下载文档原格式
PGP加密/解密技术初探与实践学生姓名:***学号:********专业:信息管理与信息系统电子邮件:PGP加密/解密技术初探与实践[内容提纲]本文简要简介了PGP旳加密机制、密钥管理原理,安全隐患。
对比PGP与S/MIME邮件加密原理。
简介PGP在Windows操作系统下旳旳安装,密钥生成,电子邮件加密及文献加密旳过程[关键词]PGP 加密一、PGP旳基本认识PGP (Pretty Good Privacy) 是基于一种公钥原理(Public Key)——RSA 旳软件, 公钥理论是在1976 年Whitfield Diffle 及Martin Hellman 共同提出旳,1977 年由三位MIT 专家建立了实际措施, 于是大家运用他们旳名字称之为Rivest-Shamir-Adleman, 也就是著名旳RSA 措施.私钥具有保密性只有使用者个人才会懂得,一般旳私钥还会用DES 旳措施将它再加上一层旳保护; 假如使用者用公钥加密其信息时, 只有用他旳私钥才可将其信息解码, 假如用他旳私钥加密其信息时, 只有其用公钥才能解码.PGP提供了可以用于E-mail和文献存储和应用旳保密宇鉴别服务,选择最可用旳加密算法作为系统旳构造模块,且将这些算法集成到一种通用旳应用程序中,该程序独立于操作系统和处理器,且基于一种使用以便旳小命令集. PGP程序和文档在Internet上公开,由于其免费,可用于多平台,使用生命力和安全性都为公众承认旳算法等等旳特点,使PGP在全世界范围内,各个领域均有广泛旳应用,根据《财富》旳排名,十大商业银行中90%,十大制药企业中80%,十大健康机构中旳80%,十大能源机构中70%,前15位宇航及防御系统有关企业中73%,前20位电信企业旳75%,前20位汽车有关制造企业中70%,都在使用PGP进行电子邮件及其他重要数据旳加密。
二、PGP旳加密机制RSA公钥体系满足保密性(privacy)和公证性(authentication)。
publickey,gssapi-with-mic意思公钥(public key)是用于加密和解密数据的密码学中的一种非对称密钥。
在公钥加密中,加密和解密使用不同的密钥。
公钥可以自由传播,任何人都可以使用公钥将消息加密。
但是,只有私钥持有人可以解密消息。
这种加密方式被广泛应用于互联网通信中的安全机制。
GSSAPI是一种通用安全服务应用程序接口(Generic Security Services Application Program Interface),其目标是为各种客户端/服务器应用程序提供可扩展且可重用的安全服务。
该接口定义了通用的安全交互协议,以便各种安全机制(例如Kerberos,Public Key Infrastructure(PKI)等)可以无缝地集成到应用程序中。
GSSAPI-with-Mic(Message Integrity Check)是GSSAPI的一个扩展,用于为传输的数据提供保密性和完整性。
MIC是一种验证机制,用于检查消息在传输过程中被篡改的可能性。
此机制允许通信实体验证其对等通信实体真正发送了消息,以便防止恶意攻击。
这是以加密和签名的形式完成的。
公钥和GSSAPI-with-Mic是现代通信中非常重要的两个概念。
公钥加密算法提供了一种非常有效的加密技术,可以保证数据的机密性。
同时,GSSAPI-with-Mic提供了完整性保护,以确保通信和数据在传输过程中不受干扰。
在现代通信中,这两个技术被广泛应用于各种应用程序中,使得信息传输更加安全和可靠。
例如,SSL(Security SocketLayer)和SSH(Secure Shell)协议使用了上述技术以确保通信安全。
在SSL中,客户端和服务器之间交换的所有消息都将使用公钥加密算法加密。
这样做可以保证机密性,以防止非法第三方偷听信息。
同时,每个消息将带有一个数字签名,以确保消息的来源和完整性。
这样做可以防止恶意攻击和篡改。
Chapter 1Computing system 计算系统Principle of easiest penetration 最易渗透原则Hardware 硬件Software 软件Data 数据Vulnerability 脆弱性Threat 攻击Attack 威胁Control 控制Interruption 中断Interception 截取Modification 篡改Fabrication 伪造Method 方法Opportunity 机会Motive 动机Security secure 安全措施Confidentiality 保密性/机密性Integrity 完整性Availability 可用性Secrecy 保密性Privacy 私密性Configuration management 配置管理Logic bomb 逻辑炸弹Trojan horse 特洛伊木马Virus 病毒Trapdoor 陷门Information leak 信息泄露Principle of adequate protection 适度保护原则Salami attack 香肠攻击Replay 重放Cracker 破译者Prevention 预防方法Deterrence 障碍Deflection 偏差Detection 检测Recovery 恢复Encryption 加密Protocol 协议Policy 策略Procedure 规程Physical control 物理控制Principle of effectiveness 有效性原则Overlapping control 重叠控制Layered defense 分层防御Principle of weakest link 最弱环节原则Administrative control 管理控制Chapter 2Sender 发送者Recipient 接受者Transmission medium 传输中介Interceptor 截取者Intruder 入侵者Encryption 加密Decryption 解密Encode 编码Decode 解码Encipher 编密码Decipher 译密码Cryptosystem 密码体制Plaintext 明文Ciphertext 密文Algorithm 算法Key 密钥Symmetric 对称的Asymmetric 非对称的Keyless cipher 无密钥密码Cryptography 密码编码学Cryptanalyst 密码分析学Cryptology 密码学Break an encryption 破译加密Substitution 替换Transposition 置换Substitution 替换密码monoalphabetic substitution 单字符替换法Simple substitution 简单替换法Caesar cipher 恺撒密码Permutation 排列One-time pad 一次性密码本Vigenere tableau 维吉尼亚表Vernam cipher 弗纳母密码Book cipher 密码本Columnar Transposition 列置换Digram 双字母组Trigram 三字母组Product cipher 成绩密码Secure cryptographic system 安全密码体制Amount of secrecy 保密量Error propagation 差错传播Authentication 鉴别Key distribution 密钥分配Key management 密钥管理Stream cipher 流密码Block cipher 块密码Confusion 混乱性Diffusion 扩散性Ciphertext-only attack 唯密文攻击Known plaintext attack 已知明文攻击Probable plaintext attack 可能明文攻击Chosen plaintext attack 选择明文攻击Chosen ciphertext attack 选择密文攻击Data Encryption Standard(DES) 数据加密标准Data Encryption Algorithm-1 数据加密算法-1 Double DES 双重DESTriple DES 三重DESDifferential cryptanalysis 微分密码分析学Advanced Encryption Standard(AES) AES高级加密标准Rijndael 一种对称加密算法Cycle or round 循环Public key encryption 公钥加密Asymmetric encryption system 非对称密码体制Private key 私钥Secret key 密钥Rivest-Shamir-Adelman (RSA) algorithm 一种非对称加密算法Cryptographic hash function 密码哈希函数Message digest 消息摘要Hash 哈希Checksum 检验和One-way function 单向函数MD4,MD5 两种消息摘要算法名称SHA/SHS 安全哈希算法/安全哈希标准Chaining 链接Key exchange 密钥交换Digital signature 数字签名Certificate 证书Certificate authority(CA) 证书管理中心Chapter 3Program 程序Secure program 安全程序Fault 故障Program security flaw 程序安全漏洞Bug bugError 错误Failure 失败Penetrate and patch 渗透和打补丁Cyber attack 计算机攻击Buffer overflow 缓冲区溢出Incomplete mediation 不完全验证Time-of-check to time-of-use 检查时刻到使用时刻Malicious code 恶意代码Rogue program 欺诈程序Virus 病毒Agent 代理Transient virus 瞬时病毒Resident virus 寄生病毒Trojan horse 特洛伊木马Logic bomb 逻辑炸弹Time bomb 时间炸弹Backdoor 后门Trapdoor 陷门Worm 蠕虫Rabbit 野兔Appended virus 挂接性病毒Document virus 文档病毒Bootstrap load引导装在Boot sector virus 引导区病毒Virus signature 病毒特征Polymorphic virus 多态性病毒Encrypting virus 加密病毒Brain virus Brain病毒The Internet worm 互联网蠕虫Code Red红色代码病毒Web bug 网页bugUnit test 单元测试Integration test 集成测试Error checking 错误检查Rootkit rootkitRootkit revealer Rootkit检测器Privilege escalation 权限提升Interface illusion 接口错误Keystroke logger 键盘记录器Man-in-middle attack 中间人攻击Covert channel 隐蔽通道File-lock channel 文件锁通道Storage channel 储存通道Timing channel 时间通道Software engineering 软件工程Encapsulation 封装Information hiding 信息隐藏Modularity 模块化Maintainability 可维护性Understandability 易理解性Reusability 可重用性Correctability 正确性Testability 可测试性Coupling 耦合Cohesion 内聚Mutual suspicion 相互猜疑Confined program 限制程序Peer review 对等复查Program design 程序设计Inspection 检查Walk-through 走查法Review 复查Egoless programming 无我编程Hazard analysis 危险性分析Hazard/interoperability studies 危险/互操作性研究Failure modes and effects analysis 失效模式和后果分析Fault tree analysis 故障树分析Performance test 性能检测Regression test 衰减检测Black-box test 黑盒检测Clear-box test 白盒测试Independents test team 独立测试小组Penetration test 渗透测试Passive fault detection 被动故障检测Active fault detection 主动故障检测Redundancy 冗余Fault tolerance 错误容差Configuration management 配置管理Configuration identification 配置识别Conditional compilation 条件编译Configuration audit 配置审查Proof of program correctness 程序正确性证明Program verification 程序验证Process standard 过程标准Configuration management standards配置管理标准Security audit 安全审计Chapter 4Executive 执行器Monitor 监控器Multiprogrammed system 多道程序系统Protected object 被保护对象Sharable I/O device 可共享的I/O设备Serially reusable I/o device 可连续重用的I/O设备Physical separation 物理分离Temporal separation 时间分离Logical separation 逻辑分离Cryptographic separation 密码分离Isolation 隔离Memory protection 内存保护Fence register 界地址寄存器Relocation 重定位Base/bounds registers 基址/范围寄存器Tagged memory architecture 标记内存结构Segmentation 分段式Segment address table 段地址表Segment address translation 段地址转换Paging 分页Page frame 页帧Page address translation 页地址转换Paged segmentation 段页式Directory 目录Revocation of access 撤销访问Access control list 访问控制列表User-group-world protection 用户/组/全局保护Access control matrix 访问控制矩阵Wildcard designation 通配符指定Capability 访问权能Domain 域Local name space 本地名字空间Kerberos KerberosAuthentication sever 鉴别服务器Ticket-granter sever票据授权服务器Key distribution center 密钥发布中心Procedure-oriented access control 面向程序的访问控制Role-based access control 基于角色的访问控制File protection 文件保护Shared file 共享文件Persistent permission 持久许可Temporary access permission 临时访问许可Set userid permission 设置用户ID许可Per-object protection 每个对象保护Per-subject protection 每个主题保护User authentication by something you know 依据用户知道的事情鉴别User authentication by somthing you have 依据用户拥有的东西鉴别User authentication by somthing you are 根据用户的身体特征鉴别Password 口令Password response 口令响应Multifactor authentication 多因素鉴别Two-factor authentication 两因素鉴别Exhaustive attack on password 对口令的穷举攻击Brute force attack on password 对口令的暴力攻击Probable password 可能的口令Likely password 很可能的口令Social engineer attack 社会工程攻击One-time password 一次性口令Challenge-response system 质询响应系统Single sign-on 单次登陆Login impersonation 假扮演登陆界面Biometric authentication 生物特征鉴别Chapter 5Trust 信任Trusted process 可信进程Trusted product 可信产品Trusted software 可信软件Trusted computing base 可信计算基Trusted system 可信系统Security policy 安全策略Military security policy 军事安全策略Sensitivity level 敏感等级Object 对象Need-to-know rule 须知原则Compartment 分隔项Classification 分类Clearance 许可Dominance 支配Subject 主体Hierarchical security 等级安全Nonhierarchial security 非等级安全Clark-Wilson policy Clark-Wilson策略Well-formed transaction 良构事务Constrained data item 受约束数据项Transformation procedure 转换规程Access triple 访问三元组Separation of duty 职责分离Chinese wall policy 中国墙策略Lattice model 格模型Bell-La Padula model Bell-La Padula模型Simple security property 简单安全特性*-property *-特性Write-down 下写Biba model Biba模型Simple integrity policy 简单完整性策略Integrity *-property 完整性*-特性Graham-Denning model Graham-Denning模型Harrison-Ruzzo-Ullman model Harrison-Ruzzo-Ullman 模型Command 命令Condition 条件Primitive operation 原语操作Protection system 保护系统Take-grant system 获取/授予系统Least privilege 最少特权Economy of mechanism 机制经济型Open design 开放设计Complete mediation 完全检查Permission-based access 基于许可的访问Separation of privilege 特权分离Least common mechanism 最小公共机制Ease of use 易用User authentication 用户鉴别Memory protection 内存保护Object access control 对象访问控制Enforced sharing 强制共享Fair service 公平服务Interprocess communication 进程间通信Synchronization 同步Protected control data 保护控制数据User identification and authentication 用户识别和鉴别Mandatory access control 强制访问控制Discretionary access control 自主访问控制Object reuse 对象重用Magnetic remanence 磁记忆Trusted path 可信路径Audit 审计Accountability 责任认定Audit log reduction 审计日志精简Intrusion detection 入侵检测Kernel 内核Nucleus 核Core 核心Security kernel 安全内核Reference monitor 引用监视器Reference monitor properties:引用监视器特性:Tamperproof 抗干扰Unbypassable 不可绕过Analyzable 可分析Trusted computing base(TCB)可信计算基Process activation 进程激活Execution domain switching 执行域转换Memory protection 内存保护Virtualization 虚拟化Virtual machine 虚拟机Virtual memory 虚拟内存Layering 分层Hierarchically structured operation system 层次结构的操作系统Assurance 保证Flaw exploitation 缺陷利用User interface processing flaw I/O处理缺陷Access ambiguity flaw 访问二义性缺陷Incomplete mediation flaw 不完全检查缺陷Generality flaw 普遍性缺陷Time-of-check to time-of-use flaw 检查时刻到使用时刻缺陷Testing 测试Penetration testing 渗透测试Tiger team analysis 攻击队测试Ethical hacking 黑客攻击Formal verification 形式化验证Proof of correctness 正确性证明Theorem prover定理证明器validation证实Requirements checking 需求检查Design and code review 设计和代码审查Module and system testing 模块和系统测试Open source 开放源代码Evaluation 评估Orange Book(TCSEC)橙皮书(TESEC)D,C1,C2,B1,B2,B3,A1 rating D,C1,C2,B1,B2,B3,A1等级German Green Book德国绿皮书Functionality class 功能类Assurance level保证等级British evaluation criteria 英国评估准则Claims language 生命语言Action phrase 行为短语Target phrase 目标短语CLEF CLEFComparable evaluation 可比较评估Transferable evaluation 可转移评估ITSEC ITSECEffectiveness 有效性Target of evaluation 评估目标Security-enforcing function 安全强制功能Mechanism 机制Strength of mechanism 机制强度Target evaluation level 目标评估等级Suitability of functionality 功能适宜性Binding of functionality 功能绑定Combined Federal Criteria 联合联邦准则Protection profile 保护轮廓Security target 安全目标Common Criteria 通用准则Extensibility 可扩展性Granularity 粒度Speed 速度Thoroughness 全面Objectivity 客观性Portability 可移植性Emphatic assertion 强调申明Chapter 7Single point of failure 单一故障点Resilience 弹回Fault tolerance 容错Server 服务器Client 客户机Node 节点Host 主机Link 链路Workstation 工作站Topology 拓扑结构Network boundary 网络周界Network ownership 网络拥有关系Network control 网络控制Digital 数字Analog 模拟Modem 调制解调器Twisted pair 双绞线Unshielded twisted pair 无屏蔽双绞线Bandwidth 带宽Coaxial cable 同轴电缆Ethernet 以太网Repeater 中继器Amplifier 放大器Optical fiber 光纤Wireless LAN 无线局域网802.11 802.11协议标准Microwave 微波Infrared 红外线Satellite 卫星Geosynchronous orbit 覆盖范围Transponder 地球同步轨道Footprint 异频应答器Protocol 协议Protocol stack 协议栈ISO reference model ISO参考模型OSI model OSI模型Application layer 应用层Presentation layer 表示层Session layer 会话层Transport layer 传输层Network layer 网络层Datalink layer 数据链路层Physical layer 物理层Peer 对等层Router 路由器Packet 包Network interface card 网络接口卡MAC address Mac地址Frame 帧Session header 会话头部Logical connection 逻辑连接Sequencing 排序TCP TCPIP IPUDP UDPPort 端口SMTP SMTPHTTP HTTPFTP FTPSNMP SNMP IP address IP地址Domain 域Top-level domain 顶级域名Local area network 局域网LAN LANWide area network 广域网Internet Society 互联网社会Anonymity 匿名性Motivation for attack 攻击的动机Challenge 挑战Fame 名声Money 金钱Espionage 间谍Organized crime 组织犯罪Ideology 意识形态Hactivism 激进主义Cyberterrorism 网络恐怖主义Reconnaissance 侦察Intelligence 情报收集Port scan 端口扫描Social engineering 社会工程学Fingerprinting 指纹Eavesdrop 偷听War driving 战争驱动Passive wiretap 被动窃听Active wiretap 主动窃听Packet sniffer 包嗅探器Inductance 自感器Impedance 阻抗Multiplexed signals 多重信号Interception 截取Theft of service 骗取服务RFC(request for comments) 请求注解Impersonation 假冒Authentication 鉴别Guessing authentication 猜测鉴别Eavesdropping authentication 偷听鉴别Avoiding authentication 避开鉴别Nonexistent authentication 不存在的鉴别Well-known authentication 众所周知的鉴别Trusted authentication 可信任鉴别Spoof 欺骗Masquerade 伪装Phishing 钓鱼欺诈Session hijacking 会话劫持Man-in-middle attack 中间人攻击Misdelivery 误传Message exposure 消息暴露Interception 侦听Traffic flow analysis 流量分析Message falsification 伪造消息Message replay 重放消息Message fabrication 编造消息Noise 噪声Interference 干涉Protocol flaw 协议缺陷Web site defacement 网站被黑Buffer overflow 缓冲区溢出Dot-dot attack ".."攻击Address resolution 地址解析Application code attack 应用代码攻击Server-side include 服务端包含Denial-of-service attack 拒绝服务攻击Transmission failure 传输失败Connection flooding 连接洪泛Echo 响应Chargen 索取Ping of death 死亡之PingSmurf Smurf攻击Syn flood 同步洪泛Teardrop attack teardrop攻击Distributed denial of service 分布式拒绝服务Active code 活动代码Mobile code 移动代码Cookie 脚本Escape-character attack ESC字符攻击Active server page 活动服务器页Java code Java代码Sandbox 沙漏Java virtual machine Java虚拟机Hostile applet 有敌意的appletScript kiddie 脚本小子Building block attack 积木攻击Network segmentation 网络分段Redundancy 冗余Failover mode 失效修复模式Link encryption链路加密End-to-end encryption 端到端加密Virtual private network 虚拟专有网络Encrypted tunnel 加密隧道Certificate 证书Certificate authority 证书管理中心Transport layer security 传输层安全性Security association 安全关联Security parameter index 安全参数索引Authentication header 鉴别报头Encapsulated security payload 封装的安全负载Signed code 签名代码Content integrity 内容完整Error detection 错误检测Error correction code 错误校正码Parity 校验Even parity 奇校验Odd parity 偶校验Hash code 哈希码Huffman code 霍夫曼编码Cryptographic checksum密码校验和Message digest 消息摘要Strong authentication 强鉴别Password token口令令牌Challenge-response system 质询-响应系统Digital Distributed Authentication 分布式数字鉴别Ticket-granting server 票据授权服务器Ticket 票据Router ACL 路由器ACLService Set Identifier 服务区标识符Wired equivalent privacy 无线等效保密Temporal Key Integrity Program 暂时密钥集成程序Honeypot 蜜罐Traffic flow security 通信流量安全Onion routing 洋葱型路由算法Firewall 防火墙Reference monitor 引用监视器Packet filtering gateway 包过滤网关Screening router 屏蔽路由器Stateful inspection 状态检查Application proxy 应用代理Bastion host 保垒主机Guard 门卫Personal firewall 个人防火墙Layered protection 分层保护Defense in depth 纵深防御Intrusion detection system 入侵检测系统Network-based IDS 基于网络的IDSHost-based IDS 基于主机的IDSSignature-based IDS基于签名的IDSAnomaly detection 异常检测Heuristic intrusion detection 启发式入侵检测Misuse detection 误用检测Stealth mode 秘密模式Scanner 扫描仪IDS alarm IDS警告False positive 漏报False negative 误报Secure e-mail 安全电子邮件Message confidentiality 消息机密性Message integrity check 消息完整性检查Sender authenticity 发送者的真实性Sender nonrepudiation 发送者的不可否认Key management 密钥管理Key ring 钥匙环。
Encryption Security RequirementsEncryption is a widely used security technique used for protecting sensitive information from unauthorized access. In today’s digital world, encryption has become a critical tool for ensuring data security. However, encryption alone is not enough to guarantee data security. There are several security requirements that must be met to ensure the effectiveness of encryption. In this document, we will discuss the security requirements of encryption.Key ManagementOne of the critical security requirements for encryption is key management. Encryption keys are used to secure the data, and it is essential to protect them. The keys should be stored securely, and only authorized personnel should have access to them. Additionally, keys should be rotated periodically, and the old keys should be securely deleted.AuthenticationAnother essential security requirement for encryption is authentication. Authentication ensures that only authorized individuals can access the encrypted data. This can be achieved through various authentication techniques such as passwords, biometrics, smart cards, or tokens. Authentication is essential to prevent unauthorized access to sensitive information.IntegrityEncryption should also ensure the integrity of the data. The integrity of the data refers to the accuracy and consistency of the information. The encrypted data should remain unchanged during transit or storage. To guarantee data integrity, encryption algorithms that support integrity checks such as HMAC (Hash Message Authentication Code) should be used.AvailabilityAnother critical security requirement for encryption is availability. Availability ensures that the encrypted data is accessible when needed. It is essential to maintain the availability of the data by using appropriate redundancy techniques, such as backup and replication. Additionally, encryption should not cause a significant impact on data availability.ComplianceCompliance is another essential security requirement for encryption. Compliance means adherence to the security policies, regulations, and laws. The useof encryption should comply with the relevant data security regulations in the region. Failure to comply with data security regulations could result in severe legal and financial consequences.ConclusionIn conclusion, encryption is a powerful tool for protecting sensitive data. However, to ensure the effectiveness of encryption, several security requirements should be met. These requirements include key management, authentication, integrity, availability, and compliance. By meeting these requirements, organizations can ensure that their encrypted data is secure and inaccessible to unauthorized individuals.。
datasource的public-key用法
在数据源(datasource)中,public-key(公钥)用于加密和解
密敏感数据。
公钥加密是一种加密技术,其中使用公钥对数据进行加密,而需要私钥才能解密。
公钥是由非对称加密算法(如RSA)生成的一对密钥之一。
公钥用于加密数据,并可被任何人访问和使用。
另一对密钥是私钥,只有数据源的所有者可以访问和使用它来解密被加密的数据。
使用数据源的公钥来加密敏感数据具有以下优点:
1. 安全性:公钥加密技术提供了很高的安全性,因为只有拥有私钥的人才能解密数据。
2. 隐私保护:通过使用公钥加密,数据源可以保护用户的隐私,确保敏感数据不会被未经授权的人访问。
3. 数据完整性:公钥加密还可以用于验证数据的完整性,因为只有使用私钥才能对被加密的数据进行解密。
在数据源中,公钥通常存储在安全的位置,并用于加密与该数据源关联的敏感数据。
只有具有私钥的人才能解密由公钥加密的数据。
公钥加密也可以与数字签名相结合,以确保数据的完整性和身份验证。
数字签名使用私钥生成,可以与公钥一起使用来验证数据的真实性和完整性。
总而言之,数据源的公钥用于加密敏感数据,提供了安全性、隐私保护和数据完整性等优点。
New technique of the computer networkAbstractThe 21 century is an ages of the information economy, being the computer network technique of representative techniques this ages, will be at very fast speed develop soon in continuously creatively, and will go deep into the people's work, life and study. Therefore, control this technique and then seem to be more to deliver the importance. Now I mainly introduce the new technique of a few networks in actuality live of application.Keywords:Internet ; Digital Certificates ; Digital Wallets ;Grid Storage1. ForewordInternet turns 36, still a work in progressThirty-six years after computer scientists at UCLA linked two bulky computers using a 15-foot gray cable, testing a new way for exchanging data over networks, what would ultimately become the Internet remains a work in progress.University researchers are experimenting with ways to increase its capacity and speed. Programmers are trying to imbue Web pages with intelligence. And work is underway to re-engineer the network to reduce spam(junk mail) and security troubles.All the while threats loom: Critics warn that commercial, legal and political pressures could hinder the types of innovations that made the Internet what it is today.Stephen Crocker and Vinton Cerf were among the graduate students who joined UCLA professor Len Kleinrock in an engineering lab on Sept. 2, 1969, as bits of meaningless test data flowed silently between the two computers. By January, three other "nodes" joined the fledgling network.Then came e-mail a few years later, a core communications protocol called TCP/IP in the late 70s, the domain name system in the 80s and the World Wide Web - nowthe second most popular application behind e-mail - in 1990. The Internet expanded beyond its initial military and educational domain into businesses and homes around the world.Today, Crocker continues work on the Internet, designing better tools for collaboration. And as security chairman for the Internet's key oversight body, he is trying to defend the core addressing system from outside threats.He acknowledges the Internet he helped build is far from finished, and changes are in store to meet growing demands for multimedia. Network providers now make only "best efforts" at delivering data packets, and Crocker said better guarantees are needed to prevent the skips and stutters now common with video.Cerf, now at MCI Inc., said he wished he could have designed the Internet with security built-in. Microsoft Corp., Yahoo Inc. and America Online Inc., among others, are currently trying to retrofit the network so e-mail senders can be authenticated - a way to cut down on junk messages sent using spoofed addresses.Many features being developed today wouldn't have been possible at birth given the slower computing speeds and narrower Internet pipes, or bandwidth, Cerf said.2.Digital CertificatesDigital certificates are data files used to establish the identity of people and electronic assets on the Internet. They allow for secure, encrypted online communication and are often used to protect online transactions.Digital certificates are issued by a trusted third party known as a certification authority (CA). The CA validates the identity of a certificate holder and “signs” the certificate to attest that it hasn‟t been forged or altered in any way.New Uses For Digital CertificatesDigital certificates are now being used to provide security and validation for wireless connections, and hardware manufacturers are one of the latest groups to use them. Not long ago, VeriSign Inc. announced its Cable Modem Authentication Services, which allow hardware manufacturers to embed digital certificates into cable modems to help prevent the pirating of broadband services through device cloning.Using VeriSign software, hardware makers can generate cryptographic keys and corresponding digital certificates that manufacturers or cable service providers can use to automatically identify individual modems.This …ast-mile‟authentication not o nly protects the value of existing content and services but also positions cable system operators to bring a broad new range of content, applications and value-added services to market.When a certificate is digitally signed by a CA, its owner can use it as an electronic passport to prove his identity. It can be presented to Web sites, networks or individuals that require secure access.Identifying information embedded in the certificate includes the holder‟ s name and e-mail address, the name of the CA, a serial number and any activation or expiration data for the certificate. When a user‟s identity is verified by the CA, the certificate uses the holder‟s public encryption key to protect this data.Public keys are also employed by certificates that a Web server uses to confirm the authenticity of a Web site for a user‟s browser. When a user wants to send confidential information to a Web server, such as a credit-card number for an online transaction, the browser will access the public key in the server‟s digital certificate to verify its identity.Role of Public-Key CryptographyThe public key is one half of a pair of keys used in public-key cryptography, which provides the foundation for digital certificates.Public-key cryptography uses matched public and private keys for encryption and decryption. These keys have a numerical value that‟s used by an algorithm to scramble information and make it readable only to users with the corresponding decryption key.A person‟s public key is used by others to enc rypt information meant only for that person. When he receives the information, he uses his corresponding private key, which is kept secret, to decrypt the data. A person's public key can be distributed without damaging the private key. A Web server using a digital certificate can use itsprivate key to make sure that only it can decrypt confidential information sent to it over the Internet.The Web server‟s certificate is validated by a self-signed CA certificate that identifies the issuing CA. CA certificates are preinstalled on most major Web browsers, including Microsoft Internet Explorer and Netscape Navigator.The CA certificate tells users whether they can trust the Web server certificate when it‟s presented to the browser. If the validity of the Web server certificate is affirmed, the certificate‟s public key is used to secure information for the server using Secure Sockets Layer (SSL) technology.Digital certificates are used by the SSL security protocol to create a secure “pipe” between two parties that seek confidential communication. SSL is used in most major Web browsers and commercial Web servers.3. Digital WalletsA digital wallet is software that enables users to pay for goods on the Web .It holds credit-card numbers and other personal information such as a shipping address .Once entered,the data automatically populates order fields at merchant sites .When using a digital wallet,consumers don‟t need to fill out order forms on each site when they purchase an item because the information has already been stored and is automatically updated and entered into the order fields across merchantsites .Consumers also benefit when using digital wallets because their information is encrypted or protected by a private software code .And merchants benefit by receiving protection against fraud .Digital wallets are available to consumers free of charge,and they‟re fairly easy to obtain .For example,when a consumer makes a purchase at a merchant site th at‟s set up to handle server-side digital wallets,he types his name and payment and shipping information into the merchant‟s own form .At the end of the purchase,one consumer is asked to sign up for a wallet of his choice by entering a user name and password for future purchases .Users can also acquire wallets at a wallet vendor‟s site .Although a wallet is free for consumers,vendors charge merchants for wallets .Digital wallets come in two main types:client-side and server- side .Within those divisions are wallets that work only on specific merchant sites and those that are merchant agnostic .Client-based digital wallets,the older of the two types,are falling by the wayside,according to analysts,because they require users to download and install software .A user downloads the wallet application and inputs payment and mailinginformation .At that point,the information is secured and encrypted on the user‟s hard drive .The user retains control of his credit card and personal information locally .With a server-based wallet,a user fills out his personal information,and a cookie is automatically downloaded .(A cookie is a text file that contains information about the user .)In this scenario,the consumer information resides on the server of a financial inst itution or a digital wallet vendor rather than on the user‟s PC .Server-side wallets provide assurance against merchant fraud because they use certificates to verify the identity of all parties .When a party makes a transaction,it presents its certificate to the other parties involved .A certificate is an attachment to an electronic message used to verify the identity of the party and to provide the receiver with the means to encode a reply .Furthermore,the cardholder‟s sensitive data is typically house d at a financial institution,so there‟s an extra sense of security because financial environments generally provide the highest degree of security .But even though wallets provide easy shopping online,adoption hasn‟t been widespread .Standards are pivotal to the success of digital wallets .Last month,major vendors,including Microsoft Corp .,Sun Microsystems Inc .and America Online Inc .announced their endorsement of a new standard called EMCL,or E-Commerce Modeling Language,to give Web merchants a standardized way to collect electronic data for shipping,billing and payment .4. Grid StorageDefinition: Grid storage, analogous to grid computing, is a new model for deploying and managing storage distributed across multiple systems and networks, making efficient use of available storage capacity without requiring a large, centralized switching system.A grid is, in fact, a meshed network in which no single centralized switch or hub controls routing. Grids offer almost unlimited scalability in size and performance because they aren‟t constrained by the need for ever-larger central switches. Grid networks thus reduce component costs and produce a reliable and resilient structure.Applying the grid concept to a computer network lets us harness available but unused resources by dynamically allocating and deallocating capacity, bandwidth and processing among numerous distributed computers. A computing grid can span locations, organizations, machine architectures and software boundaries, offering power, collaboration and information access to connected users. Universities and research facilities are using grids to build what amounts to supercomputer capability from PCs, Macintoshes and Linux boxes.After grid computing came into being, it was only a matter of time before a similar model would emerge for making use of distributed data storage. Most storage networks are built in star configurations, where all servers and storage devices are connected to a single central switch. In contrast, grid topology is built with a network of interconnected smaller switches that can scale as bandwidth increases and continue to deliver improved reliability and higher performance and connectivity.What Is Grid Storage?Based on current and proposed products, it appears that a grid storage system should include the following:Modular storage arrays: These systems are connected across a storage network using serial ATA disks. The systems can be block-oriented storage arrays or network-attached storage gateways and servers.Common virtualization layer: Storage must be organized as a single logical pool of resources available to users.Data redundancy and availability: Multiple copies of data should exist across nodes in the grid, creating redundant data access and availability in case of a component failure.Common management: A single level of management across all nodes should cover the areas of data security, mobility and migration, capacity on demand, and provisioning.Simplified platform/management architecture: Because common management is so important, the tasks involved in administration should be organized in modular fashion, allowing the autodiscovery of new nodes in the grid and automating volume and file management.Three Basic BenefitsApplying grid topology to a storage network provides several benefits, including the following:Reliability. A well-designed grid network is extremely resilient. Rather than providing just two paths between any two nodes, the grid offers multiple paths between each storage node. This makes it easy to service and replace components in case of failure, with minimal impact on system availability or downtime.Performance. The same factors that lead to reliability also can improve performance. Not requiring a centralized switch with many ports eliminates a potential performance bottleneck, and applying load-balancing techniques to the multiple paths available offers consistent performance for the entire network.Scalability. It‟s easy to expand a grid network using inexpensive switches with low port counts to accommodate additional servers for increased performance, bandwidth and capacity. In essence, grid storage is a way to scale out rather than up, using relatively inexpensive storage building blocks.中文翻译新技术的计算机网络摘要:21世纪是信息经济的时代,作为这个时代的代表技术,计算机网络技术,将在非常快的速度发展很快,不断创造性地将进入人们的工作,学习和生活中深。
HTTPS原理HTTPS的浏览器支持与兼容性HTTPS原理HTTPS(HyperText Transfer Protocol Secure)是一种通过计算机网络进行安全通信的协议。
它是HTTP的安全版,通过使用SSL(Secure Socket Layer)或TLS(Transport Layer Security)等安全传输层协议来保护数据的传输安全性和完整性。
本文将介绍HTTPS的原理,并讨论浏览器对HTTPS的支持与兼容性。
一、HTTPS的工作原理HTTPS采用了公开密钥加密(Public Key Encryption)的方式来保护通信过程中的数据。
下面是HTTPS的工作流程:1. 客户端发送HTTPS请求给服务器。
2. 服务器将自己的公钥发送给客户端。
3. 客户端利用服务器的公钥来对称加密一个密钥,并将加密后的密钥发送给服务器。
4. 服务器使用自己的私钥解密客户端发送的密钥。
5. 双方使用这个密钥进行对称加密来传输数据。
通过使用公开密钥加密,HTTPS可以保证数据在传输过程中不会被窃听或篡改。
此外,HTTPS还可以提供对服务器和客户端身份的验证,确保通信双方的身份真实可靠。
二、浏览器对HTTPS的支持大多数现代浏览器都支持HTTPS,并通过以下方式对HTTPS进行支持:1. 内置SSL/TLS支持:浏览器内置了对SSL/TLS协议的支持,使得它们能够与服务器进行安全通信。
这些浏览器会在与服务器建立连接时自动验证其证书的有效性,并在通信过程中使用SSL/TLS进行加密。
2. HTTPS标志:为了提高用户的安全意识,现代浏览器通常会在浏览器地址栏展示一个“锁”图标,来表示当前网页的安全性。
这个标志可以让用户知道他们正在与一个使用HTTPS进行通信的安全网站进行互动。
3. 错误提示:当用户尝试访问一个使用无效或过期的SSL证书的网站时,浏览器会给出警告信息,以提醒用户与此网站继续交互的潜在风险。
英文回答:To encrypt data using OpenSSL public key encryption, it is imperative to first generate a key pair epassing a public key and a private key. The public key is exclusively utilized for encryption purposes, while the private key serves the sole function of decryption. Subsequently obtaining the public key, it bes feasible to encrypt any desired data that necessitates secure transmission to the proprietor of the associated private key.要使用OpenSSL公钥加密数据,必须首先生成一对通过公钥和私钥的密钥对。
公钥完全用于加密目的,而私钥则仅用于解密功能。
随后获得公用钥匙后,对需要安全传送给相关私人钥匙所有人的任何所需数据加密是可行的。
If you want to encrypt some data using OpenSSL and a public key, you can do it like this: Use themand "openssl rsautl -encrypt -in <input file> -out <output file> -inkey <public key file>". This will take the file you want to encrypt, the name of the file where the encrypted data will go, and the public key you made. Then, after running themand, your input file will be all encrypted and saved in the output file.如果您想要使用 OpenSSL 和一个公钥加密一些数据,您可以这样操作:使用它们和“ opens l rsautl —加密—在《输入文件》中—退出“ 输出文件” —inkey 《public key file 》)。
encrypted单词用法加密是一种保护数据安全的重要手段,而 encrypted 就是“加密”的意思。
下面我们来了解一下 encrypted 的常见用法。
1. as an adjective: encrypted 作为形容词使用,表示“加密的”。
例如:The encrypted message cannot be deciphered without the correct key.(没有正确的密钥,无法解密这条加密信息。
)2. as a verb: encrypted 作为动词使用,表示“加密”。
例如:The sensitive data is encrypted to ensure its safety.(敏感数据被加密以保证安全。
)3. encryption algorithm: 加密算法。
例如:The encryption algorithm used in this system is very secure.(这个系统使用的加密算法非常安全。
)4. decryption: 解密。
例如:The decryption process may take some time, depending on the level of encryption.(解密过程可能需要一些时间,取决于加密的级别。
)5. encrypted file: 加密文件。
例如:The encrypted files can only be accessed with the correct password.(只有输入正确的密码才能访问加密文件。
)6. encryption key: 加密密钥。
例如:The encryption key must be kept secret to ensure the safety of the encrypted data.(为了保证加密数据的安全,加密密钥必须保密。
)7. data encryption standard (DES): 数据加密标准。
Black-Box Constructions of Protocolsfor Secure Computation∗Iftach Haitner†Yuval Ishai‡Eyal Kushilevitz†Yehuda Lindell§Erez Petrank†March27,2010AbstractIt is well known that secure computation without an honest majority requires computational assumptions.An interesting question that therefore arises relates to the way such computationalassumptions are used.Specifically,can the secure protocol use the underlying primitive(e.g.,a one-way trapdoor permutation)in a black-box way,treating it as an oracle,or must it benonblack-box(by referring to the code that computes the primitive)?Despite the fact thatmany general constructions of cryptographic schemes refer to the underlying primitive in ablack-box wayonly,there are some constructions that are inherently nonblack-box.Indeed,allknown constructions of protocols for general secure computation that are secure in the presenceof a malicious adversary and without an honest majority use the underlying primitive in anonblack-box way(requiring to prove in zero-knowledge statements that relate to the primitive).In this paper,we study whether such nonblack-box use is essential.We answer this question in the negative.Concretely,we present a fully black-box reduction from oblivious transfer withsecurity against malicious parties to oblivious transfer with security against semi-honest parties.As a corollary,we get thefirst constructions of general multiparty protocols(with securityagainst malicious adversaries and without an honest majority)which only make a black-box useof semi-honest oblivious transfer,or alternatively a black-box use of lower-level primitives suchas enhanced trapdoor permutations or homomorphic encryption.Keywords:Theory of cryptography,secure computation,black-box reductions,oblivious transfer∗This paper combines the results appearing in[17]and[22].The last four authors were supported by grant36/03 from the Israel Science Foundation.†Microsoft Research,New England Campus.email:iftach@.Most of this work was performed while at the Weizmann Institute of Science.‡Department of Computer Science,Technion,Israel.email:{yuvali,eyalk,erez}@cs.technion.ac.il§Department of Computer Science,Bar-Ilan University,Israel.email:lindell@cs.biu.ac.il.Much of this work was carried out while the author was visiting the Technion.1IntroductionIt is a known fact that most cryptographic tasks require the use of computational hardness as-sumptions.These assumptions typically come in two types:specific assumptions like the hardness of factoring,RSA,discrete log and others,and general assumptions like the existence of one-way functions,trapdoor permutations and others.In this paper,we refer to general assumptions and how they are used.Specifically,we consider an intriguing question regarding how secure protocols utilize a primitive that is assumed to carry some hardness property.Here again,there is a clear distinction between two types of uses:1.Black-box usage:a protocol(or construction)uses a primitive in a black-box way if itrefers only to the input/output behavior of the primitive.1For example,if the primitive is a trapdoor permutation,then the protocol may sample a permutation and its domain,and may compute the permutation and its inverse(if the trapdoor is given).Beyond this,no reference is made to the primitive.In particular,the code used to compute the permutation(or carry out any other task)is not referred to by the protocol.The vast majority of constructions in cryptography are of this black-box type.2.Nonblack-box usage:a protocol(or construction)uses a primitive in a nonblack-box wayif it refers to the code for computing its functionality.A typical example of a nonblack-box construction is where a Karp reduction is applied to the circuit computing the function,say, in order to prove an N P zero-knowledge proof,as in[15].A rich and fruitful body of work,initiated in[21],attempts to draw the borders between possibility and impossibility for black-box constructions in cryptography.While many of the relations between primitives are well understood,there are still some important tasks for which the only constructions that we have rely on nonblack-box access to the assumed primitive,yet the existence of a black-box construction is not ruled out.In particular,this is the case for all constructions of public-key encryption schemes that are secure against chosen-ciphertext attacks[8,37,30].More relevant to this work is the fact that all known general constructions of multiparty protocols that are secure without an honest majority and in the presence of malicious adversaries,originating from[16],use nonblack-box access to the assumed primitive.2(We note that by“general constructions”,we mean construction that can be used to securely compute any functionality.)The above phenomenon begs the following informally-stated question:Is it possible to construct general protocols for secure computation without an honestmajority and with malicious adversaries,given only black-box access to a“low-level”primitive?1It is typically also required that the security proof of the construction be black-box in the sense that an adversary breaking the protocol can be used as an oracle in order to break the underlying primitive.In such a case the construction is referred to as a fully black-box reduction.All of the constructions in this paper are in fact fully black-box reductions.See Section2.3and[11,12,36]for further discussion of reductions in cryptography.2We stress that the above discussion is only true when considering general assumptions.Furthermore,it is only true when considering“low-level primitives”like trapdoor permutations.Specifically,there do exist constructions of secure multiparty protocols that use only black-box access to an oblivious transfer protocol with security against malicious parties[25].However,since it is not known how to construct the latter oblivious transfer protocols using only black-box access to,say trapdoor permutations,the overall construction obtained does not use its“low-level”primitive in a black-box way.1Answering the above question is of interest for the following reasons.First,it is of theoretical interest to understand whether or not nonblack-box access to a primitive is necessary for these tasks.An answer to this question would enhance our understanding of how hardness assumptions can(or must)be used.Second,as we have mentioned,the nonblack-box use of the underlying primitive is typically utilized in order to apply a Karp reduction for the purpose of using a(general) zero-knowledge proof.Such reductions are highly inefficient and are unlikely to be very useful in practice.Furthermore,in these protocols the communication complexity depends on the complexity of computing the primitive and the computational complexity grows more than linearly with that of the primitive.(An exception to this rule is the communication-efficient compiler presented in[33], which relies on the communication-efficient arguments of[27,31].However,the computational complexity of the protocol of[33]is even worse than the GMW protocol[16].) To illustrate the type of inefficiency resulting from current nonblack-box constructions,con-sider the following hypothetical scenario.Suppose that,due to major advances in cryptanalytic techniques,the security parameter must be large enough so that all basic cryptographic primitives require a full second of computation on a fast CPU.In such a case,would it still be possible to carry out a distributed task like oblivious transfer?Current nonblack-box techniques(e.g.,the GMW protocol[16])require parties to prove in zero-knowledge statements that involve the compu-tation of the underlying primitive,say a trapdoor permutation.These zero-knowledge protocols, in turn,invoke cryptographic primitives for any gate of a circuit computing a trapdoor permuta-tion.Since(by our assumption)a trapdoor permutation takes one second to compute,its circuit implementation contains trillions of gates,thereby requiring the protocol trillions of second to run. In contrast,a black-box construction of oblivious transfer from the trapdoor permutation primitive would make the number of invocations of the primitive independent of the complexity of imple-menting the primitive,thus making oblivious transfer feasible even in the hypothetical scenario described above.We conclude that the current nonblack-box use of the underlying primitives constitutes an obstacle to efficiency.It is therefore of great interest to know whether or not it is possible to obtain solutions to these tasks that do not suffer from this obstacle.(We note that the inefficiency of nonblack-box constructions here is quite ironic because in many areas of cryptography,black-box constructions have been shown to have inherent computational limitations[28,10].)Despite the above,we stress that the focus of this paper is not on efficiency,but rather on the theoretical question of whether or not it is possible to obtain the aforementioned black-box constructions.We believe this question to be interesting in its own right.Our results.We show how to construct protocols for general secure multiparty computation(for the case of no honest majority and malicious adversaries),given black-box access to any oblivious transfer protocol with security against semi-honest ing previous constructions,the latter oblivious transfer protocol can be based(in a black-box way)on either homomorphic en-cryption schemes(cf.[1])or enhanced trapdoor permutations(cf.[13]).We note that the standard general constructions of secure computation protocols from“low-level”primitives rely on either enhanced trapdoor permutations or homomorphic encryption schemes.However,all previous pro-tocols used these primitives in an inherently nonblack-box way.This was the case even for protocols that implement very simple functionalities,such as oblivious transfer[35,9].More concretely,we prove the following:Theorem1.1There exist protocols for securely computing any multiparty functionality without2an honest majority and in the presence of static malicious adversaries,that rely only on black-box access to a semi-honest-secure oblivious transfer protocol,to a family of enhanced trapdoor permutations,or to a homomorphic encryption scheme.We remark that nonblack-box access is not typically used when considering semi-honest ad-versaries[39,16].Rather,the nonblack-box access is utilized in known protocols in order to have the parties prove(in zero-knowledge)that they are correctly following the protocol specification. This is necessary for preventing a malicious adversary from effectively deviating from the protocol instructions.We note also that in the case of an honest majority,it is possible to securely compute any functionality information-theoretically,and without any hardness assumption[2,5].Thus,no primitive at all is needed.For this reason,we focus on the case of no honest majority(including the important two-party case)and malicious adversaries.Techniques.We prove Theorem1.1by showing that it is possible to construct an oblivious transfer protocol that is secure in the presence of malicious adversaries given only black-box access to an oblivious transfer protocol that is secure in the presence of semi-honest adversaries.Our construction is fully black-box meaning that the protocol that is secure in the presence of malicious adversaries uses only black-box access to the semi-honest protocol,and our proof of security shows the existence of an adversary that breaks the semi-honest protocol given black-box access to any adversary that breaks the malicious protocol.Formally,we prove the following:Theorem1.2The exists a fully black-box reduction from oblivious transfer that is secure in the presence of malicious adversaries to oblivious transfer that is secure in the presence of semi-honest adversaries.In order to prove Theorem1.2,we begin by constructing oblivious transfer protocols that use only black-box access to semi-honest oblivious transfer,but provide rather weak security guarantees. We then“boost”the security of these protocols in order to obtain protocols that are secure in the presence of malicious adversaries.Previous constructions that have followed this paradigm apply general zero-knowledge proofs to have the parties prove that they are behaving according to the specification of the semi-honest protocol[16].Importantly,these proofs employ a Karp reduction on the protocol specification,they are not black-box.Since we wish to make our construction black-box,we take a different route.Specifically,we begin by introducing the notion of a defensible adversary.In order to describe this notion,we describe what a defense is:a defense is an input and random-tape that is provided by the adversary after the protocol execution concludes.A defense is good if the honest party upon that input and random-tape would have sent the same messages as the adversary sent.Such a defense is a supposed“proof”of honest behavior.However,the adversary need not actually behave honestly and can construct its defense retroactively(after the execution concludes).A protocol is said to be private in the presence of defensible adversaries if privacy is preserved in the event that an adversary provides a good defense.However,in the case that the adversary doesn’t provide a good defense,nothing is guaranteed,and the entire honest party’s input may be learned.This notion is therefore rather weak.We note that known oblivious transfer protocol like that of[9]are not secure under this notion.Thefirst step of our proof is therefore a proof that any semi-honest oblivious transfer protocol can be efficiently modified–in a black-box way–into one that is secure under this notion.Next,we show that it is possible to construct oblivious transfer that is secure in the presence of malicious adversaries from oblivious3transfer that is private in the presence of defensible adversaries.Once again,this construction is fully black-box.We now give a more detailed overview of the construction.Recall that thefirst step is con-structing oblivious transfer protocols that are private in the presence of defensible adversaries from any oblivious transfer that is secure in the presence of semi-honest adversaries.This construction is essentially a very degenerate version of the GMW compiler[16].Specifically,it works by having the parties run a coin-tossing and input commitment protocol.The parties are then supposed to run the protocol using the committed inputs and coins.The defense is then just a decommit-ment;observe that given such a decommitment it is possible to check that the parties behaved in a semi-honest manner,as required.We remark that our transformation from semi-honest security to defensible security is generic and works for all protocols(and not just for oblivious transfer).Having obtained oblivious transfer that is secure for defensible adversaries,we use this to construct a new oblivious transfer protocol that is still private in the presence of defensible senders, but is secure in the presence of malicious receivers(where security is“full security”according to the ideal/real simulation paradigm).This is achieved using the so-called cut-and-choose technique. That is,many oblivious transfer executions(using random inputs)are run,and the receiver is asked to present a defense for its behavior in half of them.If it indeed presents good defenses,then we are guaranteed that it behaved somewhat honestly in most of the executions.Finally,the oblivious transfer executions are combined into a single instance of oblivious transfer which has the stronger security guarantee.We stress that much of the difficulty in implementing and analyzing the above step comes from the requirement that the protocol be secure according to the ideal/real simulation paradigm,rather than just private.Indeed,some efficient protocols for oblivious transfer from the literature[34,1,24] are private for both(malicious)parties,but are not fully secure for either party.Nevertheless,we are able to boost both the type of adversary resisted by the protocol(from a defensible to a malicious adversary)and its security guarantee(from privacy to full simulation-based security).Next,we“reverse”the oblivious transfer protocol(i.e.,by switching the sender and receiver roles)in order to obtain a protocol with reversed security properties.Specifically,this next protocol is secure in the presence of malicious senders and private in the presence of defensible receivers. At this point,we reapply our security boosting technique in order to obtain a protocol that is “fully secure”;that is,a protocol that is secure in the presence of malicious senders and receivers. See Figure1for the series of oblivious transfer protocols that we construct.Needless to say,each protocol uses its subprotocol in a black-box way.Protocol number Security for corrupted sender Security for corrupted receiver3.3Private for defensible sender Private for defensible receiver4.2Private for defensible sender Secure for malicious receiver5.1Secure for malicious sender Private for defensible receiverIn Theorem6.1Secure for malicious sender Secure for malicious receiver Figure1:The progression of our constructions:each protocol uses the previous one as a subprotocol.We note that Protocol3.3uses any semi-honest oblivious transfer as a starting point and works for any protocol problem and not just oblivious transfer.This is in contrast to our other constructions that are all specifically tailored to oblivious transfer.4This completes our high-level description of how we prove Theorem1.2.Once we have con-structed secure oblivious transfer protocols that use only black-box access to primitives,we apply the well-known result of Kilian[25,26](alternatively,the recent protocol from[23])which shows that any two-party functionality can be securely computed in the presence of malicious adversaries using black-box access to an oblivious transfer protocol that is secure in the presence of malicious adversaries.This therefore yields Theorem1.1,as desired.Related and subsequent work.In[7]it was shown that there are constant-round protocols for the setting of an honest majority,that use only black-box access to the assumed primitive (a pseudorandom generator).As we have mentioned,in the setting of an honest majority,it is possible to construct information-theoretically secure protocols(which are,by triviality,black-box). Nevertheless,there are no known(general)constant-round protocols for the information-theoretic setting,and so[7]relates to this issue.The techniques used in[7]and here are vastly different, due to the inherent differences between the setting of an honest majority and that of no honest majority.In a subsequent work[6],it is shown that if an ideal commitment is available,then the results of the present work can be extended to provide universal composability and adaptive security(the latter assumes that the semi-honest oblivious transfer is adaptively secure).In another subsequent work[23]it is shown that,building on our black-box reduction from malicious oblivious transfer to semi-honest oblivious transfer,it is possible to obtain a constant rate reduction of the same type.More concretely,n instances of oblivious transfer with security against malicious parties can be implemented by making a black-box use of only O(n)instances of oblivious transfer with security against semi-honest parties(plus an additive term that depends polynomially on a statistical security parameter but does not depend on n).2Definitions2.1PreliminariesA functionϵ(·)is said to be negligible ifϵ(n)<n−c for any constant c>0and sufficiently large n.A distribution ensemble{X n}n∈N is an infinite sequence of distributions,where the support of each distribution X n consists of binary strings of somefixed length m(n).We say that two distribution ensembles{X n}n∈N and{Y n}n∈N,are computationally indistinguishable,and write X n c≡Y n,if for every(non-uniform)polynomial-size circuit family{A n},the distinguishing advan-tage|Pr[A n(X n)=1]−Pr[A n(Y n)=1]|is negligible.Similarly,we say that the two distributions are statistically indistinguishable if the above holds for arbitrary(computationally unbounded)dis-tinguishers A n.We will refer to standard cryptographic primitives such as one-way functions and commitment schemes.For self-containment,we include formal definitions of these primitives in Appendix A.We will consider two-party protocols defined by a pair of probabilistic polynomial time al-gorithms P1and P2.We denote by⟨P1(1n,x1,ρ1),P2(1n,x2,ρ2)⟩the transcript of an execution between parties P1and P2with a security parameter n,where P i has input x i and random-tape ρi.(Such a transcript consists of the messages exchanged between the two parties.)For brevity, we will sometimes omit the security parameter1n.The message sent by party P i(on the above inputs)after having received the sequence of incoming messagesαis denoted by P i(x i,ρi;α).5Stated otherwise,P i(x i,ρi;·)denotes the next message function of P i.We denote the output of P iin an execution by output Pi ⟨P1(x1,ρ1),P2(x2,ρ2)⟩and its view(including its input,random-tapeand received messages)by view Pi ⟨P1(x1,ρ1),P2(x2,ρ2)⟩.We denote by output Pi⟨P1(x1),P2(x2)⟩and view Pi⟨P1(x1),P2(x2)⟩the corresponding random variables whenρ1andρ2are uniformly dis-tributed.Finally,we denote by U k the random variable that receives a uniformly distributed string in{0,1}k.2.2Secure ComputationWe assume readers to have basic familiarity with standard simulation-based definitions of secure two-party computation in a standalone setting.We provide a self-contained definition for com-pleteness,and refer to[13,Chapter7]for a fuller treatment.Overview.In this work,we consider both malicious adversaries,who may arbitrarily deviate from the protocol specification,and semi-honest adversaries,who follow the protocol specification but may try to infer additional information from the messages they receive.We restrict the attention to static corruptions(meaning that the set of corrupted parties isfixed throughout the protocol’s execution).We restrict our protocols to have black-box simulators,which treat the adversary as an oracle,and allow the simulators to run in expected polynomial time(counting each oracle call to the adversary as a single step).Finally,we assume adversaries to be non-uniform polynomial-time algorithms(or circuit families)and therefore,without loss of generality,assume that they are deterministic.However,we note that this is not essential and all of our proofs hold for the uniform model of computation.Definitions.We let n denote a security parameter which is given as input to both parties.For simplicity we assume here that the private input of each party has afixed length k,which does not grow with n.The security of a protocol is defined with respect to a functionality f.A two-party functionality is a(possibly randomized)mapping of a pair of inputs(x1,x2)to a pair of outputs (y1,y2).A two-party protocol for computing f is a protocol running in polynomial time and satisfying the following correctness requirement:For any pair of inputs(x1,x2),the pair of outputs (y1,y2)obtained in the end of an honest execution of the protocol is statistically indistinguishable from f(x1,x2).The security of a protocol(with respect to a functionality f)is defined by comparing the real-world execution of the protocol with an ideal-world evaluation of f by a trusted party.More concretely,it is required that for every adversary A,which attacks the real execution of the protocol by corrupting one of the two parties,there exists an adversary A′,also referred to as a simulator, which can“achieve the same effect”by corrupting the same party in an ideal evaluation of f.As noted above,we make the stronger requirement that there exist a single universal simulator Sim which has black-box access to A.This is made more precise in what follows.The real execution.Letπbe a protocol computing a two-party functionality f.Let A={A n} be an efficient nonuniform adversary which plays the role of either P1or P2.For a security parameter n,inputs x1,x2∈{0,1}k and party index i∈{1,2},we let realπ,A,i(n,x1,x2)be a random variable containing the identity i of the corrupted party,the view of the adversary when playing the role of P i(and interacting with an uncorrupted P2−i on security parameter n and inputs x1,x2),and the6output of the uncorrupted party P2−i.That is,realπ,A,1(n,x1,x2)=(1,view An ⟨A n(1n,x1),P2(1n,x2,ρ2)⟩,output P2⟨A n(1n,x1),P2(1n,x2,ρ2)⟩),whereρ2is uniformly distributed,and similarlyrealπ,A,2(n,x1,x2)=(2,view An ⟨P1(1n,x1,ρ1),A n(1n,x2)⟩,output P1⟨P1(1n,x1,ρ1),A n(1n,x2)⟩).The ideal execution.In the ideal execution,an adversary A′interacts with a trusted party who computes f on inputs provided by the two parties.More concretely,the ideal execution proceeds as follows:•The uncorrupted party sends its real input to the trusted party.The adversary A′may send an arbitrary input on behalf of the corrupted party,depending on the real input and the security parameter.(Any missing or“invalid”value is substituted by a default value.) Denote by x′i the value sent by party P i.•The trusted party computes f(x′1,x′2)=(y1,y2).(If f is randomized,this computation involves random coins that are generated by the trusted party.)It then sends to the adversary its own output.•The adversary chooses whether to continue or abort;this can be formalized by having the adversary send either a continue or abort message to the trusted party.In the former case, the trusted party sends to the uncorrupted party P i its output value y i.In the latter case, the trusted party sends the special symbol⊥to the uncorrupted party.After the above,A′outputs some(randomized)function of its view,and the uncorrupted partyoutputs the value received from the trusted party.We let ideal f⊥,A′,i (n,x1,x2)be the randomvariable containing the identity i of the corrupted party,the output of the adversary in the end of the above process when playing the role of P i(and interacting with an uncorrupted P2−i on security parameter n and inputs x1,x2),and the output of the uncorrupted party P2−i.The subscript“⊥”indicates that the adversary has the ability to abort the ideal execution.Defining security.With the above in place,we can now define our strongest notion of security. Definition2.1(Security against malicious parties)Letπbe a two-party protocol for com-puting a functionality f.We say thatπsecurely computes f in the presence of malicious adversaries if there exists a probabilistic,expected polynomial-time(black-box)simulator Sim such that for ev-ery polynomial-size circuit family A={A n},every choice i∈{1,2}of corrupted party,and everychoice of inputs x1,x2∈{0,1}k,we haverealπ,A,i(n,x1,x2)c≡ideal f⊥,A′,i(n,x1,x2),where A′={A′n}is the ideal execution adversary defined by A′n=Sim A n(1n).A definition of security against semi-honest parties can be obtained by restricting the adversaries A and A′to be semi-honest.In the case of A,this means that all messages sent by the adversary are computed according toπ.(For implementing the honest strategy,A should receive an additional7random inputρi.)In the case of A′this means that A′must send the true input to the trusted party and never abort.We note that the above definition does not allow the choice of inputs(x1,x2)to depend on the security parameter.Since we assume the inputs to come from afixed domain,this is equivalent to the standard(and generally more stringent)definition which requires indistinguishability even when the choice of inputs(x1,x2)may depend on n.We will mostly be interested in functionalities which deliver an output to only one of the two parties.In such a case,any protocol satisfying the above notion of“security with abort”can be easily turned into a similar protocol with full security(without abort).This is done by having the uncorrupted party handle an event where the protocol aborts by computing its output on its own (using a default value for the input of the uncorrupted party).Thus,for such functionalities we will use a simpler form of the above definition which does not allow the adversary to abort in the ideal execution.2.3Black-Box ReductionsA reduction from a primitive P to a primitive Q(sometimes referred to as a construction of primitive P using a primitive Q)consists of showing that if there exists a secure implementation C of Q, then there exists a secure implementation M C of P.This is equivalent to showing that for every adversary that breaks M C,there exists an adversary that breaks C.Such a reduction is semi black-box if the implementation M C of P and the adversary breaking Q ignore the internal structure of Q’s implementation and only use it as an oracle.The reduction is fully black-box if the proof of security is black box as well.That is,the adversary breaking Q ignores the internal structure of both Q’s implementation and the(alleged)adversary breaking3P.One can similarly define a fully black-box reduction from P to a pair of primitives Q1,Q2;here it should be possible to use an adversary breaking P as an oracle for breaking either Q1or Q2.A taxonomy of black-box reductions was provided by[36],and the reader is referred to this paper for a more complete and formal overview of these notions.All the reductions considered in this paper are fully black-box, though the black-box construction of an adversary breaking Q from an adversary breaking P will only be implicit in the security analysis.2.4Defensible Adversarial BehaviorWe introduce the notion of defensible adversarial behavior.Loosely speaking,an adversary that exhibits defensible behavior may arbitrarily deviate from the protocol specification.However,at the conclusion of the protocol execution,the adversary must be able to justify or defend its behavior by presenting an input and a random-tape such that the honest party(with this input and random-tape)would behave in the same way as the adversary did.A protocol is“private”under defensible adversarial behavior if it is“private”whenever the adversary can successfully prevent such a good defense.We stress that if an adversary behaves maliciously and cannot provide a good defense, then no security guarantees are given.3The meaning of“breaking”a primitive is usually clear from the security definition of the primitive.When P is a secure computation protocol with a black-box simulator Sim,as in Definition2.1,an adversary breaking P consists of a real-execution adversary A attacking the protocol along with a distinguisher violating the indistinguishability condition between real and ideal from Definition2.1.8。
pki架构中公钥证书的申请流程When it comes to the application process for public key certificates in a PKI architecture, it is essential to understand the significance of these certificates in ensuring secure communication over networks. 在PKI架构中公钥证书的申请流程中,理解这些证书在确保网络安全通信中的重要性至关重要。
Public key certificates play a crucial role in establishing the identity of entities and enabling secure data exchange through encryption and decryption. 公钥证书在建立实体身份和通过加密和解密实现安全数据交换方面发挥着至关重要的作用。
The process of applying for a public key certificate involves several steps to verify the identity of the requester and ensure the validity of the certificate. 申请公钥证书的过程涉及多个步骤,以验证请求者的身份并确保证书的有效性。
Typically, the first step is for the requester to generate a key pair consisting of a public key and a private key, where the public key is used for encryption and the private key is kept secure for decryption. 通常,第一步是请求者生成一个密钥对,包括一个公钥和一个私钥,其中公钥用于加密,私钥用于解密。
网络安全英文缩写Network security is a critical aspect of ensuring the confidentiality, integrity, and availability of network resources and communication. It involves implementing various measures to protect networks and the data they transmit and store from unauthorized access, misuse, and attacks. In the field of network security, there are numerous acronyms that are commonly used to refer to specific technologies, standards, protocols, and concepts. Understanding these acronyms is important for network administrators and security professionals as they navigate the complex landscape of network security. In this article, we will explore some of the most commonly used acronyms in network security.1. VPN - Virtual Private Network: A technology that allows users to create a secure connection to a private network over a public network, such as the internet. VPNs are commonly used to provide remote secure access to corporate networks.2. IDS - Intrusion Detection System: A software or hardware system that monitors network traffic for suspicious activities or patterns that may indicate an attack. IDSs can detect and alert administrators about potential threats in real-time.3. IPS - Intrusion Prevention System: A system that operates in conjunction with an IDS to not only detect intrusions but also take immediate action to prevent them. IPSs can block or terminate suspicious connections or traffic to protect the network.4. DDoS - Distributed Denial-of-Service: A type of attack where multiple compromised computers (called zombies) are used toflood a target system or network with traffic, overwhelming its resources and causing it to become inaccessible to legitimate users.5. SSL/TLS - Secure Sockets Layer/Transport Layer Security: Protocols that provide secure communication over a computer network. SSL/TLS ensures that the data transmitted between a server and a client is encrypted and cannot be intercepted or tampered with.6. WPA/WPA2 - Wi-Fi Protected Access: A security protocol used to protect wireless computer networks. WPA and WPA2 provide strong encryption and authentication mechanisms to prevent unauthorized access to Wi-Fi networks.7. SIEM - Security Information and Event Management: A technology that combines security information management (SIM) and security event management (SEM) to provide real-time analysis of security alerts generated by network devices and systems.8. ACL - Access Control List: A set of rules defined on a network device, such as a router or a firewall, to control traffic flow. ACLs can be used to permit or deny specific types of traffic based on source and destination IP addresses, ports, and other criteria.9. PKI - Public Key Infrastructure: A system of cryptographic techniques, including public-key encryption, digital signatures, and certificate authorities, used to secure communications and verify the authenticity of digital documents and entities.10. IDS/IPS - Intrusion Detection and Prevention System: A combined system that integrates the functions of an IDS and an IPS into a single solution. IDS/IPS systems provide comprehensive network security by detecting and preventing intrusions in real-time.These acronyms represent just a fraction of the extensive network security vocabulary. Understanding and incorporating these technologies, protocols, and concepts into network security strategies is crucial for safeguarding sensitive information and maintaining the overall security of networks and systems.。
公钥密码实现原理Public key cryptography, also known as asymmetric cryptography, isa cryptographic system that uses pairs of keys: public keys, which may be disseminated widely, and private keys, which are known only to the owner. 公钥密码学,也称为非对称加密,是一种使用密钥对的密码系统:公钥可以广泛传播,而私钥只有所有者知道。
The security of public key cryptography relies on the computational difficulty of certain mathematical problems. 公钥密码的安全性依赖于特定数学问题的计算难度。
One of the most widely used public key cryptosystems is the RSA algorithm. RSA is named after its inventors, Ron Rivest, Adi Shamir, and Leonard Adleman. 其中最广泛使用的公钥密码系统之一是RSA算法。
RSA是以其发明者Ron Rivest、Adi Shamir和Leonard Adleman的名字命名的。
In the RSA algorithm, the security of the system is based on the practical difficulty of factoring the product of two large primenumbers, the "factoring problem". 在RSA算法中,系统的安全性基于分解两个大质数的乘积“分解问题”的实际难度。
加密英文I'm sorry, as an AI language model, I cannot generate a 2000-word encrypted text. However, I can explain the concept of encryption and provide a general overview of encryption techniques, if that would be helpful.Encryption is the process of converting normal or plain data into an unreadable format, or ciphertext, that can only be decoded with the use of a secret key or password. The purpose of encryption is to protect sensitive information and prevent unauthorized access or hacking attempts.There are different encryption techniques that can be used, including symmetric key encryption and public key encryption. In symmetric key encryption, the sender and receiver share a single secret key that is used to encrypt and decrypt the data. This method is faster and more efficient but requires the secure exchange of the secret key.Public key encryption, on the other hand, uses a pair of keys for encryption and decryption (a public key and a private key), making it more secure and flexible. The public key can be shared without compromising the security of the data, while the private key is kept secret and used to decrypt the data.Other encryption techniques include hashing, which creates a fixed-length string of characters from a message, and digital signatures, which provide authentication and integrity of the data.Overall, encryption plays a crucial role in securing sensitive data and protecting it from unauthorized access.。
PUBLIC KEY ENCRYPTION CAN BE SECURE AGAINST ENCRYPTION EMULATION ATTACKS BY COMPUTATIONALLY UNBOUNDEDADVERSARYDENIS OSIN AND VLADIMIR SHPILRAINAbstract.The main purpose of this paper is to show why,contrary to a prevalent opinion,publickey encryption can be secure against“encryption emulation”attacks by computationally unboundedadversary,with one reservation:a legitimate party decrypts correctly with probability that can bemade arbitrarily close to1,but not equal to1.1.IntroductionThis paper was prompted,in part,by several discussions,mostly informal,related to an earlier paper[5],where,for thefirst time,a cryptographic protocol based on non-recursiveness of a decision problem rather than on computational hardness of a search problem was suggested.(The protocol of Magyarik and Wagner[2]is not based on non-recursiveness of a decision problem,contrary to what the title of their paper may suggest;this was recently pointed out in[1].)Most readers of[5] were perplexed already by the abstract,where it was claimed that“decision problems may be useful when one addresses the ultimate challenge of public key cryptography:to design a cryptosystem that would be secure against“brute force”attacks by computationally unbounded adversary”.The following statement made by one of the reviewers is typical:...key generations can be performed over and over again,each time with fresh ran-domness,until the public key to be attacked is obtained–this will happen eventuallywith overwhelming probability!Already the correctness(no matter if perfect or onlywith overwhelming probability)of the scheme guarantees now that the correspond-ing secret key(as obtained by the adversary performing key generation)allows todecrypt illegitimately.This statement actually consists of two separate claims,in two separate sentences.We note that thefirst one is correct,whereas the second one is not.The crucial point is that it does matter whether the correctness of the scheme is perfect or only with overwhelming probability.If the correctness was perfect,then the quoted claim would be valid indeed.However,if there is a gap, no matter how small(it can be easily made on the order of10−200,see[5]),between1and the probability of correct decryption by a legitimate party,then this gap can be very substantially“am-plified”for the adversary,thus making the probability of correct illegitimate decryption anything but overwhelming.We explain this phenomenon in our Section2,trying to keep the group-theoretic background to a minimum.One of the problems with the paper[5]is that it is somewhat too heavy on combinatorial group theory,at least for a non-expert.Most of that group theory is needed to separate the receiver (Alice)and the adversary(Eve)in power.This is,indeed,a very non-trivial problem that opens several interesting research avenues.It appears,however,that the main point of perplexity for most Research of thefirst author was partially supported by the NSF grant DMS-0605093.Research of the second author was partially supported by the NSF grant DMS-0405105.1cryptographers was the fact that encryption by the sender(Bob)can be secure against“encryption emulation”attacks by a computationally unbounded adversary.To explain how and why this is possible,we do not really need to introduce any serious group theory.We also note,in passing,that the problem of security of the sender’s encryption algorithms is of independent interest.Of course,in applications to,say,Internet shopping or banking,both the sender’s and the receiver’s algorithms are assumed to be known to the adversary,and the receiver’s decryption algorithms(or algorithms for obtaining public keys)are usually more vulner-able to attacks.However,in some other applications,say,to electronic signatures(not to mention non-commercial,itary applications),decryption algorithms need not be public,whereas en-cryption algorithms always are.It is therefore important to have a consensus in the cryptographic community on the security claim in the abstract of the present paper.The arrangement of the paper is as follows.In Section2,we briefly describe one of the principal ideas behind our scheme(s),and then present a public key encryption protocol which is secure against the“encryption emulation”attack by a computationally unbounded adversary who does not know the encrypter’s hardware computational limitations.Then,in Section3,building on these ideas and combining them with a simple yet subtle trick,we present another protocol which is secure against the“encryption emulation”attack by a computationally unbounded adversary who has complete information on the algorithm(s)and hardware that the sender uses for encryption. More precisely,in our protocol the sender transmits his private bit sequence by encrypting one bit at a time,and the receiver decrypts each bit correctly with probability that can be made arbitrarily close to1,but not equal to1.At the same time,the(computationally unbounded)adversary decrypts each bit(by emulating the sender’s encryption algorithm)correctly with probability atmost34.There are essentially no requirements on the sender’s computational abilities;in fact,encryption can be done by hand,which can be a big advantage in some situations;for example,afield operative can receive a public key and transmit encrypted information over the phone,without using a computer.2.Encryption:beta versionWe assume that the sender(Bob)is given a presentationΓ(published by Alice)of a group G by generators and defining relators:Γ= x1,x2,...,x n|r1,r2,... .No further information about the group G is available to Bob.Bob is instructed to transmit his private binary sequence to Alice by transmitting a word u= u(x1,...,x n)equal to1in G in place of“1”and a word v=v(x1,...,x n)not equal to1in G in place of“0”.Now we have to specify the algorithms that Bob should use to select his words.Algorithm“0”(for selecting a word v=v(x1,...,x n)not equal to1in G)is quite simple:Bob just selects a random word by building it letter-by-letter,selecting each letter uniformly from the set X={x1,...,x n,x−11,...,x−1n}.The length of such a word should be a random integer from an interval that Bob selects up front,based on his computational abilities.Algorithm“1”(for selecting a word u=u(x1,...,x n)equal to1in G)is slightly more complex. It amounts to applying a random sequence of operations of the following two kinds,starting with the empty word:(1)Inserting into a random place in the current word a pair hh−1for a random word h.(2)Inserting into a random place in the current word a random conjugate g−1r i g of a randomdefining relator r i.The length of the resulting word should be in the same range as the length of the output of Algorithm“0”.We do not go into more details here because they are irrelevant to the main Section 3of the present paper,i.e.,all claims of Section3remain valid no matter what algorithm for producing words equal to1is chosen,as long as it does not return the empty word.However, we note in passing that for more practical protocols like the one suggested in[5],Algorithm“1”matters a lot,and it definitely deserves further investigation.Anyway,this is it for Bob;now it is Eve’s turn to work.According to the reviewer’s recipe quoted in our Introduction,if she wants to use the“encryption emulation”attack,she has to ...perform key generations over and over again,each time with fresh randomness,until the public key to be attacked is obtained.Thus,Eve is building up two lists,corresponding to two algorithms above.Ourfirst observation is that the list that corresponds to the Algorithm“0”is useless to Eve because it is eventually going to contain all words in the alphabet X={x1,...,x n,x−11,...,x−1n}.Therefore,Eve may just as well forget about this list and concentrate on the other one,that corresponds to the Algorithm “1”.Now the situation boils down to the following:if a word w transmitted by Bob appears on the list,then it is equal to1in G.If not,then not.The only problem is:how can Eve possibly conclude that w does not appear on the list if the list is infinite?Here our opponent should say“Well,there is no infinity in real life,so the list is actuallyfinite because of Bob’s computational limitations”. Indeed,whether or not the list in question isfinite or infinite is irrelevant to the problem at hand. What matters is that,in theory,Eve does not know a bound on the size of the list.Well,then,the opponent might say,Already the correctness(no matter if perfect or only with overwhelming probability)of the scheme guarantees now that the corresponding secret key(as obtained by theadversary performing key generation)allows to decrypt illegitimately.In other words,our opponent suggests that Eve can stop at some point and conclude that w=1 with overwhelming probability,just like Alice does.The point however is that this probability may not at all be as“overwhelming”as the probability of the correct decryption by pare:(1)For Alice to decrypt correctly“with overwhelming probability”,the probability P1(N)fora random word w of length N not to be equal to1should converge to1(reasonably fast)as N goes to infinity.(2)For Eve to decrypt correctly“with overwhelming probability”,the probability P2(N,f(N))for a random word w of length N produced by the Algorithm“1”to have a proof of length ≤f(N)verifying that w=1,should converge to1as N goes to infinity.Here f(N) represents Eve’s computational capabilities;this function can be arbitrary,butfixed.We see that the functions P1(N)and P2(N)are of very different nature,and any correlation between them is unlikely.We note that the function P1(N)is generally well understood,and in particular,it is known that in any infinite group G,P1(N)indeed converges to1as N goes to infinity;see Section5of[5]for more details on this convergence.On the other hand,functions P2(N,f(N))are more complex;note also that they may depend on a particular algorithm used by Bob to produce words equal to1.The Algorithm“1”described in this section is very straightforward;there are more delicate algorithms that will be discussed in another paper.Anyway,functions P2(N,f(N))are currently subject of active research,and in particular,it appears likely that there are groups in which P2(N,f(N))does not converge to1at all,if an algorithm used to produce words equal to1is chosen intelligently.We also note in passing that if in a group G the word problem is recursively unsolvable,then the length of a proof verifying that w=1in G is not bounded by any recursive function of the length of w.Of course,in real life,Eve may know a bound on the size of the list based on a general idea of what kind of hardware may be available to Bob;but then again,in real life Eve would be computationally bounded herself.Here we note(again,in passing)that there are groups G with efficiently solvable word problem and words w of length n equal to1in G,such that the length of a proof verifying that w=1in G is not bounded by any tower of exponents in n,see[4].Thus,the bottom line is:in theory,Eve cannot positively identify the bit that Bob has encrypted by a word w if she just uses the“encryption emulation”attack.In fact,such an identification would be equivalent to solving the word problem in G,which would contradict the well-known fact that there are(finitely presented)groups with recursively unsolvable word problem.It would be nice,of course,if Eve was unable to positively decrypt using“encryption emulation”attacks even if she did know Bob’s computational limitations.This,too,can be arranged,see the next section.3.Encryption:trick and treatBuilding on the ideas from the previous section and combining them with a simple yet subtle trick,we describe here an encryption protocol with the following features:(F1)Bob encrypts his private binary sequence by words in a public alphabet X.(F2)Alice(the receiver)decrypts Bob’s transmission correctly with probability that can be made arbitrarily close to1,but not equal to1.(F3)The adversary,Eve,is assumed to have no bound on the speed of computation or on the storage space.(F4)Eve is assumed to have complete information on the algorithm(s)and hardware that Bob uses for encryption.However,Eve cannot predict outputs of Bob’s random numbers gen-erator(the latter could be just coin tossing,say).(F5)Eve cannot decrypt correctly any bit of Bob’s binary sequence with probability>34byemulating Bob’s encryption algorithm.This leaves Eve with the only hope:to attack Alice’s decryption algorithm or her algorithm for obtaining public keys,but this subject is outside of the scope of the present paper.Here we only discuss the“encryption emulation”attack.We also have to say up front that the encryption protocol that will be presented in this section is probably not very suitable for commercial applications(such as Internet shopping or banking)due to a large amount of work required from Alice to receive just one bit from Bob.For a commercial implementation of the ideas presented in the previous section,we can recommend the protocol de-scribed(with specific parameters)in[5].That protocol has encryption with a fairly large expansion factor(on the order of150),but not to the point of being impractical,especially given that the encryption amounts primarily to generating random words of reasonable length,which can be done quite efficiently.Now we are getting to the protocol description.In one round of this protocol,Bob transmits a single bit,i.e.,Alice generates a new public key for each bit transmission.(P0)Alice publishes two presentations:Γ1= x1,x2,...,x n|r1,r2,...Γ2= x1,x2,...,x n|s1,s2,... .One of them defines the trivial group,whereas the other one defines an infinite group,but only Alice knows which one is which.Bob is instructed to transmit his private bit to Alice as follows:(P1)In place of“1”,Bob transmits a pair of words(w1,w2)in the alphabetX={x1,x2,...,x n,x−11,...,x−1n},where w1is selected randomly,while w2is selected to be equal to1in the group G2defined byΓ2(see Algorithm“1”in the previous section). (P2)In place of“0”,Bob transmits a pair of words(w1,w2),where w2is selected randomly, while w1is selected to be equal to1in the group G1defined byΓ1.Under our assumptions(F3),(F4)Eve can identify the word(s)in the transmitted pair which is/are equal to1in the corresponding presentation(s),as well as the word,if any,which is not equal to1.There are the following possibilities:(1)w1=1in G1,w2=1in G2;(2)w1=1in G1,w2=1in G2;(3)w1=1in G1,w2=1in G2.It is easy to see that the possibility(1)occurs with probability12(when Bob wants to transmit“1”and G1is trivial,or when Bob wants to transmit“0”and G2is trivial).If this possibilityoccurs,Eve cannot decrypt Bob’s bit correctly with probability>12.Indeed,the only way for Eveto decrypt in this case would be tofind out which presentationΓi defines the trivial group,i.e.,she would have to attack Alice’s algorithm for obtaining a public key,which is outside of the scope of the present paper.Here we just note,in passing,that there are many different ways to construct presentations of the trivial group,some of them involving a lot of random choices.See e.g.[3]for a survey on the subject.In any case,our claim(F5)was that Eve cannot decrypt Bob’s bit correctly with probability>34by emulating Bob’s encryption algorithm,which is obviously true in this scheme since theprobability for Eve to decrypt correctly is,in fact,precisely12·12+12·1=34.(Note that Evedecrypts correctly with probability1if either of the possibilities(2)or(3)above occurs.)Our abrasive opponent may say that34is a rather high probability of illegitimate decryption,even though this is just for one bit.Recall however that we are dealing with computationally unbounded adversary,while Bob can essentially do his encryption by hand!All he needs is a generator of uniformly distributed random integers in the interval between1and2n(the latter is the cardinality of the alphabet X).Besides,note that with the probability of correctly decryptingone bit equal to34,the probability to correctly decrypt,say,a credit card number of16decimaldigits would be on the order of10−7,which is comparable to the chance of winning the jackpot in a lottery.Of course,there are many tricks that can make this probability much smaller,but we think we better stop here because,as we have pointed out before,our focus here is on the new paradigm itself.References[1]J.-C.Birget,S.Magliveras,M.Sramka,On public-key cryptosystems based on combinatorial group theory,preprint./2005/070[2]M.R.Magyarik,N.R.Wagner,A Public Key Cryptosystem Based on the Word Problem.CRYPTO1984,19–36,Lecture Notes in Comput.Sci.196,Springer,Berlin,1985.[3]A.D.Myasnikov,A.G.Myasnikov,V.Shpilrain,On the Andrews-Curtis equivalence,Contemp.Math.,Amer.Math.Soc.296(2002),183–198.[4]A.N.Platonov,An isoparametric function of the Baumslag-Gersten group.(Russian)Vestnik Moskov.Univ.Ser.I Mat.Mekh.2004,no.3,12–17;translation in Moscow Univ.Math.Bull.59(2004),no.3,12–17(2005).[5]V.Shpilrain and G.Zapata,Using decision problems in public key cryptography,preprint./˜shpil/wppkc.pdfDepartment of Mathematics,The City College of New York,New York,NY10031E-mail address:denis.osin@,shpil@/~shpil。
