© 2000 by CRC Press LLC

FIGURE 97.5 Modes of use for block cryptosystems.

Although the DES key length was acceptable to most users when the standard was released in 1977, increases in computing power have made exhaustive search less expensive, so the relative security of DES has decreased. NSA now supports some of its own secret algorithms as DES replacements (“COMSEC Commercial Endorsement Program, Type II” devices), although NIST support for DES continues and no algorithmic weaknesses in DES have been publicly revealed.

Public-key cryptosystems [Diffie and Hellman, 1976] use two different keys (asymmetric systems). For example, information can be encrypted with one key and decrypted with a different (but related through a secure process) key. If the aim is secrecy, the decryption key must be secret so only the recipient can decrypt. In this case, however, the encryption key can be publicly known and known to be associated with a particular potential recipient. Although the sender can be assured of information secrecy in this process, the recipient cannot be assured of sender authenticity. If the secret key of a pair of keys is used by a sender to encrypt, any recipient who knows the sender’s public key can be assured of sender authenticity, but there is no assurance of secrecy. If the public-key cryptosystem has commutative transformations (as does the RSA cryptosystem), encryption with the sender’s secret key and with the recipient’s public key for encipherment, and decryption by the recipient with his or her secret key and with the sender’s public key, provides both secrecy and authenticity. RSA (named after Rivest, Shamir, and Adleman) is the most well known and most widely used public-key cryptosystem.

Unlike DES, the key length of RSA encryption is user-selectable. However, the length chosen must be securely long (long enough that knowledge of the public key is not helpful in determining the secret key). Key selection begins with the choice of two prime numbers, each of which can be approximately 150 decimal digits long, giving about a 300-digit number on which the RSA encryption is based [Eq. (97.1)]. The security of the system depends on the difficulty of factoring large numbers that have no relatively small factors. Equation (97.2) shows how a secret modulus is determined, and Eq. (97.3) shows how the modulus is used to relate the secret key and the public key. Equation (97.4) gives the RSA encryption process, and Eq. (97.5) gives the RSA decryption process. An adversary who could factor n could use Eq. (97.2) to determine the modulus, φ, and then the secret key, d, from Eq. (97.3), given the public key, e.

$n = pq$ (97.1)

$\varphi = (p - 1)(q - 1)$ (97.2)

$ed \equiv 1 \pmod{\varphi}$ (97.3)
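The key setup, encryption and decryption of Eqs. (97.1) through (97.5), carried through on a toy modulus as an added example that is not from the handbook; the primes 61 and 53, the exponent 17 and the message 65 are constructed sample values, and the last two functions show the text's point that whoever can factor n can recompute d:

```python
"""Added worked example (not from the handbook): RSA key setup, encryption and
decryption as given by Eqs. (97.1)-(97.5), on a toy key size so the numbers
are readable.  The last two functions illustrate the warning in the text:
recovering the secret exponent d from the public key once n is factored."""
import math


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def mod_inverse(e, phi):
    """Solve Eq. (97.3): find d with e*d = 1 (mod phi)."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e and phi are not coprime; pick another e")
    return x % phi


def make_keys(p, q, e=65537):
    """Eqs. (97.1)-(97.3): n = pq, phi = (p-1)(q-1), d = e^-1 mod phi.
    Returns ((e, n), d): the public key and the secret exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        # can happen with tiny toy primes: fall back to the smallest usable e
        e = next(c for c in range(3, phi, 2) if math.gcd(c, phi) == 1)
    d = mod_inverse(e, phi)
    return (e, n), d


def encrypt(m, public_key):
    """Eq. (97.4): C = M^e (mod n).  M must be smaller than n."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be in [0, n)")
    return pow(m, e, n)


def decrypt(c, d, n):
    """Eq. (97.5): M = C^d (mod n)."""
    return pow(c, d, n)


def smallest_factor(n):
    """Trial division on an odd n.  Feasible only because the toy n is tiny;
    for the ~300-digit moduli the text describes, this is the hard problem
    RSA's security rests on."""
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f
        f += 2
    return n


def recover_d_from_factors(e, p, q):
    """What the text warns about: with p and q known, Eq. (97.2) gives phi
    and Eq. (97.3) gives d, so the public key alone now yields the secret key."""
    return mod_inverse(e, (p - 1) * (q - 1))


def demo(p=61, q=53, e=17, message=65):
    """Round trip plus key recovery; constructed sample values by default."""
    public_key, d = make_keys(p, q, e)
    n = public_key[1]
    c = encrypt(message, public_key)
    factor = smallest_factor(n)
    recovered_d = recover_d_from_factors(public_key[0], factor, n // factor)
    return {"n": n, "d": d, "c": c, "m": decrypt(c, d, n), "recovered_d": recovered_d}


if __name__ == "__main__":
    print(demo())
```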
$C = M^e \pmod{n}$ (97.4)

$M = C^d \pmod{n}$ (97.5)

For equivalent security, the computational burden of RSA and similar public-key cryptosystems is significantly greater than DES and similar single-key cryptosystems. As a result, where large amounts of information must be communicated, public-key systems are frequently used for secure communication of a key intended for a single-key system, which is then in turn used for mainstream encryption.

RSA has well known cryptographic digital signature capabilities (transformed by the sender using the sender’s secret key; transformed by the receiver using the sender’s public key), which give assurance that the information was initiated by the signer and that the sender cannot deny creating the information. A signature technique, Digital Signature Standard (DSS) [NIST, 1991], has been proposed by NIST. The basic differences between DSS and RSA are that DSS is intended only for digital signatures, DSS patents are intended to be government owned, the proposed DSS key lengths will be constrained, and the security of DSS is based on the difficulty of finding logarithms of large numbers.

Examples of relatively new encryption techniques coming into popular use are PGP (Pretty Good Privacy), IDEA (International Data Encryption Algorithm), and PEM (Privacy Enhanced Mail). The U.S. Government has proposed SKIPJACK, a secret and controlled system, as an intended replacement for DES. The proposal, which includes “trusted third-party” key escrow, has met with significant controversy.

Software Security

A number of techniques that are commonly implemented in software can contribute to protection against adversaries. These include password authentication; memory, file, and database access restrictions; restrictions on processing actions; development and maintenance controls; and auditing.
Passwords, which are intended to authenticate a computer user in a cost-effective way, are sometimes user-selected (a technique resulting in a relatively small potential population), sometimes user-selected from a computer-generated collection, sometimes randomly generated, and sometimes randomly generated from a phonetic construction (for pronounceability and memorization ease) [Cooper, 1989]. Examples of phonetic passwords are TAMOTUT, OTOOBEC, SKUKOMO, ALTAMAY, and ZOOLTEE. These five were each chosen from a different phonetic construction (five of the approximately 25 commonly used).

Security control can be physical, temporal, logical, or procedural. Two important logical or procedural control principles are part of fundamental multilevel security (multiple levels of sensitivity and multiple user clearance levels on the same system), as described by part of the Bell–La Padula model. The simple security principle restricts users of a particular clearance level from reading information that is of a more sensitive (more highly classified) level. The star property prohibits information flow from the level at which its sensitivity has been determined to any lower level (write-down). Analogous integrity protection is provided by the Biba integrity model [Gasser, 1988]. Protection rules can be mandatory (used mainly by the government or military) or discretionary (compartmented according to need-to-know regimes of trust typically determined by file owners). The combination of security levels and protection rules at the same level can be associated with a lattice model. In addition to matching the security controls, the lattice model facilitates mathematical verification of security implementations.

A common logical protection rule specification gives the rights of subjects (action initiators) to act on objects (action targets) at any particular time.
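The simple security principle, the star property, the Biba analogue, and the lattice of sensitivity levels and need-to-know compartments described above, evaluated together with per-object rights, as an added example that is not part of the handbook; the level names, compartment names and subject/object labels are constructed, and the discretionary rights are the S1 row of Table 97.1:

```python
"""Added example (not from the handbook): Bell-La Padula simple security and
star properties plus the Biba dual, evaluated over a lattice of
(level, compartments) labels, combined with discretionary rights taken from
row S1 of Table 97.1.  Level and compartment names are constructed."""
from dataclasses import dataclass, field

# Total order on sensitivity levels (constructed names; the ints give the order).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other):
        """Lattice partial order: level at least as high AND a superset of
        compartments.  Labels with disjoint compartments are incomparable,
        which is what makes need-to-know compartments a lattice, not a chain."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def blp_allows(subject, obj, action):
    """Bell-La Padula (secrecy).  Simple security: read only if the subject's
    clearance dominates the object's label.  Star property: write only if the
    object's label dominates the subject's, so no write-down is possible."""
    if action == "read":
        return subject.dominates(obj)
    if action == "write":
        return obj.dominates(subject)
    return False


def biba_allows(subject_integrity, object_integrity, action):
    """Biba (integrity) is the dual: no reading of lower-integrity data,
    no writing into higher-integrity data.  Integrity levels are ints here."""
    if action == "read":
        return object_integrity >= subject_integrity
    if action == "write":
        return subject_integrity >= object_integrity
    return False


# Discretionary rights: row S1 of Table 97.1 exactly as the text gives it.
ACCESS_MATRIX = {
    "S1": {"O1": {"own", "write", "read"},
           "O2": {"own", "read", "execute"},
           "O3": {"own", "read", "delete"},
           "O4": {"read", "write", "execute"},
           "O5": {"read"}},
}


def dac_allows(subject_id, object_id, action):
    """Discretionary check: the right must appear in the matrix entry."""
    return action in ACCESS_MATRIX.get(subject_id, {}).get(object_id, set())


def access_allowed(subject_id, subject_label, object_id, object_label, action):
    """Mandatory and discretionary rules both have to pass.  Mapping execute
    to a read and delete to a write for the mandatory check is a simplifying
    assumption of this example."""
    mandatory = {"read": "read", "execute": "read",
                 "write": "write", "delete": "write"}.get(action)
    if mandatory is None:
        return False
    return (blp_allows(subject_label, object_label, mandatory)
            and dac_allows(subject_id, object_id, action))
```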
One way to view these rules (although seldom implemented in this manner) is to consider an access matrix (Table 97.1) containing rows for subject indicators and columns for object indicators. The matrix entries are the rights of subjects to objects. Actual implementation may differ, e.g., by using directories, or capability lists, or capability tokens (row designations for rights of subjects) or access control lists (column designations for rights to objects).

TABLE 97.1 An Access Matrix

Subjects/Objects | O1               | O2                 | O3                | O4                   | O5
S1               | Own, write, read | Own, read, execute | Own, read, delete | Read, write, execute | Read
S2               | Read; Execute; Read (three entries; column positions not recoverable)
S3               | Write; Read; Read (three entries; column positions not recoverable)

These types of rules can be augmented by software (and/or hardware) memory protection through techniques including fences, base/bounds registers, tagged registers, and paging [Gasser, 1988].

Database management system (DBMS) security and integrity protections include access controls but generally require finer granularity and greater protection (especially for relational databases) against subtle forms of information deduction such as inference and aggregation. Integrity protection mechanisms include field checks, change logs, two-phase updates, error protection codes, range comparisons, and query controllers [Pfleeger, 1989]. Secrecy depends on access control (e.g., file passwords), query controllers, and encryption.

Processing restrictions can, in addition to those implied by memory, file, and database controls, limit the ability of users to, for example, try multiple passwords or multiple user IDs; make financial transactions; change security parameters; move, rename, or output information; and deliver covert channel information (signaling systematically using authorized actions to codify unauthorized data delivery).

Software development and maintenance controls include standards under which programs (including security features) are designed to meet requirements, coded in structured or modular form, reviewed during development, tested, and maintained. Configuration or change control is also important.

Computer auditing is intended to provide computer records about user actions for routine review (a productive application for expert systems) and for detailed investigation of any incidents or suspicious circumstances. It is essential that audit records be tamper-proof. Software security features (including auditing) can be provided as part of the computer operating system or they can be added to an operating system as an add-on product. A U.S. government multilevel trusted computing base development program through NSA’s National Computer Security Center (NCSC) resulted in a well known security methodology and assessment scheme for these types of software (and hardware) products [DOD, 1985]. A significant number of operating systems and software security packages have been evaluated and given

FIGURE 97.6 Factoring history.

Because of the importance of factoring to RSA security, factoring methodology and accomplishments are of considerable interest. Techniques for factoring “hard” numbers were available for only up to about 50 digits in about a day’s computing time until 1983, when a match between mathematical development (the quadratic sieve) and computer vector processing capabilities contributed to factoring up to 58-digit numbers in equivalent time. The next year, a 69-digit number was factored in about 32 hours on a Cray 1S. A few months later, a 71-digit number was factored in less than 10 hours on a Cray XMP. By the end of the decade, collections of small computers had been coupled in a worldwide effort to demonstrate that numbers of more than 100 (116 in 1991) digits could be cost-effectively factored. This explosive trend, although not expected to continue because of current mathematical limitations (at present many orders of magnitude more computation time is needed than would threaten 300-digit numbers), demonstrates the importance of factoring prognosis in forecasting the long-term security of RSA.
ratings by NCSC, in addition to hardware–software combinations, encryption devices, and network security systems. The basic evaluation determines the degree of confidence that the system will be resistant to external penetration and internal unauthorized actions. The most secure systems known are classified A1 and utilize a reference monitor (checking every request for access to every resource), a security kernel (concentration of all security-related functions into a module that facilitates protection and validation), and protection against covert channels. Formal analysis is used to assure that the implementation correctly corresponds to the intended security policy. There is an operational efficiency penalty associated with secure multilevel operating systems. Other classes (in order of progressively fewer security features, which results in decreasing security) are B3, B2, B1, C2, C1, and D (see Table 97.2, where security features generally accumulate, reading up from the table bottom).

TABLE 97.2 NCSC Security Evaluation Ratings

Class Name | Summary of Salient Features
Class A1   | Formal top-level specification and verification of security features, trusted software distribution, covert channel formal analysis
Class B3   | Tamper-proof kernelized security reference monitor (tamper-proof, analyzable, testable), structured implementation
Class B2   | Formal security model design, covert channel identification and tracing, mandatory controls for all resources (including communication lines)
Class B1   | Explicit security model, mandatory (Bell–La Padula) access control, labels for internal files and exported files, code analysis and testing
Class C2   | Single-level protection for important objects, log-in control, auditing features, memory residue erasure
Class C1   | Controlled discretionary isolation of users from data, authentication, testing
Class D    | No significant security features identified

In addition to computer activity directly controlled by personnel, a family of software threats can execute without direct human control. These techniques include the Trojan horse, the virus, the worm, the logic bomb, and the time bomb. The virus and worm (because they copy themselves and spread) are both capable of global-spanning attacks over relatively short time frames. Protection against these threats includes limiting user threats through background screening, using expert system software scanners that search for adversarial program characteristics, comparators, and authenticators or digital signatures that facilitate detection of software tampering. Other software-intensive threats include trapdoors, superzapping, browsing, asynchronous attacks, and the salami attack [Cooper, 1989]. These all usually involve unauthorized actions by authorized people and are most effectively counteracted by insider personnel controls (see Section 97.7, “Personnel Security”).

Hardware Security

In addition to personal authentication through something known (e.g., passwords or PINs), users can be authenticated through something possessed or by something inherent about the user (or by combinations of the three). Hardware devices that contribute to computer security using the approach of something possessed include tokens and smart cards. Biometric verifiers authenticate by measuring human characteristics. Other hardware security devices include encryptor/decryptor units and port protection devices (to make dial-up attacks by hackers more difficult). A generic diagram depicting some of these applied to control of users is shown in Fig. 97.7. The controls can be used individually or in various combinations.

Tokens are devices that can be hand-carried by authorized computer users and are intended to increase password security by assuring that passwords are used only once, thereby reducing the vulnerability to password compromise. The devices contain an internal algorithm, which either works in synchronization with an identical algorithm in the host computer or transforms an input derived from a computer prompt into a password that matches the computer-transformed result. In order to protect against loss, most also require a user password for token access.

Smart cards are credit-card-sized devices intended to facilitate secure transactions, such as credit card purchases, purchases or cash withdrawals that result in bank account debits, or information interchanges. The most common application uses a card reader/network that exchanges data with the smart card over a serial data bus. User information and security information are stored in encrypted form in the card, and physical
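Both token behaviours described in the Hardware Security section above, a token synchronized with the host and a token that transforms a host prompt, as an added example that is not from the handbook; the HMAC-SHA256 transform, 8-digit passwords, counter window and PIN gate are assumptions of this example, not any particular product:

```python
"""Added example (not from the handbook): a one-time-password token of the two
kinds the text describes, (a) synchronized with the host, here by a shared
counter, and (b) challenge-response, where the token transforms a host prompt.
The keyed transform (HMAC-SHA256 truncated to 8 digits), the counter window
and the PIN gate are assumptions for illustration."""
import hashlib
import hmac
import secrets

DIGITS = 8


def one_time_password(secret: bytes, material: bytes) -> str:
    """Keyed transform shared by token and host.  The secret never leaves the
    token; only the derived 8-digit password is typed in by the user."""
    mac = hmac.new(secret, material, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**DIGITS:0{DIGITS}d}"


class Token:
    """Hand-carried device; use requires the user's PIN (protection against loss)."""

    def __init__(self, secret: bytes, pin: str):
        self._secret, self._pin, self._counter = secret, pin, 0

    def _check_pin(self, pin):
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("wrong PIN")

    def synchronized_password(self, pin):
        self._check_pin(pin)
        pw = one_time_password(self._secret, self._counter.to_bytes(8, "big"))
        self._counter += 1          # every password is produced exactly once
        return pw

    def respond(self, pin, challenge: bytes):
        self._check_pin(pin)
        return one_time_password(self._secret, challenge)


class Host:
    """Holds the same secret for the user and accepts each password only once."""

    def __init__(self, secret: bytes, window: int = 5):
        self._secret, self._window = secret, window
        self._next_counter = 0
        self._open_challenges = set()

    def verify_synchronized(self, password):
        # Look ahead a few counters in case the token was stepped without a login;
        # once a value is accepted, it and every older one are rejected (no replay).
        for c in range(self._next_counter, self._next_counter + self._window):
            expected = one_time_password(self._secret, c.to_bytes(8, "big"))
            if hmac.compare_digest(expected, password):
                self._next_counter = c + 1
                return True
        return False

    def challenge(self) -> bytes:
        ch = secrets.token_bytes(16)     # the computer prompt the token transforms
        self._open_challenges.add(ch)
        return ch

    def verify_response(self, challenge, response):
        if challenge not in self._open_challenges:
            return False                 # unknown, or already used, prompt
        self._open_challenges.discard(challenge)
        return hmac.compare_digest(one_time_password(self._secret, challenge), response)
```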