Cryptography's first principle: don't reinvent the wheel
- You Should Never "Roll Your Own" Cryptography
- Use standard encryption schemes, libraries and algorithms such as TLS / HTTPS / OpenSSL / IPsec / AES.
- Use sha256 or sha512 as the hash algorithm.
From Phil Zimmermann's (PGP creator) Introduction to Cryptography (Page 54):
When I was in college in the early 70s, I devised what I believed was a brilliant encryption scheme. A simple pseudorandom number stream was added to the plaintext stream to create ciphertext. This would seemingly thwart any frequency analysis of the ciphertext, and would be uncrackable even to the most resourceful government intelligence agencies. I felt so smug about my achievement.
Years later, I discovered this same scheme in several introductory cryptography texts and tutorial papers. How nice. Other cryptographers had thought of the same scheme. Unfortunately, the scheme was presented as a simple homework assignment on how to use elementary cryptanalytic techniques to trivially crack it. So much for my brilliant scheme.
From this humbling experience I learned how easy it is to fall into a false sense of security when devising an encryption algorithm. Most people don’t realize how fiendishly difficult it is to devise an encryption algorithm that can withstand a prolonged and determined attack by a resourceful opponent.
A passage from the creator of PGP (machine translation):
"When I was in college in the early 70s, I designed an encryption scheme that I thought was brilliant. A simple pseudorandom number stream was added to the plaintext stream to create the ciphertext. This seemed as if it would thwart any frequency analysis of the ciphertext, ..., and I felt very smug about my achievement.
Years later, I found the same scheme in several introductory cryptography texts and tutorial papers. How nice. Other cryptographers had thought of the same scheme too. Unfortunately, the scheme was presented as a simple homework assignment on how to use elementary cryptanalytic techniques to crack it easily. So much for my brilliant scheme.
From this humbling experience I learned how easy it is to fall into a false sense of security when designing an encryption algorithm. Most people do not realize how difficult it is to design an encryption algorithm that can withstand a prolonged and determined attack by a resourceful opponent."
Encryption / authentication modes
References:
Encryption
MAC (message authentication code): also called authentication; a keyed tag (hash) computed over the data to guarantee its integrity.
- Encrypt then MAC (EtM): used in IPsec. message = encrypt(plaintext) + mac(encrypt(plaintext))
- MAC then Encrypt (MtE): used in SSL / TLS. message = encrypt(plaintext + mac(plaintext))
  - TLS extension 22 (encrypt_then_mac) allows the EtM mode to be used instead.
- Encrypt and MAC (E&M): used in SSH. message = encrypt(plaintext) + mac(plaintext)
EtM is generally considered the most secure of the three.
MtE: in theory, if the encryption algorithm is flawed, an attacker may be able to modify the ciphertext in a way that leaves the MAC valid.
E&M: in theory, the MAC may leak information about the plaintext.
Both MtE and E&M must decrypt before the MAC can be verified, so in theory they are exposed to chosen-ciphertext attacks.
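The following is an added example, not code from the original page, that builds the three compositions above and makes the two differences just described observable: how many decryption passes each mode performs before it can reject a corrupted message, and whether the visible tag reveals that two messages carry the same plaintext. It uses only the Python standard library; the stream cipher is a deliberately simple SHAKE-256 keystream (an assumption of this example, chosen to keep it self-contained), which stands in for a real cipher only so that the composition order can be compared. Real code should use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305, as the page's first principle says.

```python
import hashlib
import hmac
import secrets

# Counter so the demo can report how many decryption passes a mode runs
# before it is able to reject a forged message.
STATS = {"decrypt_calls": 0}
TAG_LEN = 32  # HMAC-SHA256 output size


def _stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher for illustration only: SHAKE-256(key || nonce) as the
    # keystream, XORed over the data. Encryption and decryption are the same op.
    keystream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def _decrypt(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    STATS["decrypt_calls"] += 1  # instrumented so the demo can count passes
    return _stream_xor(key, nonce, ct)


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _check(expected: bytes, tag: bytes) -> None:
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise ValueError("MAC check failed")


# --- Encrypt-then-MAC: tag covers nonce and ciphertext -------------------------
def etm_seal(enc_key, mac_key, pt):
    nonce = secrets.token_bytes(16)
    ct = _stream_xor(enc_key, nonce, pt)
    return nonce, ct, _mac(mac_key, nonce + ct)


def etm_open(enc_key, mac_key, nonce, ct, tag):
    _check(_mac(mac_key, nonce + ct), tag)  # verified BEFORE any decryption
    return _decrypt(enc_key, nonce, ct)


# --- MAC-then-Encrypt: tag over plaintext, then both are encrypted ------------
def mte_seal(enc_key, mac_key, pt):
    nonce = secrets.token_bytes(16)
    return nonce, _stream_xor(enc_key, nonce, pt + _mac(mac_key, pt))


def mte_open(enc_key, mac_key, nonce, ct):
    inner = _decrypt(enc_key, nonce, ct)  # must decrypt to even find the tag
    pt, tag = inner[:-TAG_LEN], inner[-TAG_LEN:]
    _check(_mac(mac_key, pt), tag)
    return pt


# --- Encrypt-and-MAC: tag over plaintext, sent in the clear beside ciphertext --
def eam_seal(enc_key, mac_key, pt):
    nonce = secrets.token_bytes(16)
    return nonce, _stream_xor(enc_key, nonce, pt), _mac(mac_key, pt)


def eam_open(enc_key, mac_key, nonce, ct, tag):
    pt = _decrypt(enc_key, nonce, ct)  # must decrypt before the tag can be checked
    _check(_mac(mac_key, pt), tag)
    return pt


SEAL = {"EtM": etm_seal, "MtE": mte_seal, "E&M": eam_seal}
OPEN = {"EtM": etm_open, "MtE": mte_open, "E&M": eam_open}


def roundtrip(mode: str) -> bool:
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    pt = b"constructed sample message"
    return OPEN[mode](enc_key, mac_key, *SEAL[mode](enc_key, mac_key, pt)) == pt


def decryptions_before_reject(mode: str) -> int:
    """Seal a message, corrupt one ciphertext byte, try to open it, and return
    how many decryption passes ran before the corrupted message was rejected."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    sealed = SEAL[mode](enc_key, mac_key, b"transfer 100 to account 42")
    ct = bytearray(sealed[1])
    ct[0] ^= 0x01  # single bit flip in the ciphertext
    STATS["decrypt_calls"] = 0
    try:
        OPEN[mode](enc_key, mac_key, sealed[0], bytes(ct), *sealed[2:])
    except ValueError:
        return STATS["decrypt_calls"]
    raise AssertionError("corrupted message was accepted")


def tag_reveals_plaintext_equality(mode: str) -> bool:
    """Seal the same plaintext twice (fresh nonce each time) and report whether
    an observer sees identical tags, i.e. learns the plaintexts are equal."""
    if mode == "MtE":
        raise ValueError("MtE encrypts its tag, so nothing is visible to compare")
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    first = SEAL[mode](enc_key, mac_key, b"YES")
    second = SEAL[mode](enc_key, mac_key, b"YES")
    return first[2] == second[2]


if __name__ == "__main__":
    for mode in SEAL:
        print(mode, "roundtrip:", roundtrip(mode),
              "decryptions before reject:", decryptions_before_reject(mode))
    print("E&M tag leaks equality:", tag_reveals_plaintext_equality("E&M"))
    print("EtM tag leaks equality:", tag_reveals_plaintext_equality("EtM"))
```

Running it shows EtM rejecting the corrupted message with zero decryption passes, while MtE and E&M each decrypt once before they can check anything; that is the surface a chosen-ciphertext attacker works with. It also shows the E&M tag repeating for identical plaintexts across different nonces, a concrete instance of the MAC leaking plaintext information, whereas the EtM tag covers the ciphertext and nonce and therefore changes every time.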