Chapter

14密鑰管理和分發《計算機與網絡安全》主要內容9/7/20202華中農業大學信息學院對稱加密的對稱密鑰分發非對稱加密的對稱密鑰分發公鑰分發X.509認證服務公鑰基礎設施§14.1對稱加密的密鑰分發9/7/20203華中農業大學信息學院

任何密碼系統的強度都與密鑰分配方法有關。?密鑰分配方法指將密鑰發放給希望交換數據的雙方而不讓別人知道的方法。密鑰分配9/7/20204華中農業大學信息學院分配方法：A、B雙方通信密鑰由A選擇，親自交與B；第三方選擇密鑰后親自交與A和B；一方用雙方已有的密鑰加密一個新密鑰后發給 另一方；A和B與第三方C均有秘密通道，則C可以將密 鑰分別發送給A和B。密鑰分配9/7/20205華中農業大學信息學院??對分配方法的分析方法1和2需要人工傳送密鑰，對鏈路加密要求不過分，對端到端加密則有些笨拙。方法3可用于鏈路加密和端到端加密。問題：■①攻擊者若已成功獲取一個密鑰；②初始密鑰的分配。對于端到端加密，方法4稍做變動即可應用。需要一個密鑰分配中心（KDC）參與分配。■?用于支持任意端點間通信所需的密鑰數9/7/20206華中農業大學信息學院§7.3密鑰分配9/7/20207華中農業大學信息學院??密鑰分類會話密鑰（ks）末端通信時使用的臨時加密密鑰主密鑰（km）加密ks的密鑰層次式密鑰9/7/20208華中農業大學信息學院一種透明的密鑰控制方案密鑰分發方案9/7/20209華中農業大學信息學院密鑰分配模式9/7/202010華中農業大學信息學院層次式密鑰控制9/7/202011華中農業大學信息學院單個KDC在網絡規模很大時不實際層次式可提高效率并降低風險會話密鑰的生命期9/7/202012華中農業大學信息學院在安全性與通信時間之間折衷考慮對面向連接的協議，改變連接時，改用新的ks對非面向連接的協議，定期更改。面向連接的密鑰自動分發協議9/7/202013華中農業大學信息學院分散式密鑰控制會話密鑰生成步驟：9/7/202014華中農業大學信息學院密鑰的使用方法9/7/202015華中農業大學信息學院???會話密鑰的類型數據加密密鑰，用于網絡中的通用通信PIN加密密鑰，用于電子資金轉賬和銷售點應用的個人識別碼（PIN）文件加密密鑰，用于可公開訪問的加密文件§7.3.6

密鑰的使用方法9/7/202016華中農業大學信息學院■會話密鑰的類型密鑰標志(以DES為例)一位表示主密鑰或會話密鑰一位表示密鑰可否用于加密一位表示密鑰可否用于解密其余位未用■?????特點標志含在密鑰中，密鑰分配時就被加密缺點：?■①位數少，限制了其靈活性和功能；②標志不能以明文傳輸，解密后才能使用，限制了對密鑰的管理控制矢量方法■■9/7/202017華中農業大學信息學院■?會話密鑰的類型密鑰標志控制矢量方法思路會話密鑰的加密加密：H=h(CV)，Kc=Ekm⊕H[Ks]解密：H=h(CV)，

Ks=Dkm⊕H[Kc]?優點控制矢量長度不限控制矢量以明文傳輸，可多次運用對密鑰的控制要求■■密鑰的使用方法⊕⊕9/7/202018華中農業大學信息學院控制矢量的加密和解密§14.2非對稱加密的對稱密鑰分發9/7/202019華中農業大學信息學院公鑰的分配公鑰密碼用于傳統密碼體制的密鑰分配采用前面的方法獲得公鑰可以提供保密和認證但公鑰算法常常很慢用私鑰加密可以保護信息內容因此，需要會話密鑰許多可選的方案用于協商合適的會話密鑰9/7/202020華中農業大學信息學院簡單的秘密鑰分配9/7/202021華中農業大學信息學院1979由Merkle提出?

A產生一個新的臨時用的公鑰對?

A發送自己的標識和公鑰給B?

B產生一個會話密鑰，并用A的公鑰加密后發送給A?

A解密會話密鑰問題是容易受到主動攻擊，而通信雙方卻毫無察覺。利用公鑰加密建立會話密鑰9/7/202022華中農業大學信息學院具有保密性和真實性的密鑰分配9/7/202023華中農業大學信息學院假設雙發已安全交換了各自的公鑰:公鑰加密的密鑰分發混合方式的密鑰分配9/7/202024華中農業大學信息學院保留私鑰配發中心(KDC)每用戶與KDC共享一個主密鑰用主密鑰分配會話密鑰公鑰用于分配主密鑰?在大范圍分散用戶的情況下尤其有用三層結構基本依據?性能?向后兼容性§14.3公鑰分發9/7/202025華中農業大學信息學院公鑰的分配公鑰密碼用于傳統密碼體制的密鑰分配公鑰的分配9/7/202026華中農業大學信息學院公鑰分配方法?公開發布?公開可訪問目錄?公鑰授權?公鑰證書公鑰的公開發布9/7/202027華中農業大學信息學院用戶分發自己的公鑰給接收者或廣播給通信各方?例如：把PGP的公鑰放到消息的最后，發布到新聞組或郵件列表中缺點：偽造?任何人都可以產生一個冒充真實發信者的公鑰來進行欺騙?直到偽造被發現，欺騙已經形成無控制的公鑰分發9/7/202028華中農業大學信息學院公開可訪問的目錄9/7/202029華中農業大學信息學院通過使用一個公共的公鑰目錄可以獲得更大程度的安全性目錄應該是可信的，特點如下：?

包含{姓名，公鑰}目錄項?

通信方只能安全的注冊到目錄中?

通信方可在任何時刻進行密鑰更替?

目錄定期發布或更新?

目錄可被電子化地訪問缺點：仍存在被篡改偽造的風險公開的公鑰發布9/7/202030華中農業大學信息學院公鑰授權9/7/202031華中農業大學信息學院

通過更加嚴格地控制目錄中的公鑰分配，使公鑰分配更加安全。具有目錄特性每一通信方必須知道目錄管理員的公鑰

用戶和目錄管理員進行交互以安全地獲得所希望的公鑰?當需要密鑰時，確實需要能夠實時訪問目錄。公鑰目錄管理員成為系統的瓶頸。公鑰授權公鑰發布方案9/7/202032華中農業大學信息學院公鑰證書9/7/202033華中農業大學信息學院

用證書進行密鑰交換，可以避免對公鑰目錄的實時授權訪問證書包含標識和公鑰等信息?通常還包含有效期，使用權限等其它信息含有可信公鑰或證書授權方(CA)的簽名

知道公鑰或證書授權方的公鑰的所有人員都可以進行驗證例如：X.509標準公鑰證書公鑰證書交換9/7/202034華中農業大學信息學院X.509

is

part

of

the

X.500

series

of

recommendations

that

define

a

directory

service,

being

aserver

or

distributed

setof

servers

that

maintains

adatabase

of

information

about

users.X.509

definesa

framework

for

the

provision

of

authentication

services

by

the

X.500

directory

to

its

users.

The

directory

may

serve

as

arepository

of

public-key

certificates.

In

addition,

X.509

defines

alternative

authentication

protocols

based

on

the

use

of

public-key

certificates.X.509

is

based

on

the

use

of

public-key

cryptography

and

digital

signatures.

The

standard

does

not

dictate

the

use

of

aspecific

algorithm

butrecommends

RSA.The

X.509

certificate

format

is

widelyused,

in

for

example

S/MIME,

IP

Security

and

SSL/TLS

and

SET.§14.4

X.509認證服務9/7/202035華中農業大學信息學院CCITT

X.500目錄服務的一部分?維護用戶信息數據庫的分布式服務器定義了認證服務的框架?目錄可存儲公鑰證書?由認證中心簽名的用戶的公鑰定義了認證協議使用了公鑰密碼和數字簽名技術?未作算法規定，但推薦使用RSAX.509證書已得到了廣泛地使用X.509認證服務的應用

X.509建議最 在1988年發布，1993年和1995年又分別發布了它的第二和第三個修訂版。X.509目前已經是一個非常重要的標準，因為X.509定義的認證證書結構和認證協議已經被廣泛應用于諸多應用過程。?IPSec(提供了一種網絡層的安全性)?SSL/TLS(security

socket

layer/transport

layer

security，安全套接層，可用來解決傳輸層的安全性問題)?SET(電子商務交易，SET是一種開放的加密安全規范，用于保護Internet上的信用卡交易)?S/MIME(保證電子郵件安全，側重于作為商業和團體使用的標準，而PGP則傾向于為許多用戶提供個人電子郵件的安全性)9/7/202036華中農業大學信息學院公鑰證書的使用9/7/202037華中農業大學信息學院The

X.509

certificate

is

the

heartof

the

standard.

There

are

3

versions,

withsuccessively

more

info

in

the

certificate

-

must

be

v2

if

either

uniqueidentifier

field

exists,

must

be

v3

if

any

extensions

are

used.

These

user

certificates

are

assumed

to

be

created

bysome

trusted

certificationauthority

(CA)

and

placed

in

the

directory

by

the

CA

or

by

the

user.

The

directory

server

itself

is

not

responsible

for

the

creation

of

public

keys

or

for

the

certification

function;

it

merely

provides

an

easily

accessible

location

for

users

to

obtain

certificates.

The

certificate

includes

the

elementsshown.The

standard

uses

the

notation

for

a

certificate

of:

CA<<A>>

where

the

CA

signs

the

certificate

for

user

A

with

its

private

key.X.509證書9/7/202038華中農業大學信息學院由認證中心發放(CA),包括:?

version

(1,

2,

or

3)?

serial

number

(unique

within

CA)

identifying

certificate?

signature

algorithm

identifier?

issuer

X.500

name

(CA)?

period

of

validity

(from

-

to

dates)?

subject

X.500

name

(name

of

owner)?

subject

public-key

info

(algorithm,

parameters,

key)?

issuer

unique

identifier

(v2+)?

subject

unique

identifier

(v2+)?

extension

fields

(v3)?

signature

(of

hash

of

all

fields

in

certificate)符號CA<<A>>表示由CA簽名的A的證書Stallings

Figure

14.4

shows

the

format

of

an

X.509

certificate

and

CRL.X.509證書9/7/202039華中農業大學信息學院

在X.509中，證書機構Y頒發給用戶X的證書表示為：Y<<X>>；Y對信息I進行的簽名表示為Y{I}。這樣一個CA頒發給用戶A的X.509證書可以表示為：CA<<A>>=CA{V,SN,AI,CA,TA,A,Ap

}V: 版本號，

SN：證書序列號，

AI：算法標識，TA：有效期,

Ap

：

A的公開密鑰信息。9/7/202040華中農業大學信息學院X.509證書User

certificates

generated

by

aCA

have

the

characteristics

that

any

user

with

access

to

the

public

key

of

the

CA

can

verifythe

user

public

keythat

was

certified,

and

no

party

other

than

the

certification

authority

can

modify

the

certificate

without

this

beingdetected.

Because

certificates

areunforgeable,

they

can

be

placed

in

adirectorywithout

the

need

for

the

directory

to

make

special

efforts

to

protect

them.獲得一個用戶證書9/7/202041華中農業大學信息學院

任何可以訪問CA的用戶都可以得到一個證書只有CA可以修改證書

由于證書不能偽造，所以證書可以放到一個公共目錄中If

both

parties

use

the

same

CA,

they

knowits

public

key

and

can

verify

others

certificates.

If

not,

then

there

has

to

be

some

means

to

formachain

of

certifications

between

the

CA"s

used

by

the

two

parties,

by

the

use

of

client

and

parent

certificates.

It

is

assumed

that

each

client

trusts

itsparents

certificates.CA層次9/7/202042華中農業大學信息學院如果兩個用戶共享同一個CA,則兩者知道彼此的公鑰否則，CA就要形成層次用證書將層次中的各CA鏈接?每個CA有對客戶的證書(前向)和對父CA的證書(后向)每一個客戶信任所有父證書

層次中的所有其它CA的用戶，可以驗證從一個CA獲得的任何證書Stallings

Figure

14.5

illustrates

the

use

of

an

X.509

hierarchy

to

mutuallyverifyclients

certificates.Track

chains

of

certificates:A

acquires

B

certificate

usingchain:

X<<W>>W<<V>>V<<Y>>Y<<Z>>Z<<B>>B

acquires

A

certificate

usingchain:

Z<<Y>>Y<<V>>V<<W>>W<<X>>X<<A>>CA層次的使用9/7/202043華中農業大學信息學院Acertificate

includesa

period

of

validity.

Typically

a

newcertificate

is

issued

just

before

the

expiration

of

the

old

one.In

addition,

it

may

be

desirable

on

occasion

to

revoke

a

certificate

before

it

expires,

for

one

of

a

rangeof

reasons,

such

as

those

shown

above.To

support

this,

each

CA

must

maintain

alist

consisting

of

all

revoked

but

not

expired

certificates

issued

by

that

CA,

known

as

the

certificaterevocation

list

(CRL).When

a

user

receives

a

certificate

in

a

message,

the

user

must

determine

whether

the

certificate

has

been

revoked,

bychecking

the

directory

CRLeach

timea

certificate

is

received,

this

often

does

not

happen

in

practice.證書的撤銷9/7/202044華中農業大學信息學院1.2.3.證書有效期過期前撤銷，例如:用戶的密鑰被認為不安全了用戶不再信任該CACA證書被認為不安全了CA維護一個證書撤銷列表?

證書撤銷列表，the

Certificate

Revocation

List

(CRL)用戶應該檢查CA的CRLX.509

also

includes

three

alternative

authentication

procedures

that

are

intended

for

use

across

a

variety

of

applications,

used

when

obtainingandusing

certificates.

1-way

for

unidirectional

messages

(like

email),

2-way

for

interactive

sessions

when

timestamps

are

used,

3-way

for

interactivesessions

with

no

need

for

timestamps

(and

hence

synchronised

clocks).

See

Stallings

Figure

14.6

for

details

of

each

of

these

alternatives.認證過程9/7/202045華中農業大學信息學院X.509包括三種可選的認證過程?

單向認證?

雙向認證?

三向認證三種方法都采用公鑰簽名One

way

authenticationinvolvesa

single

transfer

ofinformation

fromone

user

(A)

to

another

(B),

and

establishes

the

details

shownabove.

Notethat

only

the

identity

of

the

initiating

entity

is

verified

in

this

process,

not

thatof

the

responding

entity.

At

aminimum,

the

message

includes

atimestamp,a

nonce,

and

the

identity

of

B

and

is

signed

with

A’s

private

key.

The

message

may

also

include

information

to

be

conveyed,

such

as

asession

key

for

B.單向認證9/7/202046華中農業大學信息學院1消息(A->B)完成單向認證?A的標識和A創建的消息?B所需要的消息?消息的完整性和原創性（不能多次發送）消息必須含有時間戳，臨時交互號和B的標識，并由A簽名也可以包含B所需要的其它信息?例如，會話密鑰單向認證9/7/202047華中農業大學信息學院Two-wayauthentication

thus

permits

both

parties

in

a

communication

to

verify

the

identity

of

the

other,

thus

additionallyestablishing

the

abovedetails.

The

reply

message

includes

the

nonce

from

A,

to

validate

the

reply.

It

also

includes

a

timestamp

and

nonce

generated

by

B,

and

possibleadditional

informationfor

A.雙向認證9/7/202048華中農業大學信息學院2消息如上建立外(A->B,B->A)，還需:?B的標識和B生成的應答消息?A需要的消息?應答的完成性和真實性應答包括從A產生的臨時交互號，也有由

B產生的時戳和臨時交互號還可以包括其它A需要的附加信息雙向認證9/7/202049華中農業大學信息學院Three-Way

Authentication

includes

a

final

message

from

A

to

B,

which

contains

asigned

copy

of

the

nonce,

so

that

timestamps

need

not

bechecked,

for

use

when

synchronized

clocks

are

not

available.三向認證9/7/202050華中農業大學信息學院

3在沒有同步時鐘情況下，消息(A->B,B->A,A->B)可以完成認證從A回到B的相應包含B產生的臨時交互號時戳不必檢查了三向認證9/7/202051華中農業大學信息學院The

X.509

version

2

format

does

not

convey

all

of

the

information

that

recent

design

and

implementation

experience

has

shownto

be

needed.Rather

than

continue

to

add

fields

to

a

fixed

format,

standards

developers

felt

that

a

more

flexible

approach

was

needed.

X.509

version

3

includes

anumberof

optional

extensions

that

may

be

added

to

the

version

2

format.

Each

extension

consists

of

an

extension

identifier,

acriticalityindicator,

and

an

extension

value.

The

criticality

indicator

indicates

whether

an

extension

can

be

safely

ignored

or

not

(in

which

case

if

unknownthe

certificate

is

invalid).X.509

Version

39/7/202052華中農業大學信息學院已經認識到證書中附加信息的重要性?email/URL,策略細節,使用限制增加了一些可選的擴展項證書每一個擴展項都包括:?擴展標識?危險指示（T/F）?擴展值The

certificate

extensions

fall

into

three

main

categories:key

and

policy

information

-

convey

additional

information

about

the

subject

and

issuer

keys,

plus

indicators

of

certificate

policysubject

and

issuer

attributes

-

support

alternative

names,

in

alternative

formats,

fora

certificate

subject

or

certificate

issuer

and

can

conveyadditional

informationabout

the

certificate

subjectcertification

path

constraints

-

allow

constraint

specifications

to

be

included

in

certificates

issued

for

CA’s

by

other

CA’s證書擴展項9/7/202053華中農業大學信息學院密鑰和策略信息?傳達證書主體和發行商密鑰相關的附加信息，以及證書策略的指示信息，如密鑰用途證書主體和發行商屬性?支持可變的名字，以可變的形式表示證書主體或發行商的某些屬性，如公司位置，圖片等。證書路徑約束?允許限制由其它CA發行的證書的使用X.509

is

part

of

the

X.500

series

of

recommendations

that

define

a

directory

service,

being

aserver

or

distributed

setof

servers

that

maintains

adatabase

of

information

about

users.X.509

definesa

framework

for

the

provision

of

authentication

services

by

the

X.500

directory

to

its

users.

The

directory

may

serve

as

arepository

of

public-key

certificates.

In

addition,

X.509

defines

alternative

authentication

protocols

based

on

the

use

of

public-key

certificates.X.509

is

based

on

the

use

of

public-key

cryptography

and

digital

signatures.

The

standard

does

not

dictate

the

use

of

aspecific

algorithm

butrecommends

RSA.The

X.509

certificate

format

is

widelyused,

in

for

example

S/MIME,

IP

Security

and

SSL/TLS

and

SET.§14.5

公鑰基礎設施9/7/202054華中農業大學信息學院

PKI系統是有硬件、軟件、人、策略和程序構成的一整套體系（RFC

2822）

IETF的PKIX工作組在X.509的基礎上，建立一個可以構建網絡認證的基本模型。X.509

is

part

of

the

X.500

series

of

recommendations

that

define

a

directory

service,

being

aserver

or

distributed

setof

servers

that

maintains

adatabase

of

information

about

users.X.509

definesa

framework

for

the

provision

of

authentication

services

by

the

X.500

directory

to

its

users.

The

directory

may

serve

as

arepository

of

public-key

certificates.

In

addition,

X.509

defines

alternative

authentication

protocols

based

on

the

use

of

public-key

certificates.X.509

is

based

on

the

use

of

public-key

cryptography

and

digital

signatures.

The

standard

does

not

dictate

the

use

of

aspecific

algorithm

butrecommends

RSA.The

X.509

certificate

format

is

widelyused,

in

for

example

S/MIME,

IP

Security

and

SSL/TLS

and

SET.§14.5公鑰基礎設施9/7/202055華中農業大學信息學院RFC

2822

(Internet

Security

Glossary)

defines

public-key

infrastructure

(PKI)

as

the

set

of

hardware,

software,

people,

policies,

and

proceduresneeded

to

create,

manage,

store,

distribute,

and

revoke

digital

certificates

based

on

asymmetric

cryptography.

The

IETF

Public

KeyInfrastructure

X.509

(PKIX)

workinggroup

has

setup

a

formal

(and

generic)

model

based

on

X.509

that

is

suitable

for

deployinga

certificate-based

architecture

on

the

Internet.Stallings

Figure

14.7

shows

the

interrelationship

among

the

key

elements

of

the

PKIX

model,

and

lists

the

various

management

functions

needed.Public

Key

Infrastructure，PKI9/7/202056華中農業大學信息學院端實體簽證機構CA注冊機構RA證書撤銷列表發布CRL證書存儲庫RFC

2822