資訊安全基礎 by Chuck Easttom 第 7 章 加密
本章目的 解釋加密的基本原理 討論近代密碼學方法 為組織選擇適合的密碼系統 了解 VPN 的功能與通訊協定 © 2006 by Pearson Education, Inc. 第 7 章 加密
介紹 加密 密碼學 打亂資訊 資訊安全領域中相當重要的部分 沒有它,其它的安全性方法都沒有用 一種藝術 Encryption The process of scrambling a message or other information so that it cannot be easily read One of the most critical parts to the security puzzle Without it, all firewalls, IDSs, antivirus and anti-spyware software, policies, and so forth are inadequate Cryptography The art of writing or deciphering secret code Basic overview This is a very complex topic We'll get some idea of how it works and how to make intelligent decisions about it © 2006 by Pearson Education, Inc. 第 7 章 加密
密碼系統的基本原理 解密 加密 反轉將訊息打亂的流程 演算法打亂明文 傳送端與接收端同意的演算法 如果不知道將訊息打亂的協定,訊息就很難被重建 Decryption Reversal of the scrambling protocol to make the message comprehensible Encryption Plain text is scrambled according to a particular algorithm, agreed upon beforehand by sender and receiver Without the correct protocol, the message is difficult to re-create Plain text – key – cipher text – key – plain text. © 2006 by Pearson Education, Inc. 第 7 章 加密
密碼系統的基本原理(續) 兩種基本型態 換位(Transposition) 替換(Substitution) 單一金鑰加密 / 對稱式金鑰加密 公開金鑰加密 / 非對稱式金鑰加密 Two basic types Transposition Rearranging the letters Substitution Replaces each letter with a different letter Two types of substitution Single/symmetric key encryption Public/asymmetric key encryption We’ll focus on Substitution ciphers. © 2006 by Pearson Education, Inc. 第 7 章 加密
密碼學的歷史 加密的概念可能和通訊一樣久遠 凱撒加密法(Caesar Cipher) 位移加密器 A DOG 位移 1 個字元 – B EPH 位移 2 個字元 – C FQI 位移負 1 個字元 – Z CNF As old as written communication and war Caesar Cipher Shift cipher – You decide the number of letters you shift over A DOG Shift 1 – B EPH Shift 2 – C FQI Shift negative 1 – Z CNF The history of encryption and code is fascinating reading, but it is beyond the scope of this text. Check out the sites in the text or others on the Web. © 2006 by Pearson Education, Inc. 第 7 章 加密
密碼學的歷史(續) 凱撒加密法 因為某些字母出現次數比其它字母更頻繁,所以此方法很容易被破解 替換符號系統(Substitution alphabet) 將字母表中的每一個字母用另一個來取代 凱撒加密法是一個單字母替換法(mono-alphabetic cipher) Caesar Cipher Frequency distribution will crack this simple cipher Most common letter in English is E and the most common three-letter word is THE Substitution alphabet Substitutes one letter in the alphabet for another Caesar is a mono-alphabetic cipher, using only one alphabet ASIDE: Caesar needed to send messages to the far-flung posts at the ends of the Roman Empire. He would need security. He would write a message and then encrypt it with the now-famous Caesar 3 cipher. He would send for messengers. They would be extremely well paid, as they did not expect to return alive. Their heads would be shaved and the encrypted message tattooed on their heads. By the time they got to their destination, their hair had grown back and the message hidden. This is the first example we have of stenography. Also, they never saw the message and did not know what it was. After a successful mission and their heads were shaved, the message was decrypted. Since Caesar did not want the enemy to know how he used stenography or if they fell into enemy hands, we have the expression, “Kill the messenger.” © 2006 by Pearson Education, Inc. 第 7 章 加密
密碼學的歷史(續) 多字母替換法(Multi-alphabetic) 選擇多個位移的字母 舊的加密法現在被認為是非常不安全 位移 1, 2, -1 循環位移 A DOG 變成 B FNH 舊的加密法現在被認為是非常不安全 Uses the same English alphabet, but changes the shift. © 2006 by Pearson Education, Inc. 第 7 章 加密
密碼學的歷史(續) 1 AND 運算的範例 二進制運算 AND, OR, XOR 1 Binary Operations 3 operations not found in decimal or base 10 math In comparing binary numbers in the AND operation, compare them one place at a time. If both places have a 1 in them, the result is a 1. If one or both of them are a 0, the result is a 0. 1 © 2006 by Pearson Education, Inc. 第 7 章 加密
密碼學的歷史(續) OR 運算的範例 1 Binary Operations OR In comparing binary numbers in the OR operation, compare them one place at a time. If one or both of them are a 1, the result is a 1. If not, the result is a 0. © 2006 by Pearson Education, Inc. 第 7 章 加密
密碼學的歷史(續) XOR 運算的範例 1 Binary Operations In comparing binary numbers in the XOR operation, compare them one place at a time. If one of them, but NOT both of them, is a 1, the result is a 1. If not, the result is a 0. © 2006 by Pearson Education, Inc. 第 7 章 加密
密碼學的歷史(續) 只有 XOR 是可以反轉的運算 將明文轉換成 ASCII 然後,將 ASCII 轉換成二進制數值 A DOG = 065 032 068 079 071 然後,將 ASCII 轉換成二進制數值 0100 0001, 0100 0100, 0100 1111, 0100 0111 XOR The only reversible binary operation First, convert plain text to ASCII A DOG = 065 032 068 079 071 Then, convert ASCII to binary 0100 0001, 0100 0100, 0100 1111, 0100 0111 © 2006 by Pearson Education, Inc. 第 7 章 加密
密碼學的歷史(續) 對 ASCII 進行 XOR 運算 結果就是密文 0100 0001, 0100 0100, 0100 1111, 0100 0111 1111 0111, 1111 0111, 1111 0111, 1111 0111 1011 0110, 1011 0011, 1011 1000, 1011 0000 結果就是密文 Then, using any random, previously agreed upon string as the key, XOR the ASCII 0100 0001, 0100 0100, 0100 1111, 0100 0111 1111 0111, 1111 0111, 1111 0111, 1111 0111 1011 0110, 1011 0011, 1011 1000, 1011 0000 The result is the cipher text, which can be decrypted using the agreed upon key and the XOR operation, then converted back to ASCII Uses single-key encryption Both sender and receiver use the same key – weak Uses mono-alphabetic substitution Subject to frequency distribution attack – weak Excellent introduction to contemporary encryption © 2006 by Pearson Education, Inc. 第 7 章 加密
現代的方法 單一金鑰(對稱式)加密法 相同的金鑰被用來加密及解密 Blowfish 對稱式區塊加密法 針對訊息的"區塊"來進行 使用不同長度的金鑰(32 – 448 位元) 免費軟體 Single (symmetric) encryption Uses the same key to encrypt and decrypt Blowfish Symmetric block cipher Works on “blocks” of letters Uses variable length key (32 – 448 bits) Bruce Schneier – 1993 Freeware © 2006 by Pearson Education, Inc. 第 7 章 加密
現代的方法(續) 資料加密標準演算法(DES) 1. 將資料切割成數個 64 位元的區塊,然後進行換位 2. 利用 56 位元的金鑰進行 16 個加密步驟 3. 利用交換(swap)演算法將資料打亂 4. 對資料作最後一次的換位 © 2006 by Pearson Education, Inc. 第 7 章 加密
現代的方法(續) 對稱式金鑰加密法最主要的問題 答案:公開金鑰加密法 如何安全地傳送對稱式金鑰? © 2006 by Pearson Education, Inc. 第 7 章 加密
現代的方法(續) 公開金鑰(非對稱式)加密法 與單一金鑰加密相反 一把金鑰(公開金鑰)用來加密 一把金鑰(私密金鑰)用來解密 只有擁有私密金鑰的人才能解密訊息 Public key (asymmetric) encryption The opposite of single-key encryption One key (public key) is used to encrypt a message One key (private key) is used to decrypt a message Distribute public key, but only holder of private key can decrypt those messages © 2006 by Pearson Education, Inc. 第 7 章 加密
現代的方法(續) 公開金鑰(非對稱式)加密法 與大質數、因數分解、及數論有關 公開金鑰加密碼法是最被廣泛使用的 Pretty Good Privacy(PGP) 免費軟體 相當安全 Public key (asymmetric) encryption Public key algorithms depend on large prime numbers, factoring, and number theory The major issue with symmetric encryption is the distribution of keys, so public key encryption is the most widely used Loss of a key with symmetric encryption is a major problem, for someone else could decrypt all the messages Not so with asymmetric encryption © 2006 by Pearson Education, Inc. 第 7 章 加密
現代的方法(續) 公開金鑰(非對稱式)加密法 Pretty Good Privacy(PGP) 免費軟體 Phil Zimmerman – 2004 相當安全 http://web.mit.edu/network/pgp.html © 2006 by Pearson Education, Inc. 第 7 章 加密
MIT 的 PGP 散佈中心首頁 (http://web.mit.edu/network/pgp.html) 現代的方法(續) MIT 的 PGP 散佈中心首頁 (http://web.mit.edu/network/pgp.html) © 2006 by Pearson Education, Inc. 第 7 章 加密
現代的方法(續) 公開金鑰(非對稱式)加密法 RSA 選擇兩個大質數並相乘, n = p * q 然後令,f(n) = (p – 1) (q – 1), 及 e>1, 解方程式得 d (e,n) – 公開金鑰, (d,n) – 私密金鑰 © 2006 by Pearson Education, Inc. 第 7 章 加密
現代的方法(續) RSA Security 首頁 (http://www.rsasecurity.com) © 2006 by Pearson Education, Inc. 第 7 章 加密
現代的方法(續) 合法與騙人的加密法 詐騙的警告標示 無法破解的 認證過的 沒有經驗的人 Legitimate versus fraudulent encryption methods Warning signs of frauds Unbreakable – No such thing Certified – No recognized certification for encryption methods Inexperienced people – Inventors of the previously discussed methods had years of experience www.interhack.net/people/cmcurtin/snake-oil-faq.html © 2006 by Pearson Education, Inc. 第 7 章 加密
虛擬私人網路 虛擬私人網路(VPN) 透過網際網路的虛擬連線 封包被加密 通訊協定 PPTP L2TP IPSec PPTP L2TP Virtual Private Networks (VPN) Creates a virtual connection through the Internet between a remote user and a central location Packets over the VPN are encrypted Protocols PPTP L2TP IPSec © 2006 by Pearson Education, Inc. 第 7 章 加密
虛擬私人網路(續) PPTP – 點對點通道通訊協定(Point-to-Point Protocol) PPP 的安全性延伸 對使用者認證 可延伸的驗證通訊協定(Extensible Authentication Protocol,EAP) 通關檢驗通訊協定(Challenge Handshake Authentication Protocol,CHAP) 對封包加密 微軟點對點加密法(Microsoft Point-to-Point Encryption,MPPE) PPTP – Point-to-Point Protocol A secure extension of PPP add features Authenticates users Extensible Authentication Protocol (EAP) Challenge Handshake Authentication Protocol (CHAP) Encrypts packets Microsoft Point-to-Point Encryption (MPPE) © 2006 by Pearson Education, Inc. 第 7 章 加密
虛擬私人網路(續) L2TP – 第 2 層通道通訊協定(Layer 2 Tunneling Protocol) 五種使用者認證方法:CHAP 與 EAP 加上: PAP – 密碼驗證通訊協定(Password Authentication Protocol) SPAP – Shiva 密碼驗證通訊協定(Shiva Password Authentication Protocol) MS-CHAP – 微軟所發展的 CHAP 延伸版本(Microsoft-specific extension of CHAP) L2TP – Layer 2 Tunneling Protocol Enhances PPTP with five user authentication methods: CHAP and EAP plus: PAP – Password Authentication Protocol – clears text username and password; SPAP – Shiva Password Authentication Protocol, encrypts username and password MS-CHAP – Microsoft-specific extension of CHAP © 2006 by Pearson Education, Inc. 第 7 章 加密
虛擬私人網路(續) IPSec – 網際網路安全通訊協定(Internet Protocol Security) 被 L2TP 用來加密 加密封包資料與標頭 避免未經授權的封包傳輸 © 2006 by Pearson Education, Inc. 第 7 章 加密
總結 加密是電腦安全的一個基本元素 傳送資料時對資料進行加密會是任何資訊安全計畫中的一部分 © 2006 by Pearson Education, Inc. 第 7 章 加密