From Phil Zimmermann's (PGP creator) Introduction to Cryptography (Page 54):

When I was in college in the early 70s, I devised what I believed was a brilliant encryption scheme. A simple pseudorandom number stream was added to the plaintext stream to create ciphertext. This would seemingly thwart any frequency analysis of the ciphertext, and would be uncrackable even to the most resourceful government intelligence agencies. I felt so smug about my achievement.

Years later, I discovered this same scheme in several introductory cryptography texts and tutorial papers. How nice. Other cryptographers had thought of the same scheme. Unfortunately, the scheme was presented as a simple homework assignment on how to use elementary cryptanalytic techniques to trivially crack it. So much for my brilliant scheme.

From this humbling experience I learned how easy it is to fall into a false sense of security when devising an encryption algorithm. Most people don’t realize how fiendishly difficult it is to devise an encryption algorithm that can withstand a prolonged and determined attack by a resourceful opponent.

A passage from the PGP creator (machine translation)

「When I was in college in the early 70s, I designed an encryption scheme I believed was brilliant. A simple pseudorandom number stream was added to the plaintext stream to create ciphertext. This seemed to thwart any frequency analysis of the ciphertext, ..., I felt so smug about my achievement.」

Encryption / Authentication Modes

MAC (message authentication code): also referred to as authentication (Authenticate); a keyed tag (a hash-based "signature") computed over the data to guarantee its integrity.

  • Encrypt then MAC (EtM): used in IPsec. message = encrypt(plaintext) + mac(encrypt(plaintext))
  • MAC then Encrypt (MtE): used in SSL / TLS. message = encrypt(plaintext + mac(plaintext))
    • TLS extension 22, encrypt_then_mac, allows EtM mode to be used.
  • Encrypt and MAC (E&M): used in SSH. message = encrypt(plaintext) + mac(plaintext)

EtM is generally considered the most secure of the three.

MtE: in theory, if the encryption algorithm has a weakness, an attacker may be able to modify the ciphertext such that the MAC still verifies.

E&M: in theory, the MAC may leak information about the plaintext.

MtE and E&M both require decrypting before the MAC can be verified, so in theory they may be exposed to chosen-ciphertext attacks.
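The three compositions above, as an added example that is not from the original page: HMAC-SHA256 serves as the MAC and, run in counter mode, as the keystream generator of a toy stream cipher, with separate keys for encryption and authentication. The receiver-side `open` functions show which modes can reject a message before decrypting and which must decrypt first; the key and nonce handling is this example's own assumption.

```python
import hmac, hashlib

TAG_LEN = 32  # HMAC-SHA256 tag size

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 used as a PRF in counter mode: block i = HMAC(key, nonce || i).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(ke: bytes, nonce: bytes, data: bytes) -> bytes:
    # XOR with the keystream; decryption is the same operation.
    return bytes(a ^ b for a, b in zip(data, keystream(ke, nonce, len(data))))

def mac(km: bytes, data: bytes) -> bytes:
    return hmac.new(km, data, hashlib.sha256).digest()

# Encrypt-then-MAC (IPsec): tag covers the ciphertext (and the nonce, so the
# nonce cannot be swapped). The receiver verifies BEFORE any decryption.
def etm_seal(ke, km, nonce, pt):
    ct = encrypt(ke, nonce, pt)
    return ct + mac(km, nonce + ct)

def etm_open(ke, km, nonce, msg):
    ct, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac(km, nonce + ct)):
        return None                      # rejected, ciphertext never decrypted
    return encrypt(ke, nonce, ct)

# MAC-then-Encrypt (classic TLS): tag over the plaintext, then both encrypted.
# The receiver has to decrypt first and only then can check the tag.
def mte_seal(ke, km, nonce, pt):
    return encrypt(ke, nonce, pt + mac(km, pt))

def mte_open(ke, km, nonce, msg):
    inner = encrypt(ke, nonce, msg)
    pt, tag = inner[:-TAG_LEN], inner[-TAG_LEN:]
    return pt if hmac.compare_digest(tag, mac(km, pt)) else None

# Encrypt-and-MAC (SSH): tag over the plaintext, sent beside the ciphertext.
# Decrypt first here as well; the tag is a deterministic function of the plaintext.
def eam_seal(ke, km, nonce, pt):
    return encrypt(ke, nonce, pt) + mac(km, pt)

def eam_open(ke, km, nonce, msg):
    ct, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    pt = encrypt(ke, nonce, ct)
    return pt if hmac.compare_digest(tag, mac(km, pt)) else None
```

Sealing the same plaintext twice under different nonces with `eam_seal` gives different ciphertexts but identical tags, which is the plaintext leakage the E&M note above refers to.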

Last update: 2023-05-24 03:18:51 UTC