【正文】 管理員處檢索出 A 的公鑰。這條消息包括下列內(nèi)容： ? B 的公鑰 PUb。這可能是因為公鑰已用于大量的數(shù)據(jù)，因而用戶更希望更換公鑰，也可能是 因為相應(yīng)的私鑰已經(jīng)泄密。例如，越來越為人們廣泛使用的 PGP（ pretty good privacy，該方法將在第 15章討論）中使用了 RSA 算法，所以許多 PGP 用戶在給諸如 USENET新聞組和 Inter 郵件列表這樣的一些公開論壇發(fā)送消息時，都將其公鑰附加在要發(fā)送的消息之后。 YA = 40。s nonce (N1) as well as a new nonce generated by B (N2) Because only B could have decrypted message (1), the presence of N1 in message (2) assures A that the correspondent is B. 3. A returns N2 encrypted using B39。s public key can obtain the certificate and verify that it is valid by way of the attached trusted signature. A participant can also convey its key information to another by transmitting its certificate. Other participants can verify that the certificate was created by the authority. We can place the following requirements on this scheme: 1. Any participant can read a certificate to determine the name and public key of the certificate39。s public key, PUb which A can use to encrypt messages destined for B ? The original request, to enable A to match this response with the corresponding earlier request and to verify that the original request was not altered before reception by the authority ? The original timestamp, so A can determine that this is not an old message from the authority containing a key other than B39。s current public key 3. A stores B39。s owner. 2. Any participant can verify that the certificate originated from the certificate authority and is not counterfeit. 3. Only the certificate authority can create and update certificates. These requirements are satisfied by the original proposal in [KOHN78]. Denning [DENN83] added the following additional requirement: 4. Any participant can verify the currency of the certificate. A certificate scheme is illustrated in Figure . Each participant applies to the certificate authority, supplying a public key and requesting a certificate. Figure . Exchange of PublicKey Certificates Application must be in person or by some form of secure authenticated munication. For participant A, the authority provides a certificate of the form CA = E(PRauth, [T||IDA||PUa]) where PRauth is the private key used by the authority and T is a timestamp. A may then pass this certificate on to any other participant, who reads and verifies the certificate as follows: D(PUauth, CA) = D(PUauth, E(PRauth, [T||IDA||PUa])) = (T||IDA||PUa) The recipient uses the authority39。s public key, to assure B that its correspondent is A. 4. A selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B. Encryption of this message with B39。 YB = 248 In this simple example, it would be possible by brute force to determine the secret key 160. In particular, an attacker E can determine the mon key by discovering a solution to the equation 3a mod 353 = 40 or the equation 3b mod 353 = 248. The bruteforce approach is to calculate powers of 3 modulo 353, stopping when the result equals either 40 or 248. The desired answer is reached with the exponent value of 97, which provides 397 mod 353 = 40. With larger numbers, the problem bees impractical. Key Exchange Protocols Figure shows a simple protocol that makes use of the DiffieHellman calculation. Suppose that user A wishes to set up a connection with user B and use a secret key to encrypt messages on that connection. User A can generate a onetime private key XA, calculate YA, and send that to user B. User B responds by generating a private value XB calculating YB, and sending YB to user A. Both users can now calculate the key. The necessary public values q and a would need to be known ahead of time. Alternatively, user A could pick values for q and a and include those in the first message. Figure . DiffieHellman Key Exchange As an example of another use of the DiffieHellman algorithm, suppose that a group of users (., all users on a LAN) each generate a longlasting private value Xi (for user i) and calculate a public value Yi. These public values, together with global public values for q and a, are stored in some central directory. At any time, user j can access user i39。 雖然這種方法比較簡便，但它有一個較大的缺點，即任何人都可以偽造這種公鑰的公開發(fā)布。 4. 通信方也可以訪問電子目錄。 A 可用它對要發(fā)送給 B的消息加密。 至此公鑰已被安全地傳遞給 A 和 B，他們之間的信息交換將受到保護。像前面一樣，管理員所維護的，含有姓名和公鑰的目錄也容易被篡改。 3. 只有證書管理員才可以產(chǎn)生并更新證書。因為只用管理員的公鑰即可讀取證書，因此接收方可 驗證證書確實是出自證書管理員； IDA和 PUa幾向接收方提供證書擁有者的姓名和公 鑰；時間戳 T 用來驗證證書的當(dāng)前性。但是由于公鑰密碼速度較慢，幾乎沒有用戶愿意在通信中完全使用公鑰密碼，因此公鑰密碼更適合作為傳統(tǒng)密碼中實現(xiàn)秘密鑰分配的一種手段 簡單的秘密鑰分配 Merkle 提出了一種極其簡單的方法 [MERK79].如圖 所示。密鑰交換完成后，A和 B均 放棄 KA。 3. E 產(chǎn)生秘密鑰 KA，井發(fā)送 EPUa[KA]。其中 N1 用來惟一標(biāo)識本次交易。 混合方法 混合方法也是利用公鑰密碼來進行密鑰 分配，在 IBM 計算機上曾使用了這種方法 [LE93]。公鑰方法在這里只用來分配主密鑰。因為只有 B可以解 密消息 (1)，所以消息 (2)中的N1 可使 A確信其通信伙伴是 B。 5. E 發(fā)送 EPUa[KA]給 A。由于在通信前和通信完成后都沒有密鑰存在。的消息發(fā)送給B。 假設(shè) A 產(chǎn)生新的公 /私鑰對并向證書管理員申請新的證書；同時，攻擊者重放 A的舊證書給 B，若 B用偽冒的舊公鑰加密消息，則攻擊者可讀取消息。后來 Denning[ DENN83」又增加了下列要求 : 4．任何通信方可以驗證證書的當(dāng)前性。通信各方使用證書來交換密鑰而不是通過公鑰管理員。因為只有 B 可以解密消息（ 3），所以消息（ 6）中的 N1 可以使 A確信其通信伙伴就是 B。這樣 A 可以將該請求與其最初發(fā)出的請求進行比較，以驗證在管理員收到請求之前，其原始請求違背修改。 公鑰授權(quán) 通過更加嚴(yán)格地控制目錄中的公鑰分配，可使公鑰分配更加安全。 公開可訪問的目錄 維護一個動態(tài)可訪問的公鑰目錄可以獲得更大程度的安全性。 in G such that a ? a39。 encryption with A39。s public key, this verifies that the certificate came from the certificate authority. The elements IDA and PUa provide the recipient with the name and public key of the certificate39。s public key from the authority in the same manner as A retrieved B39。s private key, PRauth Thus, A is able to decrypt the message using the authority39。s public key, to assure B that its correspondent is A. Thus, a total of seven messages are required. However, the initial four messages need be used only infrequently because both A and B can save the other39。s public key. 3. A putes D(PRa, E(PUa, Ks)) to recover the secret key. Because only A can decrypt the message, only A and B will know the identity of Ks. 4. A discards PUa and PRa and B discards PUa. Figure . Simple Use of PublicKey