密码编码学与网络安全(第四版)教案编写 .pptVIP

现代密码学理论与实践-13 现代密码学理论与实践-13 * Direct Digital Signatures involve the direct application of public-key algs. But are dependent on security of the sender’s private-key. Have problems if lost/stolen and signatures forged. Need time-stamps and timely key revocation. * See Stallings Table 13.1 for various alternatives * This is the original, basic key exchange protocol. Used by 2 parties who both trusted a common key server, it gives one party the info needed to establish a session key with the other. Note that since the key server chooses the session key, it is capable of reading/forging any messages between AB, which is why they need to trust it absolutely! Note that all communications is between AKDC and AB, BKDC dont talk directly (though indirectly a message passes from KDC via A to B, encrypted in Bs key so that A is unable to read or alter it). Other variations of key distribution protocols can involve direct communications between BKDC. * There is a critical flaw in the protocol, as shown. This emphasises the need to be extremely careful in codifying assumptions, and tracking the timeliness of the flow of info in protocols. Designing secure protocols is not easy, and should not be done lightly. Great care and analysis is needed. * DSA is the US Govt approved signature scheme - designed to provide strong signatures without allowing easy use for encryption. The signature scheme has advantages, being both smaller (320 vs 1024bit) and faster (much of the computation is done modulo a 160 bit number) than RSA. * Signature creation is similar to ElGamal with the use of a per message temporary signature key k, but doing calculations first mod p, then mod q to reduce the size of the result. Note that the use of the hash function SHA is explicit. Note that only computing r involves calculation mod p and does not depend on message, hence can be done in advance. * Verification also consists of comparing two computations. Note that the difficulty of computing discrete lo