Excerpts from 《应用密码学》 (Applied Cryptography)

  • If the same algorithm is used both for encryption and for digital signatures, an attack becomes possible [506]. In these cases the digital signature operation is the inverse of the encryption operation: V_X = E_X and S_X = D_X. Suppose Mallory is a legitimate user of the system who holds his own public key and private key. Let us see how he reads Bob's mail. First he records the message that Alice sent to Bob in step (1); at some later time he sends that message to Bob, claiming that it came from Mallory. Bob takes it to be a legitimate message from Mallory, so he decrypts it with his private key and then decrypts with Mallory's public key to verify Mallory's signature. The message he obtains is pure gibberish: E_M(D_B(E_B(D_A(M)))) = E_M(D_A(M)). Even so, Bob continues with the protocol and sends Mallory a receipt: E_M(D_B(E_M(D_A(M)))). All Mallory has to do now is decrypt the message with his private key, encrypt it with Bob's public key, decrypt it again with his own private key, and encrypt it with Alice's public key. Voilà! Mallory has obtained the message M he wanted. 506. J.D. Dixon, "Factorization and Primality Tests," American Mathematical Monthly, v. 91, n. 6, 1984, pp. 333-352.
    无心 1 like 2019-09-16 08:13:05
    —— from chapter: 2.7 Digital Signatures with Encryption
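A worked version of the excerpt above, as an added example that is not from the book or this page. It uses textbook RSA in which signing is the private operation (S_X = D_X) and verification the public one (V_X = E_X), follows the receipt chain exactly as quoted, and then shows a receipt that signs a hash of what was received instead, which breaks the chain. The primes, exponents and message are constructed; as a toy simplification all three key pairs share one modulus so that operations of different users compose without RSA reblocking (a shared modulus is itself insecure and is used only to keep the algebra visible).

```python
# Added example (not from Applied Cryptography or this page): textbook RSA in
# which signing is the private operation (S_X = D_X) and verification is the
# public one (V_X = E_X). It reproduces the receipt chain the excerpt
# describes and then shows a receipt that signs a hash instead, which breaks
# the chain. Toy simplification: all three key pairs live in one shared
# modulus so that operations of different users compose without RSA
# reblocking; a shared modulus is itself insecure and is used here only so
# the algebra is visible.
import hashlib
from math import gcd

P, Q = 1000003, 1000033                  # constructed toy primes, not secure sizes
N = P * Q
PHI = (P - 1) * (Q - 1)

def toy_keypair(start):
    """Pick the first odd public exponent >= start that is coprime to PHI; return (e, d)."""
    e = start
    while gcd(e, PHI) != 1:
        e += 2
    return e, pow(e, -1, PHI)

# Alice (A), Bob (B) and Mallory (M) each hold a (public e, private d) pair.
KEYS = {"A": toy_keypair(65537), "B": toy_keypair(65539), "M": toy_keypair(65543)}

def E(who, x):
    """Public-key operation: encrypt to `who`, or verify `who`'s signature."""
    return pow(x, KEYS[who][0], N)

def D(who, x):
    """Private-key operation: decrypt as `who`, or sign as `who`."""
    return pow(x, KEYS[who][1], N)

def H(x):
    """Hash an integer into the modulus (toy stand-in for a hashed, padded value)."""
    return int.from_bytes(hashlib.sha256(str(x).encode()).digest(), "big") % N

def alice_sends(m):
    """Step (1) of the protocol: sign with Alice's key, then encrypt for Bob."""
    return E("B", D("A", m))

def bob_receipt_raw(ciphertext, claimed_sender):
    """Bob as quoted: decrypt, 'verify' with the claimed sender's public key,
    then sign and encrypt whatever came out as the receipt."""
    received = E(claimed_sender, D("B", ciphertext))   # E_M(D_B(E_B(D_A(M)))) = E_M(D_A(M))
    return E(claimed_sender, D("B", received))          # E_M(D_B(E_M(D_A(M))))

def bob_receipt_hashed(ciphertext, claimed_sender):
    """Mitigation: Bob signs a hash of what he received, never the raw value,
    so the receipt cannot be unwrapped back to the original plaintext."""
    received = E(claimed_sender, D("B", ciphertext))
    return E(claimed_sender, D("B", H(received)))

def unwrap_receipt(receipt):
    """The chain the excerpt describes for the replaying party: D_M, E_B, D_M, E_A."""
    return E("A", D("M", E("B", D("M", receipt))))

def demo(m=123456789):
    """Return (original, recovered from raw receipt, recovered from hashed receipt)."""
    ct = alice_sends(m)                       # what Alice sent to Bob in step (1)
    raw = bob_receipt_raw(ct, "M")            # ct replayed to Bob as if from Mallory
    hashed = bob_receipt_hashed(ct, "M")
    return m, unwrap_receipt(raw), unwrap_receipt(hashed)

if __name__ == "__main__":
    original, from_raw, from_hashed = demo()
    print("raw receipt returns M:", from_raw == original)
    print("hashed receipt returns M:", from_hashed == original)
```

Two further checks belong in any real implementation of this exchange: Bob must refuse to continue when the verified output is not a well-formed message (in the excerpt he carries on even though it is gibberish), and signing and encryption should use distinct key pairs rather than one key doing both jobs.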
  • With a completely blind signature protocol, Alice can get Bob to sign anything: "Bob owes Alice a million dollars," "Bob owes Alice his first-born child," "Bob owes Alice a bag of gumdrops," and the possibilities go far beyond that. This protocol is useless in many situations. However, there is a way for Bob to know what he is signing while still preserving the useful properties of a blind signature. The heart of this protocol is the cut-and-choose technique. Consider an example: many people enter the country every day, and the immigration service wants to be sure they are not smuggling cocaine. The officials could search every person, but instead they use a probabilistic solution. They inspect one in ten of those entering. One person in ten has their luggage checked; the other nine pass through unhindered. A habitual smuggler will get away with it most of the time, but has a 10% chance of being caught, and if the court system works, the penalty for being caught once will far outweigh the gains from the other nine times. A group of counterintelligence agents have secret identities; not even the counterintelligence agency knows who they are. The head of the agency wants to give each agent a signed document that says: "The bearer of this signed document (insert the agent's alias here) has full diplomatic immunity." Every agent has their own list of aliases, so the agency cannot simply hand out signed documents. The agents do not want to send their aliases to the agency, to the enemy, or to an agency computer that has already been compromised. On the other hand, the agency does not want to blindly sign documents the agents send in. A clever agent might substitute a message such as "Agent (name) has retired and is granted a pension of one million dollars a year. Signed, Mr. President." In this situation, blind signatures can be useful. Assume every agent has 10 possible aliases, all chosen by the agents themselves and unknown to anyone else. Also assume the agents do not care under which alias they receive diplomatic immunity. Assume further that the agency's computer is the intelligence bureau's large intelligence computer ALICE, and that our particular agent department is the Bogotá Operations Bureau (BOB). (1) BOB prepares n documents, each using a different alias and granting that agent diplomatic immunity. (2) BOB blinds each document with a different blinding factor. (3) BOB sends these n blinded documents to ALICE. (4) ALICE picks n-1 documents at random and asks BOB for...
    无心 1 like 2019-10-07 17:08:17
    —— from chapter: 5.3.2 Blind Signature Protocol
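The cut-and-choose exchange in the excerpt above, as an added example that is not from the book or this page. It implements an RSA blind signature in Chaum's construction (blind the hashed document by r^e, have it signed, divide out r) and the check ALICE performs on the opened documents. The steps after (4) are the standard completion of the protocol and are an assumption here: BOB reveals the n-1 chosen documents with their blinding factors, ALICE verifies them, and signs only the one she did not open. The primes, aliases and document wording are constructed.

```python
# Added example (not from Applied Cryptography or this page): RSA blind
# signatures with the cut-and-choose check the excerpt describes. The steps
# after (4) follow the standard protocol and are an assumption here: BOB
# reveals the n-1 opened documents and their blinding factors, ALICE checks
# them, and signs only the document she did not open. Toy primes, aliases and
# document wording are constructed.
import hashlib
import secrets
from math import gcd

P, Q = 1000003, 1000033                  # constructed toy primes, not secure sizes
N = P * Q
E = 65537                                # ALICE's public exponent
D = pow(E, -1, (P - 1) * (Q - 1))        # ALICE's private exponent

TEMPLATE = "The bearer of this signed document, {alias}, has full diplomatic immunity."
PREFIX, SUFFIX = TEMPLATE.split("{alias}")

def h(doc):
    """Hash a document into the modulus (toy stand-in for a padded hash)."""
    return int.from_bytes(hashlib.sha256(doc.encode()).digest(), "big") % N

def blind(doc):
    """Step (2): multiply the hashed document by r^e for a random r. Returns (blinded, r)."""
    while True:
        r = secrets.randbelow(N)
        if r > 1 and gcd(r, N) == 1:
            return (h(doc) * pow(r, E, N)) % N, r

def unblind(blind_sig, r):
    """(h^d * r) * r^-1 = h^d, a valid signature on the unblinded document."""
    return (blind_sig * pow(r, -1, N)) % N

def verify(doc, sig):
    return pow(sig, E, N) == h(doc)

def is_immunity_document(doc):
    """ALICE's policy check: the text must be the agreed template around some alias."""
    return doc.startswith(PREFIX) and doc.endswith(SUFFIX) and len(doc) > len(PREFIX) + len(SUFFIX)

def alice_checks_and_signs(blinded, opened):
    """Steps (4) onward. `opened` maps an index to (document, blinding factor) for
    the n-1 documents ALICE asked to see. She verifies each one was blinded
    honestly and says what it should, then signs the single unopened value."""
    unopened = [i for i in range(len(blinded)) if i not in opened]
    if len(unopened) != 1:
        raise ValueError("exactly one document must stay unopened")
    for i, (doc, r) in opened.items():
        if (h(doc) * pow(r, E, N)) % N != blinded[i]:
            raise ValueError(f"document {i} was not blinded honestly")
        if not is_immunity_document(doc):
            raise ValueError(f"document {i} is not an immunity document")
    return unopened[0], pow(blinded[unopened[0]], D, N)

def run_protocol(aliases, keep=None, cheat_index=None):
    """BOB's side end to end. `keep` fixes ALICE's random choice for testing;
    `cheat_index` makes BOB slip a different document into one slot."""
    docs = [TEMPLATE.format(alias=a) for a in aliases]              # step (1)
    if cheat_index is not None:
        docs[cheat_index] = f"Agent {aliases[cheat_index]} has retired with a pension of one million dollars a year."
    blinded, factors = map(list, zip(*(blind(d) for d in docs)))   # step (2)
    if keep is None:
        keep = secrets.randbelow(len(docs))                         # ALICE's choice in step (4)
    opened = {i: (docs[i], factors[i]) for i in range(len(docs)) if i != keep}
    idx, blind_sig = alice_checks_and_signs(blinded, opened)         # step (3): all n were sent
    sig = unblind(blind_sig, factors[idx])
    return docs[idx], sig

if __name__ == "__main__":
    doc, sig = run_protocol(["Condor", "Heron", "Kestrel"])
    print(doc, "->", verify(doc, sig))
```

With n documents a cheating BOB is caught unless ALICE happens to leave the altered one unopened, which has probability 1/n; that is the same trade-off as inspecting one traveller in ten, and it is why the protocol's security depends on n and on the penalty for being caught rather than on inspecting every document.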
  • If I take a letter, lock it in a safe somewhere in New York, then tell you to read the letter, that's not security. That's obscurity. On the other hand, if I take a letter and lock it in a safe, and give you the safe along with the design specifications of the safe and a hundred identical safes with their combinations so that you and the world's best safecrackers can study the locking mechanism - and you still can't open the safe and read the letter - that's security.
    梦里醉逍遥 2012-09-01 21:34:21
    —— from page 5
  • And don't forget Kerckhoffs' assumption: If the strength of your new cryptosystem relies on the fact that the attacker does not know the algorithm's inner workings, you're sunk. If you believe that keeping the algorithm's insides secret improves the security of your cryptosystem more than letting the academic community analyze it, you're wrong. And if you think someone won't disassemble your code and reverse-engineer your algorithm, you're naive. The best algorithms we have are the ones that have been made public, have been attacked by the world's best cryptographers for years, and are still unbreakable.
    梦里醉逍遥 2012-09-01 21:48:58
    —— from page 20
  • There are many cryptographic algorithms. These are three of the most common: - DES (Data Encryption Standard) is the most popular computer encryption algorithm. DES is a U.S. and international standard. It is a symmetric algorithm; the same key is used for encryption and decryption. - RSA (named for its creators - Rivest, Shamir, and Adleman) is the most popular public-key algorithm. It can be used for both encryption and digital signatures. - DSA (Digital Signature Algorithm, used as part of the Digital Signature Standard) is another public-key algorithm. It cannot be used for encryption, but only for digital signatures.
    梦里醉逍遥 1 reply 2012-09-01 22:00:21
    —— from page 28
  • Random-number generators are not random because they don't have to be. Most simple applications, like computer games, need so few random numbers that they hardly notice. However, cryptography is extremely sensitive to the properties of random-number generators. ... Of course, it is impossible to produce something truly random on a computer. Donald Knuth quotes John von Neumann as saying: "Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin". ... The best a computer can produce is a pseudo-random-sequence generator. ... For our purposes, a sequence generator is pseudo-random if it has this property: 1. It looks random. This means that it passes all the statistical tests of randomness that we can find. ... For a sequence to be crypto...
    梦里醉逍遥 2012-09-01 23:09:05
    —— from page 50
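An added example, not from the book or this page, of why "it looks random" is only the first requirement: a linear congruential generator of the kind used by many C library rand() implementations (constructed parameters), a monobit frequency test in the style of the NIST SP 800-22 suite, and a function showing that a single observed output fixes the next one. A generator of this form typically passes the frequency test and is still unusable for keys, because its output is its entire internal state.

```python
# Added example (not from Applied Cryptography or this page): a generator that
# "looks random" to a simple statistical test yet is fully predictable, which
# is why statistical tests alone do not make a generator fit for cryptography.
# The generator is a linear congruential generator with constructed parameters
# of the kind used by many C library rand() implementations.
import math

A, C, MOD = 1103515245, 12345, 2**31     # constructed LCG parameters

def lcg(seed, count):
    """Return `count` successive outputs of x <- (A*x + C) mod MOD."""
    out, x = [], seed
    for _ in range(count):
        x = (A * x + C) % MOD
        out.append(x)
    return out

def monobit_passes(values, bits=31, alpha=0.01):
    """Frequency (monobit) test as in NIST SP 800-22: S = #ones - #zeros over all
    bits; p = erfc(|S| / sqrt(2n)); pass when p >= alpha."""
    n = len(values) * bits
    ones = sum(bin(v).count("1") for v in values)
    s = 2 * ones - n
    p_value = math.erfc(abs(s) / math.sqrt(2 * n))
    return p_value >= alpha

def predict_next(observed):
    """Each output of this generator is its entire internal state, so whoever
    sees one value computes the next one directly."""
    return (A * observed + C) % MOD

def demo(seed=20190916, n=100000):
    """Return (passes the frequency test, next output was predicted correctly)."""
    outputs = lcg(seed, n)
    looks_random = monobit_passes(outputs)
    predicted = predict_next(outputs[-1])
    actual = lcg(seed, n + 1)[-1]
    return looks_random, predicted == actual

if __name__ == "__main__":
    print("looks random: %s, predictable: %s" % demo())
```

The frequency test only measures the balance of ones and zeros; a generator can pass it and every other statistical test and still be worthless for cryptography if its next output can be computed from what has already been seen. For keys, nonces and salts, use the operating system's cryptographic generator rather than a library rand().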
  • Factoring large numbers is hard. Unfortunately for algorithm designers, it is getting easier. Even worse, it is getting easier faster than mathematicians expected. In 1976 Richard Guy wrote: "I shall be surprised if anyone regularly factors numbers of size 10^80 without special form during the present century". In 1977 Ron Rivest said that factoring a 125-digit number would take 40 quadrillion years. In 1994 a 129-digit number was factored. If there is any lesson in all this, it is that making predictions is foolish.
    梦里醉逍遥 2012-09-05 16:55:00
    —— from page 141
  • Self-enforcing protocols are the best kind of protocol. The protocol itself guarantees fairness; no arbitrator is needed to complete the protocol and no adjudicator is needed to settle disputes. The very construction of the protocol makes disputes impossible. If one party tries to cheat, the other parties detect it immediately and stop executing the protocol. Whatever the cheater hoped to gain by cheating, he does not get it. Ideally every protocol would be self-enforcing. Unfortunately, there is no self-enforcing protocol for every situation.
    无心 2019-09-09 17:30:19
    —— from chapter: 2.1.5 Self-Enforcing Protocols