Ross Anderson

Security Engineering


Скачать книгу

identical-to 3 x 5 identical-to 1 (mod 7)

       5.7.2.1 One-way commutative encryption

      Imagine we're back in ancient Rome, that Anthony wants to send a secret to Brutus, and the only communications channel available is an untrustworthy courier (say, a slave belonging to Caesar). Anthony can take the message, put it in a box, padlock it, and get the courier to take it to Brutus. Brutus could then put his own padlock on it too, and have it taken back to Anthony. He in turn would remove his padlock, and have it taken back to Brutus, who would now at last open it.

      Exactly the same can be done using a suitable encryption function that commutes, that is, has the property that left-brace StartSet upper M EndSet Subscript upper K upper A Baseline right-brace Subscript upper K upper B Baseline equals left-brace StartSet upper M EndSet Subscript upper K upper B Baseline right-brace Subscript upper K upper A. Alice can take the message upper M and encrypt it with her key upper K upper A to get StartSet upper M EndSet Subscript upper K upper A which she sends to Bob. Bob encrypts it again with his key upper K upper B getting left-brace StartSet upper M EndSet Subscript upper K upper A Baseline right-brace Subscript upper K upper B. But the commutativity property means that this is just left-brace StartSet upper M EndSet Subscript upper K upper B Baseline right-brace Subscript upper K upper A, so Alice can decrypt it using her key upper K upper A getting StartSet upper M EndSet Subscript upper K upper B. She sends this to Bob and he can decrypt it with upper K upper B, finally recovering the message upper M.

      How can a suitable commutative encryption be implemented? The one-time pad does indeed commute, but is not suitable here. Suppose Alice chooses a random key x upper A and sends Bob upper M circled-plus x upper A while Bob returns upper M circled-plus x upper B and Alice finally sends him upper M circled-plus x upper A circled-plus x upper B, then an attacker can simply exclusive-or these three messages together; as upper X circled-plus upper X = 0 for all upper X, the two values of x upper A and x upper B both cancel out, leaving the plaintext upper M.

       5.7.2.2 Diffie-Hellman key establishment

      Let's walk through this. The prime p and generator g are common to all users. Alice chooses a secret random number x upper A, calculates y upper A equals g Superscript x upper A and publishes it opposite her name in the company phone book. Bob does the same, choosing a random number x upper B and publishing y upper B equals g Superscript x upper B. In order to communicate with Bob, Alice fetches y upper B from the phone book, forms y upper B Superscript x upper A which is just