From Phil Zimmermann's (PGP creator) Introduction to Cryptography (Page 54):

When I was in college in the early 70s, I devised what I believed was a brilliant encryption scheme. A simple pseudorandom number stream was added to the plaintext stream to create ciphertext. This would seemingly thwart any frequency analysis of the ciphertext, and would be uncrackable even to the most resourceful government intelligence agencies. I felt so smug about my achievement.

Years later, I discovered this same scheme in several introductory cryptography texts and tutorial papers. How nice. Other cryptographers had thought of the same scheme. Unfortunately, the scheme was presented as a simple homework assignment on how to use elementary cryptanalytic techniques to trivially crack it. So much for my brilliant scheme.

From this humbling experience I learned how easy it is to fall into a false sense of security when devising an encryption algorithm. Most people don’t realize how fiendishly difficult it is to devise an encryption algorithm that can withstand a prolonged and determined attack by a resourceful opponent.

A passage from the creator of PGP (machine translation)

“When I was in college in the early 70s, I devised what I believed was a brilliant encryption scheme. A simple pseudorandom number stream was added to the plaintext stream to create ciphertext. This would seemingly thwart any frequency analysis of the ciphertext, ..., and I felt so smug about my achievement.”

Encryption / authentication modes

MAC (message authentication code): also referred to as authentication (Authenticate); a keyed hash generated by signing the data, used to guarantee its integrity.

  • Encrypt-then-MAC (EtM): message = encrypt(plaintext) + mac(encrypt(plaintext))
    • The most secure approach. No known security weaknesses.
  • MAC-then-Encrypt (MtE): message = encrypt(plaintext + mac(plaintext))
    • Theoretical weakness: if the encryption algorithm is flawed, an attacker may be able to alter the ciphertext in a way that leaves the MAC valid; the receiver must decrypt before it can verify the MAC. In theory, susceptible to chosen-ciphertext attacks.
    • TLS extension 22, encrypt_then_mac, allows EtM mode to be used.
  • Encrypt-and-MAC (E&M): message = encrypt(plaintext) + mac(plaintext)
    • Theoretical weakness: the MAC may leak information about the plaintext; here too the receiver must decrypt before it can verify the MAC. In theory, susceptible to chosen-ciphertext attacks.

The weaknesses of MtE and E&M are theoretical; as far as publicly available information goes, no effective attack has specifically exploited them.
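To make the three compositions concrete, the following added example (not code from the page, and not any library's implementation) builds each one from Python's standard library only. The cipher is an assumed stand-in: a keystream derived from HMAC-SHA256 in counter mode XORed with the data, chosen so the example runs without third-party packages; a real deployment would use AES-GCM or ChaCha20-Poly1305. Keys, nonce and plaintext are constructed values. The example counts how often the receiver's decrypt routine runs on a tampered message: EtM rejects on the ciphertext MAC without ever decrypting, while MtE and E&M must decrypt attacker-controlled bytes before they can check the tag, which is the order-of-operations issue the bullets above describe. It also shows the E&M leak concretely: its tag is a deterministic function of the plaintext, so an observer can tell when two messages carry the same plaintext even though the ciphertexts differ.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes

# Assumed stand-in cipher: HMAC-SHA256 keystream in counter mode, XORed with the data.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])

def encrypt(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(enc_key, nonce, len(data))))

DECRYPT_CALLS = {"count": 0}  # instrumentation: how often decrypt() touches received data

def decrypt(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    DECRYPT_CALLS["count"] += 1
    return encrypt(enc_key, nonce, data)  # XOR keystream cipher is its own inverse

def mac(mac_key: bytes, data: bytes) -> bytes:
    return hmac.new(mac_key, data, hashlib.sha256).digest()

# Encrypt-then-MAC: tag covers nonce + ciphertext; receiver verifies before decrypting.
def etm_seal(enc_key, mac_key, nonce, plaintext):
    ct = encrypt(enc_key, nonce, plaintext)
    return ct + mac(mac_key, nonce + ct)

def etm_open(enc_key, mac_key, nonce, message):
    ct, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac(mac_key, nonce + ct)):
        return None  # rejected without ever calling decrypt()
    return decrypt(enc_key, nonce, ct)

# MAC-then-Encrypt: tag over plaintext, then plaintext + tag encrypted together.
def mte_seal(enc_key, mac_key, nonce, plaintext):
    return encrypt(enc_key, nonce, plaintext + mac(mac_key, plaintext))

def mte_open(enc_key, mac_key, nonce, message):
    inner = decrypt(enc_key, nonce, message)  # decrypt runs on attacker-controlled bytes
    pt, tag = inner[:-TAG_LEN], inner[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac(mac_key, pt)):
        return None
    return pt

# Encrypt-and-MAC: tag over plaintext, sent in the clear beside the ciphertext.
def eam_seal(enc_key, mac_key, nonce, plaintext):
    return encrypt(enc_key, nonce, plaintext) + mac(mac_key, plaintext)

def eam_open(enc_key, mac_key, nonce, message):
    ct, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    pt = decrypt(enc_key, nonce, ct)  # again, must decrypt before the tag can be checked
    if not hmac.compare_digest(tag, mac(mac_key, pt)):
        return None
    return pt

def flip_first_byte(message: bytes) -> bytes:
    return bytes([message[0] ^ 0x01]) + message[1:]

def demo() -> dict:
    enc_key, mac_key = b"k" * 32, b"m" * 32  # constructed fixed keys (deterministic demo)
    nonce = b"\x00" * 12
    pt = b"transfer 100 USD to alice"  # constructed sample plaintext
    results = {}
    modes = (("EtM", etm_seal, etm_open), ("MtE", mte_seal, mte_open), ("E&M", eam_seal, eam_open))
    for name, seal, open_ in modes:
        msg = seal(enc_key, mac_key, nonce, pt)
        assert open_(enc_key, mac_key, nonce, msg) == pt  # round trip on an untampered message
        DECRYPT_CALLS["count"] = 0
        rejected = open_(enc_key, mac_key, nonce, flip_first_byte(msg)) is None
        results[name] = (rejected, DECRYPT_CALLS["count"])  # (tamper detected?, decrypt calls)
    # E&M: same plaintext under two different nonces yields the same cleartext tag.
    n1, n2 = b"\x01" * 12, b"\x02" * 12
    results["eam_tag_repeats"] = eam_seal(enc_key, mac_key, n1, pt)[-TAG_LEN:] == eam_seal(enc_key, mac_key, n2, pt)[-TAG_LEN:]
    # EtM: the tag depends on nonce and ciphertext, so it differs for the same plaintext.
    results["etm_tag_repeats"] = etm_seal(enc_key, mac_key, n1, pt)[-TAG_LEN:] == etm_seal(enc_key, mac_key, n2, pt)[-TAG_LEN:]
    return results

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

All three constructions detect the flipped byte, so the difference is not whether tampering is caught but where: with EtM the bad message never reaches the decryption code, whereas MtE and E&M hand attacker-chosen bytes to decrypt (and, in a real cipher, to padding and parsing logic) before any authenticity check, and any difference in that code's behaviour becomes a side channel. The repeated E&M tag is the "MAC may leak plaintext information" point: an eavesdropper learns that two messages are identical without knowing either key.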

Encryption / authentication modes used by common security protocols:

  • IPsec: EtM.
  • SSL / TLS: MtE.
  • ssh: older versions use E&M. OpenSSH Server 6.2+ can be configured to use EtM.


At one billion attempts per second:

  • 40-bit will be broken in about 9 minutes.
  • 56-bit will be broken in about a year.
  • 128-bit will be broken in about 5,783,128,169,837,158,197,871 years.
  • 256-bit will never be broken, for all practical purposes.

Last update: 2024-02-04 03:29:16 UTC