文档详细内容(约529页)
Note If you want to spend more time learning about cryptography,there's plenty of good literature available.My favorite book on this topic is Understanding Cryptography, written by Christof Paar and Jan Pelzl and published by Springer in 2010. Building Blocks At the lowest level,cryptography relies on various cryptographic primitives.Each primitive is designed with a particular useful functionality in mind.For example,we might use one primitive for encryption and another for integrity checking.The primitives alone are not very useful,but we can combine them into schemes and protocols to provide robust security. Who Are Alice and Bob? Alice and Bob are names commonly used for convenience when discussing cryptography. They make the otherwise often dry subject matter more interesting.Ron Rivest is credited for the first use of these names in the 1977 paper that introduced the RSA cryptosystem.?Since then,anumber ofoter names have entered cryptographic literature.In this chapter Iuse the name Eve for an attacker with an eavesdropping ability and Mallory for an active attacker who can interfere with network traffic. Symmetric Encryption Symmetric enryption (o private-key cryptography)is a method for obfuscation that enables secure transport of data over insecure communication channels.To communicate securely, Alice and Bob first agree on the encryption algorithm and a secret key.Later on,when Alice wants to send some data to Bob,she uses the secret key to encrypt the data.Bob uses the same key to decrypt it.Eve,who has access to the communication channel and can see the encrypted data,doesn't have the key and thus can't access the original data.Alice and Bob can continue to communicate securely for as long as they keep the secret key safe. Aliced Bob(Wikipedia,retrieved June01) Securitys inseparable couple(Network World,205) Building Blocks
Note If you want to spend more time learning about cryptography, there’s plenty of good literature available. My favorite book on this topic is Understanding Cryptography, written by Christof Paar and Jan Pelzl and published by Springer in 2010. Building Blocks At the lowest level, cryptography relies on various cryptographic primitives. Each primitive is designed with a particular useful functionality in mind. For example, we might use one primitive for encryption and another for integrity checking. e primitives alone are not very useful, but we can combine them into schemes and protocols to provide robust security. Who Are Alice and Bob? Alice and Bob are names commonly used for convenience when discussing cryptography.6 ey make the otherwise often dry subject matter more interesting. Ron Rivest is credited for the first use of these names in the 1977 paper that introduced the RSA cryptosystem.7 Since then, a number of other names have entered cryptographic literature. In this chapter, I use the name Eve for an attacker with an eavesdropping ability and Mallory for an active attacker who can interfere with network traffic. Symmetric Encryption Symmetric encryption (or private-key cryptography) is a method for obfuscation that enables secure transport of data over insecure communication channels. To communicate securely, Alice and Bob first agree on the encryption algorithm and a secret key. Later on, when Alice wants to send some data to Bob, she uses the secret key to encrypt the data. Bob uses the same key to decrypt it. Eve, who has access to the communication channel and can see the encrypted data, doesn’t have the key and thus can’t access the original data. Alice and Bob can continue to communicate securely for as long as they keep the secret key safe. 6 Alice and Bob (Wikipedia, retrieved 5 June 2014) 7 Security’s inseparable couple (Network World, 2005) Building Blocks 5
Figure 1.1.Symmetric encryption ret key Encrypt 合 Decrypt B08 ALICE Note Three terms are commonly used when discussing encryption:plaintext is the data in its original form,cipher is the algorithm used for encryption,and ciphertext is the data after encryption. Symmetric encryption goes back thousands of years.For example,to encrypt with a substi tution cipher,you replace each letter in the alphabet with some other letter;to decrypt,you reverse the process.In this case,there is no key;the security depends on keeping the method itself secret.That was the case with most early ciphers.Over time,we adopted a different approach,following the observation of a nineteenthentury cryptographer named Auguste Kerckhoffs:8 A cryptosystem should be secure even if the attacker knows everything about the system,except the secret key. Although it might seem strange at first,Kerckhoffs's principle-as it has come to be known -makes sense if you consider the following: For an encryption algorithm to be useful,it must be shared with others.As the number of people with access to the algorithm increases,the likelihood that the algorithm will fall into the enemy's hands increases too. A single algorithm without a key is very inconvenient to use in large groups;everyone can decrypt everyone's communication. It's very difficult to design good encryption algorithms.The more exposure and scruti- ny an algorithm gets,the more secure it can be.Cryptographers recommend a conser- vative approach when adopting new algorithms;it usually takes years of breaking at- tempts until a cipher is considered secure. Chapter 1:SSL TLS,and Cryptography
Figure 1.1. Symmetric encryption Secret key Secret key BOB ALICE Encrypt Decrypt Original document Encrypted document Original document Note ree terms are commonly used when discussing encryption: plaintext is the data in its original form, cipher is the algorithm used for encryption, and ciphertext is the data after encryption. Symmetric encryption goes back thousands of years. For example, to encrypt with a substitution cipher, you replace each letter in the alphabet with some other letter; to decrypt, you reverse the process. In this case, there is no key; the security depends on keeping the method itself secret. at was the case with most early ciphers. Over time, we adopted a different approach, following the observation of a nineteenth-century cryptographer named Auguste Kerckhoffs: 8 A cryptosystem should be secure even if the attacker knows everything about the system, except the secret key. Although it might seem strange at first, Kerckhoffs’s principle—as it has come to be known —makes sense if you consider the following: • For an encryption algorithm to be useful, it must be shared with others. As the number of people with access to the algorithm increases, the likelihood that the algorithm will fall into the enemy’s hands increases too. • A single algorithm without a key is very inconvenient to use in large groups; everyone can decrypt everyone’s communication. • It’s very difficult to design good encryption algorithms. e more exposure and scrutiny an algorithm gets, the more secure it can be. Cryptographers recommend a conservative approach when adopting new algorithms; it usually takes years of breaking attempts until a cipher is considered secure. 8 la cryptographie militaire (Fabien Petitcolas, retrieved 1 June 2014) 6 Chapter 1: SSL, TLS, and Cryptography
A good encryption algorithm is one that produces seemingly random ciphertext,which can't be analyzed by the attacker to reveal any information about plaintext.For example,the substitution cipher is not a good algorithm,because the attacker could determine the fre- quency of each letter of ciphertext and compare it with the frequency of the letters in the English language.Because some letters appear more often than others,the attacker could use his observations to recover the plaintext.If a cipher is good,the only option for the at- tacker should be to try all possible decryption keys,otherwise known as an exhaustive key search. At this point,the security of ciphertext depends entirely on the key.If the key is selected froma large keyspace and breaking the encryption requires iterating througha prohibitively large number of possible keys,then we say that a cipher is computationally secure. Note The common way to measure encryption strength is via key length;the assumption is that keys are essentially random,which means that the keyspace is defined by the number of bits in a key.As an example,a 128-bit key(which is considered very se- cure)is one of 340 billion billion billlion billion possible combinations. Ciphers can be divided into two groups:stream and block ciphers. Stream Ciphers Conceptually,stream ciphers operate in a way that matches how we tend to imagine encryp- tion.You feed one byte of plaintext to the encryption algorithm,and out comes one byte of ciphertext.The reverse happens at the other end.The process is repeated for as long as there is data to process. At its core,a stream cipher produces an infinite stream of seemingly random data called a keystream.To perform encryption,one byte of keystream is combined with one byte of plaintext using the XOR logical operation.Because XOR is reversible,to decrypt you per- form XOR of ciphertext with the same keystream byte.This process is illustrated in Fig- urel.2,“RC4 encryption'”. Building Blocks
A good encryption algorithm is one that produces seemingly random ciphertext, which can’t be analyzed by the attacker to reveal any information about plaintext. For example, the substitution cipher is not a good algorithm, because the attacker could determine the frequency of each letter of ciphertext and compare it with the frequency of the letters in the English language. Because some letters appear more often than others, the attacker could use his observations to recover the plaintext. If a cipher is good, the only option for the attacker should be to try all possible decryption keys, otherwise known as an exhaustive key search. At this point, the security of ciphertext depends entirely on the key. If the key is selected from a large keyspace and breaking the encryption requires iterating through a prohibitively large number of possible keys, then we say that a cipher is computationally secure. Note e common way to measure encryption strength is via key length; the assumption is that keys are essentially random, which means that the keyspace is defined by the number of bits in a key. As an example, a 128-bit key (which is considered very secure) is one of 340 billion billion billlion billion possible combinations. Ciphers can be divided into two groups: stream and block ciphers. Stream Ciphers Conceptually, stream ciphers operate in a way that matches how we tend to imagine encryption. You feed one byte of plaintext to the encryption algorithm, and out comes one byte of ciphertext. e reverse happens at the other end. e process is repeated for as long as there is data to process. At its core, a stream cipher produces an infinite stream of seemingly random data called a keystream. To perform encryption, one byte of keystream is combined with one byte of plaintext using the XOR logical operation. Because XOR is reversible, to decrypt you perform XOR of ciphertext with the same keystream byte. is process is illustrated in Figure 1.2, “RC4 encryption”. Building Blocks 7
Figure 1.2.RC4 encryption RC4 →1010 Keystream ⊕ 0 1 1o Plaintext 11 0 Ciphertext An encryption process is considered secure if the attacker can't predict which keystream bytes are at which positions.For this reason,it is vital that stream ciphers are never used with the same key more than once.This is because,in practice,attackers know or can pre. dict plaintext at certain locations(think of HTTP requests being encrypted;things such as request method,protocol version,and header names are the same across many requests). When you know the plaintext and can observe the corresponding ciphertext,you uncover parts of the keystream.You can use that information to uncover the same parts of future ciphertexts if the same key is used.To work around this problem,stream algorithms are used with one-time keys derived from long-term keys. RC4is the best-known stream cipher.It became popular due to its speed and simplicity but itsno longer conidered secure.I discuss its weaknesses at some length in the sectio call "RC4 Weaknesses".Other modern and secure stream ciphers are promoted by the ECRYPT Stream Cipher Project. Block Ciphers Block ciphers encrypt entire blocks of data at a time;modern block ciphers tend to use a block size of 128 bits(16 bytes).A block cipher is a transformation function:it takes some input and produces seemingly random output from it.For every possible input combina tion,there is exactly one output,as long as the key stays the same.A key property of block ciphers is that a small variation in input (e.g.a change of one bit anywhere)produces a large variation in output. On their own,block ciphers are not very useful because of several limitations.First,you can only use them to encrypt data lengths equal to the size of the encryption block.To use a block cipher in practice,you need a scheme to handle data of arbitrary length.Another Chapter 1:SSL,TLS,and Cryptography
Figure 1.2. RC4 encryption 1 1 0 0 Ciphertext 0 1 1 0 Plaintext Key RC4 1 0 1 0 Keystream An encryption process is considered secure if the attacker can’t predict which keystream bytes are at which positions. For this reason, it is vital that stream ciphers are never used with the same key more than once. is is because, in practice, attackers know or can predict plaintext at certain locations (think of HTTP requests being encrypted; things such as request method, protocol version, and header names are the same across many requests). When you know the plaintext and can observe the corresponding ciphertext, you uncover parts of the keystream. You can use that information to uncover the same parts of future ciphertexts if the same key is used. To work around this problem, stream algorithms are used with one-time keys derived from long-term keys. RC4 is the best-known stream cipher.9 It became popular due to its speed and simplicity, but it’s no longer considered secure. I discuss its weaknesses at some length in the section called “RC4 Weaknesses”. Other modern and secure stream ciphers are promoted by the ECRYPT Stream Cipher Project. 10 Block Ciphers Block ciphers encrypt entire blocks of data at a time; modern block ciphers tend to use a block size of 128 bits (16 bytes). A block cipher is a transformation function: it takes some input and produces seemingly random output from it. For every possible input combination, there is exactly one output, as long as the key stays the same. A key property of block ciphers is that a small variation in input (e.g., a change of one bit anywhere) produces a large variation in output. On their own, block ciphers are not very useful because of several limitations. First, you can only use them to encrypt data lengths equal to the size of the encryption block. To use a block cipher in practice, you need a scheme to handle data of arbitrary length. Another 9 RC4 (Wikipedia, retrieved 1 June 2014) 10 eSTREAM: the ECRYPT Stream Cipher Project (European Network of Excellence in Cryptology II, retrieved 1 June 2014) 8 Chapter 1: SSL, TLS, and Cryptography
problem is that block ciphers are deterministic;they always produce the same output for the same input.This property opens up a number of attacks and needs to be dealt with In practice,block ciphers are used via encryption schemes called block cipher modes,which smooth over the limitations and sometimes add authentication to the mix.Block ciphers can also be used as the basis for other cryptographic primitives,such as hash functions message authentication codes,pseudorandom generators,and even stream ciphers. The worlds most popular block cipher is AES (short for Advanced Encryption Standard). which is available in strengths of 128,192,and 256 bits.1 Padding One of the challenges with block ciphers is figuring out how to handle encryption of data lengths smaller than the encryption block size.For example,128-bit AES requires 16 bytes of input data and produces the same amount as output.This is fine if you have all of your data in 16-byte blocks,but what do you do when you have less than that?One approach is to append some extra data to the end of your plaintext.This extra data is known as padding. The padding can't consist of just any random data.It must follow some format that allows the receiver to see the padding for what it is and know exactly how many bytes to discard.In TLS,the last byte of an encryption block contains padding length,which indicates how many bytes of padding(excluding the padding length byte)there are.All padding bytes are set to the same value as the padding length byte.This approach enables the receiver to check that the padding is correct. Figure 1.3.Example of TLS padding lengt 48656c6c6F☐776F726c64243333 e l 10 w o r l d Padding To discard the padding after decryption,the receiver examines the last byte in the data block and removes it.After that,he removes the indicated number of bytes while checking that they all have the same value. Hash Functions A hash function is an algorithm that converts input of arbitrary length into fixed-size out- put.The result of a hash function is often called simply a hash.Hash functions are common- 1Advanced Eypion Standard (Wikipedia,retrieved 1June 2014) Building Blocks
problem is that block ciphers are deterministic; they always produce the same output for the same input. is property opens up a number of attacks and needs to be dealt with. In practice, block ciphers are used via encryption schemes called block cipher modes, which smooth over the limitations and sometimes add authentication to the mix. Block ciphers can also be used as the basis for other cryptographic primitives, such as hash functions, message authentication codes, pseudorandom generators, and even stream ciphers. e world’s most popular block cipher is AES (short for Advanced Encryption Standard), which is available in strengths of 128, 192, and 256 bits.11 Padding One of the challenges with block ciphers is figuring out how to handle encryption of data lengths smaller than the encryption block size. For example, 128-bit AES requires 16 bytes of input data and produces the same amount as output. is is fine if you have all of your data in 16-byte blocks, but what do you do when you have less than that? One approach is to append some extra data to the end of your plaintext. is extra data is known as padding. e padding can’t consist of just any random data. It must follow some format that allows the receiver to see the padding for what it is and know exactly how many bytes to discard. In TLS, the last byte of an encryption block contains padding length, which indicates how many bytes of padding (excluding the padding length byte) there are. All padding bytes are set to the same value as the padding length byte. is approach enables the receiver to check that the padding is correct. Figure 1.3. Example of TLS padding 48 3 3 3 3 H 65 e 6C l 6C l 21 ! 6F o 6F o 77 w 72 r 6C l 64 d Padding Padding length To discard the padding after decryption, the receiver examines the last byte in the data block and removes it. After that, he removes the indicated number of bytes while checking that they all have the same value. Hash Functions A hash function is an algorithm that converts input of arbitrary length into fixed-size output. e result of a hash function is often called simply a hash. Hash functions are common- 11 Advanced Encryption Standard (Wikipedia, retrieved 1 June 2014) Building Blocks 9
