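Distributed Key Management System: Implementation of the Key Confirmation Algorithm, Translation of Foreign-Language Material - Management System (Edited and Revised Draft). Content summary: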

risk of compromise of the keys is minimal. At the same time, the communication is secure from eavesdropping.

The protocol depicted in Figure is insecure against an adversary who can intercept messages and then either relay the intercepted message or substitute another message (see Figure). Such an attack is known as a man-in-the-middle attack [RIVE84]. In this case, if an adversary, E, has control of the intervening communication channel, then E can compromise the communication in the following fashion without being detected:

1. A generates a public/private key pair {PUa, PRa} and transmits a message intended for B consisting of PUa and an identifier of A, IDA.
2. E intercepts the message, creates its own public/private key pair {PUe, PRe} and transmits PUe||IDA to B.
3. B generates a secret key, Ks, and transmits E(PUe, Ks).
4. E intercepts the message, and learns Ks by computing D(PRe, E(PUe, Ks)).
5. E transmits E(PUa, Ks) to A.

The result is that both A and B know Ks and are unaware that Ks has also been revealed to E. A and B can now exchange messages using Ks. E no longer actively interferes with the communications channel but simply eavesdrops. Knowing Ks, E can decrypt all messages, and both A and B are unaware of the problem. Thus, this simple protocol is only useful in an environment where the only threat is eavesdropping.

Secret Key Distribution with Confidentiality and Authentication

Figure, based on an approach suggested in [NEED78], provides protection against both active and passive attacks. We begin at a point when it is assumed that A and B have exchanged public keys by one of the schemes described earlier in this section. Then the following steps occur:

1. A uses B's public key to encrypt a message to B containing an identifier of A (IDA) and a nonce (N1), which is used to identify this transaction uniquely.
2. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new nonce generated by B (N2). Because only B could have decrypted message (1), the presence of N1 in message (2) assures A that the correspondent is B.
3. A returns N2 encrypted using B's public key, to assure B that its correspondent is A.
4. A selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B. Encryption of this message with B's public key ensures that only B can read it; encryption with A's private key ensures that only A could have sent it.
5. B computes D(PUa, D(PRb, M)) to recover the secret key.

Figure. Public-Key Distribution of Secret Keys

Notice that the first three steps of this scheme are the same as the last three steps of Figure. The result is that this scheme ensures both confidentiality and authentication in the exchange of a secret key.

A Hybrid Scheme

Yet another way to use public-key encryption to distribute secret keys is a hybrid approach in use on IBM mainframes [LE93]. This scheme retains the use of a key distribution center (KDC) that shares a secret master key with each user and distributes secret session keys encrypted with the master key. A public-key scheme is used to distribute the master keys. The following rationale is provided for using this three-level approach:

• Performance: There are many applications, especially transaction-oriented applications, in which the session keys change frequently. Distribution of session keys by public-key encryption could degrade overall system performance because of the relatively high computational load of public-key encryption and decryption. With a three-level hierarchy, public-key encryption is used only occasionally to update the master key between a user and the KDC.
• Backward compatibility: The hybrid scheme is easily overlaid on an existing KDC scheme, with minimal disruption or software changes.

The addition of a public-key layer provides a secure, efficient means of distributing master keys.
This is an advantage in a configuration in which a single KDC serves a widely distributed set of users.

Diffie-Hellman Key Exchange

The first published public-key algorithm appeared in the seminal paper by Diffie and Hellman that defined public-key cryptography [DIFF76b] and is generally referred to as Diffie-Hellman key exchange.[1] A number of commercial products employ this key exchange technique.

[1] Williamson of Britain's CESG published the identical scheme a few months earlier in a classified document [WILL76] and claims to have discovered it several years prior to that; see [ELLI99] for a discussion.

The purpose of the algorithm is to enable two users to securely exchange a key that can then be used for subsequent encryption of messages. The algorithm itself is limited to the exchange of secret values.

The Diffie-Hellman algorithm depends for its effectiveness on the difficulty of computing discrete logarithms. Briefly, we can define the discrete logarithm in the following way. First, we define a primitive root of a prime number p as one whose powers modulo p generate all the integers from 1 to p - 1. That is, if a is a primitive root of the prime number p, then the numbers $a \bmod p, a^2 \bmod p, \ldots, a^{p-1} \bmod p$ are distinct and consist of the integers from 1 through p - 1 in some permutation.

For any integer b and a primitive root a of prime number p, we can find a unique exponent i such that $b \equiv a^i \pmod{p}$ where $0 \le i \le (p - 1)$. The exponent i is referred to as the discrete logarithm of b for the base a, mod p. We express this value as $\mathrm{dlog}_{a,p}(b)$. See Chapter 8 for an extended discussion of discrete logarithms.

The Algorithm

Figure summarizes the Diffie-Hellman key exchange algorithm. For this scheme, there are two publicly known numbers: a prime number q and an integer a that is a primitive root of q. Suppose the users A and B wish to exchange a key. User A selects a random integer $X_A < q$ and computes $Y_A = a^{X_A} \bmod q$. Similarly, user B independently se
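The primitive-root and discrete-logarithm definitions above, as an added Python example that is not part of the original text: it checks the primitive-root property, finds a discrete logarithm by exhaustive search, and goes beyond the truncated passage by completing the exchange with the standard shared-key step K = (Y_B)^(X_A) mod q. The parameters q = 353 and a = 3, the private values and all function names are constructed for illustration.

```python
def is_primitive_root(a, p):
    """True if a, a^2, ..., a^(p-1) mod p are a permutation of 1..p-1."""
    return len({pow(a, i, p) for i in range(1, p)}) == p - 1

def dlog(b, a, p):
    """Discrete logarithm by exhaustive search: the i with a^i = b (mod p).
    Searching 0..p-2 is enough, since a^(p-1) = a^0 = 1 (mod p)."""
    x = 1
    for i in range(p - 1):
        if x == b % p:
            return i
        x = (x * a) % p
    raise ValueError("b is not a power of a modulo p")

def public_value(a, q, x):
    """Y = a^X mod q, the value a user sends to the other side."""
    if not 0 < x < q:
        raise ValueError("private value must satisfy 0 < X < q")
    return pow(a, x, q)

def shared_key(y_other, q, x_own):
    """K = (Y_other)^(X_own) mod q; both users arrive at the same K."""
    return pow(y_other, x_own, q)

def recover_key_by_search(a, q, ya, yb):
    """A passive observer of q, a, Y_A, Y_B has to solve one discrete logarithm.
    The search finishes instantly only because q is tiny here, which is why
    real parameters use primes thousands of bits long."""
    return shared_key(yb, q, dlog(ya, a, q))

if __name__ == "__main__":
    q, a = 353, 3        # constructed toy parameters
    xa, xb = 97, 233     # constructed private values
    ya, yb = public_value(a, q, xa), public_value(a, q, xb)
    print("a is a primitive root of q:", is_primitive_root(a, q))
    print("Y_A, Y_B:", ya, yb)
    print("K at A, K at B:", shared_key(yb, q, xa), shared_key(ya, q, xb))
    print("K recovered by exhaustive search:", recover_key_by_search(a, q, ya, yb))
```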
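The five-step exchange under "Secret Key Distribution with Confidentiality and Authentication", run end to end as an added Python example (not from the original text): once with B as the responder, and once with a responder that does not hold PRb, the position of the intermediary in the man-in-the-middle description. It assumes textbook RSA without padding, constructed toy primes and sample values, and hypothetical function names.

```python
def keypair(p, q, e):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def rsa(key, m):
    """E(key, m) and D(key, m) are the same modular exponentiation."""
    n, exponent = key
    return pow(m, exponent, n)

# Constructed toy keys: no padding, tiny moduli, illustration only.
PU_A, PR_A = keypair(61, 53, 17)   # n = 3233
PU_B, PR_B = keypair(89, 97, 5)    # n = 8633 > 3233, so E(PUb, E(PRa, Ks)) fits
PU_X, PR_X = keypair(67, 71, 13)   # some other party; it does not hold PRb
ID_A, N1, N2, KS = 65, 1234, 2021, 1999   # constructed values, all below 3233

def exchange(responder_private):
    """Run steps 1-5 against whoever holds responder_private.
    Returns (A accepts responder, responder accepts A, key the responder recovers)."""
    # 1. A -> B: E(PUb, [N1 || IDA]); this toy encrypts each field separately.
    msg1 = [rsa(PU_B, N1), rsa(PU_B, ID_A)]
    # 2. Responder -> A: E(PUa, [N1 || N2]); echoing N1 requires decrypting msg1.
    n1_seen = rsa(responder_private, msg1[0])
    msg2 = [rsa(PU_A, n1_seen), rsa(PU_A, N2)]
    if rsa(PR_A, msg2[0]) != N1:
        return False, False, None   # A aborts here, so Ks is never sent
    # 3. A -> B: E(PUb, N2), proving that A could decrypt message 2.
    msg3 = rsa(PU_B, rsa(PR_A, msg2[1]))
    b_accepts = rsa(responder_private, msg3) == N2
    # 4. A -> B: M = E(PUb, E(PRa, Ks))
    m = rsa(PU_B, rsa(PR_A, KS))
    # 5. B computes D(PUa, D(PRb, M)) to recover Ks.
    return True, b_accepts, rsa(PU_A, rsa(responder_private, m))

if __name__ == "__main__":
    print("responder holds PRb:", exchange(PR_B))
    print("responder lacks PRb:", exchange(PR_X))
```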