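2918g Distributed Key Management System: Implementation of a Key Confirmation Algorithm, Foreign-Language Source Material for Translation (Original Text). Content summary: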
red.

One scheme has become universally accepted for formatting public-key certificates: the standard. certificates are used in most network security applications, including IP security, secure sockets layer (SSL), secure electronic transactions (SET), and S/MIME, all of which are discussed in Part Two. is examined in detail in Chapter 14.

Distribution of Secret Keys Using Public-Key Cryptography

Once public keys have been distributed or have become accessible, secure communication that thwarts eavesdropping (Figure ), tampering (Figure ), or both (Figure ) is possible. However, few users will wish to make exclusive use of public-key encryption for communication because of the relatively slow data rates that can be achieved. Accordingly, public-key encryption provides for the distribution of secret keys to be used for conventional encryption.

Simple Secret Key Distribution

An extremely simple scheme was put forward by Merkle [MERK79], as illustrated in Figure . If A wishes to communicate with B, the following procedure is employed:

1. A generates a public/private key pair {PUa, PRa} and transmits a message to B consisting of PUa and an identifier of A, IDA.
2. B generates a secret key, Ks, and transmits it to A, encrypted with A's public key.
3. A computes D(PRa, E(PUa, Ks)) to recover the secret key. Because only A can decrypt the message, only A and B will know the identity of Ks.
4. A discards PUa and PRa and B discards PUa.

Figure . Simple Use of Public-Key Encryption to Establish a Session Key

A and B can now securely communicate using conventional encryption and the session key Ks. At the completion of the exchange, both A and B discard Ks. Despite its simplicity, this is an attractive protocol. No keys exist before the start of the communication and none exist after the completion of communication. Thus, the risk of compromise of the keys is minimal. At the same time, the communication is secure from eavesdropping.

The protocol depicted in Figure is insecure against an adversary who can intercept messages and then either relay the intercepted message or substitute another message (see Figure ). Such an attack is known as a man-in-the-middle attack [RIVE84]. In this case, if an adversary, E, has control of the intervening communication channel, then E can compromise the communication in the following fashion without being detected:

1. A generates a public/private key pair {PUa, PRa} and transmits a message intended for B consisting of PUa and an identifier of A, IDA.
2. E intercepts the message, creates its own public/private key pair {PUe, PRe} and transmits PUe||IDA to B.
3. B generates a secret key, Ks, and transmits E(PUe, Ks).
4. E intercepts the message, and learns Ks by computing D(PRe, E(PUe, Ks)).
5. E transmits E(PUa, Ks) to A.

The result is that both A and B know Ks and are unaware that Ks has also been revealed to E. A and B can now exchange messages using Ks. E no longer actively interferes with the communications channel but simply eavesdrops. Knowing Ks, E can decrypt all messages, and both A and B are unaware of the problem. Thus, this simple protocol is only useful in an environment where the only threat is eavesdropping.

Secret Key Distribution with Confidentiality and Authentication

Figure , based on an approach suggested in [NEED78], provides protection against both active and passive attacks. We begin at a point when it is assumed that A and B have exchanged public keys by one of the schemes described earlier in this section. Then the following steps occur:

1. A uses B's public key to encrypt a message to B containing an identifier of A (IDA) and a nonce (N1), which is used to identify this transaction uniquely.
2. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new nonce generated by B (N2). Because only B could have decrypted message (1), the presence of N1 in message (2) assures A that the correspondent is B.
3. A returns N2 encrypted using B's public key, to assure B that its correspondent is A.
4. A selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B. Encryption of this message with B's public key ensures that only B can read it; encryption with A's private key ensures that only A could have sent it.
5. B computes D(PUa, D(PRb, M)) to recover the secret key.

Figure . Public-Key Distribution of Secret Keys

Notice that the first three steps of this scheme are the same as the last three steps of Figure . The result is that this scheme ensures both confidentiality and authentication in the exchange of a secret key.

A Hybrid Scheme

Yet another way to use public-key encryption to distribute secret keys is a hybrid approach in use on IBM mainframes [LE93]. This scheme retains the use of a key distribution center (KDC) that shares a secret master key with each user and distributes secret session keys encrypted with the master key. A public key scheme is used to distribu
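The simple exchange, its interception by E, and steps 4 and 5 of the authenticated scheme described above can be traced in code. This is an added example, not part of the original text: it assumes textbook RSA without padding, keys constructed from known Mersenne primes, and hypothetical function names, none of which is suitable for real use.

```python
import secrets

def keypair(p, q, e=65537):
    """Textbook RSA keys as (exponent, modulus) pairs: returns (PU, PR)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def rsa(key, m):
    """E(PU, m) and D(PR, c) are the same modular power in textbook RSA."""
    exp, n = key
    return pow(m, exp, n)

# Constructed keys from known Mersenne primes (assumption of this example).
# A's modulus is the smallest so that E(PRa, Ks) fits in one block under PUb.
PUa, PRa = keypair(2**31 - 1, 2**61 - 1)
PUe, PRe = keypair(2**89 - 1, 2**107 - 1)
PUb, PRb = keypair(2**127 - 1, 2**521 - 1)

def simple_exchange(intercepted):
    """Simple scheme; returns (Ks recovered by A, Ks chosen by B, Ks learned by E)."""
    pu_received = PUe if intercepted else PUa   # E swaps PUa for PUe in transit
    ks = secrets.randbelow(2**64) + 2           # B's session key
    c = rsa(pu_received, ks)                    # B sends E(PU, Ks)
    ks_e = None
    if intercepted:
        ks_e = rsa(PRe, c)                      # E computes D(PRe, E(PUe, Ks))
        c = rsa(PUa, ks_e)                      # E forwards E(PUa, Ks) to A
    return rsa(PRa, c), ks, ks_e                # A computes D(PRa, E(PUa, Ks))

def authenticated_send(ks, inner_key=PRa):
    """M = E(PUb, E(PRa, Ks)); inner_key is a parameter only to model a forgery."""
    return rsa(PUb, rsa(inner_key, ks))

def authenticated_receive(m):
    """B computes D(PUa, D(PRb, M)) with the PUa it obtained beforehand."""
    return rsa(PUa, rsa(PRb, m))

if __name__ == "__main__":
    print("clean run:      ", simple_exchange(False))
    print("intercepted run:", simple_exchange(True))
    ks = secrets.randbelow(2**64) + 2
    print("inner layer from PRa recovers Ks:",
          authenticated_receive(authenticated_send(ks)) == ks)
    print("inner layer from PRe recovers Ks:",
          authenticated_receive(authenticated_send(ks, PRe)) == ks)
```

In the intercepted run all three values are equal and neither A nor B sees anything unusual, which is the failure the text describes. With unpadded RSA, B only ends up with a mismatched value when the inner layer was not made with PRa; an implementation needs a padded signature scheme or an explicit key-confirmation step so that B can reject the message outright.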