略的实现(2) 7.2 Traffic Confidentiality 可以从通信量分析攻击得到的信息类型 Identities of partners How frequently the partners are communi