How to transmit the IV in AES encryption
I understand that a unique IV is important in encryption to prevent attacks like frequency analysis. The question "For AES CBC encryption, what's the importance of the IV?" has a pretty clear answer explaining the importance of the IV.
Would there be any security holes in sending the IV in clear text? Or would it need to be encrypted with the same public/private key that was used to send the symmetric key?
If the IV needs to be sent encrypted, then why not generate a new symmetric key each time and consider the IV as part of the key? Is it that generating a symmetric key is too costly? Or is it to minimize the amount of data transported?
The top answer to Secret vs. Non-secret Initialization Vector states:
A typical key establishment protocol will result in both involved parties computing a piece of data which they, but only they, both know. With Diffie-Hellman (or any Elliptic Curve variant thereof), the said shared piece of data has a fixed length and they have no control over its value (they just both get the same seemingly random sequence of bits).
How do two entities derive the "same seemingly random sequence of bits" without having a shared piece of information? Is the assumption that the shared information was sent encrypted? And, if the shared information is sent encrypted, why not just send the IV encrypted?
Because an application needs to transport the symmetric key securely, it would seem that separating the IV from the key itself is essentially an optimization. Or am I missing something?
There is no security hole by sending the IV in cleartext - this is similar to storing the salt for a hash in plaintext: As long as the attacker has no control over the IV/salt, and as long as it is random, there is no problem.
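To make this answer concrete, here is an added example in Go (my code, not the answerer's): AES-256-CBC with the IV sent in the clear, prepended to the ciphertext, plus an HMAC-SHA256 tag over IV||ciphertext so the recipient can detect an attacker who tries to choose or alter the IV (the "no control over the IV" condition above). The keys and message are constructed for the demo; a real system would derive them from a key exchange. The fixed-IV helper shows the failure mode the answer's second condition guards against: reusing one IV makes equal plaintexts produce equal ciphertexts.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// pkcs7Pad pads plaintext to a multiple of the AES block size.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad removes the padding added by pkcs7Pad, rejecting malformed input.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// cbcEncrypt returns IV || ciphertext for the supplied IV. Seal always passes a
// fresh random IV; FixedIVLeaks passes a constant one only to show the leak.
func cbcEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(append([]byte(nil), plaintext...))
	out := make([]byte, len(iv)+len(padded))
	copy(out, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[len(iv):], padded)
	return out, nil
}

// Seal encrypts under a random IV and appends HMAC-SHA256(macKey, IV||ciphertext).
// The IV travels in cleartext; the tag is what denies an attacker control over it.
func Seal(encKey, macKey, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct, err := cbcEncrypt(encKey, iv, plaintext)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	return mac.Sum(ct), nil
}

// Open verifies the tag before using the IV or ciphertext, then decrypts.
func Open(encKey, macKey, msg []byte) ([]byte, error) {
	if len(msg) < aes.BlockSize+sha256.Size {
		return nil, errors.New("message too short")
	}
	body, tag := msg[:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("authentication failed")
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// FixedIVLeaks reports whether two encryptions of the same plaintext under a
// reused all-zero IV produce identical bytes (they do: equality leaks).
func FixedIVLeaks(key, plaintext []byte) (bool, error) {
	iv := make([]byte, aes.BlockSize) // constant, reused: the mistake
	a, err := cbcEncrypt(key, iv, plaintext)
	if err != nil {
		return false, err
	}
	b, err := cbcEncrypt(key, iv, plaintext)
	if err != nil {
		return false, err
	}
	return bytes.Equal(a, b), nil
}

func main() {
	encKey := make([]byte, 32) // constructed demo keys
	macKey := make([]byte, 32)
	rand.Read(encKey)
	rand.Read(macKey)
	msg := []byte("transfer 100 to account 42") // constructed demo message
	m1, _ := Seal(encKey, macKey, msg)
	m2, _ := Seal(encKey, macKey, msg)
	fmt.Println("same plaintext, different wire bytes:", !bytes.Equal(m1, m2))
	pt, err := Open(encKey, macKey, m1)
	fmt.Println(string(pt), err)
	m1[0] ^= 1 // an observer flips one bit of the cleartext IV
	_, err = Open(encKey, macKey, m1)
	fmt.Println("tampered IV rejected:", err)
	leak, _ := FixedIVLeaks(encKey, msg)
	fmt.Println("fixed IV leaks plaintext equality:", leak)
}
```

Note that a bit flip in the IV would otherwise flip the same bit in the first plaintext block after decryption, which is exactly why the tag must cover the IV and must be checked before decryption.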
The main difference between initialization vector and key is that the key has to be kept secret, while the IV doesn't have to be - it can be readable by an attacker without any danger to the security of the encryption scheme in question.
The idea is that you can use the same key for several messages, only using different (random) initialization vectors for each, so relations between the plain texts don't show in the corresponding ciphertexts.
That said, if you are using a key agreement scheme like Diffie-Hellman, which gives you a new shared secret for each session anyways, you can also use it to generate the first initialization vector. This does not really give much of a security advantage compared to choosing the initialization vector directly and sending it with the message, but saves some bits of bandwidth, and some bits of entropy from your random source. And it makes the IV a bit more random in case one of the partners has a bad randomness source (though DH is not really secure in this case either).
Diffie-Hellman is based on a group-theoretic problem: Eve knows a (cyclic) group G with generator g and sees the two values g^a (transmitted from Alice to Bob) and g^b (transmitted from Bob to Alice), where a and b are random large integers chosen by Alice and Bob (and unknown to Eve and even to the other partner). The shared secret is then (g^a)^b = g^(a·b) = (g^b)^a. Obviously Bob (who knows b) can calculate the secret as (g^a)^b, while Alice (who knows a) can calculate (g^b)^a. Eve somehow needs to derive this secret to crack the protocol. In some groups this (known as the computational Diffie-Hellman problem) seems to be a hard problem, and we are using these groups in cryptography. (In the original DH, we use a subgroup of prime order of the multiplicative group of some large finite prime field; in Elliptic Curve DH we use an elliptic curve group over a finite field. Other groups work, too (but some of them are weak, e.g. in the additive group of a field it is trivial to solve).)
Then both Alice and Bob use a key derivation function to derive the actual keying material (i.e. encryption keys for both directions, MAC keys, and the starting IVs).
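As an added illustration of the last two paragraphs (my code, not part of the answer), here is the exchange and derivation in Go. X25519 stands in for the generic group, since the answer names no specific curve, and HKDF-SHA256 for the unspecified key derivation function; the info label and the ordering of the derived values are my choices. Each side computes the shared secret from its own scalar and the other side's public value, and both expand it into the same encryption keys, MAC keys and starting IVs, with only the two public values ever crossing the wire.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// hkdfExtract and hkdfExpand implement RFC 5869 HKDF over HMAC-SHA256,
// written out inline so the example needs nothing outside the standard library.
func hkdfExtract(salt, ikm []byte) []byte {
	h := hmac.New(sha256.New, salt)
	h.Write(ikm)
	return h.Sum(nil)
}

func hkdfExpand(prk, info []byte, n int) []byte {
	var out, prev []byte
	for i := byte(1); len(out) < n; i++ {
		h := hmac.New(sha256.New, prk)
		h.Write(prev)
		h.Write(info)
		h.Write([]byte{i})
		prev = h.Sum(nil)
		out = append(out, prev...)
	}
	return out[:n]
}

// SessionKeys is the keying material the answer lists: encryption and MAC keys
// for each direction, plus the starting IVs, all derived from the one DH secret.
type SessionKeys struct {
	ClientEncKey, ServerEncKey []byte // 32 bytes each, AES-256
	ClientMACKey, ServerMACKey []byte // 32 bytes each, HMAC-SHA256
	ClientIV, ServerIV         []byte // 16 bytes each, one AES block
}

// DeriveSessionKeys expands the shared secret into six independent values.
// The transcript (both public DH values) is used as the HKDF salt so the keys
// are bound to this particular exchange.
func DeriveSessionKeys(shared, transcript []byte) SessionKeys {
	prk := hkdfExtract(transcript, shared)
	okm := hkdfExpand(prk, []byte("example aes-cbc session keys"), 4*32+2*16)
	return SessionKeys{
		ClientEncKey: okm[0:32], ServerEncKey: okm[32:64],
		ClientMACKey: okm[64:96], ServerMACKey: okm[96:128],
		ClientIV: okm[128:144], ServerIV: okm[144:160],
	}
}

// RunExchange performs one X25519 exchange and returns what Alice and Bob each
// derived. Only the two public values would cross the wire; Eve sees both.
func RunExchange() (SessionKeys, SessionKeys, error) {
	curve := ecdh.X25519()
	a, err := curve.GenerateKey(rand.Reader) // Alice's secret a, never sent
	if err != nil {
		return SessionKeys{}, SessionKeys{}, err
	}
	b, err := curve.GenerateKey(rand.Reader) // Bob's secret b, never sent
	if err != nil {
		return SessionKeys{}, SessionKeys{}, err
	}
	transcript := append(append([]byte{}, a.PublicKey().Bytes()...), b.PublicKey().Bytes()...)
	secretAlice, err := a.ECDH(b.PublicKey()) // (g^b)^a, computed by Alice
	if err != nil {
		return SessionKeys{}, SessionKeys{}, err
	}
	secretBob, err := b.ECDH(a.PublicKey()) // (g^a)^b, computed by Bob
	if err != nil {
		return SessionKeys{}, SessionKeys{}, err
	}
	return DeriveSessionKeys(secretAlice, transcript), DeriveSessionKeys(secretBob, transcript), nil
}

// SameKeys reports whether two parties derived identical material.
func SameKeys(x, y SessionKeys) bool {
	return bytes.Equal(x.ClientEncKey, y.ClientEncKey) && bytes.Equal(x.ServerEncKey, y.ServerEncKey) &&
		bytes.Equal(x.ClientMACKey, y.ClientMACKey) && bytes.Equal(x.ServerMACKey, y.ServerMACKey) &&
		bytes.Equal(x.ClientIV, y.ClientIV) && bytes.Equal(x.ServerIV, y.ServerIV)
}

func main() {
	alice, bob, err := RunExchange()
	if err != nil {
		panic(err)
	}
	fmt.Println("both sides hold the same keys and IVs:", SameKeys(alice, bob))
	fmt.Printf("client starting IV: %x\n", alice.ClientIV)
}
```

Deriving the IV this way only covers the first message of a session; later messages still need fresh IVs (random, or chained from the previous ciphertext as CBC naturally allows), which is where sending the IV in the clear with the message comes back in.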