Thesis title: Research on Key Techniques of Session Key Establishment (会话密钥建立关键技术研究)
Author: (not listed)
Advisor: Wang Yumin
Degree: PhD
Major: Cryptography
Institution: Xidian University
Pages: 106
File size: 5796K
Date: 2006-06-01
Source: 论文网 http://www.lw23.com/lunwen_24102572/

Keywords: Session key; Multiple trust domains interoperability; Cryptographic algorithms; Protocol proof and analysis

Abstract

This thesis investigates key techniques of session key establishment: interoperability between different public key infrastructure (PKI) trust domains, public key encryption and signature algorithms, the soundness justification of symbolic formal proof methods for authentication protocols, and the analysis of authentication protocols in specific systems. The main contributions are as follows.

1. Interoperability of PKI trust domains. A new inter-domain interoperability model, the virtual bridge certificate authority (VBCA) model, is proposed. The model preserves relying parties' trust in their local CA (local CA autonomy), confines trust path construction strictly to a single PKI domain, and technically provides an opportunity for democratic decisions about inter-domain operations. It suits organizations with conflicting interests that want to extend the service range of their existing PKIs without replacing them.

2. Public key encryption and signature algorithms. A new public key encryption scheme is proposed and proved secure against indistinguishable adaptive chosen ciphertext attack (IND-CCA2) in the standard model. The scheme is derived from the Cramer-Shoup scheme but produces shorter ciphertexts and needs less computation, saving bandwidth and computing resources. New hard problems are also given, under which the Schnorr signature scheme is proved secure against chosen message attack (CMA) in the standard model. These hard problems are based on the multivariate congruence problem, which Schnorr proposed only informally; the thesis states it formally, derives a series of related hard problems from it, and proves the Schnorr signature scheme CMA secure on that basis.

3. Soundness of symbolic formal proofs for authentication protocols. A soundness proof is given for the formal description of attacker capabilities. Keyed hash functions (MACs) and signature algorithms are treated uniformly, as Goldreich does; a symbolic analysis system containing only these two primitives and concatenation is defined, and the attacker closure set defined in that system is proved computationally sound. A hybrid model that can accommodate many more operations is then given. Its definitions and reasoning method are demonstrated on an example system with encryption, decryption and concatenation, which shows that when the encryption scheme has a strong security level, a real (computational) protocol attacker cannot perform certain operations.

4. Authentication protocol analysis in specific systems. A security analysis is given of the authenticated key exchange (AKE) protocol and the reauthentication protocol in the POD (Point of Deployment) copy protection specification, and of the full authentication (AKE) protocol in the DTCP specification. The POD reauthentication protocol cannot withstand even the simplest replay attack, and the POD AKE protocol has security properties that are undesirable in implementation. The DTCP full authentication protocol has a sender-mismatch or receiver-mismatch property, which threatens the integrity goal of the DTCP system and may affect its possible application scenarios.
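The two base schemes behind contribution 2, as an added example that is not part of the thesis and does not implement its shortened Cramer-Shoup variant or its new hardness assumptions: textbook Cramer-Shoup encryption and Schnorr signatures over the order-q subgroup of Z_p^* for a safe prime p = 2q + 1. The group size (64-bit, a toy), the SHA-256 hash-to-Z_q mapping and the square/non-square message encoding are this example's own choices. The point to watch is the tag check in cs_decrypt: a ciphertext with a modified e is rejected rather than decrypted, which is the mechanism behind the IND-CCA2 property the thesis proves for its variant.

```python
"""Cramer-Shoup encryption and Schnorr signatures over the order-q subgroup of
Z_p^*, p = 2q + 1 a safe prime.  Added example (toy parameters); not the
thesis's shortened variant or its hardness assumptions."""
import hashlib
import secrets

def is_probable_prime(n, rounds=24):
    """Trial division by small primes, then Miller-Rabin."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_group(bits=64):
    """Safe prime p = 2q + 1 and a generator g of the order-q subgroup (squares mod p)."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            p = 2 * q + 1
            break
    while True:
        g = pow(secrets.randbelow(p - 2) + 2, 2, p)   # squaring lands in the subgroup
        if g != 1:
            return p, q, g

def hash_to_zq(q, *parts):
    """Hash (u1, u2, e) for Cramer-Shoup, or (R, m) for Schnorr, into Z_q (example choice)."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def encode(m, p, q):
    """Map 1 <= m <= q into the subgroup: p = 3 mod 4, so exactly one of m, p - m is a square."""
    assert 1 <= m <= q
    return m if pow(m, q, p) == 1 else p - m

def decode(x, p, q):
    return x if x <= q else p - x

def cs_keygen(p, q, g):
    g1, g2 = g, pow(g, secrets.randbelow(q - 1) + 1, p)
    x1, x2, y1, y2, z = (secrets.randbelow(q) for _ in range(5))
    c = pow(g1, x1, p) * pow(g2, x2, p) % p
    d = pow(g1, y1, p) * pow(g2, y2, p) % p
    return (g1, g2, c, d, pow(g1, z, p)), (x1, x2, y1, y2, z)

def cs_encrypt(pk, p, q, m):
    g1, g2, c, d, h = pk
    r = secrets.randbelow(q - 1) + 1
    u1, u2 = pow(g1, r, p), pow(g2, r, p)
    e = pow(h, r, p) * encode(m, p, q) % p
    alpha = hash_to_zq(q, u1, u2, e)
    v = pow(c, r, p) * pow(d, r * alpha % q, p) % p   # tag binding (u1, u2, e)
    return u1, u2, e, v

def cs_decrypt(sk, p, q, ct):
    x1, x2, y1, y2, z = sk
    u1, u2, e, v = ct
    alpha = hash_to_zq(q, u1, u2, e)
    # Reject before decrypting if the tag fails: this denies an adaptive CCA
    # attacker a decryption oracle for modified ciphertexts.
    if pow(u1, (x1 + y1 * alpha) % q, p) * pow(u2, (x2 + y2 * alpha) % q, p) % p != v:
        return None
    return decode(e * pow(pow(u1, z, p), -1, p) % p, p, q)

def schnorr_keygen(p, q, g):
    x = secrets.randbelow(q - 1) + 1
    return pow(g, x, p), x

def schnorr_sign(x, p, q, g, msg):
    k = secrets.randbelow(q - 1) + 1          # fresh per signature; reuse leaks x
    c = hash_to_zq(q, pow(g, k, p), msg)
    return c, (k + c * x) % q

def schnorr_verify(y, p, q, g, msg, sig):
    c, s = sig
    big_r = pow(g, s, p) * pow(pow(y, c, p), -1, p) % p   # g^s * y^-c == g^k
    return hash_to_zq(q, big_r, msg) == c

def demo(bits=64):
    p, q, g = gen_group(bits)
    pk, sk = cs_keygen(p, q, g)
    u1, u2, e, v = ct = cs_encrypt(pk, p, q, 4242)
    y, x = schnorr_keygen(p, q, g)
    sig = schnorr_sign(x, p, q, g, "session-key-confirm")
    return {
        "decrypted": cs_decrypt(sk, p, q, ct),
        "tampered": cs_decrypt(sk, p, q, (u1, u2, e * 2 % p, v)),   # e altered, tag not
        "good_sig": schnorr_verify(y, p, q, g, "session-key-confirm", sig),
        "bad_sig": schnorr_verify(y, p, q, g, "other message", sig),
    }
```

Running demo() returns the original message for the honest ciphertext, None for the tampered one, True for the genuine signature and False for the same signature on another message. The thesis's scheme shortens the ciphertext (u1, u2, e, v) shown here; which of these elements it removes or merges is not stated in the abstract, so the block keeps the original four-element form.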
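The attacker closure set of contribution 3, as an added example that is not part of the thesis: a Dolev-Yao style term algebra with only concatenation, a keyed hash (MAC) and signatures, an analysis step that takes apart what the attacker has seen, and a synthesis check that decides whether a target term lies in the closure. The term syntax, the rule set and the constructed scenario (an observed nonce exchange between A and B, plus the attacker's own key K_E and nonce N_E) are this example's own, and the rule that a signature reveals its message is an assumption (message-recovering signature, or the message sent alongside). The interesting outputs are the two failures: a MAC under K_AB on a value the attacker never saw tagged, and a signature under SK_B on a new message, are outside the closure, while replaying an observed tag or signature is inside it. Computational soundness of a closure like this, which is what the thesis proves for its system, says that a real attacker also cannot produce the outside terms except with negligible probability when the MAC and signature schemes are unforgeable.

```python
"""Symbolic attacker closure for a term algebra with only concatenation, a
keyed hash (MAC) and signatures.  Added example in Dolev-Yao style; the term
syntax, rules and scenario are this example's own, not the thesis's notation."""

# Term constructors.  Atoms stand for nonces and keys.
def atom(name): return ("atom", name)
def pair(a, b): return ("pair", a, b)          # concatenation a || b
def mac(key, msg): return ("mac", key, msg)    # keyed hash H_key(msg)
def sig(key, msg): return ("sig", key, msg)    # signature under signing key `key`
def vk(key): return ("vk", key)                # public verification key of `key`

def analyse(knowledge):
    """Analysis closure: everything the attacker can take apart from what it holds.
    Pairs split into components; a signature reveals its message (assumption:
    message-recovering signature, or the message sent alongside it); MAC tags
    and signatures never reveal their keys."""
    known = set(knowledge)
    todo = list(known)
    while todo:
        t = todo.pop()
        parts = t[1:] if t[0] == "pair" else (t[2],) if t[0] == "sig" else ()
        for part in parts:
            if part not in known:
                known.add(part)
                todo.append(part)
    return known

def derivable(known, target):
    """Synthesis: can the attacker build `target` from the analysed set?  A MAC
    or signature is buildable only with its key; otherwise it must have been
    observed verbatim (a replay)."""
    if target in known:
        return True
    kind = target[0]
    if kind in ("pair", "mac", "sig"):
        return derivable(known, target[1]) and derivable(known, target[2])
    if kind == "vk":
        return derivable(known, target[1])
    return False   # a fresh atom the attacker never saw

# Constructed scenario: the attacker observed one run of a nonce-exchange step
# between A and B and owns its own key K_E and nonce N_E.
N_A, N_B, N_E = atom("N_A"), atom("N_B"), atom("N_E")
K_AB, K_E, SK_B = atom("K_AB"), atom("K_E"), atom("SK_B")

def observed_knowledge():
    return [
        pair(N_A, mac(K_AB, N_A)),        # A -> B: N_A || H_{K_AB}(N_A)
        sig(SK_B, pair(N_A, N_B)),        # B -> A: Sig_{SK_B}(N_A || N_B)
        vk(SK_B), K_E, N_E,               # B's public key, attacker's own material
    ]

def closure_report():
    known = analyse(observed_knowledge())
    return {
        "learns N_B":           N_B in known,
        "mac under own key":    derivable(known, mac(K_E, N_A)),
        "replay observed tag":  derivable(known, pair(N_B, mac(K_AB, N_A))),
        "forge mac on N_B":     derivable(known, mac(K_AB, N_B)),
        "forge sig on N_A":     derivable(known, sig(SK_B, N_A)),
        "replay observed sig":  derivable(known, sig(SK_B, pair(N_A, N_B))),
    }
```

closure_report() returns True for the first three entries and the last one, and False for the two forgeries. The "replay observed tag" entry is also the symbolic shape of the replay weakness reported for the POD reauthentication protocol in contribution 4: a tag that is valid once and carries nothing fresh stays in the attacker's closure for every later run.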