Mon, 25 Sep 2006 03:33:00 GMT

译者按�Q?br />加密和解密��用同一个密钥的��法�Q�称为对�U�加密算法；加密和解密��用的是不同的密钥�Q�称为非对称加密��法�Q�公钥系�l�即属于非对�U�加密算法。对于对�U�加密而言�Q�需要着重保护的是对�U�密钥，对于公钥��法而言�Q�需要着重保护的是私钥�?br />公钥加密��法�Q�以及衍生出的数字签名、数字证书技术，不仅�q�泛应用于Internet通讯中，例如HTTPS协议中的SSL/TLS�Q�在单机�pȝ��中也��来��受到重视，例如Windows XP的设备驱动程序�?NET的GAC assembly都要求数字签名。微软从Windows98/NT4起即提供了Cryptograph API�Q�支持DES�Q�RC2�Q�RC4�Q�IDEA�{�对�U�加密算法和RSA公钥�pȝ��{�非对称密算法，以及MD5�Q�SHA�Q�MAC�{�摘要（Digest�Q�也�U�CؓHash�Q�散列）��法�?br />本文译自�Q?br />http://developer.netscape.com/tech/security/ssl/howitworks.html

�q�是一��生动浅昄��文章�Q�对了解公钥�pȝ��的工作原理很有帮助，CSDN上已有一��译文：

http://www.csdn.net/Develop/article/27/27524.shtm
但本��Z��文的关键地方不够准确�Q�欠通顺。本译文在上��译文的基础上，关键的术语采用了通用译法�Q�少数地斚w��用了意译�Q�而且附有英文原文�Q�有��译不当的地方大家可以对照原文�?br />希望能对公钥�pȝ��有兴��的朋友们有所帮助�?/p>

BTW�Q�上面提到的所有对�U�加密和非对�U�加密，它们的加解密��法都是公开的，只要不知道密钥，��法的设计者有信心使加密结果不会被��L��破解�Q�这点与WAPI截然不同�Q�） �?/p>

以下是中英文对照的译文：

Public key encryption is a technique that uses a pair of asymmetric keys for encryption and decryption. Each pair of keys consists of a public key and a private key. The public key is made public by distributing it widely. The private key is never distributed; it is always kept secret.
公钥加密是��用一寚w��对称的密钥加密或解密的技术。每一对密钥由公钥和私钥组成。公钥被�q�泛发布。私钥是隐密的，不公开�?/p>

Data that is encrypted with the public key can be decrypted only with the private key. Conversely, data encrypted with the private key can be decrypted only with the public key. This asymmetry is the property that makes public key cryptography so useful.
用公钥加密的数据只能够被�U�钥解密。反�q�来�Q��用私钥加密的数据只能用公钥解密。这个非对称的特性��得公钥加密很有用�?/p>

USING PUBLIC KEY CRYPTOGRAPHY FOR AUTHENTICATION
使用公钥加密法认�?/p>

Authentication is the process of verifying identity so that one entity can be sure that another entity is who it claims to be. In the following example involving Alice and Bob, public key cryptography is easily used to verify identity. The notation {something}key means that something has been encrypted or decrypted using key.
验证是一个核实��n份的�q�程�Q�以便一方能��认另一方的��是其所声称的那个��n份。在下列例子中包括甲和乙�Q�公钥加密会��L��地校验��n份。符号{数据} key意味着"数据"已经使用key加密或解密�?/p>

Suppose Alice wants to authenticate Bob. Bob has a pair of keys, one public and one private. Bob discloses to Alice his public key (the way he does this is discussed later). Alice then generates a random message and sends it to Bob:

A->B random-message

Bob uses his private key to encrypt the message and returns the encrypted version to Alice:

B->A {random-message}bobs-private-key

Alice receives this message and decrypts it by using Bob's previously published public key. She compares the decrypted message with the one she originally sent to Bob; if they match, she knows she's talking to Bob. An imposter presumably wouldn't know Bob's private key and would therefore be unable to properly encrypt the random message for Alice to check.
假如甲想校验乙的�w�䆾。乙有一对密钥，一个是公开的，另一个是�U�有的。乙透露�l�甲他的公钥。甲产生一个随��Z��息发送给乙�?/p>

甜y��—〉乙�Q�random message

乙��用他的私钥加密信息，把加密后的信息返回甲�?

乙——〉甲�Q�{random-message}乙的�U�钥

甲收到这个信息然后��用乙的前面公开的公钥解密。他比较解密后的信息与他原先发给乙的信息。如果它们完全一��_��׃��知道在与乙说话。�Q意一个中间�h不会知道乙的�U�钥�Q�也不能正确加密甲检查的随机信息�?/p>

BUT WAIT, THERE'S MORE
�{�一下，事情�q�没有完

Unless you know exactly what you are encrypting, it is never a good idea to encrypt something with your private key and then send it to somebody else. This is because the encrypted value can be used against you (remember, only you could have done the encryption because only you have the private key).
用私钥加密某些信息，然后发送给其他��Z��是一个好��L��Q�除非你清楚知道�q�个信息的含义。因为加密后的信息可能被用来对付你（��C��Q�别人知道该信息是你加密的，因�ؓ只有你有加密用的�U�钥�Q��?/p>

So, instead of encrypting the original message sent by Alice, Bob constructs a message digest and encrypts that. A message digest is derived from the random message in a way that has the following useful properties:

The digest is difficult to reverse. Someone trying to impersonate Bob couldn't get the original message back from the digest.
An impersonator would have a hard time finding a different message that computed to the same digest value.

所以，取代直接加密甲发来的原始信息�Q�乙创徏一个信息摘要�ƈ且加密该摘要。信息摘要由��L��信息�q�算而来�Q��ƈ��h��以下有用的特性：

1. 从这个摘要值难以还原出原始信息。�Q何�h即��伪装成乙�Q�也不能从摘要值得到原始信息；

2. 不同的信息很难计��出相同的摘要��|��

By using a digest, Bob can protect himself. He computes the digest of the random message sent by Alice and then encrypts the result. He sends the encrypted digest back to Alice. Alice can compute the same digest and authenticate Bob by decrypting Bob's message and comparing values.
使用摘要�Q�乙能够保护自己。他计算甲发出的��L��信息的摘要，加密摘要��|��然后发送加密的摘要值给甌Ӏ�甲能够计算出相同的摘要值�ƈ且解密乙的信息，最�l�认证乙�?
�Q�译者注�Q�摘要（Digest�Q�算法又�U�Cؓ散列(Hash)��法�Q?/p>

GETTING CLOSER
�q�一步的讨论

The technique just described is known as a digital signature. Bob has signed a message generated by Alice, and in doing so he has taken a step that is just about as dangerous as encrypting a random value originated by Alice. Consequently, our authentication protocol needs one more twist: some (or all) of the data needs to be originated by Bob.

A->B hello, are you bob?
B->A Alice, This Is bob { digest[Alice, This Is Bob] } bobs-private-key

When he uses this protocol, Bob knows what message he is sending to Alice, and he doesn't mind signing it. He sends the unencrypted version of the message first, "Alice, This Is Bob." Then he sends the digested-encrypted version second. Alice can easily verify that Bob is Bob, and Bob hasn't signed anything he doesn't want to.

刚刚讨论的技术称为数字签名。乙直接在甲产生的信息上�{�֐��Q�这样做和加密甲产生的�Q意信息是同样危险的。因此我们的验证协议�q�需要加一些技巧：某些或全部信息需要由乙��生：

甜y��—〉乙�Q�你好，你是乙么?
乙——〉甲�Q�甲�Q�我是乙 {摘要[�Ԍ��我是乙] } 乙的�U�钥

使用�q�个协议�Q�乙知道他发送给甲的信息的内容，他不介意在上面签名。他先发送不加密的信息，"�Ԍ��我是�?�Q�然后发送该信息的加密后的摘要。甲可以非常方便地核实乙��是乙，同时�Q�乙�q�没有在他不想签名的信息上签名�?/p>

HANDING OUT PUBLIC KEYS
分发公钥

How does Bob hand out his public key in a trustworthy way? Let's say the authentication protocol looks like this:

A->B hello
B->A Hi, I'm Bob, bobs-public-key
A->B prove it
B->A Alice, This Is bob { digest[Alice, This Is Bob] } bobs-private-key

那么�Q�乙怎样以可信的方式提交他的公钥呢？看看如下所�C�的验证协议�Q?/p>

甜y��—〉乙�Q�你�?br />乙——〉甲�Q�嗨�Q�我是乙�Q�乙的公�?br />甜y��—〉乙�Q�请证明
乙——〉甲�Q�甲�Q�我是乙 {摘要[�Ԍ��我是乙] } 乙的�U�钥

With this protocol, anybody can be Bob. All you need is a public and private key. You lie to Alice and say you are Bob, and then you provide your public key instead of Bob's. Then you prove it by encrypting something with the private key you have, and Alice can't tell you're not Bob.
使用�q�个协议�Q��Q何�h都能够成�?�?。只要你有一对公钥和�U�钥。你�ƺ骗甲说你就是乙�Q�只要提供你的公钥，而不是乙的公钥。然后，你发送用你的�U�钥加密的信息，证明你的�w�䆾。甲�q�不能发觉你�q�不是乙�?/p>

To solve this problem, the standards community has invented an object called a certificate. A certificate has the following content:

The certificate issuer's name
The entity for whom the certificate is being issued (aka the subject)
The public key of the subject
Some time stamps

The certificate is signed using the certificate issuer's private key. Everybody knows the certificate issuer's public key (that is, the certificate issuer has a certificate, and so on...). Certificates are a standard way of binding a public key to a name.

��Z��解决�q�个问题�Q�标准化�l�织发明了证书。一个证书有以下的内容：

证书发行者的名称
被发�l�证书的实体�Q�也�U�Cؓ主题�Q?br /> 主题的公�?br /> 一些时间戳

证书使用发行者的�U�钥加密。每一个�h都知道证书发行者的公钥�Q�就是说�Q�每个证书的发行者也拥有一个证书，以此�c�L��Q�。证书是一个把公钥与一个名�U�绑定的标准方式�?/p>

By using this certificate technology, everybody can examine Bob's certificate to see whether it's been forged. Assuming that Bob keeps tight control of his private key and that it really is Bob who gets the certificate, then all is well. Here is the amended protocol:

A->B hello
B->A Hi, I'm Bob, bobs-certificate
A->B prove it
B->A Alice, This Is bob { digest[Alice, This Is Bob] } bobs-private-key

Now when Alice receives Bob's first message, she can examine the certificate, check the signature (as above, using a digest and public key decryption), and then check the subject (that is, Bob's name) and see that it is indeed Bob. She can then trust that the public key is Bob's public key and request Bob to prove his identity. Bob goes through the same process as before, making a message digest of his design and then responding to Alice with a signed version of it. Alice can verify Bob's message digest by using the public key taken from the certificate and checking the result.

通过使用证书技术，每个人都可以��查乙的证书，判断其是否被伪造。假设乙控制好他的私钥，�q�且他确实是得到证书的乙�Q�就万事大吉了。下面是修订后的协议�Q?/p>

甜y��—〉乙�Q�你�?br />乙——〉甲�Q�嗨�Q�我是乙�Q�乙的证�?br />甜y��—〉乙�Q�请证明
乙——〉甲�Q�甲�Q�我是乙 {摘要[�Ԍ�� 我是乙] } 乙的�U�钥

现在当甲收到乙的�W�一个信息，他能��查证书，核查证书上的�{�֐��Q�如上所�q�ͼ�使用摘要和公钥解密）�Q�检查证书中的主题（�q�里是乙的姓名）�Q�确定是乙。他��p��怿�公钥��是乙的公钥�Q�然后要求乙证明自己的��n份。乙通过前面描述�q�的�q�程�Q�制作一个信息摘要，用一个签名版本答复甲。甲可以通过使用从证书上得到的公钥检验乙的信息摘要，�q�对比结果�?/p>

A bad guy - let's call him Mallet - can do the following:

A->M hello
M->A Hi, I'm Bob, bobs-certificate
A->M prove it
M->A ????

But Mallet can't satisfy Alice in the final message. Mallet doesn't have Bob's private key, so he can't construct a message that Alice will believe came from Bob.

假设有一个坏��子�Q�我们称他�ؓH�Q�他可以�q�么做：

甜y��—〉H�Q�你�?br />H——〉甲�Q�你好，我是乙，乙的证书
甜y��—〉H�Q�请证明
H——〉甲�Q�？�Q�？

H不能满��甲的最后一个信息，他没有乙的私钥，因此他不能徏立一个��o甲相信是来自乙的信息�?/p>

EXCHANGING A SECRET
交换密钥�Q�secret�Q?/p>

Once Alice has authenticated Bob, she can do another thing - she can send Bob a message that only Bob can decode:

A->B {secret}bobs-public-key

The only way to find the secret is by decrypting the above message with Bob's private key. Exchanging a secret is another powerful way of using public key cryptography. Even if the communication between Alice and Bob is being observed, nobody but Bob can get the secret.

一旦甲已经验证乙后�Q�他��可以做另外的事情了--发送给乙一个只有乙可以解密、阅�ȝ��Q�另一个）密钥�Q?/p>

甜y��—〉乙�Q�{ secret }乙的公钥

只有使用乙的�U�钥才能解密上述信息�Q�得到secret�Q�另一个密钥）。交换（额外的）密钥是公钥密码术提供的另一个强有力的手�D�c��即使在甲和乙之间的通讯被侦听，只有乙才能得到密钥�?/p>

This technique strengthens Internet security by using the secret as another key, but this time it's a key to a symmetric cryptographic algorithm (such as DES, RC4, or IDEA). Alice knows the secret because she generated it before sending it to Bob. Bob knows the secret because Bob has the private key and can decrypt Alice's message. Because they both know the secret, they can both initialize a symmetric cipher algorithm and then start sending messages encrypted with it. Here is a revised protocol:

A->B hello
B->A Hi, I'm Bob, bobs-certificate
A->B prove it
B->A Alice, This Is bob { digest[Alice, This Is Bob] } bobs-private-key
A->B ok bob, here is a secret {secret} bobs-public-key
B->A some message}secret-key

How secret-key is computed is up to the protocol being defined, but it could simply be a copy of secret.

使用secret作�ؓ另一个密钥增��Z��|�络的安全性，但是现在�q�个密钥��用于对�U�加密算法的�Q�例如DES、RC4、IDEA�Q�。（译者注�Q�公钥算法在加密大信息量时开销比较大，所以在加密大信息量时一般采用对�U�加密算法，常规通讯使用公钥�pȝ��是不堪重负的。所以本文在�w�䆾验证后要利用公钥�pȝ��的可靠性交换一个对�U�加密的密钥�Q�以后的通讯��采用对�U�加密算法进行保护。）因�ؓ是甲在发送给乙之前��生的密钥�Q�所以甲知道�q�个密钥。乙也知道密钥，因�ؓ乙有�U�钥�Q�能够解密甲的信息。由于他们都知道密钥�Q�他们就都能够初始化一个对�U�加密算法，从开始发送（用对�U�加密算法）加密后的信息。下面是修定后的协议�Q?/p>

甜y��—〉乙�Q�你�?br />乙——〉甲�Q�嗨�Q�我是乙�Q�乙的证�?br />甜y��—〉乙�Q�请证明
乙——〉甲�Q�甲�Q�我是乙 {摘要[�Ԍ��我是乙] }乙的�U�钥
甜y��—〉乙�Q�你好乙�Q�这里是密钥 {secret}乙的公钥
乙——〉甲�Q�{some message}secret-key

�Q�对�U�密钥）secret-key是如何计��出来的�Q�完全由�Q�双方定义的�Q�通讯协议自已军_��Q�当然可以简单地��把secret做�ؓsecret-key�?

YOU SAID WHAT?
你在说什么？

Mallet's bag contains a few more tricks. Although Mallet can't discover the secret that Alice and Bob have exchanged, he can interfere in their conversation by damaging it. For example, if Mallet is sitting between Alice and Bob, he can choose to pass most information back and forth unchanged but mangle certain messages (easy for him to do because he knows the protocol that Alice and Bob are speaking):
H�q�有其他花招。虽然不知道发现甲和乙已�l�交换的密钥�Q�但H能干��C��们的交谈。如果黑客H在甲和乙�Q�的通讯链�\的）中间�Q�他可以放过大部分信息，选择破坏一定的信息�Q�这是非常简单的�Q�因��Z��知道甲和乙通话采用的协议）�Q?/p>

A->M hello
M->B hello

B->M Hi, I'm Bob, bobs-certificate
M->A Hi, I'm Bob, bobs-certificate

A->M prove it
M->B prove it

B->M Alice, This Is bob { digest[Alice, This Is Bob] } bobs-private-key
M->A Alice, This Is bob { digest[Alice, This Is Bob] } bobs-private-key

A->M ok bob, here is a secret {secret} bobs-public-key
M->B ok bob, here is a secret {secret} bobs-public-key

B->M {some message}secret-key
M->A Garble[ {some message}secret-key ]

Mallet passes the data through without modification until Alice and Bob share a secret. Then Mallet gets in the way by garbling Bob's message to Alice. By this point Alice trusts Bob, so she may believe the garbled message and try to act on it. Note that Mallet doesn't know the secret - all he can do is damage the data encrypted with the secret key. Depending on the protocol, Mallet may not produce a valid message. Then again, he may get lucky.

甜y��—〉H�Q�你�?br />H——〉乙�Q�你�?/p>

乙——〉H�Q�嗨�Q�我是乙�Q�乙的证�?br />H——〉甲�Q�嗨�Q�我是乙�Q�乙的证�?/p>

甜y��—〉H�Q�请证明
H——〉乙�Q�请证明

乙——〉H�Q�甲�Q�我是乙 {摘要[�Ԍ��我是乙] }乙的�U�钥
H——〉甲�Q�甲�Q�我是乙 {摘要[�Ԍ��我是乙] }乙的�U�钥

甜y��—〉H�Q�你好，乙，�q�里是密�?{secret} 乙的公钥
H——〉乙�Q�你好，乙，�q�里是密�?{secret} 乙的公钥

乙——〉H�Q�{some message}secret-key
H——〉甲�Q�Garble[{s ome message}secret-key ]

H忽略一些数据不修改�Q�直到甲和乙交换密钥。然后H�q�扰乙给甲的信息。在�q�时�Q�甲已经信�Q乙，所以他可能�怿�已经被干扰的信息�q�且��力解密。需要注意的是，H不知道密钥，他所能做的就是毁坏��用密钥加密后的数据。基于协议，H可能不能产生一个有效的信息。但下一�ơ呢�Q?/p>

To prevent this kind of damage, Alice and Bob can introduce a message authentication code (MAC) into their protocol. A MAC is a piece of data that is computed by using a secret and some transmitted data. The digest algorithm described above has just the right properties for building a MAC function that can defend against Mallet:

MAC := Digest[ some message, secret ]

Because Mallet doesn't know the secret, he can't compute the right value for the digest. Even if Mallet randomly garbles messages, his chance of success is small if the digest data is large. For example, by using MD5 (a good cryptographic digest algorithm invented by RSA), Alice and Bob can send 128-bit MAC values with their messages. The odds of Mallet's guessing the right MAC are approximately 1 in 18,446,744,073,709,551,616 - for all practical purposes, never.

��Z��L��q�种破坏�Q�甲和乙可以在他们的协议中引入一个信息验证码�Q�message authentication code�Q�以下称MAC�Q�。MAC是根据密钥和被传输的信息计算出的一�D�|��据。前面描�q�的摘要��法的特性在生成MAC时正好可以派上用场，用来抵�MH的攻击：

MAC= Digest[some message�Q�secret ]

因�ؓH不知道密钥，他不能计��出正确的摘要倹{��即使H随机�q�扰信息�Q�只要数据量大，他成功的��Z��微乎其微。例如，使用MD5�Q�一个RSA发明的好的加密摘要算法）�Q�甲和乙能够�l�他们的信息加上128位MAC倹{��H猜测正确的MAC的几率将�q?/18�Q?46�Q?44�Q?73�Q?09�Q?51�Q?16�Q�约�{�于零�?/p>

Here is the sample protocol, revised yet again:

Mallet is in trouble now. He can garble messages all he wants, but the MAC computations will reveal him for the fraud he is. Alice or Bob can discover the bogus MAC value and stop talking. Mallet can no longer put words in Bob's mouth.

下面又一�ơ修改后的协议：

甜y��—〉乙�Q�你�?br />乙——〉甲�Q�嗨�Q�我是乙�Q�乙的证�?br />甜y��—〉乙�Q�请证明
乙——〉甲�Q�甲�Q�我是乙 {摘要[�Ԍ��我是乙] } 乙的�U�钥
甜y��—〉乙�Q�你好，乙，�q�是密钥 {secret} 乙的公钥
乙——〉甲�Q�{some message�Q�MAC}secret-key

现在H已经无技可施了。他可以�q�扰��M��信息�Q�但MAC计算能够发现他的诡计。甲和乙能够发现伪造的MAC值�ƈ且停止交谈。H不再能假借乙通讯�?/p>

WHEN WAS THAT SAID?

Last but not least to protect against is Mallet the Parrot. If Mallet is recording conversations, he may not understand them but he can replay them. In fact, Mallet can do some really nasty things sitting between Alice and Bob. The solution is to introduce random elements from both sides of the conversation.
仅仅防范H的学舌式��d��是不够的。如果H记录下（甲和乙的�Q�通讯�Q�虽然他不能明白�Q�通讯的）含义�Q�但是他可以重现�Q�通讯�Q�。事实上�Q�隐藏在甲和乙中间的H可以做一些颇具威助的��d��。解��x��案是在双斚w��讯中引入随机因素�?br />

爱饭�?/a> 2006-09-25 11:33 发表评论

99久久久久,亚洲国产精品无码久久98,久久婷婷国产麻豆91天堂