Ross Anderson

Security Engineering


$g^{x_A x_B}$, and uses this to encrypt the message to Bob. On receiving it, Bob looks up Alice's public key $y_A$ and forms $y_A^{x_B}$, which is also equal to $g^{x_A x_B}$, so he can decrypt her message.

Alice and Bob can now use the session key $g^{R_A R_B}$ to encrypt a conversation. If they used transient keys, rather than long-lived ones, they have managed to create a shared secret ‘out of nothing’. Even if an opponent had inspected both their machines before this protocol was started, and knew all their stored private keys, then provided some basic conditions were met (e.g., that their random number generators were not predictable and no malware was left behind) the opponent could still not eavesdrop on their traffic. This is the strong version of the forward security property to which I referred in section 5.6.2. The opponent can't work forward from knowledge of previous keys, however it was obtained. Provided that Alice and Bob both destroy the shared secret after use, they will also have backward security: an opponent who gets access to their equipment later cannot work backward to break their old traffic. In what follows, we may write the Diffie-Hellman key derived from $R_A$ and $R_B$ as $DH(R_A, R_B)$ when we don't have to be explicit about which group we're working in, and don't need to write out explicitly which is the private key $R_A$ and which is the public key $g^{R_A}$.

$A \rightarrow B: g^{R_A} \pmod p$
$B \rightarrow A: g^{R_B} \pmod p$
$A \rightarrow B: \{M\}_{g^{R_A R_B}}$

Slightly more work is needed to provide a full solution. Some care is needed when choosing the parameters $p$ and $g$; we can infer from the Snowden disclosures, for example, that the NSA can solve the discrete logarithm problem for commonly-used 1024-bit prime numbers [6]. And there are several other details which depend on whether we want properties such as forward security.

      But this protocol has a small problem: although Alice and Bob end up with a session key, neither of them has any real idea who they share it with.

      Suppose that in our padlock protocol Caesar had just ordered his slave to bring the box to him instead, and placed his own padlock on it next to Anthony's. The slave takes the box back to Anthony, who removes his padlock, and brings the box back to Caesar who opens it. Caesar can even run two instances of the protocol, pretending to Anthony that he's Brutus and to Brutus that he's Anthony. One fix is for Anthony and Brutus to apply their seals to their locks.
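The three-message exchange above, and the problem that neither party knows who they share the key with, can both be seen in a few lines of code. The following is an added worked example, not code from the book: it uses a constructed toy group (the safe prime $p = 23$ with generator $g = 5$, chosen only so the arithmetic can be checked by hand; a real deployment would use a standardised group of 2048 bits or more, or an elliptic curve), derives the session key by hashing $g^{R_A R_B}$ with SHA-256 (an assumption, the text does not specify a key-derivation step), and then replays the Caesar scenario: an interceptor who runs two instances of the protocol ends up holding one key with Alice and another with Bob, while each of them believes they share a key with the other.

```python
"""Unauthenticated Diffie-Hellman, and why the resulting key is anonymous."""
import hashlib
import secrets

# Constructed toy parameters for illustration only: p = 23 is a safe prime
# (p = 2*11 + 1) and g = 5 generates the whole multiplicative group mod 23.
# Real deployments use a standardised group of 2048 bits or more; the
# arithmetic below is unchanged, only the numbers get bigger.
P = 23
G = 5


def keypair(p=P, g=G, private=None):
    """Return (R, g^R mod p): R is the private exponent, g^R the public value.

    `private` may be supplied to make the exchange reproducible; otherwise a
    fresh exponent in [1, p-2] is drawn from the OS CSPRNG.
    """
    if private is None:
        private = secrets.randbelow(p - 2) + 1
    return private, pow(g, private, p)


def shared_secret(my_private, their_public, p=P):
    """DH(R_A, R_B): raise the other side's public value to my private exponent."""
    return pow(their_public, my_private, p)


def session_key(dh_value, p=P):
    """Derive a fixed-length key from g^{R_A R_B} rather than using the raw group element.

    Hashing with SHA-256 is an assumption of this example, not a step the text prescribes.
    """
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(dh_value.to_bytes(width, "big")).digest()


def honest_exchange(ra=None, rb=None):
    """A -> B: g^{R_A};  B -> A: g^{R_B};  both sides derive the same key."""
    ra, ya = keypair(private=ra)
    rb, yb = keypair(private=rb)
    key_a = session_key(shared_secret(ra, yb))
    key_b = session_key(shared_secret(rb, ya))
    return key_a, key_b


def intercepted_exchange(ra=None, rb=None, rc=None):
    """Caesar sits between Alice and Bob and runs two instances of the protocol.

    Alice receives Caesar's public value and takes it for Bob's; Bob receives
    Caesar's public value and takes it for Alice's.  Nothing in the messages
    says who sent them, so neither notices.  Returns the four keys so the
    caller can see that Alice's key matches Caesar's, not Bob's.
    """
    ra, ya = keypair(private=ra)
    rb, yb = keypair(private=rb)
    rc, yc = keypair(private=rc)                   # one interceptor key suffices
    key_a = session_key(shared_secret(ra, yc))     # Alice: "shared with Bob"
    key_b = session_key(shared_secret(rb, yc))     # Bob:   "shared with Alice"
    key_ca = session_key(shared_secret(rc, ya))    # Caesar's key towards Alice
    key_cb = session_key(shared_secret(rc, yb))    # Caesar's key towards Bob
    return key_a, key_b, key_ca, key_cb


if __name__ == "__main__":
    ka, kb = honest_exchange()
    print("honest exchange, keys agree:", ka == kb)
    ka, kb, kca, kcb = intercepted_exchange()
    print("intercepted: Alice<->Caesar agree:", ka == kca,
          " Bob<->Caesar agree:", kb == kcb)
```

Nothing the interceptor does here breaks the arithmetic; the exchange completes exactly as in the honest case. That is the point of the padlock story: the fix has to bind each public value to the party who sent it (the seals on the locks), which is what the authenticated variants of the protocol add.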