【導(dǎo)讀】putersystems.attacks?claimstobe.munication.

　　

【正文】 oth the document and the first signature, and so on. Why does PGP generate a signature before applying pression? a. It is preferable to sign an unpressed message so that one can store only the unpressed message together with the signature for future verification. If one signed a pressed document, then it would be necessary either to store a pressed version of the message for later verification or to repress the message when verification is required. b. Even if one were willing to generate dynamically a repressed message for verification, PGP39。s pression algorithm presents a difficulty. The algorithm is not deterministic。 various implementations of the algorithm achieve different tradeoffs in running speed versus pression ratio and, as a result, produce different pressed forms. However, these different pression algorithms are interoperable because any version of the algorithm can correctly depress the output of any other version. Applying the hash function and signature after pression would constrain all PGP implementations to the same version of the pression algorithm. What is R64conversion? R64 converts a raw 8bit binary stream to a stream of printable ASCII characters. Each group of three octets of binary data is mapped into four ASCII characters. 17 Why is R64 conversion useful for an application? When PGP is used, at least part of the block to be transmitted is encrypted. If only the signature service is used, then the message digest is encrypted (with the sender39。s private key). If the confidentiality service is used, the message plus signature (if present) are encrypted (with a onetime symmetric key). Thus, part or all of the resulting block consists of a stream of arbitrary 8bit octets. However, many electronic mail systems only permit the use of blocks consisting of ASCII text. Why is the segmentation and reassembly function in PGP needed? Email facilities often are restricted to a maximum message length. How does PGP use the concept of trust? PGP includes a facility for assigning a level of trust to individual signers and to keys. What is RFC822? RFC 822 defines a format for text messages that are sent using electronic mail. What is MIME? MIME is an extension to the RFC 822 framework that is intended to address some of the problems and limitations of the use of SMTP (Simple Mail Transfer Protocol) or some other mail transfer protocol and RFC 822 for electronic mail. What is S/MIME? S/MIME (Secure/Multipurpose Inter Mail Extension) is a security enhancement to the MIME Inter format standard, based on technology from RSA Data Security. ANSWERS NSWERS TO PROBLEMS In the PGP scheme, what is the expected number of session keys generated before a previously created key is produced? This is just another form of the birthday paradox discussed in Appendix 11A. Let us state the problem as one of determining what number of session keys 18 must be generated so that the probability of a duplicate is greater than . From Equation () in Appendix 11A, we have the approximation:?k ? ??n For a 128bit key, there are 2128 possible keys. Therefore?k ? ??2128 ? ??264 The first 16 bits of the message digest in a PGP signature are translated in the clear. a. To what extent does this promise the security of the hash algorithm? b. To what extent does it in fact perform its intended function, namely, to help determine if the correct RSA key was used to decrypt the digest? a. Not at all. The message digest is encrypted with the sender39。s private key. Therefore, anyone in possession of the public key can decrypt it and recover the entire message digest. b. The probability that a message digest decrypted with the wrong key would have an exact match in the first 16 bits with the original message digest is 2–16. In Figure , each entry in the publickey ring contains an owner trust field that indicates the degree of trust associated with this publickey owner. Why is that not enough? That is, if this owner is trusted and this is supposed to be the owner’s public key, why is not that trust enough to permit PGP to use this public key? We trust this owner, but that does not necessarily mean that we can trust that we are in possession of that owner39。s public key. Consider radix64 conversion as a form of encryption. In this case, there is no key. But suppose that an opponent knew only that some form of substitution algorithm was being used to encrypt English text and did not guess it was R64. How effective would this algorithm be against cryptanalysis? It certainly provides more security than a monoalphabetic substitution. Because we are treating the plaintext as a string of bits and encrypting 6 bits at a time, we are not encrypting individual characters. Therefore, the frequency information is lost, or at least significantly obscured. Phil Zimmermann chose IDEA, threekey triple DES, and CAST128 as symmetric encryption algorithms for reasons why each of the following symmetric encryption algorithms for described in this book is 19 suitable or unsuitable for PGP: DES, twokey triple DES, and AES. DES is unsuitable because of its short key size. Twokey triple DES, which has a key length of 112 bits, is suitable. AES is also suitable. 20 Chapter 6 IP Security ANSWERS NSWERS TO QUESTIONS Give examples of applications of IPSec. Secure branch office connectivity over the Inter: A pany can build a secure virtual private work over the Inter or over a public WAN. This enables a business to rely heavily on the Inter and reduce its need for private works, saving costs and work management overhead. Secure remote access over the Inter