国产一级a片免费看高清,亚洲熟女中文字幕在线视频,黄三级高清在线播放,免费黄色视频在线看

      加密和解密使用同一個密鑰的算法，稱為對稱加密算法；加密和解密使用的是不同的密鑰，稱為非對稱加密算法，公鑰系統(tǒng)即屬于非對稱加密算法。對于對稱加密而言，需要著重保護(hù)的是對稱密鑰，對于公鑰算法而言，需要著重保護(hù)的是私鑰。

       公鑰加密算法，以及衍生出的數(shù)字簽名、數(shù)字證書技術(shù)，不僅廣泛應(yīng)用于Internet通訊中，例如HTTPS協(xié)議中的SSL/TLS，在單機(jī)系統(tǒng)中也越來越受到重視，例如Windows XP的設(shè)備驅(qū)動程序、.NET的GAC assembly都要求數(shù)字簽名。微軟從Windows98/NT4起即提供了Cryptograph API，支持DES，RC2，RC4，IDEA等對稱加密算法和RSA公鑰系統(tǒng)等非對稱密算法，以及MD5，SHA，MAC等摘要（Digest，也稱為Hash，散列）算法。

       本文譯自：

    http://developer.netscape.com/tech/security/ssl/howitworks.html

       這是一篇生動淺顯的文章，對了解公鑰系統(tǒng)的工作原理很有幫助，CSDN上已有一篇譯文：
  
    http://www.csdn.net/Develop/article/27/27524.shtm

       但本人認(rèn)為上文的關(guān)鍵地方不夠準(zhǔn)確，欠通順。本譯文在上篇譯文的基礎(chǔ)上，關(guān)鍵的術(shù)語采用了通用譯法，少數(shù)地方采用了意譯，而且附有英文原文，有翻譯不當(dāng)?shù)牡胤酱蠹铱梢詫φ赵摹?/p>

       希望能對公鑰系統(tǒng)有興趣的朋友們有所幫助。

       BTW：上面提到的所有對稱加密和非對稱加密，它們的加解密算法都是公開的，只要不知道密鑰，算法的設(shè)計者有信心使加密結(jié)果不會被輕易破解，這點與WAPI截然不同：） 。

       以下是中英文對照的譯文：

       Public key encryption is a technique that uses a pair of asymmetric keys for encryption and decryption. Each pair of keys consists of a public key and a private key. The public key is made public by distributing it widely. The private key is never distributed; it is always kept secret.

       公鑰加密是使用一對非對稱的密鑰加密或解密的技術(shù)。每一對密鑰由公鑰和私鑰組成。公鑰被廣泛發(fā)布。私鑰是隱密的，不公開。

       Data that is encrypted with the public key can be decrypted only with the private key. Conversely, data encrypted with the private key can be decrypted only with the public key. This asymmetry is the property that makes public key cryptography so useful.

       用公鑰加密的數(shù)據(jù)只能夠被私鑰解密。反過來，使用私鑰加密的數(shù)據(jù)只能用公鑰解密。這個非對稱的特性使得公鑰加密很有用。

       USING PUBLIC KEY CRYPTOGRAPHY FOR AUTHENTICATION

       使用公鑰加密法認(rèn)證

       Authentication is the process of verifying identity so that one entity can be sure that another entity is who it claims to be. In the following example involving Alice and Bob, public key cryptography is easily used to verify identity. The notation {something}key means that something has been encrypted or decrypted using key.

       驗證是一個核實身份的過程，以便一方能確認(rèn)另一方的確是其所聲稱的那個身份。在下列例子中包括甲和乙，公鑰加密會輕松地校驗身份。符號{數(shù)據(jù)} key意味著"數(shù)據(jù)"已經(jīng)使用key加密或解密。

       Suppose Alice wants to authenticate Bob. Bob has a pair of keys, one public and one private. Bob discloses to Alice his public key (the way he does this is discussed later). Alice then generates a random message and sends it to Bob:

       A->B      random-message

       Bob uses his private key to encrypt the message and returns the encrypted version to Alice:

       B->A      {random-message}bobs-private-key

       Alice receives this message and decrypts it by using Bob's previously published public key. She compares the decrypted message with the one she originally sent to Bob; if they match, she knows she's talking to Bob. An imposter presumably wouldn't know Bob's private key and would therefore be unable to properly encrypt the random message for Alice to check.

       假如甲想校驗乙的身份。乙有一對密鑰，一個是公開的，另一個是私有的。乙透露給甲他的公鑰。甲產(chǎn)生一個隨機(jī)信息發(fā)送給乙。

       甲——〉乙：random message

       乙使用他的私鑰加密信息，把加密后的信息返回甲。

       乙——〉甲：{random-message}乙的私鑰
  
       甲收到這個信息然后使用乙的前面公開的公鑰解密。他比較解密后的信息與他原先發(fā)給乙的信息。如果它們完全一致，就會知道在與乙說話。任意一個中間人不會知道乙的私鑰，也不能正確加密甲檢查的隨機(jī)信息。

       BUT WAIT, THERE'S MORE

       等一下，事情還沒有完

       Unless you know exactly what you are encrypting, it is never a good idea to encrypt something with your private key and then send it to somebody else. This is because the encrypted value can be used against you (remember, only you could have done the encryption because only you have the private key).

       用私鑰加密某些信息，然后發(fā)送給其他人不是一個好主意，除非你清楚知道這個信息的含義。因為加密后的信息可能被用來對付你（記住，別人知道該信息是你加密的，因為只有你有加密用的私鑰）。

       So, instead of encrypting the original message sent by Alice, Bob constructs a message digest and encrypts that. A message digest is derived from the random message in a way that has the following useful properties:

       The digest is difficult to reverse. Someone trying to impersonate Bob couldn't get the original message back from the digest.

       An impersonator would have a hard time finding a different message that computed to the same digest value.

       所以，取代直接加密甲發(fā)來的原始信息，乙創(chuàng)建一個信息摘要并且加密該摘要。信息摘要由任意信息運(yùn)算而來，并具有以下有用的特性：

       1. 從這個摘要值難以還原出原始信息。任何人即使偽裝成乙，也不能從摘要值得到原始信息；

       2. 不同的信息很難計算出相同的摘要值；

       By using a digest, Bob can protect himself. He computes the digest of the random message sent by Alice and then encrypts the result. He sends the encrypted digest back to Alice. Alice can compute the same digest and authenticate Bob by decrypting Bob's message and comparing values.

       使用摘要，乙能夠保護(hù)自己。他計算甲發(fā)出的任意信息的摘要，加密摘要值，然后發(fā)送加密的摘要值給甲。甲能夠計算出相同的摘要值并且解密乙的信息，最終認(rèn)證乙。

       （譯者注：摘要（Digest）算法又稱為散列(Hash)算法）

       GETTING CLOSER

       進(jìn)一步的討論

       The technique just described is known as a digital signature. Bob has signed a message generated by Alice, and in doing so he has taken a step that is just about as dangerous as encrypting a random value originated by Alice. Consequently, our authentication protocol needs one more twist: some (or all) of the data needs to be originated by Bob.

       A->B     hello, are you bob?

       B->A       Alice, This Is bob { digest[Alice, This Is Bob] } bobs-private-key

       When he uses this protocol, Bob knows what message he is sending to Alice, and he doesn't mind signing it. He sends the unencrypted version of the message first, "Alice, This Is Bob." Then he sends the digested-encrypted version second. Alice can easily verify that Bob is Bob, and Bob hasn't signed anything he doesn't want to.

       剛剛討論的技術(shù)稱為數(shù)字簽名。乙直接在甲產(chǎn)生的信息上簽名，這樣做和加密甲產(chǎn)生的任意信息是同樣危險的。因此我們的驗證協(xié)議還需要加一些技巧：某些或全部信息需要由乙產(chǎn)生：

       甲——〉乙：你好，你是乙么?

       乙——〉甲：甲，我是乙 {摘要[甲，我是乙] } 乙的私鑰

       使用這個協(xié)議，乙知道他發(fā)送給甲的信息的內(nèi)容，他不介意在上面簽名。他先發(fā)送不加密的信息，"甲，我是乙"，然后發(fā)送該信息的加密后的摘要。甲可以非常方便地核實乙就是乙，同時，乙還沒有在他不想簽名的信息上簽名。

       HANDING OUT PUBLIC KEYS

       分發(fā)公鑰

       How does Bob hand out his public key in a trustworthy way? Let's say the authentication protocol looks like this:

       A->B      hello

       B->A     Hi, I'm Bob, bobs-public-key

       A->B prove it

       B->A Alice, This Is bob     { digest[Alice, This Is Bob] } bobs-private-key

       那么，乙怎樣以可信的方式提交他的公鑰呢？看看如下所示的驗證協(xié)議：

       甲——〉乙：你好

       乙——〉甲：嗨，我是乙，乙的公鑰

       甲——〉乙：請證明

       乙——〉甲：甲，我是乙 {摘要[甲，我是乙] } 乙的私鑰

       With this protocol, anybody can be Bob. All you need is a public and private key. You lie to Alice and say you are Bob, and then you provide your public key instead of Bob's. Then you prove it by encrypting something with the private key you have, and Alice can't tell you're not Bob.

       使用這個協(xié)議，任何人都能夠成為"乙"。只要你有一對公鑰和私鑰。你欺騙甲說你就是乙，只要提供你的公鑰，而不是乙的公鑰。然后，你發(fā)送用你的私鑰加密的信息，證明你的身份。甲并不能發(fā)覺你并不是乙。

       To solve this problem, the standards community has invented an object called a certificate. A certificate has the following content:

       The certificate issuer's name

       The entity for whom the certificate is being issued (aka the subject)