登录   |   注册
    准考证打印   论文投票   报考指南   论文辅导   软考培训   郑重申明  
您现在的位置:  首页 > 软考学苑 > 信息安全工程师 > 信安上午综合知识 > 信息安全基础 >> 正文
正文
九、信息安全专业英语
来源: 作者: 时间;2017-11-21 15:43:53 点击数: 尚大软考交流群:376154208
九、信息安全专业英语(1)Public—key cryptography Symmetric—key cryptosystems use the same key for encryption and decryption of a message,though a message or group of messages may have a different key than others、A significant disadvantage of symmetric

 

九、信息安全专业英语

1Publickey cryptography

    Symmetric—key cryptosystems use the same key for encryption and decryption of a messagethough a message or group of messages may have a different key than othersA significant disadvantage of symmetric ciphers is the key management necessary to use them securelyEach distinct pair of communicating parties mustideallyshare a different keyand perhaps each ciphertext exchanged as wellThe number of keys required increases as the square of the number of network memberswhich very quickly requires complex key management schemes to keep them all straight and secretThe difficulty of securely establishing a secret key between two communicating partieswhen a secure channel doesn’t already exist between themalso presents a chicken—and—egg problem which is a considerable pratical obstacle for cryptography users in the real world

Public—key algorithms are most often based on the computational complexity of “hard”problemsoften from number theoryFor examplethe hardness of RSA is related to the integer factorization problemwhile Difie—Hellman and DSA are related to the discrete logarithm problemMore recently,elliptic curve cryptography has develophy in which security is based on number theoretic prolems involving elliptic curvesBecause of the difficulty of the underlying problems,most public-key algorithms involve operations such as modular multiplication and exponentiation,which are much more computationally expensive than the techniques used in most block ciphers,especially with typical key sizes As a result, public-key cryptosystems are commonly hybrid cryptosystems,in which a fast high-quality symmetric-key encryption algorthm is used for the message itself,while the relevant symmetric key is sent with the message,but encrypted using a public-key algorithmSimilarly,hybrid signature schemes are often used,in which a cryptographic hash function is computed,and only the resulting hash is digitally signed

2Cryptanalysis

There are a wide variety of creptanalytic attacks,and they can be classified in any of several waysA commom distinction turns on what an attacker knows and what capbilities are availableIn a ciphertext-only attach,the cryptanalyst has access only to the ciphertext(good modern cryptosystems are usually effectively immune to ciphertext-only attacks)In a known-plaintext attack,the cryptanalyst has access to a ciphertext and its corresponding plaintext(or to many such pairs)In a chosen-plaintext attack, the cryptanalyst may choose a plaintext and learn its corresponding ciphertext(perhaps many times);an example is gardening used by the British during WWIIFinally,in a chosen-ciphertext attack,the cryptanalyst may be able to choose ciphertexts and learn their corresponding plaintextsAlso important,often overwhelmingly so,are mistakes(generally in the design or use of one of the protocols involved;see Cryptanalysis of the Enigma for some historical examples of this)

Cryptanalysis of symmetric-key ciphers typically involves looking for attacks against the block ciphers or stream ciphers that are more efficient than any attack that could be against a perfect cipherFor example,a simple brute force attack against DES requires one know plaintext and 225 decryptions,trying approximately half of the possible keys,to reach a point at which chances are better than even the key sought will have been foundBut this may not be enough assurance;a linear cryptanalysis attack against DES requires 243 known plaintexts and approximately 243 DES operationsThis is a considerable improvement on brute force attacks

Public-key algorithms are based on the computational difficulty of various problemsThe most famous of these is factorization(eg,the RSA algorithm is based on a problem related to integer factoring),but the disrete logarithm problem is also importantMuch public-key cryptanalysis concerns numerical algorithms for solving these computational problems,or some of them,efficiently(ie,in a practical time)For instance,the best known algorithms for soliving the elliptic curve-based version of discrete logarithm are much more time-consuming than the best known algorithms for factoring,an least for prolems of more or less equivalent sizeThus,other things being equal,to achieve an equivalent strength of attack resistance,factoring-based encryption techniques must be larger keys than elliptic curve techniquesFor this reason,public-key cryptosystems based on elliptic curves have become popular since their onvention in the mid-1990s

3Network Security

Attributes of a secure network

Network security starts from authenticating any user,most likely a username and a passwordOnce authenticated,a atateful firewall enfouces access policies such as what sercices are allowed too be accessed be the network usersThough effective to prevent unauthorized access,this component fails to check potentially harmful contents such as computer worms being transmitted over the networkAn intrusion prevention system(IPS)helps detect and prevent such malwareIPS also monitors for suspicious network traffic for contents,volume and anomalies to protect the network from attacks such as denial of serviveCommunication between two hosts using the network could be encrypted to maintain privacyIndividual events occurring on the network could be tracked for audit purposes and for a later high level analysis

4Application Security

Security testing for applications

Security testing techniques scour for vulnerabilities or security holes in applicationsThese vulnerabities leave applications open to exploritationIdeally,security testing is implemented throughout the entire software development life cycle(SDLC)so that vulnerabilities may be addressed in a timely and thorough mannerUnfortunately,testing is often conducted as an afterthought at the end of the development cycle

Vulnerability scanners,and more specifically web application scanners,otherwise known as penetration testing tools(ie ethical hacking tools)have been historically used by security organizations within corparations and security consultants to automate the security testing of http request/responses;however,this is not a substitute for the need for actual source code reviewPhysical code reviews of an applications source code can be accomplished manually or in an automated fashionGiven the common size of individual programs(often 500K Lines of Code or more),the human brain can not execute a comprehensive data flow analysis needed in order to completely check all circuitous paths of an application program to find vulnerability pointsThe human brain is suited more for filtering,interrupting and reporting the outputs of automated source code analysis tools available commercially versus trying to trace every possible path through a compiled code base to the root cause level vulnerabilities

The two types of automated tools associated with application vulnerability detection(application vulnerability scanners)are Penetration Testing Tools(otherwise known as Black Box Testing Tools)and Source Code Analysis Tools(otherwise known an White Box Testing Tools)Tools in the Black Box Testing arena include Devfense,Watchfire,HP(through the acquisition of SPI Dynamics),Cenzic,Nikto(open source),Grendel-Scan(open source),N-Stalker and Sandcat(freeware)Tools in the White Box Testing arena include Armorize Technologies,Fortify Software and Ounce Labs

Banking and large E-Commerce corporations have been the very early adopter customer profile for these types of toolsIt is commonly held within these firms that both Black Box testing and White Box testing tools are needed in the pursuit of application securityTypically sited,Black Box testing(meaning Penetration Testing tools)are ethical hacking tools used to attack the application surface to expose vulnerabilities suspended within the source code hierarchyPenetration testing tools are executed on the already deployed applicationWhite Box testing(meaning Source Code Analysis tools)are used by either the application security groups or application development groups Typically introduced into a company through the application security organization,the White Box tools complement the Black Box testing tools in that they give specific visibility into the specific root vulnerabilities within the source code in advance of the source code being deployedVulnerabilities identified with White Box testing and Black Box testing are typically in accordance with the OWASP taxonomy for software coding errorsWhite Box testing vendors have recently introduced dynamic versions of their source code analysis methods;which operates on deployed applicantionsGiven that the White Box testing tools have dynamic versions similar to the Black Box testing tools,both tools can be correlated in the same software error detection paradigm ensuring full application protection to the client company

 
   各省软考办 
 
来顶一下
返回首页
返回首页
上一篇:八、信息安全标准化知识
下一篇:中华人民共和国网络安全法
 相关文章
 
 
跟贴共
笔 名 :   验证码:
网友评论仅供其表达个人看法,并不表明尚大教育同意其观点或证实其描述
距离2020年5月23日软考考试还有
尚大软考交流群:376154208
软考各地考务机构
历年真题汇总




各省市软考报名简章