Security Engineering. Ross Anderson

Title: Security Engineering
Author: Ross Anderson
Genre: Foreign computer literature
Publisher: Foreign computer literature
ISBN 9781119642817

and otherwise reveal $k_{2i+1}$. This is secure if the hash function is, but has the drawback that each key can be used only once. Merkle saw that you could generate a series of private keys by encrypting a counter with a master secret key, and then use a tree to hash the resulting public keys. However, for most purposes, people use signature algorithms based on number theory, which I'll describe in the next section.

      One security-protocol use of hash functions is worth a mention: key updating and autokeying. Key updating means that two or more principals who share a key pass it through a one-way hash function at agreed times: $K_i = h(K_{i-1})$. The point is that if an attacker compromises one of their systems and steals the key, he only gets the current key and is unable to decrypt back traffic. The chain of compromise is broken by the hash function's one-wayness. This property is also known as backward security. A variant is autokeying, where the principals update a key by hashing it with the messages they have exchanged since the last key change: $K_{i+1} = h(K_i, M_{i1}, M_{i2}, \ldots)$. If an attacker now compromises one of their systems and steals the key, then as soon as they exchange a message which he can't observe or guess, security will be recovered; again, the chain of compromise is broken. This property is known as forward security. It was first used in banking in EFT payment terminals in Australia [208, 210]. The use of asymmetric cryptography allows a slightly stronger form of forward security, namely that as soon as a compromised terminal exchanges a message with an uncompromised one which the opponent doesn't control, security can be recovered even if the message is in plain sight. I'll describe how this works next.
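The two update rules above, worked through as an added example that is not from the book: key updating $K_i = h(K_{i-1})$ and autokeying $K_{i+1} = h(K_i, M_{i1}, M_{i2}, \ldots)$, with SHA-256 standing in for the one-way function $h$. The initial key, the message contents, and the length-prefixing inside `h` are all my own constructed choices; the scenario functions show what an attacker who steals a key can and cannot compute under each rule.

```python
import hashlib
from typing import Iterable, List


def h(*parts: bytes) -> bytes:
    """One-way function used for key updates (SHA-256 here).

    Each part is length-prefixed before hashing so that h(K, M1, M2) cannot
    collide with h(K, M1 || M2). The text just writes h(K, M1, M2, ...); the
    prefixing is an assumption made for this example.
    """
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big"))
        digest.update(part)
    return digest.digest()


def key_update(k_prev: bytes) -> bytes:
    """Key updating: K_i = h(K_{i-1}).  Holding K_i gives no way back to K_{i-1}."""
    return h(k_prev)


def key_chain(k0: bytes, n: int) -> List[bytes]:
    """Return [K_0, K_1, ..., K_n] produced by repeated key updating."""
    keys = [k0]
    for _ in range(n):
        keys.append(key_update(keys[-1]))
    return keys


def keys_derivable_from(stolen: bytes, steps: int) -> List[bytes]:
    """Backward security: an attacker holding K_i can only run the public update
    forwards, so he obtains K_{i+1}, K_{i+2}, ... but none of the earlier keys
    that protected back traffic."""
    return key_chain(stolen, steps)[1:]


def autokey(k_i: bytes, messages: Iterable[bytes]) -> bytes:
    """Autokeying: K_{i+1} = h(K_i, M_i1, M_i2, ...)."""
    return h(k_i, *messages)


def forward_security_demo() -> dict:
    """Constructed scenario: the attacker steals K_i, then the principals exchange
    three messages before the next key change.  If the attacker observed all of
    them he stays in sync; if he missed even one, his derived key diverges and
    security is recovered."""
    k_i = bytes.fromhex("00" * 32)                            # constructed stolen key
    msgs = [b"balance enquiry", b"withdraw 50", b"receipt 7731"]  # constructed traffic
    legit = autokey(k_i, msgs)
    return {
        "legit": legit,
        "attacker_saw_all": autokey(k_i, msgs),
        "attacker_missed_one": autokey(k_i, [msgs[0], msgs[2]]),
    }


if __name__ == "__main__":
    chain = key_chain(b"\x11" * 16, 4)                        # constructed K_0
    later = keys_derivable_from(chain[2], 2)
    print("K_1 derivable from stolen K_2:", chain[1] in later)   # False
    d = forward_security_demo()
    print("in sync after seeing every message:", d["legit"] == d["attacker_saw_all"])
    print("in sync after missing one message:", d["legit"] == d["attacker_missed_one"])
```

The demo makes the asymmetry of the two properties concrete: plain key updating protects the past but not the future (the attacker can follow the chain forwards forever), while autokeying also protects the future as soon as one message escapes the attacker's view. Real deployments would additionally bind the update to a counter or timestamp so both sides agree on when to roll the key.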

      The commonly used building blocks in asymmetric cryptography, public-key encryption and digital signatures, are based on number theory. I'll give a brief overview here, and look in more detail at some of the mechanisms in Part 2 when I discuss applications.

      The basic idea is to make the security of the cipher depend on the difficulty of solving a mathematical problem that's known to be hard, in the sense that a lot of people have tried to solve it and failed. The two problems used in almost all real systems are factorization and discrete logarithm.

      5.7.1 Cryptography based on factoring

      In RSA, the encryption key is a modulus $N$ which is hard to factor (take $N = pq$ for two large randomly chosen primes $p$ and $q$, say of 1024 bits each) plus a public exponent $e$ that has no common factors with either $p - 1$ or $q - 1$. The private key is the factors $p$ and $q$, which are kept secret. Where $M$ is the message and $C$ is the ciphertext, encryption is defined by

$$C \equiv M^e \pmod N$$

      Decryption is the reverse operation:

upper 
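Textbook RSA with the key structure just described, as an added example that is not from the book: the primes $p$, $q$ and the exponent $e$ are toy-sized constructed values (61, 53 and 17 rather than the 1024-bit primes the text calls for), the check that $e$ shares no factor with $p - 1$ or $q - 1$ is enforced explicitly, and decryption uses the standard private exponent $d$ with $d \cdot e \equiv 1 \pmod{(p-1)(q-1)}$, a detail that this excerpt's cut-off decryption formula does not show.

```python
from math import gcd
from typing import Tuple


def make_keypair(p: int, q: int, e: int) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Build a textbook RSA key pair from primes p, q and public exponent e.

    Enforces the condition in the text: e must have no common factor with
    p-1 or q-1 (otherwise e has no inverse and decryption is impossible).
    Returns ((N, e), (N, d)).  Note: p and q are assumed prime; no primality
    test is run here.
    """
    if gcd(e, p - 1) != 1 or gcd(e, q - 1) != 1:
        raise ValueError("public exponent e must be coprime to both p-1 and q-1")
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse, Python 3.8+: e*d ≡ 1 (mod phi)
    return (n, e), (n, d)


def rsa_encrypt(m: int, n: int, e: int) -> int:
    """C ≡ M^e (mod N).  The message must be an integer below the modulus."""
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= M < N")
    return pow(m, e, n)


def rsa_decrypt(c: int, n: int, d: int) -> int:
    """M ≡ C^d (mod N), the reverse operation using the private exponent."""
    return pow(c, d, n)


def demo_roundtrip() -> Tuple[int, int, int]:
    """Constructed toy instance: p=61, q=53, e=17, message 65.
    Returns (d, ciphertext, recovered message)."""
    (n, e), (_, d) = make_keypair(61, 53, 17)
    c = rsa_encrypt(65, n, e)
    return d, c, rsa_decrypt(c, n, d)


def bad_exponent_rejected(p: int, q: int, e: int) -> bool:
    """True if make_keypair refuses e because it shares a factor with p-1 or q-1."""
    try:
        make_keypair(p, q, e)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    d, c, m = demo_roundtrip()
    print(f"N=3233 e=17 d={d}: 65 -> {c} -> {m}")
    # e=3 shares the factor 3 with p-1 = 60, so it must be rejected
    print("e=3 rejected:", bad_exponent_rejected(61, 53, 3))
```

Two things the toy instance makes visible that the formula alone does not: the coprimality condition is what guarantees $d$ exists at all (try $e = 3$ against $p - 1 = 60$), and raw RSA is deterministic, so the same $M$ always gives the same $C$; that is why deployed systems pad messages (OAEP for encryption) before exponentiation rather than encrypting $M$ directly.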