数据加密外文翻译

信息安全工程师 /rk/safe/index.html信息安全专业英语1、cryptography:密码；plaintext 明文；ciphertext 密文；concealment 隐藏；cryptology 密码学；2、symmetric‐key 对称密钥；Symmetric‐key cryptography refers to encryption methods in which both the sender and receivershare the same key(or,less commonly,in which their keys are different,but related in an easily computable way).对称密钥加密是指加密方法，在该方法中，发送者和接收者共享相同的密钥3、asymmetric key 非对称密钥；Digita1 signatures 数字签名RSA and DSA are two of the most popular digital signature schemes4、elliptic curve cryptography 椭圆曲线密码5、Cryptanalysis 密码分析；quantum computer 量子计算机；6、Antivirus software 杀毒软件Network-attached storage (NAS,网络附加存储): is file-level computer data storage connected to a computer network providing data access to heterogeneous network clients.7、Penetration Testing Tools 渗透测试工具。

Developing a Database Encryption StrategyI. IntroductionThe networked database is the heart of the enterprise. It is where your most valuable assets reside the information that is the foundation of your business, transaction records, financial data, customer information. Protecting this data is increasingly important and increasingly difficult.This data’s critical business value makes it an obvious target for attackers. Successful attacks can wreak massive damage to company finances and corporate image. The media spotlight falls most often on high-profile cases involving consumer transactions and credit card numbers. Public concerns, fueled by adverse news coverage, are giving rise to new regulations and legislation on data management and privacy.But public-relations problems are not the only risk .Revelations of data gathered from Web-based transactions can damage a company’s credibility and customer relationships. Database attacks can have direct and severe economic consequences. Database attacks are rising and they can result in the loss or compromise of information critical to running your business day-to-day, from inventory and billing data to Customer Relationship Management applications and human-resources information.Consequently, databases are also likely to be holding increasing amounts of sensitive information on behalf of your customers financial records, healthcare histories,order histories, credit card and Social Security numbers.To protect your company’s database assets, there are security measures you should take today. These include encrypting data as it moves across your enterprise networks and as it sits at rest, in storage on database systems. Extra steps and precautions should be taken to carefully control access this data. This paper will focus on how to protect data at rest.Protecting Data with EncryptionWhile laws and regulations interpret “protecting privacy” in a number of ways, any enterprise solution for protecting data especially data at rest must involve two things:secure encryption technology to protect confidential data and careful management of access to the cryptography keys that unlock the encrypted data. Only then has your company done due diligence to protect the privacy of its customers.Where will you perform the data encryption inside or outside of the database? Your answer can affect the data’s security. How do you create a system that minimizes the number of people who have access to the keys? Storing the encryption keys separately from the data they encrypt renders information useless if an attacker found a way into the database through a backdoor in an application. In addition, separating the ability of administers to access or manage encryption keys builds higher layers of trust and control over your confidential information infrastructure.There should be limited access to the means to decrypt sensitive information and this access should be locked down and monitored with suspicious activity logged.II. Planning a Database Encryption StrategyBefore you can begin to design a database encryption strategy that is secure, you need to understand three things:how encryption works, how data flows in your application,and how database protection fits into your company’s overall security policy.Once you’re assessed the security and encryption needs of the sensitive data being gathered in your application, you will need to pick a course of action to ensure it is protected once it reaches the database. There are two strategies you can use —using encryption features of your DBMS, or performing encryption and decryption outside the database. Each of these approaches has its advantages and disadvantages. In this section we will outline the two different strategies for encrypting stored data so you can make the decision that is best for your environment.III. Implementing a Database Encryption StrategyTo effectively secure your databases using encryption, three issues are of primary importance: where to perform the encryption, where to store encryption keys and who has access to encryption keys. The process of encryption can be performed either 1) within the database, if your DBMSsupports the encryption features you need, or 2) outside the DBMS, where encryption processing and key storage is offloaded to centralized Encryption Servers. These two strategies will be covered in more detail below, but first some general comments: DBMS Features and LimitationsWhile encrypting inside the database may be beneficial because it has the least impact on your application environment, there are performance trade-offs and security implications to consider. Depending on the algorithms used and their implementation, some encryption can degradeDBMS performance. If your DBMS includes encryption, it is important to understand what algorithms it uses, the performance and strength of those algorithms, and how much flexibility you have in selecting what data you encrypt.Some general guidelines are DES is insecure, 3DES is slow and any symmetric ciphers should use 128-bit keys at a minimum.An inherent vulnerability of DBMS-based encryption is the encryption key used to encrypt data likely will be stored in a database table inside the database, protected by native DBMS access controls. Frequently, the users who can have access rights to the encrypted data also have access rights to the encryption key. This can create a security vulnerability because the encrypted text is not separated from the meansto decrypt it. Nor does this solution provide adequate tracking or monitoring of suspicious activities.Many enterprise IT managers have found the out-of-the-box encryption features offered by their DBMS have weaknesses of performance and key management sufficiently severe that they decide not to use them.Off-loading Encryption Outside of the DatabaseRSA Security recommends that companies, especially those that need to complywith Gramm-Leach-Bliley or HIPAA,consider database architectures that off-load encryption processing and secure key management to a separate,centralized Encryption Server. The Encryption Server will calculate the computation required by encryption or decryption. This has two benefits. It removes the computational overhead of cryptography from the DBMS or application servers. And perhaps even more importantly, it allows separation of encrypted data from encryption keys. The keys in this architecture never leave the encryption server. Locking down access and monitoring the Encryption Server is important in this scenario as well,but easily achievable.Let’s review each solution in more detail.Solution One: Implementing encryption inside the DBMS If encryption features are available within your DBMS product, you can encrypt and decrypt data within the database and the process will be transparent to your applications. The data is encrypted as soon as it is stored in the database. Any data that enters or leaves the database, though, will be transported as clear text. This is one of the simplest database encryption strategies, but it presents performance trade-offs and security considerations that must be evaluated.Encryption generally is implemented within the database through a “database procedure call” . Some vendors support limited encryption capabilities through database add-ons. Other vendors may only provide all-or-nothing support for encryption either the entire database is encrypted, or nothing is. While this may make sense for protecting your backup copies, encryption of the entire database means additional processing is expended on non-sensitive data an overkill situation resulting in unnecessary performance A major drawback to encrypting inside the database is the extra processing load. Because encryption and decryption are performed within the database, the DBMS is asked to perform additional processing – not only when the data is stored, but each time it is accessed. This additional processing can add up.Encrypting data when it is stored in the database using a database procedure call is shown in the diagram below. The procedure has to locate the stored encryption key and query it. The DBMS must verify the procedure can access the key. The database procedure then uses the keyin the encryption algorithm and returns the encrypted result. Reading the data requires the same procedure in reverse. Consider, for example, an application that does a sorted report based on credit card data and accesses a database containing encrypted card numbers. The database procedure for decrypting an item is executed against each encrypted data item. If it’s a large report, that can add up to a lot of extra processing. On the other hand, applications that depend on indexes built on encrypted data make the process even slower. For performance, it is advisable to architect the data so that encrypted data is not indexed. But, if you mustencrypt indexed data, encrypt the search value before performing the search. This means that the search procedure must be changed, and will require access to the encryption function as well as the encryption key.The strongest argument in favor of encrypting data within the DBMS is that applications are unaffected by the encryption. You can implement DBMS-basedencryption without making any changes in legacy applications, e-commerce applications, or any other applications that usethe data. However, this solution results in some equally compelling negatives: unless you use encrypted communications between the database and your applications, the data will be at risk of exposure while in transit. Also, if encryption keys are stored within the database, or even in other databases managed by the DBMS, the database administrators may have access to them and thus to any of your encrypted data.When evaluating database products, make sure you understand the performance of the encryption ciphers and strength of cipher based on key size. Many databases offer only the DES or 3DES algorithms which are generally regarded as slow performing. Another cipher, AES is preferable from a security perspective, or for higher performance and security evaluate the RC5® block cipher.Encryption keys are based on pseudo random number generation. Thus the security of your data depends on how truly random the base numbers are. You should understand how random keys are generated in your DBMS. What type of pseudo random number generation is used? It may help to talk to outside security experts about random number generation in database products before making a purchase decision. For example, RSA Security’s cryptography products are designed to provide random number generation in both software and hardware.If you do not want to store your keys in a table in the database, plan how you will store keys separately. The strongest key protection is with separate hardware that inter operates with the database. Depending on the level of security required, this often means purchasing a hardware security module (HSM), a device that provides secure storage for encryption keys and, depending on the device, additional features such as a co-processor to perform cryptographic functions and hardware acceleration. HSM are also a great way to back up encryption keys.Solution Two: Applying Encryption Outside the Database If the potential for data exposure in the database or in transit between client and server concerns you, a more secure solution is moving the encryption to the applications that generate the data.When you use client/server application security protocols like SSL, sensitive data is in clear text form for the shortest possible time. Encryption is performed within the application that introduces the data into the system; it travels encrypted and can be stored encrypted at its final destination. This approach can provide good end-to-end data protection, but may require changes to your applications to add or modify encryption and decryption capabilities.This type of a solution and optimize your investment is to build an Encryption Server to provide centralized encryption services for your entire database environment. This simplifies management and provides more control in a multi-application environment using many databases. This server can be optimized to perform cryptographic operations requested by your applications, giving you the flexibility to allow applications to make multiple requests for cryptographic operations, while consolidating and implementing the cryptography in a consistent way. Here is a diagram of an encryption process that includes an encryption server to providecryptography processing and key storageOne great benefit of this solution is it offers one of the best secure key management strategies. This solution separates encryption keys from the encrypted data stored in the database providing another layer of protection for the database. By contrast,Scenario One stores keys in the database with the encrypted data allowing an attacker easy access to both the keys and encrypted data. In Scenario Two outlined by the diagram above, the Encryption Server adds another layer of protection between the database and the attacker. The keys in the Encryption Server must be found before the hacker can decrypt data. The goal is to harden the Encryption ServerIV. RSA Security SolutionsRSA Security offers a full range of security products and services designed to assess the database application, provide strong authentication of users, deliver Web-based access control for end users or administrators, and simplify the art of building high-performing encryption applications.Assessment, Planning and ImplementationRSA Professional Services offers a database assessment service to review application architecture and design a database strategy. The goal is to identify key sensitive data, analyze the flow of data for potential vulnerabilities and threats, and make design recommendations. Further planning and implementation services are available for companies wishing to deploy the recommended solution. Benefits to customers include access to specialized encryption consultants and knowledge transfer or training of staff.AuthenticationRSA Security products are designed to provide the strong authentication required to protect access to the encryption keys stored in the database or on an Encryption Server. Using these authentication products, companies can reduce the threat of external attacks on their database.Access ManagementFor organizations seeking to control access and simplify administration of their Unix environment, RSA Keon® Unix Control software is a simple way to help lock down access to these servers. This is especially important for organizations who want to deploy a Unix Encryption Server in front of their database. RSA Keon Unix Control software employs a unique, non-intrusive architecture to help centrally manage a UNIX environment. RSA Keon Unix Control software is designed to perform the following functions. It hardens the Encryption Server against intrusion. It can centrally manage the identification and authentication of users , and establish access control while also providing data privacy and integrity monitoring of the entire process. It simplifies administration by propagating changes such as deleted or added user accounts across the entire UNIX enterprise in a single step. In short, RSA Keon Unix Control software helps simplify UNIX management while enforcing a strict enterprise-wide security policy without limiting productivity. Other features include file integrity checking and operating system vulnerability testing. In addition, RSA Keon Unix Control software is designed to proactively log changes to securityparameters, access attempts, and administrative activities to create a complete audit trail.V. ConclusionDatabase attacks are on the rise even as the risks of data disclosure are increasing. Already the financial services and health care industries must deal with legislation and regulation on data privacy. Consumer concerns about data disclosure and misuse will inevitably expand the responsibility of your enterprise to secure customer information. Failure could expose you to legal liability, negative publicity, lost public trust, as well as cost you money and lost productivity. In this environment, your security planning must include a strategy for protecting sensitive databases against attack or misuse by encrypting key data elements. Whether you decide to implement encryption inside or outside the database, RSA Security recommends:• Encrypted inform ation should be stored separately from encryption keys.• Strong authentication should be used to identify users before they decrypt sensitive information.• Access to keys should be monitored, audited and logged.• Sensitive data should be encrypted end-to-end —while in transit in the application and while in storage in enterprise databases.。

目录1前言3 2SAFEGUARD ENTERPRISE 主要功能和模块4 SafeGuard Enterprise 功能4 SafeGuard Enterprise Device Encryption设备加密模块功能说明4 SafeGuard Enterprise Data Exchange数据交换模块功能说明4 SafeGuard Enterprise Configuration Protection设备保护和控制模块功能说明5 3系统架构6系統架构和要求6设备控制与管理(Port Control-SGN CP)9移动存储加密11全硬盘加密12中央集中管理15附件 A: 部署计划18附件 B: 支持智能卡和令牌列表201前言随着信息化的高速发展，内网安全得到越来越多来自社会各界人士的关注和重视。

在计算机广泛使用的今天，计算机的丢失会给用户带来很大的麻烦，除物质损失外，电脑中存储的涉密资料或个人隐私的泄密会成为另一个潜在的威胁，有可能给用户带来无可挽回的损失。

如何能够保证在电脑丢失的情况下，电脑中存储的资料不被泄密。

如何能够保证在使用者使用移动存储能够安全的使用，移动存储不会因为丢失而造成数据外泄。

Utimaco 提供了一个完整与有效的的解决方案。

Utimaco 是数据保护的领先厂家，连续三年为Gartner推荐领先产品。

Utimaco SafeGuard 同时也获得多种国际上的认证，如：FIPS ， Common Criteria certified 。

本方案书说明了 Utimaco SafeGuard Enterprise的方案、核心、集中管理等功能. Utimaco SafeGuard 有以下几个模块：▪SafeGuard Management Center:管理中心实施和强制策略管理，中央控管各种不同的策略与混合的IT 网络环境.▪SafeGuard Device Encryption:设备加密透明的加密在笔记本、台式机、移动存储，保护使用者的设备因移失或失窃所造成的安全问题.▪SafeGuard Data Exchange:数据交换模块确保安全数据交换介由移动存储，即便客户端没有安装 Safeugard 安全软件还是可以读取加密的数据.▪SafeGuard Configuration Protection:设备保护和控制管理和控制外设设备，限制某一些品牌或是某一些序号的移动存储才能在局网的计算机使用，因为外设设备移失所造成的安全问题。

crypto-前缀全文共四篇示例，供读者参考第一篇示例：【Crypto-前缀】一词源自希腊语，意为隐藏、秘密。

在当今数字时代，它通常被用来指代密码学、加密货币等与安全保密相关的概念。

随着信息技术的高速发展，人们的生活已经离不开各种新型的数字化产品和服务，而加密技术作为一种基础保障手段，已经成为保护信息安全的重要手段之一。

在计算机领域，【Crypto-前缀】常被用来形容各种与加密相关的技术和方法。

例如，加密算法、数字签名、密钥管理等等，都涉及到【Crypto-前缀】。

加密技术的发展不仅让信息传输更加安全，还为人们提供了更多的数字化服务，如电子支付、在线银行等。

另外一个热门话题就是加密货币，比特币、以太坊等数字货币的出现，不仅改变了人们的支付方式，还为投资者提供了新的投资渠道。

加密货币的市场波动大、投资门槛低，吸引了大批投资者的加入。

不过，也有人担忧加密货币的泡沫风险和安全问题，尤其是金融监管机构一直在加强对加密货币市场的监管力度。

在开启数字化生活的今天，人们越来越离不开【Crypto-前缀】技术的应用。

保护个人隐私、加密通信、数字支付等等，都需要依赖加密技术和方法。

同时，加密技术的研究和创新也成为当今计算机领域的热门议题，不仅需要专业技术人员的支持，还需要广大用户的理解和支持。

在未来，随着信息技术的发展，【Crypto-前缀】技术将会在各个领域得到更广泛、深入的应用。

同时，我们也需要更加关注加密技术的安全性，防止黑客攻击和信息泄露。

加密技术已经成为数字时代的重要保障，只有不断提高技术水平，不断创新和完善加密技术，才能更好地保护我们的个人信息和数字资产。

【Crypto-前缀】虽然是一个看似晦涩的术语，但其背后的意义和应用前景却是无比广阔和重要的。

希望我们能够共同关注和支持加密技术的发展，努力创造一个更加安全、便捷的数字生活。

第二篇示例：Crypto-前缀，在当今数字世界中变得越来越流行。

它是来自希腊语kryptós，意为“隐藏”的前缀。

Cryptography is the practice and study of hiding information. In modern times, cryptography is considered a branch of both mathematics and computer science, and is affiliated closely with information theory，computer security, and engineering. Cryptography is used in applications present in technologically advanced societies; examples include the security of ATM cards, computer passwords，and electronic commerce, which all depend on cryptography.密码学是信息隐藏的实践与研究。

现代密码学被认为是数学和计算机科学的一个分支，它与信息论、计算机安全和工程密切相关。

密码技术被应用于技术先进的社会中，例如A TM卡、计算机密码和电子商务的安全，这些都依赖于密码学。

(1 )TerminologyUntil modem times, cryptography referred almost exclusively to encryption, the process of converting ordinary information (plaintext) into unintelligible gibberish (i.e., ciphertext). Decryption is the reverse, moving from unintelligible ciphertext to plaintext. A cipher (or cypher) is a pair of algorithms which creates the encryption and the reversing decryption. The detailed operation of a cipher is controlled both by the algorithm and, in each instance, by a key. This is a secret parameter (ideal以known only to the communicants) for a specific message exchange context. Keys are important, as ciphers without variable keys are trivially breakable and therefore less than useful for most purposes. Historically, ciphers were often used directly for encryption or decryption, without additional procedures such as authentication or integrity checks.直到近代，加密提到几乎完全加密，普通的转换过程的信息（明文）到不知所云胡言乱语（即密文）。

外文文献：1.IntroductionCryptography is the science of keeping secrets secret.Assume a sender referred to here and in what follows as Alice(as is commonly used)wants tosend a message m to a receiver referred to as Bob. She uses an insecure communication channel.For example,the channel could be a computer network or a telephone line.There is a problem if the message contains confidential information. The message could be intercepted and read by an eavesdropper.Or,even worse,the adversary,as usual referred to here as Eve,might be able to modify the message during transmission in such a way that the legitimate recipient Bob does not detect the manipulation.One objective of cryptography is to provide methods for preventing such attacks.Other objectives are discussed in Section 1.2.1.1 Encryption and SecrecyThe fundamental and classical task of cryptography is to provide confidentiality by encryption methods.The message to be transmitted–it can be some text,numerical data,an executable program or any other kind of information–is called the plaintext.Alice encrypts the plaintext m and obtains the ciphertext c.The ciphertext c is transmitted to Bob.Bob turns the ciphertext back into the plaintext by decryption.To decrypt,Bob needs some secret information,a secret decryption key. Adversary Eve still may intercept the ciphertext.However,the encryption should guarantee secrecy and prevent her from deriving any information about the plaintext from the observed ciphertext.Encryption is very old.For example,Caesar’s shift cipher was introduced more than 2000 years ago.Every encryption method provides an encryption algorithm E and a decryption algorithm D.In classical encryption schemes,both algorithms depend on the same secret key k.This key k is used for both encryption and decryption.These encryption methods are therefore called symmetric.For example,in Caesar’s cipher the secret key is the offset of the shift.We haveSymmetric encryption and the important examples DES(data encryption standard)and AES (advanced encryption standard)are discussed in Chapter 2.In 1976,W.Diffie and M.E.Hellman published their famous paper,New Directions in Cryptography ([DifHel76]).There they introduced the revolutionary concept of public-key cryptography. They provided a solution to the long standing problem of key exchange and pointed the way to digital signatures.The public-key encryption methods(comprehensively studied in Chapter 3)are asymmetric.Each recipient of messages has his personal key pkk ,consisting of two parts:pk is the encryption key and is made public,sk is the (sk,)decryption key and is kept secret. If Alice wants to send a message m to Bob,she encrypts m by use of Bob’s publicly known encryption key pk.Bob decrypts the ciphertext by use of his decryption key sk,which is known only to him.We haveMathematically speaking,public-key encryption is a so-called one-way function with a trapdoor. Everyone can easily encrypt a plaintext using the public key pk,but the other direction is difficult.It is practically impossible to deduce the plaintext from the ciphertext,without knowing the secret key sk(which is called the trapdoor information).Public-key encryption methods require more complex computations and are less efficient than classical symmetric methods.Thus symmetric methods are used for the encryption of large amounts of data.Before applying symmetric encryption,Alice and Bob have to agree on a key.To keep this key secret,they need a secure communication channel.It is common practice to use public-key encryption for this purpose.1.2 The Objectives of CryptographyProviding confidentiality is not the only objective of cryptography.Cryptography is also used to provide solutions for other problems:1.Data integrity.The receiver of a message should be able to check whether the message was modified during transmission,either accidentally or deliberately.No one should be able to substitute a false message for the original message,or for parts of it.2.Authentication.The receiver of a message should be able to verify its origin.No one should be able to send a message to Bob and pretend to be Alice(data origin authentication).When initiating a communication,Alice and Bob should be able to identify each other(entity authentication).3.Non-repudiation.The sender should not be able to later deny that she sent a message.If messages are written on paper,the medium-paper-provides a certain security against manipulation. Handwritten personal signatures are intended to guarantee authentication and non-repudiation.If electronic media are used,the medium itself provides no security at all,since it is easy to replace some bytes in a message during its transmission over a computer network,and it is particularly easy if the network is publicly accessible,like the Internet.So,while encryption has a long history,the need for techniques providing data integrity and authentication resulted from the rapidly increasing significance of electronic communication.There are symmetric as well as public-key methods to ensure the integrity of messages.Classical symmetric methods require a secret key k that is shared by sender and receiver.The message m is augmented by a message authentication code(MAC).The code is generated by an algorithm and depends on the secret key.The augmented message))km is protected against modifications.The receiver may test the integrity of (mMAC,(,an incoming message(m,m)by checking whetherMessage authentication codes may be implemented by keyed hash functions (see Chapter 3).Digital signatures require public-key methods(see Chapter 3 for examples and details).As with classical handwritten signatures,they are intended to provide authentication and non-repudiation.Note that non-repudiation is an indispensable feature if digital signatures are used to sign contracts.Digital signatures depend on the secret key of the signer-they can be generated only by him.On the other hand,anyone can check whether a signature is valid,by applying a publicly known verification algorithm Verify,which depends on the public key of the signer.If Alice wants to sign the message m,she applies the algorithm Sign with her secret key sk and gets the signature Sign)sk.Bob receives a signature s for message m,and may then(m,check the signature by testing whetherwith Alice’s public key pk.It is common not to sign the message itself,but to apply a cryptographic hash function(seeSection 3.4)first and then sign the hash value.In schemes like the famous RSA(named after its inventors:Rivest,Shamir and Adleman),the decryption algorithm is used to generate signatures and the encryption algorithm is used to verify them.This approach to digital signatures is therefore often referred to as the“hash-then-decrypt”paradigm(see Section3.4.5 for details).More sophisticated signature schemes,like the probabilistic signature scheme(PSS),require more steps.Modifying the hash value by pseudorandom sequences turns signing into a probabilistic procedure(seeSection 3.4.5).Digital signatures depend on the message.Distinct messages yield different signatures.Thus,like classical message authentication codes,digital signatures can also be used to guarantee the integrity of messages.1.3 AttacksThe primary goal of cryptography is to keep the plaintext secret from eavesdroppers trying to get some information about the plaintext.As discussed before,adversaries may also be active and try to modify the message.Then,cryptography is expected to guarantee the integrity of the messages.Adversaries are assumed to have complete access to the communication channel.Cryptanalysis is the science of studying attacks against cryptographic schemes.Successful attacks may,for example,recover the plaintext(or parts of the plaintext)from the ciphertext,substitute parts of the original message,or forge digital signatures.Cryptography and cryptanalysis are often subsumed by the more general term cryptology.A fundamental assumption in cryptanalysis was first stated by A.Kerkhoff in the nineteenth century.It is usually referred to as Kerkhoff’s Principle.It states that the adversary knows all the details of the cryptosystem,including algorithms and their implementations.According to this principle,the security of a cryptosystem must be entirely based on the secret keys.Attacks on the secrecy of an encryption scheme try to recover plaintexts from ciphertexts,or even more drastically,to recover the secret key.The following survey is restricted to passive attacks.The adversary,as usual we call her Eve,does not try to modify the messages.She monitors the communication channel and the end points of the channel.So she may not only intercept the ciphertext,but(at least from time to time)she may be able to observe the encryption and decryption of messages.She has no information about the key.For example,Eve might be the operator of a bank computer.She sees incoming ciphertexts and sometimes also the correspondingplaintexts.Or she observes the outgoing plaintexts and the generated ciphertexts.Perhaps she manages to let encrypt plaintexts or decrypt ciphertexts of her own choice.The possible attacks depend on the actual resources of the adversary Eve. They are usually classified as follows:1.Ciphertext-only attack.Eve has the ability to obtain ciphertexts.This is likely to be the case in any encryption situation.Even if Eve cannot perform the more sophisticated attacks described below,one must assume that she can get access to encrypted messages.An encryption method that cannot resist a ciphertext-only attack is completely insecure.2.Known-plaintext attack.Eve has the ability to obtain plaintext-ciphertext ing the information from these pairs,she attempts to decrypt a ciphertext for which she does not have the plaintext.At first glance,it might appear that such information would not ordinarily be available to an attacker.However,it very often is available.Messages may be sent in standard formats which Eve knows.3.Chosen-plaintext attack.Eve has the ability to obtain ciphertexts for plaintexts of her choosing.Then she attempts to decrypt a ciphertext for which she does not have the plaintext.While again this may seem unlikely,there are many cases in which Eve can do just this.For example,she sends some interesting information to her intended victim which she is confident he will encrypt and send out.This type of attack assumes that Eve must first obtain whatever plaintext-ciphertext pairs she wants and then do her analysis, without any further interaction.This means that she only needs access to the encrypting device once.4.Adaptively-chosen-plaintext attack.This is the same as the previous attack,except now Eve may do some analysis on the plaintext-ciphertextpairs,and subsequently get more pairs.She may switch between gathering pairs and performing the analysis as often as she likes.This means that she has either lengthy access to the encrypting device or can somehow make repeated use of it.5.Chosen-and adaptively-chosen-ciphertext attack.These two attacks are similar to the above plaintext attacks. Eve can choose ciphertexts and gets the corresponding plaintexts.She has access to the decryption device.1.4 Cryptographic ProtocolsEncryption and decryption algorithms,cryptographic hash functions or pseudorandom generators(see Section 2.1,Chapter 8)are the basic building blocks(also called cryptographicprimitives)for solving problems involving secrecy,authentication or data integrity.In many cases a single building block is not sufficient to solve the given problem:different primitives must be combined.A series of steps must be executed to accomplish a given task.Such a well-defined series of steps is called a cryptographic protocol.As is also common,we add another condition:we require that two or more parties are involved.We only use the term protocol if at least two people are required to complete the task.As a counter example,take a look at digital signature schemes.A typical scheme for generating a digital signature first applies a cryptographic hash function h to the message m and then,in a second step,computes the signature by applying a public-key decryption algorithm to the hash value h(m).Both steps are done by one person.Thus,we do not call it a protocol.Typical examples of protocols are protocols for user identification.There are many situations where the identity of a user Alice has to be verified. Alice wants to log in to a remote computer,for example,or to get access to an account for electronic banking.Passwords or PIN numbers are used for this purpose.This method is not always secure.For example,anyone who observes Alice’s password or PIN when transmitted might be able to impersonate her.We sketch a simple challenge-and-response protocol which prevents this attack(however,it is not perfect;see Section 4.2.1).The protocol is based on a public-key signature scheme,and we assume that Alice has a key)pkk=for this scheme.Now,Alice can prove her identity to Bob in the following way.(sk,1.Bob randomly chooses a“challenge”c and sends it to Alice.2.Alice signs c with her secret key,)Signs=,and sends the“response”s to Bob.sk:c(,3.Bob accepts Alice’s proof of identity,if Verify ok,,()cpk=sOnly Alice can return a valid signature of the challenge c,because only she knows the secret key sk. Thus, Alice proves her identity,without showing her secret.No one can observe Alice’s secret key,not even the verifier Bob.Suppose that an eavesdropper Eve observed the exchanged ter,she wants to impersonate Alice. Since Bob selects his challenge c at random(from a huge set),the probability that he uses the same challenge twice is very small.Therefore,Eve cannot gain any advantage by her observations.The parties in a protocol can be friends or adversaries.Protocols can be attacked.The attacks may be directed against the underlying cryptographic algorithms or against the implementation of the algorithms and protocols.There may also be attacks against a protocol itself.There may be passive attacks performed by an eavesdropper,where the only purpose is to obtain information.An adversary may also try to gain an advantage by actively manipulating the protocol.She might pretend to be someone else,substitute messages or replay old messages.Important protocols for key exchange,electronic elections,digital cash and interactive proofs of identity are discussed in Chapter 4.1.5 Provable SecurityIt is desirable to design cryptosystems that are provably secure.Provably secure means that mathematical proofs show that the cryptosystem resists certain types of attacks.Pioneering work in this field was done by C.E.Shannon.In his information theory,he developed measures for the amount of information associated with a message and the notion of perfect secrecy.A perfectly secret cipher perfectly resists all ciphertext-only attacks.An adversary gets no information at all about the plaintext,even if his resources in computing power and time are unlimited.Vernam’s one-time pad(see Section 2.1),which encrypts a message m by XORing it bitwise with a truly random bit string,is the most famous perfectly secret cipher.It even resists all the passive attacks mentioned.This can be mathematically proven by Shannon’s theory.Classical information-theoretic security is discussed in Section 9.1;an introduction to Shannon’s information theory may be found in Appendix B.Unfortunately,Vernam’s one-time pad and all perfectly secret ciphers are usually impractical.It is not practical in most situations to generate and handle truly random bit sequences of sufficient length as required for perfect secrecy.More recent approaches to provable security therefore abandon the ideal of perfect secrecy and the(unrealistic) assumption of unbounded computing power.The computational complexity of algorithms is taken into account.Only attacks that might be feasible in practice are considered.Feasible means that the attack can be performed by an efficient algorithm.Of course,here the question about the right notion of efficiency arises.Certainly,algorithms with non-polynomial running time are inefficient.Vice versa algorithms with polynomial running time are often considered as the efficient ones.In this book,we also adopt this notion of efficiency.The way a cryptographic scheme is attacked might be influenced by randomevents.Adversary Eve might toss a coin to decide which case she tries next.Therefore,probabilistic algorithms are used to model attackers. Breaking an encryption system,for example by a ciphertext-only attack,means that a probabilistic algorithm with polynomial running time manages to derive information about the plaintext from the ciphertext,with some non-negligible probability.Probabilistic algorithms can toss coins,and their control flow may be at least partially directed by these random events.By using random sources,they can be implemented in practice.They must not be confused with non-deterministic algorithms.The notion of probabilistic(polynomial) algorithms and the underlying probabilistic model are discussed in Chapter 5.The security of a public-key cryptosystem is based on the hardness of some computational problem(there is no efficient algorithm for solving the problem).For example,the secret keys of an RSA scheme could be easily figured out if computing the prime factors of a large integer were possible.However,it is believed that factoring large integers is infeasible.There are no mathematical proofs for the hardness of the computational problems used in public-key systems.Therefore,security proofs for public-key methods are always conditional: they depend on the validity of the underlying assumption.The assumption usually states that a certain function f is one way;i.e.,f can be computed efficiently,but it is infeasible to compute x from )(x f .The assumptions,as well as the notion of a one-way function,can be made very precise by the use of probabilistic polynomial algorithms.The probability of successfully inverting the function by a probabilistic polynomial algorithm is negligibly small,and negligibly small means that it is asymptotically less than any given polynomial bound(see Chapter 6,Definition 6.12).Important examples,like the factoring,discrete logarithm and quadratic residuosity assumptions,are included in this book(see Chapter 6).There are analogies to the classical notions of security.Shannon ’s perfect secrecy has a computational analogy:ciphertext indistinguishability(or semantic security).An encryption is perfectly secret if and only if an adversary cannot distinguish between two plaintexts,even if her computing resources are unlimited:if adversary Eve knows that a ciphertext c is the encryption of either m or 'm ,she has no better chance than 21 of choosing the right one.Ciphertextindistinguishability–also called polynomial-time indistinguishability–means that Eve’s chance of successfully applying a probabilistic polynomial algorithm is at most negligibly greater than1/2(Chapter 9,Definition 9.14).As a typical result,it is proven in Section 9.4 that public-key one-time pads are ciphertext-indistinguishable. This means,for example,that the RSA public-key one-time pad is ciphertext-indistinguishable under the sole assumption that the RSA function is one way.A public-key one-time pad is similar to Vernam’s one-time pad. The difference is that the message m is XORed with a pseudorandom bit sequence which is generated from a short truly random seed,by means of a one-way function.Thus,one-way functions are not only the essential ingredients of public-key encryption and digital signatures. They also yield computationally perfect pseudorandom bit generators(Chapter 8).If f is a one-way function,it is not only impossible to compute x from )(xf,but certain bits(called hard-core bits)of x are equally difficult to deduce.This feature is called the bit security of a one-way function.For example,the least-significant bit is a hard-core bit for the RSA function e xx mod n.Starting with a truly random seed,repeatedly applying f and taking the hard-core bit in each step,you get a pseudorandom bit sequence.These bit sequences cannot be distinguished from truly random bit sequences by an efficient algorithm,or,equivalently (Yao’s Theorem, Section 8.2),it is practically impossible to predict the next bit from the previous ones.So they are really computationally perfect.The bit security of important one-way functions is studied in detail in Chapter 7 including an in-depth analysis of the probabilities involved.Randomness and the security of cryptographic schemes are closely related.There is no security without randomness.An encryption method provides secrecy only if the ciphertexts appear random to the adversary Eve.Vernam’s one-time pad is perfectly secret,because,due to the truly random key string k,the encrypted message km is a truly random bit sequence for Eve.The public-key one-time pad is ciphertext-indistinguishable,because if Eve applies an efficient probabilistic algorithm,she cannot distinguish the pseudorandom key string and,as a consequence,the ciphertext from a truly random sequence.Public-key one-time pads are secure against passive eavesdroppers,who perform aciphertext-only attack(see Section 1.3 above for a classification of attacks).However,active adversaries,who perform adaptively-chosen-ciphertext attacks,can be a real danger in practice–as demonstrated by Bleichenbacher’s 1-Million-Chosen-Ciphertext Attack(Section 3.3.3).Therefore,security against such attacks is also desirable.In Section 9.5,we study two examples of public-key encryption schemes which are secure against adaptively-chosen-ciphertext attacks,and their security proofs.One of the examples,Cramer-Shoup’s public key encryption scheme,was the first practical scheme whose security proof is based solely on a standard number-theoretic assumption and a standard assumption of hash functions(collision-resistance).The ideal cryptographic hash function is a random function.It yields hash values which cannot be distinguished from randomly selected and uniformly distributed values.Such a random function is also called a random oracle.Sometimes,the security of a cryptographic scheme can be proven in the random oracle model.In addition to the assumed hardness of a computational problem,such a proof relies on the assumption that the hash functions used in the scheme are truly random functions.Examples of such schemes include the public-key encryption schemes OAEP(Section 3.3.4)and SAEP(Section9.5.1),the above mentioned signature scheme PSS and full-domain-hash RSA signatures(Section 3.4.5).We give the random-oracle proofs for SAEP and full-domain-hash signatures.Truly random functions can not be implemented,nor even perfectly approximated in practice.Therefore,a proof in the random oracle model can never be a complete security proof.The hash functions used in practice are constructed to be good approximations to the ideal of random functions.However,there were surprising errors in the past(see Section 3.4).We distinguished different types of attacks on an encryption scheme.In a similar way,the attacks on signature schemes can be classified and different levels of security can be defined.We introduce this classification in Chapter 10 and give examples of signature schemes whose security can be proven solely under standard assumptions(like the factoring or the strong RSA assumption).No assumptions on the randomness of a hash function have to be made,in contrast,for example,to schemes like PSS.A typical security proof for the highest level of security is included.For the given signature scheme,we show that not a single signature can be forged,even if the attacker Eve is able to obtain valid signatures from the legitimate signer,formessages she has chosen adaptively.The security proofs for public-key systems are always conditional and depend on(widely believed,but unproven)assumptions.On the other hand,Shannon’s notion of perfect secrecy and,in particular,the perfect secrecy of Vernam’s one-time pad are unconditional.Although perfect unconditional security is not reachable in most practical situations,there are promising attempts to design practical cryptosystems which provably come close to perfect information-theoretic security.The proofs are based on classical information-theoretic methods and do not depend on unproven assumptions.The security relies on the fact that communication channels are noisy or on the limited storage capacity of an adversary.Some results in this approach are reviewed in the chapter on provably secure encryption(Section 9.6).中文译文：密码学介绍说明密码学是一门保守秘密的科学。

总论所有人都会有对其他人的事情与隐藏信息的好奇心。

随着计算机处理能力的出现与数学技术的发展，现在可以编译不出被破译的密码。

被用来加密与解密数据的运算规则有两类：密钥，公钥。

只有一种密钥用来加密或者另外来解密。

现在识别寄件人、证明和认可像信息隐藏一样重要。

这篇文章在密码系统方面阐述的比较详细、明朗。

在这个系列具体的问题较详细地将被审查将来的论文。

常规相对于隐藏个人信息的愿望来说，好奇心是人类一个最重要的特征。

恋人、间谍、军事部门等都用信息隐藏的方式安全地传送信息。

有时会故意包括一些容易令人误解的信息。

隐写术，是一种将信息隐藏于明显没有深刻含义的图片中的机制，可以单独使用或者与其他方法同事使用。

加密术基本上是将信息不规则重组构成的，因而只是重复加密的逆过程是不能轻易解密的。

解密过程依赖于一种特殊的运算规则－众所周知的密码。

重组文本是密码文本，而原始文本毫无疑问是纯文本。

一个文本称为纯文本的充分必要条件是具有可读性。

原始的也可能不会具有明显的含义，例如原文本本身已经被加密过，现在对其再次进行加密。

设计一种输出为可读文本的机制也是可以的，只是可能这些输出与原始未加密的文本没有任何关联。

关键是配合使用面膜加密或者解密文本。

看来关键意义，将此案作为一个字符串作为密码，但是这个转变是无关紧要的－一个关键的功能在于它是一串串比特定绘制文本的密码原文。

直到最近，借助于计算机功能的发展，一种很普遍的加密方法是使用某种形式的替代。

这可能是直截了当的声称隐瞒真实姓名的电脑，2001年，Odyssey空间站在外太空发现的拼音字母出土了可信的结果。

在众多间谍小说系列文字或短语或任意字母取自非相关书籍文件或者用来生成电文，构成密钥，或者创造代换表加密或解密文本。

为什么使用密码出于保护获取信息的安全仍是使用密码的一大原因。

不过，它也日益用于识别个人认证和不可抵赖。

这对于因特网、全球贸易和其他活动的发展十分重要。

身份电子邮件和网民是扯开容易隐藏或伪造，而安全认证可以向那些互相遥控信息对付它们的人，一个信息的权力未获伪造或改变。

加密它：用新的高级加密标准（AES）保持你的数据安全James McCaffrey 摘要AES（The Advanced Encryption Standard）是美国国家标准与技术研究所用于加密电子数据的规范。

它被预期能成为人们公认的加密包括金融、电信和政府数字信息的方法。

本文展示了AES的概貌并解析了它使用的算法。

包括一个完整的C#实现和加密.NET数据的举例。

在读完本文后你将能用AES加密、测试基于AES的软件并能在你的系统中使用AES加密。

美国国家标准与技术研究所(NIST)在2002年5月26日建立了新的高级数据加密标准(AES)规范。

本文中我将提供一个用C#编写的的能运行的AES 实现，并详细解释到底什么是AES 以及编码是如何工作的。

我将向您展示如何用AES 加密数据并扩展本文给出的代码来开发一个商业级质量的AES 类。

我还将解释怎样把AES 结合到你的软件系统中去和为什么要这么做，以及如何测试基于AES 的软件。

AES 是一个新的可以用于保护电子数据的加密算法。

明确地说，AES 是一个迭代的、对称密钥分组的密码，它可以使用128、192 和256 位密钥，并且用128 位（16字节）分组加密和解密数据。

与公共密钥密码使用密钥对不同，对称密钥密码使用相同的密钥加密和解密数据。

通过分组密码返回的加密数据的位数与输入数据相同。

迭代加密使用一个循环结构，在该循环中重复置换（permutations ）和替换(substitutions）输入数据。

Figure 1 显示了AES 用192位密钥对一个16位字节数据块进行加密和解密的情形。

AES算法概述AES 算法是基于置换和代替的。

置换是数据的重新排列，而代替是用一个单元数据替换另一个。

AES 使用了几种不同的技术来实现置换和替换。

为了阐明这些技术，让我们用Figure 1 所示的数据讨论一个具体的AES 加密例子。

下面是你要加密的128位值以及它们对应的索引数组：00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15192位密钥的值是：00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 170 1 2 3 4 5 6 7 8 9 10 1112 13 14 15 16 17 18 19 20 21 22 23Figure 2 S-盒（Sbox ）当AES 的构造函数（constructor）被调用时，用于加密方法的两个表被初始化。