→ stillflying: I'm starving after finishing... = = 220.135.222.145 01/06
link encryption:
each link is encrypted separately, so every node along the path decrypts and re-encrypts
each pair of adjacent nodes shares its own unique key
advantage: protects the traffic pattern (headers are encrypted on the wire as well)
disadvantage: every node must decrypt once to read the address
and every node sees the plaintext while it does so
end to end encryption
encryption and decryption happen only at the sender and the receiver
advantage: protects the content of the message
also provides authentication
only the sender and receiver hold the relevant key
disadvantage: the traffic pattern is visible (headers must stay in the clear for routing)
link and end to end encryption can be combined so that they complement each other
traffic analysis attack (what an observer can learn without reading content):
identities of the partners
how frequently they communicate
message pattern, length, quantity...
events that correlate with special conversations between particular partners
key distribution (ways to get a key to a and b)
1. a selects the key and physically delivers it to b
2. a third party c selects the key and physically delivers it to a and b
3. a sends b the new key encrypted under the old key they already share
4. a gets the key to b through c, where a and b each already have an encrypted connection to c
end to end encryption can be applied at the IP level or at the application level
advantages of the session key / master key scheme
1. reduces the key distribution problem (only the master keys have to be distributed)
2. the number of master keys is small (one per node)
KDC (Key Distribution Center): shares a separate master key with every node
1. node a sends a request to the KDC (containing a nonce)
2. the KDC replies, encrypted under the master key shared by a and the KDC, with
{the session key (used when a and b talk), the request, the nonce (proves this answers the message a just sent),
and the session key plus a's ID encrypted under the master key shared by b and the KDC} (four items)
3. a forwards the part encrypted under b's master key to b
4. b sends a nonce to a encrypted under the session key, to confirm that a holds the session key
5. a returns the (transformed) nonce to b; now both sides are confirmed to hold the same session key
the nonce is what lets each message be checked for a replay attack
(an earlier message is saved by a router and later resent to another node; the signature is identical, so it cannot be told apart
unless something like a timestamp is added to distinguish it)
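The five-step KDC exchange and the nonce check in the notes above, as an added example that is not part of the original post. The toy cipher (SHA-256 keystream with an HMAC tag), the length-prefixed packing, the choice f(N2) = SHA-256(N2) and the node names "A" and "B" are assumptions of this example, not something the notes specify.

```python
"""KDC session-key exchange from the notes above (steps 1-5), an added runnable
example rather than code from the post.  Assumptions not in the notes: a
stdlib-only encrypt-then-MAC toy cipher stands in for the symmetric cipher,
f(N2) is SHA-256 of N2, and the party names "A"/"B" are made up."""
import hashlib
import hmac
import secrets


def _keystream(key, iv, length):
    out = b"".join(hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest()
                   for i in range(length // 32 + 1))
    return out[:length]


def encrypt(key, plaintext):
    """Toy cipher (assumption): SHA-256 keystream XOR, then HMAC tag over iv||ct."""
    iv = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, iv, len(plaintext))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, iv + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag: wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, iv, len(ct))))


def pack(*fields):
    """Length-prefix fields so random keys and IDs concatenate unambiguously."""
    return b"".join(len(x).to_bytes(2, "big") + x for x in fields)


def unpack(blob):
    fields, i = [], 0
    while i < len(blob):
        n = int.from_bytes(blob[i:i + 2], "big")
        fields.append(blob[i + 2:i + 2 + n])
        i += 2 + n
    return fields


def f(nonce):
    """Transform of B's nonce in step 5 (assumption: SHA-256)."""
    return hashlib.sha256(nonce).digest()


class KDC:
    def __init__(self, master_keys):
        self.master_keys = master_keys  # one master key per node, as in the notes

    def handle_request(self, request):
        id_a, id_b, n1 = unpack(request)                 # step 1: ID_A || ID_B || N1
        ks = secrets.token_bytes(32)                     # fresh session key for A<->B
        ticket = encrypt(self.master_keys[id_b], pack(ks, id_a))   # E(Kb, [Ks || ID_A])
        # step 2, the "four items": session key, request, nonce, ticket, all under Ka
        return encrypt(self.master_keys[id_a], pack(ks, id_a, id_b, n1, ticket))


class Node:
    def __init__(self, ident, master_key):
        self.ident, self.master_key = ident, master_key
        self.session_key = self.peer = self.n1 = self.n2 = None

    def make_request(self, peer):                        # A, step 1
        self.peer, self.n1 = peer, secrets.token_bytes(16)
        return pack(self.ident, peer, self.n1)

    def accept_kdc_reply(self, reply):                   # A, receives step 2
        ks, id_a, id_b, n1, ticket = unpack(decrypt(self.master_key, reply))
        # N1 ties the reply to the request A just sent; a recorded old reply fails here
        if (id_a, id_b, n1) != (self.ident, self.peer, self.n1):
            raise ValueError("reply does not match the outstanding request (replay?)")
        self.session_key = ks
        return ticket                                    # step 3: forwarded to B unchanged

    def accept_ticket(self, ticket):                     # B, receives step 3
        self.session_key, self.peer = unpack(decrypt(self.master_key, ticket))
        self.n2 = secrets.token_bytes(16)
        return encrypt(self.session_key, self.n2)        # step 4: E(Ks, N2)

    def answer_challenge(self, msg):                     # A, step 5: E(Ks, f(N2))
        return encrypt(self.session_key, f(decrypt(self.session_key, msg)))

    def verify_answer(self, msg):                        # B checks step 5
        return hmac.compare_digest(decrypt(self.session_key, msg), f(self.n2))


def run_exchange(kdc, a, b):
    """Steps 1-5 end to end; True once B verified f(N2) and both hold the same Ks."""
    ticket = a.accept_kdc_reply(kdc.handle_request(a.make_request(b.ident)))
    ok = b.verify_answer(a.answer_challenge(b.accept_ticket(ticket)))
    return ok and a.session_key == b.session_key


def replayed_reply_is_rejected(kdc, a, b):
    """An attacker records the KDC's step-2 reply and replays it into A's next run."""
    recorded = kdc.handle_request(a.make_request(b.ident))
    a.accept_kdc_reply(recorded)                         # genuine run: accepted
    a.make_request(b.ident)                              # new run with a fresh N1
    try:
        a.accept_kdc_reply(recorded)                     # stale N1 inside: rejected
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    keys = {b"A": secrets.token_bytes(32), b"B": secrets.token_bytes(32)}
    kdc, a, b = KDC(keys), Node(b"A", keys[b"A"]), Node(b"B", keys[b"B"])
    print("exchange ok:", run_exchange(kdc, a, b))
    print("replayed KDC reply rejected:", replayed_reply_is_rejected(kdc, a, b))
```

run_exchange walks steps 1 to 5 and returns True once B has verified f(N2) and both sides hold the same session key. replayed_reply_is_rejected records the KDC's step-2 reply and feeds it back into A's next run; A rejects it because the nonce inside no longer matches its outstanding request, which is exactly the replay detection the nonce buys. B has no nonce of its own inside the ticket it receives in step 3, so that is where the timestamp remark in the notes applies.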
--
※ Origin site: 批踢踢實業坊(ptt.cc)
◆ From: 220.135.222.145