
Two kinds of key establishment protocol named on this slide:
- key agreement
- key transport



Parties: initiator and responder.
Key types: static key; ephemeral key.
Diffie-Hellman protocol (Diffie, Hellman, Merkle, 1976; Williamson, 1974; Cocks, 1973).
Let $g \in G$, where $G$ is a group; typically $G = GF(p)$ or $G = E_{a,b}(GF(p))$.
Parties $A$ and $B$, with $A$ the initiator and $B$ the responder:

A: $s_A \leftarrow_R \mathbb{Z}$, $P_A = g^{s_A} \in G$
B: $s_B \leftarrow_R \mathbb{Z}$, $P_B = g^{s_B} \in G$
A → B: $P_A$
B → A: $P_B$
A: $K = (P_B)^{s_A} = g^{s_B s_A}$
B: $K = (P_A)^{s_B} = g^{s_A s_B}$

Security is based on the DLP:
- Discrete Logarithm Problem (DLP): given $a, b \in G$, find $x \in \mathbb{Z}$ such that $a^x = b$.
- Diffie-Hellman problem (DHP): given $\{g^a, g^b\}$, compute $g^{ab}$.

DLP vs. DHP:
- DHP reduces to DLP: an algorithm that solves DLP also solves DHP.
- In the generic group model (GGM), DLP and DHP in $G$ ... iff $q : q \mid \#G$, $q = \log(\#G)^{O(1)}$ (Shoup, 1997).
- Is DHP easier than DLP?

Elliptic-curve Diffie-Hellman. Group $G = E_{a,b}(GF(p))$, where
$E_{a,b} = \{(x, y) \in \mathbb{Z}^2 : y^2 \equiv x^3 + ax + b \pmod p\}$.
Protocol: $G = \langle P \rangle \subseteq E_{a,b}(GF(p))$.
Parties $A$ (initiator) and $B$ (responder):
A: $s_A \leftarrow_R \mathbb{Z}$, $P_A = s_A P \in G$
B: $s_B \leftarrow_R \mathbb{Z}$, $P_B = s_B P \in G$
A → B: $P_A$
B → A: $P_B$
A: $K = s_A P_B = s_A s_B P$
B: $K = s_B P_A = s_B s_A P$


Man-in-the-middle attack: adversary $E$ intercepts both public values and substitutes its own.
A: $s_A \leftarrow_R \mathbb{Z}$, $P_A = g^{s_A} \in G$
B: $s_B \leftarrow_R \mathbb{Z}$, $P_B = g^{s_B} \in G$
E: $s_E \leftarrow_R \mathbb{Z}$, $P_E = g^{s_E} \in G$
A → E (intended for B): $P_A$
E → A: $P_E$
E → B: $P_E$
B → E (intended for A): $P_B$
A: $K_1 = (P_E)^{s_A} = g^{s_E s_A}$
B: $K_2 = (P_E)^{s_B} = g^{s_E s_B}$
E: $K_1 = (P_A)^{s_E} = g^{s_A s_E}$, $K_2 = (P_B)^{s_E} = g^{s_B s_E}$
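The two runs above, as an added example that is not part of the slides: an honest Diffie-Hellman exchange over the multiplicative group of GF(p), and the same exchange with $E$ substituting $P_E$, showing that $A$ and $B$ end up with different keys that $E$ both knows, which is why the plain protocol needs key authentication. The prime and generator are constructed toy values.

```python
import secrets

# Constructed toy parameters for the demo: p a prime, g a fixed base.
P = 2**127 - 1
G = 3

def keygen(p=P, g=G):
    """s <-R Z, public value P = g^s in G."""
    s = secrets.randbelow(p - 2) + 1
    return s, pow(g, s, p)

def shared_key(peer_public, own_secret, p=P):
    """K = (peer's public value)^(own secret)."""
    return pow(peer_public, own_secret, p)

def honest_run(p=P, g=G):
    """A <-> B with no adversary: both sides derive the same K."""
    s_a, pub_a = keygen(p, g)
    s_b, pub_b = keygen(p, g)
    k_a = shared_key(pub_b, s_a, p)   # A: K = (P_B)^{s_A}
    k_b = shared_key(pub_a, s_b, p)   # B: K = (P_A)^{s_B}
    return k_a == k_b

def mitm_run(p=P, g=G):
    """E replaces both public values with P_E, as in the slide's table.
    Returns (A and B disagree on K, E knows A's K1, E knows B's K2)."""
    s_a, pub_a = keygen(p, g)
    s_b, pub_b = keygen(p, g)
    s_e, pub_e = keygen(p, g)
    # A and B each receive P_E instead of the other party's value.
    k1_a = shared_key(pub_e, s_a, p)  # A: K1 = (P_E)^{s_A}
    k2_b = shared_key(pub_e, s_b, p)  # B: K2 = (P_E)^{s_B}
    k1_e = shared_key(pub_a, s_e, p)  # E: K1 = (P_A)^{s_E}
    k2_e = shared_key(pub_b, s_e, p)  # E: K2 = (P_B)^{s_E}
    return k1_a != k2_b, k1_e == k1_a, k2_e == k2_b

if __name__ == "__main__":
    print("honest run keys agree:", honest_run())
    print("mitm run (A!=B, E knows K1, E knows K2):", mitm_run())
```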


Security properties:
1.
2.
3. Forward Secrecy for A (B; A and B): compromise of $s_A$ ($s_B$; $s_A$ and $s_B$) must not expose the session key $K$.
4. ... for A (B; A and B): compromise of $s_A$ ($s_B$; $s_A$ and $s_B$) ... $K$.
5. Key-compromise impersonation (KCI): compromise of $s_A$ ($s_B$) lets the adversary impersonate B (A).
6. Unknown key-share (UKS, source-substitution): A believes it shares $K$ with B, while B believes it shares $K$ with $E \neq A$.


Attacks on key establishment protocols:
- eavesdropping, followed by cryptanalysis
- modification attack
- impersonation
- replay attack
- reflection attack
- forced delay attack
- adapted messages attack
- timing attacks
- known-key attack (a previous session key of A becomes known)
- bindings attack (substitution of identifiers, keys, etc.)
- denial of service (DoS)


Requirements:
1. implicit key authentication
2. key confirmation
3. authentication
4. forward secrecy
5. key freshness
6. KCI resistance
7. UKS resistance


1.
2.
3. (online/offline)
4.
5.


Standards. ISO (International Standards Organisation):
- ISO/IEC 11770-3:2007 (Information technology - Security techniques - Key management - Part 3: Mechanisms using asymmetric techniques), 2007: 11 mechanisms.

Mechanisms include:
- MTI/A0
- full-UM
- one-pass MQV
- MQV
- ISO-STS-MAC



ASC (Accredited Standards Committee):
- ANS X9.42 (draft), Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography, 2001
- ANS X9.63 (draft), Public Key Cryptography for the Financial Services Industry: Key Agreement and Key Transport Using Elliptic Curve Cryptography, 2001
Covered: DH (7 schemes), MQV (2 schemes), ECC analogues, KDF.



NIST (National Institute of Standards and Technology):
- NIST SP 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, 2007
- NIST SP 800-56B, Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography, 2009

NIST SP 800-56A: 14 schemes, classified by the number of ephemeral and static keys contributed, written C(ephemeral, static):

  ephemeral   (ephemeral, static)
  C(2)        C(2,2), C(2,0)
  C(1)        C(1,2), C(1,1)
  C(0)        C(0,2)

Each class has DH, Full-UM and MQV forms.


RSA PKCS (Public Key Cryptography Standard) #3.
IEEE (Institute of Electrical and Electronics Engineers) P1363, Standard Specifications for Public Key Cryptography.

P1363 secret value derivation primitives:
- DLSVDP-DH: Discrete Logarithm Secret Value Derivation Primitive, Diffie-Hellman
- DLSVDP-DHC: Diffie-Hellman with cofactor
- DLSVDP-MQV: Menezes-Qu-Vanstone
- DLSVDP-MQVC
- ECSVDP-DH
- ECSVDP-DHC
- ECSVDP-MQV
- ECSVDP-MQVC
In total: DH + MQV, in two families (discrete logarithm and elliptic curve).

Internet:
- IETF RFC 2246 (TLS)
- IETF RFC 2409 (IKE)
- IETF RFC 2631 (D-H)