密码应用安全的技术体系探讨

摘要/Abstract

摘要： 密码学是网络空间安全技术的重要组成，发挥了基础性的核心作用.在计算机和网络系统中应用密码学原理，设计和实现安全服务，极大地提高了网络空间的安全性.在网络空间中应用密码算法和密码协议，需要从计算机和网络系统的角度来考虑密码技术，在严谨而抽象的密码学与复杂而具体的信息系统之间建立联系.从数据、系统、实体等之间关系的角度出发，初次尝试探讨密码应用安全的技术体系；即在密码学理论已经完备的前提下，在计算机和网络系统中应用密码学原理，应该重点解决哪些方面的技术问题，列出了密码应用安全研究中需要完成的工作：1)选择合适的密码算法、工作模式和密码协议；2)维护合理的密钥参数；3)产生安全的随机数；4)以正确的方式实现和使用密码协议；5)绑定密钥与实体；6)确保密钥安全；7)实施密码计算的使用控制.结合已有的公开研究成果，详细论述了每一方面研究的问题和内容.

关键词: 应用密码学, 网络安全, 系统安全, 网络空间安全, 密钥安全

Abstract: Cryptography plays an important fundamental role in cyber security. Applying cryptography in computer and network systems to implement security services has improved the security of cyber space. The application of cryptography in cyber space, requires the consideration of the view of cryptography from the point of view of computer and network security, to establish the relationship between rigorous but abstract cryptography and complex but concrete information systems. This paper discusses the taxonomy of the secure application of cryptography, by analyzing the influences among data, systems, and entities. We attempt to answer the question: when cryptography theory is ready, which technical issues shall be solved towards the secure application of cryptography in computer and network systems? We list the following issues: 1) choose suitable cryptographic algorithms, work modes and cryptographic protocols, 2) maintain reasonable cryptographic keys, 3) generate secure random numbers, 4) implement and deploy cryptographic protocols correctly, 5) bind cryptographic keys to entities, 6) ensure the security of cryptographic keys, and 7) enforce the use control of cryptographic computations. Based on the related works, we describe each of these technical issues detailedly.

Key words: applied cryptography, network security, system security, cyber security, cryptographic key security

林璟锵荆继武. 密码应用安全的技术体系探讨[J]. 信息安全研究, 2019, 5(1): 14-22.

参考文献

[1] Wang X, Yu H. How to Break MD5 and Other Hash Functions[G] // LNCS 3494: Advances in Cryptology – EUROCRYPT. Berlin: Springer, 2005:19-35 [2] Wang X, Yin Y L, Yu H. Finding Collisions in the Full SHA-1[G] // LNCS 3621: Advances in Cryptology – CRYPTO. Berlin: Springer, 2005:17-36 [3] Holz R, Braun L, Kammenhuber N, et al. The SSL landscape:a thorough analysis of the x.509 PKI using active and passive measurements[C] //Proc of the 11th ACM SIGCOMM Internet Measurement Conf. New York: ACM, 2011:427-444 [4] Holz R, Amann J, Mehani O, et al. TLS in the wild: an Internet-wide analysis of TLS-based protocols for electronic communication[C]. Proc of the 23rd Annual Network and Distributed System Security Symp, Virginia: ISOC, 2016 [5] Knockel J, Ristenpart T, Crandall J. When Textbook RSA is Used to Protect the Privacy of Hundreds of Millions of Users[EB/OL]. [2018-02-09]. https://arxiv.org/abs/1802.03367 [6] Aviram N, Schinzel S, Somorovsky J,et al. DROWN: Breaking TLS using SSLv2[C] //Proc of the 25th USENIX Security Symp. Berkeley : USENIX, 2016 [7] Ball M V, Guyot C, Hughes J P, et al. The XTS-AES Disk Encryption Algorithm and the Security of Ciphertext Stealing.[J]. Cryptologia, 2012, 36(1):70-79 [8] Adrian D, Bhargavan K, Durumeric Z, et al. Imperfect Forward Secrecy:How Diffie-Hellman Fails in Practice[C] //Proc of the ACM Conference on Computer and Communications Security 2015. New York:ACM, 2015:5-17 [9] Arjen K. Lenstra, Eric R. Verheul. Selecting Cryptographic Key Sizes[J]. Cryptology, 2001, 14(4):446-465 [10] NESSIE Consortium. Portfolio of recommended cryptographic primitives[EB/OL]. [2003-03-27].http://cgi.di.uoa.gr/~halatsis/Crypto/Bibliografia/Systems&Standards/Nessie/decision-final.pdf [11] Kaliski B. TWIRL and RSA Key Size[EB/OL]. [2003-05-06], http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.77.4447&rep=rep1&type=pdf [12] Orman H, Hoffman P. IETF RFC 3766: Determining strengths for public keys used for exchanging symmetric keys[DB/OL]. https://tools.ietf.org/html/rfc3766 [13] Barker E, Barker W, Burr W, et al. Recommendation for key management part 1: General (revision 3)[R]. Gaithersburg:NIST special publication, 2012 [14] Goldberg I, Wagner D. Randomness and the Netscape browser[J]. Dr Dobb's Journal-Software Tools for the Professional Programmer, 1996, 21(1): 66-71 [15] Gutmann P. Software Generation of Practically Strong Random Numbers[C] //Proc of the 7th USENIX Security Symp, Berkeley:USENIX, 1998:243-257 [16] Dorrendorf L, Gutterman Z, Pinkas B. Cryptanalysis of the windows random number generator[C] //Proc of the ACM Conf on Computer and Communications Security. New York:ACM, 2007:476-485 [17] Barker E B, Kelsey J M. Recommendation for random number generation using deterministic random bit generators (revised)[EB/OL].[2015-06-24]. https://www.nist.gov/publications/recommendation-random-number-generation-using-deterministic-random-bit-generators-2 [18] Rukhin A, Soto J, Nechvatal J, et al. A statistical test suite for random and pseudorandom number generators for cryptographic applications[DB/OL]. https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-22r1a.pdf [19] Checkoway S, Fredrikson M, Niederhagen R, et al. On the Practical Exploitability of Dual EC DRBG in TLS Implementations[C] //Proc of the 23rd USENIX Security Symp. Berkeley:USENIX, 2014:319-335 [20] Kelsey J, Schneier B, Wagner D, et al. Cryptanalytic Attacks on Pseudorandom Number Generators[C] //Proc of the International Workshop on Fast Software Encryption. Berlin: Springer, 1998:168-188 [21] Zhu S, Ma Y, Lin J, et al. More Powerful and Reliable Second-Level Statistical Randomness Tests for NIST SP 800-22[C] //Proc of the Int Conf on the Theory and Application of Cryptology and Information Security. Berlin: Springer, 2016:307-329 [22] Zhu S, Ma Y, Chen T, et al. Analysis and Improvement of Entropy Estimators in NIST SP 800-90B for Non-IID Entropy Sources[J]. IACR Trans on Symmetric Cryptology, 2017(3): 151-168 [23] Lenstra A K, Hughes J P, Augier M, et al. Public Keys[M] //Berlin: Springer, 2012:626-642 [24] Heninger N, Durumeric Z, Wustrow E, et al. Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices[C] //Proc of the 21st USENIX Security Symp. Berkeley : USENIX, 2012, 8: 1 [25] Fahl S, Acar Y, Perl H, et al. Why eve and mallory (also) love webmasters:a study on the root causes of SSL misconfigurations[C] //Proc of the 9th ACM Symp on Information, Computer and Communications Security. New York: ACM, 2014:507-512 [26] Krombholz K, Mayer W, Schmiedecker M, Weippl E. I Have No Idea What I’m Doing - On the Usability of Deploying HTTPS[C]// Proc of the USENIX Security Symp. Berkeley:USENIX, 2017:1339-1356 [27] de Carnavalet X C, Mannan M. Killed by proxy: Analyzing client-end TLS interception software[C] //Proc of the Network and Distributed System Security Symp. Virginia: ISOC, 2016 [28] Somorovsky J, Mayer A, Schwenk J, et al. On Breaking SAML: Be Whoever You Want to Be[C] //Proc of the 21st USENIX Security Symp. Berkeley : USENIX, 2012 [29] Li W, Mitchell C J. Analysing the security of Google’s implementation of OpenID Connect[C] //Proc of the Int Conf on Detection of Intrusions and Malware, and Vulnerability Assessment. Berlin:Springer, 2016: 357-376 [30] Zhou Y, Evans D. SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities[C] //Proc of the 23rd Usenix Security Symp, Berkeley : USENIX, 2014 [31] R. Wang, S. Chen, X. Wang. Signing Me onto Your Accounts through Facebook and Google: A Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services[C] //Proc of the IEEE Symp on Security and Privacy, Piscataway, IEEE, 2012 [32] Wang H, Zhang Y, Li J, et al. Vulnerability Assessment of OAuth Implementations in Android Applications[C] //Proc of the 31st Annual Computer Security Applications Conf. New York: ACM, 2015:61-70 [33] Georgiev M, Iyengar S, Jana S, et al. The most dangerous code in the world:validating SSL certificates in non-browser software[C] //Proc of the ACM Conf on Computer and Communications Security. New York: ACM, 2012:38-49 [34] Fahl S, Harbach M, Muders T, et al. Why eve and mallory love android:an analysis of android SSL (in)security[C] //Proc of the ACM Conf on Computer and Communications Security. New York: ACM, 2012:50-61 [35] Brubaker C, Jana S, Ray B, et al. Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations[C] //Proc of the 2014 IEEE Symp on Security and Privacy. Piscataway: IEEE, 2014:114-129 [36] Chau S Y, Chowdhury O, Hoque E, et al. SymCerts: Practical Symbolic Execution for Exposing Noncompliance in X.509 Certificate Validation Implementations[C] //Proc of the 2017 IEEE Symp on Security and Privacy. Piscataway: IEEE, 2017:503-520 [37] Chen C, Tian C, Duan Z, et al. RFC-directed differential testing of certificate validation in SSL/TLS implementations[C] //Proc of the 40th Int Conf on Software Engineering. New York: ACM, 2018: 859-870 [38] Evans C, Palmer C, Sleevi R. IETF RFC 7469: Public key pinning extension for HTTP. [DB/OL]. https://tools.ietf.org/html/rfc7469 [39] Dukhovni V, Hardaker W. IETF RFC 7671: The DNS-Based Authentication of Named Entities (DANE) Protocol: Updates and Operational Guidance[DB/OL]. https://tools.ietf.org/html/rfc7671 [40] Szalachowski P, Matsumoto S, Perrig A. PoliCert: Secure and Flexible TLS Certificate Management[J]. Proc of the 2014 ACM SIGSAC Conf on Computer and Communications Security , New York: ACM, 2014:406-417 [41] Laurie B, Langley A, Kasper E. Certificate transparency[DB/OL] .https://www.certificate-transparency.org/ [42] Basin D, Cremers C, Kim H J, et al. ARPKI: Attack Resilient Public-Key Infrastructure[C] //Proc of the 2014 ACM SIGSAC Conf on Computer and Communications Security. New York: ACM, 2014:382-393 [43] Wendlandt D, Andersen D, Perrig A. Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing[C] //Proc of the 2008 USENIX Annual Technical Conf, Berkeley: USENIX, 2009:321-334 [44] Kasten J, Wustrow E, Halderman J A. CAge: Taming Certificate Authorities by Inferring Restricted Scopes[G] //LNCS:7859: Proc of the Int Conf on Financial Cryptography and Data Security. Berlin: Springer, 2013 [45] Soghoian C, Stamm S. Certified lies: Detecting and defeating government interception attacks against SSL (short paper)[C] //Proc of the Int Conf on Financial Cryptography and Data Security. Berlin: Springer, 2011: 250-259 [46] Gullasch D, Bangerter E, Krenn S. Cache games--Bringing access-based cache attacks on AES to practice[C] //Proc of the Security and Privacy , Piscataway: IEEE, 2011: 490-505 [47] Yarom Y, Falkner K. FLUSH+ RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack[C] //Proc of the USENIX Security Symp. Berkeley : USENIX , 2014, 1: 22-25 [48] Liu F, Yarom Y, Ge Q, et al. Last-Level Cache Side-Channel Attacks are Practical[C] //Proc of the IEEE Symp on Security and Privacy. New York, IEEE, 2015:605-622 [49] Zhang Y, Juels A, Reiter M K, et al. Cross-VM side channels and their use to extract private keys[C] //Proc of the ACM Conf on Computer and Communications Security. New York:ACM2012, 2012:305-316 [50] C. Disselkoen, D. Kohlbrenner, L. Porter, D. Tullsen. Prime+Abort: A Timer-free High-precision L3 Cache Attack using Intel TSX[C]. //Proc of 2017 USENIX Security. Berkeley : USENIX, 2017 [51] Genkin D, Pachmanov L, Pipman I, et al. ECDSA Key Extraction from Mobile Devices via Nonintrusive Physical Side Channels[C] //Proc of the 2016 ACM SIGSAC Conf on Computer and Communications Security. New York:ACM, 2016:1626-1638 [52] Genkin D, Pachmanov L, Pipman I, et al. Stealing Keys from PCs Using a Radio: Cheap Electromagnetic Attacks on Windowed Exponentiation[C] //Proc of the Int Workshop on Cryptographic Hardware and Embedded Systems. Berlin: Springer, 2015:207-228 [53] Genkin D, Pipman I, Tromer E. Get your hands off my laptop: physical side-channel key-extraction attacks on PCs[J]. Journal of Cryptographic Engineering, 2015, 5(2):95-112 [54] Genkin D, Shamir A, Tromer E. RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis[C] //Proc of the 34th Annual Cryptology Conf. Berlin: Springer, 2014:444-461 [55] Halderman J A, Schoen S D, Heninger N, et al. Lest we remember: cold-boot attacks on encryption keys[J]. Communications of the ACM, 2009, 52(5): 91-98 [56] Stewin P, Bystrov I. Understanding DMA Malware[C] //LNCS 7591: Proc of the Detection of Intrusions and Malware, and Vulnerability Assessment - 9th Int Conf. Berlin: Springer, 2013:21-41 [57] Blass E O, Robertson W. TRESOR-HUNT:attacking CPU-bound encryption[C] //Proc of the 28th Annual Computer Security Applications Conf. New York: ACM 2012, 2012:71-78 [58] Harrison K, Xu S. Protecting cryptographic keys from memory disclosure attacks[C] //Proc of the 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, Piscataway: IEEE. 2007: 137-143 [59] Chow J, Pfaff B, Garfinkel T, et al. Understanding data lifetime via whole system simulation[C] //Proc of the USENIX Security Symp. Berkeley : USENIX , 2004: 321-336 [60] Intel I. Software Guard Extensions Programming Reference, Revision 2[DB/OL]. https://software.intel.com/sites/default/files/managed/48/88/329298-002.pdf [61] Müller U. Software Grand Exposure:SGX Cache Attacks Are Practical[C] //Proc of the 11th USENIX Workshop on Offensive Technologies. Berkeley:USENIX, 2017 [62] Xu Y, Cui W, Peinado M. Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems[C] //Proc of the 36th IEEE Symposium on Security and Privacy. Piscataway: IEEE, 2015:640-656 [63] Shinde S, Chua Z L, Narayanan V, et al. Preventing your faults from telling your secrets: Defenses against pigeonhole attacks[DB/OL]. https://arxiv.org/abs/1506.04832 [64] Lee J, Jang J, Jang Y, et al. Hacking in Darkness: Return-oriented Programming against Secure Enclaves[C] //Proc of 26th USENIX Security Symp, Berkeley:USENIX, 2017 [65] Weichbrodt N , Kurmus A , Pietzuch P , et al. AsyncShock: Exploiting Synchronisation Bugs in Intel SGX Enclaves[G] //LNCS 9878:Proc of the European Symp on Research in Computer Security. Berlin: Springer, 2016 [66] Lipp M, Schwarz M, Gruss D, et al. Meltdown[EB/OL]. https://arxiv.org/abs/1801.01207 [67] Kocher P, Genkin D, Gruss D, et al. Spectre Attacks: Exploiting Speculative Execution[EB/OL]. https://arxiv.org/abs/1801.01203 [68] Dan B, Ding X, Tsudik G, et al. A method for fast revocation of public key certificates and security capabilities[C] //Proc of the 10th USENIX Security Symp. Berkeley:USENIX, 2001:22 [69] Ding X, Mozzacchi D, Tsudik G. Experimenting with server-aided signatures[C] //Proc of the Network and Distributed System Security Symp, NDSS 2002, Virginia:ISOC, 2002 [70] 林璟锵, 马原, 荆继武. 适用于云计算的基于SM2算法的签名及解密方法和系统. 中国发明专利ZL2014104375995[P], 2017.11.03 [71] Jiang F, Cai Q, Guan L, et al. Enforcing Access Controls for the Cryptographic Cloud Service Invocation Based on Virtual Machine Introspection[C] //Proc of the Information Security - 21st International Conference. Berlin: Springer, 2018:213-230 [72] Perrig A, Perrig A, Perrig A. CASTLE: CA signing in a touch-less environment[C] //Proc of the 32nd Annual Conf on Computer Security Applications. New York:ACM, 2016:546-557