网络安全-09：公钥密码学RSA.pptVIP

公钥密码体制 公钥/双钥/非对称 密码都是指使用两个密钥: 公钥：可以对任何人公开的密钥，用于加密消息或验证签名。 私钥：只能由接收者私存，用于解密消息或签名。 非对称 用于加密消息或验证签名的密钥不能进行解密消息的或消息的签名。 * * We can identify three approaches to attacking RSA mathematically, as shown. Mathematicians currently believe all equivalent to factoring. See Stallings Table 9.4 for progress in factoring, where see slow improvements over the years, with the biggest improvements coming from improved algorithms. The best current algorithm is the “Lattice Sieve” (LS), which replaced the “Generalized Number Field Sieve” (GNFS), which replaced the “Quadratic Sieve”(QS). Have to assume computers will continue to get faster, and that better factoring algorithms may yet be found. Numbers of size 1024-2048 bits look reasonable at present, provided the factors meet other constraints. * * Had a new category of attacks developed by Paul Kocher in mid-1990’s, based on observing how long it takes to compute the cryptographic operations. Timing attacks are applicable not just to RSA, but to other public-key cryptography systems. This attack is alarming for two reasons: It comes from a completely unexpected direction and it is a ciphertextonly attack. A timing attack is somewhat analogous to a burglar guessing the combination of a safe by observing how long it takes for someone to turn the dial from number to number. Although the timing attack is a serious threat, there are simple countermeasures that can be used, including using constant exponentiation time algorithms, adding random delays, or using blind values in calculations. * The RSA algorithm is vulnerable to a chosen ciphertext attack (CCA). CCA is defined as an attack in which adversary chooses a number of ciphertexts and is then given the corresponding plaintexts, decrypted with the target’s private key. The adversary exploits properties of RSA and selects blocks of data that, when processed using the target’s private key, yield information needed for cryptanalysis. Can counter simple attacks with random pad of pla