Beruflich Dokumente
Kultur Dokumente
Key
Alice
Key
Verify MAC
Create MAC
Eve
Bob
Signature vs MAC
Only the authorised entities can check a MAC, and all who
can check can also change the data
Digital signatures
Public
verification
key
Create
signature
Verify
signature
Eve
Anyone
Digital signatures
RSA signatures
ElGamal signatures
I
DSA signatures
I
ElGamal signatures
I
DSA signatures
I
k=
a=
s1 m2 s2 m1
(s2 s1 )r
Key length
Key length
Table 7.4: Security levels (symmetric equivalent)
Security
(bits)
32
64
72
80
96
Protection
Comment
Real-time, individuals
Very short-term, small org
Short-term, medium org
Medium-term, small org
Very short-term, agencies
Long-term, small org
112
Medium-term protection
128
Long-term protection
256
Foreseeable future
Smallest general-purpose
< 4 years protection
(E.g., use of 2-key 3DES,
< 240 plaintext/ciphertexts)
2-key 3DES restricted to 106 plaintext/ciphertexts,
10 years protection
20 years protection
(E.g., 3-key 3DES)
Good, generic application-indep.
Recommendation, 30 years
Good protection against quantum computers unless Shors algorithm applies.
Key length
Table 7.4: Security levels (symmetric equivalent)
Security
(bits)
32
64
72
80
96
Protection
Comment
Real-time, individuals
Very short-term, small org
Short-term, medium org
Medium-term, small org
Very short-term, agencies
Long-term, small org
112
Medium-term protection
128
Long-term protection
256
Foreseeable future
Smallest general-purpose
< 4 years protection
(E.g., use of 2-key 3DES,
< 240 plaintext/ciphertexts)
2-key 3DES restricted to 106 plaintext/ciphertexts,
10 years protection
20 years protection
(E.g., 3-key 3DES)
Good, generic application-indep.
Recommendation, 30 years
Good protection against quantum computers unless Shors algorithm applies.
x y = x y mod p
x+ay = x
+ay 0
mod p
x + ay = x 0 + ay 0 mod p 1
x x 0 = a(y 0 y ) mod p 1 = 2q
(
x x 0 = a(y 0 y ) mod 2
x x 0 = a(y 0 y ) mod q
There are at most two solutions (this occurs when x x 0 = 0 mod 2),
but it is easy to check which solution a that gives = a
You could still use a secret parameter, but this means you
restrict the group of people that can verify to the group
that knows the secret
Block 1
Block 2
..
.
..
.
Block t
Block 1
Block 2
..
.
..
.
Block t
100...0
Block 1
Block 2
..
.
..
.
Block t
I
100...0
double hashing
concatenating hashes
XORing the results
...
MD5
I
128-bit hash
Very widespread
(SSL/TLS, IPsec, . . . )
but not secure (X.509
collisions, rouge CA, ...)
(B C ) (B D)
(B D) (C D)
F (B, C , D) =
B C D
C (B D)
(round
(round
(round
(round
1 16)
17 32)
33 48)
49 64)
SHA-1
I
160-bit hash
Very widespread
(B C ) (B D)
B C D
F (B, C , D) =
(B C ) (B D) (C D)
B C D
(round
(round
(round
(round
1 20)
21 40)
41 60)
61 80)
SHA-2
I
Widespread?
(Likely to be. . . )
SHA-3 contest
SHA-3
I
a0,0
a0,1
a1,0
a1,1
..
.
a0,2
..
In total 56 bits
Weaknesses
I
Dictionary attacks
Dictionary attacks
I
I
Method
MD5
Blowfish (not in mainline glibc; in some Linuxes, NetBSD)
SHA-256 (since glibc 2.7)
SHA-512 (since glibc 2.7)