


Bruce Schneier. Applied Cryptography, 2nd edition: protocols, algorithms and source code in C. CONTENTS: Preface; Introduction; Chapter 1, Fundamentals; 1.1 Terminology; 1.2 ...


a oa pe aa. Teopeec ce pao, o eceoc opao coee. popa c op a, coyea ece c epo oc ae KDC, co ycoe oey o o pyoo. o oa e oe acoo yepe, o Mop e opopye eo peaoc ooc, o o oe a aepa, o aa oea peaoc opeye opao oe pecypco, e coe aoy pea Mop.

o o ae poep Ac o eeoy, oy oooc yca ee ooc. Paco a ae ooca eceo ec xopoe cxeo ea oc. Ec pe e o opo e, o oe eoaco eo oop eo ae p ypoe ocya. Ec o cepe , o oe cooa poep a oocopo x-y. Oa TSD PGP (c. pae 24.12.) AT$T (c. Pae 24.18) coy o coco p oep e.

oa oe ae e ao oo poep, oy pae op . Moe oaoc poep, o o pae oy e eoey, o o aa. Ec o-o ocae ay ocaoe cooee o epeoe ee, a oye e o, o opeo cae e, a oo o, o o eoe e, o ec e ep pa.

Error detection during transmission

e oa caac p epeae. o ec poeo, a a cae oe pe c eaaa epacpoaoo poeca. Bce o epeaac c oapyee oo cpaee o. Ta opao o p epeae oy eo oapye , ec opeyec, oe oca ee pa.

O aoee poo coyex eoo ec poae o eoopo ocoo e epeaa epx 2-4 a oo poeca ece c o. oyae eaec o e caoe.

Ec poae oca coaa, o epea e o. Bepooc o axoc aaoe o 1/216 o 1/232.

Error detection during decryption

oa oyae xoe poep, ec eo ope pa o cepoo eppoa. Ec op ec cooe pecae coo o-o oxoee a ASCII, o oe o ac pacpoa poa cooee. Ec op ec cyae, o cyecy pye pe.

Ha oxoo oc pcoeee opoy ecy o poa poepooo oa ecoo aooa. oyae o pacpoae aooo poepe, o o pae. o paoae, o ae Ee ec ycoe opoo eca, o ooae e poaapoa ccey. o ae o eae cpe po c opo o, ax a DES ce coppyee p. Paccae apa ee o pa aoo a poepoy cyy, ae coye y poepoy cyy opee e a o cooe, oopoe epexa oce oo. a poepoa cya a, oo py e e cyae , o pae epe, pae ae, oaae coco. o ee o oe oxoe a eepa e o e paa.

Bo oo coco oye [821]:

(1) Ceepe eop ea (o o coyeoo cooe ).

(2) coye o eop ea eepa ooo oa o: cae, 512.

(3) Xpye peya.

(4) coye e e cpoae x-ae, cae, 32, opoo cy a.

o oe ae Ee ay-o opa, o oe eoy. Ec oa oaec cooa ae 32 a oeoo x-ae cp pyo co, e pec aoo epooo a o ecoo poa xpoae, cpe pyo co caoo a oaec cpee.

Oa e oy poep ax ecx ycoo opoo eca, ae ec oa cyee op o c a ae e cyaoe aee, oa oa e oy o ac pa op ec, a a o ye peopaoa x-ye pee, e oa eo y.

8.5 Using keys

popaoe poae pcoao. e , oa poce pooep paoa o ypa ee eceo popa. Ceo pe Macintosh System 7, Windows NT UNIX. Heooo ca a, oa oepaoa ccea ocao paoay popay poa, ae ce a c pa pe oc ao-o pyo aae. oa oepaoa ccea, aoe, epec poa, o a e poaoc, apa oe oaac eca aao. Oepaoa ccea acaa p o pay poa a c, aca ece c e. , eapoa, ye ea a ce, oa oep e ae o-y y e oac a oepx. o oe cyc epe ecoo y, a oe epe ecoo ece. oo oe oa e cyc, o ce e oe oaac a ce o oe, oa ec c yco poecaec a poo. B popeo, ooa ao cpee, poa oo ycao ocaoo co pope, o a oepa e p e paac. o co pc. ae p o ccea eo ye cyae eaea.

Aapae peaa eoacee. Moe ycpoc poa papaoa a, o oe e aeco poo yoe a. Hapep, ae poa IBM PS/2 a o co coo oy coep pocxey DES, aape a. oeo, B o ep, o po oe aapayp pao peaoa ce eoxoe coca.

P oyaox poe, apep, eeoe paop, oy cooa ceacoe . Ceaco aaec , oop coyec oo ooo ceaca c - eceoo eeooo paoopa - ae yoaec. He cca xpa oce oo, a o cooa.

ec coyee epea a o ooo aoea pyoy eoop pooo oea a, o o e yo xpa epe eo cooae. o aeo cae epooc opoe a a.

Controlling key usage

B eoopx poex oe opeoac opopoa poecc cooa ceacooo a.

Heoop ooae ceacoe y oo poa oo eppoa.

Ceacoe oy papee cooa oo a opeeeo ae oo op e eeoe pe. o oo cxe ypae oo opae y oaec eop opo (Control Vector, CV), eop opo opeee oo a opae eo cooa (c.

pae 24.1) [1025, 1026]. o CV xpyec, a ae eo aoo a oec oepa XOR.

Peya coyec a poa poa ceacooo a. oye ceaco ae xpac ece c CV. occaoe ceacooo a yo xpoa CV o eo aoo a oepa XOR. oye peya coyec eppoa poa o o ceacooo a.

peyeca o cxe o, o a CV oe pooo, o CV cea xpac o po e ece c poa o. Taa cxea e ae peoa ooceo ycooc aapayp oy peoaae ocyce eocpeceoo ocya ooaee a. a cc ea paccapaec e paeax 24.1 24.8.

8.6 Updating keys

pecae cee poa aa epea ax, oopoo xoe e a e. oa eeeoe pacpeeee ox e ec eeo aoo. oee pocoe peee - e eppoa o capoo, aa cxea oa aaec ooee a.

Bce, o yo - o ooapaea y. Ec Aca o coy o pe ey oy y e ooapaey y, o oya oao peya. O oy pa pe yaa ye coa o .

Ooee e paoae, o oe, o eoacoc ooo a opeeec eoacoc c a poo a. Ec Ee yacc aoy cap , oa coe o ooee e caoco eo. Oao, ec capoo a y E e, oa aec o ooe poaoy pay o cpe c cooae oo poeca, ooee e ec xopo cocoo a Ac oa.

8.7 Storing keys

Haeee co p xpae e c poe ooo ooae, Ac, pye a oceyeo cooa. Ta a oa ec ece ecy ooaee c c e, oo oa oeae a . B eoopx cceax coyec poco oxo : xpac o oe Ac oe e. o poe Ac - o o eo c pa, oa e yo apoa pacpoa a.

pepo ao cce ec IPS [881]. ooae oy o o 64-o eocpe ceo, o ec a oee y coy cpoy. B ocee cyae ccea eeppye 64 o o cpoe coo, coy exy epeaa a.

py peee ec xpa e apo c ao ooco, acooo a c cpoeo pocxeo ROM (aaeoo ROM-) eeyao apo [556, 557, 455].

ooae oe ec co ccey, ca ec oce caee ycpoco, cpoeoe eo poae oeoe oepoy epay. Xo ooae oe c ooa , o e ae eo e oe eo copoepoa. O oe cooa eo oo e cocoo oo ex ee, oope opeee eopo opo.

ROM- - o oe ya e. paec o cocoe ocoa, o aoe ec , a oo eo aee, a eo a. pae popaecoy y eoopo eco op e ae xpaee ay aoo a yo oee o.

a exa caoc oee eoaco p pae a a e oo, oa oopx xpac epae, a opa - ROM-e. Ta paoae eoac eeo STU-III paeca CA. oep ROM-a e opoepye popaec - aee o ce coa cae opao.

To e pocxo p oepe epaa. Ceoaeo, opoea ROM-a cce e o poepye popaec key - pay yo aoy oe ac.

, oope pyo ao oo xpa apoa, coy o-o oxoee a poa e. Hapep, ap RSA oe apoa o DES aca a c.

occaoe a RSA ooae ye oe ec DES popay eppoa.

Ec eeppyc eeppoao (c oo popaec eoacoo eepaopa ce o cyax oceoaeoce), oe p oo eo aoaeoc apo ee eeppoa oopo c pa, oa o oaoc.

B eae, oa e oe oaac e poaoo ycpoca eapoao e.

a e e cea oca, o oy yo cpec.

8.8 Backup keys

Aca paoae a acco Secrets, Ltd. - "Ha e - M ee e cae." a pep cya opopa oa cooec c cpy o eoacoc pye ce co ae. eca c, oa, pooppoa cpy o epexoy y, oaa o pyo. o ea peey oa oy?

Ec Aca e ocaa o coeo a, ey pec ecao. Bec cc poa ao - e oooc occao x e a. Ec Aca e a ypo e cooaa oxx poax popa, o ee a poa acea.

oa ec ecoo cocoo ea oo. poce oa aa yco pyee e (c. pae 4.14). O peye, o ce copy aca co a yaax oa x aa y cy eoacoc oa, oop ape x e-y ce ( apye x a o). Teep, o e cyoc c Aco, o yae ee y aaa cy eoacoc. Ee oy o o ae oe xpa coe cee, poo cyae, ec aa cy eoac o c oae o pyo pyo, oy coa e oee.

poea ao cce ypae a o, o o oe ep, o eo aa cy eoacoc e ocoyec y a. o ee cepeee, ce copy o ep, o a a cy eoacoc e ocoyec x a. Cyeceo y peee ec co oae poooa coecoo cooa cepea (c. pae 3.7).

oa Aca eeppye , oa oopeeo e e ecoo ace ae ocae ce a c - apoae, oeo - pa ooc a oa. H oa x ace caa o cee e ec o, o ce ac oo copa ece occao . Teep Aca aea o oyeo, a o - o oep cex ax Ac oce ee oaa o pyo. , oa oe po co xpa pae ac, apoae op a cooecyx oocx oa, a coe eco ce. Ta opao, o e yacye ypae a, oa o e cae eox o .

pya cxea peeppoa [188] coye peeoo ycooo pye e eeya e apo (c. pae 24.13). Aca oe oec , oop ap ee ec c, a ee yay apoy a ee oy, oa oa oee. o oe cooa apoy ocya ec oy cy Ac, o, a a xpac a apoe, o e coe eo ya. poe oo, aa ccea opopyea c oex copo: o oe poep, o opae c Ac, a oa Aca epec, oa coe poep, cooa o pa o , ec a, o coo pa.

B ooo cxee e ya epeaa ax. eoacoo eeoa oe cyecoa oo eee paoopa e oe. xpa ax, a o oaao, ycooe pyee e oe eoxo ee. ep pepo pa e, a o a oye, e y ox. Ec 200 oo eoe ooac popae, ooa acoa pea oepe 40 oo e eeoo. xpa o e o oeo oa y cocea, ooy o oy oep co . Ec o oa oo popaec a, o, oep x, oa e co oac yp cy co paa ae. Tae, a xpa e-o pyo ece o cox ax, e ee cc xpa peepe o ox e poa.

8.9 Compromised keys

Bce pooo, eo aop o eoac oo, ec (ap ccee c op a) ocaec ae. Ec Ac ypae, oep, aeaa aee copo e poa cocoo, o ce ee eoacoc cee.

Ec copoepoa cooac cepo pocce, Ace pec e co aec, o cyc yep ae. Ec o ap , ee poe a o o oe, a a ee op oe xpac a ox cepepax ce. ec Ea oy ocy apoy y Ac, oa coe a ce a ee o ce : a poay oy, oca oppecoe opa, a aee. Ea eceo coe ca Aco.

eo eoxoo, o ece o opoea apoo a cpo pacpocpaoc o ce. Hyo eeeo ec ce a ax opx e o cyec opoea, o eo e oopea eoe e apoa cooee copoepoa o.

Xopoo, ec Aca ae, oa copoepoa ee . Ec pacpeee KDC, o Aca oa coo ey o opoea coeo a. Ec KDC e coyec, o e ceye ec cex oppecoeo, oope oy oya o ee cooe. o-o oe oyoa o a, o oe cooee, oyeoe oce oep a Aco, ec oope, o o e oe oca cooe Ace, coy cooecy op . Peoeyec, o popaoe oece e e cooao ae-y e pee, oa ooae coy opee, ae cooe ao , a ae oope.

Ec Aca e ae oo, oa ee copoepoa, o eo xye. Aca oe axoe oa ac o opaa, a a o oca eco ee eoeo, ypa y ee . Ec ccea ae ay oooc, o o yoo coe oaac o opaa, yepa, o eo copoepoa epe ocae. Bopoc oe pee appo.

o cepea poea oaae, a oaco Ac ca co oc c ece o. ye, o y Ac pae pax poe - oo ae, a oa ep coe apae ece pax ao. pye pee o poe a oep ece epe, opae oooce cooa a, aep pee opa oc.

poeyp peoea aepa e oa, o o yee, o oe ocoeoa. Mo pa - aae , cee ceo aae ape .

8.10 Lifetime of keys

H o poa e cooa ecoeo. Bpe eo ec oo cea aoa ec, opoo acopa e. Bo ecoo p oo:

e oe coyec , e oe epooc eo opoea. aca ep x. pocxo ecace cya. Ec coyee eee oa, o epooc eo opoea opao e, e ec cooa eo oo o e.

e oe coyec , e oe oep p opoea a. Ec coyec oo poa ooo acooo oyea a a-cepepe, o oep a oaae o poea oo oo oyea. Ec o e ca coyec poa ce a coo opa a a-cepepe, o eo oep opao oee papyea.

e oe coyec , e oe coa po eoxoe yc eo cp ae pyo co. Bcpe a, coyeoo eee c ey y oc opaee, oo a cooe, oop oeac opaee, coaa o ee. Bcpe a, coyeoo eee oa ce oeo oao cpyypo, ooo oy eee oa a ce cooe, pypye o ccee o cey py, oea x. B ae pe aoec xoo o ao pa cp ?

Oo aoo ee poo poaa, e oo poeco, poax o e e o.

oo popaecoo poe eoxoa cpae, opeea oycoe pe a. pax e oy pae peea . cce c ycaoee coee, ax a eeo, ee cc cooa oo eee eeooo paoopa, a ooo pa oopa - cooa o .

cce, coyx ceapoae aa c, ce e a oeo. e oo ooceo opooe pe , acoc o aoc ax oeca ax, apoa x eee aaoo epoa. aaa c co copoc epea 1 a ceyy ooo pec e opao ae, e oeoo aaa 9600 /c. Ec cyecye e eo e pea ox e, ceacoe o ec xo eeeo.

poa e a aco e e yo. O coyc peo (peo pa e) oea a. p o poeca poaaa opayec eoo, a y cooecy eo opoo eca e opeeeo op. Oao, ec poa e copoepoa, oeae oep pea : c opa, apoaa a, apoa o poa e. B eoopx poex poa e aec oo pa ec ae pa o. Ba pec a-o ypaoec oacoc, cay c cooae ooo oo e a, oacoc, cay c epeae ooo a.

poa, coyee p poa ao ax eoo xpae, e e aco. a oy xpac a ce apoa eca oa, pee e o oy y coa oaoc. Eeeoe eppoae oopoe poae o o a e o c eoacoc, poco poaa oy oe aepaa pao. Peee oe ocy poae aoo aa ya o oceyee poae e ao o poa e. poa e oe o aoe, o coxpae eoaco e c e, oe e-y cee. oeo e, oep oo a oaae oep cex yax aox e.

Bpe apx e poe popa c op a ac o po e . ape pox oce ea oy cooac oa (ae eee eoeeco ). ape poooo poca oe oy yoe cpay e o ce aepe poooa. ae ec caec, o pe eoacoc a pepo pao eoeeco , aopayee e ay apy e. Bo ox ex ape coyc oo a oa, ae ooae oe oy o ap . Cap , e e eee, oe xp a c cepee a cya, oa ooae ye yo oep oc, ceay o pe ec capoo a. Ho oca ox oyeo oe cooac o . Taa cxea o o ye oeco oyeo, oopoe poaa coe cooa cp.

8.11 Destroying keys

pa o ae, o o peypo ec, cape eoxoo yoa.

Cape e opeeeoe aee, ae ec o oa oe e coyc. C x oo pa coe poa cape cooe, apoae a [65].

o yoac aeo (c. pae 10.9). Ec aca a yae, yay yo papea ce. oyec aece yoe ya, po aoe ee ycpo ca. Aop, ocae o e, aeo pooco cp pyo co, coey o oapo peyey oo e. Ec pa coe pacp a , o oxo eee oye aeo ycopa a co epaox ao-y ocao cpae a 10 eo ac cea ece yco papeax cpa, o oo o apy eco c oapo.

Ec - o pocxea EEPROM, o eoxoo epeca ecoo pa. Ec - o pocxea EPROM PROM, o oa oa cepa opoo paea o ce copo. Ec xpa c a ce oepa, ecee cooecyeo yaca a o epeca ecoo pa (c. pae 10.9) c oe yoe.

Booa poea coco o, o oepe oy eo copoa coxpae o oece ec. o oep, peay ay-o cxey ypae a, ocoo py a e popa a apyae x opao, ycyy poey. Cocoa apapoa aeoe y oee a oepe e cyecye, ocoeo oa poecc yoe opopyec oepao o cceo oepa. Ca oaoe eoxoo cooa ceay popay, oopa a eco ypoe caa a ce o a ae ecoyex oax ae cpaa coo ecye o. He aae ae cpa ce peex ao.

8.12 Public-key management

popa c op a ypoae ypaee a, o y ee ec co cocee p o e. aoo aoea, eaco o ca e ce, ec oo o op . Ec Aca axoe opa oy cooee, e pec e-o a op oa. Oa oe ecoa e co cocoa:

oy o oa.

oy eo epaoao a ax.

oy eo coe o a ax.

B paee 2.5 ocyac ooe coco cp popa c op a, ocoax a oee a oa o Mop. coyec cey ceap: yc Aca xoe oca c o oee oy. Oa opaaec ae ax opx e oyae op oa. Ho o Mop oee oa co coce. (Ec Aca apaae eocpeceo y oa, Mop yceo oe pec epexa oa p epeae.) Aca pye cooee o Mop opae eo oy. Mop epexaae cooee, pacpoae ae eo.

ae pye op o oa opae o aae. H o, Aca o e e oa a c.

Certified public keys

aepe op o, cepao, ec e-o op , oca ac y a oep o. aepee coyc, o oea oa oe a [879].

aepe oa ae ax opx e coco e oo opoo a oa. O coep opa o oe - eo , apec, .. - oca e-o, oy Aca oepe - Tpeo (oo ec a opa cepa, certification authority, CA). oca , cee o oe, Tpe aepe, o opa o oe paa, op pae ey. Aca poepe o c Tpea ae coye op , yec o, o o pae oy oy pyoy. aepee pa ay po o ox poooax c op a, apep, PEM [825] (c. pae 24.10) X.509 [304] (c. pae 24.9).

B ax cceax oae coa poea, e ea poo ooe popa. ao cc poeyp aepe? , ae oop, o oo ee ooo aa cepa ? o yoo oe aep coe oc e yoo op , o oe e ao-o coco o poa eaee cepa: apep, ope copyo oa, aepee CA pyo oa. Oo coaec eoa epea oep : o ae opa aepe ope o e pex aeo, e ceppy CA oa, a CA oa aep ope cox paoo.

Bo ee opoc, a oop co oya :

ao ypoe oep e-o oc oeceae cepa ?

ao aoooe ey eoeo CA, aep eo op , a ooe opaac cepae?

oy oo oep "o ae opao", oa cepaoy eoy ?

Hacoo o oe cepaoa eoa ?

B eae pee, e CA oe cepa oa, oy yo po opeeey poeypy aop a. poe oo, a o copoepoax e ao cooa ae-y e p e e pa cpoa ec cepaa [461].

cooae eo pee eocaoo. oy ca epa aoo o cee x cpoa o -a opoea, o o a-o acpa pa. Ceoaeo, ao, o CA xpa cco epax aepex e, a ooae peypo cepc c cco.

a poea oe e ce ee pya pee.

oy e, oo ap op /ap eocaoo. oeo e, a xopoa pea a popa c op a oa cooa pae poa p o x oce. Taoe paeee papeae pae o paeee yae pae ypo a, cpo ec, poeyp peeppoa, a aee. o-o oe oca cooe 2048-o o, oop xpac a eeyao apoe ecye aa e, a o-o oe co o a poa 768-o , oop xpac oepe ecye ec ece.

Oao, oo ap poa oo oc ae eocaoo. ap oe e poa po eoea ae, a oc, a y e oe ecoo poe. Aca oe xoe oca o oye a o Aca, pyo - a Aca, e-pee Monolith, Inc., a pe - a Aca, aa coe o. Heoope x e e oee aee, e pye, ooy o o ye ae. Ace oe opeoac xpa peepy o coeo paoeo a y copya oea eoacoc, a oa e xoe, o y oa a o a, oop oa ocaa aay. Aca copaec ooac eco popaec a oo ae, a oa coye cy e coeo apaa.

Distributed key management

B eoopx cyax ao coco epaoaoo ypae a paoa e ye. Booo, e cyecye aoo CA, oopoy oep Aca o. Booo, Aca o oep oo co py. Booo, Aca o oy e oep.

Pacpeeeoe ypaee a, coyeoe PGP (c. pae 24.12), peae y poey c oo opyee. opye - o ooae cce, oope oca ope cox p y e. Hapep, oa o coae co op , o epeae o a co py - po y. O a oa, ooy a x ocae oa ae oy o coe oc. Te ep, oa o pee co yoy eoey, Ace, o pee eo ece c oc x yx opyee. Ec Aca ae ae po oepe e, y ee oec pa oep pa oc a oa. Ec Aca ae po a xo eoo oepe , y ee ae oec p a oep paoc a oa. Ec oa e ae po, a y ee e p oep y oa.

Cyc aoe-o pe o coepe oc oeo ca opyee. Ec Aca o paac ox pyax, o c oo epooc Aca ye a ooo opyee oa. peopae oe Mop ooo a py opye oe yepe, pee e oca , o o pae eo oy. Moe , opye opeye epea a p o cpee o eeoy.

Boa oo exaa - ocyc CA, oopoy a oe oep. A opaeo copoo ec ocyce apa oo, o Aca, oya op oa, ae oo-o opyee, , ceoaeo, e apa, o oa oep paoc a.

Chapter 9. Algorithm types and cryptographic modes

Cyecy a ocox a cepx aopo : oe p oooe p. oe p paoa c oa opoo eca poeca - oo o 64 a, o oa ee. o ooe p paoa c o ao ooa opoo eca poeca (oa a e c ooa 32-x co). o p, coy o o e , p poa cea pepaae o o e o opoo eca o o e o poeca. ooo p p a o poa pepaae o o e a opoo eca pae a poeca.

popaec pe oo oee ao p, ay-o opay c p pocx o e pa. Oepa poc, ooy o eoacoc ec ye coyeoo pa, a e pea. o ee oo, pe pa e oe opoepoa eoacoc coyeoo aopa.

Cyecy pye coopae eoacoc : oa cpa cpyypa opoo eca, oe paopoa o pa, oo apyeo aypoae op eco ocpeco oa oo poec, oo ooo poae ecox cooe o o. Bce o ye opoo paccapac ceyx paeax.

py a coopaee ec eoc. o eoc pe e oe co xye coyeoo aopa. B eoopx ocoecax ao, o paep poeca coaa c paepo opoo eca.

Tpe coopaee ec ycooc co. pa poe peyec pacapaea poae eppoae, a py ya oooc o a oo oy peopaoy. B pex ao, o poecc eppoa ye cpa co o ooe p o eca, a ae yco oepe oae o. a ye oaao, pae pe oaa pa ooeca x xapa epc.

9.1 Electronic codebook mode

Pe epoo poao (electronic codebook, ECB) - o aoee oe coco c ooa o p: o opoo eca aeec oo poeca. Ta a o o e o opoo eca aeec o e e oo poeca, o eopeec ooo coa p o ay y oo opoo eca cooecyx poeco. Oao, ec paep oa - 64 a, o ooa a ye coco 2 ace - co oo peapeoo ce xpa e . e aae, aoo a oaoc oea poaa a.

o ca e pe pao. Bce o opoo eca pyc eaco. He eoxooc oceoaeo poa aa, oo apoa caaa 10 oo cepe eca, ae o cee o, aoe, epe. o ao poax ao c poo ocyo, apep, a ax. Ec aa ax apoaa pee ECB, o a ac oe oaea, ya e a, apoaa pacpoaa eaco o o pyo ac ( p yco, o aa ac c o co eoo ca oo poa). poe oo, opaoa oe pacapaeea, ec co y c ecoo poax poeccopo, o oy eaco py o pya poa epp o a pae o.

poeo pea ECB ec o, o ec y poaaa ec op ec poec e cox cooe, o oe aa coca poay y, e a a. B oce pea x cya pae cooe e ee oopc. B pax cooex oy o aoe oe oceoaeoc. cooe, oope ooo epoo oe coac o e po, oe peypa cpyypa. Cooe oy e coy cee ooc coepa e cpo ye poeo.

Ec poaa ae, o o opoo eca "5e081bc5" p poa pepaaec o poeca "7ea593a4," o o oe oeo pacpoa o o poeca, ao- pyo c o oe o e oc. Ec poao cooe oo oopo, oope e ee aa oaooe eco pax cooex, poaa oe oy oo opa. O oe oac cacec cp coye op ec, eaco o c ooo pa.

Ocoeo y aao ooae cooe, e axoc opa o opaee, oyaee ae .. a poea oa aaec caap aooa caap ooa.

ooeo copoo ec oooc poa ecoo cooe o o e c e eoacoc. o cy, a o oo paccapa a oeoe cooee, poaoe e e ca o. p eppoa oe o poece po epaoy epp o a cooecyeo oa opoo eca, o e e a ocao op ec. Oao, ec poeca cyao oep oae, o ec ocey poec ye pacpoa ep a o, ec paa pa oo e coyec aa-y apoa cpyypa.

Padding

oco cooe oo e ec a 64-e ( oo pyoo paepa) o poa, oe oo oaaec yopoe o. ECB peye cooa 64-e o. Cocoo pee o poe ec aa.

oce o ooec (aaec) eoop peyp aoo - y, ea, ep e yc y ea - oye ooo oa. p eoxooc ya ay oce eppoa ae oeco ao a oce a oceeo oa. Hapep, yc paep oa - 64 a, oce o coco 3 ao (24 ). ooe oa o 64 pe y ec ao, oae epe aa ye oce a c co 5. oce eppoa yae ocee 5 ao oceeo pacpoaoo oa. o o eo paoa pao, aoe coo e e oo ooeo. ae ec op ec coep eoe co oo, a pec oa o o o. C pyo copo, oo cooa co oa aa ooae oceeo aa opoo eca oo o co er.

Ha 8- oaa pyo apa, aae oxee poeca [402]. Pn-1 - oce o o opoo eca, a Pn - oce, opo o opoo eca. Cn-1 - oce o o po eca, Cn - oce, opo o poeca. C' - o poeyo peya, e c a c epeaoo poeca.

Fig. 9-1. Ciphertext stealing: encryption and decryption of the last two blocks ($P_{n-1}$, $P_n$ and $C_{n-1}$, $C_n$) with $E_K$ and $D_K$; $C'$ is the intermediate value that is not transmitted.

9.2 Block replay

oee cepeo poeo pea ECB ec o, o pa oe e poae cooe, e a a ae aopa, o oay peoaaeoo oyae. Bepe a poe a paccopea [291].

cpa o poe paccop ccey epea ee, oopa epeo e aa a. o oe aocx oepo, a coacoa pepo cey caap opa cooe epea ee :

o cooecye 8-aoy oy poa. Cooe pyc c oo eoopoo ooo aopa pee ECB.

Mop, oop ocyae c ey aa, ao Ac ao oa, oe co oa y opa ooae. Caaa, o popapye co oep ac cex p o ax cooe aa Ac a oa. ae, o epeo $100 aa Ac a co ce a oa. oe, o oope y oepa ee pa. C oo coeo oepa o poepe acae c o oe, paca apy ex cooe. cooe c e cooe, oop o epeo $100 a co ce. Ec o axo ecoo ap oaox cooe (o oe oxoe a peay ), o eae ee o ee epeo acae peya. B oe oo o coe e cooee, oop poee eo eo epeo.

Teep o oe opa o cooee o aay c, oa axoe. aoe cooee pee a ce a eo ce ae oa ee $100. oa oa aa cep co epeo (ooo oe ), o oapya epeo-ppa, o ec Mop ocaoo ye, o ye ce ay-y aa o y pecyy e ooopa o cpa, pxa c coo e. copee ceo o coye cy ecoo oe $100 poepe oepa cpay ecox ao.

Ha ep a oy eo pece o, oa e pee co cooe.

B ao ccee a ex cooe yy eo oapye. Te e eee, c oo eoa, a aeoo oopo oa, Mop ce e coe ooac. Ha 7- oaao, o Mop oe copa oce oo poeca, cooecyx eo e oepy cea : o c 5 o 12. B o oe yec o oc paccec, e Mop ye oo oooc.

Fig. 9-2. Encryption blocks of a money-transfer record (block numbers 1 to 12), with the fields: Timestamp, Sending bank, Receiving bank, Depositor's name, Depositor's account, Deposit amount.

O epexaae cooe aa Ac a oa aee o c 5 o 12 cooe aa, cooecy eo e oepy cea. ae o ocae eee cooe a oa. Ey e yo a, o opaee ee, ey ae e yo a epeoy cyy (xo o oe ca opaeoe cooee c cooecy yeee coeo cea opee o, cooecye opeee ee cya). O poco ee oep cea a co cocee ce a po c o cox oxoo. ( o, o Mop ao ocopo, o e opoa cooee o c ee, o peoo a yy, o y x cooe pya a o oe p a.) oapye aoo cocoa aa ooo e xa. oa o cep co epeo oe , ce cy coay. Booo, oa aco a e ae, o eo a e acc a ce, oa o-y e opa ae a eoay aa pao co ceo Mop, a e coy ae ax ceo. Mop e y oy pee apoe co ce, e y y Apee.

a oy poa y poey, aco e co , o o oaae oo, o Mop pec ecoa ocpee. Oao, oaee MAC ae pe poey. Hecop a o paccap aea poea yaeaa pea ECB. Mop ya, oop ae o o coey ycope. Peee ec coco, aae ceee.

9.3 Cipher block chaining mode

Ceee oae ooy py exa opao c : peya poa peyx oo a poae eyeo oa. py coa, a o coyec ee poa ceyeo oa. a o poeca ac e oo o pyeoo oa opoo eca, o o cex peyx oo opoo eca.

B pee cee oo pa (cipher block chaining, CBC) epe poae a op e co pey oo poeca oec oepa XOR. Ha 6- (a) oaao poae CBC ec.,oa o opoo eca apoa, oye poec coxpaec pecpe opao c. pee e ye apoa cey o opoo eca, o oepaec oepa XOR ece c coep pecpa opao c. Ta opao coac xoe ae ceyeo aa p o eyp poa. oye poec coa coxpaec pecpe opao c, o oep yc oepa XOR ece co cey oo opoo eca, a o oa cooe. poae aoo oa ac o cex peyx oo.

eppoae ec opao oepae (c. Figure 9.3 (b)). o poeca pacpoaec a oo, o coxpaec pecpe opao c. ae cey o eppyec oepaec oepa XOR ece c coep pecpa opao c. Teep cey o poeca coxpa ec pecpe opao c, a aee, o oa cooe.

Maeaec o cey o pao:

$C_i = E_K(P_i \oplus C_{i-1})$
$P_i = C_{i-1} \oplus D_K(C_i)$

Fig. 9-3. Cipher block chaining mode: (a) CBC encryption, (b) CBC decryption.

Initialization vector

B pee CBC oaoe o opoo eca p poa epexo pae o p o eca oo, ec oac ae-o peecyx oo opoo eca. a ex coo e, oao, yy poac a o o e poec. o ee xye, a oaoo aaxc cooe yy poac oaoo, oa e oc epoe pae.

pa cooe oe oao aooo - ea ca, cpoa "From'' ee o-y. Xo oop oa ye eooe, aoe oaooe aao oe peoca poaay ay y oey opa.

ea oo oo, py aece epoo oa ae-o cyae ae. o o cyax ax aaec eopo aa (initialization vector, IV), apye epeeo a a aee cee. IV e ee aoo ccooo ae, o coyec oo oo, o cea aoe cooee ya. oa oyae pacpoae o o, o coye eo oo aoe pecpa opao c. Xopo IV cy ea pee. coye ae y cyae .

C cooae IV cooe c e op eco p poa epexo cooe c pa poeco. Ceoaeo, oye e coe pep oop oa, apy c coae poao . Xo peoeyec aoo cooe, pyeoo o e e o, pa ya IV, o peoae e ec oae.

IV e oe xpac cepee, o oe epeaac opo ece c poeco. Ec e o aee oey, paccope cey oo. yc ae cooee coco ecox oo : B1, B2,..., Bi. B1 pyec ece c IV. B2 pyec c cooae poeca B1 po IV. B3 pyec c cooae poeca B2 po IV, a aee. a, ec oeco oo - n, o n-1 "eopo aa" op, ae ec epoaa IV xpac cepee. ooy p xpa cepee IV e, IV - o poco o-aya, oo ca eo ye oo cee B0.

Padding

Haa coyec ae, a pee ECB, o eoopx poex paep poec oe ooc coaa c paepo opoo eca. Moe , apoa a oe a o o c o e oe a, o a opoo eca. B o cyae oce opo o pec poa ae. yc oce o coco l o. apoa oce o o, coa apye poec, epe cape l o oe x opooo oa oepa XOR, coaa poec. a poeypa oaaa a 5-.

Fig. 9-4. Encryption of the last, short block in CBC mode: $P_n$ and $C_n$ are $j$ bits long; the leftmost $j$ bits of the encrypted previous block are selected and XORed with $P_n$.

Caoc oo cocoa o, o xo Mop e coe pacp oce o poeca, o o e cceaec e eo, e oee poeca. Ec ocee ecoo o poeca coepa ay opa, o oaco. Ec ocee poco coepa coe o ooo cy, o eo cpaoo.

y cocoo ec oxee poeca (c. 4th) [402]. Pn-1 - oce o o opoo eca, Pn - ae, opo o opoo eca. Cn-1 - oce o o poeca, Cn ae, opo o poeca. C' - o poco poeyo peya, e c a c epeaoo poeca. peyeco oo eoa ec o, o ce opoo eca coo e poxo epe aop poa.

Fig. 9-5. Ciphertext stealing in CBC mode.

Error propagation

Pe CBC xapaepyec po opao c poeca p poa epco opa o c poeca p eppoa. p o poe o ye opoc c oa.

Ecea oa oa oe opoo eca oe a a o poeca ce oc e ye o poeca. o e ao, ooy o eppoae eppye o e, occao e op ec ye coepa y e ecey oy.

ae cpeac o poeca. O eo oc -a ya epea coe yc poc xpae. B pee CBC oa ooo a poeca e a o o o occao eoo opoo eca. o, cooecy coepaey oy oy poeca, caaec o o c. B ceye oe caaec ece , axoc o e o, o oo .

o coco pepae ao o poeca oy oy opoo eca aaec pacpocpaee o. o ec a eocao. a oa e e a o, pacooe e epe o o copeoo aee, ooy pe CBC ec caooccaaac. Oa e a a oa, o ccea pooae paoa pao cex oceyx oo. CBC peca e coo pep ooo pa, coyeoo caocxpopyec aepe, o oo a ooo ypoe.

Xo pe CBC cpo occaaaec o ooo co, o acoo e yco oa cxp o a. Ec ooe poeca epec oaec , o ooee cex oceyx oo cac a o , a xoe eppoa ye coo ycop. a poccea, co ya pe CBC oa oecea eococ oo cpyyp o p oo apo, o c o xpa ae cpyyp ecox oo.

Security problems

P oox poe oycaac cpyypo CBC. Bo epx, a a o poeca ocao o poco e a cey o, Mop oe ao oa o oy apoaoo coo e . oeo, p eppoa o pepac eyxy, o eoopx cyax o eeaeo.

p cooa CBC o cpyyppoa a op ec a, o a, e axo c o cooe, o oapy oaee x oo.

Bo opx, Mop oe e o poeca, ee opeee opao o pac poaoo opoo eca. Hapep, ec Mop e o poeca, ec o ye pac poa epao, a ceye oe cooecye o ye epa . Boo c ya, oa o eeaeo. Opoe cooe oo oaa eoopo ooc cpec a ea.

Haoe, xo cpyypa opoo eca acpyec ceee, cpyypa oe x cooe ce m/ pao ye aea. apaoc poe pecaae, o oce 2 oo, e m - paep oa, o c oaoe o. 64-ooo oa a aoo cooe pepo pa 32 aa. o oa poea oae oo cooe eaeoo paepa.

9.4 Stream ciphers

oooe p peopay op ec poec o ooy y a oepa. pocea peaa ooooo pa oaaa a 3-. eepaop ooa e (oa aae eepaopo c ey o) ae oo o: k1, k2, k3,..., ki. o oo e (oa aae ey o) oo o opoo eca, p1, p2, p3,..., pi, oepac oepa "caee ", p e yae oyaec oo o poeca.

$c_i = p_i \oplus k_i$

When decrypting, the ciphertext bits are XORed with the same keystream bits to recover the plaintext bits.

$p_i = c_i \oplus k_i$

Since $p_i \oplus k_i \oplus k_i = p_i$, this works correctly.

eoacoc cce ooc ac o coc eepaopa ooa e. Ec eepaop ooa e ae ecoey cpoy ye, poec ye coaa c op eco, ce oepa ye ecccea. Ec eepaop ooa e eae oopc 16-o ao, aop y e c poc XOR c peepeo ao eoacoc (c. pae 1.4). Ec eepaop ooa e eae ecoe oo cyax (o acoey, a e ceocyax - c. pae 2.8) o, oyaee oopao oo eay eoacoc.

Ha ee eoacoc ooooo pa axoc e-o ey poc XOR oopao ooo.

eepaop ooa e coae o oo, oop oxo a cya, o eceoc ee p poa oe eooo ocpoee p eppoa. e e xo eepaopa o oa e cyaoy, e oe pee opeyec poaay, o oa p.

Fig. 9-6. Stream cipher: a keystream generator produces the keystream $K_i$; the plaintext $P_i$ is combined with it to give the ciphertext $C_i$, and decryption is the mirror image.

However, if the keystream generator produces the same stream of bits every time it is switched on, breaking a cryptosystem that uses it is not hard. The following example shows why.

Ec Ee oa poec cooecy op ec, o oa, o oepa XOR a o p eco poeco, pacpae oo e. , ec y ee ec a pax poeca, apoax oao o, oa oe o a oepa XOR, oya a opx eca cooe, a oop oea oepa XOR. o epyo oa, ae oa oe o y oo e, o oepa XOR a o opx eco poeco.

Teep, epexa oe pyoe poaoe cooee, oa coe pacpoa eo, coy o y e oo e. poe oo, oa oe pacpoa poa oe paee epexaex coo e. oa Ea oy apy op ec/poec, oa coe a ce.

ooy cex ooox po coyc . Bxo eepaopa ooa e ec y e a. Teep, ec Ea oy apy op ec/poec, oa coe a oo e cooe , oope apoa e e o. ee , poy pec aa ce caaa. oo oe p ocoeo oe poa ecoex ooo oyaooo paa, ap ep, aaa T1, caeo a oepa.

eepaop ooa e coco pex ocox ace (c. 2nd). Bypeee cocoe ocae ey ee cocoe eepaopa ooa e. a eepaopa ooa e, c oao o oao ype cocoe, a oaoe oo e. y xoa o ypeey coco e e ppye ooa e. y ceyeo coco o ypeey coco eeppye ooe y peee cocoe.

Fig. 9-7. Structure of a keystream generator: an internal state, a next-state function and an output function; the key $K$ goes in, the keystream $K_i$ comes out.

9.5 Self-synchronizing stream ciphers

B caocxpopyxc ooox pax a ooa e ec ye cp o aoo ca peyx o poeca [1378]. Boee aa o p aoo poe ca (ciphertext auto key, CTAK). Ocoa e a aaeoaa 1946 [667].

Caocxpopyc ooo p oaa a 1-. Bypeee cocoe ec ye p e yx n o poeca. popaec coo ec xoa y, oopa coye ypeee cocoe eepa a ooa e.

Fig. 9-8. Self-synchronizing keystream generator: the internal state feeds an output function keyed by $K$; $P_i$ is encrypted to $C_i$, and the receiver recovers $P_i$ from the same structure.

Ta a ypeee cocoe ooc ac o peyx n poeca, eppy eepa op ooa e aoaec cxpopyec c py eepaopo ooa e, p n o poeca.

B eeyax peaax oo pea aoe cooee aaec cya aooo o n o. o aooo pyec, epeaec ae pacpoaec. Pacpoa ye epa o, o oce x n o oa eepaopa ooa e yy cxpopoa.

Cao copoo caocxpopyeoc ooooo pa ec pacpocpaee o. a oo a poeca, copeoo p epeae, eppy eepaop ooa e ae n e pax o ooa e. Ceoaeo, aoy epaoy y poeca cooecy n oo opo ece, oa cope e epecae a ypeee cocoe.

Security problems

Caocxpopyec oooe p ae yce cp oopo epeae. Ca aa Mop acae ecoo o poeca. ae, oee, o cae y ac ey pa. oce a eoopo eyx, oa paa copoa cxpopyec c caeo ac, cap poec ye pacpoa a opa. pae copo e cocoa ya, o o yee ae c oopo epeaaeo ac. Ec e coyc e pee, Mop oe ye a coa coa ac e a eo ce, oopo epeaa oo o e cooee (oeo, p yco, o e ec ). pye cae eca o cxe oy ca ae p oe aco epecxpoa [408].

9.6 Cipher-feedback mode

o py o p ae oe peaoa a caocxpopyc ooo p, ao p e aaec peo opao c o py (cipher-feedback, CFB). B pee CBC poae e o o aac, oa e oye e o ax. o coae poe eoopx ceex poe.

Hapep, eoaco ceeo cpee epa oe e oooc epeaa aoy oepy a co cpay, a oo o ee. Ec ae yo opaaa aa, pe CBC ae e paoae.

B pee CFB ea apoax ax oe ee paepa oa. B ceye pepe a pa pyec oo o co ASCII (o aaec 8-o poae ), o ce 8 e eo oeoo. B oee poa ae o ooy y c oo 1-ooo CFB, xo coo ae eceoo a ooo poa o po opeye oo pecypco, ooo p o cyae ee oye. (eee oeca o ooo pa oe copoc e peoeyec [1269].) Moo ae cooa 64-o CFB, o n-o CFB, e n oe pao paepy oa.

Ha 0- oaa 8-o pe CFB, paoa c 64-o aopo. o aop pee CFB paoae c oepe, paep oopo pae paepy coyeoo oa. Caaa oepe aoea IV, a pee CBC. Oepe pyec pax ex oc o peyaa oec XOR c ep 8-o coo opoo eca oye epoo 8-ooo coa poeca. T e ep o co epeaec. Te e oce o ae epeac a eco pax pax oc o oepe, a pa e a caoc ceye oce o. pae oce ex o opa caec. Cey co opoo eca pyec e e cocoo. eppoae ec opa poecco. pye, eppye copoo o aop coyec pee p o a.

Ec paep oa aopa - n, o -o CFB cey opao (c. -1-):

$C_i = P_i \oplus E_K(C_{i-1})$
$P_i = C_i \oplus E_K(C_{i-1})$

Fig. 9-9. 8-bit cipher-feedback mode: (a) encryption, (b) decryption. A shift register feeds the encryption function; its leftmost byte $k_i$ is XORed with $p_i$ to give $c_i$, which is shifted back into the register.

Fig. 9-10. n-bit CFB with an n-bit algorithm.

a pe CBC, pe CFB cae ece co opoo eca a, o poec ac o ceo peecyeo opoo eca.

Initialization vector

aa poecca CFB aece xooo oa aopa oe cooac eop aa IV. a pee CBC IV e yo xpa cepee.

Oao IV oe ya. (B oe o pea CBC, e IV e oa ya, xo o eaeo.) Ec IV pee CFB e yae, poaa oe pacp cooecy o p ec. IV oe ec aoo cooe. o oe oceoae oep, ye ac aoo ooo cooe e oopc eee pee a. Ec ae pyc c e oceyeo xpae, IV oe ye eca, coyeoo oca a x.

Error propagation

B pee CFB oa opo ece e a ec ocey poec, o caoycpaec p eppoa. opao epecee oa poece. ep eo co a poeca ec co ooo a opoo eca. ae oa oaae co pecp, oa co e e pecpa, ye oppoac epa poec. B 8-oo pee CFB -a co eceoo a opc 9 ao pacpoaoo opoo eca. oo ccea occaaaec, ec ocey poec pacpoaec pao. B oe cya n-oo pee CFB oa oa poeca e a eppoae eyeo ceyx m/n-1 oo, e m - paep oa.

oee oo poeo, cao c aoo poa pacpocpaee o, ec o, o ec Mop ae op ec cooe, o oe opa a aoo oa, aca x pacpoac ye ey ae. Ceyu o p eppoa pepac eyxy, o pe ye ye pe.

oy e, o oe, ocaac eoapye, e ocee cooe.

CFB caooccaaaec oce oo cxpoa. Oa oaae co pecp , oa oa axoc a, op 8 ao ax. CFB pecae coo pep ooo pa, oop oo cooa a caocxpopyc ooo p (a ypoe oo ).

9.7 Synchronous stream ciphers

B cxpoo oooo pe oo e eeppyec eaco o ooa cooe. Boee aa o p e aoo (Key Auto-Key, KAK). p poa eepaop ooa e o a py ae ooa e. p eppoa pyo eepaop ooa e o a py ae ee ooa e. o paoae, ec oa eepaopa cxpopoa. Ec o x poycae o o, ec poeca epec p epeae, o oce o a co poeca ye pacpoa epao.

Ec aoe cyaec, opae oyae o oopo cxpopoa co eepaop o o a e pee, e oo ye poo paoy. o ee xye, o o o cxpoa a, o oa ac ooa e e a oopea, ooy oeoe peee epeec eepaop oee paee cocoe e paoae.

ooea copoa cxpox po - o ocyce pacpocpae oo. Ec p epeae e coe aee, o aoo epoee eo oep, o oo cope ye epoa epao. Bce peecye oceye e ec.

eepaop oe aa o o e oo e poa, eppoa, ce o aeo, xo eepaopa oe peopeee. Ec o peayec a oeo aoae (.e., o epe), oceoaeoc co peee oopc. Tae eepaop ooa e aac epo ec. a cee oopaox ooo ce eepaop ooa e c epoec.

eepaop ooa e oe oaa epoo, aoo oee , e oeco o, aaex ey ceo e. Ec epo ee, e paep opoo eca, o pae ac opoo eca yy apoa oao opao, o co ocae eoacoc cce. Ec poaay eca ac opoo eca, o oe pacp ac ooa e cooa ee aeeo pacp opoo eca. ae ec y aaa ec oo poec, o oe o XOR a paea, poa oao ooo e, oy XOR cooecyx yaco opoo eca. p o coye aop pepaaec poco aop XOR c oe o.

opea a epoa ac o poe. eepaop ooa e, py epep aa T1, ye poa 2? e. epo eepaopa oe a ecoo opo oe oo ae, ae ec eec eeeo. Ec epo ee ocaoy y, oo ye e pa ee ae pa ec.

Cxpoe oooe p ae peoxpa o x cao yae poeca, a a o po oepe cxpoa yy eeeo oapye. Oao, o e aa ooc o ox coe. a p oox pax pee CFB, Mop oe e oee ooa.

Ec ey ece op ec, o oe e a, o eppoac a, a ey ao. aee p eppoa pepac eyxy (oa ccea e occaoc), o opeeex poex Mop oe pec ae yep.

Insertion Attack
Synchronous stream ciphers are vulnerable to an insertion attack [93]. Mallory has recorded a ciphertext stream, but does not know the plaintext or the keystream used to encrypt the plaintext:

Original plaintext:    p1  p2  p3  p4  ...
Original keystream:    k1  k2  k3  k4  ...
Original ciphertext:   c1  c2  c3  c4  ...

Mallory inserts a single known bit, p', into the plaintext after p1 and then manages to get the modified plaintext encrypted with the same keystream. She records the resulting new ciphertext:

New plaintext:         p1  p'  p2  p3  p4  ...
Original keystream:    k1  k2  k3  k4  k5  ...
Updated ciphertext:    c1  c'2 c'3 c'4 c'5 ...

Knowing the value of p', she can determine the entire plaintext after that bit from the original and the updated ciphertext:

k2 = c'2 XOR p',  and then  p2 = c2 XOR k2
k3 = c'3 XOR p2,  and then  p3 = c3 XOR k3
k4 = c'4 XOR p3,  and then  p4 = c4 XOR k4

Mallory does not even have to know the exact position at which the bit was inserted; she can simply compare the original and updated ciphertexts to see where they begin to differ. To protect against this attack, never use the same keystream to encrypt two different messages.
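The attack above, worked in code as an added example that is not from the book. The stream cipher is byte-wise rather than bit-wise, and the keystream generator is a stand-in (SHA-256 in counter mode under a fixed key); any generator that is reused unchanged for the second message behaves identically. The block also shows the keystream-reuse leak from Section 9.7: the XOR of two ciphertexts under the same keystream is the XOR of the two plaintexts, so one known plaintext reveals the other. The key, messages and inserted byte are constructed for the example.

```python
"""Insertion attack on a synchronous (additive) stream cipher.

Added example; not from the book. The keystream generator below is a
stand-in (SHA-256 in counter mode under a fixed key). The attack only needs
the SAME keystream to be applied to both messages.
"""
import hashlib


def keystream(key: bytes, nbytes: int) -> bytes:
    """Deterministic stand-in keystream: SHA-256(key || counter) blocks."""
    out, ctr = bytearray(), 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:nbytes])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Synchronous stream cipher: c_i = p_i XOR k_i, byte by byte."""
    return xor(plaintext, keystream(key, len(plaintext)))


def insertion_attack(c_orig: bytes, c_new: bytes, inserted: int) -> tuple:
    """Mallory's side of the attack.

    c_orig:   ciphertext of p1 p2 p3 ...
    c_new:    ciphertext of p1 ... pj p' p(j+1) ... under the SAME keystream
    inserted: the known inserted byte p'
    Returns (j, plaintext from p(j+1) onward), where j is the number of
    leading bytes on which the two ciphertexts agree.
    """
    # Mallory need not know where p' went in: the ciphertexts agree up to the
    # insertion point and differ from there on. (If p' happens to equal the
    # byte it was inserted before, j is simply one larger; the recovery below
    # is still correct, because the two insertions produce the same message.)
    j = 0
    while j < len(c_orig) and c_orig[j] == c_new[j]:
        j += 1
    recovered, p_prev = bytearray(), inserted
    for i in range(j, len(c_orig)):
        k = c_new[i] ^ p_prev      # k_i = c'_i XOR (plaintext byte one slot earlier)
        p = c_orig[i] ^ k          # p_i = c_i XOR k_i
        recovered.append(p)
        p_prev = p
    return j, bytes(recovered)


def two_time_pad(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Keystream reuse: c1 XOR c2 = p1 XOR p2, so a known p1 yields p2."""
    return xor(xor(c1, c2), known_p1)


def demo() -> tuple:
    key = b"constructed-demo-key"                 # constructed
    p = b"PAY 100 TO ALICE"                       # constructed original message
    j, p_prime = 4, ord("X")
    c_orig = encrypt(key, p)
    # Mallory gets "PAY X100 TO ALICE" encrypted under the same keystream.
    c_new = encrypt(key, p[:j] + bytes([p_prime]) + p[j:])
    pos, tail = insertion_attack(c_orig, c_new, p_prime)
    # Same keystream used for a second message; the first is known to Mallory.
    c_other = encrypt(key, b"PAY 999 TO BOB!!")
    leaked = two_time_pad(c_orig, c_other, p)
    return pos, tail, leaked


if __name__ == "__main__":
    print(demo())
```

The defence is exactly the sentence that closes the section: the second encryption must use a fresh keystream (a new key or a new IV), after which the two ciphertexts share nothing and neither function above recovers anything.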

9.8 Output-Feedback Mode
Output-feedback (OFB) mode is a method of running a block cipher as a synchronous stream cipher. It is similar to CFB mode, except that the n bits of the previous output block are moved into the rightmost positions of the queue (see Figure 9-11). Decryption is the reverse of this process. This is called n-bit OFB. On both the encryption and decryption sides the block algorithm is used in its encryption direction. This is sometimes called internal feedback, because the feedback mechanism is independent of both the plaintext and the ciphertext streams [291]. If n is the block size of the algorithm, then n-bit OFB looks like this (see Figure 9-12):

$C_i = P_i \oplus S_i;\quad S_i = E_K(S_{i-1})$
$P_i = C_i \oplus S_i;\quad S_i = E_K(S_{i-1})$

$S_i$ is the state, which is independent of both the plaintext and the ciphertext. One nice feature of OFB mode is that most of the work can be done offline, before the plaintext message even exists. When the message finally arrives, it can be XORed with the output of the algorithm to produce the ciphertext.

Figure 9-11. 8-bit OFB mode.

Initialization Vector
The OFB shift register must also be loaded initially with an IV. It should be unique, but it does not have to be secret.

Error Propagation
OFB mode has no error extension. A single-bit error in the ciphertext causes a single-bit error in the recovered plaintext. This can be useful in some digitized analog transmissions, such as digitized voice or video, where an occasional single-bit error can be tolerated but error extension cannot.

On the other hand, a loss of synchronization is fatal. If the shift registers on the encryption and decryption ends are not identical, the recovered plaintext is gibberish. Any system that uses OFB mode must have a mechanism for detecting a loss of synchronization and a mechanism for filling both shift registers with a new (or the same) IV to regain synchronization.

Figure 9-12. n-bit OFB with an n-bit algorithm.

OFB and Security Problems
An analysis of OFB mode [588, 430, 431, 789] shows that OFB should be used only when the feedback size is the same as the block size. For example, a 64-bit algorithm should only be used in 64-bit OFB mode. Even though the U.S. government authorizes other feedback sizes for DES [1143], avoid them.

OFB mode XORs a keystream with the text. This keystream will eventually repeat.

It is important that it does not repeat under the same key; otherwise there is no security. When the feedback size equals the block size, the block cipher acts as a permutation of m-bit values (where m is the block size) and the average cycle length is 2^m - 1. For a 64-bit block length this is a very long number. When the feedback size n is less than the block length, the average cycle length drops to around 2^(m/2). For a 64-bit block cipher this is only 2^32, which is not long enough.

Stream Ciphers in OFB Mode
A stream cipher can also run in OFB mode. In this case the key affects the next-state function (see Figure 9-13). The output function does not depend on the key; very often it is something simple, such as a single bit of the internal state or the XOR of several bits of the internal state. The cryptographic complexity lies in the next-state function, which is key-dependent. This method is also called internal feedback [291], because the feedback mechanism is internal to the key-generation algorithm.

Figure 9-13. Keystream generator in output-feedback mode.

In a variant of this mode, the key determines only the initial state of the keystream generator.

Once the key has set the internal state of the generator, the generator runs undisturbed from then on.

9.9 Counter Mode
Block ciphers in counter mode use sequence numbers as the input to the algorithm [824, 498, 715]. Instead of using the output of the encryption algorithm to fill the register, the input to the register is a counter. After each block encryption the counter is incremented by some constant, typically one. The synchronization and error-propagation characteristics of this mode are identical to those of OFB. Counter mode solves the n-bit OFB problem for n less than the block length.

Nothing requires the counter to be an ordinary counter; it does not have to step through all possible values in order. You can use any of the random-sequence generators of Chapters 16 and 17, whether cryptographically secure or not, as the input to the block algorithm.

Stream Ciphers in Counter Mode
Stream ciphers in counter mode have simple next-state functions and complicated, key-dependent output functions. This technique, shown in Figure 9-14, was proposed in [498, 715]. The next-state function can be something as simple as a counter that adds one to the previous state.

Figure 9-14. Keystream generator in counter mode.

With a counter-mode stream cipher it is possible to generate the i-th key bit, k_i, without first generating all the preceding key bits: simply set the counter to the i-th internal state and generate the bit. This is useful for protecting random-access data files, because a specific block of data can be decrypted without decrypting the entire file.

9.10 Other Block-Cipher Modes
Block Chaining Mode
To use a block algorithm in block chaining (BC) mode, simply XOR the input to the block cipher with the XOR of all previous ciphertext blocks. As with CBC, an IV starts the process. Mathematically:

$C_i = E_K(P_i \oplus F_i);\quad F_{i+1} = F_i \oplus C_i$

$P_i = F_i \oplus D_K(C_i);\quad F_{i+1} = F_i \oplus C_i$

with $F_1 = IV$. Like CBC, BC's feedback process extends errors in the plaintext. The major problem with BC is that, because the decryption of a ciphertext block depends on all previous ciphertext blocks, a single error in the ciphertext results in the incorrect decryption of every subsequent ciphertext block.

Propagating Cipher Block Chaining Mode
Propagating cipher block chaining (PCBC) mode [1080] is like CBC mode, except that both the previous plaintext block and the previous ciphertext block are XORed with the current plaintext block before encryption (or after decryption) (see Figure 9-15):

$C_i = E_K(P_i \oplus C_{i-1} \oplus P_{i-1});\quad P_i = C_{i-1} \oplus P_{i-1} \oplus D_K(C_i)$

PCBC is used in Kerberos version 4 (see Section 24.5) to perform encryption and integrity checking in one pass. In PCBC mode an error in the ciphertext results in the incorrect decryption of all following blocks, so checking a standard block at the end of a message appears to guarantee the integrity of the whole message.

Figure 9-15. Propagating cipher block chaining mode.

Unfortunately there is a problem with this mode [875]. Swapping two ciphertext blocks results in the incorrect decryption of the two corresponding plaintext blocks, but because of the nature of the XOR with the plaintext and the ciphertext, the errors cancel out from the next block on. So if the integrity check looks only at the last few blocks of the decrypted plaintext, it can be fooled into accepting a partially garbled message. Although no one has figured out how to exploit this weakness, Kerberos version 5 switched to CBC mode after the flaw was discovered.
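The error-propagation behaviour described for CFB (Section 9.6) and OFB (Section 9.8), and the PCBC block-swap cancellation just described, worked in code as an added example that is not from the book. The block cipher is a toy 64-bit, four-round Feistel network with a SHA-256 round function, chosen only so the modes can be exercised without an external library; it is not a real cipher, and the key, IV and message are constructed. PCBC's treatment of the first block (C_0 = IV, P_0 = 0) is a convention chosen for this example. Each demo function returns the positions that decrypt wrongly, so the propagation pattern can be checked rather than eyeballed.

```python
"""Error propagation in 8-bit CFB and 64-bit OFB, and the PCBC block-swap flaw.

Added example, not from the book. block_encrypt/block_decrypt form a toy
64-bit Feistel cipher (4 rounds, SHA-256 round function) used only to drive
the modes; do not use it to protect anything.
"""
import hashlib


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, r, rnd))
    return r + l


def block_decrypt(key: bytes, block: bytes) -> bytes:
    r, l = block[:4], block[4:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, l, rnd)), l
    return l + r


def cfb8(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """8-bit CFB: output byte = input byte XOR leftmost byte of E_K(register);
    the register then shifts left one byte and the CIPHERTEXT byte enters."""
    reg, out = bytearray(iv), bytearray()
    for x in data:
        y = x ^ block_encrypt(key, bytes(reg))[0]
        out.append(y)
        reg = reg[1:] + bytes([x if decrypt else y])
    return bytes(out)


def ofb(key: bytes, iv: bytes, data: bytes) -> bytes:
    """64-bit OFB: S_i = E_K(S_{i-1}) never depends on the data, so
    encryption and decryption are the same operation."""
    s, out = iv, bytearray()
    for i in range(0, len(data), 8):
        s = block_encrypt(key, s)
        out += xor(data[i:i + 8], s)
    return bytes(out)


def pcbc(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """PCBC: C_i = E_K(P_i XOR C_{i-1} XOR P_{i-1}); C_0 = IV, P_0 = 0 here."""
    prev_p, prev_c, out = bytes(8), iv, bytearray()
    for i in range(0, len(data), 8):
        x, feed = data[i:i + 8], xor(prev_c, prev_p)
        if decrypt:
            p, c = xor(block_decrypt(key, x), feed), x
        else:
            p, c = x, block_encrypt(key, xor(x, feed))
        out += p if decrypt else c
        prev_p, prev_c = p, c
    return bytes(out)


def damaged_positions(expected: bytes, got: bytes) -> list:
    return [i for i, (e, g) in enumerate(zip(expected, got)) if e != g]


def flip_bit(data: bytes, index: int) -> bytes:
    d = bytearray(data)
    d[index] ^= 0x01
    return bytes(d)


# Constructed demo inputs: 48-byte message = 6 blocks.
KEY, IV = b"demo-key", b"\x01\x02\x03\x04\x05\x06\x07\x08"
PT = b"The quick brown fox jumps over the lazy dog 1234"


def cfb_bit_error() -> list:
    """Flip one ciphertext bit: that byte plus the next 8 (one block) go wrong."""
    ct = cfb8(KEY, IV, PT)
    return damaged_positions(PT, cfb8(KEY, IV, flip_bit(ct, 10), decrypt=True))


def ofb_bit_error() -> list:
    """Same flip under OFB: exactly one plaintext byte (one bit) is wrong."""
    ct = ofb(KEY, IV, PT)
    return damaged_positions(PT, ofb(KEY, IV, flip_bit(ct, 10)))


def cfb_lost_byte() -> list:
    """Byte 10 lost in transit: one block of garbage, then CFB resynchronizes."""
    ct = cfb8(KEY, IV, PT)
    got = cfb8(KEY, IV, ct[:10] + ct[11:], decrypt=True)
    return damaged_positions(PT[:10] + PT[11:], got)


def ofb_lost_byte() -> list:
    """Same loss under OFB: the keystream stays misaligned to the end."""
    ct = ofb(KEY, IV, PT)
    return damaged_positions(PT[:10] + PT[11:], ofb(KEY, IV, ct[:10] + ct[11:]))


def pcbc_swap_blocks() -> list:
    """Swap ciphertext blocks 1 and 2: those two decrypt wrong, the errors
    cancel, and every later block (including a trailing check block) is clean."""
    ct = pcbc(KEY, IV, PT)
    swapped = ct[:8] + ct[16:24] + ct[8:16] + ct[24:]
    got = pcbc(KEY, IV, swapped, decrypt=True)
    return [b for b in range(len(PT) // 8) if PT[b * 8:(b + 1) * 8] != got[b * 8:(b + 1) * 8]]
```

Run the five demo functions and compare against Table 9-1: CFB reports bytes 10 through 18 damaged (the corrupted byte stays in the 8-byte register for eight more decryptions), OFB reports only byte 10, the lost-byte case shows CFB clean again after eight bytes while OFB never recovers, and the PCBC swap leaves only blocks 1 and 2 wrong even though block 5 would be the one an integrity check inspects.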

Cipher Block Chaining with Checksum
Cipher block chaining with checksum (CBCC) is a CBC variant [1618]. Keep a running XOR of all the plaintext blocks encrypted so far, and XOR it into the last plaintext block before encrypting it. CBCC ensures that any change to any ciphertext block changes the decrypted output of the last block. If the last block contains some sort of integrity check or a constant, the integrity of the decrypted plaintext can be verified with very little extra overhead.

Output Feedback with a Nonlinear Function
Output feedback with a nonlinear function (OFBNLF) [777] is a variant of both OFB and ECB in which the key changes with every block:

$C_i = E_{K_i}(P_i);\quad K_i = E_K(K_{i-1})$

$P_i = D_{K_i}(C_i);\quad K_i = E_K(K_{i-1})$

A single-bit error in the ciphertext propagates to only one block of plaintext. However, if a bit is lost or added, the error extends indefinitely. With a block algorithm that has a complicated key schedule, such as DES, this mode is slow. I know of no cryptanalysis of this mode.

More Modes
Other modes are possible, although they are not widely used. Plaintext block chaining (PBC) is like CBC except that the previous plaintext block, rather than the previous ciphertext block, is XORed with the current plaintext block. Plaintext feedback (PFB) is like CFB except that the plaintext, not the ciphertext, is used for feedback. There is also cipher block chaining of plaintext difference (CBCPD). I am sure there are even more.

If a cryptanalyst has a brute-force machine, he can recover the key if he can guess one of the plaintext blocks. Some of these stranger modes amount to a light pre-encryption applied before the real encryption algorithm: for example, XORing the text with a fixed secret string, or permuting the text. Almost anything nonstandard will frustrate this kind of cryptanalysis.

9.11 Choosing a Cipher Mode
If simplicity and speed are your main concerns, ECB is the simplest and fastest way to use a block cipher. Besides being the simplest, it is also the weakest: an ECB-mode algorithm is the easiest to cryptanalyze. I do not recommend ECB for encrypting messages.

ECB is good for encrypting random data, such as other keys. Since the data are short and random, none of ECB's shortcomings matter for this application.

For ordinary plaintext, use CBC, CFB or OFB. Which mode you choose depends on your specific requirements. Table 9-1 summarizes the security and efficiency of the various modes.

CBC is generally best for encrypting files. The increase in security is significant, and while there are sometimes bit errors in stored data, there are almost never synchronization errors. If your application is software-based, CBC is almost always the best choice.

Table 9-1. Summary of block cipher modes

ECB:

Security:
- Plaintext patterns are not concealed.
- Input to the block cipher is not randomized; it is the same as the plaintext.
+ More than one message can be encrypted with the same key.
- Plaintext is easy to manipulate; blocks can be removed, repeated, or interchanged.

Efficiency:
+ Speed is the same as the block cipher.
- Ciphertext is up to one block longer than the plaintext, due to padding.
- No preprocessing is possible.
+ Processing is parallelizable.

Fault-tolerance:
- A ciphertext error affects one full block of plaintext.
- Synchronization error is unrecoverable.

CFB:

Security:
+ Plaintext patterns are concealed.
+ Input to the block cipher is randomized.
+ More than one message can be encrypted with the same key, provided that a different IV is used.
+/- Plaintext is somewhat difficult to manipulate; blocks can be removed from the beginning and end of the message, bits of the first block can be changed, and repetition allows some controlled changes.

Efficiency:
+ Speed is the same as the block cipher.
+ Ciphertext is the same size as the plaintext, not counting the IV.
+/- Encryption is not parallelizable; decryption is parallelizable and has a random-access property.
+ Some preprocessing is possible before a block is seen; the previous ciphertext block can be encrypted.

Fault-tolerance:
- A ciphertext error affects the corresponding bit of plaintext and the next full block.
+ Synchronization errors of full block sizes are recoverable. 1-bit CFB can recover from the addition or loss of single bits.

CBC:

Security:
+ Plaintext patterns are concealed by XORing with the previous ciphertext block.
+ Input to the block cipher is randomized by XORing with the previous ciphertext block.
+ More than one message can be encrypted with the same key.
+/- Plaintext is somewhat difficult to manipulate; blocks can be removed from the beginning and end of the message, bits of the first block can be changed, and repetition allows some controlled changes.

Efficiency:
+ Speed is the same as the block cipher.
- Ciphertext is up to one block longer than the plaintext, not counting the IV.
- No preprocessing is possible.
+/- Encryption is not parallelizable; decryption is parallelizable and has a random-access property.

Fault-tolerance:
- A ciphertext error affects one full block of plaintext and the corresponding bit in the next block.
- Synchronization error is unrecoverable.

OFB/Counter:

Security:
+ Plaintext patterns are concealed.
+ Input to the block cipher is randomized.
+ More than one message can be encrypted with the same key, provided that a different IV is used.
- Plaintext is very easy to manipulate; any change in ciphertext directly affects the plaintext.

Efficiency:
+ Speed is the same as the block cipher.
+ Ciphertext is the same size as the plaintext, not counting the IV.
+ Processing is possible before the message is seen.
-/+ OFB processing is not parallelizable; counter processing is parallelizable.

Fault-tolerance:
+ A ciphertext error affects only the corresponding bit of plaintext.
- Synchronization error is unrecoverable.

CFB, specifically 8-bit CFB, is generally the mode of choice for encrypting streams of characters when each character has to be treated individually, as in a link between a terminal and a host. OFB is most often used in high-speed synchronous systems where error propagation is intolerable. OFB is also the mode of choice if preprocessing is required.

OFB is the mode of choice in an error-prone environment, because it has no error extension.

Stay away from the weird modes. One of the four basic modes (ECB, CBC, OFB, and CFB) is suitable for almost any application. These modes are not overly complex and probably do not reduce the security of the system. While it is possible that a complicated mode might increase the security of a system, most likely it just increases the complexity.

None of the weird modes has any better error propagation or error recovery characteristics.

9.12 INTERLEAVING
With most modes, encryption of a bit (or block) depends on the encryption of the previous bits (or blocks). This can often make it impossible to parallelize encryption. For example, consider a hardware box that does encryption in CBC mode. Even if the box contains four encryption chips, only one can work at any time. The next chip needs the results of the previous chip before it starts working.

The solution is to interleave multiple encryption streams. (This is not multiple encryption; that is covered in Sections 15.1 and 15.2.) Instead of a single CBC chain, use four. The first, fifth, and every fourth block thereafter are encrypted in CBC mode with one IV. The second, sixth, and every fourth block thereafter are encrypted in CBC mode with another IV, and so on. The total IV is much longer than it would have been without interleaving.

Think of it as encrypting four different messages with the same key and four different IVs. These messages are all interleaved.

This trick can also be used to increase the overall speed of hardware encryption. If you have three encryption chips, each capable of encrypting data at 33 megabits/second, you can interleave them to encrypt a single 100 megabit/second data channel.

Figure 9.16 shows three parallel streams interleaved in CFB mode. The idea can also work in CBC and OFB modes, and with any number of parallel streams. Just remember that each stream needs its own IV. Don't share.

9.13 BLOCK CIPHERS VERSUS STREAM CIPHERS
Although block and stream ciphers are very different, block ciphers can be implemented as stream ciphers and stream ciphers can be implemented as block ciphers. The best definition of the difference I've found is from Rainer Rueppel [1362]:

Block ciphers operate on data with a fixed transformation on large blocks of plaintext data; stream ciphers operate with a time-varying transformation on individual plaintext digits.

Figure 9.16 Interleaving three CFB encryptions.

In the real world, block ciphers seem to be more general (i.e., they can be used in any of the four modes) and stream ciphers seem to be easier to analyze mathematically. There is a large body of theoretical work on the analysis and design of stream ciphers, most of it done in Europe, for some reason. They have been used by the world's militaries since the invention of electronics.

This seems to be changing; recently a whole slew of theoretical papers have been written on block cipher design. Maybe soon there will be a theory of block cipher design as rich as our current theory of stream cipher design.

Otherwise, the differences between stream ciphers and block ciphers are in the implementation. Stream ciphers that only encrypt and decrypt data one bit at a time are not really suitable for software implementation. Block ciphers can be easier to implement in software, because they often avoid time-consuming bit manipulations and they operate on data in computer-sized blocks.

On the other hand, stream ciphers can be more suitable for hardware implementation because they can be implemented very efficiently in silicon.

These are important considerations. It makes sense for a hardware encryption device on a digital communications channel to encrypt the individual bits as they go by. This is what the device sees. On the other hand, it makes no sense for a software encryption device to encrypt each individual bit separately. There are some specific instances where bit- and byte-wise encryption might be necessary in a computer system (encrypting the link between the keyboard and the CPU, for example), but generally the encryption block should be at least the width of the data bus.

Chapter 10 Using Algorithms
Think of security - data security, communications security, information security, whatever - as a chain. The security of the entire system is only as strong as the weakest link. Everything has to be secure: cryptographic algorithms, protocols, key management, and more. If your algorithms are great but your random-number generator stinks, any smart cryptanalyst is going to attack your system through the random-number generation. If you patch that hole but forget to securely erase a memory location that contains the key, a cryptanalyst will break your system via that route. If you do everything right and accidentally e-mail a copy of your secure files to The Wall Street Journal, you might as well not have bothered.

It's not fair. As the designer of a secure system, you have to think of every possible means of attack and protect against them all, but a cryptanalyst only has to find one hole in your security and exploit it.

Cryptography is only a part of security, and often a very small part. It is the mathematics of making a system secure, which is different from actually making a system secure. Cryptography has its "size queens": people who spend so much time arguing about how long a key should be that they forget about everything else. If the secret police want to know what is on your computer, it is far easier for them to break into your house and install a camera that can record what is on your computer screen than it is for them to cryptanalyze your hard drive.

Additionally, the traditional view of computer cryptography as "spy versus spy" technology is becoming increasingly inappropriate. Over 99 percent of the cryptography used in the world is not protecting military secrets; it's in applications such as bank cards, pay-TV, road tolls, office building and computer access tokens, lottery terminals, and prepayment electricity meters [43,44].

In these applications, the role of cryptography is to make petty crime slightly more difficult; the paradigm of the well-funded adversary with a rabbit warren of cryptanalysts and roomsful of computers just doesn't apply.

Most of those applications have used lousy cryptography, but successful attacks against them had nothing to do with cryptanalysis. They involved crooked employees, clever sting operations, stupid implementations, integration blunders, and random idiocies. (I strongly recommend Ross Anderson's paper, "Why Cryptosystems Fail" [44]; it should be required reading for anyone involved in this field.) Even the NSA has admitted that most security failures in its area of interest are due to failures in implementation, and not failures in algorithms or protocols [1119]. In these instances it didn't matter how good the cryptography was; the successful attacks bypassed it completely.

10.1 CHOOSING AN ALGORITHM
When it comes to evaluating and choosing algorithms, people have several alternatives:

- They can choose a published algorithm, based on the belief that a published algorithm has been scrutinized by many cryptographers; if no one has broken the algorithm yet, then it must be pretty good.

- They can trust a manufacturer, based on the belief that a well-known manufacturer has a reputation to uphold and is unlikely to risk that reputation by selling equipment or programs with inferior algorithms.

- They can trust a private consultant, based on the belief that an impartial consultant is best equipped to make a reliable evaluation of different algorithms.

- They can trust the government, based on the belief that the government is trustworthy and wouldn't steer its citizens wrong.

- They can write their own algorithms, based on the belief that their cryptographic ability is second-to-none and that they should trust nobody but themselves.

Any of these alternatives is problematic, but the first seems to be the most sensible. Putting your trust in a single manufacturer, consultant, or government is asking for trouble. Most people who call themselves security consultants (even those from big-name firms) usually don't know anything about encryption. Most security product manufacturers are no better. The NSA has some of the world's best cryptographers working for it, but they're not telling all they know. They have their own interests to further, which are not congruent with those of their citizens. And even if you're a genius, writing your own algorithm and then using it without any peer review is just plain foolish.

The algorithms in this book are public. Most have appeared in the open literature and many have been cryptanalyzed by experts in the field. I list all published results, both positive and negative. I don't have access to the cryptanalysis done by any of the myriad military security organizations in the world (which are probably better than the academic institutions; they've been doing it longer and are better funded), so it is possible that these algorithms are easier to break than it appears. Even so, it is far more likely that they are more secure than an algorithm designed and implemented in secret in some corporate basement.

The hole in all this reasoning is that we don't know the abilities of the various military cryptanalytic organizations.

What algorithms can the NSA break? For the majority of us, there's really no way of knowing. If you are arrested with a DES-encrypted computer hard drive, the FBI is unlikely to introduce the decrypted plaintext at your trial; the fact that they can break an algorithm is often a bigger secret than any information that is recovered. During WWII, the Allies were forbidden from using decrypted German Ultra traffic unless they could have plausibly gotten the information elsewhere. The only way to get the NSA to admit to the ability to break a given algorithm is to encrypt something so valuable that its public dissemination is worth the admission. Or, better yet, create a really funny joke and send it via encrypted e-mail to shady characters in shadowy countries.

NSA employees are people, too; I doubt even they can keep a good joke secret.

A good working assumption is that the NSA can read any message that it chooses, but that it cannot read all messages that it chooses. The NSA is limited by resources, and has to pick and choose among its various targets. Another good assumption is that they prefer breaking knuckles to breaking codes; this preference is so strong that they will only resort to breaking codes when they wish to preserve the secret that they have read the message. In any case, the best most of us can do is to choose among public algorithms that have withstood a reasonable amount of public scrutiny and cryptanalysis.

Algorithms for Export
Algorithms for export out of the United States must be approved by the U.S. government (actually, by the NSA; see Section 25.1). It is widely believed that these export-approved algorithms can be broken by the NSA. Although no one has admitted this on the record, these are some of the things the NSA is rumored to privately suggest to companies wishing to export their cryptographic products:

- Leak a key bit once in a while, embedded in the ciphertext.

- "Dumb down" the effective key to something in the 30-bit range. For example, while the algorithm might accept a 100-bit key, most of those keys might be equivalent.

- Use a fixed IV, or encrypt a fixed header at the beginning of each encrypted message. This facilitates a known-plaintext attack.

- Generate a few random bytes, encrypt them with the key, and then put both the plaintext and the ciphertext of those random bytes at the beginning of the encrypted message. This also facilitates a known-plaintext attack.

NSA gets a copy of the source code, but the algorithm's details remain secret from everyone else. Certainly no one advertises any of these deliberate weaknesses, but beware if you buy a U.S. encryption product that has been approved for export.

10.2 PUBLIC-KEY CRYPTOGRAPHY VERSUS SYMMETRIC CRYPTOGRAPHY
Which is better, public-key cryptography or symmetric cryptography? This question doesn't make any sense, but has been debated since public-key cryptography was invented. The debate assumes that the two types of cryptography can be compared on an equal footing. They can't.

Needham and Schroeder [1159] pointed out that the number and length of messages are far greater with public-key algorithms than with symmetric algorithms. Their conclusion was that the symmetric algorithm was more efficient than the public-key algorithm. While true, this analysis overlooks the significant security benefits of public-key cryptography. Whitfield Diffie writes [492,494]:

In viewing public-key cryptography as a new form of cryptosystem rather than a new form of key management, I set the stage for criticism on grounds of both security and performance. Opponents were quick to point out that the RSA system ran about one thousandth as fast as DES and required keys about ten times as large. Although it had been obvious from the beginning that the use of public key systems could be limited to exchanging keys for conventional [symmetric] cryptography, it was not immediately clear that this was necessary. In this context, the proposal to build hybrid systems [879] was hailed as a discovery in its own right.

Public-key cryptography and symmetric cryptography are different sorts of animals; they solve different sorts of problems.

Symmetric cryptography is best for encrypting data. It is orders of magnitude faster and is not susceptible to chosen-ciphertext attacks. Public-key cryptography can do things that symmetric cryptography can't; it is best for key management and a myriad of protocols discussed in Part I.

Other primitives were discussed in Part I: one-way hash functions, message authentication codes, and so on. Table 10.1 lists different types of algorithms and their properties [804].

10.3 ENCRYPTING COMMUNICATIONS CHANNELS
This is the classic Alice and Bob problem: Alice wants to send Bob a secure message. What does she do? She encrypts the message.

In theory, this encryption can take place at any layer in the OSI (Open Systems Interconnect) communications model. (See the OSI security architecture standard for more information [305].) In practice, it takes place either at the lowest layers (one and two) or at higher layers. If it takes place at the lowest layers, it is called link-by-link encryption; everything going through a particular data link is encrypted. If it takes place at higher layers, it is called end-to-end encryption; the data are encrypted selectively and stay encrypted until they are decrypted by the intended final recipient. Each approach has its own benefits and drawbacks.

Link-by-Link Encryption
The easiest place to add encryption is at the physical layer (see Figure 10.1). This is called link-by-link encryption. The interfaces to the physical layer are generally standardized and it is easy to connect hardware encryption devices at this point. These devices encrypt all data passing through them, including data, routing information, and protocol information. They can be used on any type of digital communication link. On the other hand, any intelligent switching or storing nodes between the sender and the receiver need to decrypt the data stream before processing it.

This type of encryption is very effective. Because everything is encrypted, a cryptanalyst can get no information about the structure of the information. He has no idea who is talking to whom, how long the messages they are sending are, what times of day they communicate, and so on. This is called traffic-flow security: the enemy is not only denied access to the information, but also access to the knowledge of where and how much information is flowing.

Security does not depend on any traffic management techniques. Key management is also simple; only the two endpoints of the line need a common key, and they can change their key independently from the rest of the network.

Imagine a synchronous communications line, encrypted using 1-bit CFB. After initialization, the line can run indefinitely, recovering automatically from bit or synchronization errors. The line encrypts whenever messages are sent from one end to the other; otherwise it just encrypts and decrypts random data. Eve has no idea when messages are being sent and when they are not; she has no idea when messages begin and end. All she sees is an endless stream of random-looking bits.

If the communications line is asynchronous, the same 1-bit CFB mode can be used. The difference is that the adversary can get information about the rate of transmission. If this information must be concealed, make some provision for passing dummy messages during idle times.

The biggest problem with encryption at the physical layer is that each physical link in the network needs to be encrypted: leaving any link unencrypted jeopardizes the security of the entire network. If the network is large, the cost may quickly become prohibitive for this kind of encryption.

Additionally, every node in the network must be protected, since it processes unencrypted data. If all the network's users trust one another, and all nodes are in secure locations, this may be tolerable. But this is unlikely. Even in a single corporation, information might have to be kept secret within a department. If the network accidentally misroutes information, anyone can read it. Table 10.2 summarizes the pros and cons of link-by-link encryption.

End-to-End Encryption
Another approach is to put encryption equipment between the network layer and the transport layer. The encryption device must understand the data according to the protocols up to layer three and encrypt only the transport data units, which are then recombined with the unencrypted routing information and sent to lower layers for transmission.

This approach avoids the encryption/decryption problem at the physical layer. By providing end-to-end encryption, the data remain encrypted until they reach their final destination (see Figure 10.2). The primary problem with end-to-end encryption is that the routing information for the data is not encrypted; a good cryptanalyst can learn much from who is talking to whom, at what times and for how long, without ever knowing the contents of those conversations. Key management is also more difficult, since individual users must make sure they have common keys.

Building end-to-end encryption equipment is difficult. Each particular communications system has its own protocols. Sometimes the interfaces between the levels are not well-defined, making the task even more difficult.

If encryption takes place at a high layer of the communications architecture, like the application layer or the presentation layer, then it can be independent of the type of communication network used. It is still end-to-end encryption, but the encryption implementation does not have to bother about line codes, synchronization between modems, physical interfaces, and so forth. In the early days of electromechanical cryptography, encryption and decryption took place entirely offline; this is only one step removed from that.

Encryption at these high layers interacts with the user software. This software is different for different computer architectures, and so the encryption must be optimized for different computer systems. Encryption can occur in the software itself or in specialized hardware. In the latter case, the computer will send the data to the specialized hardware for encryption before sending it to lower layers of the communication architecture for transmission. This process requires some intelligence and is not suitable for dumb terminals. Additionally, there may be compatibility problems with different types of computers. The major disadvantage of end-to-end encryption is that it allows traffic analysis. Traffic analysis is the analysis of encrypted messages: where they come from, where they go to, how long they are, when they are sent, how frequent or infrequent they are, whether they coincide with outside events like meetings, and more. A lot of good information is buried in that data, and a cryptanalyst will want to get his hands on it. Table 10.3 presents the positive and negative aspects of end-to-end encryption.

Combining the Two
Table 10.4, primarily from [1244], compares link-by-link and end-to-end encryption. Combining the two, while most expensive, is the most effective way of securing a network. Encryption of each physical link makes any analysis of the routing information impossible, while end-to-end encryption reduces the threat of unencrypted data at the various nodes in the network. Key management for the two schemes can be completely separate: the network managers can take care of encryption at the physical level, while the individual users have responsibility for end-to-end encryption.

10.4 ENCRYPTING DATA FOR STORAGE Encrypting data for storage and later retrieval can also be thought of in the Alice and Bob model. Alice is still sending a me s sage to Bob, but in this case "Bob" is Alice at some future time. However, the problem is fundamentally different. In communic a tions channels, messages in transit have no intrinsic value. If Bob doesn't receive a particular message, Alice can always resend it.

This is not true for data encrypted for storage. If Alice can't decrypt her message, she can't go back in time and re-encrypt it. She has lost it forever. This means that encryption applications for data storage should have some mechanisms to prevent unrecove r able errors from creeping into the ciphertext. The encryption key has the same value as the message, only it is smaller. In effect, cryptography converts large secrets into smaller ones. Being smaller, they can be easily lost. Key management procedures should assume that the same keys will be used again and again, and that data may sit on a disk for years before being decrypted. Fu r thermore, the keys will be around for a long time. A key used on a communications link should, ideally, exist only for the length of the communication. A key used for data storage might be needed for years, and hence must be stored securely for years.

Other problems particular to encrypting computer data for storage were listed in [357]:

- The data may also exist in plaintext form, either on another disk, in another computer, or on paper. There is much more opportunity for a cryptanalyst to perform a known-plaintext attack.

- In database applications, pieces of data may be smaller than the block size of most algorithms. This will cause the ciphertext to be considerably larger than the plaintext.

- The speed of I/O devices demands fast encryption and decryption, and will probably require encryption hardware. In some applications, special high-speed algorithms may be required.

- Safe, long-term storage for keys is required.

- Key management is much more complicated, since different people need access to different files, different portions of the same file, and so forth. If the encrypted files are not structured as records and fields, such as text files, retrieval is easier: The entire file is decrypted before use. If the encrypted files are database files, this solution is problematic. Decrypting the entire database to access a single record is inefficient, but encrypting records independently might be susceptible to a block-replay kind of attack. In addition, you must make sure the unencrypted file is erased after encryption (see Section 10.9). For further details and insights, consult [425,569].

Dereferencing Keys When encrypting a large hard drive, you have two options. You can encrypt all the data using a single key. This gives a cryptanalyst a large amount of ciphertext to analyze and makes it impossible to allow multiple users to see only parts of the drive.

Or, you can encrypt each file with a different key, forcing users to memorize a different key for each file.

The solution is to encrypt each file with a separate key, and to encrypt the keys with another key known by the users. Each user only has to remember that one key. Different users can have different subsets of the file-encryption keys encrypted with their key. And there can even be a master key under which every file-encryption key is encrypted. This is even more secure because the file-encryption keys are random and less susceptible to a dictionary attack.

Driver-Level vs. File-Level Encryption There are two ways to encrypt a hard drive: at the file level and at the driver level. Encryption at the file level means that every file is encrypted separately. To use a file that's been encrypted, you must first decrypt the file, then use it, and then re-encrypt it.

Driver-level encryption maintains a logical drive on the user's machine that has all data on it encrypted. If done well, this can provide security that, beyond choosing good passwords, requires little worry on the part of the user. The driver must be considerably more complex than a simple file-encryption program, however, because it must deal with the issues of being an installed device driver, allocation of new sectors to files, recycling of old sectors from files, random-access read and update requests for any data on the logical disk, and so on.

Typically, the driver prompts the user for a password before starting up. This is used to generate the master decryption key, which may then be used to decrypt actual decryption keys used on different data.

Providing Random Access to an Encrypted Drive Most systems expect to be able to access individual disk sectors randomly. This adds some complication for using many stream ciphers and block ciphers in any chaining mode. Several solutions are possible.

Use the sector address to generate a unique IV for each sector being encrypted or decrypted. The drawback is that each sector will always be encrypted with the same IV. Make sure this is not a security problem.

For the master key, generate a pseudo-random block as large as one sector. (You can do this by running an algorithm in OFB mode, for example.) To encrypt any sector, first XOR in this pseudo-random block, then encrypt normally with a block cipher in ECB mode. This is called ECB+OFB (see Section 15.4).

Since CBC and CFB are error-recovering modes, you can use all but the first block or two in the sector to generate the IV for that sector. For example, the IV for sector 3001 may be the hash of all but the first 128 bits of the sector's data. After generating the IV, encrypt normally in CBC mode. To decrypt the sector, you use the second 64-bit block of the sector as an IV, and decrypt the remainder of the sector. Then, using the decrypted data, you regenerate the IV and decrypt the first 128 bits.

You can use a block cipher with a large enough block size that it can encrypt the whole sector at once. Crab (see Section 14.6) is an example.

10.5 HARDWARE ENCRYPTION VERSUS SOFTWARE ENCRYPTION Hardware Until very recently, all encryption products were in the form of specialized hardware. These encryption/decryption boxes plugged into a communications line and encrypted all the data going across that line. Although software encryption is becoming more prevalent today, hardware is still the embodiment of choice for military and serious commercial applications. The NSA, for example, only authorizes encryption in hardware. There are several reasons why this is so.

The first is speed. As we will see in Part III, encryption algorithms consist of many complicated operations on plaintext bits.

These are not the sorts of operations that are built into your run-of-the-mill computer. The two most common encryption algorithms, DES and RSA, run inefficiently on general-purpose processors. While some cryptographers have tried to make their algorithms more suitable for software implementation, specialized hardware will always win a speed race.

Additionally, encryption is often a computation-intensive task. Tying up the computer's primary processor for this is inefficient. Moving encryption to another chip, even if that chip is just another processor, makes the whole system faster. The second reason is security. An encryption algorithm running on a generalized computer has no physical protection. Mallory can go in with various debugging tools and surreptitiously modify the algorithm without anyone ever realizing it. Hardware encryption devices can be securely encapsulated to prevent this. Tamperproof boxes can prevent someone from modifying a hardware encryption device. Special-purpose VLSI chips can be coated with a chemical such that any attempt to access their interior will result in the destruction of the chip's logic. The U.S. government's Clipper and Capstone chips (see Sections 24.16 and 24.17) are designed to be tamperproof. The chips can be designed so that it is impossible for Mallory to read the unencrypted key.

IBM developed a cryptographic system for encrypting data and communications on mainframe computers [515,1027]. It includes tamper-resistant modules to hold keys. This system is discussed in Section 24.1.

Electromagnetic radiation can sometimes reveal what is going on inside a piece of electronic equipment. Dedicated encryption boxes can be shielded, so that they leak no compromising information. General-purpose computers can be shielded as well, but it is a far more complex problem. The U.S. military calls this TEMPEST; it's a subject well beyond the scope of this book.

The final reason for the prevalence of hardware is the ease of installation. Most encryption applications don't involve general-purpose computers. People may wish to encrypt their telephone conversations, facsimile transmissions, or data links. It is cheaper to put special-purpose encryption hardware in the telephones, facsimile machines, and modems than it is to put in a microprocessor and software.

Even when the encrypted data comes from a computer, it is easier to install a dedicated hardware encryption device than it is to modify the computer's system software. Encryption should be invisible; it should not hamper the user. The only way to do this in software is to write encryption deep into the operating system. This isn't easy. On the other hand, even a computer neophyte can plug an encryption box between his computer and his external modem.

The three basic kinds of encryption hardware on the market today are: self-contained encryption modules (that perform functions such as password verification and key management for banks), dedicated encryption boxes for communications links, and boards that plug into personal computers.

Some encryption boxes are designed for certain types of communications links, such as T-1 encryption boxes that are designed not to encrypt synchronization bits. There are different boxes for synchronous and asynchronous communications lines.

Newer boxes tend to accept higher bit rates and are more versatile.

Even so, many of these devices have some incompatibilities. Buyers should be aware of this and be well-versed in their particular needs, lest they find themselves the owners of encryption equipment unable to perform the task at hand. Pay attention to restrictions in hardware type, operating system, applications software, network, and so forth. PC-board encryptors usually encrypt everything written to the hard disk and can be configured to encrypt everything sent to the floppy disk and serial port as well.

These boards are not shielded against electromagnetic radiation or physical interference, since there would be no benefit in protecting the boards if the computer remained unaffected. More companies are starting to put encryption hardware into their communications equipment. Secure telephones, facsimile machines, and modems are all available. Internal key management for these devices is generally secure, although there are as many different schemes as there are equipment vendors. Some schemes are more suited for one situation than another, and buyers should know what kind of key management is incorporated into the encryption box and what they are expected to provide themselves.

Software Any encryption algorithm can be implemented in software. The disadvantages are in speed, cost, and ease of modification (or manipulation). The advantages are in flexibility and portability, ease of use, and ease of upgrade. The algorithms written in C at the end of this book can be implemented, with little modification, on any computer. They can be inexpensively copied and installed on many machines. They can be incorporated into larger applications, such as communications programs or word processors.

Software encryption programs are popular and are available for all major operating systems. These are meant to protect individual files; the user generally has to manually encrypt and decrypt specific files. It is important that the key management scheme be secure: The keys should not be stored on disk anywhere (or even written to a place in memory from where the processor swaps out to disk). Keys and unencrypted files should be erased after encryption. Many programs are sloppy in this regard, and a user has to choose carefully.

Of course, Mallory can always replace the software encryption algorithm with something lousy. But for most users, that isn't a problem. If Mallory can break into our office and modify our encryption program, he can also put a hidden camera on the wall, a wiretap on the telephone, and a TEMPEST detector down the street. If Mallory is that much more powerful than the user, the user has lost the game before it starts.

10.6 COMPRESSION, ENCODING, AND ENCRYPTION Using a data compression algorithm together with an encryption algorithm makes sense for two reasons:

- Cryptanalysis relies on exploiting redundancies in the plaintext; compressing a file before encryption reduces these redundancies.

- Encryption is time-consuming; compressing a file before encryption speeds up the entire process.

The important thing to remember is to compress before encryption. If the encryption algorithm is any good, the ciphertext will not be compressible; it will look like random data. (This makes a reasonable test of an encryption algorithm; if the ciphertext can be compressed, then the algorithm probably isn't very good.) If you are going to add any type of transmission encoding or error detection and recovery, remember to add that after encryption. If there is noise in the communications path, decryption's error-extension properties will only make that noise worse. Figure 10.3 summarizes these steps.

10.7 DETECTING ENCRYPTION How does Eve detect an encrypted file? Eve is in the spy business, so this is an important question. Imagine that she's eavesdropping on a network where messages are flying in all directions at high speeds; she has to pick out the interesting ones. Encrypted files are certainly interesting, but how does she know they are encrypted?

Generally, she relies on the fact that most popular encryption programs have well-defined headers. Electronic-mail messages encrypted with either PEM or PGP (see Sections 24.10 and 24.12) are easy to identify for that reason.

Other file encryptors just produce a ciphertext file of seemingly random bits. How can she distinguish it from any other file of seemingly random bits? There is no sure way, but Eve can try a number of things:

- Examine the file. ASCII text is easy to spot. Other file formats, such as TIFF, TeX, C, Postscript, G3 facsimile, or Microsoft Excel, have standard identifying characteristics. Executable code is detectable, as well. UNIX files often have "magic numbers" that can be detected.

- Try to uncompress the file, using the major compression algorithms. If the file is compressed (and not encrypted), this should yield the original file.

- Try to compress the file. If the file is ciphertext (and the algorithm is good), then the probability that the file can be appreciably compressed by a general-purpose compression routine is small. (By appreciably, I mean more than 1 or 2 percent.) If it is something else (a binary image or a binary data file, for example), it probably can be compressed.

Any file that cannot be compressed and is not already compressed is probably ciphertext. (Of course, it is possible to specifically make ciphertext that is compressible.) Identifying the algorithm is a whole lot harder. If the algorithm is good, you can't. If the algorithm has some slight biases, it might be possible to recognize those biases in the file. However, the biases have to be pretty significant or the file has to be pretty big in order for this to work.
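As an added example (not from the original text), here is a Python sketch of the checks above in the order the list gives them: look for a known header, look for ASCII text, try to uncompress, and finally try to compress and see whether the gain exceeds the 1 or 2 percent threshold. The magic-number table and the sample inputs are constructed for the example, and a SHA-256 output stream stands in for the ciphertext of a good cipher.

```python
import gzip
import hashlib
import zlib

# A handful of well-known header "magic numbers" (a constructed subset for this example).
MAGIC = {
    b"\x1f\x8b": "gzip-compressed",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"%!PS": "PostScript",
    b"\x7fELF": "ELF executable",
    b"II*\x00": "TIFF image (little-endian)",
    b"MM\x00*": "TIFF image (big-endian)",
}


def identify_by_magic(data: bytes):
    """Step 1: a well-defined header gives the format away immediately."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def looks_like_ascii_text(data: bytes) -> bool:
    """Step 2: printable ASCII plus tab/newline/CR and nothing else."""
    allowed = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
    return bool(data) and all(b in allowed for b in data)


def compression_gain(data: bytes) -> float:
    """Fraction by which a general-purpose compressor (deflate) shrinks the data; 0.0 if it grows."""
    if not data:
        return 0.0
    return max(0.0, 1.0 - len(zlib.compress(data, 9)) / len(data))


def classify(data: bytes, appreciable: float = 0.02) -> str:
    name = identify_by_magic(data)
    if name:
        return name
    if looks_like_ascii_text(data):
        return "ASCII text"
    try:  # Step 3: a raw zlib stream has no distinctive magic but inflates cleanly
        zlib.decompress(data)
        return "zlib-compressed"
    except zlib.error:
        pass
    # Step 4: incompressible and not a known compressed format -> probably ciphertext
    if compression_gain(data) <= appreciable:
        return "probably ciphertext"
    return "uncompressed binary data"


# Constructed samples: English text, a structured binary table of little-endian integers,
# and a deterministic pseudo-random stream standing in for the output of a good cipher.
SAMPLE_TEXT = b"Alice sends Bob a message; Eve records it but cannot read it. " * 60
SAMPLE_BINARY = b"".join(i.to_bytes(4, "little") for i in range(1024))
SAMPLE_RANDOM = b"".join(
    hashlib.sha256(b"constructed-sample-%d" % i).digest() for i in range(128)
)


def demo():
    """Run the classifier over the constructed samples and return the verdicts."""
    return {
        "text": classify(SAMPLE_TEXT),
        "gzip": classify(gzip.compress(SAMPLE_TEXT)),
        "zlib": classify(zlib.compress(SAMPLE_TEXT)),
        "binary": classify(SAMPLE_BINARY),
        "random": classify(SAMPLE_RANDOM),
    }


if __name__ == "__main__":
    for kind, verdict in demo().items():
        print(f"{kind:7s} -> {verdict}")
```

Note that the last verdict lumps real ciphertext together with compressed data in an unrecognised container, which is exactly the ambiguity the text describes.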

10.8 HIDING CIPHERTEXT IN CIPHERTEXT Alice and Bob have been sending encrypted messages to each other for the past year. Eve has been collecting them all, but she cannot decrypt any of them. Finally, the secret police tire of all this unreadable ciphertext and arrest the pair. "Give us your encryption keys," they demand. Alice and Bob refuse, but then they notice the thumbscrews. What can they do?

Wouldn't it be nice to be able to encrypt a file such that there are two possible decryptions, each with a different key? Alice could encrypt a real message to Bob in one of the keys and some innocuous message in the other key. If Alice were caught, she could surrender the key to the innocuous message and keep the real key secret.

The easiest way to do this is with one-time pads. Let P be the plaintext, D the dummy plaintext, C the ciphertext, K the real key, and K' the dummy key. Alice encrypts P:

P ⊕ K = C

Alice and Bob share K, so Bob can decrypt C:

C ⊕ K = P

If the secret police ever force them to surrender their key, they don't surrender K, but instead surrender:

K' = C ⊕ D

The police then recover the dummy plaintext:

C ⊕ K' = D

Since these are one-time pads and K is completely random, there is no way to prove that K' was not the real key. To make matters more convincing, Alice and Bob should concoct some mildly incriminating dummy messages to take the place of the really incriminating real messages. A pair of Israeli spies once did this.

Alice could take P and encrypt it with her favorite algorithm and key K to get C. Then she takes C and XORs it with some piece of mundane plaintext, Pride and Prejudice for example, to get K'. She stores both C and the XOR on her hard disk. Now, when the secret police interrogate her, she can explain that she is an amateur cryptographer and that K' is merely a one-time pad for C. The secret police might suspect something, but unless they know K they cannot prove that Alice's explanation isn't valid.

Another method is to encrypt P with a symmetric algorithm and K, and D with K'. Intertwine bits (or bytes) of the ciphertext to make the final ciphertexts. If the secret police demand the key, Alice gives them K' and says that the alternating bits (or bytes) are random noise designed to frustrate cryptanalysts. The trouble is the explanation is so implausible that the secret police will probably not believe her (especially considering it is suggested in this book). A better way is for Alice to create a dummy message, D, such that the concatenation of P and D, compressed, is about the same size as D. Call this concatenation P'. Alice then encrypts P' with whatever algorithm she and Bob share to get C. Then she sends C to Bob. Bob decrypts C to get P', and then P and D. Then they both compute C ⊕ D = K'. This K' becomes the dummy one-time pad they use in case the secret police break their doors down. Alice has to transmit D so that hers and Bob's alibis match.

Another method is for Alice to take an innocuous message and run it through some error-correcting code. Then she can introduce errors that correspond to the secret encrypted message. On the receiving end, Bob can extract the errors to reconstruct the secret message and decrypt it. He can also use the error-correcting code to recover the innocuous message. Alice and Bob might be hard pressed to explain to the secret police why they consistently get a 30 percent bit-error rate on an otherwise noise-free computer network, but in some circumstances this scheme can work.

Finally, Alice and Bob can use the subliminal channels in their digital signature algorithms (see Sections 4.2 and 23.3). This is undetectable, works great, but has the drawback of only allowing 20 or so characters of subliminal text to be sent per signed innocuous message. It really isn't good for much more than sending keys.

10.9 DESTROYING INFORMATION When you delete a file on most computers, the file isn't really deleted. The only thing deleted is an entry in the disk's index file, telling the machine that the file is there. Many software vendors have made a fortune selling file-recovery software that recovers files after they have been deleted.

And there's yet another worry: Virtual memory means your computer can read and write memory to disk any time. Even if you don't save it, you never know when a sensitive document you are working on is shipped off to disk. This means that even if you never save your plaintext data, your computer might do it for you. And driver-level compression programs like Stacker and DoubleSpace can make it even harder to predict how and where information is stored on a disk.

To erase a file so that file-recovery software cannot read it, you have to physically write over all of the file's bits on the disk.

According to the National Computer Security Center [1148]:

Overwriting is a process by which unclassified data are written to storage locations that previously held sensitive data.... To purge the... storage media, the DoD requires overwriting with a pattern, then its complement, and finally with another pattern; e.g., overwrite first with 0011 0101, followed by 1100 1010, then 1001 0111. The number of times an overwrite must be accomplished depends on the storage media, sometimes on its sensitivity, and sometimes on different DoD component requirements. In any case, a purge is not complete until a final overwrite is made using unclassified data.

You may have to erase files or you may have to erase entire drives. You should also erase all unused space on your hard disk.

Most commercial programs that claim to implement the DoD standard overwrite three times: first with all ones, then with all zeros, and finally with a repeating one-zero pattern. Given my general level of paranoia, I recommend overwriting a deleted file seven times: the first time with all ones, the second time with all zeros, and five times with a cryptographically secure pseudo-random sequence. Recent developments at the National Institute of Standards and Technology with electron-tunneling microscopes suggest even that might not be enough. Honestly, if your data is sufficiently valuable, assume that it is impossible to erase data completely off magnetic media. Burn or shred the media; it's cheaper to buy media new than to lose your secrets.
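As an added example (not from the original text), a Python routine that performs the overwrite passes described in this section: the three DoD patterns quoted above followed by a final pass of unclassified data, and the seven-pass scheme the author recommends. The sample file is constructed for the example; the `secure_delete` and `make_sample_file` names are the example's own.

```python
import os
import secrets
import tempfile

# DoD patterns quoted in the text: 0011 0101, its complement 1100 1010, then 1001 0111,
# followed by a final pass of unclassified data (all zeros here).
DOD_PASSES = [b"\x35", b"\xca", b"\x97", b"\x00"]

# The author's recommendation: all ones, all zeros, then five cryptographically secure
# pseudo-random passes. None marks a pass that uses fresh random bytes.
SEVEN_PASSES = [b"\xff", b"\x00"] + [None] * 5


def _fill(pattern, length):
    """Produce `length` bytes of the pass pattern (or fresh CSPRNG output for None)."""
    if pattern is None:
        return secrets.token_bytes(length)
    return (pattern * (length // len(pattern) + 1))[:length]


def overwrite_file(path, passes, chunk=1 << 20):
    """Overwrite every byte of the file once per entry in `passes`, syncing after each pass.

    This only helps if the filesystem writes the new bytes to the same physical sectors.
    A compressing driver such as Stacker or DoubleSpace, or a driver that allocates fresh
    sectors for a rewrite (both mentioned above), may leave the old bits untouched.
    Returns the number of bytes overwritten per pass.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for pattern in passes:
            f.seek(0)
            left = size
            while left:
                n = min(chunk, left)
                f.write(_fill(pattern, n))
                left -= n
            f.flush()
            os.fsync(f.fileno())  # force this pass onto the device before the next one
    return size


def secure_delete(path, passes=SEVEN_PASSES):
    """Overwrite, then remove the directory entry that plain deletion would remove alone."""
    size = overwrite_file(path, passes)
    os.remove(path)
    return size


def make_sample_file(directory=None):
    """Constructed sample: a file of 'sensitive' plaintext to be purged."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "plaintext.txt")
    with open(path, "wb") as f:
        f.write(b"SECRET: the real key is under the doormat\n" * 500)
    return path


def last_pass_residue(path, passes):
    """Overwrite and read back what a file-recovery tool would now see on disk."""
    overwrite_file(path, passes)
    with open(path, "rb") as f:
        return f.read()


if __name__ == "__main__":
    sample = make_sample_file()
    print("after DoD passes:", last_pass_residue(sample, DOD_PASSES)[:8])
    print("bytes purged:", secure_delete(sample))
```

Unused space, swap files and other copies of the plaintext (see Section 10.9's opening paragraphs) are not touched by this routine; it handles only the one file it is given.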

PART III CRYPTOGRAPHIC ALGORITHMS CHAPTER 11 MATHEMATICAL BACKGROUND 11.1 INFORMATION THEORY Modern information theory was first published in 1948 by Claude Elmwood Shannon [1431, 1432]. (His papers were reprinted by IEEE Press [1433].) From the mathematical point of view the subject is well covered in [593]. This chapter only sketches the basic ideas.

Entropy and Uncertainty Information theory defines the amount of information in a message as the minimum number of bits needed to encode all possible meanings of that message, assuming all messages are equally likely.

For example, the day-of-the-week field in a database needs no more than 3 bits, since all of its values can be encoded in 3 bits:

000 - Sunday
001 - Monday
010 - Tuesday
011 - Wednesday
100 - Thursday
101 - Friday
110 - Saturday
111 - Not used

If this information were represented by the corresponding ASCII strings, it would take up more memory but would contain no more information. Similarly, a "sex" field in a database contains only one bit of information, even though that information may be stored as one of two 7-byte ASCII strings, one for "male" and one for "female".

Formally, the amount of information in a message M is measured by the entropy of the message, denoted H(M). The entropy of a message giving a person's sex is 1 bit, and the entropy of a message giving the day of the week is a little less than 3 bits. In general, the entropy of a message is log2 n, where n is the number of possible meanings. This assumes that all meanings are equally likely.

The entropy of a message is also a measure of its uncertainty: the number of plaintext bits that must be recovered from the ciphertext of the message in order to learn the plaintext. For example, if the ciphertext block "QHP*5M" means either "male" or "female", the uncertainty of the message is 1. A cryptanalyst has to learn only one well-chosen bit to recover the message.

The rate of a language is r = H(M)/N, where N is the length of the message. For large N, the rate of ordinary English takes various values between 1.0 bits/letter and 1.5 bits/letter. Shannon [1434] says that the entropy depends on the length of the text. Specifically, he showed that the rate for 8-letter blocks is 2.3 bits/letter, but its value falls to between 1.3 and 1.5 for 16-letter blocks. Thomas Cover used a gambling estimation technique and found an entropy of 1.3 bits/character [386]. (In this book I will use the value 1.3.) The absolute rate of a language is the maximum number of bits that can be carried by each character, assuming all sequences of characters are equally likely. If there are L characters in the language, the absolute rate is:

R = log2 L

This is the maximum entropy of the individual characters.

For English with its 26 letters the absolute rate is log2 26, about 4.7 bits/letter. It should not surprise anyone that the actual rate of English is much lower than the absolute rate: natural language is full of redundancy. The redundancy of a language, denoted D, is defined as:

D = R - r

Given that the rate of English is 1.3, its redundancy is 3.4 bits/letter. This means that each English letter carries 3.4 bits of redundant information.
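As an added example (not from the original text), the definitions of this section carried through in Python: H(M) = log2 n for n equally likely meanings, the rate r = H(M)/N, the absolute rate R = log2 L and the redundancy D = R - r, plus a single-letter frequency estimate of bits per letter on a constructed English sample. That estimate ignores context between letters, so it sits between the 1.3 figure quoted above and the absolute rate.

```python
import math
from collections import Counter


def entropy_equiprobable(n: int) -> float:
    """H(M) = log2 n bits for a message with n equally likely meanings."""
    return math.log2(n)


def storage_bits(text: str) -> int:
    """Bits a message occupies when stored as an ASCII string (8 bits per character)."""
    return 8 * len(text.encode("ascii"))


def rate(message_entropy: float, length: int) -> float:
    """Rate of a language: r = H(M) / N, with N the message length in characters."""
    return message_entropy / length


def absolute_rate(alphabet_size: int) -> float:
    """Absolute rate: R = log2 L, the most bits one character of an L-letter alphabet can carry."""
    return math.log2(alphabet_size)


def redundancy(alphabet_size: int, language_rate: float) -> float:
    """Redundancy: D = R - r."""
    return absolute_rate(alphabet_size) - language_rate


def single_letter_entropy(text: str) -> float:
    """Bits per letter estimated from single-letter frequencies only (letters a-z).

    Context between letters is ignored, so this overestimates the true rate r;
    the Shannon and Cover figures quoted in the text account for that context.
    """
    letters = [c for c in text.lower() if "a" <= c <= "z"]
    total = len(letters)
    counts = Counter(letters)
    return -sum((k / total) * math.log2(k / total) for k in counts.values())


# Constructed sample of ordinary English prose (not from the original text).
SAMPLE = ("The quick brown fox jumps over the lazy dog while Alice and Bob exchange "
          "messages that Eve would very much like to read but cannot decrypt.")


def day_of_week_example():
    """Seven equally likely values carry a little under 3 bits, yet 'Wednesday' takes 72 bits as ASCII."""
    return entropy_equiprobable(7), storage_bits("Wednesday")


def english_example(r: float = 1.3):
    """The figures for English used in the text: R = log2 26, D = R - r with r = 1.3."""
    return {
        "absolute_rate": absolute_rate(26),
        "redundancy": redundancy(26, r),
        "single_letter_estimate": single_letter_entropy(SAMPLE),
    }


if __name__ == "__main__":
    print("day of week: H = %.2f bits, stored as %d bits" % day_of_week_example())
    for name, value in english_example().items():
        print(f"{name}: {value:.2f} bits/letter")
```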
