學XuHui,: 1CISSPExpectation-CISSPUnderstandtheapplicationanduseof 碼學的應Dataatrest,e.g.,hardDataintransit,e.g.,“OntheUnderstandtheencryption 碼學概Foundationalconcepts（基本概念Symmetriccryptography（對稱加密Asymmetriccryptography（非對稱加密Hybridcryptography（混合加密Messagedigests（消 2CISSPExpectation-CISSPUnderstandKeyManagement 鑰管理流Creationanddistribution（創建和分發Storageand 和銷毀Recovery（密鑰恢復Keyescrow(密鑰托Understanddigital理解數字簽Understand理解不可抵3CISSPExpectation-CISSPUnderstandmethodsof ytic 方Chosenplaintext（選擇明 Socialengineeringforkeydiscovery（社會工程學Brute Knownplaintext（已知明 ysis（頻率分析Chosenciphertext（選擇密 Implementationattacks（針對實施 4CISSPExpectation-CISSPEmploycryptographyinnetwork 中使 學技Usecryptographyto 使 學技術保護電子郵件安Understandpublickey理解PKI公鑰技術設 related理解數 和相關概Understandinformationhidingalternatives,e.g.,steganography,watermarking5※0.CISSP※1.Cryptography※2.Symmetric※3.Asymmetric※4.Hash※5.Cipher※6. ※7.6CRYPTOGRAPHY7CryptographyHistory-beforelast)scribeswritingdownthebookofJeremiahusedreversed-alphabetsimplesubstitutioncipherPlain:Cipher:MonoalphabeticPlain:Cipher:CipherPlaintext:IhaveagoodCiphertext:rszevztllw8CryptographyHistory- 700-300BCinGreece(希臘人于公元前600年-前500年consistingofacylinderwithastripofpar entwoundarounditonwhichiswrittenamessage.TheancientGreeks（希臘人）,andtheSpartans（斯巴達人）inparticular,aresaidtohaveusedthisciphertocommunicateduringmilitary TranspositionCipher（移位 9CryptographyHistory-Caesar60-50BCbyJuliusCaesarRoma Substitution:Rightshiftthealphabeticby3positions()Plaintext:IhaveagoodCiphertext:fexsbxdllaCryptographyHistory-VigenereCipher(維吉尼 Polyalphabeticsubstitution(多字母替 ababcdefghijklmnopqrstuvwxyzAabcdefghijklmnopqrstuvwxyzBbcdefghijklmnopqrstuvwxyzaCcdefghijklmnopqrstuvwxyzabDdefghijklmnopqrstuvwxyzabcEefghijklmnopqrstuvwxyzabcdFfghijklmnopqrstuvwxyzabcdeGghijklmnopqrstuvwxyzabcdefHhijklmnopqrstuvwxyzabcdefgIijklmnopqrstuvwxyzabcdefghJjklmnopqrstuvwxyzabcdefghiKklmnopqrstuvwxyzabcdefghijLlmnopqrstuvwxyzabcdefghijkMmnopqrstuvwxyzabcdefghijklNnopqrstuvwxyzabcdefghijklmOopqrstuvwxyzabcdefghijklmnPpqrstuvwxyzabcdefghijklmnoQqrstuvwxyzabcdefghijklmnopRrstuvwxyzabcdefghijklmnopqSstuvwxyzabcdefghijklmnopqrTtuvwxyzabcdefghijklmnopqrsUuvwxyzabcdefghijklmnopqrstVvwxyzabcdefghijklmnopqrstuWwxyzabcdefghijklmnopqrstuvXxyzabcdefghijklmnopqrstuvwYyzabcdefghijklmnopqrstuvwxZzabcdefghijklmnopqrstuvwxyRepeatedKey:Ihaveagoods+i=>ae+h=>lc+a=>ck+v=>f…alcfiyysqnCryptographyHistory-OneTime 本KeyPeoplehumanbeingeatfooddrinkwatertakeshowerhappyfamilyFaithhopeloveawomana

Pre

KeyPeoplehumanbeingeatfooddrinkwatertakeshowerhappyfamilyFaithhopeloveawomana Ihaveagood …ymplqCryptographyHistory-RunningKey

Pre

KeyIndex:Ihaveagoodnews

IwenttothewoodsbecauseIwishedtolivedelibera y,tofrontonlytheessentialfactsoflife,andseeifIcouldnotlearnwhatithadtoteach,andnot,whenIcametodie,discoverthatIhadnotlived.Ididnotwishtolivewhatwasnotlife,livingissodear;CryptographyHistory-

TranspositionCipher(移位 Permutation MonoalphabeticPolyalphabeticCryptographyHistory-Steganography(隱寫術TheartandscienceofwritinghiddenTheadvantageofsteganographyovercryptographyaloneisthatmessagesdonotattractattentiontothe iodinestarchSYMMETRIC對

BlockCipherVSStream

……

…… Terminology(術語NIST(USA):NationalInstituteofStandardsand與技NISTSP:NationalInstituteofStandardsandTechnologySpecialPublication與技 特 信息處理標non-NSA(USA):NationalSecurity國家安全

DataEncryptionStandard(數據加密標準1977,FIPS46,byReplacedbyAES(被AES算法替代BlockCipher( KeySize:56bit(密鑰長度：56比特Rounds:16roundsoftranspositionand4CipherModes(4 模式ElectronicCodebookBlockChainingCipherFeedbackOutputFeedback安全性：DES已經在1998年被EFF(ElectronicFrontierFoundation)證明是不安全的，當時EFF用了少于250000的價格組裝了一臺計算機用少于3天的時間了DES。ElectronicProblem:IdenticalplaintextblocksareencryptedintoidenticalciphertextAstrikingexampleCipherBlockCipherFeedbackOutputFeedbackTheoutputfeedback(OFB)modemakesablockcipherintoasynchronousstreamcipher.Itgenerateskeystreamblocks

TripleDataEncryptionStandardorTDEA(TripleDataEncryptionAlgorithm)publishedin1998,NISTSP800-1999年，NIST將3-DES指定為過渡的加密標準BlockCipher( 3DES3DES K1≠K2, K1≠K2≠安全性：NISThasapprovedTripleDESthroughtheyear2030forsensitive ernmentinformation

AdvancedEncryptionStandardFIPS197in2001byNIST,OriginallycalledWinfromMARS,RC6,Rijndael,Serpent,BlockBlockSize:128/192/256bitKeySize:10roundsfor128-bitkeys,12roundsfor192-bitkeys,and14roundsfor256-bitkeysBy2006,thebestknownattackswereon7roundsfor128-bitkeys,8roundsfor192-bitkeys,and9roundsfor256-bitkeys. RivestCipher

byRonRivestofRSASecurityInStreamThekey-schedulingalgorithmThepseudo-randomgenerationalgorithmKeyLength:variablelengthkey,typicallybetween40and256theonlycommoncipherwhichisimmunetothe2011BEASTattackonTLS1.0,whichexploitsaknownweaknessinthewaycipherblockchainingmodeisusedwithalloftheothercipherssupportedbyTLS1.0,whichareallblock

MoreTheTwofishSymmetricblockcipher：128-bitblock,Up256-bitTheIDEACipher(InternationalDataEncryptionJamesMasseyandXuejiaLai,blockcipher：64-bitplaintextblocks,128-bitRonaldRivestinBlockcipherofvariableblockTypicalBlocksizeof32,64,or128KeysizeandRoundsarefrom0toConfusionand ClaudeShannon( )inhispaperCommunicationTheoryofSecrecySystems,publishedin1949.ConfusionreferstomakingtherelationshipbetweentheplaintextandtheciphertextascomplexandinvolvedasDiffusionreferstothepropertythattheredundancyinthestatisticsoftheplaintextis"dissipated"inthestatisticsoftheInparticular,changingonebitofthekeyshouldchangetheciphertextcomple Kerckhoffs’s“Acryptosystemshouldbesecureevenifeverythingaboutthesystem,exceptthekey,ispublicknowledge”wasstatedbyAugusteKerckhoffsinthe19thcentury ASYMMETRICAsymmetricComparewithSymmetricAMessagethatisencryptedbyoneofthekeyscanbedecryptedwiththeotherkey.NoneedtoExchangeSlowerthansymmetric EllipticEl

RivestShamirh1977,byRonRivest,AdiShamirh,LenAdlemanatbasedonthepresumeddifficultyoffactoringlargeRSA1024andRSA 日，編號為RSA-768（768bits,232digits）數

KeygenerationChoosetwodistinctprimenumbers(質數):Eg,p=13,ComputeComputeφ(n)=(p–1)(q–1)=(13-1)*(7-Chooseanintegere,suchthat1<e<φ(n)and(e,φ(n))=1Eg,e=11，PublickKey(e,n)=(11,Computed,suchthatd=e–1modd=11–1mod72=59，PrivateKey（d,φ(n)）=(59,usingtheextendedEuclideanalgorithm(擴 Encryption

Decryption

DiffieHallmankeyToExchangesecretkeysoveranon-securemediumwithoutexposingthekeys.publishedbyWhitfieldDiffieand manin1ap,b2ap,g,gamodp=p,b3ap,g,gbmodp=p,g,A,b4a,p,g,A,Bamodp=Abmodp=p,g,A,b,

橢圓曲線y2=x3+a*x+bp=FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFa=FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFb=28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD41n=FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123Gx=32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7Gy=BC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0Ellipticcurvecryptography(橢圓曲線算法basedonthealgebraicstructureofellipticcurvesoverfiniteEllipticCurve:y2=x3+ax+1985,byNealKoblitzandVictorS.DigitalSignature:ECDSA(ECC-DigitalSignatureDataEncryption:ECDH(Ellipticcurve HASH

Message-Digest1991,designedbyRonRivestinThesecurityoftheMD5hashfunctionisseverelyAcollisionattackexiststhatcanfindcollisionswithin

SHA-SecureHashAlgorithm-1995,designedbytheUnitedStatesNationalSecurityAgency,publishedbytheUnitedStatesNISTDigestLength:Rounds:安全In2005,crypt ystsfoundattacksonSHA-1suggestingthatthealgorithmmightnotbesecureenoughforongoinguse.NISTrequiredmanyapplicationsinfederalagenciestomovetoSHA-2after2010becauseoftheweakness.

SHABlocksize(bits)264?264?264?2264?2128?

Aone-wayhashingalgorithmwithvariablelengthofoutput1992,byYuliangZheng,JosefPieprzyk,andJenniferHAVALcanproducehashesinlengthsof128bits,160bits,192bits,224bits,and256bits.HAVALalsoallowsuserstospecifythenumberofrounds(3,4,or5)tobeusedtogeneratethehash.On17August2004,collisionsforHAVAL(128bits,3passes)wereannouncedbyXiaoyunWangCIPHERCipherApplication-

CIA- fromSymmetricEncryption,AsymmetricDataarenottamperedbeforeHash,checksum,Evidence,cannotDigital 基于對稱密鑰 認終 卡

服務（PSAM：刷卡機卡片隨機加密后的隨機

分散算法（消費密鑰 6. 隨機數，比CipherApplication-MAC消息認證MessageAuthenticationHMAC:HashedMessageAuthenticationCipherApplication-

CBC-CipherApplication-基于HMAC的動態口 CipherApplication-DigitalRSA-basedsignatureschemes(PKCS#1,DSAanditsellipticcurvevariantElGamalsignatureCipherApplication-RSA-BasedSignature

PKCS#7數字簽 數據包內

簽名信

? ?

CipherApplication-

數章CipherApplication-

S/MIME（SecureMultipurposeInternetMail inaMIMEToprovideauthenticationthroughdigitalsignaturesand ityofencryptionUsesX.509standardforits PGP(PrettyGoodInsteadof Authority,PGPusesa“WebUserscancertifyeachotherinameshCipherApplication-

PKIvs(Hierarchical

PGP:Mesh(WebofCipherApplication-IDBased thepublickeyofauserissomeuniqueinformationabouttheidentityoftheuser(e.g.auser's ID-basedencryptionwasproposedbyAdiShamirin1984.Thepairing-basedBoneh–FranklinschemeandCocks'sencryptionschemebasedonquadraticresiduesbothsolvedtheIBEproblemin2001.CipherApplication-

SecureElectronicVisa&MasterCarddevelopedSETin1997，Coverstheend-to-endtransactionsfromthecardholdertothefinancialinstitution. Despiteheavypublicitytowinmarketshare,itfailedtogainwidespreaduseNeedtoinstallclientCostandcomplexityformerchantstooffersupport,contrastedwiththecomparativelylowcostandsimplicityoftheexistingSSLbasedalternative. distributionCipherApplication-

4 5商 2

3

1實際B2C交易技 SSL加 5返回6支付交互過SSLCipherApplication-

SSLSecureSocketslatestversionSSLprotocoldevelopedbyNetscapein abovetheTransportLayerAsymmetriccryptography(Digital )toexchangekeyEncryptusingSymmetricTLS:TransactionLayerThesuccessorofSSL,CipherApplication-

InternetProtocolauthenticatingandencryptingeachIPpacketofacommunicationsessionAuthenticationHeaderEncapsulatingSecurityPayloadThedatainthepacketisencrypted,buttheheaderisTheoriginalIPheaderisencryptedandanewIPheaderisaddedtothebeginningofthepacket.ThisadditionalIPheaderhastheaddressofthe theencryptedIPheaderpointstothefinaldestinationontheinternalnetworkbehindthegateway.CipherApplication-

HTTPSandS-HTTPS:HypertextTransferProtocolHTTPSwrapstheentirecommunicationwithinrequireaseparateportwithSHTTP:SecureHypertextTransferS-HTTPencryptsonlytheservedpagedataandsubmitteddatalikePOSTfieldsS-HTTPcouldbeusedconcurrentlywithHTTP(unsecured)onthesameport,astheunencryptedheaderwoulddeterminewhethertherestofthetransmissionisencrypted.HTTPSandS-HTTPwerebothdefinedinthemid-1990stoaddressthisneed.Netscapeand supportedHTTPSratherthanS-HTTP,leadingtoHTTPS ingthedefactostandardmechanismforsecuringwebcommunications.Secure

ByestablishinganencryptedtunnelbetweenanSSHclientandanSSHserver.Canbeusedtoauthenticatetheclienttothesever,andalsotoprovide ityandintegritySSHV2.X mankeyIntegritycheckingviamessageauthenticationRunanynumberofs sessionsoverasingleSSH

WorkWorkFactorisdefinedastheamountofeffort(usuallymeasuredinunitsoftime)neededtobreakacryptosystem. ysisofSymmetricBruteKnownPlaintexttheattackerhassamplesofboththeplaintext,andChosenPlaintexttheattackerhasthecapabilitytochoosearbitraryplaintextstobeencryptedandobtainthecorrespondingciphertextsAdaptiveChosenwherethecrypt ystmakesaseriesofinteractivequeries,choosingsubsequentplaintextsbasedontheinformationfromthepreviousencryptions. ysisofSymmetricCiphertextOnlytheattackerisassumedtohaveaccessonlytoasetofChosenCiphertextthecryptystgathersinformation,atleastinpart,bychoosingaciphertextandobtainingitsdecryptionunderanunknownkey.IntheattackAdaptiveChosenaninteractiveformofchosen-ciphertextattackinwhichanattackersendsanumberofciphertextstobedecrypted ysisofSymmetricDifferential itisthestudyofhowdifferencesinaninputcanaffecttheresultantdifferenceattheoutputLinear findingaffineapproximationstotheactionofaTripleDESwiththreeindependentkeyshasakeylengthof168bits(three56-bitDESkeys),butduetothemeet-in-the-middleattack,theeffectivesecurityitprovi