PUBLIC KEY ENCRYPTION CAN BE SECURE AGAINST ENCRYPTION EMULATION ATTACKS BY COMPUTATIONALLY
PGP加密解密技术初探与实践
PGP加密/解密技术初探与实践学生姓名:***学号:********专业:信息管理与信息系统电子邮件:PGP加密/解密技术初探与实践[内容提纲]本文简要简介了PGP旳加密机制、密钥管理原理,安全隐患。
对比PGP与S/MIME邮件加密原理。
简介PGP在Windows操作系统下旳旳安装,密钥生成,电子邮件加密及文献加密旳过程[关键词]PGP 加密一、PGP旳基本认识PGP (Pretty Good Privacy) 是基于一种公钥原理(Public Key)——RSA 旳软件, 公钥理论是在1976 年Whitfield Diffle 及Martin Hellman 共同提出旳,1977 年由三位MIT 专家建立了实际措施, 于是大家运用他们旳名字称之为Rivest-Shamir-Adleman, 也就是著名旳RSA 措施.私钥具有保密性只有使用者个人才会懂得,一般旳私钥还会用DES 旳措施将它再加上一层旳保护; 假如使用者用公钥加密其信息时, 只有用他旳私钥才可将其信息解码, 假如用他旳私钥加密其信息时, 只有其用公钥才能解码.PGP提供了可以用于E-mail和文献存储和应用旳保密宇鉴别服务,选择最可用旳加密算法作为系统旳构造模块,且将这些算法集成到一种通用旳应用程序中,该程序独立于操作系统和处理器,且基于一种使用以便旳小命令集. PGP程序和文档在Internet上公开,由于其免费,可用于多平台,使用生命力和安全性都为公众承认旳算法等等旳特点,使PGP在全世界范围内,各个领域均有广泛旳应用,根据《财富》旳排名,十大商业银行中90%,十大制药企业中80%,十大健康机构中旳80%,十大能源机构中70%,前15位宇航及防御系统有关企业中73%,前20位电信企业旳75%,前20位汽车有关制造企业中70%,都在使用PGP进行电子邮件及其他重要数据旳加密。
二、PGP旳加密机制RSA公钥体系满足保密性(privacy)和公证性(authentication)。
智能IC卡及智能密码钥匙密码检测规范
智能 IC 卡及智能密码钥匙 密码检测规范
1 / 22
智能 IC 卡及智能密码钥匙检测规范
目录
1 适用范围 ................................................................................................................................................................. 4 2 规范性引用文件 ..................................................................................................................................................... 4 3 术语 ......................................................................................................................................................................... 4
6.1.1 外部认证测试 ................................................................................................................................... 7 6.1.2 内部认证测试 ................................................................................................................................... 7 6.1.3 PIN 认证测试..................................................................................................................................... 7 6.1.4 PIN 修改测试..................................................................................................................................... 8 6.1.5 PIN 重装测试..................................................................................................................................... 8 6.1.6 PIN 解锁测试..................................................................................................................................... 8 6.1.7 应用锁定测试 ................................................................................................................................... 9 6.1.8 应用解锁测试 ................................................................................................................................... 9 6.1.9 卡锁定测试 ....................................................................................................................................... 9 6.1.10 对称密钥密码算法的加密和解密测试 ....................................................................................... 10 6.1.11 非对称密钥生成测试 ................................................................................................................... 10 6.1.12 非对称密钥公钥导入和导出测试 ............................................................................................... 10 6.1.13 非对称密钥私钥导入和导出测试 ............................................................................................... 10 6.1.14 非对称密钥密码算法加密测试 ................................................................................................... 11 6.1.15 非对称密钥密码算法解密测试 ................................................................................................... 11 6.1.16 非对称密钥密码算法签名测试 ................................................................................................... 11 6.1.17 非对称密钥密码算法签名验证测试 ........................................................................................... 11 6.1.18 非对称密钥密码算法产生数字信封测试 ................................................................................... 12 6.1.19 非对称密钥密码算法打开数字信封测试 ................................................................................... 12 6.1.20 杂凑算法的数据压缩测试 ........................................................................................................... 12 6.1.21 密钥分散测试 ............................................................................................................................... 12 6.2 COS 安全机制检测..................................................................................................................................... 13 6.2.1 报文安全传送测试 ......................................................................................................................... 13
publickey,gssapi-with-mic意思
publickey,gssapi-with-mic意思公钥(public key)是用于加密和解密数据的密码学中的一种非对称密钥。
在公钥加密中,加密和解密使用不同的密钥。
公钥可以自由传播,任何人都可以使用公钥将消息加密。
但是,只有私钥持有人可以解密消息。
这种加密方式被广泛应用于互联网通信中的安全机制。
GSSAPI是一种通用安全服务应用程序接口(Generic Security Services Application Program Interface),其目标是为各种客户端/服务器应用程序提供可扩展且可重用的安全服务。
该接口定义了通用的安全交互协议,以便各种安全机制(例如Kerberos,Public Key Infrastructure(PKI)等)可以无缝地集成到应用程序中。
GSSAPI-with-Mic(Message Integrity Check)是GSSAPI的一个扩展,用于为传输的数据提供保密性和完整性。
MIC是一种验证机制,用于检查消息在传输过程中被篡改的可能性。
此机制允许通信实体验证其对等通信实体真正发送了消息,以便防止恶意攻击。
这是以加密和签名的形式完成的。
公钥和GSSAPI-with-Mic是现代通信中非常重要的两个概念。
公钥加密算法提供了一种非常有效的加密技术,可以保证数据的机密性。
同时,GSSAPI-with-Mic提供了完整性保护,以确保通信和数据在传输过程中不受干扰。
在现代通信中,这两个技术被广泛应用于各种应用程序中,使得信息传输更加安全和可靠。
例如,SSL(Security SocketLayer)和SSH(Secure Shell)协议使用了上述技术以确保通信安全。
在SSL中,客户端和服务器之间交换的所有消息都将使用公钥加密算法加密。
这样做可以保证机密性,以防止非法第三方偷听信息。
同时,每个消息将带有一个数字签名,以确保消息的来源和完整性。
这样做可以防止恶意攻击和篡改。
信息安全原理与应用 单词
Chapter 1Computing system 计算系统Principle of easiest penetration 最易渗透原则Hardware 硬件Software 软件Data 数据Vulnerability 脆弱性Threat 攻击Attack 威胁Control 控制Interruption 中断Interception 截取Modification 篡改Fabrication 伪造Method 方法Opportunity 机会Motive 动机Security secure 安全措施Confidentiality 保密性/机密性Integrity 完整性Availability 可用性Secrecy 保密性Privacy 私密性Configuration management 配置管理Logic bomb 逻辑炸弹Trojan horse 特洛伊木马Virus 病毒Trapdoor 陷门Information leak 信息泄露Principle of adequate protection 适度保护原则Salami attack 香肠攻击Replay 重放Cracker 破译者Prevention 预防方法Deterrence 障碍Deflection 偏差Detection 检测Recovery 恢复Encryption 加密Protocol 协议Policy 策略Procedure 规程Physical control 物理控制Principle of effectiveness 有效性原则Overlapping control 重叠控制Layered defense 分层防御Principle of weakest link 最弱环节原则Administrative control 管理控制Chapter 2Sender 发送者Recipient 接受者Transmission medium 传输中介Interceptor 截取者Intruder 入侵者Encryption 加密Decryption 解密Encode 编码Decode 解码Encipher 编密码Decipher 译密码Cryptosystem 密码体制Plaintext 明文Ciphertext 密文Algorithm 算法Key 密钥Symmetric 对称的Asymmetric 非对称的Keyless cipher 无密钥密码Cryptography 密码编码学Cryptanalyst 密码分析学Cryptology 密码学Break an encryption 破译加密Substitution 替换Transposition 置换Substitution 替换密码monoalphabetic substitution 单字符替换法Simple substitution 简单替换法Caesar cipher 恺撒密码Permutation 排列One-time pad 一次性密码本Vigenere tableau 维吉尼亚表Vernam cipher 弗纳母密码Book cipher 密码本Columnar Transposition 列置换Digram 双字母组Trigram 三字母组Product cipher 成绩密码Secure cryptographic system 安全密码体制Amount of secrecy 保密量Error propagation 差错传播Authentication 鉴别Key distribution 密钥分配Key management 密钥管理Stream cipher 流密码Block cipher 块密码Confusion 混乱性Diffusion 扩散性Ciphertext-only attack 唯密文攻击Known plaintext attack 已知明文攻击Probable plaintext attack 可能明文攻击Chosen plaintext attack 选择明文攻击Chosen ciphertext attack 选择密文攻击Data Encryption Standard(DES) 数据加密标准Data Encryption Algorithm-1 数据加密算法-1 Double DES 双重DESTriple DES 三重DESDifferential cryptanalysis 微分密码分析学Advanced Encryption Standard(AES) AES高级加密标准Rijndael 一种对称加密算法Cycle or round 循环Public key encryption 公钥加密Asymmetric encryption system 非对称密码体制Private key 私钥Secret key 密钥Rivest-Shamir-Adelman (RSA) algorithm 一种非对称加密算法Cryptographic hash function 密码哈希函数Message digest 消息摘要Hash 哈希Checksum 检验和One-way function 单向函数MD4,MD5 两种消息摘要算法名称SHA/SHS 安全哈希算法/安全哈希标准Chaining 链接Key exchange 密钥交换Digital signature 数字签名Certificate 证书Certificate authority(CA) 证书管理中心Chapter 3Program 程序Secure program 安全程序Fault 故障Program security flaw 程序安全漏洞Bug bugError 错误Failure 失败Penetrate and patch 渗透和打补丁Cyber attack 计算机攻击Buffer overflow 缓冲区溢出Incomplete mediation 不完全验证Time-of-check to time-of-use 检查时刻到使用时刻Malicious code 恶意代码Rogue program 欺诈程序Virus 病毒Agent 代理Transient virus 瞬时病毒Resident virus 寄生病毒Trojan horse 特洛伊木马Logic bomb 逻辑炸弹Time bomb 时间炸弹Backdoor 后门Trapdoor 陷门Worm 蠕虫Rabbit 野兔Appended virus 挂接性病毒Document virus 文档病毒Bootstrap load引导装在Boot sector virus 引导区病毒Virus signature 病毒特征Polymorphic virus 多态性病毒Encrypting virus 加密病毒Brain virus Brain病毒The Internet worm 互联网蠕虫Code Red红色代码病毒Web bug 网页bugUnit test 单元测试Integration test 集成测试Error checking 错误检查Rootkit rootkitRootkit revealer Rootkit检测器Privilege escalation 权限提升Interface illusion 接口错误Keystroke logger 键盘记录器Man-in-middle attack 中间人攻击Covert channel 隐蔽通道File-lock channel 文件锁通道Storage channel 储存通道Timing channel 时间通道Software engineering 软件工程Encapsulation 封装Information hiding 信息隐藏Modularity 模块化Maintainability 可维护性Understandability 易理解性Reusability 可重用性Correctability 正确性Testability 可测试性Coupling 耦合Cohesion 内聚Mutual suspicion 相互猜疑Confined program 限制程序Peer review 对等复查Program design 程序设计Inspection 检查Walk-through 走查法Review 复查Egoless programming 无我编程Hazard analysis 危险性分析Hazard/interoperability studies 危险/互操作性研究Failure modes and effects analysis 失效模式和后果分析Fault tree analysis 故障树分析Performance test 性能检测Regression test 衰减检测Black-box test 黑盒检测Clear-box test 白盒测试Independents test team 独立测试小组Penetration test 渗透测试Passive fault detection 被动故障检测Active fault detection 主动故障检测Redundancy 冗余Fault tolerance 错误容差Configuration management 配置管理Configuration identification 配置识别Conditional compilation 条件编译Configuration audit 配置审查Proof of program correctness 程序正确性证明Program verification 程序验证Process standard 过程标准Configuration management standards配置管理标准Security audit 安全审计Chapter 4Executive 执行器Monitor 监控器Multiprogrammed system 多道程序系统Protected object 被保护对象Sharable I/O device 可共享的I/O设备Serially reusable I/o device 可连续重用的I/O设备Physical separation 物理分离Temporal separation 时间分离Logical separation 逻辑分离Cryptographic separation 密码分离Isolation 隔离Memory protection 内存保护Fence register 界地址寄存器Relocation 重定位Base/bounds registers 基址/范围寄存器Tagged memory architecture 标记内存结构Segmentation 分段式Segment address table 段地址表Segment address translation 段地址转换Paging 分页Page frame 页帧Page address translation 页地址转换Paged segmentation 段页式Directory 目录Revocation of access 撤销访问Access control list 访问控制列表User-group-world protection 用户/组/全局保护Access control matrix 访问控制矩阵Wildcard designation 通配符指定Capability 访问权能Domain 域Local name space 本地名字空间Kerberos KerberosAuthentication sever 鉴别服务器Ticket-granter sever票据授权服务器Key distribution center 密钥发布中心Procedure-oriented access control 面向程序的访问控制Role-based access control 基于角色的访问控制File protection 文件保护Shared file 共享文件Persistent permission 持久许可Temporary access permission 临时访问许可Set userid permission 设置用户ID许可Per-object protection 每个对象保护Per-subject protection 每个主题保护User authentication by something you know 依据用户知道的事情鉴别User authentication by somthing you have 依据用户拥有的东西鉴别User authentication by somthing you are 根据用户的身体特征鉴别Password 口令Password response 口令响应Multifactor authentication 多因素鉴别Two-factor authentication 两因素鉴别Exhaustive attack on password 对口令的穷举攻击Brute force attack on password 对口令的暴力攻击Probable password 可能的口令Likely password 很可能的口令Social engineer attack 社会工程攻击One-time password 一次性口令Challenge-response system 质询响应系统Single sign-on 单次登陆Login impersonation 假扮演登陆界面Biometric authentication 生物特征鉴别Chapter 5Trust 信任Trusted process 可信进程Trusted product 可信产品Trusted software 可信软件Trusted computing base 可信计算基Trusted system 可信系统Security policy 安全策略Military security policy 军事安全策略Sensitivity level 敏感等级Object 对象Need-to-know rule 须知原则Compartment 分隔项Classification 分类Clearance 许可Dominance 支配Subject 主体Hierarchical security 等级安全Nonhierarchial security 非等级安全Clark-Wilson policy Clark-Wilson策略Well-formed transaction 良构事务Constrained data item 受约束数据项Transformation procedure 转换规程Access triple 访问三元组Separation of duty 职责分离Chinese wall policy 中国墙策略Lattice model 格模型Bell-La Padula model Bell-La Padula模型Simple security property 简单安全特性*-property *-特性Write-down 下写Biba model Biba模型Simple integrity policy 简单完整性策略Integrity *-property 完整性*-特性Graham-Denning model Graham-Denning模型Harrison-Ruzzo-Ullman model Harrison-Ruzzo-Ullman 模型Command 命令Condition 条件Primitive operation 原语操作Protection system 保护系统Take-grant system 获取/授予系统Least privilege 最少特权Economy of mechanism 机制经济型Open design 开放设计Complete mediation 完全检查Permission-based access 基于许可的访问Separation of privilege 特权分离Least common mechanism 最小公共机制Ease of use 易用User authentication 用户鉴别Memory protection 内存保护Object access control 对象访问控制Enforced sharing 强制共享Fair service 公平服务Interprocess communication 进程间通信Synchronization 同步Protected control data 保护控制数据User identification and authentication 用户识别和鉴别Mandatory access control 强制访问控制Discretionary access control 自主访问控制Object reuse 对象重用Magnetic remanence 磁记忆Trusted path 可信路径Audit 审计Accountability 责任认定Audit log reduction 审计日志精简Intrusion detection 入侵检测Kernel 内核Nucleus 核Core 核心Security kernel 安全内核Reference monitor 引用监视器Reference monitor properties:引用监视器特性:Tamperproof 抗干扰Unbypassable 不可绕过Analyzable 可分析Trusted computing base(TCB)可信计算基Process activation 进程激活Execution domain switching 执行域转换Memory protection 内存保护Virtualization 虚拟化Virtual machine 虚拟机Virtual memory 虚拟内存Layering 分层Hierarchically structured operation system 层次结构的操作系统Assurance 保证Flaw exploitation 缺陷利用User interface processing flaw I/O处理缺陷Access ambiguity flaw 访问二义性缺陷Incomplete mediation flaw 不完全检查缺陷Generality flaw 普遍性缺陷Time-of-check to time-of-use flaw 检查时刻到使用时刻缺陷Testing 测试Penetration testing 渗透测试Tiger team analysis 攻击队测试Ethical hacking 黑客攻击Formal verification 形式化验证Proof of correctness 正确性证明Theorem prover定理证明器validation证实Requirements checking 需求检查Design and code review 设计和代码审查Module and system testing 模块和系统测试Open source 开放源代码Evaluation 评估Orange Book(TCSEC)橙皮书(TESEC)D,C1,C2,B1,B2,B3,A1 rating D,C1,C2,B1,B2,B3,A1等级German Green Book德国绿皮书Functionality class 功能类Assurance level保证等级British evaluation criteria 英国评估准则Claims language 生命语言Action phrase 行为短语Target phrase 目标短语CLEF CLEFComparable evaluation 可比较评估Transferable evaluation 可转移评估ITSEC ITSECEffectiveness 有效性Target of evaluation 评估目标Security-enforcing function 安全强制功能Mechanism 机制Strength of mechanism 机制强度Target evaluation level 目标评估等级Suitability of functionality 功能适宜性Binding of functionality 功能绑定Combined Federal Criteria 联合联邦准则Protection profile 保护轮廓Security target 安全目标Common Criteria 通用准则Extensibility 可扩展性Granularity 粒度Speed 速度Thoroughness 全面Objectivity 客观性Portability 可移植性Emphatic assertion 强调申明Chapter 7Single point of failure 单一故障点Resilience 弹回Fault tolerance 容错Server 服务器Client 客户机Node 节点Host 主机Link 链路Workstation 工作站Topology 拓扑结构Network boundary 网络周界Network ownership 网络拥有关系Network control 网络控制Digital 数字Analog 模拟Modem 调制解调器Twisted pair 双绞线Unshielded twisted pair 无屏蔽双绞线Bandwidth 带宽Coaxial cable 同轴电缆Ethernet 以太网Repeater 中继器Amplifier 放大器Optical fiber 光纤Wireless LAN 无线局域网802.11 802.11协议标准Microwave 微波Infrared 红外线Satellite 卫星Geosynchronous orbit 覆盖范围Transponder 地球同步轨道Footprint 异频应答器Protocol 协议Protocol stack 协议栈ISO reference model ISO参考模型OSI model OSI模型Application layer 应用层Presentation layer 表示层Session layer 会话层Transport layer 传输层Network layer 网络层Datalink layer 数据链路层Physical layer 物理层Peer 对等层Router 路由器Packet 包Network interface card 网络接口卡MAC address Mac地址Frame 帧Session header 会话头部Logical connection 逻辑连接Sequencing 排序TCP TCPIP IPUDP UDPPort 端口SMTP SMTPHTTP HTTPFTP FTPSNMP SNMP IP address IP地址Domain 域Top-level domain 顶级域名Local area network 局域网LAN LANWide area network 广域网Internet Society 互联网社会Anonymity 匿名性Motivation for attack 攻击的动机Challenge 挑战Fame 名声Money 金钱Espionage 间谍Organized crime 组织犯罪Ideology 意识形态Hactivism 激进主义Cyberterrorism 网络恐怖主义Reconnaissance 侦察Intelligence 情报收集Port scan 端口扫描Social engineering 社会工程学Fingerprinting 指纹Eavesdrop 偷听War driving 战争驱动Passive wiretap 被动窃听Active wiretap 主动窃听Packet sniffer 包嗅探器Inductance 自感器Impedance 阻抗Multiplexed signals 多重信号Interception 截取Theft of service 骗取服务RFC(request for comments) 请求注解Impersonation 假冒Authentication 鉴别Guessing authentication 猜测鉴别Eavesdropping authentication 偷听鉴别Avoiding authentication 避开鉴别Nonexistent authentication 不存在的鉴别Well-known authentication 众所周知的鉴别Trusted authentication 可信任鉴别Spoof 欺骗Masquerade 伪装Phishing 钓鱼欺诈Session hijacking 会话劫持Man-in-middle attack 中间人攻击Misdelivery 误传Message exposure 消息暴露Interception 侦听Traffic flow analysis 流量分析Message falsification 伪造消息Message replay 重放消息Message fabrication 编造消息Noise 噪声Interference 干涉Protocol flaw 协议缺陷Web site defacement 网站被黑Buffer overflow 缓冲区溢出Dot-dot attack ".."攻击Address resolution 地址解析Application code attack 应用代码攻击Server-side include 服务端包含Denial-of-service attack 拒绝服务攻击Transmission failure 传输失败Connection flooding 连接洪泛Echo 响应Chargen 索取Ping of death 死亡之PingSmurf Smurf攻击Syn flood 同步洪泛Teardrop attack teardrop攻击Distributed denial of service 分布式拒绝服务Active code 活动代码Mobile code 移动代码Cookie 脚本Escape-character attack ESC字符攻击Active server page 活动服务器页Java code Java代码Sandbox 沙漏Java virtual machine Java虚拟机Hostile applet 有敌意的appletScript kiddie 脚本小子Building block attack 积木攻击Network segmentation 网络分段Redundancy 冗余Failover mode 失效修复模式Link encryption链路加密End-to-end encryption 端到端加密Virtual private network 虚拟专有网络Encrypted tunnel 加密隧道Certificate 证书Certificate authority 证书管理中心Transport layer security 传输层安全性Security association 安全关联Security parameter index 安全参数索引Authentication header 鉴别报头Encapsulated security payload 封装的安全负载Signed code 签名代码Content integrity 内容完整Error detection 错误检测Error correction code 错误校正码Parity 校验Even parity 奇校验Odd parity 偶校验Hash code 哈希码Huffman code 霍夫曼编码Cryptographic checksum密码校验和Message digest 消息摘要Strong authentication 强鉴别Password token口令令牌Challenge-response system 质询-响应系统Digital Distributed Authentication 分布式数字鉴别Ticket-granting server 票据授权服务器Ticket 票据Router ACL 路由器ACLService Set Identifier 服务区标识符Wired equivalent privacy 无线等效保密Temporal Key Integrity Program 暂时密钥集成程序Honeypot 蜜罐Traffic flow security 通信流量安全Onion routing 洋葱型路由算法Firewall 防火墙Reference monitor 引用监视器Packet filtering gateway 包过滤网关Screening router 屏蔽路由器Stateful inspection 状态检查Application proxy 应用代理Bastion host 保垒主机Guard 门卫Personal firewall 个人防火墙Layered protection 分层保护Defense in depth 纵深防御Intrusion detection system 入侵检测系统Network-based IDS 基于网络的IDSHost-based IDS 基于主机的IDSSignature-based IDS基于签名的IDSAnomaly detection 异常检测Heuristic intrusion detection 启发式入侵检测Misuse detection 误用检测Stealth mode 秘密模式Scanner 扫描仪IDS alarm IDS警告False positive 漏报False negative 误报Secure e-mail 安全电子邮件Message confidentiality 消息机密性Message integrity check 消息完整性检查Sender authenticity 发送者的真实性Sender nonrepudiation 发送者的不可否认Key management 密钥管理Key ring 钥匙环。
加密有哪些安全要求呢英文
Encryption Security RequirementsEncryption is a widely used security technique used for protecting sensitive information from unauthorized access. In today’s digital world, encryption has become a critical tool for ensuring data security. However, encryption alone is not enough to guarantee data security. There are several security requirements that must be met to ensure the effectiveness of encryption. In this document, we will discuss the security requirements of encryption.Key ManagementOne of the critical security requirements for encryption is key management. Encryption keys are used to secure the data, and it is essential to protect them. The keys should be stored securely, and only authorized personnel should have access to them. Additionally, keys should be rotated periodically, and the old keys should be securely deleted.AuthenticationAnother essential security requirement for encryption is authentication. Authentication ensures that only authorized individuals can access the encrypted data. This can be achieved through various authentication techniques such as passwords, biometrics, smart cards, or tokens. Authentication is essential to prevent unauthorized access to sensitive information.IntegrityEncryption should also ensure the integrity of the data. The integrity of the data refers to the accuracy and consistency of the information. The encrypted data should remain unchanged during transit or storage. To guarantee data integrity, encryption algorithms that support integrity checks such as HMAC (Hash Message Authentication Code) should be used.AvailabilityAnother critical security requirement for encryption is availability. Availability ensures that the encrypted data is accessible when needed. It is essential to maintain the availability of the data by using appropriate redundancy techniques, such as backup and replication. Additionally, encryption should not cause a significant impact on data availability.ComplianceCompliance is another essential security requirement for encryption. Compliance means adherence to the security policies, regulations, and laws. The useof encryption should comply with the relevant data security regulations in the region. Failure to comply with data security regulations could result in severe legal and financial consequences.ConclusionIn conclusion, encryption is a powerful tool for protecting sensitive data. However, to ensure the effectiveness of encryption, several security requirements should be met. These requirements include key management, authentication, integrity, availability, and compliance. By meeting these requirements, organizations can ensure that their encrypted data is secure and inaccessible to unauthorized individuals.。
datasource的public-key用法
datasource的public-key用法
在数据源(datasource)中,public-key(公钥)用于加密和解
密敏感数据。
公钥加密是一种加密技术,其中使用公钥对数据进行加密,而需要私钥才能解密。
公钥是由非对称加密算法(如RSA)生成的一对密钥之一。
公钥用于加密数据,并可被任何人访问和使用。
另一对密钥是私钥,只有数据源的所有者可以访问和使用它来解密被加密的数据。
使用数据源的公钥来加密敏感数据具有以下优点:
1. 安全性:公钥加密技术提供了很高的安全性,因为只有拥有私钥的人才能解密数据。
2. 隐私保护:通过使用公钥加密,数据源可以保护用户的隐私,确保敏感数据不会被未经授权的人访问。
3. 数据完整性:公钥加密还可以用于验证数据的完整性,因为只有使用私钥才能对被加密的数据进行解密。
在数据源中,公钥通常存储在安全的位置,并用于加密与该数据源关联的敏感数据。
只有具有私钥的人才能解密由公钥加密的数据。
公钥加密也可以与数字签名相结合,以确保数据的完整性和身份验证。
数字签名使用私钥生成,可以与公钥一起使用来验证数据的真实性和完整性。
总而言之,数据源的公钥用于加密敏感数据,提供了安全性、隐私保护和数据完整性等优点。
Public-key cryptosystems based on composite degree residuosity classes
Gemplus Card International, Cryptography Department 34 rue Guynemer, 92447 Issy-les-Moulineaux, France pascal.paillier@ 2 ENST, Computer Science Department 46 rue Barrault, 75634 Paris Cedex 13 paillier@inf.enst.fr
2
Pascal Paillier
Other proposed mechanisms generally suffer from inefficiency, inherent security weaknesses or insufficient public scrutiny: McEliece’s cryptosystem [15] based on error correcting codes, Ajtai-Dwork’s scheme based on lattice problems (cryptanalyzed by Nguyen and Stern in [18]), additive and multiplicative knapsack-type systems including Merkle-Hellman [13], Chor-Rivest (broken by Vaudenay in [29]) and Naccache-Stern [17] ; finally, Matsumoto-Imai and Goubin-Patarin cryptosystems, based on multivariate polynomials, were successively cryptanalyzed in [11] and [21]. We believe, however, that the cryptographic research had unnoticeably witnessed the progressive emergence of a third class of trapdoor techniques: firstly identified as trapdoors in the discrete log, they actually arise from the common algebraic setting of high degree residuosity classes. After Goldwasser-Micali’s scheme [9] based on quadratic residuosity, Benaloh’s homomorphic encryption function, originally designed for electronic voting and relying on prime residuosity, prefigured the first attempt to exploit the plain resources of this theory. Later, Naccache and Stern [16], and independently Okamoto and Uchiyama [19] significantly extended the encryption rate by investigating two different approaches: ∗ residuosity of smooth degree in Z∗ pq and residuosity of prime degree p in Zp2 q respectively. In the meantime, other schemes like Vanstone-Zuccherato [28] on elliptic curves or Park-Won [20] explored the use of high degree residues in other settings. In this paper, we propose a new trapdoor mechanism belonging to this family. By contrast to prime residuosity, our technique is based on composite residuosity classes i.e. of degree set to a hard-to-factor number n = pq where p and q are two large prime numbers. Easy to understand, we believe that our trapdoor provides a new cryptographic building-block for conceiving public-key cryptosystems. In sections 2 and 3, we introduce our number-theoretic framework and investigate in this context a new computational problem (the Composite Residuosity Class Problem), which intractability will be our main assumption. Further, we derive three homomorphic encryption schemes based on this problem, including a new trapdoor permutation. Probabilistic schemes will be proven semantically secure under appropriate intractability assumptions. All our polynomial reductions are simple and stand in the standard model. Notations. We set n = pq where p and q are large primes: as usual, we will denote by φ(n) Euler’s totient function and by λ(n) Carmichael’s function1 taken on n, i.e. φ(n) = (p − 1)(q − 1) and λ(n) = lcm(p − 1, q − 1) in the present case. 2 ∗ Recall that |Z∗ n2 | = φ(n ) = nφ(n) and that for any w ∈ Zn2 , wλ = 1 mod n wnλ = 1 mod n2 , which are due to Carmichael’s theorem. We denote by RSA [n, e] the (conventionally thought intractable) problem of extracting e-th roots modulo n where n = pq is of unknown factorisation. The relation P1 ⇐ P2 (resp. P1 ≡ P2 )
专业英语翻译 (6)
New technique of the computer networkAbstractThe 21 century is an ages of the information economy, being the computer network technique of representative techniques this ages, will be at very fast speed develop soon in continuously creatively, and will go deep into the people's work, life and study. Therefore, control this technique and then seem to be more to deliver the importance. Now I mainly introduce the new technique of a few networks in actuality live of application.Keywords:Internet ; Digital Certificates ; Digital Wallets ;Grid Storage1. ForewordInternet turns 36, still a work in progressThirty-six years after computer scientists at UCLA linked two bulky computers using a 15-foot gray cable, testing a new way for exchanging data over networks, what would ultimately become the Internet remains a work in progress.University researchers are experimenting with ways to increase its capacity and speed. Programmers are trying to imbue Web pages with intelligence. And work is underway to re-engineer the network to reduce spam(junk mail) and security troubles.All the while threats loom: Critics warn that commercial, legal and political pressures could hinder the types of innovations that made the Internet what it is today.Stephen Crocker and Vinton Cerf were among the graduate students who joined UCLA professor Len Kleinrock in an engineering lab on Sept. 2, 1969, as bits of meaningless test data flowed silently between the two computers. By January, three other "nodes" joined the fledgling network.Then came e-mail a few years later, a core communications protocol called TCP/IP in the late 70s, the domain name system in the 80s and the World Wide Web - nowthe second most popular application behind e-mail - in 1990. The Internet expanded beyond its initial military and educational domain into businesses and homes around the world.Today, Crocker continues work on the Internet, designing better tools for collaboration. And as security chairman for the Internet's key oversight body, he is trying to defend the core addressing system from outside threats.He acknowledges the Internet he helped build is far from finished, and changes are in store to meet growing demands for multimedia. Network providers now make only "best efforts" at delivering data packets, and Crocker said better guarantees are needed to prevent the skips and stutters now common with video.Cerf, now at MCI Inc., said he wished he could have designed the Internet with security built-in. Microsoft Corp., Yahoo Inc. and America Online Inc., among others, are currently trying to retrofit the network so e-mail senders can be authenticated - a way to cut down on junk messages sent using spoofed addresses.Many features being developed today wouldn't have been possible at birth given the slower computing speeds and narrower Internet pipes, or bandwidth, Cerf said.2.Digital CertificatesDigital certificates are data files used to establish the identity of people and electronic assets on the Internet. They allow for secure, encrypted online communication and are often used to protect online transactions.Digital certificates are issued by a trusted third party known as a certification authority (CA). The CA validates the identity of a certificate holder and “signs” the certificate to attest that it hasn‟t been forged or altered in any way.New Uses For Digital CertificatesDigital certificates are now being used to provide security and validation for wireless connections, and hardware manufacturers are one of the latest groups to use them. Not long ago, VeriSign Inc. announced its Cable Modem Authentication Services, which allow hardware manufacturers to embed digital certificates into cable modems to help prevent the pirating of broadband services through device cloning.Using VeriSign software, hardware makers can generate cryptographic keys and corresponding digital certificates that manufacturers or cable service providers can use to automatically identify individual modems.This …ast-mile‟authentication not o nly protects the value of existing content and services but also positions cable system operators to bring a broad new range of content, applications and value-added services to market.When a certificate is digitally signed by a CA, its owner can use it as an electronic passport to prove his identity. It can be presented to Web sites, networks or individuals that require secure access.Identifying information embedded in the certificate includes the holder‟ s name and e-mail address, the name of the CA, a serial number and any activation or expiration data for the certificate. When a user‟s identity is verified by the CA, the certificate uses the holder‟s public encryption key to protect this data.Public keys are also employed by certificates that a Web server uses to confirm the authenticity of a Web site for a user‟s browser. When a user wants to send confidential information to a Web server, such as a credit-card number for an online transaction, the browser will access the public key in the server‟s digital certificate to verify its identity.Role of Public-Key CryptographyThe public key is one half of a pair of keys used in public-key cryptography, which provides the foundation for digital certificates.Public-key cryptography uses matched public and private keys for encryption and decryption. These keys have a numerical value that‟s used by an algorithm to scramble information and make it readable only to users with the corresponding decryption key.A person‟s public key is used by others to enc rypt information meant only for that person. When he receives the information, he uses his corresponding private key, which is kept secret, to decrypt the data. A person's public key can be distributed without damaging the private key. A Web server using a digital certificate can use itsprivate key to make sure that only it can decrypt confidential information sent to it over the Internet.The Web server‟s certificate is validated by a self-signed CA certificate that identifies the issuing CA. CA certificates are preinstalled on most major Web browsers, including Microsoft Internet Explorer and Netscape Navigator.The CA certificate tells users whether they can trust the Web server certificate when it‟s presented to the browser. If the validity of the Web server certificate is affirmed, the certificate‟s public key is used to secure information for the server using Secure Sockets Layer (SSL) technology.Digital certificates are used by the SSL security protocol to create a secure “pipe” between two parties that seek confidential communication. SSL is used in most major Web browsers and commercial Web servers.3. Digital WalletsA digital wallet is software that enables users to pay for goods on the Web .It holds credit-card numbers and other personal information such as a shipping address .Once entered,the data automatically populates order fields at merchant sites .When using a digital wallet,consumers don‟t need to fill out order forms on each site when they purchase an item because the information has already been stored and is automatically updated and entered into the order fields across merchantsites .Consumers also benefit when using digital wallets because their information is encrypted or protected by a private software code .And merchants benefit by receiving protection against fraud .Digital wallets are available to consumers free of charge,and they‟re fairly easy to obtain .For example,when a consumer makes a purchase at a merchant site th at‟s set up to handle server-side digital wallets,he types his name and payment and shipping information into the merchant‟s own form .At the end of the purchase,one consumer is asked to sign up for a wallet of his choice by entering a user name and password for future purchases .Users can also acquire wallets at a wallet vendor‟s site .Although a wallet is free for consumers,vendors charge merchants for wallets .Digital wallets come in two main types:client-side and server- side .Within those divisions are wallets that work only on specific merchant sites and those that are merchant agnostic .Client-based digital wallets,the older of the two types,are falling by the wayside,according to analysts,because they require users to download and install software .A user downloads the wallet application and inputs payment and mailinginformation .At that point,the information is secured and encrypted on the user‟s hard drive .The user retains control of his credit card and personal information locally .With a server-based wallet,a user fills out his personal information,and a cookie is automatically downloaded .(A cookie is a text file that contains information about the user .)In this scenario,the consumer information resides on the server of a financial inst itution or a digital wallet vendor rather than on the user‟s PC .Server-side wallets provide assurance against merchant fraud because they use certificates to verify the identity of all parties .When a party makes a transaction,it presents its certificate to the other parties involved .A certificate is an attachment to an electronic message used to verify the identity of the party and to provide the receiver with the means to encode a reply .Furthermore,the cardholder‟s sensitive data is typically house d at a financial institution,so there‟s an extra sense of security because financial environments generally provide the highest degree of security .But even though wallets provide easy shopping online,adoption hasn‟t been widespread .Standards are pivotal to the success of digital wallets .Last month,major vendors,including Microsoft Corp .,Sun Microsystems Inc .and America Online Inc .announced their endorsement of a new standard called EMCL,or E-Commerce Modeling Language,to give Web merchants a standardized way to collect electronic data for shipping,billing and payment .4. Grid StorageDefinition: Grid storage, analogous to grid computing, is a new model for deploying and managing storage distributed across multiple systems and networks, making efficient use of available storage capacity without requiring a large, centralized switching system.A grid is, in fact, a meshed network in which no single centralized switch or hub controls routing. Grids offer almost unlimited scalability in size and performance because they aren‟t constrained by the need for ever-larger central switches. Grid networks thus reduce component costs and produce a reliable and resilient structure.Applying the grid concept to a computer network lets us harness available but unused resources by dynamically allocating and deallocating capacity, bandwidth and processing among numerous distributed computers. A computing grid can span locations, organizations, machine architectures and software boundaries, offering power, collaboration and information access to connected users. Universities and research facilities are using grids to build what amounts to supercomputer capability from PCs, Macintoshes and Linux boxes.After grid computing came into being, it was only a matter of time before a similar model would emerge for making use of distributed data storage. Most storage networks are built in star configurations, where all servers and storage devices are connected to a single central switch. In contrast, grid topology is built with a network of interconnected smaller switches that can scale as bandwidth increases and continue to deliver improved reliability and higher performance and connectivity.What Is Grid Storage?Based on current and proposed products, it appears that a grid storage system should include the following:Modular storage arrays: These systems are connected across a storage network using serial ATA disks. The systems can be block-oriented storage arrays or network-attached storage gateways and servers.Common virtualization layer: Storage must be organized as a single logical pool of resources available to users.Data redundancy and availability: Multiple copies of data should exist across nodes in the grid, creating redundant data access and availability in case of a component failure.Common management: A single level of management across all nodes should cover the areas of data security, mobility and migration, capacity on demand, and provisioning.Simplified platform/management architecture: Because common management is so important, the tasks involved in administration should be organized in modular fashion, allowing the autodiscovery of new nodes in the grid and automating volume and file management.Three Basic BenefitsApplying grid topology to a storage network provides several benefits, including the following:Reliability. A well-designed grid network is extremely resilient. Rather than providing just two paths between any two nodes, the grid offers multiple paths between each storage node. This makes it easy to service and replace components in case of failure, with minimal impact on system availability or downtime.Performance. The same factors that lead to reliability also can improve performance. Not requiring a centralized switch with many ports eliminates a potential performance bottleneck, and applying load-balancing techniques to the multiple paths available offers consistent performance for the entire network.Scalability. It‟s easy to expand a grid network using inexpensive switches with low port counts to accommodate additional servers for increased performance, bandwidth and capacity. In essence, grid storage is a way to scale out rather than up, using relatively inexpensive storage building blocks.中文翻译新技术的计算机网络摘要:21世纪是信息经济的时代,作为这个时代的代表技术,计算机网络技术,将在非常快的速度发展很快,不断创造性地将进入人们的工作,学习和生活中深。
- 1、下载文档前请自行甄别文档内容的完整性,平台不提供额外的编辑、内容补充、找答案等附加服务。
- 2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
- 3、如文档侵犯您的权益,请联系客服反馈,我们会尽快为您处理(人工客服工作时间:9:00-18:30)。
PUBLIC KEY ENCRYPTION CAN BE SECURE AGAINST ENCRYPTION EMULATION ATTACKS BY COMPUTATIONALLY UNBOUNDEDADVERSARYDENIS OSIN AND VLADIMIR SHPILRAINAbstract.The main purpose of this paper is to show why,contrary to a prevalent opinion,publickey encryption can be secure against“encryption emulation”attacks by computationally unboundedadversary,with one reservation:a legitimate party decrypts correctly with probability that can bemade arbitrarily close to1,but not equal to1.1.IntroductionThis paper was prompted,in part,by several discussions,mostly informal,related to an earlier paper[5],where,for thefirst time,a cryptographic protocol based on non-recursiveness of a decision problem rather than on computational hardness of a search problem was suggested.(The protocol of Magyarik and Wagner[2]is not based on non-recursiveness of a decision problem,contrary to what the title of their paper may suggest;this was recently pointed out in[1].)Most readers of[5] were perplexed already by the abstract,where it was claimed that“decision problems may be useful when one addresses the ultimate challenge of public key cryptography:to design a cryptosystem that would be secure against“brute force”attacks by computationally unbounded adversary”.The following statement made by one of the reviewers is typical:...key generations can be performed over and over again,each time with fresh ran-domness,until the public key to be attacked is obtained–this will happen eventuallywith overwhelming probability!Already the correctness(no matter if perfect or onlywith overwhelming probability)of the scheme guarantees now that the correspond-ing secret key(as obtained by the adversary performing key generation)allows todecrypt illegitimately.This statement actually consists of two separate claims,in two separate sentences.We note that thefirst one is correct,whereas the second one is not.The crucial point is that it does matter whether the correctness of the scheme is perfect or only with overwhelming probability.If the correctness was perfect,then the quoted claim would be valid indeed.However,if there is a gap, no matter how small(it can be easily made on the order of10−200,see[5]),between1and the probability of correct decryption by a legitimate party,then this gap can be very substantially“am-plified”for the adversary,thus making the probability of correct illegitimate decryption anything but overwhelming.We explain this phenomenon in our Section2,trying to keep the group-theoretic background to a minimum.One of the problems with the paper[5]is that it is somewhat too heavy on combinatorial group theory,at least for a non-expert.Most of that group theory is needed to separate the receiver (Alice)and the adversary(Eve)in power.This is,indeed,a very non-trivial problem that opens several interesting research avenues.It appears,however,that the main point of perplexity for most Research of thefirst author was partially supported by the NSF grant DMS-0605093.Research of the second author was partially supported by the NSF grant DMS-0405105.1cryptographers was the fact that encryption by the sender(Bob)can be secure against“encryption emulation”attacks by a computationally unbounded adversary.To explain how and why this is possible,we do not really need to introduce any serious group theory.We also note,in passing,that the problem of security of the sender’s encryption algorithms is of independent interest.Of course,in applications to,say,Internet shopping or banking,both the sender’s and the receiver’s algorithms are assumed to be known to the adversary,and the receiver’s decryption algorithms(or algorithms for obtaining public keys)are usually more vulner-able to attacks.However,in some other applications,say,to electronic signatures(not to mention non-commercial,itary applications),decryption algorithms need not be public,whereas en-cryption algorithms always are.It is therefore important to have a consensus in the cryptographic community on the security claim in the abstract of the present paper.The arrangement of the paper is as follows.In Section2,we briefly describe one of the principal ideas behind our scheme(s),and then present a public key encryption protocol which is secure against the“encryption emulation”attack by a computationally unbounded adversary who does not know the encrypter’s hardware computational limitations.Then,in Section3,building on these ideas and combining them with a simple yet subtle trick,we present another protocol which is secure against the“encryption emulation”attack by a computationally unbounded adversary who has complete information on the algorithm(s)and hardware that the sender uses for encryption. More precisely,in our protocol the sender transmits his private bit sequence by encrypting one bit at a time,and the receiver decrypts each bit correctly with probability that can be made arbitrarily close to1,but not equal to1.At the same time,the(computationally unbounded)adversary decrypts each bit(by emulating the sender’s encryption algorithm)correctly with probability atmost34.There are essentially no requirements on the sender’s computational abilities;in fact,encryption can be done by hand,which can be a big advantage in some situations;for example,afield operative can receive a public key and transmit encrypted information over the phone,without using a computer.2.Encryption:beta versionWe assume that the sender(Bob)is given a presentationΓ(published by Alice)of a group G by generators and defining relators:Γ= x1,x2,...,x n|r1,r2,... .No further information about the group G is available to Bob.Bob is instructed to transmit his private binary sequence to Alice by transmitting a word u= u(x1,...,x n)equal to1in G in place of“1”and a word v=v(x1,...,x n)not equal to1in G in place of“0”.Now we have to specify the algorithms that Bob should use to select his words.Algorithm“0”(for selecting a word v=v(x1,...,x n)not equal to1in G)is quite simple:Bob just selects a random word by building it letter-by-letter,selecting each letter uniformly from the set X={x1,...,x n,x−11,...,x−1n}.The length of such a word should be a random integer from an interval that Bob selects up front,based on his computational abilities.Algorithm“1”(for selecting a word u=u(x1,...,x n)equal to1in G)is slightly more complex. It amounts to applying a random sequence of operations of the following two kinds,starting with the empty word:(1)Inserting into a random place in the current word a pair hh−1for a random word h.(2)Inserting into a random place in the current word a random conjugate g−1r i g of a randomdefining relator r i.The length of the resulting word should be in the same range as the length of the output of Algorithm“0”.We do not go into more details here because they are irrelevant to the main Section 3of the present paper,i.e.,all claims of Section3remain valid no matter what algorithm for producing words equal to1is chosen,as long as it does not return the empty word.However, we note in passing that for more practical protocols like the one suggested in[5],Algorithm“1”matters a lot,and it definitely deserves further investigation.Anyway,this is it for Bob;now it is Eve’s turn to work.According to the reviewer’s recipe quoted in our Introduction,if she wants to use the“encryption emulation”attack,she has to ...perform key generations over and over again,each time with fresh randomness,until the public key to be attacked is obtained.Thus,Eve is building up two lists,corresponding to two algorithms above.Ourfirst observation is that the list that corresponds to the Algorithm“0”is useless to Eve because it is eventually going to contain all words in the alphabet X={x1,...,x n,x−11,...,x−1n}.Therefore,Eve may just as well forget about this list and concentrate on the other one,that corresponds to the Algorithm “1”.Now the situation boils down to the following:if a word w transmitted by Bob appears on the list,then it is equal to1in G.If not,then not.The only problem is:how can Eve possibly conclude that w does not appear on the list if the list is infinite?Here our opponent should say“Well,there is no infinity in real life,so the list is actuallyfinite because of Bob’s computational limitations”. Indeed,whether or not the list in question isfinite or infinite is irrelevant to the problem at hand. What matters is that,in theory,Eve does not know a bound on the size of the list.Well,then,the opponent might say,Already the correctness(no matter if perfect or only with overwhelming probability)of the scheme guarantees now that the corresponding secret key(as obtained by theadversary performing key generation)allows to decrypt illegitimately.In other words,our opponent suggests that Eve can stop at some point and conclude that w=1 with overwhelming probability,just like Alice does.The point however is that this probability may not at all be as“overwhelming”as the probability of the correct decryption by pare:(1)For Alice to decrypt correctly“with overwhelming probability”,the probability P1(N)fora random word w of length N not to be equal to1should converge to1(reasonably fast)as N goes to infinity.(2)For Eve to decrypt correctly“with overwhelming probability”,the probability P2(N,f(N))for a random word w of length N produced by the Algorithm“1”to have a proof of length ≤f(N)verifying that w=1,should converge to1as N goes to infinity.Here f(N) represents Eve’s computational capabilities;this function can be arbitrary,butfixed.We see that the functions P1(N)and P2(N)are of very different nature,and any correlation between them is unlikely.We note that the function P1(N)is generally well understood,and in particular,it is known that in any infinite group G,P1(N)indeed converges to1as N goes to infinity;see Section5of[5]for more details on this convergence.On the other hand,functions P2(N,f(N))are more complex;note also that they may depend on a particular algorithm used by Bob to produce words equal to1.The Algorithm“1”described in this section is very straightforward;there are more delicate algorithms that will be discussed in another paper.Anyway,functions P2(N,f(N))are currently subject of active research,and in particular,it appears likely that there are groups in which P2(N,f(N))does not converge to1at all,if an algorithm used to produce words equal to1is chosen intelligently.We also note in passing that if in a group G the word problem is recursively unsolvable,then the length of a proof verifying that w=1in G is not bounded by any recursive function of the length of w.Of course,in real life,Eve may know a bound on the size of the list based on a general idea of what kind of hardware may be available to Bob;but then again,in real life Eve would be computationally bounded herself.Here we note(again,in passing)that there are groups G with efficiently solvable word problem and words w of length n equal to1in G,such that the length of a proof verifying that w=1in G is not bounded by any tower of exponents in n,see[4].Thus,the bottom line is:in theory,Eve cannot positively identify the bit that Bob has encrypted by a word w if she just uses the“encryption emulation”attack.In fact,such an identification would be equivalent to solving the word problem in G,which would contradict the well-known fact that there are(finitely presented)groups with recursively unsolvable word problem.It would be nice,of course,if Eve was unable to positively decrypt using“encryption emulation”attacks even if she did know Bob’s computational limitations.This,too,can be arranged,see the next section.3.Encryption:trick and treatBuilding on the ideas from the previous section and combining them with a simple yet subtle trick,we describe here an encryption protocol with the following features:(F1)Bob encrypts his private binary sequence by words in a public alphabet X.(F2)Alice(the receiver)decrypts Bob’s transmission correctly with probability that can be made arbitrarily close to1,but not equal to1.(F3)The adversary,Eve,is assumed to have no bound on the speed of computation or on the storage space.(F4)Eve is assumed to have complete information on the algorithm(s)and hardware that Bob uses for encryption.However,Eve cannot predict outputs of Bob’s random numbers gen-erator(the latter could be just coin tossing,say).(F5)Eve cannot decrypt correctly any bit of Bob’s binary sequence with probability>34byemulating Bob’s encryption algorithm.This leaves Eve with the only hope:to attack Alice’s decryption algorithm or her algorithm for obtaining public keys,but this subject is outside of the scope of the present paper.Here we only discuss the“encryption emulation”attack.We also have to say up front that the encryption protocol that will be presented in this section is probably not very suitable for commercial applications(such as Internet shopping or banking)due to a large amount of work required from Alice to receive just one bit from Bob.For a commercial implementation of the ideas presented in the previous section,we can recommend the protocol de-scribed(with specific parameters)in[5].That protocol has encryption with a fairly large expansion factor(on the order of150),but not to the point of being impractical,especially given that the encryption amounts primarily to generating random words of reasonable length,which can be done quite efficiently.Now we are getting to the protocol description.In one round of this protocol,Bob transmits a single bit,i.e.,Alice generates a new public key for each bit transmission.(P0)Alice publishes two presentations:Γ1= x1,x2,...,x n|r1,r2,...Γ2= x1,x2,...,x n|s1,s2,... .One of them defines the trivial group,whereas the other one defines an infinite group,but only Alice knows which one is which.Bob is instructed to transmit his private bit to Alice as follows:(P1)In place of“1”,Bob transmits a pair of words(w1,w2)in the alphabetX={x1,x2,...,x n,x−11,...,x−1n},where w1is selected randomly,while w2is selected to be equal to1in the group G2defined byΓ2(see Algorithm“1”in the previous section). (P2)In place of“0”,Bob transmits a pair of words(w1,w2),where w2is selected randomly, while w1is selected to be equal to1in the group G1defined byΓ1.Under our assumptions(F3),(F4)Eve can identify the word(s)in the transmitted pair which is/are equal to1in the corresponding presentation(s),as well as the word,if any,which is not equal to1.There are the following possibilities:(1)w1=1in G1,w2=1in G2;(2)w1=1in G1,w2=1in G2;(3)w1=1in G1,w2=1in G2.It is easy to see that the possibility(1)occurs with probability12(when Bob wants to transmit“1”and G1is trivial,or when Bob wants to transmit“0”and G2is trivial).If this possibilityoccurs,Eve cannot decrypt Bob’s bit correctly with probability>12.Indeed,the only way for Eveto decrypt in this case would be tofind out which presentationΓi defines the trivial group,i.e.,she would have to attack Alice’s algorithm for obtaining a public key,which is outside of the scope of the present paper.Here we just note,in passing,that there are many different ways to construct presentations of the trivial group,some of them involving a lot of random choices.See e.g.[3]for a survey on the subject.In any case,our claim(F5)was that Eve cannot decrypt Bob’s bit correctly with probability>34by emulating Bob’s encryption algorithm,which is obviously true in this scheme since theprobability for Eve to decrypt correctly is,in fact,precisely12·12+12·1=34.(Note that Evedecrypts correctly with probability1if either of the possibilities(2)or(3)above occurs.)Our abrasive opponent may say that34is a rather high probability of illegitimate decryption,even though this is just for one bit.Recall however that we are dealing with computationally unbounded adversary,while Bob can essentially do his encryption by hand!All he needs is a generator of uniformly distributed random integers in the interval between1and2n(the latter is the cardinality of the alphabet X).Besides,note that with the probability of correctly decryptingone bit equal to34,the probability to correctly decrypt,say,a credit card number of16decimaldigits would be on the order of10−7,which is comparable to the chance of winning the jackpot in a lottery.Of course,there are many tricks that can make this probability much smaller,but we think we better stop here because,as we have pointed out before,our focus here is on the new paradigm itself.References[1]J.-C.Birget,S.Magliveras,M.Sramka,On public-key cryptosystems based on combinatorial group theory,preprint./2005/070[2]M.R.Magyarik,N.R.Wagner,A Public Key Cryptosystem Based on the Word Problem.CRYPTO1984,19–36,Lecture Notes in Comput.Sci.196,Springer,Berlin,1985.[3]A.D.Myasnikov,A.G.Myasnikov,V.Shpilrain,On the Andrews-Curtis equivalence,Contemp.Math.,Amer.Math.Soc.296(2002),183–198.[4]A.N.Platonov,An isoparametric function of the Baumslag-Gersten group.(Russian)Vestnik Moskov.Univ.Ser.I Mat.Mekh.2004,no.3,12–17;translation in Moscow Univ.Math.Bull.59(2004),no.3,12–17(2005).[5]V.Shpilrain and G.Zapata,Using decision problems in public key cryptography,preprint./˜shpil/wppkc.pdfDepartment of Mathematics,The City College of New York,New York,NY10031E-mail address:denis.osin@,shpil@/~shpil。