九、信息安全专业英语

（1）Public—key cryptography

    Symmetric—key cryptosystems use the same key for encryption and decryption of a message，though a message or group of messages may have a different key than others、A significant disadvantage of symmetric ciphers is the key management necessary to use them securely、Each distinct pair of communicating parties must，ideally，share a different key，and perhaps each ciphertext exchanged as well、The number of keys required increases as the square of the number of network members，which very quickly requires complex key management schemes to keep them all straight and secret、The difficulty of securely establishing a secret key between two communicating parties，when a secure channel doesn’t already exist between them，also presents a chicken—and—egg problem which is a considerable pratical obstacle for cryptography users in the real world、

Public—key algorithms are most often based on the computational complexity of “hard”problems，often from number theory、For example，the hardness of RSA is related to the integer factorization problem，while Difie—Hellman and DSA are related to the discrete logarithm problem、More recently,elliptic curve cryptography has develophy in which security is based on number theoretic prolems involving elliptic curves、Because of the difficulty of the underlying problems,most public-key algorithms involve operations such as modular multiplication and exponentiation,which are much more computationally expensive than the techniques used in most block ciphers,especially with typical key sizes、 As a result, public-key cryptosystems are commonly hybrid cryptosystems,in which a fast high-quality symmetric-key encryption algorthm is used for the message itself,while the relevant symmetric key is sent with the message,but encrypted using a public-key algorithm、Similarly,hybrid signature schemes are often used,in which a cryptographic hash function is computed,and only the resulting hash is digitally signed、

（2）Cryptanalysis

There are a wide variety of creptanalytic attacks,and they can be classified in any of several ways、A commom distinction turns on what an attacker knows and what capbilities are available、In a ciphertext-only attach,the cryptanalyst has access only to the ciphertext(good modern cryptosystems are usually effectively immune to ciphertext-only attacks)、In a known-plaintext attack,the cryptanalyst has access to a ciphertext and its corresponding plaintext(or to many such pairs)、In a chosen-plaintext attack, the cryptanalyst may choose a plaintext and learn its corresponding ciphertext(perhaps many times);an example is gardening used by the British during WWII、Finally,in a chosen-ciphertext attack,the cryptanalyst may be able to choose ciphertexts and learn their corresponding plaintexts、Also important,often overwhelmingly so,are mistakes(generally in the design or use of one of the protocols involved;see Cryptanalysis of the Enigma for some historical examples of this)、

Cryptanalysis of symmetric-key ciphers typically involves looking for attacks against the block ciphers or stream ciphers that are more efficient than any attack that could be against a perfect cipher、For example,a simple brute force attack against DES requires one know plaintext and 225 decryptions,trying approximately half of the possible keys,to reach a point at which chances are better than even the key sought will have been found、But this may not be enough assurance;a linear cryptanalysis attack against DES requires 243 known plaintexts and approximately 243 DES operations、This is a considerable improvement on brute force attacks、

Public-key algorithms are based on the computational difficulty of various problems、The most famous of these is factorization(e、g、,the RSA algorithm is based on a problem related to integer factoring),but the disrete logarithm problem is also important、Much public-key cryptanalysis concerns numerical algorithms for solving these computational problems,or some of them,efficiently(ie,in a practical time)、For instance,the best known algorithms for soliving the elliptic curve-based version of discrete logarithm are much more time-consuming than the best known algorithms for factoring,an least for prolems of more or less equivalent size、Thus,other things being equal,to achieve an equivalent strength of attack resistance,factoring-based encryption techniques must be larger keys than elliptic curve techniques、For this reason,public-key cryptosystems based on elliptic curves have become popular since their onvention in the mid-1990s、

（3）Network Security

Attributes of a secure network

Network security starts from authenticating any user,most likely a username and a password、Once authenticated,a atateful firewall enfouces access policies such as what sercices are allowed too be accessed be the network users、Though effective to prevent unauthorized access,this component fails to check potentially harmful contents such as computer worms being transmitted over the network、An intrusion prevention system(IPS)helps detect and prevent such malware、IPS also monitors for suspicious network traffic for contents,volume and anomalies to protect the network from attacks such as denial of servive、Communication between two hosts using the network could be encrypted to maintain privacy、Individual events occurring on the network could be tracked for audit purposes and for a later high level analysis、

（4）Application Security

Security testing for applications

Security testing techniques scour for vulnerabilities or security holes in applications、These vulnerabities leave applications open to exploritation、Ideally,security testing is implemented throughout the entire software development life cycle(SDLC)so that vulnerabilities may be addressed in a timely and thorough manner、Unfortunately,testing is often conducted as an afterthought at the end of the development cycle、

Vulnerability scanners,and more specifically web application scanners,otherwise known as penetration testing tools(i、e、 ethical hacking tools)have been historically used by security organizations within corparations and security consultants to automate the security testing of http request/responses;however,this is not a substitute for the need for actual source code review、Physical code reviews of an application’s source code can be accomplished manually or in an automated fashion、Given the common size of individual programs(often 500K Lines of Code or more),the human brain can not execute a comprehensive data flow analysis needed in order to completely check all circuitous paths of an application program to find vulnerability points、The human brain is suited more for filtering,interrupting and reporting the outputs of automated source code analysis tools available commercially versus trying to trace every possible path through a compiled code base to the root cause level vulnerabilities、

The two types of automated tools associated with application vulnerability detection(application vulnerability scanners)are Penetration Testing Tools(otherwise known as Black Box Testing Tools)and Source Code Analysis Tools(otherwise known an White Box Testing Tools)、Tools in the Black Box Testing arena include Devfense,Watchfire,HP(through the acquisition of SPI Dynamics),Cenzic,Nikto(open source),Grendel-Scan(open source),N-Stalker and Sandcat(freeware)、Tools in the White Box Testing arena include Armorize Technologies,Fortify Software and Ounce Labs、

Banking and large E-Commerce corporations have been the very early adopter customer profile for these types of tools、It is commonly held within these firms that both Black Box testing and White Box testing tools are needed in the pursuit of application security、Typically sited,Black Box testing(meaning Penetration Testing tools)are ethical hacking tools used to attack the application surface to expose vulnerabilities suspended within the source code hierarchy、Penetration testing tools are executed on the already deployed application、White Box testing(meaning Source Code Analysis tools)are used by either the application security groups or application development groups、 Typically introduced into a company through the application security organization,the White Box tools complement the Black Box testing tools in that they give specific visibility into the specific root vulnerabilities within the source code in advance of the source code being deployed、Vulnerabilities identified with White Box testing and Black Box testing are typically in accordance with the OWASP taxonomy for software coding errors、White Box testing vendors have recently introduced dynamic versions of their source code analysis methods;which operates on deployed applicantions、Given that the White Box testing tools have dynamic versions similar to the Black Box testing tools,both tools can be correlated in the same software error detection paradigm ensuring full application protection to the client company、