
Practical Cryptography

Niels Ferguson
Bruce Schneier

-
2005

32.973.26018.2.75
43
681.3.07

..
. ..
..
..
:
info@dialektika.com, http://www.dialektika.com

, , , .
43

. : . . . :
, 2004. 432 . : . . . .
ISBN 5845907330 (.)

. , , , ,
. , , . , ,
,
.

32.973.26018.2.75
.

,
, ,
JOHN WILEY&Sons, Inc.
c 2005 by Dialektika Computer Publishing.
Copyright
c 2003 by Niels Ferguson and Bruce Schneier
Original English language edition Copyright
All rights reserved including the right of reproduction in whole or in part in any form. This
translation is published by arrangement with Wiley Publishing, Inc.

ISBN 5845907330 (.)


ISBN 0471223573 (.)

c - , 2005

c Niels Ferguson and Bruce Schneier, 2003

1.
2.
3.
I
4.
5.
6.
7.
8.
9. . I
II
10.
11.
12.
13. RSA
14.
15.
16. . II
III
17.
18.
19. PKI:
20. PKI:
21. PKI
22.
IV
23.
24.
25.

16
20
25
39
61
62
87
104
118
132
150
175
176
208
229
245
266
282
301
319
320
331
337
345
362
369
387
388
395
402
407
408
416

16
18

1.
1.1
1.2

20
21
24

2.1
2.2
2.3
2.4

2.




2.4.1




25
26
27
29
30
31
33
35
36
37
38

3.
3.1
3.1.1
3.2
3.3
3.4
3.5
3.6
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6 ,

39
39
41
42
44
46
47
49
49
49
50
51
51

2.5
2.6
2.7
2.8
2.9

52

3.7
3.8
3.9

3.6.7
3.6.8

4.1
4.2
4.3
4.4

4.
?



4.4.1
4.5
4.5.1 DES
4.5.2 AES
4.5.3 Serpent
4.5.4 Twofish
4.5.5 AES
4.5.6
4.5.7
4.5.8

5.1
5.2
5.3

5.4
5.5
5.6
5.7
5.8

5.

(ECB)
(CBC)
5.3.1
5.3.2
5.3.3
5.3.4
(OFB)
(CTR)



5.8.1
5.8.2
5.8.3

7
53
55
55
56
58
61
62
62
63
65
65
68
70
71
74
78
79
82
82
83
85
87
88
89
90
90
90
91
92
93
95
97
98
99
101
102
103

6.
6.1
6.2
6.2.1 MD5
6.2.2 SHA-1
6.2.3 SHA-256, SHA-384 SHA-512
6.3
6.3.1
6.3.2
6.4
6.4.1
6.4.2
6.5
6.6

104
105
107
108
109
110
111
111
112
113
114
115
116
117

7.1
7.2
7.3
7.4
7.5

118
118
119
119
120
122
124
125
125
126
127
128
128
129
129

8.
8.1
8.1.1
8.1.2
8.1.3
8.1.4
8.2
8.3
8.3.1
8.3.2
8.3.3

132
132
132
133
134
134
136
139
139
140
141

7.
MAC
MAC
MAC
CBC-MAC
HMAC
7.5.1 HMAC SHAd ?
7.6 UMAC
7.6.1
7.6.2
7.6.3
7.6.4
7.6.5 UMAC?
7.7 MAC
7.8 MAC

8.4

8.5
8.6

8.3.4

8.4.1
8.4.2
8.4.3
8.4.4

141
142
142
143
145
146
147
149

9. . I
9.1
9.1.1
9.1.2
9.1.3
9.1.4 ?
9.2
9.3
9.3.1
9.3.2
9.3.3
9.3.4
9.3.5
9.3.6
9.3.7
9.4
9.4.1
9.4.2
9.4.3
9.4.4
9.4.5
9.5
9.6

150
152
152
153
154
155
156
157
157
160
161
163
165
166
167
168
168
169
170
171
172
173
174

II

175

10.
10.1
10.1.1
10.1.2
10.1.3

10.2

176
177
178
179
180
181

10

10.3 Fortuna
10.4
10.4.1
10.4.2
10.4.3
10.4.4
10.4.5
10.5
10.5.1
10.5.2
10.5.3
10.5.4
10.5.5
10.5.6
10.6
10.6.1
10.6.2
10.6.3
?
10.6.4
10.6.5
10.6.6
10.7 ?
10.8

11.
11.1
11.2
11.3
11.3.1
11.3.2
11.3.3
11.3.4
11.3.5
11.3.6 2
11.4
11.4.1 ,
11.4.2

183
183
186
186
187
188
189
189
190
191
194
197
197
199
200
201
201
202
202
203
204
205
206
208
208
211
213
214
215
215
217
218
219
220
223
227

11

12.
12.1
12.2
12.3
12.4
12.5
12.6
12.7 p
12.8
12.9

229
230
231
233
235
236
237
238
241
242

13. RSA
13.1
13.2
13.2.1
13.2.2
13.2.3
13.2.4
13.3 n
13.4 RSA
13.4.1 RSA
13.4.2
13.4.3
13.4.4 n
13.4.5 RSA
13.5 RSA
13.6
13.7

245
245
246
247
248
248
250
250
251
252
252
253
255
255
257
259
262

14.
14.1
14.2
14.2.1
14.3
14.4
14.5
14.5.1
14.5.2
14.5.3
14.5.4
14.5.5
14.5.6

266
266
267
269
269
272
273
273
274
275
276
277
279

12

15.
15.1
15.2
15.3 !
15.4
15.5
15.6
15.7
15.8
15.8.1
15.8.2
15.8.3
15.8.4
15.9
15.9.1
15.10
15.11
15.12

282
282
283
285
286
287
288
290
292
292
293
293
295
296
297
297
299
299

16. . II
16.1
16.1.1
16.1.2 DH
16.1.3 RSA
16.1.4 RSA
16.1.5
16.2
16.3
16.3.1
16.4
16.4.1

16.4.2
16.4.3

301
301
303
307
308
308
309
309
311
312
314

III

319

17.
17.1
17.1.1
17.1.2
17.1.3

314
315
317

320
320
320
320
321

17.2
17.3

17.4
17.5
17.6
17.7

17.1.4


17.3.1
17.3.2
17.3.3

13
322
322
323
323
324
325
326
327
329
330

18.
18.1
18.2 Kerberos
18.3
18.3.1
18.3.2
18.3.3
18.3.4
18.4

331
332
332
333
334
335
335
336
336

19. PKI:
19.1
19.2
19.2.1
19.2.2
19.2.3
19.2.4
19.2.5
19.3
19.3.1
19.3.2
19.3.3
19.4

337
337
338
338
339
339
339
340
340
340
342
342
343

20. PKI:
20.1
20.2
20.3
20.4
20.5
20.6

345
345
348
349
350
351
352

14

20.7
20.8
20.8.1
20.8.2
20.8.3
20.9
20.10

355
356
356
358
358
359
361

21. PKI
21.1
21.1.1
21.1.2
21.2
21.3
21.4 ?

362
362
362
363
364
367
368

22.
22.1
22.2
22.2.1
22.3
22.4
22.5
22.6
22.7
22.8
22.9
22.10
22.10.1
22.10.2
22.10.3

369
369
370
372
375
376
377
379
380
381
382
383
383
384
386

IV

387

23.
23.1
23.1.1
23.1.2
23.1.3
23.2 SSL
23.3 AES:

388
388
390
390
391
392
393

15

24.
24.1
24.2
24.3
24.4
24.5
24.6
24.7
24.8

395
395
396
397
397
398
400
400
401

25.

402

407

408

416



, . 90-
, Internet.
,
. ,
, . ,
, ,
.
, ,
.
10 , .
, Internet
-.
, .
. ,
.

Internet , . ,
. ( , , ).

, . , . ,

16

17

, . .
.
, .
, . ,

, .
, , . , ,
, , , . ,
112 128 , , . ,
, . ,
: .. , .
,
10 , .
DES, , 112-
, ,
. ,
-, ,
, .
.
, ,
. , , .
Applied Cryptography [86], 10 . , Applied Cryptography,
, ,

18

. ; , , . Applied
Cryptography
,
, , .
, .
, .
Applied Cryptography ( ) Secrets
and Lies [88], Crypto-Gram.
, CWI (
)
DigiCash.
Blowfish,
Twofish.
. .
, . 1991 1999
Counterpane Systems
. Counterpane Internet Security,
Inc.

. Counterpane ,
MacFergus. . ,
, , .
,
, .


. -

19

, . -
, : . , , ,
.
,
. , . ,
. ( ,
; .) , , ,
, , ( ,
, ) - .
, Web- http://
www.macfergus.com/pc .
, ,
.
, , :
practical-cryptography@macfergus.com
.
, . ,
. , .
2003

niels@macfergus.com

schneier@counterplane.com

, ,
. ,
, .
,
. . , , .
, ,
.
,
. ,
.
. , , : ,
. ,
. . , .
- .
, ,
. , .
. , .
, .
,
.

20

1.1.

1.1

21

--
, . XIX , .
, .
, ,
: .
: , . .
.

, .
,
. , , .
, . ,
. ,
.
, - , .
--
. 1878 (Thomas Bouch) -- ,
. ,
, . , , 28 1879
, 75 . .
1 .
--, ,
1

- (William McGonagall) , : For the stronger we our houses do build/The less


chance we have to be killed ( , ,
). .

22

1.

, ,
.
, ,
- . .
: -
, .
.
,
, ,
. ,
- ,
, . !
, , . ?
. , 90% .
,
. -
.

,
. , ,
.
Internet -,
.
. ,
Secrets and Lies,
, [88].

, , (
). , , .
, ,
90% . ? 10 ( ),
,
10 . . 90%
,

1.1.

23

10 ,
.
.
, : Web-, ,
, ..
.
, .
, -, . , ,
, ,

. ,
, .
, 10 ?
. ,
, .
-
, : . ?
, ,
.
, , ,
- . , ,
, . ,
.

.
, .
.
, , . , , :
.
.

24

1.2

1.

, . ; , ,
.
, . . 20 ,
. . ,
.
, . , , . 20. ,
- , .
. ,
. ,
.
, ,
. , .
.
.
, .
- . . ,
.
. , ,
, , , .
,
.
, , .



.
. ,
. :
,
, .
.
,
, , ,
, , , , , ,
..
, . , .
,
. ,
. -
, . ,
.
. ,
. ,
. , : -

25

26

2.

. ,
.

2.1

. .
. . ,
, , , -.
.
:
.
, , . ,
- , .
. , .
: .
, . ,
.
, . ,
. . , , (
) . , . , , .
, , . ,
Web- . :
.
, .
, , , , .

2.2.

27

,
. ,
. .
, , . ,
. -
. ,
, . . .

2.2

,
:
,
.
, , . ,
.

. ,
,
. , .
, .
.
, .
, ?
, , .
.
,
. . , ,
.
, :
, , .
. (),
(). -

28

2.



"-"

. 2.1.

, ,
.
,
. ,
. . , , ,
.
(attack tree). , . 2.1. , . , ,
. . .
: , ,
, , , . ,
, . ,
, ..

, .
, .
-

2.3.

29

. , ,
, .. ,
, ,
.
. , , , . . , , .
.
, . ,
12- ,
.
.
, . . , ,
.
.
.
.
, .

2.3



, (adversarial setting).
,
, .
, .
-. , , ; , .
, .
.
, ,
,
. , -

30

2.

, ,
.
,
. ? , .
. ,
-.
,
, . ,
, .
,
. , , ,
? : .
, , . .
,
.
.
, , .
; , , ,
.
, -
, . , , ,
,
. , , , .
!

2.4

, .
, . ,
. ,

2.4.

31

, . ,
, , .
, .
. , . , - . . . 1 .
. , . : , , .
, .
, . ,
.

2.4.1

. , ,
. ,
. ,
, : ,
?.. , .
,
. ,
. - -, .
, 2 .
,
. :
. ,
. , 1

: , , , ,
.
2
, ,
, .

32

2.

, , .
, .

. , , , , . 1999
, AES.
Magenta
. , - Magenta ,
, .
. ,
. . ,
,
. ,
,
. .
. , , .
, , .
. , . - :
, : , , ,
. ,
:
- -, . ,
, . ,
.
, - ,
.
, , , .

2.5.

2.5

33

.
, - . , , -, , .
, .
, . ?
, . . ,
.
.

(Secure Electronic Transaction SET), , Internet . SET
, , , . . , ,
, .
.
,
. , . SET
, ,
. (
SET , , .)
, SET .

. . SET .
SET , .
, , SET.
Internet.

34

2.

. Internet .
- :
, - .
, .
, , ,
( PIN-), .
,
. , ,
. SET -. SET (
13, RSA).
, .
.

. , ,
SET? , .
, , SET , .
, . SET .
, SET , /
. , : , -
, : , -
.
. , , .
. ,
,
.

2.6.

2.6

35

, .
, . ,
.
? .
. , . ,
. . (
) , . , :
. ,
. ,
, . ,
, .
. ,
, .
.
- , ,
, , ( , ).
? . , .
. ,
,
, , , .
, , , :
. , . , .
, , .
. . , , .

36

2.

,
. , , ,
. ,
,
. ( ) ,
, - , .

2.7

.
, . , .
.
. , , . , , ,
. ,
: , .
.
, , . , ,
. ( , , ,
20-30 , , , .)
,
. , ;
, . .
,
.
, , , -
, .
, Applied Cryptog-

2.8.

37

raphy [86] .
,
. ,
.
? , .
, , -
, .
, ,
.
, .
.

2.8

, ,
. , , .
, . ,
, , , ,
. . , ,
, , !
,
, . , . , ,
.
. , ,
, .
, . , -

38

2.

.
,
. , .

2.9

, ,
(David Kahn) The Codebreakers [45]. XX . ,
, .
, , Applied Cryptography [86],
.
, .
(Menezes), (van Oorschot) (Vanstone) Handbook
of Applied Cryptography [64]. , , ,
.
Secrets and Lies [88] , . ,
(Ross Anderson) Security Engineering [1].
.


,
,
.

3.1

.
. 3.1 ,
. . ( , Alice, Bob
Eve.) , . . m, , .
( ,
, , . ,
, ,
.) ,
?
, , , . 3.2.
Ke . , (,

39

40

3.

m

m
m

. 3.1. ?

c

m, c := E(Ke, m)

c, m := D(Ke, c)

. 3.2.


).
m, . E(Ke , m), (ciphertext) c. ( m
(plaintext).) m, c := E(Ke , m).
c,
D(Ke , c) m, .
Ke , c, . m
c Ke .

( ),
.
, .
,
.

3.1.

3.1.1

41

: D Ke .
: Ke
.
. .
, . .
. , .
( ). .
( ) .

, . ,
. ?
.

. , . ,
, . . ,
,
. ,
. :
, .
. , , , . ,
.

42

3.2

3.

(. . 3.1)
. .
.
, . , . 3.3
, m, . m,
m0 . , , .
, , ,
,
.
, .
, ?
. ,
, - .
. , ,
. Ke , Ka .
m . 3.4. m,
(Message Authentication Code MAC ).
MAC a a := h(Ka , m), h MAC, Ka .
m a.
m a, ,
Ka , , a.

m'

m'
m

m'

. 3.3. ,

3.2.

43

. 3.4.

m,
m0 . m m0 ,
h(Ka , m0 ) a. MAC
, ,
, .
, Ka , MAC ,
. .
MAC, , - .
. , ,
.
, . m
, ,
. , MAC,
, .

. ,
.
.
,
m1 , m2 , m3 , . . .. , MAC -

44

3.

1
. , , . ,
.
,
. , ,
, .
,
, , ,
.
,
.
, : ! ,
.
, . .

3.3

, 3.1, Ke .
? ,
.
, .
, -
. , 20 ,
,
19 .
190 . ,
.
1

3.3.

m, c := E(PB, m)

45

c, m := D(SB, c)

. 3.5.

.

.
(. 3.5). ; , ,
, .
, . 3.2. ,
. .
.

(SB , PB ). SB PB .
: PB . (
?)
, PB , .
m PB
c. SB , m.
,
, , . , D(SB , E(PB , m)) = m m. .
, . .
,
.
(asymmetric-key encryption) (public-key encryption) (symmetric-key

46

3.

encryption) (secret-key encryption),


.

. ,
. ,
.

, .
, , ?
: .
.
, ,
.
, , ,
.
.

3.4

(MAC).
. 3.6.
(SA , PA ).
m, s := (SA , m). m s . PA
(PA , m, s) . . ,
,
.
, , . ,
, .

3.5.

47

m, s := (SA, m)

m, (PA, m, s)?
m, s

. 3.6.


(digital signature). . -
m s ,
.
, . . . . , .
, , . ,
,
. ,
, .
.

3.5


, . ,
PB , - ? .
(public key infrastructure PKI).
, (certificate authority CA).
. . ,
(certificate), : , , ,
PB . , -

48

3.


.
. , , .
PB . ,
PB , . , PB
.
, .

,
,
. , . :
, .
. , (root),
, , , .
,
, .
;
. ,
. . , . , , ,
. ,
, .
. , ? - . ?
, , - .
.

3.6.

49

, .
, , VeriSign.
.
100 . ,
Internet (
, VeriSign).
, .
, , 100 .
, , 19, PKI: , 20,
PKI: , 21, PKI.

3.6

,
. , . ,
.

3.6.1

, (ciphertext-only attack).
,
.

. ,
.

3.6.2

(known plaintext attack)


. , , , . :
? ,
. . :

50

3.

, :
.
. , , .
.
, , .
, , . , ,
.
-.
- , .

, . , .
IP-. ,
.
. ,
,
.

3.6.3

,
. ,
. , , .
.
,
, . , .

3.6.

51

(, )
.
(chosen plaintext attack) . . ,
, , ,
: ,
.
:
(offline) (online). ,
, ,
. ,
. . , ,
,
, .

3.6.4

(chosen ciphertext
attack) . , .

. , , .

,
.
,
, ,
. , ,
, .
.

3.6.5


. , -

52

3.

, .
, , , . ,
,
. ?
, . (distinguishing attack)
,
. ,
, . , , .
, ? .
, .
,
. , ,
.
, ,
- . ,
, , . ,
, - .

3.6.6


, : 23 , , ,
50%. , ,
365 .
, ,
(birthday attack)? , ,
, (collisions), , .
,
64- . ( , .)
$2^{64}$ ( , $18 \cdot 10^{18}$ , .. 18

3.6.

53

),
, ? ! $2^{32}$ , ,
. , , , : ?
, MAC ,
. ,
,
. ,
, .
, N ,

N . , , N

.

$N = 365$ $\sqrt{N} \approx 19$. ,
50%, 23,
$\sqrt{N}$ . . $k$
$N$ , $k(k-1)/2$ . ,
, $1/N$ . , ,

$k$ , $k(k-1)/(2N)$ . $k \approx \sqrt{N}$ ,
50%2 .
$n$- . $n$-
$2^n$ ,

$\sqrt{2^n} = 2^{n/2}$ , . $2^{n/2}$
(birthday bound).

3.6.7

,
,
(meet-in-the-middle attacks). (
(collision attacks).)
.
2
,
.

54

3.

, ,
.
, 64-
. , .
$2^{32}$ 64- . MAC : ? MAC .
,
MAC . , ,
,
MAC. , , . (,
, .)
? MAC $2^{32}$ . , , 1 $2^{32}$
, , $2^{32}$ ,
. , $2^{32}$ $2^{32}$ . ,
$2^{64}$ .
,
, .
,
. ,
, .
.
, ,
. . ,
$N$ . $P$ , $Q$ . $PQ$ , , . , , $1/N$ . -

3.7.

55

, $PQ/N$
. $PQ \approx N$ .
, .
, $P$ $Q$. ,
, .
$PQ \approx N$ . $P \approx N^{1/3}$ , $Q \approx N^{2/3}$ . $2^{40}$ MAC
$2^{24}$ .
, ,
$N$ ,
, . ,
, .
, $P$ $Q$ ,
$PQ \approx N$ .

3.6.8

.
, , , ..
.

3.7

, , . ,
.
, , . 2235 ,
235- .
, , , .
,
.
, .
. .

56

3.

, ,
. , ,
, , -
. . , ,
. ,
.
128- . , , , $2^{128}$ . , , , 30 20 . ,

50 . ,
, . 128- [62]. ,
110 100 , , , ,
128- .
. , , ,
. .
- .
,
.

3.8


, .
.
, . , . ,

3.8.

57

,
. . -,
.
. ,
,
.
,
. , ,
.
, , . , .
, ,
.
. , . , , 100 /, AES 20%
Pentium III 1 . ( ,
100 / - .) ,
, , . -

1 /. , , . ,

.

.
Web-, SSL-. SSL- . , SSL,

58

3.

. .
SSL,
. .
.
.
, : . ?
. , ,
. ,
, .

3.9

, .
1. .
,
. IT-
. - , . . . , ,
. , , ,
.
: ,
, ,
.. , , .
,
. ,
, ,
. ,
.
.
, , .
.
, .

3.9.

59

, .
. . ,
. ,
-
. ,
.
. , ,
. , , . ,
. , , ,
.
. . , , , .
.
2. .
, , , .
- : ,
.
-
. .
,
. ,
, ,
.


. ,
,
.

4.1

(block cipher) , .
128 (16 ).
128- 128- . :
, 128-
128- .
,
(block size).
, .
, - .
,
. 128 256 . p K E(K, p)
EK (p), c K
D(K, c) DK (c).
, . . ( -

62

4.2.

63

), ,
5, .
,
. ,
. (
)!
, . ,
. , . 32 16 ,
64 150 . ,
128 51039 . ! , ,
. , . ,
, .

. , . ,
, . (permutation).
k k-
.

4.2

, ,
: ,
. ,
, . ,
.
[53, 91], .

64

4.

. 3.6
. .
, .
(relatedkey attack). 1993 [7],
, . , ,
. , , , . , , .
. , ,
, . ,
.
.
Twofish
(chosen key attack),
[85]1 .
- , , ?
. ,
,
. .
[95]. ,
, . , , . , . , , - .
1

,
Twofish [31], .

4.3.

65

4.3

,
. ? , . :

, . , 128- ( 128- )
,
$2^{128}$ 128 .
,
(..
).
,
, . , ,
. ,
.
.
, .
,
. ,
.

4.4

(, [52]). , , . ,
.
1 ,
.

66

4.

, ? ,
.
2 .
?
X ,
.
, , X . ( , , .) , .
, .
, ,
: X .
, .
, , . 0 0 , , X. , , ,
. .
.
: ,
, 2 . ,
.
, , .
. 0
1, . . . , $2^{32}$ , 32 .
2

1964 (Potter Stewart)


, :
. . . , ,
.

4.4.

67

X , t
. .
,
X. (,
t.)
, .
1000 ,
.
X ,
. , 0,001. ,
, ,
, , .

. , . ,
, .
, , . ,
. n , ,
n- .
, . , . ,
2n . , , , ,
.
.
: $2^{n-1}$ 75% .
( , . , 50%-
. ,
$0{,}5 + 0{,}5 \cdot 0{,}5 = 0{,}75$.)
,
.

68

4.

. , , (
, , ),
.
.
, ,
?
, . . , ,
,
. , .
, ,
, , . , ;
, .
, .

4.4.1

, . , . ,
. ,
i i. , . , :
( ), ( ). , ,
, ,
.
128 ,
32- . 32- . , .

4.4.

69

, .
.
. (parity attack).
,
. , , ,
. , .
75 . , ,
. ,
.
,
. ,

, . ( :
.)
, . ,
,
: ,
.
, .

.
3 , , .

,
. . ,

70

4.


.
- , , .
,
, .

4.5


.
. .
:
.
, , ,
. ,
, .
,
: ,
! ,
.
, . , .
,
.
,
(round).
. , , , .

.
.

.
Internet.
.

4.5.

4.5.1

71

DES

DES (Data Encryption Standard ) [69], , .


56 64 DES .
DES 3DES [72]
,
DES. ,
.
DES , 3DES
. , DES
, DES 3DES .
. 4.1 DES. , DES; . , , .
.
XOR (
) ,
, .
, .
DES 64- , 32- : L () R (). L

R
Ki
F

. 4.1. DES

72

4.


. ,
DES
; DES
.
,
64- , .
DES 16 ,
1 16. i (L, R) (L, R)
Ki . F ( . 4.1 ).
, R .
16 R, 32- 48-.
XOR 48- Ki . S-. S- ( S substitution, .. ) .
48-
, S- , 6 4- .
, 48- S-,
32- .
, XOR L. ,
. 15 .
DES [29].
.
L F (Ki , R) ( F
) L R. , . L
R L F (Ki , R).
.
, ,
.
L R, .

.
, .

4.5.

73

DES 48- . 48 56 , -3 .
DES .

.
XOR , , , . S- .
, , . , S-, . ,
F , .
..
, .
DES ,
.
. 0,
0. , , , .
,
.
. , 0 ,
0. , ,
4 .
DES ( ). K P
:
$E(\overline{K}, \overline{P}) = \overline{E(K, P)}$,
, $\overline{X}$
$X$. , 3

,
DES [69].
4
, .
DES.

74

4.

, ,
() .
. . 4.1 ,
, L, R Ki . , .
XOR , . S-
, , , . XOR ,
. L ( R) . ,
L, R Ki , ,
,
. .

. , , DES.
, DES . .
DES .
3DES . , DES ,
. , . ,
3DES , 64 . ,
. (
5.8.) 3DES ,
.

4.5.2

AES

, AES (Advanced Encryption


Standard ). , (National Institute of Standards

4.5.

75

and Technology NIST) . 15 [71], [73].


Rijndael, 5 . , . ,
. , , AES,
, .
, ,
, , .
AES DES. AES . . 4.2
AES. . 16 .
XOR 16- (128-) . (
). 16 S, 8- 8- . S- .
. , . , 4 ,
.
, XOR .
.
10-14 , .
DES, AES , DES.
AES . , , AES. ,
. S5

, , Rijndael. : -, ,
, .

76

4.

. 4.2. AES

, , ,
.
DES, AES , . XOR , S- ,
.
AES ,
.
AES
. AES .
6 ,
1014 , [18].
, 7 128- , 8 192-
9 256- [30]. ,
3 5 . ,
128- 70%
. , AES ,
- .
, , ,
. -

4.5.

77

DES, FEAL IDEA.



. , ,
,
-
.
,
. , AES, , , 2120 2100 .
, , , 120 .
,
- .
50
, (.
3.7).
AES [33]. AES

256 . , , ,
- - , AES
, .
. ,
, , AES.
. . AES .
- , . :
.
. , , - .
, . . . 20 :
, .
.
AES. . , AES.
AES .

78

4.

. ,
, , . , , ,
, .
, -
10%. ,
, 10%. ,
AES 1% ,
, .
, AES, .
AES,
,
. AES - , , . , AES

.

4.5.3

Serpent

Serpent ,
AES [2].
. ,
Serpent AES. AES , Serpent
.
10 32 [6]. Serpent
AES.
, S-
, .
Serpent AES.
32 . 128- XOR, 128-
32
S-. 32 S, . ,
S-, .

4.5.

79

Serpent.
,
32 S-,
32. 1024 ,
. S- .
.
,
AND, OR XOR. , 32-
32 ,
, .
- (bitslice). Serpent - .
S-,
.
Serpent , Rijndael ( AES),
. . Serpent , DES,
, 3DES.
AES.

4.5.4

Twofish

Twofish AES. AES Serpent


, AES, .
, .
8 16.
Twofish
. , Twofish
.
DES, Twofish .
Twofish . 4.36 . 128-
. 32- , 32- . ,
6
, .
, Twofish, , Twofish [85].

80

4.

p (128 )
K1

K0
F

K2
g

K2T+8

S0
S1
S2

K3

<<<1

PHT
MDS

S3
g

S0
<<<8

S1
S2

MDS

S3

K2T+9

>>>1

15

K4

K5

K6

K7

(128 )

. 4.3. Twofish

Twofish . F
, g,
PHT . F
XOR ( ). <<< >>>
32-
.
g S-,
, ,

4.5.

81

AES. S- .
, , S- Twofish
; . , S- . S-
, , ,
. ,
Twofish .
S- .
PHT g, 32 . F . , , .
, Twofish (whitening).
.
,
.
, Twofish
, , .
: . Twofish, . , . Twofish ,
. AES Serpent ,
,
. , Twofish
. .
,
. 5%. ,
, , , AES.
, AES . AES, , ,
Twofish .
, , , .
.

82

4.5.5

4.

AES

, AES . :
RC6 [77] MARS [13]. ,
.
RC6 , 32- . AES 17 RC6. 20
,
.
MARS . ,
MARS , . , . ,
S- MARS, ,
S- , . , ,
MARS ( ), .
MARS
. ,
.
- RC6 MARS . ,
AES, Serpent Twofish ,
.

4.5.6


.
. ,
, ,
XL, FXL XSL.
2002 (Nicolas Courtois) (Josef
Pieprzyk) , Serpent AES [17].
.
AES.
32- Serpent,
AES.

4.5.

83

. ,
. XSL , . , AES Serpent,
. , 2128 , ,
128- , XSL-. XSL- ,
. ,
,
.
, . ,
AES Serpent. - , XSL
. ,
.
? . , .
, .
, . XSL- , .
. , ( ,
), XSL- .
Twofish?
Twofish. Twofish ,
AES Serpent, . ,
.
- XSL- AES Serpent,
, , Twofish.

4.5.7

. , ,
Twofish.
, AES, .

84

4.

XSL- . ,
.
, , , .
XSL-, . ,
XSL-. , ,
.
, , AES.
, .
. , ,
. ,
AES , . , ,
: , IBM.
, AES. ,
/ , AES.
AES . .
, . , , AES.

, Serpent.
AES , Serpent
( )
.
Twofish. Twofish , AES
. , AES
. Twofish , .
3DES.

64 , 3DES. , , , ,
64- .

4.5.

4.5.8

85

,
(AES, Serpent Twofish), 128, 192
256 .
128 . , 128- .
, : . , , , .
, , , ,
, .
. ,
.
3.
$n$ , , , $2^n$ .
, . , , . , 128-
256 ,
128 . , .
, .
, , ,
, .
: 256- !
, AES (Rijndael)
AES, 256- , 128-7 . ,
. , 128- .
128- , 128- , . ,
.
7

Serpent . Twofish

,
.

86

4.

, .
, . 256- .
, 256- 128 . ,
, , $2^{128}$ .
,
(128 ),
(256 ).
. 256-
128- .
XSL- AES Serpent
. , , .
Serpent,
$2^{128}$ . XSL-, ,
256- Serpent, 256- Serpent, Serpent (
) 128 . ,
128 , ,
$2^{128}$ , XSL- Serpent .
XSL- AES.


. - , ,
(block cipher modes).
, .
, . ,
. , , . , . ,
, . ,
() ( , ,
) . , .
, .
, . . ,
,
, 7,
.

87

88

5.1

5.


P , C,
.
, P .
. .
, , .. .

. . ,
p ,
p k 0. ( k .)
, . , .
, .
,
.
, . ,
, . , , ,
.
,
, .
, ? P ,
l(P ) , b
. .
128,
, b.
0, . . . , b 1.
, ,
b. n, 1
n b n+l(P ) b. n ,
n.

5.2. (ECB)

89

. , , . , .
.
, , . P P1 , . . . , Pk . k
d(l(P ) + 1)/be, d. . .e
, .
, P
P1 , . . . , Pk .

, . ,
. . ,
.

5.2

(ECB)

, ,
(electronic codebook ECB). :
$C_i = E(K, P_i)$, $i = 1, \dots, k$.
: . , ,
? ECB!
,
.
ECB? ,
, .
,
.
,
. ,
.

90

5.

, , . Unicode
, .
, ,
. , ECB - .

5.3

(CBC)

(cipher block chaining CBC).


, ECB, XOR
. CBC
:
$C_i = E(K, P_i \oplus C_{i-1})$, $i = 1, \dots, k$.
,
. CBC
,
, .

5.3.1

, C0 ,
(initialization vector IV). .
, ECB.

, . ,
.

5.3.2

. ,

5.3. (CBC)

91

0, 1 .. . , . , XOR
. , 0 1 .
(
, ),
.
,
.

5.3.3

ECB,
CBC , .
, . CBC
,
.
.

. . IV
. :
$C_0 :=$ ,
$C_i := E(K, P_i \oplus C_{i-1})$, $i = 1, \dots, k$
, () $P_1, \dots, P_k$
$C_0, \dots, C_k$ . ,
$C_0$ , $C_1$ ; ,
. :
$P_i := D(K, C_i) \oplus C_{i-1}$, $i = 1, \dots, k$.

92

5.

.
, .
, , .
, .

5.3.4

, , . .
, , , (nonce).
number used once , . .

. , , , . , , ..
, .
,
,
.
, CBC, .
.
.
1. . , 0. :
,
.
2. .
,
. ,
, , .
.

5.4. (OFB)

93

3. ,
.
4. CBC,
.
5. , .
.
( C0 )
.
6. , . , .
, ,
, ,
. 32-
48- , 128 .
, .

5.4

(OFB)


. (output feedback OFB)
,
.
( ),
XOR . ,
, (stream cipher).
- , . !
, . .
( , )
. CBC
. .

94

5.
OFB :
$K_0 := IV$
$K_i := E(K, K_{i-1})$, $i = 1, \dots, k$,
$C_i := P_i \oplus K_i$.

, $K_0$ ,
$K_1, \dots, K_k$
$K_i$ .
XOR
.
. CBC,
(. 5.3.3)
(. 5.3.4).
OFB ,
.
. , , ,
.
OFB . , ,
. ,
,
, . ,
.
, OFB . -
, .
. , $P$ $P'$
. $C$ $C'$ .
, $C_i \oplus C'_i = P_i \oplus K_i \oplus P'_i \oplus K_i = P_i \oplus P'_i$ . ,
. ,
. (
.)
. ,

5.5. (CTR)

95


[44].

OFB. , , -
,
, . , , , ,
.
, .
, .

. ,
, , $2^{64}$ .
,
, . , ,
.

5.5

(CTR)


(counter CTR).
, DES [68],
. CTR NIST [26]. OFB,
. :
$K_i := E(K, \mathit{Nonce} \parallel i)$, $i = 1, \dots, k$,
$C_i := P_i \oplus K_i$.
, CTR ( Nonce).

, .

96

5.

CTR .
. ,
, 128- .
, ,
i. 128-
48- , 16 , , 64 i.
$2^{48}$ ,
$2^{68}$ .
OFB, ,
.
CTR, CBC.
, . CBC ,
,
. ,
, ,
, . ,
CBC CTR , .
, CTR .
, CTR .
CTR
, , .
. , CTR
. CTR
.
: ,
CTR ( ,
).

5.6.

5.6

97

70-
80- . .
, , (offset codebook), OCB [82, 83].
, .
, .
-, , . ,
OCB, .
. . .
, , ,
. ( .)
,
. (security reduction)
. , , ,
OCB X, Y . ,
. ,
. :
, ,
,
.
-,
, .
,
.
. .
.

98

5.

5.7

, .
: CBC CTR. , ECB .
OFB , CTR,
. OFB, CTR .
CBC CTR? .
. CBC , CTR
.
. . CTR
, CTR
.
. CTR,
. CBC
.
. ,
CBC . CTR .
. CBC . CTR . , , CBC
, CBC CTR .
, CTR CBC , . - ,
CTR . ,
. ,
CTR ,
, ,
.
, ,
. , CTR,

5.8.

99

. ? .
, . ,
. . .
, .
,
.
, ,
( 8, ).
, .
,
. ,
, ,
, , ,
1 .
.

5.8


. .
.
, .
, ,
. , ,
.
.
ECB. Pi Pj Pi = Pj ,
Ci = Cj . ,
1
(traffic analysis).
.
,
(, , ).

100

5.

, . ,
. ECB.
CBC? ,
XOR .
; , ,
.
, ?
:
$C_i = C_j$,
$E(K, P_i \oplus C_{i-1}) = E(K, P_j \oplus C_{j-1})$
$P_i \oplus C_{i-1} = P_j \oplus C_{j-1}$
$P_i \oplus P_j = C_{i-1} \oplus C_{j-1}$

CBC,
,

.

, XOR ,
, , . , , . (, ,
), , , ,
.
, . , $C_i \ne C_j$ , , $P_i \oplus P_j \ne C_{i-1} \oplus C_{j-1}$ , .
CTR. ,
Ki , .
, (
) . $C_i$ $C_j$ , $P_i \oplus P_j \ne C_i \oplus C_j$ ,
. ,
CTR
.

5.8.

101

CTR .
, . , CTR
, .
OFB , CBC CTR.
, OFB , CTR. ,
OFB - , .
, , CTR
OFB.

5.8.1

, ,
? , M
. , , .
.
$M(M-1)/2$ . , , $2^n$ ,
$n$ . , $M(M-1)/2^{n+1}$ , $M \approx 2^{n/2}$ . , $2^{n/2}$ ,
2 .
128 , , $2^{64}$ . ,
3.6.6. 264
, , 30 . , -
.
. $2^{40}$
( 16 ), $2^{48}$ . , .
$2^{40}$ , .
2
,
,

, $\sqrt{2^{n-1}} = 2^{n/2}/\sqrt{2}$,


, .

102

5.

,
$2^{48}$ . , , ,
$2^{40} \cdot 2^{48} = 2^{88}$ , , 128 .
CBC CTR.
CTR
. CBC , , ,
. ,
, , CTR .

5.8.2

128- ? -
. 128-
,
128 . 256- .
, . , ,

, .
CTR . , $2^{64}$ $C$. $P$ $2^{64}$
, , $P$ $C$. ,
, 50%. , CTR
, ,
$P$ . ,
. , . $2^{48}$ ,
$1/2^{32}$ ,
.
. , CTR ,
, , ,
. $2^{60}$ , $2^{64}$
.

5.8.

103

CBC .
CBC , 128
.
. ,
CBC, $2^{32}$ .
128 $2^{64}$ , , , , 128 .
: ,
. ,
, .
,
. , ,
CTR CBC , .
. ,
, .

, ;
. , ,
.

5.8.3

,
, , . , ,
. , , .
. , ,
, .
, . ,
,
.


.
, 1 .
,
( )
.
.
m.
. ,
m,
h(m). h 128 512
, m. , h(m) ,
m.
, : m1 m2 , . .

(message digest),
(digest) (digital fingerprint). (hash function), , , . 1

, (Leslie Lamport), [21].

104

6.1.

105

:
, - , . ,
. , , .
- . .
.
.
. , ,
.
.
, ,
, , -
, .
,
, .
. ,
.

6.1

, m h(m) .
128 512 .
.
(one-way property): m h(m), x
m, h(m) = x. , , , ,
( ).
, ,
(collision resistance). , -

106

6.

.
m1 m2 , h(m1 ) = h(m2 ). , . (
.) ,
.
, , , .

.
,
,
, , ..
, . , . ,
,
.
4 .
,
(. 4.3), .
, ;
.
.
.
5
,
.
, ,
, , . ,
.
.

6.2.

107

,
. ,
. ,
.
.
,
. , . $n$- $2^{n/2}$ .
.
( x m, h(m) = x)
. $2^n$ . , . ,
, ,
. , , , . -
, ,
,
.
, . , ,
.
, , .
512- , 128 .
$2^{128}$ .

6.2

. .
SHA , , MD5.
, , . ,

108

6.

SHA , ,

(National Security Agency NSA) NIST2 .
( , ) .

$m_1, \dots, m_k$ ,
. $h'$
. $H_0$ $H_i = h'(H_{i-1}, m_i)$.
$H_k$ .

. -,
, . -, - ,
. , , ,
.
, .

Internet.
,
.

6.2.1

MD5

(Ron Rivest) [81] 128-


MD5 MD4
[78] 3 .
MD5
512 . ,
. MD5 128- , 32 . h0 ,
2

, .
3
MD4 , [24],
.

6.2.

109


. , XOR, AND, OR 32 . ( [81].)
, .
h0 h0 .
32- 32- .
MD4 .
: h0 , h, h0 ,
. ,
h h0 .
MD5 , h0
[20]. MD5
, MD5
.
128- -
MD5 . ,
MD5 $2^{64}$
, .
MD5.

6.2.2

SHA-1

(Secure Hash Algorithm SHA) (National Security


Agency NSA) NIST [70].
SHA ( SHA-0)
. NSA . NIST
SHA SHA-1.
NIST .
(Chabaud) (Joux) SHA-0 [16]. SHA-1,
, ,
NSA.

110

6.

SHA-1 160- , MD4. SHA-1


MD5; SHA-1 - , MD5. , SHA-1, ,
.
SHA-1 160- , 32- . MD5,
, 32 . , SHA-1 ,
16 80 . , MD4. MD5 . SHA-1
, . ,
SHA-1 SHA-0 .
SHA-1 160-
.
$2^{80}$ , 128 256 .
128- .

6.2.3

SHA-256, SHA-384 SHA-512

NIST ,
[74], 256-, 384- 512- .
128-, 192- 256- AES. SHA-1.
. , .
, , SHA-1, .
. SHA,
NSA, , .

6.3.

111

SHA-256 , SHA-1. SHA-256


, AES Twofish, ,
. .
, , , ,
. , SHA-1
MD5. ,
, .
SHA-384 .
, SHA-512, . , . SHA-256
SHA-512.

6.3

, ,
.

6.3.1

.
, .
. $m$ $m_1, \dots, m_k$ , $H$. $m'$ , $m_1, \dots, m_k, m_{k+1}$ . k
$m'$ k $m$,
$h(m)$ , $h(m')$ k $m'$ . ,
$h(m') = h'(h(m), m_{k+1})$. MD5 SHA,
m0 ,
. , , .
- ,
. , h(m) , k m0 .

112

6.

, , , , ,
. ,
. , ,
(m, m0 )
. , ,
, .
, , .
? ,
, h(X k m), X
, , m .
h ,
. , m
h
. ,
, , .

6.3.2

.
.
, . : , . . , , m h(m k X),
X .
m, 4 .
n n .
4


; ,
. ,
.

6.4.

113

m, h(m k X) X
. ,
, .
m m0 , h
. ,
, $2^{n/2}$ .
m m0 . , h , ,
,
, ,
- . m
m0 , h(m k X) = h(m0 k X) X.
. (, )
. , , , ,
. , ,
,
.

6.4

, . , .
,
?
? - , ?
, , . :
, .
, . , , . , ,
, .. , , -

114

6.

. .
, .
; . ,
. ,
,
. .
- , ,
.

6.4.1

,
. , .
, . , .
, . , (, , - ). .
h .
$m \mapsto h(m)$, $m \mapsto h(h(m) \parallel m)$5 . ,
m h(m).
- , ,
.
6 h .
$h_{DBL}$ $h_{DBL}(m) := h(h(m) \parallel m)$.
h ,
,
n , n .
5

$x \mapsto f(x)$ . ,
. , $x \mapsto x^2$ ,
.

6.4.

115

.
,
. ,
.
, ?

, - .
m. -
.
, hDBL .

6.4.2

?
. h(m)
h(h(m)) , n/2 .
, n- n ,
6 .
, , n/2 ,
.

, . ,
.
SHA-256,
128- , .
, n-
n/2- .
. ,
,
, n- . , SHA-256 256 AES, , 256- . , 256-
6

SHA-256 , n-
$2^n$ .

116

6.

128- ,
SHA-256.
. . ,
,
.
.
7 h .
$h_d$ $h_d := h(h(m))$ , $\min(k, n/2)$, $k$
h, n .
SHA. SHA-X, X 1, 256, 384 512, SHAd-X ,
$m$ SHA-X(SHA-X($m$)). , SHAd-256
$m \mapsto$ SHA-256(SHA-256($m$)).
,
. , , hd , , ,
h7 . HMAC .
hDBL , hd
, .
, hDBL n- , . n/2- , hd .

6.5

.
SHAd . , .
7

. , ,
, . , ,
, .

6.6.

117

,
. ,
,
. ,
.
, , hd , n/2- , .
SHA , , ,
.
, , SHAd -1, 80- . SHAd -256 SHAd -512.
( SHAd -384 , ,
, SHAd -512.)
128 ,
SHAd -256 .
SHAd -512. , , ,
256 . , , SHAd -512,
. 128-
SHAd -256.

6.6

.
,
,
80- .
, . SHA
. , ,
.


(message authentication code MAC)
, .
, .
MAC. ,
K, ,
.
m, MAC , . ,
MAC, , MAC . ,
.
: K,
MAC, .
.
, 8, .

7.1

MAC

, MAC, , ( K
m ) .
MAC MAC(K, m).

m, MAC(K, m).
118

7.2. MAC

119

MAC. : MAC
, . 7.8.

7.2

MAC

MAC.
MAC , . ,
, MAC . n MAC .
8 MAC
n-
.
MAC . . MAC, ,
.

7.3

MAC

, MAC K m. K
, , .
,
K. k , K.
K, . , k, K
$2^k$ (, )1 .
9 n MAC, k
, K.
MAC
1
, . : k
K ( ) , .

120

7.

MAC MAC $2^{\min(n,k)}$ .


, MAC , k .
, .
; K. (
K, k = 0, ,
.)
, MAC
, . $2^{\min(s,k)}$ , $s$ .
K
, MAC , .
, , , MAC . MAC . ,
,
n MAC
. n+1 , MAC.
, , ,
. , ,
.

7.4

CBC-MAC

MAC.
K .
CBC-MAC , m , CBC,
. , P1 , . . . , Pk , MAC :
$H_0 := IV$,
$H_i := E_K(P_i \oplus H_{i-1})$,
$MAC := H_k$.

7.4. CBC-MAC

121

CBC-MAC
, .
CBC-MAC ,
. . ,
CBC-MAC , CBC, .
( ). CBC
CBC-MAC . MAC
.
CBC-MAC . ,
. , CBC-MAC [12].
. M CBC-MAC.
, $M(a) = M(b)$, , $M(a \parallel c) = M(b \parallel c)$. CBC-MAC.
, $c$ . ,
$M(a \parallel c) = E_K(c \oplus M(a))$,
$M(b \parallel c) = E_K(c \oplus M(b))$.
$M(a) = M(b)$, .
.
MAC , . a b,
M (a) = M (b). a k c,
b k c, MAC . MAC . (,
. ,
.
.) ,
[12].
,
MAC. . , a b,

122

7.

M (a) = M (b), , MAC ,


CBC-MAC.
, ,
CBCMAC 64- , 128 [4]. ,
, . CBC-MAC, 256- .
CBC-MAC .
CBC-MAC . .
1. s l m, l
m, .
2. s, . (
5.1.)
3. CBC-MAC s.
4. CBC-MAC
.
MAC .
CBC-MAC : , . MAC, , . ,
.
, CBC-MAC,
.

7.5

HMAC

MAC ,
,
, MAC ? HMAC [3, 58].
, ,
, 6, .
n/2-

7.5. HMAC

123

, MAC n- .
MAC(K, m) $h(K \parallel m)$, $h(m \parallel K)$ $h(K \parallel m \parallel K)$
[76]. ,
. ,
$2^{n/2}$ .
HMAC , . HMAC , , .
, HMAC n/2- . ,
,
. HMAC , $2^{n/2}$ .
, $2^{n/2}$ .

. , . , , HMAC n/2
n- .
[3], HMAC, , , ( )
. .
HMAC $h((K \oplus a) \parallel h((K \oplus b) \parallel m))$,
$a$ $b$ . , ,
. HMAC [3, 58]. HMAC , 6,
. ,
SHA, SHAd HMAC ,
SHAd .
HMAC. , . HMAC MD5 SHA-1.
. , 128-

124

7.

HMAC
256- , SHA-256.
HMAC SHA-256, SHAd -256
.

7.5.1

HMAC SHAd ?

, MAC, h(K k
m), , h. SHAd -256.
MAC :
$(K, m) \mapsto$ SHA-256(SHA-256($K \parallel m$)).
HMAC SHA-256. :
$(K, m) \mapsto$ SHA-256$((K \oplus a) \parallel$ SHA-256$((K \oplus b) \parallel m))$.
HMAC, ?
. . HMAC
, . , MAC . , ,
, . , HMAC
(.. )
, (.. ), ,
. HMAC
.
HMAC, , . , . , , . ,
:
S . , S, , ,
MAC. ,
128- .
HMAC.

7.6. UMAC

125

, 128- .
$2^{64}$ ,
. , .
?
HMAC. ,
SHAd 256(K k m), HMAC .
, HMAC, , .

7.6

UMAC

UMAC ,
K MAC,
, 2
(universal hash function). , . . [8, 59].
UMAC HMAC. , UMAC .
, UMAC ,
MAC.

7.6.1

UMAC 64- , , , . ;
. , MAC
, ,
MAC .
MAC,
, ,
. ,
MAC .
, , , 64 . MAC . , ,
2

UMAC

126

7.

MAC3 .
. MAC,
.
. ,
. 128- MAC.
, 3 (. 4.5.8), 256- MAC
128- , .
, 256- MAC. ,
64- 96-
MAC, 256-
( , MAC ).
MAC
, 128- .

7.6.2

, : UMAC ? , UMAC [8],


: UMAC-STD-30, UMAC-STD-60, UMAC-MMX-30
UMAC-MMX-60. RFC [59] : UMAC16 UMAC32.
, UMAC , UMAC16 UMAC32
.
, ,
? UMAC. , .
Pentium MMX, 32- .
, .
. , -,
, .
3

MAC . ,
IKE IPSec [40] MAC ,
, !

7.6. UMAC

127

UMAC 3-5 ,
,
.
UMAC . UMAC
,
.
. , . HMAC SHA-1,
UMAC . UMAC. ,
UMAC.
UMAC ,
, UMAC. ,
20-30
. ,
, .

7.6.3

, UMAC . ,
. , UMAC
. , ,
- 8- . UMAC
, -
.
, UMAC 4 . , UMAC
HMAC. 4

, ,
. .
. ,
.. 1970- 8-
, , , 10 .

128

7.

UMAC , .
, .

7.6.4

UMAC
, . , UMAC, , . , , .
, , ,
AES, SHA-256, ,
. , , AES. ( ,
.) SHA-256 (NSA),
. NSA .
, , SHA-256 , . ,
, .
, , , , . UMAC ,
.
,
UMAC 95%. 5%
, UMAC ,
.

7.6.5

UMAC?

UMAC, ?
. - , UMAC
. K , MAC, .
. -
MAC,
, ,
, .

7.7. MAC

7.7

129

MAC

, , ,
HMAC-SHA-256, .. HMAC, SHA-256. ,
256-. , ,
64- 96- MAC, .
32 (256 ) .
, MAC
, ,
, HMAC-SHA-256 128
.
,
HMAC SHAd -256 , HMAC . 128- HMAC 256-
, SHA-1 .
, HMAC . MAC, .

7.8

MAC

MAC , .
, .
MAC(K, m), , , K, m. .
,
, - .
, . , K
. A, ,
.
m, d.

130

7.

, (replay attacks), ..
(
) . MAC m, d. ,
MAC m, d k m.
.
4. :
, , , .
MAC ,
. , (, , ),
, (, ),
.
, MAC m := a k b k c, a, b c .
m a, b c.
? . ,
, .
, . , m , .
. . ,
. , . -
. ,
,
. ,
, . .
, ,

7.8. MAC

131

. ( ,
, .
MAC , .)

, , .
5 . , . , MAC
m, ,
.
,
, , , ..
XML, -
.
,

. IP- ,
. , , , , , . (,
).
: , . ,
.
, . d k m,
, d
m.

, , : - (Dr. Seuss), [89].


, . ,
.

8.1

: .
, , .

8.1.1

.
,
. ,
. , .
( , ) .
,
, .
, , . , , . ,
, , .
132

8.1.

133

, ,
.
. ,
.
, , , . ,
. , ,
, .

8.1.2

, -
. , K, , .
. .
. , , : -, K .
,
, K ,
.
. , .
15, . K
:
;

K.
, .
,

, . , ,

134

8.

K
. K, , (session key). , 15,
.
,
128- . 3 (.
4.5.8), 256- . , K 256 .

8.1.3

, : (,
) (,
). , .

, .
.
, , ,
. ,
TCP/IP . ,
, TCP-, . TCP
. . , , ,
. ( ,
.)

8.1.4

.
m1 , m2 , . . .,
.
, m01 , m02 , . . ..

8.1.

135

:
mi
;
, , , m01 , m02 , . . ., , m1 , m2 , . . .,
, . (
.)
. . , ,
.
.

. ,
.
, .
,
, , . (traffic analysis).
,
. , ,
,
.
,
. ,
. , .
. ,
, . , , , .
, , -, . , , .

136

8.

, , .
, .
, ( ) .
, . ,
. ,
, , .
? .
. , , , . , . ,
, .

8.2

, . : ,
, , MAC.
. , ,
, , , , , , . , , ,
,
.
.

. (
.) MAC ,

8.2.

137

, .
, . ,
(, CTR) CBC.
, ,
. ,
, MAC
, .
(.. MAC),
. , , .
, . , ,
MAC. ,
. , . ,
. , ( , )
(denial-of-service
DOS). DOS- ,
. , .
,
, .
,
, MAC, MAC. , MAC; ,
MAC (.. ),
MAC .
MAC . , ,

138

8.

. , . ,
. .
, MAC .
: , . . ,
, . , ,
. ,
, - .
, . ,
, , .
. ,
, , . ,
, , .
, , () IPSec [32].
, . , , - . ;
MAC .

(. 8.4.1). ,
:
.
,
.
, . , ,
.

8.3.

139

, ,
.

8.3

: , .

8.3.1

.
, . , ,
. , . , ,
.
(..
, )
( , ).
.
1, 2 .. , .
.
, ,
- .
32 . 1. $2^{32}-1$. , ,
. , , .
, 64- ,
. (
, .) 32- . ,

140

8.

1 . , , 40- 48- ;
.
, C
? .
N ,
N + 1 . ,
$\{0, \dots, N\}$. $2^{32}-1$,
32- .
,
, ,
.
, .
, ,
, . , ,
, .
i.

8.3.2

MAC. , , ,
HMAC-SHA-256 256- . MAC mi
xi . 7,
,
, . .
,
, , . ,
xi
. , xi , .
1

. . ,

, $2^{32}-1$ .

8.3.

141

$\ell()$ ,
( ). MAC $a$
$a_i := MAC(i \parallel \ell(x_i) \parallel x_i \parallel m_i)$,
$i$ $\ell(x_i)$ 32- , , . $\ell(x_i)$
, $i \parallel \ell(x_i) \parallel x_i \parallel m_i$
. $\ell(x_i)$
$i$, $x_i$ $m_i$ , , . , $x_i$ , -
,
. , .

8.3.3

AES
CTR. , CTR, .
16 $2^{32}$ , 32 . , 64- , 32- . ,
.
$k_0, k_1, \dots$. $i$

$k_0, \dots, k_{2^{36}-1} := E(K, 0 \parallel i \parallel 0) \parallel E(K, 1 \parallel i \parallel 0) \parallel \dots \parallel E(K, 2^{32}-1 \parallel i \parallel 0)$,
32- , 32- 64 . .
$\ell(m_i) + 32$ . (, , . . . )
$m_i$ $a_i$ XOR $k_0, \dots, k_{\ell(m_i)+31}$ .

8.3.4

mi k ai ,
. mi k ai i,

142

8.

32- , .

8.4


. ,
. , -,
.
.
, , ,
. if/fi do/od.

8.4.1

, ,
. : .
:
,
,
, .
InitializeSecureChannel
:
K , 256 .
R
. ,
.
: S
.
.
ASCII -.
KeySendEnc ← SHAd-256(K ∥ )
KeyRecEnc ← SHAd-256(K ∥ )
KeySendAuth ← SHAd-256(K ∥ )
KeyRecAuth ← SHAd-256(K ∥ )

8.4.

143

, .
if R = then
swap(KeySendEnc, KeyRecEnc)
swap(KeySendAuth, KeyRecAuth)
fi
0.
. .
(MsgCntSend, MsgCntRec) ← (0, 0)
.
S ← (KeySendEnc,
KeyRecEnc,
KeySendAuth,
KeyRecAuth,
MsgCntSend,
MsgCntRec)
return S
, S.
. , , ,
S.
. , S
.

8.4.2

, , . ,
, , , , , . ,
.
SendMessage
:
S
.
m , .

144

8.
x

: t

,
.
, .

.
assert MsgCntSend < 2^32 − 1
MsgCntSend ← MsgCntSend + 1
i ← MsgCntSend
MAC. ℓ(x) i
4- , .
a ← HMAC-SHA-256(KeySendAuth, i ∥ ℓ(x) ∥ x ∥ m)
t ← m ∥ a
. , , 4- , i .
, . E
AES 256- .
K ← KeySendEnc
k ← E_K(0 ∥ i ∥ 0) ∥ E_K(1 ∥ i ∥ 0) ∥ …
. i
4- , .
t ← i ∥ (t ⊕ First-ℓ(t)-bytes(k))
return t
(. 8.3).
, .
. -
, . , . , . , i,
.
: , . , . , .

8.4.

8.4.3

145

,
SendMessage, x,
.
ReceiveMessage
:
S
.
t
, .
x
,
.
: m , .
, , 4-
32- MAC. ,
.
assert ℓ(t) ≥ 36
t : i . , i 4 .
i ∥ t ← t
, .
K ← KeyRecEnc
k ← E_K(0 ∥ i ∥ 0) ∥ E_K(1 ∥ i ∥ 0) ∥ …
t MAC. , a 32 .
m ∥ a ← t ⊕ First-ℓ(t)-bytes(k)
. ℓ(x) i
4- , .
a′ ← HMAC-SHA-256(KeyRecAuth, i ∥ ℓ(x) ∥ x ∥ m)
if a ≠ a′ then
destroy k, m
return AuthenticationFailure
else if i ≤ MsgCntRec then
destroy k, m
return MessageOrderError
fi

146

8.
MsgCntRec ← i
return m

. , , ,
, . ,
, . , .
,
.
; ,
, , .
,
. ReceiveMessage , . ,
, .
, .
?
, ,
. ,
( MAC). , ,
. , , ,
ReceiveMessage, . , k m, ReceiveMessage ,
- .

8.4.4

, S,
MsgCntRec. ,
. , ,
, ( ) .

8.5.

147

( ).
, , ,
, .
.
, ( ).
,
, , .
, ,
; .
IPSec IP (IP Security) [50],
IP-. IP-
, IP, , IPSec
,
. c , IPSec c−31, c−30, c−29, …, c−1, c.
, . , c − 31,
. c−31 c−1 , 0 (,
1). c,
c , . .

8.5

. , SHA-256
. - ?
, , . OCB [82, 83].
,
, -

148

8.

. , OCB .
,
,
.
(Doug Whiting), (Russ Housley) CTR
CBC-MAC.
CCM ( CTR, CBC MAC) [93]. OCB CCM
, , ,
. CCM
, ,
. (Jakob Jonsson) CCM [14], NIST CCM
.
, : OCB CCM?
(CCM ),
. , . CCM
, OCB
. OCB ,
.
CCM OCB
. CCM CTR, 264 ( ,
128 ) . CCM ,
, 260 . ( ). CCM, ,
. , CCM
128- , ,
.
CCM, OCB , . [34]. ,
OCB 128- . ,

8.6.

149

, 248 , OCB
81 . ,
,
.
, , , CCM.
, . , ,
,
.
: CCM, OCB
.
.
, ,
MAC. , InitializeSecureChannel,
.
.

8.6

, .
. , , , , .
, ,
, .

. I
, ,
.
,
.
, ,
(. 2.2). ,
. (
)
. , , ,
, .
. , ; , , . ,
,
. ?
. , ,
, . .
, ; . , ,
. , .
, ,
. ,
150

151
. , . ,
, , . ,
, , , . , ,
? . ,
,
. , . :
;
. - , ,
.
, , : ,
.
, .
, .
, , ?
,
. , . , , , .
- .
, , , ,
(, , - ). ,
, ,
.
, . . ,
, , .
, ,
. .
70- 80-
! , -

152

9. . I

30-50 . ,
.

9.1

, , IT-, , . ( , , .) ,
.

9.1.1

.
, . , ,
.
.
,
. . , , , , , . ,
.
.
. , . , , .
. .
.
.
, .
- , , ,
,
. , . ,

9.1.

153


.
. ,
. ,
, .

. , ,
.
. . .
, .
. ,
,
.
, , . .
,
. ,
.

9.1.2


. , . , .
, . ,
( , , ) .
1972 (Edsger Dijkstra)
, ,
[22]. . , .

154

9. . I

,
,
.
, . , - . , . ,
,
, .
,
.
, ,
. , .
, .
, , .
, , .
, ?
.
.
, ,
.. .
,
. , , , -
. ,
, .
- .

9.1.3


, .
.
,
, . :

9.1.

155

. , .
, ,
,
. ,
. , , -,

.
. -
.

9.1.4

, , , ,
ISO 9001, . .
,
.
. , , . .
. ,
. ,
,
- . .
, .
. ,
. .
,
.
, ,

156

9. . I

- . ,
,
,
. . ,
.
, , .
, , ,
.

9.2

. ,
.
.
? : A, . : . ,
X. ; , .
- . ,
. :

.
, . , .
, , , .
.

9.3.

157

,
: , . , ,
, .

9.3

, , .
, . ,
, , ,
.
,
: . ; .
, .
.
. , 22, .
. , . , .

9.3.1

:
, .
, , - . ,
, ,
. .
, .
.
C, .
,
, , . , ,

158

9. . I

. ,
,
? ,
.
- . C++ , . , C++.
, . C++ ,
, ,
(), .
, . ,
. , ,
. , .

, . , .
, , ,
. C memset.
memset, ,
.
. ,
, memset. ,
. ,
. ,
- , , .
, ,
, .

9.3.

159

Java. ,
(garbage collector). ,
Finalize ( C++) ,
, .
, ,
. ,
. .
, , . ,
, try. , .
,
Java. Java
,
. Java
. , , Finalize
. main try-finally. , finally,
, , Finalize. (. System.gc() System.runInitialization().) , Finalize
, , .

. C++ , ,
. ,
. Java
. ,
, sensitive ( ), .
, , .
.
.
. . ,

160

9. . I

Pentium,
, , - , .
( ) ,
, ,
. , , , .

9.3.2

( Windows UNIX) , . . ,
. ,
, . ,
.
, .
,
- , .
,
, .
, -
. . ,
.
, . ,

. , , ,
. , -

9.3.

161

? , ,
1 .

?
. ,
. (, , ) ,
. , , . , , .
, .
, .
? , ,
. . ,
. , , .
, . , , . ,
, ,
, , . ,
.
, .
, .
, , .

, ,
.

9.3.3

- . .
1
-
, , .

162

9. . I

, . , . , .
. - ,
. , .
, ( ) , .
,
- .
?
, . ,
, , , .
, . ,
. , . ,
,
, .
, , .
, ,
.
, , . ,
(, ). , -
, , . ,
.
. -
,
. , ,
. , , .

9.3.

9.3.4

163

,
.
, ,
- , .
, .
,
.
, ( ) [38].
.
(Static RAM SRAM), . [9].
BIOS, (magic value),
, , : (cold reboot) (warm reboot)2 .
, ,
. , .

, SRAM ,
. :
, .
, (Dynamic RAM DRAM).
DRAM .
, 2
, ,
, , , .
. . , Reset.
, ,
, .

164

9. . I

, [38].
, ,
,
.
, - ,
. - (, ), , , ,
,
. .
, ( )
. ,
Boojum3 , , ,
. m , . m, R
R R m.
,
. , R. (, 100 )
R0 ,
R R0 R R0 m. ,
. ,
m, .
.
, XOR.
m. m,
R
.
, R Rm
. , , . , ,
, ,
.
0x5555,
. (, , ,
3

[15].

9.3.

165

, .)

. ,
,
.
,
. . ,
,
(
).
. ,
, , , - . ,
, ,
.
, Boojum, .
- ,
, .
, Boojum ,

, .
, , ,
MMX, ,
, .
, ,
.
. ,
Boojum. [23].

9.3.5

,
. . , .

166

9. . I

,
. .
-. , . Windows . , . , UNIX .
(core dump) , , , .
.
, (superusers) (administrators), ,
. , UNIX .

. , , ,
,
.
, .

9.3.6

, .
(MAC), ,
?
, . , - . ,
, , .
, (error correcting code ECC)4 .
- , ECC
. ECC ,
.
4

, ECC.
, , . ECC.

9.3.

167

? . , , ,
1015 .
128 , 109 , , 11 , , ,
. , 1
32 . ECC, .
, .
, . , .
, ,
.
, .
, .
,
.

9.3.7


, . .
. , , . , . ,
.
, . . ,
, ; . ,
.

168

9.4

9. . I

, . .
,
,
.

9.4.1

. . ,
(, ). ,
. ,
. ,

.
.
. .
. ,
. ,
. , ,
. - ,
.
. ( - ) .
, . ,
.
,
. ,
, . ,
?

9.4.

9.4.2

169


. , : .
,
, .
, . .
. .
. . ,
- . , . .
,
. .
,
. - , .
, , . 20 ,
, , .
, , , .
,
.
.
, ,
,
, .
, . ,
.
IBM PC BIOS. ,
, .

170

9. . I

, .
, , , .
, DOS.
. ,
. ,
.

9.4.3

(assertions) ,
5 .
,
.
, . . , ,
. , .
: , - , . ( , ). , ,
.

, . , .
,
,
5
, ,
? , ,
, .

9.4.

171

? , , , ? -
, , , ?
,
- . , , (, , )
, , , . , ,
, .
, , .
!

9.4.4

IT-
. 40 .
. , Algol 60,
. ,
,
, Internet. . . ,
?
, , -
. IT- , . (,
,
.) , :
- , ?
, .
,
. , . , C C++. , . ,

172

9. . I

, .

9.4.5

.
, . .
, .
, . , . , .
. ,
.
, . ,
.
, , - .
. - . ,
4 , , .
.
,
.
(pseudorandom number generator PRNG) 10,
.
. ,
, , .
.
, - , .
AES.

9.5.

173

AES
, . AES ,
.

9.5

, (side-channel attacks) [48]. ,


. , ,
, .
-,
, - . , , ,
, .
, ,
. (power attacks), - [56].
, .
,
. - - -.
, , , ,
. (timing attacks , ) ,
. ,
, -.
, - .

.

174

9. . I

, ,
.
.
, -
,
. , ,
,
. -,
, .
. (-, ,
.)

9.6

, :
. .
, :
, , ,
,
, , .
. .
, .
, ,
(, , ).
. !
, , .
,
. , , , .

II

10


, (random number generator RNG). .
, . ,
.
, .

. 1, ,
. ,
, .
- .
. ,
.
Netscape [37].
(entropy) [90]. , , , .
32- ,
, , 32 . 32-
, 25%, .
, ,
. , ,
176

10.1.

177

. , , . 32- 32 . , : 18
0, 14 1. 228,8 , , 28,8 . , , .
For a random variable X:

$$H(X) := -\sum_{x} P(X = x)\,\log_2 P(X = x),$$

where P(X = x) is the probability that X takes the value x.
, . ,
. ;
, . ,
.

10.1

.
,
.
.

.
, [19].
,
.
, .
, 1-2
. ,
.
. ,

178

10.

. , . , ,
. , , ,
. , , .
, .
, . ,
.
,
. , , . , . -, , . , .
, , , , - . (
,
.) , , .
, . , , ,
[5, 11]. , ,
.
[41]. , ,
, .
,
.

10.1.1

,
. -,
. -

10.1.

179

, ,
. , Web-, ,
. ,
. , , ,
.
, , , ,
. . ,
, . , .
, ,
.
, , .
.

10.1.2


.
. (seed).
, . (pseudorandom number generator
PRNG) . , ,
. (Donald Knuth) The Art
of Computer Programming [54] ,
. ,
, .
, ,
, ( ) ?
. .

180

10.

. , ,
-
. . , .
, . .
,
.
, ,
.

10.1.3

,
, . ,
( ,
) . .
, , -
.
, ,
. ,
.
(unconditionally secure). , , .
(computationally secure). , , . .
. ,
, ,

10.2.

181

, .
. , ,
,
, , ,
.

10.2

. () . , [47]. , , Yarrow [46].


, ,
(John Kelsey).

. ,
. , ,
. ;
.
. ,
. , , .
, -
. ,
. , - ,
, , ,
. . , -

182

10.

. ,
, -
, .
,
, . ,
. ,
,
( , )
.
, , . . , ,
, , 30 ,

, . 230 , 1 .
,
, .
, , , .
, , . ? ,
2128 , 128 . , , : - , .
, ,
. Yarrow.
, , .
1

, , .
(guessing entropy),
. [14].

10.3. Fortuna

10.3

183

Fortuna

Yarrow. Fortuna 2 . Fortuna , .



Fortuna3 .
Fortuna .
. , . , ,

.

10.4

. AES- . ,
, AES (Rijndael), Serpent Twofish (. 4.5.7). 256-
128- .
,
. , CTR
, .
.
, . , . ,
, .
256
2

, , Tyche.
3
, Fortuna, Fortuna (, , ), ( ). . .

184

10.

. , .
,
. , , . ( 5.8.2.) . , , . (pseudorandom function),
. ,
, ,
. .
264
,
.
,
; . ,
, 216 (.. 220 ). 216
297 , 297 .
, ,
2113 . , , 2128 ,
.
, ,
(, ) . ,
, , .
,
128- . SHA-256, . ,
, .

10.4.

185

.
, ,
.
256- , . ,
- . 2113 , . 2113
. ,
,
.
,
. , . ,
- , . ,
, , .

, . , . ,
.
- ,
,
. . - , ,
, . 128 ,
( 2128
), - . 0
, , ,
.
: , , 1 , . ,
. , .
. , For-

186

10.

tuna, . , -4 . , . , (,
). .
.
, ,
. , .
. ,
.
.

10.4.1

. , ,
.
InitializeGenerator
: G
.
K C .
(K, C) ← (0, 0)
G ← (K, C)
return G

10.4.2

Reseed
. , . , .
Reseed
:
G
; .
4

,
.

10.4.
s

187
.

.
K ← SHA_d-256(K ‖ s)
C ← C + 1
C .
.

, .
C is treated as a 16-byte value with bytes p_0, …, p_15 and interpreted as the integer

$$\sum_{i=0}^{15} p_i \cdot 2^{8i}.$$

, C 16-
, .

10.4.3


. , . .
GenerateBlocks
:
G
; .
k
, .
: r
16k .
assert C ≠ 0
r ← ε
for i = 1, …, k do
  r ← r ‖ E(K, C)
  C ← C + 1
od
return r

, , , E(K, C)
, K
C. GenerateBlocks , C
( , ). r
, . , ,
.

10.4.4

PseudoRandomData
.
220 , .
PseudoRandomData
:
G
; .
n
,
.
: r
n .
, . ,
.
assert 0 ≤ n ≤ 2^20
r ← first-n-bytes(GenerateBlocks(G, ⌈n/16⌉))
K ← GenerateBlocks(G, 2)
return r
, PseudoRandomData GenerateBlocks.
PseudoRandomData
. ( d. . .e .) ,
. K ,

10.5.

189

r. PseudoRandomData r , ,

- r.
, - ,
. ,
.
, ,
PseudoRandomData, . ,
PseudoRandomData. :
, , , .
PseudoRandomData . , 32
( ) .
.

10.4.5

Fortuna, , ,
. Fortuna . PC-

20 . ,
.

10.5

190

10.5.1

10.

,
. , , . , .
, , . , ,
, . ,
.
.
( )
, ,
. ,
; ,
.

. ,
.
.
, 0 255. , .

. , . ,
. ,
.
, . , , , ,
. . ;
; , .
, ,
.
, ,

10.5.

191

. ,
. ,
,
.

10.5.2

, . ,
.
, . ,
, ,
. Yarrow
.
Fortuna .
32 : P0 , . . . , P31 . . .
.
Fortuna - .
. , , ,
. , ,
, .
, P0 .
1, 2, 3, . . .. r .
Pi , 2i r. ,
P0 , P1
, P2 ..
,
.

.
, P0 . ,

192

10.

?
, , P0 ,
. ,
P1 , ,
, P2
.. ,
,
,
, ,
.

,
( )
. ,
, t t . t/32 .
, , 128
. . P0 128 , .
, P0 , . P0 - ,
( ). t . Pi
2i t/32 . , 2i t . Pi , 128 2i t/32 < 256.
( : 2i t/32 256, , 128
Pi1 , ,
Pi .) ,
$\frac{2^i \cdot t}{32} < 256$, that is, $2^i \cdot t < 8192$.

10.5.

193

,
, 213
(8192/). 213 ,
.
, 27 .
,
27 , , 28 . . 32 , 25 .
.
64 ( 64
, ). ,
, . ,
, . Fortuna
Yarrow. ,
, .
;
, .
, .
, 32 . , P31
, ?
,
, 232
, , , 213 . , , ,
, .
100 . 10
, , P32 , , 13 !
,
10 ,
32 .
(2i t)

194

10.5.3

10.

.

- . ,
. , . ,
.
, ,
.
P0 ,
.
P31 ,
.
, , . , , ,
. , , ,
.
, .
,
, . ,
, .
, .
- ? , . ,
- , 5- .
? ?
, , , . ? ,

10.5.

195

- -
. , , .
, .
. :
, ,
, . , .
: ,
- .
. - ,
, ( , , ), .

, .

.
, .
, . ,
. , ,
. -
. ,
.
, .
,
. , . ,

.

196

10.

. ,
. ,
, .

, . , ,
.
RandomData , PseudoRandomData.
, ,
. ,
- .
SHAd -256 , .
, . , .
.
, ,
. ,
- .
, -
.
- , - .
, , ,
.
,
.
.
, .
, - .
.

10.5.

10.5.4

197

, , .
, , ,
Fortuna. PRNG ,
.
InitializePRNG
: R
32 .
for i = 0, …, 31 do
  P_i ← ε
od
ReseedCNT ← 0
G ← InitializeGenerator()
R ← (G, ReseedCNT, P_0, …, P_31)
return R

10.5.5

, RandomData -.
,
.
RandomData
:
R ; .
n
,
.
: r
.
if length(P_0) ≥ MinPoolSize ∧ (time since the last reseed) > 100 ms then
  ReseedCNT ← ReseedCNT + 1
  s ← ε
  for i = 0, …, 31 do
    if 2^i | ReseedCNT then
      s ← s ‖ SHA_d-256(P_i)
      P_i ← ε
    fi
  od
  Reseed(G, s)
fi
return PseudoRandomData(G, n)

RandomData P0 MinPoolSize, , . ,
, 128 . ,
8 4 ( ,
2 ),
MinPoolSize 64 . - , , 32 ,
. ,

.
.
ReseedCNT 0,
1. , , , P0 .
for ... do - , . , .
2i |ReseedCNT . ,
2i ReseedCNT. ,
, :
- i,
i, .
, .

10.5.

10.5.6

199

AddRandomEvent,
. , . , ,
.
AddRandomEvent
:
R ; .
s
0, . . . , 255.
i
0, . . . , 31.

.
e
. ,
1, . . . , 32.
.
assert 1 ≤ length(e) ≤ 32 ∧ 0 ≤ s ≤ 255 ∧ 0 ≤ i ≤ 31
P_i ← P_i ‖ s ‖ length(e) ‖ e
, 2 + length(e) ,
s length(e) .
. ,
.
,
. .
, ,
.
32 .
. , , .
,
. AddRandomEvent
. ,
.
AddRandomEvent.
, , AddRandomEvent

200

10.

, .

AddRandomEvent (mutex object), ,
5 .

AddRandomEvent. ,
.
, ,
- .
, . .

10.6


. , , ,
.
, ,
.
.
,
, .
,
. , .
. ,
, , .
5
, .

10.6.

10.6.1

201

.
.
WriteSeedFile
:
R ; .
f
, .
write(f, RandomData(R, 64))
64
. - ,
.

10.6.2

, . , ,
.
UpdateSeedFile
:
R ; .
f
, .
s ← read(f)
assert length(s) = 64
Reseed(G, s)
write(f, RandomData(R, 64))
,
. .
UpdateSeedFile ,
.
, UpdateSeedFile,
. , , UpdateSeedFile
. , , UpdateSeedFile .
, ,

202

10.

. ,
- ,
.
, !
.
,
.
, . ,
(. 10.6.5).

10.6.3

,
.
. , .
,
. , -
.
.
, . ,
. , ,
.
, , , 10 .

10.6.4

, . ,
. , . , ,
. .

10.6.

203

, .
,
.

, . ,
,
. .
, , .
. ,
.

, , , , .
, .
, ,
. .
. ,
,
- .

10.6.5

, , .

.
. (
), , ,
.
,
, - . , , . , ,

204

10.

.
.
,
. !
. .
, .
,
. . ,
,
.
,
, . ,
, , .

10.6.6

,
! , , .
. . .
, . ,

, . , ,
.
, . , ,

10.7. ?

205

,
, . ,
. ,
. ,
,
, .
, Fortuna
,
. ,
(, Fortuna ),
. ,
,
.

10.7

, ,
. , . Fortuna, ,
, ,
, . , ,
.
.
. Fortuna ,
,
. ,
, .
, . , -

206

10.

. ,
.
. ,
. !

10.8

.
, . , , ,
. .
, ,
( ). ,
6 . ,
.
n ,
. ,
0, 1, . . . , n 1.
, n.
n = 0,
. n = 1, . n = 2k , k

0, . . . , n 1. . (, ,
k, .)
, n ? 32-
n. ,
32 .
Take n = 5 and let $m := \lfloor 2^{32}/5 \rfloor$. Reducing a uniform 32-bit value modulo 5 gives each of 1, 2, 3 and 4 with probability $m/2^{32}$, while 0 has probability
6
128- , 2128 ,
- .

10.8.

207

$(m + 1)/2^{32}$.
, .
2128 , .
,
. , 0, . . . , 4, 0, . . . , 7. ,
8 . 5, 0, . . . , 7.
, 0, . . . , 4. , ,
.
,
0, . . . , n 1 n 2.
1. k , 2k n.
2. ,
k- K.
0, . . . , 2k 1. ,
, .
3. K n, 2.
4. K .
.
, . n = 5.
232 1 5, 0, . . . , 232 2 5.
0, . . . , 232 2,
,
, , .

Choose k such that $2^k \ge n$, and set $q := \lfloor 2^k/n \rfloor$. Draw a random k-bit value r; accept it only if $r \in 0, \dots, nq - 1$, and then output $(r \bmod n)$.

, ,
.
.
.

11



. , . , ,
, . - , . ,
- . , ,
, .
. .
,
, . ;
. , ; , ,
( , ,
, ).
. , , .

11.1

a b ( a|b
a b), b a . , 7
35, , 7|35.
208

11.1.

209

(prime), :
. , 13 ,
: 1 13.
2, 3, 5, 7, 11, 13 .. , , , (composite). 1
, .
,
.
. ,
.
.
1. a|b b|c, a|c.
. a|b, s, ,
as = b. (, b a, a.) b|c, t, , bt = c.
, c = bt = (as)t = a(st), , a c.
( , ,
. , c
a(st).)

. ,
. . 1 .
, , , a|b.
.
, , , 2000 , . ( , . 1700
,
.) ,
, ,
. , .
.
1
.
, , .

210

11.

,
.
2. n , . d
n, . d .
. ,
d . ( n, , d
.) , n n n > 1. , n , 1.
, d , reductio ad absurdum,
(proof by contradiction). X, , , ,
. , X , , , , , X .
, d .
e, , 1 < e < d. 1, e|d d|n, e|n, e n e < d.
, d n.
, ,
, d .


.
, .
1 ().
.
. .
, , ,
. p1 , p2 , p3 , . . . ., pk ,
k . n := p1 p2 p3 . . . pk + 1 ( 1).
n, , d. , d ( 2)
d|n.
n. , pi
(n 1), n 1.
, d ,
. , p1 , p2 , p3 , . . . , pk , ,

11.2.

211

. ,
.

2000
.
, . , , , .
. ,
, , 2, .
, ,
.
: , , ,
( , ). : 15 = 3 5, 255 = 3 5 17, 60 = 2 2 3 5.
.
.

11.2

. ;
.
SmallPrimeList
:
n
.
2 n 220 .
: P
n.
n. ,
.
assert 2 ≤ n ≤ 2^20
(start with every flag set to 1)
(b_2, b_3, …, b_n) ← (1, 1, …, 1)
i ← 2
while i^2 ≤ n do
  (i is prime; mark all its multiples as composite)
  for j ← 2i, 3i, 4i, …, ⌊n/i⌋ · i do
    b_j ← 0
  od
  (advance i to the next number still flagged 1)
  repeat
    i ← i + 1
  until b_i = 1
od
(collect every k whose flag is still 1)
P ← []
for k ← 2, 3, 4, …, n do
  if b_k = 1 then
    P ← P ‖ k
  fi
od
return P

.
c , c. 2 n
, , . .
1. i , .. 2. , ,
2, , 2i, 3i, 4i
.. , 0. i,
. ,
,
, .
, i . , i2
, n.
,
,
, . (,
, 2i, 3i, . . . .
i, .)

11.3.

213

, i2 > n? , k . p , . , p ( 2).
q := k/p. , p q; q
k,
p,
p.

, p k.

k,


$k = p \cdot q > \sqrt{k} \cdot q \ge \sqrt{k} \cdot p > \sqrt{k} \cdot \sqrt{k} = k.$
,

k > k, . , p k.
,
k ,
k. ,

n n. i2 > n, i > n.
, - ,
i, , .
, ,
.

.
,
. .
, , . , ,
.

11.3


,
.
p .
p, 0, 1, . . . , p 1.
: , , ,
r, p.
: r p . r p . ,
25 7, 25 7, 3 4, , ,
(25 mod 7) = 4. (a mod b) a b, ,

214

11.

, , .
- , (modp), ,
p. , , (modp)
, ,
p.
- . a mod b. ,
mod, . , (a mod b)
.
: , p,
0, . . . , p 1, .
( ).
, 1 p, p 1. : (a mod p),
q r, , a = qp + r 0 r < p.
(a mod p) r. a = 1, q = 1 r = p 1.

11.3.1

p . p,
p. 0, . . . , p 1,
2p 2, ,
, p .
. , ,
p.
, p.
0, . . . , p 1, p.
, .
5 + 3 = 1(mod7). , 5 3 1, 8. ,
7, , 8 mod 7 = 1, , 5 + 3 = 1(mod7).
, ,
. , -

11.3.

215

12 ( 24).
, 55 - ,
15 . ,
, 55 + 15 = 10(mod60) ,
10 . ,
, .

11.3.2

, , , . (ab mod p), ab


p.
0, . . . , p1,
$(p - 1)^2 = p^2 - 2p + 1$ at most. Next compute $(q, r)$ such that $ab = qp + r$
and $0 \le r < p$; q is discarded and r is the result.
. p = 5.
3 4(modp) 2. , 3 4 = 12 (12 mod 5) = 2.
, 3 4 = 2(mod5).

11.3.3

p(0, 1,
. . . , p 1) (finite field) mod p
modp. modp.
modp p p, .
modp 0, 1, . . . , p 1.
.
, modp (,
a(b + c) = ab + ac).

p. Zp .
GF(p) Z/pZ.

216

11.

(group)
, . , ,
2 .
. , , 0. (-, 0 -
, -, 0 .) 1, . . . , p 1
p .
p (multiplicative group
modulo p) -;
Zp . : ( )
. , Zp , p,
Zp .
(subgroup). .
, .
,
. 8 ( 8) . {0, 2, 4, 6} .
8, . .
7 1, . . . , 6
7. {1, 6} , , ,
{1, 2, 4}.
7, ,
.

.
. .
,
p. ,
, , .. . ,
p. : a/b(modp)
c, c b = a(modp). 0 , , a/b(modp) b 6= 0.
2

, ,
, .

11.3.

217

p ? , , .
2000
.

11.3.4

: (greatest common divisor GCD), , a


b k, , k|a k|b. ,
(a, b) , a b.
, ,
.
[54].
GCD
:
a
.
b
.
: k
a b.
assert a ≥ 0 ∧ b ≥ 0
while a ≠ 0 do
  (a, b) ← (b mod a, a)
od
return b
? , , , a b. , (b mod a)
b sa s. k, a b, a (b mod a). ( ,
.) a = 0, b a b, . ,
, a b ,
.
21 30. (a, b) =
(21, 30). (30 mod 21) = 9, , (a, b) = (9, 21). (21 mod 9) = 3
(a, b) = (3, 9). , (9 mod 3) = 0
(a, b) = (0, 3). 3, 21 30.
: (least
common multiple LCM), . a b

218

11.

, a b. , (6, 8) =
24. :
$$\operatorname{LCM}(a, b) = \frac{a \cdot b}{\operatorname{GCD}(a, b)}.$$

,
.

11.3.5

,
p. , .
: (a, b), u v, , (a, b) = ua + vb.
a/b(modp).
ExtendedGCD
:
a
.
b
.
: k
a b.
(u, v) , ua + vb = k.
assert a ≥ 0 ∧ b ≥ 0
(c, d) ← (a, b)
(u_c, v_c, u_d, v_d) ← (1, 0, 0, 1)
while c ≠ 0 do
  Invariant: u_c · a + v_c · b = c ∧ u_d · a + v_d · b = d
  q ← ⌊d/c⌋
  (c, d) ← (d − q·c, c)
  (u_c, v_c, u_d, v_d) ← (u_d − q·u_c, v_d − q·v_c, u_c, v_c)
od
return d, (u_d, v_d)
. a b c d, a b, . c
d a b, . (
d mod c ,
.) , ,
; c d ,
a b. , c a,

11.3.

219

d b. c d ,
u v .
?
1/b mod p, 1 b < p. , ExtendedGCD(b, p). ,
b p , p .
ExtendedGCD u v, , ub+vp = (b, p) = 1.
, ub = 1 vp , , ub = 1(modp). , u = 1/b(modp), .. u , b p.
a/b a u. a/b = au(modp),
.

p, , ,
p. ,
p
p.
: u , ,
b,
u mod p.
ExtendedGCD, :
u, vc vd ,
u. ,
p.

11.3.6

2. , 2 ,
2. 2
, - . . 11.1
2. 2 , (XOR),
. 2
AND. 2
(1/1 = 1), . , , Z2
, .

220

11.

. 11.1. 2

11.4


. ,
.
. .
, (multiprecision library). ,
. ,
.
.

. [54, 4.3]. ,
. ,
, .
, .

Internet Python,
.
2000-4000 .
:
, . , , . . n
ln n . ( n,
ln n , -

11.4.

221

. ,
, : 2k , 0,7 k.)
2000 21999 22000 . 1386 . ,
, .
.
GenerateLargePrime
:
l
,
.
u
,
.
: p
l, . . . , u.
.
assert 2 < l ≤ u
(bound on the number of attempts)
r ← 100 · (⌊log_2 u⌋ + 1)
repeat
  r ← r − 1
  assert r > 0
  (pick a random candidate n from l, …, u)
  n ←_R l, …, u
until isPrime(n)
return n
R
. , .
. , . l 2 l u
.
: l = 2 3 . , , . , . ,
3
, , , 2. , 2 ,
GenerateLargePrime .

222

11.

90, . . . , 96 .
, , ,
, . , u
0,7 log2 u . ( log2 2. : log2 (x) := ln x/ ln 2). log2 u ,
blog2 uc + 1 : , ,
u . , u
2017 , blog2 uc + 1 = 2017. 100 ,
.
, ,
2128 , .
, GenerateLargePrime
- . assert ;
, .
. , , isPrime
, .
, n l, . . . , u. ,
, l, . . . , u . , ,
2128 ,
.
,
, n. 2 , , ,
.
, , u .
n .
isPrime , .
, n
. ,
. ,
(RabinMiller).

11.4.

223

isPrime
:
n
3.
: b
, , n .
assert n ≥ 3
for p ∈ {all primes ≤ 1000} do
  if p | n then
    return p = n
  fi
od
return Rabin-Miller(n)
, . ,
2 3, 5, 7, . . . , 999 .
1000, .
,
9 . 1000
.
, ,
, .

11.4.1

, , ,
( ). ,
. . .
, .
, ,
.
, . ,
n . a,
n ( a (basis)), a n, , n . , ,
n ,

224

11.

25% . a,
. n ,
.
75% a, , n ,
.
2128 , .
.
Rabin-Miller
:
n
3.
: b
, , n .
assert n ≥ 3 ∧ n mod 2 = 1
(compute (s, t) with s odd and 2^t · s = n − 1)
(s, t) ← (n − 1, 0)
while s mod 2 = 0 do
  (s, t) ← (s/2, t + 1)
od
(k tracks the accumulated certainty; stop once the error probability is below 2^{−k} with k ≥ 128)
k ← 0
while k < 128 do
  (choose a random basis a with 2 ≤ a ≤ n − 1)
  a ←_R 2, …, n − 1
  v ← a^s mod n
  (if v = 1, n passes the test for this a)
  if v ≠ 1 then
    (for prime n the sequence v, v^2, …, v^{2^t} ends in 1, and the element just before the first 1 must be n − 1)
    i ← 0
    while v ≠ n − 1 do
      if i = t − 1 then
        return false
      else
        (v, i) ← (v^2 mod n, i + 1)
      fi
    od
  fi
  (each passing basis lowers the error probability by a factor 2^2, so k grows by 2)
  k ← k + 2
od
return true
n, 3, .
isPrime Rabin-Miller ,
. ,
.
,
4 . n 1 a < n an1 mod n = 1. ,
, , . (
)
a. ,
, (Carmichael).
, () a.
.
n 1 2t s, s . an1 , as
t
t , as2 = an1 . as = 1(modn),
,
, an1 = 1(modn). as 6= 1(modn), 2
3
t
as , as2 , as2 , as2 , . . . , as2 (, n). n , , ,
1.
, n , , x2 = 1(modn), 1 n 1. ( ,
4
, (Fermat). , an + bn = cn .
, .

226

11.

(n 1)2 = 1(modn).) , n , n 1,
.
, .
a , n , false. n
, a , 2128 .
,
.
n .
5-10 . ,
, 2128 . , isPrime
. ,
, - .
, isPrime
2128 .
64 , , , - . , . , ,
. (
.)
, ,
, 64 ,
, , 10 .
Rabin-Miller
, .
, . (
) , 2128 .
2128 , isPrime . ,
, ,

11.4.

227

, . ,
2128 . ?
isPrime.

11.4.2

as mod n. as
n.
,
as , , . a s .
as mod n. mod n ,
.
as mod n,
. as mod n, .
s = 0, 1.
s > 0 , y :=
as/2 mod n, .
: as mod n = y 2 mod n.
s > 0 ,
y := a(s1)/2 mod n, . : as mod n = a y 2 mod n.
.
, ,
.
.
, as mod n?
k s; , 2k1 s < 2k .
2k n. . , 2000 , s 2000
4000 . , , .
. -

228

11.


. ,
(Montgomery). as [10, 4].
10 30% , ,
.

-. -
16.

12


,
.
1976 (Whitfield
Diffie) (Martin Hellman)
New Directions in Cryptography ( ) [21].

. ?
, , 10 ,
. , ,
, . 10 45
.
. , , 4950 ! -
.
,
. , , . ,
.
,
. .
,
. (Diffie-Hellman key exchange protocol),
DH [21].
229

230

12.

DH . , ,
,
,
, ,
.

12.1

, , , .
p . p
2000-4000 .
p, . DH Zp p, 11.3.3.
g 1, g, g 2 , g 3 , . . . (, p). .
, Zp . (,
Zp 1, . . . , p 1, p.) -
. , g i = g j ,
i < j. p, ,
g i ,
: 1 = g ji . , q := j i, ,
g q = 1(modp). q, g q = 1(modp), (order) g. ( , .
, . ,
.)
g , 1, g, g 2 ,
. . . , g q1 . ,
g q = 1. g (generator) , 1, g, g 2 , . . . , g q1 . ,
g, q, ..
g.
p :
g, Zp .
, g, q = p 1.
, Zp
1, . . . , p1, 1, g, g 2 , . . . , g p2 .

12.2.

231

g, ,
(primitive element) .
g . : , g, g, ,
. ,
, , g, .
,
, p. ,
, (. 11.3.3).
.
. g g p1. . g
, h - . g , x, h = g x . , h. 1, h, h2 , h3 , . . .,
1, g x , g 2x , g 3x , . . . . (,
p.) h q, hq = 1. , q, g xq = 1. t g t = 1
, t = 0(modp 1). , h q, xq = 0(modp 1). ,
q = (p 1)/(x, p 1). , q p 1.
. p = 7. g = 3
the elements 1, g, g^2, …, g^5 = 1, 3, 2, 6, 4, 5 (all modulo p). For h = 2 we get
1, h, h^2 = 1, 2, 4 and h^3 = 2^3 mod 7 = 1. For h = 6 we get 1, 6. Their orders are 3 and 2, respectively,
p 1.
, 11.4.1. , a
ap1 = 1. . g Zp . x, , g x = a. g
, x a.
$a^{p-1} = g^{x(p-1)} = (g^{p-1})^x = 1^x = 1.$

12.2

DH .
p g,

232


12.

Fig. 12.1: The Diffie-Hellman protocol. Each party picks a random exponent in Z*_p: one sends g^x, the other sends g^y; the first computes (g^y)^x and the second (g^x)^y, both equal to the shared key g^{xy}.

Zp . p g
, , , .
. 12.1.
. :
. . x Zp ,
1, . . . , p 1. g x mod p , , ,
Zp y. g y mod p .
g xy . ,
g y , , x. (
: (g y )x = g xy .)
k (g x )y . k,
.
? g x g y ,
x y. g xy g x g y
( DH). p g , g xy
, . , x
g x , k (g y )x ,
. x g x . . Zp (discrete logarithm). x
g x
, DL.

12.3.

233

DH .
. x g x mod p . , ,
g y g xy x.
g xy - . ,
.

12.3

,
(man-in-the-middle attack).
. , - ,
, . ,
, . . 12.2.
, .
, ,
. .
,
. ,
, , , ,
. , ,
, . , ,
,
k, k 0 ,
.
, ,
.

. , ,
, g x , , g x . -

234


12.

Fig. 12.2: The man-in-the-middle attack on Diffie-Hellman. The attacker intercepts g^x and g^y and substitutes its own values g^v and g^w, so the two parties end up with different keys k = (g^w)^x and k′ = (g^v)^y, each shared with the attacker rather than with each other.

,
, .
, - .
k ,
. h . h(k),
,
, .
, , k
, . . , ,
. ,
. , ,
.

12.4.

12.4

235

DH . ,
g x g y
, k = 1.
, ,
: . , ,
, , -
.
, g Zp , .

g .

1, g, g 2 , . . . , g q1 . k,
. , , g
. p g?
p g,
- .
, p g . , p g
p.
p.
, g x 1;
. g x h, .
, , ,
h. , , k. (, .)
, .
. ()
. Zp 1, . . . , p 1. 1, h, h2 , h3 , . . . , hq1 , h
Zp , q h. , ,
q p 1. , p 1. :
d, p 1,

236

12.

d. , ,
p 1, .
. p ,
p1 , , 2. ,
, :
1 p 1. , ,
, , p1
.

12.5

, p
(safe prime). 2q+1,
q . Zp
:
, 1;
2, 1 p 1;
q;
2q.
, . ,
. , Zp , .
p, - (, p). ,
1, . . . , p 1 , . , , . (
,
, , ,
.)
,
(Legendre symbol). , p , . . , g g x ,
(, ) , x . x , g x . x , g x .
, ,

12.6.

237

, , x
. :
x, . ,
p. q. , q , ,
.
. (p, q), , p = 2q + 1 p q . (
isPrime .)
2, . . . , p 2 g = 2 (modp). , g 6= 1 g 6= p 1. ( g , .)
(p, q, g)
.
, ( ) , ,
, g, , , g. , ,
. , .
r , rq = 1(modp).
1, .
: r 6= 1 rq mod p = 1.

12.6

. p n , q
n1 , , n1 . 3n/2 p. p
.

. . q
256- . ( , 2255 < q < 2256 .) p, , p = N q + 1
N . N , p N q + 1 ,

238

12.

p . p , , N
. p .
q. ,
. Zp
g = N . , g 6= 1 g q = 1. ( g = p 1
, q .)
g ,
. (p, q, g)
.
, , , ,
g. g x . , , , , ,
, g, , . ,
. r ,
r 6= 1 rq mod p = 1. , ,
r p,
1 < r < p rq = 1.
r , g,
q
r = 1. , r e, re mod q . ,
e , q.
? p , , 2000 .
g x 3000 .
384, x
q, x 256 . ,
g x 8 , . p, .
.

12.7

. ,
2128 , . .

12.7. p

239

,
.
2128 , p
6800 . p
.
. , ( 128
256 ) , .
,
1 .
,
, .

, . .
. , .
, . ,
,
. , 30 ,
20 ,
. ,
50 . ,
, 20 . ,
.

20 . ,
21 , 50 ,
. ,
1

, . , , .

240

12.

.
, p,
[62]. ,
2048 2022 ,
3072 2038 , 4096 2050 . 6800 ,
[62]. p , 2128 .
. ,
,
.

10 , ,
50 , . , 50 .
, [62], ,
.
? ,
, 20 . ,
2048 . , ;
.
, .
: 2048
. ( , .) , 4096 . : ,
8192 .
.
.
. , , . ,
, ,
.
, 20 . .

12.8.

12.8

241

,
, DH.
q 256- . (
DH ,
256 , 2128 .) p
N q + 1 N . ( ,
p, . 12.7. N .) g,
, g 6= 1 g q = 1. ( , g = N , g.
.)
, (p, q, g),
:
p q , q 256 ,
p ( );
q (p 1);
g 6= 1 g q = 1.
, . , ,
,
. (p, q, g) . ,
, .
, r,
, , 1 < r < p
rq = 1. : r = 1 .
, , . 12.3.
.
. DH . ( ,
,
.)
DH
, . 12.1.
, x y 1, . . . , q 1. ,

242

12.

. 12.3.

,
, .
. 12.3 (, =
<), . ,
( ) , . , .
, ,
. , ,
. ,
, , x
Y . , ,
14.5.5.

, , .
k ,
. 15.6.

12.9

, , ,
. IKE (Internet Key Exchange Internet), IPSec. IKE -

12.9.

243

. IKE ,
. IKE
,
. IKE ,
,
. .
,
DH (. . 12.3), X Y . ,
k, , . (
, IKE.)
.
, Y , k . , ?
. d (p1). Y d. k
d Y (x mod d).
(x mod d), k, ,
, . (x mod d) ,
, (x mod d).
, p1 (d1 , d2 , . . . , dk )?
(x mod d1 ), . . . , (x mod dk ).
(. 13.2),
(x mod d1 d2 d3 . . . dk ). , p 1 ,
x. x
,
. , Y ,
, . x, k,
.
: IKE. IKE, . ,
, , .

244

12.

, , - ,
.
, p1 . , 2128 .
p1 2128 .
, , , 128 x, ,
2128 .
x, . x
256 , . , X Y .
,
, (p, q, g).
, p 1
p , q. , .
, . NIST , DSA
(Digital Signature Algorithm ),
, .
(NSA, , ..) ,
. , ,
, , . ;
, NIST ,
, , . ,
.
, :
,
.
, ,
.
p 1, . , ,
, p1, .
, .

13

RSA
(RivestShamirAdleman RSA), , (
).
RSA , , . , RSA ,
,
.

13.1

RSA (. 12, ), . ( DH) : , p g , g x (modp) x,


x g x (modp). RSA, ,
(trapdoor one-way function). n e, me (modn) m, . , , n ,
. n . ,
, , . RSA ,
. RSA (Ronald
Rivest), (Adi Shamir) (Leonard Adleman) 1978 [80].
245

246

13. RSA

p, q n. p q
, . n n := pq.
( , -
.)

13.2

p,
, n. , . ,
(Chinese Remainder Theorem CRT). , (Sun
Tsu), . (
,
RSA, ,
, ?)
n 0, 1, . . . , n 1. , , n . Zn (ring),
. x Zn
(x mod p, x mod q). ,
: (x mod p, x mod q), x.
(a, b) := (x mod p, x mod q).
, x , . x
(a, b), , Zn
x0 , x0 mod p = a x0 mod q = b. x
x0 (a, b),
, .
d := x x0 ,
(a, b). (d mod p) = (x x0 ) mod p = (x mod p) (x0 mod p) =
aa = 0, , d p. , d
q. , d (p, q),
. p q
, (p, q) = pq = n, , x x0 n. x x0
0, 1, . . . , n 1, x x0 , n,

13.2.

247

n + 1, . . . , n 1.
, n, xx0 = 0, x = x0 . ,
(a, b) x,
. x.

13.2.1

x (Garners formula):
$$x = \Big(\big((a - b)(q^{-1} \bmod p)\big) \bmod p\Big) \cdot q + b.$$
(q 1 mod p) ,
p q. , p,
, (1/q mod p),
(q 1 mod p).
, ;
, x .
, x 0, . . . , n 1. ,
x 0. t := (((ab)(q 1 mod p)) mod p)
0, . . . , p 1, p.
$t \le p - 1$, so $tq \le (p-1)q$ and $x = tq + b \le (p-1)q + (q-1) = pq - 1 = n - 1$.
, x 0, . . . , n 1.
, x
p, q.
$$\begin{aligned}
x \bmod q &= \Big(\big(((a-b)(q^{-1} \bmod p)) \bmod p\big)\cdot q + b\Big) \bmod q \\
          &= (K \cdot q + b) \bmod q \\
          &= b \bmod q \\
          &= b
\end{aligned}$$

Here K stands for the value $((a-b)(q^{-1} \bmod p)) \bmod p$; multiplied by q it vanishes modulo q. The computation of $x \bmod p$ is similar:

$$\begin{aligned}
x \bmod p &= \Big(\big(((a-b)(q^{-1} \bmod p)) \bmod p\big)\cdot q + b\Big) \bmod p \\
          &= \big(((a-b)\,q^{-1}) \cdot q + b\big) \bmod p \\
          &= \big((a-b)(q^{-1} q) + b\big) \bmod p \\
          &= \big((a-b) + b\big) \bmod p \\
          &= a \bmod p \\
          &= a
\end{aligned}$$

248

13. RSA

(x mod p).
mod p. , . (,
, , .. (ab)c = a(bc).) ,
(q 1 q) = 1(modp), .
.
, , ,
, .
, .
,
x, (a, b) = (x mod p,
x mod q). ,
,
.
q 1 mod p ,
p, p,
.

13.2.2

, n
1 .
, ,
.

13.2.3

?
- n,
.
0 x < n (x mod p, x mod q) x
CRT- x. x y
, CRT- (x+y)
((x + y) mod p, (x + y) mod q), ,
CRT- x y. (x + y) mod p
((x mod p)+(y mod p) mod p). ( 1
n, , .

13.2.

249

p) CRT- x y.
.
. CRT- xy (xy mod p, xy mod q), ,
CRT- x y. (xy mod p) (x mod p) (y mod p)
p. , q.
k n. p q
k/2 .
n k- ,
k- , n. CRT-, ,
,
. , .
CRT- . k- , k/2- .
CRT-
, .
.

. , xs mod n. s k .
3k/2 n.
CRT- ,
. (xs mod p, xs mod q).
p, s (p 1). (q 1). ,
(xs mod (p1) mod p, xs mod (q1) mod q). k/2 ,
3k/4 .
3k/2 n 2 3k/4 = 3k/2 p q.
3-4 .
CRT-
.
, .

250

13. RSA

RSA. , , CRT- RSA.


. ,
RSA.

13.2.4

: x n
(x mod p, x mod q), n = pq. . CRT-
,
, . (
CRT- ,
, n .)

13.3

RSA, ,
n . p.
p 0 < x < p
xp1 = 1(modp).
n. RSA,
t, xt = 1 mod n ( , ) x.
, ,
.
.
t, x
xt = 1(modn). , xt = 1(modp) xt =
1( mod q). p q ,
, p1 q1 t. t,
$\operatorname{LCM}(p-1, q-1) = \frac{(p-1)(q-1)}{\operatorname{GCD}(p-1, q-1)}$, and t is exactly this value:
$$t = \operatorname{LCM}(p-1, q-1).$$
p, q n ,
. t
(Euler) (n). n n = pq (n) = (p 1)(q 1), t.
, x(n) = 1 (n) t
, - t.

13.4. RSA

251

, t, : xt mod p , x mod p = 0. xt mod n = 1 x.


, : q ,
x mod p = 0, p , x mod q = 0. p + q,
, p + q 1, 0 .
, n = pq. , RSA
: xt+1 = x(modn).
. CRT-.
x = 0(modp), xt+1 = 0 = x(modp). q.
, xt+1 = x(modn) Zn .

13.4

RSA

RSA. p q n = pq. p
q , n
.
,
e d. ed = 1(modt),
, , t = (p 1, q 1).
e ,
ExtendedGCD (. 11.3.5), d e
t. , ed = 1(modt).
To encrypt m, compute $c := m^e \pmod n$; to decrypt c, compute $c^d \pmod n$. Indeed
$(m^e)^d = m^{ed} = m^{kt+1} = (m^t)^k \cdot m = 1^k \cdot m = m \pmod n$ for some integer k, so taking the e-th root of $m^e$ recovers m.
me , m.
(n, e) . . (p, q, t, d)
(private key) ,
RSA.
cd mod n c1/e mod n. ,
n t,
xt = 1(modn), , t . d e t, d 1/e

252

13. RSA

. c1/e , RSA.
e c. , n
.

13.4.1

RSA

RSA.
, . .
m, s := m1/e mod
n. (m, s) . , , , ,
se = m(modn).
,
, e m
, .

13.4.2

. e
t = (p1, q1), d . p, q e ,
. , ,
.
RSA, e .
e . e,
p q, .
,
- . , c, . , c ,
c. , , ,
RSA
. -

13.4. RSA

253

RSA,
.

n . e = 3 e = 5 .
,
n .
[28].
e . ,
, p 1 q 1 3 5. ,
p q.
3 5 . 2 . , ,
.
.
,
e, 17 65 537. ,
. ,
, ,
, .
d,
. (e, d)
d , d [94].
, d.

13.4.3

p, q, t
d, (n, e).
n ,
. , , n p q
d.
.
2

e = 2,
.

254

13. RSA

, p, q, t d. , ,
. .
, (n, e), . p q, . p,
q = n/p, t d , .
, (n, e, t)? -, t =
(p 1)(q 1)/(p 1, q 1), , (p 1)(q 1)
n, (p 1, q 1)
n/t . ( (p 1, q 1)
, ,
.) (p1)(q
1). n (p 1)(q 1) + 1 = pq (pq p q + 1) + 1 =
p + q. n = pq s := p + q. ,
:
$$\begin{aligned}
s &= p + q; \\
s &= p + n/p; \\
ps &= p^2 + n; \\
0 &= p^2 - ps + n.
\end{aligned}$$
, p, . , p, .
, d.
e . d < t,
ed 1 t.
, t p q . . ( ,
.)
, p, q, t d,
. , .
RSA . ,
,
RSA.
.

13.4. RSA

255

, ,
, d.
p q, , n,
CRT-. , RSA
d , CRT- 3-4 .

13.4.4

n , p, .
12.7. :
20 , n 2048
. . ,
n 4096 . ,
, n 8192 . , ,

.
p q . k- n, k/2 . (k 1)- n, .

13.4.5

RSA

, ,
RSA, .
GenerateLargePrime, 11.4. p mod 3 6= 1 p mod 5 6= 1, ,
3 5. ,
e , .
GenerateRSAPrime
:
k
.
: p
2k1 , . . . , 2k 1, p mod 3 6= 1 p mod 5 6= 1.

256

13. RSA
, .
assert 1024 ≤ k ≤ 4096
(bound on the number of attempts)
r ← 100k
repeat
  r ← r − 1
  assert r > 0
  (pick a random k-bit candidate)
  n ←_R 2^{k−1}, …, 2^k − 1
until n mod 3 ≠ 1 ∧ n mod 5 ≠ 1 ∧ isPrime(n)
return n

, , .
, RSA .
.
isPrime(n),
n 3 5, isPrime(n) .

?
? ,
. , , ,
. , ,
. GenerateRSAPrime . isPrime, .
.
GenerateRSAKey
:
k
.
: p, q
.
n
k .
d3
.
d5
.
, .

13.5. RSA

257

assert 2048 ≤ k ≤ 8192
p ← GenerateRSAPrime(⌊k/2⌋)
q ← GenerateRSAPrime(⌊k/2⌋)
(the two primes must differ)
assert p ≠ q
(t ← LCM(p − 1, q − 1))
t ← (p − 1)(q − 1) / GCD(p − 1, q − 1)
(the public exponent 3 must be coprime to t)
g, (u, v) ← ExtendedGCD(3, t)
assert g = 1
(u may be negative; reduce it modulo t to obtain d_3)
d_3 ← u mod t
(the same for the public exponent 5)
g, (u, v) ← ExtendedGCD(5, t)
assert g = 1
d_5 ← u mod t
return p, q, pq, d_3, d_5
, ,
(e = 3),
(e = 5).

13.5

RSA

RSA .
, RSA . , m1 m2 , ,
m3 := m1 m2 mod n. ,
1/e
1/e
, m1 m2 ,
, (m1 m2 )1/e .
,
. e = 5 m < 5 n, me = m5 < n,

258

13. RSA

. m, m5 . ,
.
, AES. 256-
, 22565 = 21280 ,
.. n. , ,
.
,
RSA, ,
. .
. , n. :
, RSA,
.
,
. ,
. (padding) , ,
.
RSA,
. ,
, . (encoding function).
RSA ,
, PKCS #1 v.2.1 [84]. , .
RSA,
. , ,
. ,
PKCS.
PKCS #1 v.2.1 : .
RSA : m = cd mod n, CRT-.
:
. ,
. . ,

13.6.

259

PKCS.
.

13.6

RSA. . : ,
RSA, n.
, .
, RSA , RSA.
: K RSA. m ,
K. ,
ERSA (m), ERSA (K) EK (m). ,
RSA. ,
,
.
. K, r Zn
K := h(r)
h. r r
n. (, e = 5.)
. r , - ,
RSA. ,
, ,
r K, , r K.
r 0, . . . , 2k1 ,
k , 2k < n.
k- , Zn , -

260

13. RSA


.
.
EncryptRandomKeyWithRSA
:
(n, e) RSA, e = 5.
: K
, .
c
RSA.
k.
k ← ⌊log_2 n⌋
(choose a random r with 0 ≤ r ≤ 2^k − 1)
r ←_R 0, …, 2^k − 1
K ← SHA_d-256(r)
c ← r^e mod n
return (K, c)

K = h(c1/e mod n) K.
DecryptRandomKeyWithRSA
:
(n, d) RSA e = 5.
c
.
: K
, .
assert 0 ≤ c < n
K ← SHA_d-256(c^{1/e} mod n)
return K
, , c1/e , .
, CRT- 3-4 .
. ,
K .
.
. K,
(, ). K
,
. (
, , .)

13.6.

261

. r. RSA ( , , ), -
r, re mod n, . r
, , K.
, E
K (, - - ).
?
. K ,
- . , c,
K r. A r,
.
DecryptRandomKeyWithRSA. , c1/e mod n.

. , ,
. c1 , c2 , c3 , . . .
1/e 1/e 1/e
c1 , c2 , c3 , . . .. . ,
- . h, DecryptRandomKeyWithRSA, . K c1/e .
, K ,
. , RSA
.
, ,
, , r, c, 0, . . . , 2k 1. -

262

13. RSA

, .
, , .
, : c ,
c1/e mod n < 2k .
, , ? ,
, , c
, r 3 .
:
(c, c1/e ) c1/e c,
- . (c, c1/e ) .
r, (re , r)
c := re . . ,
, c1/e c, , c , (c, c1/e ),
. :
.

13.7

. , m, ,
. , ,
RSA, . .
. , m h(m), h . SHAd -256, 256-
. n ,
h(m) .
3

r .
EncryptRandomKeyWithRSA,
.

13.7.

263

,
h(m), s
0, . . . , n 1. m
s1/e (modn). h(m) n
(. 10.8). , h(m) 0, . . . , 2k 1, k
, , 2k < n. 0, . . . , 2k 1 , k
.
, . , .
Fortuna, 10, . h,
, ,
. ,
, RSA.
: , m s, , ,
, .
MsgToRSANumber
:
n
RSA, ,
.
m ,
n.
: s
n.
.
G ← InitializeGenerator()
(seed the generator with the hash of the message)
Reseed(G, SHA_d-256(m))
k ← ⌊log_2 n⌋
x ← PseudoRandomData(G, ⌈k/8⌉)
(keep the low k bits of x, e.g. with a bitwise AND)
s ← x mod 2^k
return s

SignWithRSA
:
(n, d) RSA e = 3.
m
, .
:
m.
s ← MsgToRSANumber(n, m)
σ ← s^{1/e} mod n
return σ
() ,
s (signature ). s1/e mod n , .
VerifyRSASignature
:
(n, e) RSA e = 3.
m
, .

m.
s ← MsgToRSANumber(n, m)
assert s = σ^e mod n
, , , .
assert,
, - . ,
: , . (
) , . ,
.
RSA
, RSA. m1 , m2 , . . . , mi ,
(s, s1/e ), s . , h(m)
. .
(s, s1/e ) s,
. , m
(s, s1/e ) , , h(m) s, s1/e .

13.7.

265

. , , , , ,
.
RSA, . RSA
(PKI), ,
. .

14


. 12, .
, , . ,
. .
, , .
, . , , ,
.

14.1


, , .
, ,
. . ,
. , , .

266

14.2.

267

, 1 .
.

DH. , . (,
.)

14.2

, . ,
? , , . , .
, , , . ,
, . . ,
.
.
. . ( )
, . , .
- ,
.
. .
.
-
.
.
,
, . .
.
,
1

.

268

14.
, .
, . .
- (mutually assured destruction MAD). .
, . , , . - , .

,
. . ,
,
: , .
,
Internet. , Web- ACME, ; .
- ,
, .
,
- .
, ACME .
: ACME , . , . - (
) ACME,
2 . ,
. , ,
.
2

, ,
Internet, , ,
, .

14.3.

269

- : , . .
100 , , - . ,
,
. : ? . :
X?.

14.2.1

, . . ,
.
, , . ,
,
, , . , . , ,
. ,
.

14.3


.
? ? .
: , . . . . ,
: ? , , ,
. . -, , , ,
, , . -, ,
.
,

270

14.

. Microsoft , , .
, ,
.
.
.
. .
: . , . ,
? ,
, ,
. ,
,
, .
.

. , , . ,
.
. . ,
, . , .
, : , ; ,

. : ,
, , , ;
, ? .
, ,
.
, , ,
. ,
.

14.3.

271

80-
. ,
. . .
, , . , .
,
.
. , , .
, .
. ,
, , , . , ,
.
. -
, .
, ,
, , . ,
, Firestone , , , .

. -, .
, ,
. ,
: , .
, .
-, .
, -

272

14.

.
,
. Internet,
.
, , .
. , , . .
, . .

14.4

, .
:
, . ,
, .
.
, , , .
. ,
.
, .
. , .
, ,
. ,
Web- SSL, Web- . Internet-
,
. Web-, , .

14.5.

273


PayPal.
, . , , ,
.

.
, .

14.5


, ,
, .
. .
, .
, ,
.
. , .
, , , .
, , . , . . , . , .

14.5.1

,
. ,
,

274

14.

. , ,
. , , .
UDP, TCP,
. . ,
,
. . TCP ,
, ,
TCP, .
. ,
. . . , ,
, .
.

, TCP-. , .
.
8, .
, .
, , , .

14.5.2

( ) . , ,
.
.
, . ,
. , -

14.5.

275

,
, , .. ,
.
,
. ,
, ,
.
, ? ? , . ; . . ,
, .

.
,
, .
, .
. .
, , , . ( ),
.
,
.

14.5.3

. . , , .
(parsing). ,
.
.

276

14.

, ,
. ,
. ,
, , ,
.
.
- .
, . ,
.
, .
TLV (TagLength
Value ).
. ()
, () , () ,
. TLV ASN.1 [42],
, . , ASN.1
.
ASN.1 XML. , XML; .
DTD (Document Template Definition
), -
.

14.5.4


. , .
, .
-
(event-driven programming), .
,

14.5.

277

-
.
- .
, ,
. . , .

14.5.5

.
, , , ,
.
, .

, .
.
, . , ,
, .
,
. , .
, , .
, . , :
.
-. . , , , ,
, .
,
.
-. -

278

14.

PIN-. PIN- , ,
. , PIN- 10 000 . -
PIN- , ,
.
: , PIN-,
, , PIN- 1 2000.
. . 1 2000
. , - . PIN-, , .. PIN- ,
, .
, , PIN-, PIN-.
. ,
, .
PIN- 40 .
( 10 , , 10
..)
PIN- 1 143. ,
1 2000. , 20 ,
PIN- 60%, 0,2%.
, 20 40
, . -, PIN-, ,
PIN-. , PIN. , - . - , PIN-, -
. , . PIN-, ,
. 40
PIN- .

14.5.

279

,
.
. ,
, !

14.5.6

, .
. , . ,
.

(retry). ,
, . , ,
.
, ,
. .
.
, , , , . -

.
.
.
, .

. UDP
(, IP), , ,
. TCP, ,
, .
, , TCP,
. ,

280

14.

- , ,
.
, , .
, .
, ,
. ,
, . , , ..
,
.
. ;
. , .
,
- , ,
, .
, .
, - ?
. ,
. , , ,
. ,
. .
,
, . .
, , . , , DH
, ,
. .
, . , ,
, .
, . ( ,

14.5.

281

.
.)
,
. . , , , . ,
. , .
,
. ,
, - .
. , ,
.
. , , . , ,
. . ,
, .
,
. ,
. - ,
.
: ,
, .
, , . , , . , , , . , ,
, . ,
.

15


- . , 8, .
,
. , . ,

.

15.1

:
. . ,
k, k
.

. 3, ,
, , .
RSA (

)
MAC.
282

15.2.

283

,
? .
() . (, -
),
. , ,
,
, . ,
.
: .
,
(, ). , , 30- , - . (dictionary attack),
. . ,
.

15.2

(. 15.1).
. DH,
. ( .) k ,
k. k
.
, . : , , . , AUTHA (k),
AUTHB (k). ,
MAC, . .
.

284

15.

Fig. 15.1 (protocol figure; recoverable content):
Both parties know $(p, q, g)$.
Alice: $x \in_R \{1, \dots, q-1\}$, $X := g^x$.
Alice -> Bob: $X$.
Bob: $y \in_R \{1, \dots, q-1\}$, $Y := g^y$.
Bob -> Alice: $Y$.
Alice: $k := Y^x$; Bob: $k := X^y$.
Alice -> Bob: $\mathrm{AUTH}_A(k)$.
Bob -> Alice: $\mathrm{AUTH}_B(k)$.

,
(p, q, g).
.
,
.
. , . , ,
. , , .
: . k
,
.
. ,
, MAC, ,
.
MAC, , , . ,
, .

15.3. !

285

k , ,
.
, , , , .
,
.

15.3

. .
2000 ,
,
. .
,
. . ,
, ,
.
, , . , , . , , (version-rollback
attack).
, ,
- .
, .
( ). .
, .
DH. ,
,
.

286

15.4

15.

,
.
,
, . , .
.
,
, ,
, ..
,
. , . 15.1,
k, X Y . ,
X, Y AUTHA .

, . ,
. ,

.
,
. AUTHA (X, Y ), AUTHA . , , , .
, , .
:
. , , ,
, . , , - . ,
, , .

15.5.

15.5

287

? DH. .
, , (. 15.2). DH x, X
. , DH
X . ( 12, .) . Y AUTHB ,
DH.
DH. , , ,
, , , .
, .
,
, ? ,
, , , .

Fig. 15.2 (protocol figure; recoverable content):
Alice: $(p, q, g)$, $x \in_R \{1, \dots, q-1\}$.
Alice -> Bob: $(p, q, g)$, $X := g^x$, $\mathrm{AUTH}_A$.
Bob: $y \in_R \{1, \dots, q-1\}$.
Bob -> Alice: $Y := g^y$, $\mathrm{AUTH}_B$.
Alice: $k := Y^x$; Bob: $k := X^y$.

288

15.
.
: DH k , .
.
. , . - , ,
, ,
( ). , , k . , k, x, x
, k.

, ,
.

. ,
, .
, .

15.6

. DH .
, .
. (,
. ,
, .)
, . ,
. .
. 15.3. s p.
256- Na
,

15.6.

289


Fig. 15.3 (protocol figure; recoverable content):
Alice: $s$ (size requirement on $p$), $N_a \in_R \{0, \dots, 2^{256}-1\}$.
Alice -> Bob: $s$, $N_a$.
Bob: $(p, q, g)$, $x \in_R \{1, \dots, q-1\}$.
Bob -> Alice: $(p, q, g)$, $X := g^x$, $\mathrm{AUTH}_B$.
Alice: $y \in_R \{1, \dots, q-1\}$.
Alice -> Bob: $Y := g^y$, $\mathrm{AUTH}_A$.
Alice: $k := X^y$; Bob: $k := Y^x$.

DH x.
, g x . DH,
Y .
. k
, .
, k ,
-
. , ,
.
,
- .
. 20

. , ,
. , .
.
.

290

15.7

15.


(. 15.4), .
, ,
. (p, q, g),
. . 15.5.
p.
p, , p, . , , s .
, 100 000- , s.
, .
p.
;
,
.

. 15.4.







15.7.

291


sa
p
Na

0, ..., 2256-1

sa, Na

sb

max(sa, sb)

2 sb
(p, q, g), log2 p
x R {1, ..., q-1}
s

s 1

(p, q, g), X := gx,


AUTHB

(p, q, g), X, AUTHB


?
?
sa 1 log2 p 2 sa
?

255 log2 q 256


, p q
?
?
?
q | ( p 1) g 1 g q 1
X
y

1 Xq 1
R {1,...,q-1}

Y := gy, AUTHA

SHAd-256(Xy)

Y, AUTHA
?
?
Y 1 Yq 1
k
SHAd-256(Yx)

. 15.5.

,
, .
.
, .
. ,
, 2 .
2, 3; .
(. . 15.5)
. ,
DH.

292

15.

DH, .
DH,
. , ,
. . , . ,
,
. , , ,
, .

15.8

. ,
, .

15.8.1

. . ,
,
, , ,
Na , .

.
, DH , DH
. , y Y , , k
, x, , g x = X. DH. X,
, . ,
x .
, ,
k .

15.8.

293

, ,
.

15.8.2

. , , . ,
- sa
Na .
-. , ,
. , , X , . , , . .
, , ,
.
DH;
, . , , ,
k , y, , g y = Y .
Y ,
, y.
, k
.

15.8.3

, . ,
, .
k DH, ,
DH , k. ,
.
.

294

15.

. , , ,
. ,
- ,
.
X .
, .
, , sa . ,
. . , sa , DH, DH .
,
.
, .
sa ,
. ( , p.)
, , .
, ? , , sa .
, ,
DH, , , . , ,
, ,
. , ,
, ,
, . ,
.
,
sa . , , ,
.
.
,
. .

15.8.

15.8.4

295

, , - .
,
, .
. .
, .
,
,
, .
, . ,
,
,
. . , , ,
. ,
. , , : ,
. ,
k ,
. ,
. (forward secrecy)1 .
.
, , . k - g xy , x y
. , . k, , k,
( ,
,
).
1
(perfect forward secrecy PFS),
,
.

296

15.

,
.

15.9

. ,
DH , , .
, :
DH
;
;
;
, ,
, 2 .
, DH. , .
256- .
1150 3 .
, , RSA, RSA
DH . s- 3s/2 ,
(Chinese Remainder Theorem CRT). CRT- ,
RSA s- 3s/8 . :
RSA DH
2

.
DH, ,
.
3
.

1000 .

15.10.

297

. 3000 .
, DH
256- , RSA
.
,
DH
RSA.
,
.
RSA, . ( RSA
, .)
. , , ,
, .

15.9.1

, DH, . (addition chain heuristics)



. , X q X y . (addition
sequence heuristics), ,
250 . (Bos) [10, 4].
,
y g y ,
, .

15.10

, .
,
DH , ( ). ,
, , . .

298

15.

-, - , . 50
, , ! , , 50
.
. ,
.

- . , ,
, .
-, . , , -. - (Marius Schilder), , , ,
. , ,
. - ( , ).
-. ,
, -
. ,
. !
,
.
. ,
. : !

,
. . : DH,
DH . -

15.11.

299

, .
, - . ,
, , . ,
.
- ,
. ,
. . ,
, , ,
. ,
, , . : ,
. , ,
: ,
.

15.11

, . .
,
. . ,
, , , , ,
.

15.12

,
. , ,
.
MAC,
, : ( ),
. MAC , .

300

15.

. , , . ,

.
; ,
SRP [96]. . ,
.
, , .
(Stanford University) SRP, , ,
, SRP. ,
. ,
, .

16

. II
, , .

16.1

. , .
. , , , , . ,
(Add With Carry ADC)
. C .
, , . ,
, , , .
. .
[54]. ,
, ,
.
301

302

16. . II

, . 264 (
18 ) , .
220 ( ) ,
. , , , .

1 .
, . S- AES,
.
. ,
,
.
,
.
.
, , . , ,
, .
,
232 264 . .
.
32- 240
, 32-
, 64 .
, . , . ,
. 1
IDEA
MARS, .

16.1.

303

, . ,
a < b,
a = b 1, a = b a = b + 1 (,
).
. , . ,
, , ..,
.
. .
, RSA,
, p, q. ( ,
CRT-.) ,
+ kq, k . ( , , q,
p, + kq.) 3 mod n ,

. ( + kq)3 3 q.
n, q
n .
!
, ? -,
. - . , , . -,
. , . -,
.
.

16.1.1

, , (wooping).
(David Chaum) (Jurjen Bos)
. -

304

16. . II

- woop 2 .
. [10, 6],
wooping, .
, .
. , . ,
.
,
. ,
, , ( ,
,
).

t 64-128 . t
, . t
. x, , x
:= (x mod t). x

WOOP(x). WOOP(x) . . WOOP(x)
.
, x WOOP(x).
, , x
x mod t.
WOOP. ,
WOOP , WOOP
, WOOP , .
c := a + b. ,
, c, c = a
+ b(modt). 2

wooping ( whooping) , . , . . .

16.1.

305

.
c , , c mod t = c. , .
n ,
. c = (a +
b) mod n, c = a+b+k n, k
, c 0, . . . , n 1.
. k 0
1 , a b 0, . . . , n1. n) mod t.
c = (
a+b+k
,
k. k,

k.
.
c = a b + k n. c = a
b + k n
(modt),

a
, b, n
k. ,
k - .
,
. : a b, n, .
k,
WOOP(k). c.
.
, .
. (
,
.) x WOOP(x)
WOOP
WOOP .
, , , WOOP WOOP .
WOOP , WOOP
.
, WOOP
.

306

16. . II

WOOP.
x, , (x mod t) = x
.
, x mod t x
. ,
,
, t . , ,
t, . ,
t. , .

. .
WOOP(x)? . , , 1/t. , . , , , .
, . t
; t, , .
?
, , . ,
t. t
, .
, 64- t,
16 64 = 1024 .
, ,
t , .
t, .
, t. , , 128 , t
128 .

16.1.

307

,
; , .
, , , .
(fatal error).
. t 64- .
128- .
64- t, 32-
, . 32- t
32- ,
.
, ,
WOOP(x). ?

: (x mod t) = x
. , , , .


. , ,
. , , ,
, .

16.1.2

DH

,
. DH, ,
. , ,
q. , , , , .
- ,
,
. ,
, .
, -

308

16. . II

g x x,
.
DH , . , , x g x . ,
, DH
. , , -
.

16.1.3

RSA

RSA , . -
, ,
, .
,

RSA. , RSA
c = m5 mod n, m , c .
, c1/5 mod n
m.
( , ). , ,
RSA .
, z , c z 5 = (m z)5 mod n.
: c = m5 z 5 , , (mz)5 c z 5 . .
z,
.
RSA ,
.

16.1.4

RSA

RSA . , , -

16.2.

309

.
.
RSA , . .

16.1.5

. ,
, .
,
,
.
,
, .
. ;
, . , , ,
.

16.2


, . [67]. ,
. [25].
(x mod n),
x n. x , n. : x 2. x ,
x 2, .
x , n (, , x n),
2. ( n. , n. ,
n.) n k , x
(n 1)2 , k 2. -

310

16. . II

0, . . . , 2n 1,
n.
- ! 2,
. (x mod n),
x/2k mod n k. , 2k . , .
, 2k . , .
,
. ,
. (, ,
, .) 2k
.
, , . x x 2k .
x y,
. ,
x 2k y 2k , x 2k y 2k n
2k .
x y 2k ,
xy. , , , ( 2k )

( 2k ). x (22k mod n). ,
, , x y 2k k , 2k .
n,
, 2n 1. (
) n.
, . , w . x z,
x + zn . -

16.3.

311

, z
x -,
n. x + zn
, 2w ,
. , .

16.3

-
9.5. , , .
-.
, . ,
,
, . , , . ,
, ,
.
, .
IDEA [60, 61] MARS [13].
, .
( RC6 [77] MARS)
( RC6 RC5), , .
-. , ,
,
.

-. ,
,
. , .
, , .
Web- . -

312

16. . II

SSL
RSA, .
, RSA . ,
, .
, , A ,
B, ,
.
.
A B .
,
, , ,
. , ,
A B.
,
.
.
, , [55].

16.3.1

-.
,
. , . ,
, , .
, . -, ,
, , , . ,
, .
.
- . , ,
, , -

16.3.

313

. , (, ),
. , -,
, , , .
, , -, . .
- . d,
. t, ,
t + d.
, - . ,
- .
, , , , , t + d.
, , -
. , ,
. -,
Internet.
, -
, [55].
.
- .
, .
, ,
.
.
. ,
, .
,

314

16. . II

, , .
t, t + C,
C . , ,
,
t + C.
, , .

16.4

.
.
, . (
), .

.
, , .

16.4.1

. , ,
.
, () .
, . (-
Kerberos.)
, , .
, .
,
.

16.4.

315

. , ,
. ,

.
, .
,
.

16.4.2

, . , . .
.
. .
. , . , .
.
.
.
, . , , TCP,
. ,

. ,
,

, .
, , . ,
n 1
n.

316

16. . II

n, ,
. .
, ?
n n 1, , .
, , . .
n 1, , n . ,
. , .
, n 1
n1, . ,
.
. , n. ,
n,
.

, .
? .
,
.
.
.
,
, .

. , , . ,
n 1 , . n 1,
. ,
, . ,
n 1 .
, n 1, -

16.4.

317

. ,
, ,
, , .

16.4.3

.
, .
.
, ?
. , , ,
.
.
, ,
. .

(SYN flood attack). ,
, .
, .
. , , Internet,
.
,
. ;
, 15 ,
.
20 , .

III

17

,
: .
. , ,
.

17.1

.
. ,
,
.
.

17.1.1

. , , , .

. , ,
, .
.

17.1.2

320

17.1.

321

. . , ,
. ,
.
. .
. , ,
.
, 10, . ,
. 128 , 256- .
. ,
.
.

17.1.3

, , , . .
,
,
, . , ,
,
.

.
. -
,
.
; , ,
.
( ) ,

, .

322

17.1.4

17.

. , , .
, . , . A B , ,
, .

.
, , ,
.
. , : ,
. , . ,
2020 .
:
. ,

2020 ,
,
. , , , .

17.2


.
. , ,
. ?
, .
,
, .
, . , -

17.3.

323

, , . , .
, , ,
. 10
. ,
, ,
. .
1980 . ,
, -
2028 .
,
. -
. , . , .

17.3

17.3.1

, -
.
. , .
, -
, .
, , .
, - . ,
.
. , ,
, .
,
.

324

17.

. , 23:55
(11:55 p.m.) , .
.
,
.
, , .
, , .
,
,
? .

17.3.2

, .
, . , , . ,
, . , .
, , .
,
.
,
. , . 10
. - .
. , , .

. , .
.
-

17.3.

325

, . , , . ,
, ,
. , , .
, : , . !

17.3.3

, . . , ,
. Internet,
.
eBay . eBay ,

.
. - 30 . , 30 .
, , . ,
.
,
.
, .
. , ,
- ,
.

326

17.4

17.

.
.
, .

, .
,
- .
, . , , .
, ,
.
( )
. , . , .
, .
, .
. 1980 , , , - . ,
. , , .
,
, 1 . ,
.
.
, Internet intranet.
, ,
NTP [65] SNTP [66].
1

OK,
, ,
, .

17.5.

327


, . , . , ,
, .

(PKI). , 19, PKI: ,
PKI , . , , .

,
.

17.5

,
.
-.
, , ,
, (, ), , , .
.
, , , .
. ,
. ,
.
,
.
.
, .
, ,
. - : -

328

17.


. , ,
, . , (,
).
.
, .
, . , , . ,
. ,
. .

. ,
, . , , . ,
.
.
.
, ? , . , ,
, . -
, 10 !

. ,
, : - ,
. , .
, - .

17.6.

329

, .
, .
,
.
.
. . . ,
, .

, . . , .
, ,
, ,
.
, .

17.6

, , . : .
, ,
.
. :
,
.
. , .
,
. ,
. ,

330

17.

, , .
UTC.
, ,
.
UTC
.
UTC (leap seconds). UTC
, .
: , 61 . .
. ,
. , . -
, , ,
. , 60 .
UTC,
.
,
. ,
.
,

. ,
.
, , UTC, GMT, TAI
UT1, Internet.

17.7

, . , , .
. !

18


. , , . .
, , .
, Internet. ,
.
,
, .
, . .
, , ,
, ,
, , , , ,
, , .
-, .
, .
,
.
(key server).

331

332

18.1

18.

, , .
,
. , KA ,
. KB , .
.
, . ,
, .
, , .
, . ,
. ,
KAB , .

18.2

Kerberos

Kerberos ,
[57]. Kerberos
(NeedhamSchroeder) [75].
Kerberos .
, .
KAB , KAB ,
KB .
KA , . KAB ,
KB , , KAB . KAB ,
( , , ).
Kerberos , ,
Kerberos
(Key Distribution Center KDC),
. , , . , -

18.3.

333

, .
, . ,
. ,
, .
, ,
Kerberos, .
, . , , .
,
. . , Kerberos.
.

18.3

Kerberos .
. , . ,
1 . .
,
. ,
. ,
, Kerberos.
, . 100 000
:
1 , 100 . ,
,
, .
, . ,
1
(ticket) , .
Kerberos.

334

18.

. , : .
,
.
. , , ,
.
,
.
, ,
, 2 .
, . ,

.

18.3.1

. ,
KA .
, 15, . (
KA , , (. 15.12). , ,
.)
0 .
KA
,
.
0 KA
(. 8, ). , . , , .
.
.
2

- - ,
.

18.3.

18.3.2

335

, .
, ;
. , .
. , KAB
. , ,
.
:
,
. , .

18.3.3

0 .
, KA
,
(
0 .
KA ), KA
,
.
,
. , .
KA ( ), .
, ,
. , ,
( ,
) .

336

18.3.4

18.

, , Kerberos,
. . ,
.

. KA ,
0 , ,
KA
,
, .

.
,
. ,
, - .
,
. , , , , . , , ,
.

18.4

,
Kerberos. .
, Kerberos , , . ,
, , , .
, .

19

PKI:

(PKI) , . , ,
. ,
,
. , ,
.

19.1

(Public-Key Infrastructure PKI)


, ,
. .
, (Certificate Authority CA). - (, RSA)
. , .
,
.
, - . , PKA
: , , 337

338

19. PKI:

PKA . ,
, ,
: PKA . (certificate). ,
.
, ,
.
,
. , , PKA
.
,
,
.
. , ,
,
.
,
.
,
. .
.

19.2

, .

19.2.1

, .. ( ),
. ,
, .
( , ),
.

19.2.

339

, , .
.

19.2.2

,
(virtual private network VPN).
, , .
VPN ,
, . IT-
. , VPN .

19.2.3


Web- . , , .
.

19.2.4

.
, , , . , , , , . ,
,
. ,
, .

,
, .

340

19.2.5

19. PKI:


. . , , ,
, . ,
. ,
,
. ,
.

19.3

, PKI
.

19.3.1

.
,
. . .
. PKX X . . : , , ,
. (certificate chain)
.

. ,
. PKI . ,
,
, , , -

19.3.

341

. , , , , , .
, , , ,
. ,
. , .
, . ,
. . .
, . ,
. . Web Internet PKI,
.
. ,
Web-! ,
, Microsoft. ,
, .
. . . ,
. , , , nastyattacker.com ,
amazon.com. Microsoft Internet Explorer ,
. Amazon,
nastyattacker.com, Web- Amazon. : ,
,
- ! ,
Microsoft ( , ).
, -

342

19. PKI:

. , ,
.

19.3.2

; .
, . , , , , . . ,
.
.

. .
.
. ,
.
, , ..
, .
X.509 v3,
.
, (Peter Guttmann) [39]. , X.509 v3 .
- X.509 v3
.

19.3.3

. . ,
. IT; .
.

. -

19.4.

343

, .
, ,
. , ,
,
.

. ,
, , (Registration Authority
RA). , 100
. . ,
.
, ,
. , ,
. .
IT-, ,
. , ,
, , .
, ,
, , , .
IT- .
, .
, , , ,
.

19.4

, , , .
-

344

19. PKI:

.
-
, . , ,
, , .
, ,
. . .

20

PKI:
.
. ,
, ,
. , . ,
, .

20.1

. . ?
. . ,
, . ,
, ,
. ,
. ,
.
,
, , . ,
, , . (
), .
345

346

20. PKI:

, , .
, .
. , . , .
, . ,
. ,

. ,
. ,
.
, ,
,
.
,
. ,
. ,
.
, ,
!
.
, , ,
. ,
, .
.
Internet. . Internet?
: .
. , jsmith533@
yahoo.com. , , ,
, .. , . ,
, - .
, . , Internet
, ,
. ,
.
. ( , , .)

20.1.

347

,
. , ,
.
, . , , . ,
,
, .

; ,
, . , ,
1 .
,
. , ,
. , , , ,
, .
, , , , . - . - , . ,
. , ,
,
.
(Social Security
number SSN) SoFi .
,
.
, .
,
. ,
,
.
1

, .

348

20. PKI:

. . , . , , , , - SSN
SoFi. .

? , . ,
, .
,
. .
, , , , .

20.2

, ?
? , , ,
, , ?
. , ,
. .
, .
, ,
.
.
, ,
. ,
. ,
, .
, -

20.3.

349

.
.

20.3

,
. , , ,
. , , . , ,
.

, .
-, , , ?
?
, ?
? ?
. ,
,
- Web-. . .
. , . ,
- . , ;
. ,
, , -
, .
.
.
,
. , . ,
. . ; , -

350

20. PKI:

, ,
.
. .
, , .
: ,
,
.

20.4

PKI. , .
, ;
.
, . ,
.

(access control list ACL). , ,
. (, :
/usr/bob, , ),
(,
). ,
.
, : , - . ,
, , . ,
, . ,
[27].
-, .

20.5.

351

, . , .
, , . ,
, , ,
?
?
, ,
.
.
. ,
. ,
.

20.5

,
. ;
[27].
,
, , .
,
.
.

, . ,
. - , , ,
. ,
. -, , ,
. , , , . ,

352

20. PKI:

, , ,

. ,
, .
, , ?
- . ,
.. , ,
,
. ,
. , ,
, .
- . , , , . .
, , . , , , ,
. ,
.
, ,
.

20.6

,
. , .
(credential) . ,
,

. , , : PKB X ,
PKA .
X, , , -

20.6.

353

, X
.
. ,
, . ,

X 2 .
.
.
-, , .
- ,
.
-, . ,
,
. , , . ,
, , ,
. ,
, .
, ( ) ,
- , .
-, ,
.
, . ,
,
, . .
, 2
, ,
.
- ,
. , ,
, , .
.

354

20. PKI:

.
, -
,
.
, , , .
.
, , ,
. , . , ,
. ,
, .
. ,
.
PIN-. ,
. , .
. , , - .
, ,
.
, !
, , . ,
.
, , , .
. -
, . , , .
. -

20.7.

355

,
.
. , .

20.7

, , .
,
PKI.
.
.
.
.
.

.
,
. ,
, .
, , , .

. , .
, . , ,
. ,
! , ( ),
.

356

20. PKI:

20.8

(revocation) . , ,
. ,
, ,
. , .
, . . ,
. 10
PGP. , , 3 .
.

, ,
.
, .
.
?
. ,
? ?
. ?
:
.

20.8.1

(certificate revocation list CRL) , .


3

PGP , PKI (web of trust).


,
.

20.8.

357

, ,
, .
. , . ,
. , ,
.
, . PKI
,
. , (single point
of failure): , -
. ,
PKI , . , ,
, .
. ,
, ,
. ,
,
. : .

.
STU-III (Secure Telephone Unit, Third Generation
). ,

. .
(, )
Web- .
, . , . ,
, .
, 50 . , .

358

20. PKI:

, .
, , .. ,
.

20.8.2

. .
( 10 24 ).
, , .
. ,
10 .
.
, . , ,
. , PKI .
,
.
, ,
.

20.8.3

, . .
.
- .
, , , .
,

20.9.

359

. , ,
.
, , .

20.9

, ,
.
, , ,
.
( )
.
.
.
, . . ,
, ,
. . , , .
, ,
.
, 18, .
.
,
. ,
. .
.
, .
, , ,
. , , . -

360

20. PKI:
.
, .
,
.
-
. .
. , . , .
,
, .
. . ,
.

. : , . . , ,
, . , ,
,
.
, , ,
.
PKI . ,
,
, . , . ,
, . , , ,

, .

20.10.

361

, ,
.
. , , .

20.10

? ? ,
.

. . ,
.
. , .
. , , , .
,
.
.
, , ,
. ,
.
, .
(logical framework).
, , . ,
, , , .

21

PKI
,
. , , . ,
. ,
. , .

21.1

, X.509. ? [39].
. .
, .
:
, ,
. XML, ,
, - ,
.

21.1.1

(, , ) ,

362

21.1.

363

. , ,
, , , . , ,
,
. , , . , PKI. , ,
, . ,
, .

21.1.2

- , - . . (, ) .
, . -
:
. (self-certification), .
, -
. .
. , ,
. , ,
.. , , , .
, . , ,
(root certificate) .
. , .

364

21. PKI


, .
, Web-, ,
.
, , . ,
. , , .
!
, .
.
.

, .
,
. , ,
.
,
.
.
, ( ) (
,
). , .

21.2

. .
. ,

21.2.

365

.
.
.
. -
.
. .
, . ,
.
. ,
, . , , ,

.

.
.
,
, ,
.
, , . . , . , , , , , .
. .
.
.
,
,
. ; .
-.

366

21. PKI
, , .
.
.

? . , ,
. ,
,
.
.
,
. , , , . ,
, .
,

. ,
. , , .
, .
.
,
.

. ,
,
.
.
- , , , , .
, 13.7. -

21.3.

367

.
, ,
.

21.3

, , ?
.
, .
.
, . . - ,
. , . ,
.
, .
, ,
. , . -
, . :

, 1 .
, , .
, , . , .
, . , - 1
, ,
.
: A,
. ,
,
.

368

21. PKI

- .
. (
, , .
.)
, . ,
.
, .
, ,
, ,
.
? . ,
. , 10 , : 10
, .
, , , 2 . ,
,
, ,
, .
, , , .
. .

21.4

, , , , ,
.
, , .
, , ,
. , ,
, . , .
2

,
(, ).

22


9.3 , , . ,
? . -,
. -, (..
) .

22.1

,
. , ,
, . ( ), ,
.
. , ,
- , , , !
,
. , .
, ?
; .
, (),
369

370

22.

, , . (
,
, .)
, , , . , , ? , , ,
- . .
, . ,
RSA .
,
, .

22.2

.
, .
, . , Web-,
, .
. , . , : .
, ,
; , , .
, , , .
. , .
.
( ,
), 19 .
, , ,
1,5-2 .

22.2.

371

, 128- 256- .
256- .
(
), .
256 ,
, , 128 1 .
2 ,
128 64 . . .
, 64 ?
.
2 , ,
32 .
. 6-8 .
. , - ,
, 7193275827429946905186?
, , aoekjk3ncmakwe?
, . (
, , ,
.)
- (passphrase).
, . ,
. , :
.
- : .
, . ,
38 , 57-76 .
: , 52 ,

78-104 .
, , , , 1
: , ,
128 .

372

22.

. ,
, .
.
, -. , , ,?. , , .
:
, ? 2 ,
. ,
, ? - , .
, .

,
,
. , , . ,
-
.
, , . ,
. ,
, 128 .

22.2.1

, . . ,
, . .
2

. . . .

22.2.

373

, (salt).
, , . , 256- .
(stretching) .
.
p , s .
h, :
$x_0 := 0,$
$x_i := h(x_{i-1} \| p \| s)$ for $i = 1, \dots, r,$
$K := x_r.$
K
. r , ,
. (, ,
xi K 256 .)
.
s , K, K, . p, K,
, . , p
. p, r
. r, .

. , , . , , , 200 . r: r , K(s, p) 200 1000
.
, r .
r ,
, r s. (
, r .)
? r = $2^{20}$ ( ), $2^{20}$ . $2^{60}$
$2^{80}$ , r = $2^{20}$ -

374

22.

20 . r,
.
. r
,
r. (Moores law), . 10 , ,
.
,
.
, , .
, ,
. 10
. , , , , ,
.
( - ), ,
10 .
,
. , .
,
. ,
:
p, K
K. ,
, .
, . ,
.
,
-.
, .
?
. , 128- -

22.3.

375

( ,
), ?
, 256-
.
, , . ,
. , , -
,
, . ,
. ,
r, , , r .

22.3

- .
, .
Web-.
( )
, - ,
, .
, . , ,
.

, .
, -
. ,
.
. -, ,
. , , 256- ,
. -

376

22.

, . , , ,
.

22.4

( ) , (secure token). , .
- ( )
iButton, USB- PCMCIA.
(.. , ) .

, .
, , ,
- . ,
.
, , . , . - ,
.
,
. ;
, .
, - .
,
, .
3 .
3

,
. ;
, .

22.5.

377


.
,
.
. ,
.
, ,
.
, .
. ,
- ,
- -
, ,
50 . , . , , .
, . , , ,
.
.
, , .

22.5

,
. ,
, . ,
, , , , . ,

, .

378

22.

, . (, , PIN) ,
.
PIN- . , PIN-
, .
, .
, , ,
. , . , , ,
.
, , . , , , PIN-.
. , ,
, .
, ,
PIN-. , .
. , (,
Palm).
,
, , ,
.
.
, .
, . ,
, , , .
,

22.6.

379

, ,
, .

22.6

, , . - .
.
, , , . 2002 (Tsutomu Matsumoto)
,
, [63].
,
( , )
.
, , , . , ,
. , .
( !),
. : , , ,
.
, .
, , . ,
,
. , ,
PIN- .
, . , ,
, . ,
,
.

380

22.

. , ,
. ,
, ,
. .
,
. ,
.
, .
,
. -
?
, ,
, . ,
, . 10 , ,
.

22.7

, . (single sign-on
SSO). , , , ,
, .
. , , ,
. . , ,
. ,

22.8.

381

, .
, ,
.
,
,
.
Password Safe,
. , , , . ,
, .
, .

22.8

, ?

? .

.
, ,
, . ,
, . !
,
.
. , , ,
. - ,
, . ,
?
,
. , , . ,
, :
.

382

22.9

22.

, .
, . .
, .
(secret sharing), , ,
. . ,
. , ,
, .
. ,
.

.
. k n ( , , k )
(n k ). ,
, : ,
, .

, . , ,
, .
, . ,
,
. ,
,
. ,
, , -
. , .

22.10.

383

, , , . ,
, , - IT. , .
- , ? .
, ,
. ,
, -
. , , -
.
, , -,
, -,
.

22.10

, . ,
, . 9.3.
.
, , : , ,
, , EPROM, EEPROM, - RAM, .

, , .

22.10.1

, , . , .

384

22.

,
, .

22.10.2

.
.
, , [38],
, , .
. ,
. ,
. , , , . /,
, ,
. , .
.
, -
.
/ , , , .

/,
, .
, , . .
.
, , ,
, . ,
.

22.10.

385

, , . ,
,
, .
, , .
,
, , .
, , . ,
.
,
, . ,
, - . (
, .) ,
50 100
.
. , , . ,
,
.
,

, - . , , , .
( ),
. , ,
,
.
,
.

386

22.10.3

22.

, , EPROM, EEPROM -. .
(. 9.3.4).
,
.
, .

IV

23

.
.
. , , ,
.

23.1

, , , . - ,
, Internet (Internet Engineering Task Force IETF), (Institute of Electrical and Electronics
Engineers IEEE), (International Organization for Standardization ISO)
(European Committee for Standardization CEN).
, . -: , - . ,
. , , . ,
. , , , . ,
(
388

23.1.

389

, ..). ,
.
.
.
, .. ,
. , .
, .
? , . , .
. . ,
. ,
. , .
, ,

. , , .
,
. ,
.
, . , - , , , . ,
.
.
, , , . -

390

23.

,
.
.
. . ,
. ,
, , ..
, , .
.
,
,
. , ,
- . , ,
,
.
, , ,
. .

23.1.1

,
. , , ,
, , . ,
, . , , .
,
,
.

23.1.2

,
.

23.1.

391

, -.
, , , , , . ,
,
, .
. , ,
, , ,
. , .
, .
,
, , . HTML-
,
, ,
. ,
.

. , , ,
,
.

23.1.3

, . , .
, ,
, .
, . , .

- ,
. ,
.

392

23.

, , :
. . . , , . . . , . . . , , . . . , . . . .. , .
, , , : ,
, .
(.. )
, , ,
, , . , , . , , ,
, . , , ,
. ,
, .
, ,
. , - , ,
.

, . , .
- . . .

23.2

SSL

, Web- Web-. ,
, SSL 2,
. SSL SSL 3 [36]. -

23.3. AES:

393

- . SSL 3 .
: SSL , , , , . Web- SSL
(PKI), PKI, , ,
. 108 35
. , ,
35 ,
, Web.
SSL -.
Netscape -. SSL ( TLS)
IETF. TLS.
TLS SSL ,
, TLS - SSL 3. ,
IETF , , IPSec [32], ,
.

23.3

AES:

AES , . AES
.
. ,
.
.
.
,
. ,
. , - .
, ,
. -

394

23.

.
.
, , ,
. ;
, . ,
- , .

(NIST) AES, . 15 ,
. - . ,
; , , ,
.
,
, , , . , , , ,
.
, , . ,
, . -
(
), , , .
,
, , .

24

, . ;
, . (
, , .) ,
, , ,
. , ,
.
, .

24.1

, ,
. , , , (prior art). ,
, ,
. 2001 , ,
[51]. ,
. , .
, , .
,
,
.
395

396

24.

,
, . ;
. ,
. ,

- , ,
. . , ,
. ,
,
: 10 .

24.2

. , , , . ? ; ,
. ,
(disclosure document), . ,
.
. , ,
.
, , ,
- . ,
. ,
, ,
.
, .

24.3.

397

. ,
;
.

24.3

,
, , .
. 20-
.
, , .
,
.
, ,
. ,
, ,
, ? , ! , , .
, .

, .

24.4

: ! , , , . ,
. , , , ,
.
, (
), . ,
.
: , , , ,
, .
, , .
, . , ,

398

24.

, , . ,
, .
, .
,
.

24.5

, , .
.
.
-
. .
. ,
.
, , -. 80-
, RSA DH
,
.
.
, .
, .

. ,
, - ,
.
XCBC, IACBC OCB.
, . ,
-
. ,
, ,

24.5.

399

.
( ), , , , . , XCBC
,

, .
, , , OCB,
,
. (, , ). ,
. ,
. , , .
, ( , )
. , ,
,
, .
,
. . , , ,
.
, XCBC, IACBC
OCB, CCM (. 8.5).
CCM , . , .

, . . . ,
.

400

24.6

24.


, . , .
, , ,
. - .
, , ( ).
, -. ,
, .

24.7


. , . ,
,
. , . 20 , IT- . ,
. IT- ,
.
, , ,
, . ,
, ,
.
, . ! , , . -
. .
,
.
,

24.8.

401

. , , ,
.
.
, , , ,
.
, IT- ,
. ,
, , . , .
. ,
, - . ,

, .
, ,
, .
, , . ,
,
.
, . ,
. , , ,
,
. ,
, - , .

24.8

. .
. ,
, ,
.
!

25


: , , .

. -, ,
. , - , - , . , , , ,
,
.
, Applied Cryptography [86, 87],
, .
. ,
, .
802.11.
, WEP (wired equivalent privacy ) .
, .
. RC4, , , .
RC4 , . WEP ,

. , , ,
402

403
.
RC4 ,
. , :
, RC4, [35]. CRC (cyclic redundancy check
), ,
, ( ) ,
. , .
- .
, . ,
.
WEP ; .
WEP , . :
. WPA (wireless protected access
) .
WEP . , ,
- 802.11, .
: , ,
Applied Cryptography.
, ,
.
. , , ,
.
, .
, 70%. ,
, 90%. . , .
, . ,
.

404

25.

,
? , ,
, - ,
.
,
. , . , , ,

. , ,
, .
, . ,
.
- , :

. - , . .
,
.
, , .

, , .
. , , . , .

, .
. , ?
, . , ;
, . , ,
;
, .

405
, . . , , , , . 1020 .
. ,
. ,
,
, ,
.
, .
. ,
. , , , . ,
,
. ,
.
, , , .
; . , , . , - . DigiCash 1990- .
. , , .
, .
Secrets and Lies [88] :
, . ,
. , .
-

406

25.

,
. , ,
. , , , .
,
, .
, .
, , .


, . ,
. , . ,
, ,
, .
(Beth Friedman), , (Denise
Dick), , . ,
. Internet.
(Carol Long) Wiley .
, ,
.

407

1. Anderson R.J. Security Engineering: A Guide to Building Dependable Distributed Systems. John Wiley & Sons, Inc., 2001 (ISBN 0-471-38922-6).
2. Anderson R., Biham E. and Knudsen L. Serpent: A proposal for the Advanced Encryption Standard. In: National Institute of Standards and Technology, August 1998 (see http://www.cl.cam.ac.uk/~rja14/serpent.html and http://www.nist.gov/aes).
3. Bellare M., Canetti R. and Krawczyk H. Keying Hash Functions for Message Authentication. In: Koblitz N. (ed.). Advances in Cryptology, CRYPTO 96. Lecture Notes in Computer Science. Springer-Verlag, 1996, vol. 1109, p. 1–15.
4. Bellare M., Killian J. and Rogaway P. The Security of Cipher Block Chaining. In: Desmedt Y.G. (ed). Advances in Cryptology, CRYPTO 94. Lecture Notes in Computer Science. Springer-Verlag, 1994, vol. 839, p. 341–358.
5. Bennett C.H. and Brassard G. An update on quantum cryptography. In: Blackley G.R. and Chaum D. (ed). Advances in Cryptology, Proceedings of CRYPTO 84. Lecture Notes in Computer Science. Springer-Verlag, 1984, vol. 196, p. 475–480.
6. Biham E., Dunkelman O. and Keller N. The Rectangle Attack: Rectangling the Serpent. In: Pfitzmann B. (ed). Advances in Cryptology, EUROCRYPT 2001. Lecture Notes in Computer Science. Springer-Verlag, 2001, vol. 2045, p. 340–357.
7. Biham E. New Types of Cryptoanalytic Attacks Using Related Keys. In: Helleseth T. (ed). Advances in Cryptology, EUROCRYPT 93. Lecture Notes in Computer Science. Springer-Verlag, 1993, vol. 765, p. 398–409.
8. Black J., Halevi S., Krawczyk H., Krovetz T. and Rogaway P. UMAC: Fast and Secure Message Authentication. In: Michael Wiener (ed). Advances in Cryptology, CRYPTO 99. Lecture Notes in Computer Science. Springer-Verlag, 1999, vol. 1666, p. 216–233.

9. Bos J. Booting problems with the JEC computer. Personal Communications, 1983.
10. Bos J. Practical Privacy. PhD thesis, Eindhoven University of Technology, 1992 (see http://www.macfergus.com/niels/lib/bosphd.html).
11. Brassard G. and Crepeau C. Quantum Bit Commitment and Coin-Tossing Protocols. In: Menezes A.J. and Vanstone S.A. (ed). Advances in Cryptology, CRYPTO 90. Lecture Notes in Computer Science. Springer-Verlag, 1990, vol. 537, p. 49–61.
12. Brincat K. and Mitchell C.J. New CBC-MAC forgery attacks. In: Varadharajan V. and Mu Y. (ed). Information Security and Privacy, ACISP 2001. Lecture Notes in Computer Science. Springer-Verlag, 2001, vol. 2119, p. 3–14.
13. Burwick C., Coppersmith D., D'Avignon E., Gennaro R., Halevi S., Jutla C., Matyas S.M. Jr., O'Connor L., Peyravian M., Safford D., Zunic N. MARS: a candidate cipher for AES. In: National Institute of Standards and Technology, August 1998 (see http://www.research.ibm.com/security/mars.html and http://www.nist.gov/aes).
14. Cachin C. Entropy Measures and Unconditional Security in Cryptography. PhD thesis, ETH, Swiss Federal Institute of Technology, Zurich, 1997 (see ftp://ftp.inf.ethz.ch/pub/publications/dissertations/th12187.ps.gz).
15. Carroll L. The Hunting of the Snark: an Agony, in Eight Fits. London: Macmillan and Co., 1876.
16. Chabaud F. and Joux A. Differential Collisions in SHA-0. In: Krawczyk H. (ed). Advances in Cryptology, CRYPTO 98. Lecture Notes in Computer Science. Springer-Verlag, 1998, vol. 1462, p. 56–71.
17. Courtois N. and Pieprzyk J. Cryptanalysis of Block Ciphers with Overdefined Systems of Equations. Cryptology ePrint Archive, Report 2002/044, 2002 (see http://eprint.iacr.org/).
18. Daemen J. and Rijmen V. AES Proposal: Rijndael. In: National Institute of Standards and Technology, August 1998 (see http://www.esat.kuleuven.ac.be/~rijmen/rijndael and http://www.nist.gov/aes).
19. Davis D., Ihaka R. and Fenstermacher P. Cryptographic Randomness from Air Turbulence in Disk Drives. In: Desmedt Y.G. (ed). Advances in Cryptology, CRYPTO 94. Lecture Notes in Computer Science. Springer-Verlag, 1994, vol. 839, p. 114–120.
20. Den Boer B. and Bosselaers A. Collisions for the compression function of MD5. In: Helleseth T. (ed). Advances in Cryptology, EUROCRYPT 93. Lecture Notes in Computer Science. Springer-Verlag, 1993, vol. 765, p. 293–304.

21. Diffie W. and Hellman M.E. New Directions in Cryptography // IEEE Transactions on Information Theory. 1976. IT-22(6). P. 644–654.
22. Dijkstra E.W. The Humble Programmer // Comm. of the ACM. 1972. 15(10). P. 859–866. (EWD340, http://www.cs.utexas.edu/users/EWD/ewd03xx/EWD340.PDF.)
23. Di Crescenzo G., Ferguson N., Impagliazzo R. and Jakobsson M. How To Forget a Secret. In: Meinel C. and Tison S. (ed). STACS 99. Lecture Notes in Computer Science. Springer-Verlag, 1999, vol. 1563, p. 500–509.
24. Dobbertin H. Cryptanalysis of MD4 // J. Cryptology. 1998. 11(4). P. 253–271.
25. Dusse S.R. and Kaliski B.S. Jr. A Cryptographic Library for the Motorola DSP56000. In: Damgård I.B. (ed). Advances in Cryptology, EUROCRYPT 90. Lecture Notes in Computer Science. Springer-Verlag, 1990, vol. 473, p. 230–244.
26. Dworkin M. Recommendation for Block Cipher Modes of Operation: Methods and Techniques. National Institute of Standards and Technology, December 2001 (see http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf).
27. Ellison C. Improvements on Conventional PKI Wisdom. In: Smith S. (ed). 1st Annual PKI Research Workshop Proceedings. 2002, p. 165–175 (see http://www.cs.dartmouth.edu/~pki02/Ellison/).
28. Evertse J.-H. and Van Heyst E. Which New RSA-Signatures Can Be Computed from Certain Given RSA-Signatures? // J. Cryptology. 1992. 5(1). P. 41–52.
29. Feistel H., Notz W.A. and Smith J.L. Some Cryptographic Techniques for Machine-to-Machine Data Communications // Proc. of the IEEE. 1975. 63(11). P. 1545–1554.
30. Ferguson N., Kelsey J., Lucks S., Schneier B., Stay M., Wagner D., Whiting D. Improved Cryptanalysis of Rijndael. In: Schneier B. (ed). Fast Software Encryption, 7th International Workshop, FSE 2000. Lecture Notes in Computer Science. Springer-Verlag, 2000, vol. 1978, p. 213–230.
31. Ferguson N., Kelsey J., Schneier B. and Whiting D. A Twofish Retreat: Related-Key Attacks Against Reduced-Round Twofish. Twofish Technical Report 6, Counterpane Systems, February 2000 (see http://www.counterpane.com/twofish.html).
32. Ferguson N. and Schneier B. A Cryptographic Evaluation of IPsec, 1999 (see http://www.counterpane.com/ipsec.html).
33. Ferguson N., Schroeppel R. and Whiting D. A simple algebraic representation of Rijndael. In: Vaudenay S. and Youssef A.M. (ed). Selected Areas in Cryptography, 8th Annual International Workshop, SAC 2001. Lecture Notes in Computer Science. Springer-Verlag, 2001, vol. 2259.
34. Ferguson N. Collision attacks on OCB. Comments to NIST, February 11, 2002 (see http://csrc.nist.gov/CryptoToolkit/modes/ and http://csrc.nist.gov/CryptoToolkit/modes/comments/Ferguson.pdf).
35. Fluhrer S., Mantin I. and Shamir A. Weaknesses in the Key Schedule Algorithm of RC4. In: Vaudenay S. and Youssef A.M. (ed). Selected Areas in Cryptography, 8th Annual International Workshop, SAC 2001. Lecture Notes in Computer Science. Springer-Verlag, 2001, vol. 2259.
36. Freier A.O., Karlton P. and Kocher P.C. The SSL Protocol, Version 3.0. Internet draft, Transport Layer Security Working Group, November 18, 1996 (see http://home.netscape.com/eng/ssl3/).
37. Goldberg I. and Wagner D. Randomness and the Netscape Browser // Dr. Dobb's Journal. January 1996. P. 66–70 (see www.cs.berkeley.edu/~daw/papers/ddj-netscape.html).
38. Gutmann P. Secure Deletion of Data from Magnetic and Solid-State Memory. In: USENIX Security Symposium Proceedings, 1996 (see http://www.auckland.ac.nz/~pgut001).
39. Gutmann P. X.509 Style Guide, October 2000 (see http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt).
40. Harkins D. and Carrel D. The Internet Key Exchange (IKE). RFC 2409, November 1998.
41. Intel. Intel 82802 Firmware Hub: Random Number Generator, Programmer's Reference Manual, December 1999 (see the Intel Web site, http://www.intel.com).
42. International Telecommunication Union. X.680-X.683: Abstract Syntax Notation One (ASN.1). X.690-X.693: ASN.1 encoding rules, 2002 (see www.itu.int/ITU-T/studygroups/com17/languages/x680-x693_0702.pdf).
43. Jonsson J. On the Security of CTR+CBC-MAC. In: Selected Areas in Cryptography, 9th Annual International Workshop, SAC 2002, 2002 (see http://csrc.nist.gov/encryption/modes/proposedmodes/ccm/ccm-ad.pdf).
44. Jueneman R.R. Analysis of Certain Aspects of Output Feedback Mode. In: Chaum D., Rivest R.L., and Sherman A.T. (ed). Advances in Cryptology, Proceedings of Crypto 82. Plenum Press, 1982, p. 99–128.
45. Kahn D. The Codebreakers, The Story of Secret Writing. New York: Macmillan Publishing Co., 1967.
46. Kelsey J., Schneier B. and Ferguson N. Yarrow-160: Notes on the Design and Analysis of the Yarrow Cryptographic Pseudorandom Number Generator. In: Heys H. and Adams C. (ed). Selected Areas in Cryptography, 6th Annual International Workshop, SAC 99. Lecture Notes in Computer Science. Springer-Verlag, 1999, vol. 1758.
47. Kelsey J., Schneier B., Wagner D. and Hall C. Cryptanalytic Attacks on Pseudorandom Number Generators. In: Vaudenay S. (ed). Fast Software Encryption, 5th International Workshop, FSE 98. Lecture Notes in Computer Science. Springer-Verlag, 1998, vol. 1372, p. 168–188.
48. Kelsey J., Schneier B., Wagner D. and Hall C. Side Channel Cryptanalysis of Product Ciphers // Journal of Computer Security. 2000. 8(2-3). P. 141–158 (see http://www.counterpane.com/side_channel.html).
49. Kelsey J., Schneier B. and Wagner D. Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES. In: Koblitz N. (ed). Advances in Cryptology, CRYPTO 96. Lecture Notes in Computer Science. Springer-Verlag, 1996, vol. 1109, p. 237–251.
50. Kent S. and Atkinson R. Security Architecture for the Internet Protocol. RFC 2401, November 1998.
51. Granted Innovation Patent No. AU2001100012 A4. Circular transportation facilitation device. Keogh J. Australian Patent Office, August 2001 (see http://www.ipmenu.com/archive/AUI_2001100012.pdf).
52. Killian J. and Rogaway P. How to Protect DES Against Exhaustive Key Search. In: Koblitz N. (ed). Advances in Cryptology, CRYPTO 96. Lecture Notes in Computer Science. Springer-Verlag, 1996, vol. 1109, p. 252–267.
53. Knudsen L.R. and Rijmen V. Two Rights Sometimes Make a Wrong. In: Workshop on Selected Areas in Cryptography (SAC 97). 1997, p. 213–223 (see http://adonis.ee.queensu.ca:8000/sac/sac97/papers.html).
54. Knuth D.E. Seminumerical Algorithms. Vol. 2 of The Art of Computer Programming. Addison-Wesley, 1981. (Russian translation: 3rd ed., 2000.)
55. Kocher P.C. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In: Koblitz N. (ed). Advances in Cryptology, CRYPTO 96. Lecture Notes in Computer Science. Springer-Verlag, 1996, vol. 1109, p. 104–113.
56. Kocher P., Jaffe J. and Jun B. Differential Power Analysis. In: Wiener M. (ed). Advances in Cryptology, CRYPTO 99. Lecture Notes in Computer Science. Springer-Verlag, 1999, vol. 1666, p. 388–397.
57. Kohl J. and Neuman C. The Kerberos Network Authentication Service (V5). RFC 1510, September 1993.
58. Krawczyk H., Bellare M. and Canetti R. HMAC: Keyed-Hashing for Message Authentication. RFC 2104, February 1997.
59. Krovetz T., Black J., Halevi S., Hevia A., Krawczyk H. and Rogaway P. UMAC: Message Authentication Code using Universal Hashing. RFC draft draft-krovetz-umac-01.txt, 2000 (see http://www.cs.ucdavis.edu/~rogaway/umac/).
60. Lai X. and Massey J.L. A Proposal for a New Block Encryption Standard. In: Damgård I.B. (ed). Advances in Cryptology, EUROCRYPT 90. Lecture Notes in Computer Science. Springer-Verlag, 1990, vol. 473, p. 389–404.
61. Lai X., Massey J.L. and Murphy S. Markov Ciphers and Differential Cryptanalysis. In: Davies D.W. (ed). Advances in Cryptology, EUROCRYPT 91. Lecture Notes in Computer Science. Springer-Verlag, 1991, vol. 547, p. 17–38.
62. Lenstra A.K. and Verheul E.R. Selecting Cryptographic Key Sizes // J. Cryptology. 2001. 14(4). P. 255–293.
63. Matsumoto T., Matsumoto H., Yamada K. and Hoshino S. Impact of Artificial Gummy Fingers on Fingerprint Systems. In: Proc. of SPIE, Vol. 4677, Optical Security and Counterfeit Deterrence Techniques IV (see www.itu.int/itudoc/itu-t/workshop/security/present/s5p4.pdf).
64. Menezes A.J., Van Oorschot P.C. and Vanstone S.A. Handbook of Applied Cryptography. CRC Press, 1996 (ISBN 0-8493-8523-7).
65. Mills D.L. Network Time Protocol (Version 3). RFC 1305, March 1992.
66. Mills D. Simple Network Time Protocol (SNTP) Version 4. RFC 2030, October 1996.
67. Montgomery P. Modular Multiplication without Trial Division // Mathematics of Computation. 1985. 44(170). P. 519–521.
68. National Institute of Standards and Technology. DES Modes of Operation. FIPS PUB 81, December 1980 (see http://www.itl.nist.gov/fipspubs/).
69. National Institute of Standards and Technology. Data Encryption Standard (DES). FIPS PUB 46-2, December 1993 (see http://www.itl.nist.gov/fipspubs/).
70. National Institute of Standards and Technology. Secure Hash Standard. FIPS PUB 180-1, April 1995 (see http://www.itl.nist.gov/fipspubs/).
71. National Institute of Standards and Technology. AES Round 1 Technical Evaluation, CD-1: Documentation, August 1998 (. http://www.itl.
nist.gov/aes).
72. National Institute of Standards and Technology. Data Encryption Standard
(DES). DRAFT FIPS PUB 46-3, 1999 (. http://csrc.ncsl.nist.
gov/fips/).
73. National Institute of Standards and Technology. Proc. 3rd AES candidate
conference, April 2000.
74. National Institute of Standards and Technology. Secure Hash Standard
(draft). DRAFT FIPS PUB 180-2, 2001 (. http://csrc.nist.gov/
encryption/shs/dfips-180-2.pdf).
75. Needham R.M. and Schroeder M.D. Using Encryption for Authentication in
Large Networks of Computers // Comm. of the ACM. 1978. 21(12).
. 993999.
76. Preneel B. and Van Oorschot P.C. On the Security of Two MAC Algorithms. ? In: Maurer U. (ed). Advances in Cryptology EUROCRYPT 96.
Lecture Notes in Computer Science. Springer-Verlag, 1996, vol. 1070, p. 19
32.
77. Rivest R.L., Robshaw M.J.B., Sidney R. And Yin Y.L. The RC6 Block
Cipher. ? In: National Institute of Standards and Technology, August 1998
(. http://www.rsasecurity.com/rsalabs/rc6/ http://nist.gov/
aes).
78. Rivest R.L. The MD4 Message Digest Algorithm. ? In: Menezes A.J. and
Vanstone S.A. (ed). Advances in Cryptology CRYPTO 90. Lecture Notes
in Computer Science. Springer-Verlag, 1991, vol. 547, p. 1738.
79. Rivest R.L. The RC5 Encryption Algorithm. ? In: Preneel B. (ed). Fast Software Encryption, Second International Workshop, FSE 94. Lecture Notes
in Computer Science. Springer-Verlag, 1995, vol. 1008, p. 8696.
80. Rivest R., Shamir A. and Adleman L. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems // Comm. of the ACM. 1978.
21. . 120126.
81. Rivest R. The MD5 Message-Digest Algorithm. ? RFC 1321, April 1992.
82. Rogaway P., Bellare M., Black J. and Krovetz T. OCB: A Block-Cipher Mode
of Operation for Efficient Authenticated Encryption. ? In: Eighth ACM Conference on Computer and Communications Security (CCS-8). ACM Press,
2001, p. 196205.

415

83. Rogaway P., Bellare M., Black J. and Krovetz T. OCB: A Block-Cipher
Mode of Operation for Efficient Authenticated Encryption, September 2001
(. http://www.cs.ucdavis.edu/~rogaway).
84. RSA Laboratories. PKCS #1 v2.1: RSA Cryptography Standard, January
2001 (. http://www.rsasecurity.com/rsalabs/pkcs).
85. Schneier B., Kelsey J., Whiting D., Wagner D., Hall C., Ferguson N. The
Twofish Encryption Algorithm, A 128-bit Block Cipher. ? Wiley, 1999.
86. Schneier B. Applied Cryptography, Protocols, Algorithms, and Source Code
in C. ? John Wiley & Sons, Inc., 1994 (ISBN 0-471-59756-2).
87. Schneier B. Applied Cryptography, Second Edition, Protocols, Algorithms,
and Source Code in C. ? John Wiley & Sons, Inc., 1996; ISBN 0-471-12845-7.
( . , 2- : , , . ? . : , 2002.)
88. Schneier B. Secrets and Lies, Digital Security in a Networked World. ?
John Wiley & Sons, Inc., 2000. ISBN 0-471-25311-1. ( .
. . ? . : , 2003.)
89. Dr. Seuss. Horton Hears a Who! ? Random House, 1954.
90. Shannon C.E. A Mathematical Theory of Communication // The Bell Systems Technical Journal. 1948. 27. . 370423; 623656 (. http:
//cm.bell-labs.com/cm/ms/what/shannonday/paper.html).
91. Wagner D., Ferguson N. and Schneier B. Cryptanalysis of FROG. ? In:
Proc. 2nd AES candidate conference. National Institute of Standards and
Technology, March 1999, p. 175181.
92. Wagner D. and Schneier B. Analysis of the SSL 3.0 protocol. ? In: Proc. of
the Second USENIX Workshop on Electronic Commerce. USENIX Press,
November 1996, p. 2940 ( . http://www.
counterpane.com).
93. Whiting D., Housley R. and Ferguson N. Counter with CBC-MAC
(CCM), June 2002 (. http://csrc.nist.gov/encryption/modes/
proposedmodes/ccm/ccm.pdf).
94. Wiener M.J. Cryptanalysis of short RSA secret exponents // IEEE Transactions on Information Theory. 1990. 36(3). . 553558.
95. Winternitz R.S. Producing a One-way Hash Function from DES. ? In:
Chaum D. (ed). Advances in Cryptology, Proceedings of Crypto 83. Plenum
Press, 1983, p. 203207.
96. Wu T. The Secure Remote Password Protocol. ? In: Proc. of the 1998 Network and Distributed System Security (NDSS 98) Symposium, March 1998.
Subject index

A
Access Control List (ACL), 350
Advanced Encryption Standard (AES), 74
ASN.1, 276

B
Boojum, 164

C
CBC-MAC, 120
Certificate Authority (CA), 47; 337
Certificate Revocation List (CRL), 356
Chinese Remainder Theorem (CRT), 246
Cipher Block Chaining (CBC), 90

D
Data Encryption Standard (DES), 71
Dynamic RAM (DRAM), 163

E
Electronic Codebook (ECB), 89
European Committee for Standardization (CEN), 388

H
HMAC, 122

I
Institute of Electrical and Electronics Engineers (IEEE), 388
International Organization for Standardization (ISO), 388
Internet Engineering Task Force (IETF), 388

K
Kerberos, 332
Key Distribution Center (KDC), 332

M
MARS, 82
MD4, 108
MD5, 108
Message Authentication Code (MAC), 42; 118

N
National Security Agency (NSA), 109

P
Pseudorandom Number Generator (PRNG), 172; 179
Public Key Infrastructure (PKI), 47; 337

R
Random Number Generator (RNG), 176
RC6, 82
Registration Authority (RA), 343
RSA, 245

S
Secure Electronic Transaction (SET), 33
Secure Hash Algorithm (SHA), 109
Serpent, 78
SHA-1, 109
SHA-256, 111
SHA-384, 111
SHA-512, 111
Single Sign-On (SSO), 380
Static RAM (SRAM), 163

T
Tag-Length-Value (TLV), 276
Twofish, 79

U
UMAC, 125

V
Virtual Private Network (VPN), 339

W
Wired Equivalent Privacy (WEP), 402

X
XML, 276

Publishing licence No. 090230 of 23.06.99.
Signed for printing 19.11.2004. Format 70x100/16. Typeface: Times.
Conventional printed sheets: 21.9. Publisher's sheets: 24.8. Print run: 3000 copies.