
Research on Key Agreement Protocols and Their Applications

【Author】 张华 (Zhang Hua)

【Supervisor】 温巧燕 (Wen Qiaoyan)

【Author information】 Beijing University of Posts and Telecommunications, Cryptography, 2008, PhD

【Abstract (translated from the Chinese)】 As computers and communication networks become part of everyday life, more and more people are paying attention to information security. In a communication system, a key agreement protocol authenticates the identities of the communicating parties and generates for them a temporary session key used to encrypt the messages exchanged. The cryptographic primitives used by key agreement protocols include encryption algorithms, hash functions, MACs and signature schemes. By the number of participants, key agreement protocols are divided into two-party, three-party and group key agreement protocols. Besides implicit key authentication and key confirmation, a key agreement protocol should also have the following properties: known-session-key security, forward secrecy, no key-compromise impersonation, no unknown key-share attack and no key control. In terms of efficiency, a key agreement protocol should consider both communication complexity and computational complexity, where communication complexity covers round complexity and the amount of data transmitted. This thesis studies key agreement protocols in depth from the perspectives of two-party, three-party and group key agreement protocols and their applications, and obtains the following results:

1. It is pointed out that, with a simple check, the forgery attack by Chien et al. on the digital signature scheme of Chang et al. is invalid. At the same time, a new forgery attack on Chang et al.'s signature scheme is presented, and an improved scheme (the ZYWPC scheme) is given. The ZYWPC scheme is proved existentially unforgeable without random oracles.

2. Harn's protocol is an authenticated multiple-key agreement protocol that uses no one-way hash function. Because it provides no user authentication, it is vulnerable to replay attacks, unknown key-share attacks and DoS attacks. Zhou et al. attacked Harn's protocol and gave a modified protocol. This thesis points out that Zhou et al.'s protocol is vulnerable to a concatenation attack, and proposes an improved multiple-key agreement protocol that is both more secure and more efficient than Harn's protocol. The protocol provides user authentication and shared-key authentication, so it avoids the concatenation attack. It requires three message passes; one run of the protocol gives the participants four keys, and if A and B wish to share n^2 keys, each participant must transmit n ephemeral public keys.

3. A two-party key agreement protocol is proposed that uses the ZYWPC signature scheme for authentication, and its security is proved without random oracles.

4. A group key agreement protocol based on the DDH problem and using no hash function is proposed, and its security is analysed in the security model of Bresson et al. The protocol is efficient in both communication and computation: it requires 2 rounds, and each user sends 6 messages.

5. To meet the need for remote control of hosts, Microsoft designed the Remote Desktop Protocol (RDP). Although RDP makes operating remote hosts convenient, it also brings some security problems; several researchers have pointed out that RDP is vulnerable to man-in-the-middle attacks. Addressing this problem, this thesis proposes a new cipher suite, RDP-SKE, which strengthens authentication, and proves its security in the random oracle model. RDP-SKE lets RDP avoid man-in-the-middle attacks and also the harm caused by a malicious or careless CA. If the helper is not counted, RDP-SKE does not increase the number of interactions between client and server.

【Abstract】 With the wide use of computers and communication networks in our lives, more and more people are concerned about the security of information. An authenticated key agreement protocol provides authentication in communication systems and produces a short-term key that can encrypt the transferred information. Encryption algorithms, hash functions, MAC algorithms and digital signature schemes are the primitives used in key agreement protocols. There are three kinds of key agreement protocols: two-party, three-party and group key agreement protocols. Besides key authentication and key confirmation, a number of desirable security attributes have been identified for key agreement protocols: known-session-key security, forward secrecy, no key-compromise impersonation, no unknown key-share and no key control. In addition to security, we must consider efficiency, which includes communication cost and computational complexity. This paper studies two-party, three-party and group key agreement protocols and their applications. The main achievements of this paper are summarized as follows:

1. The paper points out that Chien et al.'s attack on Chang et al.'s digital signature scheme does not work once a simple verification is performed. We then show another forgery attack on it and propose an improved scheme (ZYWPC), which is secure against existential forgery attacks.

2. Harn's protocol is an authenticated multiple-key agreement protocol that does not use a hash function. However, it does not provide user authentication, so it is not secure against replay, resource-exhaustion, unknown key-share and DoS attacks. Zhou et al. give an attack on Harn's protocol and an improved protocol. This paper points out that Zhou's protocol is vulnerable to a concatenation attack, and proposes an improved authenticated multiple-key agreement protocol that is more secure and efficient than Harn's. The protocol provides both user authentication and shared-key authentication, so it escapes the concatenation attack. Our protocol needs three passes, and the entities obtain 4 keys from one run of it. If two users want to share n^2 keys, each entity must transmit n short-term public keys.

3. This paper proposes a two-party key agreement protocol by modifying ZYWPC and proves its security without random oracles.

4. This paper proposes a group key agreement protocol based on the DDH problem that does not use hash functions. The protocol is efficient in both communication and computation. We analyze its security in the security model formalized by Bresson et al. The number of rounds required is 2, and the number of messages sent per participant is 6.

5. The Remote Desktop Protocol (RDP) was designed by Microsoft for remote control of hosts. RDP brought both convenience and risk to users; many researchers showed that it is vulnerable to man-in-the-middle attack. In this paper a new ciphersuite (RDP-SKE) is proposed, which offers strong authentication, and RDP-SKE is shown to be provably secure in the random oracle model. By adopting RDP-SKE, RDP escapes man-in-the-middle attacks and the damage resulting from a malicious or careless Certification Authority (CA). Without considering the helper, RDP-SKE does not increase the number of passes between the client and the server.
