📄 rsa-faq.txt
字号:
Answers To
FREQUENTLY ASKED QUESTIONS
About Today's Cryptography
Paul Fahn
RSA Laboratories
100 Marine Parkway
Redwood City, CA 94065
Copyright (c) 1993 RSA Laboratories, a division of RSA Data Security,
Inc. All rights reserved.
Version 2.0, draft 2f
Last update: September 20, 1993
------------------------------------------------------------------------
Table of Contents
1 General
1.1 What is encryption?
1.2 What is authentication? What is a digital signature?
1.3 What is public-key cryptography?
1.4 What are the advantages and disadvantages of public-key
cryptography over secret-key cryptography?
1.5 Is cryptography patentable in the U.S.?
1.6 Is cryptography exportable from the U.S.?
2 RSA
2.1 What is RSA?
2.2 Why use RSA rather than DES?
2.3 How fast is RSA?
2.4 How much extra message length is caused by using RSA?
2.5 What would it take to break RSA?
2.6 Are strong primes necessary in RSA?
2.7 How large a modulus (key) should be used in RSA?
2.8 How large should the primes be?
2.9 How does one find random numbers for keys?
2.10 What if users of RSA run out of distinct primes?
2.11 How do you know if a number is prime?
2.12 How is RSA used for encryption in practice?
2.13 How is RSA used for authentication in practice?
2.14 Does RSA help detect altered documents and transmission errors?
2.15 What are alternatives to RSA?
2.16 Is RSA currently in use today?
2.17 Is RSA an official standard today?
2.18 Is RSA a de facto standard? Why is a de facto standard important?
2.19 Is RSA patented?
2.20 Can RSA be exported from the U.S.?
3 Key Management
3.1 What key management issues are involved in public-key
cryptography?
3.2 Who needs a key?
3.3 How does one get a key pair?
3.4 Should a public key or private key be shared among users?
3.5 What are certificates?
3.6 How are certificates used?
3.7 Who issues certificates and how?
3.8 What is a CSU, or, How do certifying authorities store their
private keys?
3.9 Are certifying authorities susceptible to attack?
3.10 What if the certifying authority's key is lost or compromised?
3.11 What are Certificate Revocation Lists (CRLs)?
3.12 What happens when a key expires?
3.13 What happens if I lose my private key?
3.14 What happens if my private key is compromised?
3.15 How should I store my private key?
3.16 How do I find someone else's public key?
3.17 How can signatures remain valid beyond the expiration dates of
their keys, or, How do you verify a 20-year-old signature?
3.18 What is a digital time-stamping service?
4 Factoring and Discrete Log
4.1 What is a one-way function?
4.2 What is the significance of one-way functions for cryptography?
4.3 What is the factoring problem?
4.4 What is the significance of factoring in cryptography?
4.5 Has factoring been getting easier?
4.6 What are the best factoring methods in use today?
4.7 What are the prospects for theoretical factoring breakthroughs?
4.8 What is the RSA Factoring Challenge?
4.9 What is the discrete log problem?
4.10 Which is easier, factoring or discrete log?
5 DES
5.1 What is DES?
5.2 Has DES been broken?
5.3 How does one use DES securely?
5.4 Can DES be exported from the U.S.?
5.5 What are the alternatives to DES?
5.6 Is DES a group?
6 Capstone, Clipper, and DSS
6.1 What is Capstone?
6.2 What is Clipper?
6.3 How does the Clipper chip work?
6.4 Who are the escrow agencies?
6.5 What is Skipjack?
6.6 Why is Clipper controversial?
6.7 What is the current status of Clipper?
6.8 What is DSS?
6.9 Is DSS secure?
6.10 Is use of DSS covered by any patents?
6.11 What is the current status of DSS?
7 NIST and NSA
7.1 What is NIST?
7.2 What role does NIST play in cryptography?
7.3 What is the NSA?
7.4 What role does the NSA play in commercial cryptography?
8 Miscellaneous
8.1 What is the legal status of documents signed with digital
signatures?
8.2 What is a hash function? What is a message digest?
8.3 What are MD2, MD4 and MD5?
8.4 What is SHS?
8.5 What is Kerberos?
8.6 What are RC2 and RC4?
8.7 What is PEM?
8.8 What is RIPEM?
8.9 What is PKCS?
8.10 What is RSAREF?
--------------------------------------------------------------------
1 General
1.1 What is encryption?
Encryption is the transformation of data into a form unreadable by anyone
without a secret decryption key. Its purpose is to ensure privacy by
keeping the information hidden from anyone for whom it is not intended,
even those who can see the encrypted data. For example, one may wish to
encrypt files on a hard disk to prevent an intruder from reading them.
In a multi-user setting, encryption allows secure communication over an
insecure channel. The general scenario is as follows: Alice wishes to
send a message to Bob so that no one else besides Bob can read it. Alice
encrypts the message, which is called the plaintext, with an encryption
key; the encrypted message, called the ciphertext, is sent to Bob. Bob
decrypts the ciphertext with the decryption key and reads the message. An
attacker, Charlie, may either try to obtain the secret key or to recover
the plaintext without using the secret key. In a secure cryptosystem, the
plaintext cannot be recovered from the ciphertext except by using the
decryption key. In a symmetric cryptosystem, a single key serves as both
the encryption and decryption keys.
Cryptography has been around for millennia; see Kahn [37] for a
good history of cryptography; see Rivest [69] and Brassard
[10] for an introduction to modern cryptography.
1.2 What is authentication? What is a digital signature?
Authentication in a digital setting is a process whereby the receiver of a
digital message can be confident of the identity of the sender and/or the
integrity of the message. Authentication protocols can be based on either
conventional secret-key cryptosystems like DES or on public-key systems
like RSA; authentication in public-key systems uses digital signatures.
In this document, authentication will generally refer to the use of digital
signatures, which play a function for digital documents similar to that
played by handwritten signatures for printed documents: the signature is an
unforgeable piece of data asserting that a named person wrote or otherwise
agreed to the document to which the signature is attached. The recipient, as
well as a third party, can verify both that the document did indeed originate
from the person whose signature is attached and that the document has not
been altered since it was signed. A secure digital signature system thus
consists of two parts: a method of signing a document such that forgery is
infeasible, and a method of verifying that a signature was actually generated
by whomever it represents. Furthermore, secure digital signatures cannot be
repudiated; i.e., the signer of a document cannot later disown it by claiming
it was forged.
Unlike encryption, digital signatures are a recent development, the
need for which has arisen with the proliferation of digital communications.
1.3 What is public-key cryptography?
Traditional cryptography is based on the sender and receiver of a message
knowing and using the same secret key: the sender uses the secret key to
encrypt the message, and the receiver uses the same secret key to decrypt
the message. This method is known as secret-key cryptography. The main
problem is getting the sender and receiver to agree on the secret key
without anyone else finding out. If they are in separate physical locations,
they must trust a courier, or a phone system, or some other transmission
system to not disclose the secret key being communicated. Anyone who
overhears or intercepts the key in transit can later read all messages
encrypted using that key. The generation, transmission and storage of keys
is called key management; all cryptosystems must deal with key management
issues. Secret-key cryptography often has difficulty providing secure key
management.
Public-key cryptography was invented in 1976 by Whitfield Diffie and
Martin Hellman [29] in order to solve the key management problem. In the
new system, each person gets a pair of keys, called the public key and
the private key. Each person's public key is published while the private
key is kept secret. The need for sender and receiver to share secret
information is eliminated: all communications involve only public keys,
and no private key is ever transmitted or shared. No longer is it necessary
to trust some communications channel to be secure against eavesdropping
or betrayal. Anyone can send a confidential message just using public
information, but it can only be decrypted with a private key that is in
the sole possession of the intended recipient. Furthermore, public-key
cryptography can be used for authentication (digital signatures) as well as
for privacy (encryption).
Here's how it works for encryption: when Alice wishes to send a message to
Bob, she looks up Bob's public key in a directory, uses it to encrypt the
message and sends it off. Bob then uses his private key to decrypt the
message and read it. No one listening in can decrypt the message. Anyone
can send an encrypted message to Bob but only Bob can read it. Clearly, one
requirement is that no one can figure out the private key from the
corresponding public key.
Here's how it works for authentication: Alice, to sign a message, does
a computation involving both her private key and the message itself; the
output is called the digital signature and is attached to the message,
which is then sent. Bob, to verify the signature, does some computation
involving the message, the purported signature, and Alice's public key. If
the results properly hold in a simple mathematical relation, the signature
is verified as genuine; otherwise, the signature may be fraudulent or the
message altered, and they are discarded.
A good history of public-key cryptography, by one of its inventors, is
given by Diffie [27].
1.4 What are the advantages and disadvantages of public-key cryptography
over secret-key cryptography?}
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -