您的位置:首页 > PPT课件 > 安全教育PPT > 信息安全基础4(密码编码学与网络安全)ppt课件

信息安全基础4(密码编码学与网络安全)ppt课件下载

素材编号:
430740
素材软件:
PowerPoint
素材格式:
.ppt
素材上传:
yangyiner
上传时间:
2020-11-21
素材大小:
1 MB
素材类别:
安全教育PPT
网友评分:

素材预览

信息安全基础4(密码编码学与网络安全)ppt课件

信息安全基础4(密码编码学与网络安全)ppt课件免费下载是由PPT宝藏(www.pptbz.com)会员yangyiner上传推荐的安全教育PPT, 更新时间为2020-11-21,素材编号430740。

这是信息安全基础4(密码编码学与网络安全)ppt课件,包括了Principle,Key Management for Symmetric Cipher,Key Management for Asymmetric Cipher等内容,欢迎点击下载。

Chapter 4 Key Management
Key Management
  Manage all stages of keys in the whole lifecycle, including the generation, storage, distribution, organization, employment, suspension, update & destruction(产生、存储、分配、组织、使用、停用、更换、销毁)
Overview
1 Principle
All-around Security 全程安全
Minimal Right 最小权利
Responsibility Separation 责任分离
Key Classification 密钥分级
Key Replacement 密钥更换
Enough Length 足够长度
Different cryptosystem, different management policy 针对不同密码体制采取不同管理策略
2 Key Management for Symmetric Cipher
  Centralization, KDC distributes session key for every session and tends to be the bottleneck and the attacking aim
Key Organization
Classification
– Elementary Key初级密钥: used for encrypting & decrypting data
Kc (for communication), Ks (for session), Kf (for file)
– Secondary Key二级密钥: used for protecting EK
KNC, KNS, KNF (N----node)
– Master Key主密钥: the topmost level
KM
Elementary Key
Key for encryption & decryption, Kc for communication, Ks for session, Kf for file storage
Generated by hardware or software of the system, can also be specified by user
Kc & Ks is one-time pad, while the lifecycle of Kf is as long as the file
K is protected by KN during its lifecycle
Secondary Key
Key to protect elementary key, KNC for Kc, KNS for Ks, KNF for Kf
Generated by hardware or software
Lifecycle is long
KN is protected by KM during its lifecycle
Master Key
The maximal key in key management system
Generated by hardware and installed/distributed by security experts
Have the longest lifecycle
Key Generation
Different strategies for different level keys
Randomicity: long-period, non-linear, equal-probability, uncertain
High-level key: real-randomicity
Low-level key: pseudo-randomicity
Generation of Master Key
Real-randomicity sequences with high quality
Means: transform the random simulation signals from the nature into digitals, based on the mechanics noise source or the electronics noise source
Generation of Secondary Key
Encrypt the random numbers
KN=E(E(E(E(i,RN1),RN2),RN1),RN3), i is a ordinal number, RN1 & RN2 is real-random, RN3 is pseudo-random
Generation of Elementary Key
Decrypt pseudo-random numbers by KN
Kc=D(RN1,KNC), Ks=D(RN2,KNS), Kf=D(RN3,KNF)
Very fast
Key Distribution
Master Key: by manpower, not practical for large network
Secondary Key: encrypted by master key, then transform the ciphertext via the network
Elementary Key: transform the generated random number directly, recovery the key by decrypting the number using the secondary key
Key Distribution for Secondary Key
Key Distribution for Elementary Key
Diffie-Hellman Key Exchange
By Diffie & Hellman in 1976 along with the exposition of public key concepts
A practical method for public exchange of a secret key, used in a number of commercial products
Mathematical basis
  – based on exponentiation in a finite field (modulo a prime) – easy
  – security relies on the difficulty of computing discrete logarithms 离散对数 (similar to factoring) – hard
Steps
Analysis of Diffie-Hellman
Cannot be used to exchange an arbitrary message as session key but a power
Known only to the two participants
Value of key depends on the participants (their private and public information)
Attacker needs an x, must solve discrete log problem
Diffie-Hellman Example
Middle-man Attack against Diffie-Hellman
The attacker Darth generates two random private-information :XD1,XD2, and computes the corresponding public-information :YD1,YD2
Alice transforms her YA to Bob
Darth intercepts YA and transform YD1 to Bob, and calculates K2=(YA)XD2 mod q
Bob receives YD1, and calculates K1=(YD1)XB mod q
Bob transforms YB to Alice
Darth intercepts YB and transform YD2 to Alice, and calculates K1=(YB)XD1 mod q
Alice receives YD2, and calculates K2=(YD2)XA mod q
Result: Bob & Darth share K1, Alice & Darth share K2
To counter such an attack, end-to-end authentication (the use of digital signatures or public-key certificates) is required
Key Storage & Backup
Principle: plaintexts of keys are forbidden out of the key management equipments
Physical assurance: reliable storage medium
Managing assurance: secure access-control 访问控制 mechanism
Key Storage
Master Key: store the plaintext in the appropriative 专用的 cipher equipments, or store the portions discretely in several equipments even in different places (Minimal Right )
Secondary Key: store the ciphertext in the memorizer存储器
Elementary Key: store the ciphertext of Kf in the memorizer, store the ciphertext of Kc & Ks in the memory 内存
Key Backup
Backup is also a storage in different equipments & different places
The backuped keys are as secure as the original keys
The low-class keys should be protected by high-class keys in ciphertext
The high-class keys in plaintext storage should be separated in portions
The backup should be recovered conveniently
Log日志 recorded for audit审计
Key Update
Master Key: all descendants 后代 ---secondary & elementary keys should be updated
Secondary Key: all descendants --- correlative elementary keys should be updated
Elementary Key
for Kc & Ks, one-time pad, no extra operation
for Kf, decrypt with former key, encrypt with renewed key
Key Suspension停用 & Destruction
Keys should be securely stored & protected after suspension to manage the information encrypted by them until their destruction
Destruction includes the backuped keys
3 Key Management for Asymmetric Cipher
PU---public: integrity & authenticity
PR---secret: confidentiality, integrity & authenticity
The corresponding relation of PU & user’s identity is protected by signature
Key Generation
 Not random number, meet given algorithm
Key Distribution
Ensure the authenticity & integrity of PU in PKDB by digital signature
Certificate: the signature of the user’s identifier and his PU by a trusted entity
CA(Certification Authority, 认证中心): the trusted entity who subscribes the signatures of PU
X.509 Authentication Service
Defines framework for authentication services
– directory may store public-key certificates
– includes public key of user
– signed by certification authority with its PR
Uses public-key crypto & digital signatures
– algorithms not standardised, but RSA recommended
Public-key certificate is the trusted carrier of PU and distribute PU securely, used in E-commerce & E-government
X.509 Certificates
Issued by a Certification Authority 认证中心 (CA), containing:
– version (1, 2, or 3)
– serial number (unique within CA): identifying certificate
– signature algorithm identifier
– issuer X.500 name (CA name)
– period of validity (from - to dates)
– subject X.500 name (name of owner)
– subject public-key info (algorithm, parameters, key)
– issuer unique identifier (v2+)
– subject unique identifier (v2+)
– extension fields (v3)
– signature (subscribe hash of all fields in certificate)
CA<<A>> denotes certificate for A signed by CA
Obtaining a Certificate
Any user with access to CA can get any certificate from it
Only the CA can modify a certificate
Because cannot be forged, certificates can be placed in a public directory
Verifying a Certificate
A user obtain CA’s public key in CA’s certificate, then can verify the security of other users’ public keys in certificates
CA’s certificate is subscribed by itself or its parent CA
CA Hierarchy 层次结构
If both users share a common CA then they are assumed to know CA’s certificate, otherwise CAs must form a hierarchy
Use certificates linking members of hierarchy to validate other CAs' certificates
Each client trusts parents certificates, trust between CAs depends on their certificates for each other
Example
Given X1<<A>>, X2<<B>>, for A&B how to authenticate each other?
  – X1X2 subscribe the other side
  – for A, certificates linking X1<<X2>>X2<<B>>
  – for B, certificates linking X2<<X1>>X1<<A>>
Certificate Revocation 撤销
Certificates have a period of validity
May need to revoke before expiry到期, eg:
– user's private key is compromised
– user is no longer certified by this CA
– CA's certificate is compromised
CA maintains list of revoked certificates by signature
– the Certificate Revocation List (CRL)
Users should update CRL periodically and check
 every certificate with CA’s CRL before use
Cache缓存 CRL for speed reason
PKI (Public Key Infrastructure) 公钥基础设施
A system consists of hardware, software, people, strategy and corresponding disposal, which create, manage, store, distribute & revoke the digital certificate (PU)
Goal: distribute PU
The trust is transformed via certificates
PKIX Components
Endpoint entity
CA
RA (Register Authority,注册机构, optional)
Distributing point of CRL (optional)
Storage of certificates (certificates & CRL)
PKIX Tasks
User registry
User initialization
Key pair generation & distribution
Authentication
Certificates generation
Backup & recovery of public-private key pair
For encryption, store both PU & PR
For signature, store only PU
Automatic key pair update
Request of certificate revocation
Cross-authentication交叉认证
A CA subscribes a certificate for another CA
Thank you…
 

上一页:夏季消防安全知识(1)ppt课件 下一页:返回列表

第九讲信息安全审计ppt课件:这是第九讲信息安全审计ppt课件,包括了概述,安全审计系统的体系结构,安全审计的一般流程,安全审计的分析方法,安全审计的数据源,信息安全审计与标准,计算机取证等内容,欢迎点击下载。

一轮复习地理信息技术的应用课件ppt:这是一轮复习地理信息技术的应用课件ppt,包括了地理信息技术的应用,遥感(RS),全球定位系统(GPS)等内容,欢迎点击下载。

信息安全基础4(密码编码学与网络安全)ppt课件

下载地址

信息安全基础4(密码编码学与网络安全)ppt课件

优秀PPT

Copyright:2009-2019 pptbz.com Corporation,All Rights Reserved PPT宝藏 版权所有

免责声明:本网站内容由用户自行上传,如权利人发现存在误传其他作品情形,请及时与本站联系

PPT模板下载 粤ICP备13028522号

举报