譯者按：
加密和解密使用同一個(gè)密鑰的算法，稱為對稱加密算法；加密和解密使用的是不同的密鑰，稱為非對稱加密算法，公鑰系統(tǒng)即屬于非對稱加密算法。對于對稱加密而言，需要著重保護(hù)的是對稱密鑰，對于公鑰算法而言，需要著重保護(hù)的是私鑰。
公鑰加密算法，以及衍生出的數(shù)字簽名、數(shù)字證書技術(shù)，不僅廣泛應(yīng)用于Internet通訊中，例如HTTPS協(xié)議中的SSL/TLS，在單機(jī)系統(tǒng)中也越來越受到重視，例如Windows XP的設(shè)備驅(qū)動程序、.NET的GAC assembly都要求數(shù)字簽名。微軟從Windows98/NT4起即提供了Cryptograph API，支持DES，RC2，RC4，IDEA等對稱加密算法和RSA公鑰系統(tǒng)等非對稱密算法，以及MD5，SHA，MAC等摘要（Digest，也稱為Hash，散列）算法。
本文譯自：
http://developer.netscape.com/tech/security/ssl/howitworks.html

這是一篇生動淺顯的文章，對了解公鑰系統(tǒng)的工作原理很有幫助，CSDN上已有一篇譯文：

http://www.csdn.net/Develop/article/27/27524.shtm
但本人認(rèn)為上文的關(guān)鍵地方不夠準(zhǔn)確，欠通順。本譯文在上篇譯文的基礎(chǔ)上，關(guān)鍵的術(shù)語采用了通用譯法，少數(shù)地方采用了意譯，而且附有英文原文，有翻譯不當(dāng)?shù)牡胤酱蠹铱梢詫φ赵摹?br />希望能對公鑰系統(tǒng)有興趣的朋友們有所幫助。

BTW：上面提到的所有對稱加密和非對稱加密，它們的加解密算法都是公開的，只要不知道密鑰，算法的設(shè)計(jì)者有信心使加密結(jié)果不會被輕易破解，這點(diǎn)與WAPI截然不同：） 。

以下是中英文對照的譯文：

Public key encryption is a technique that uses a pair of asymmetric keys for encryption and decryption. Each pair of keys consists of a public key and a private key. The public key is made public by distributing it widely. The private key is never distributed; it is always kept secret.
公鑰加密是使用一對非對稱的密鑰加密或解密的技術(shù)。每一對密鑰由公鑰和私鑰組成。公鑰被廣泛發(fā)布。私鑰是隱密的，不公開。

Data that is encrypted with the public key can be decrypted only with the private key. Conversely, data encrypted with the private key can be decrypted only with the public key. This asymmetry is the property that makes public key cryptography so useful.
用公鑰加密的數(shù)據(jù)只能夠被私鑰解密。反過來，使用私鑰加密的數(shù)據(jù)只能用公鑰解密。這個(gè)非對稱的特性使得公鑰加密很有用。

USING PUBLIC KEY CRYPTOGRAPHY FOR AUTHENTICATION
使用公鑰加密法認(rèn)證

Authentication is the process of verifying identity so that one entity can be sure that another entity is who it claims to be. In the following example involving Alice and Bob, public key cryptography is easily used to verify identity. The notation {something}key means that something has been encrypted or decrypted using key.
驗(yàn)證是一個(gè)核實(shí)身份的過程，以便一方能確認(rèn)另一方的確是其所聲稱的那個(gè)身份。在下列例子中包括甲和乙，公鑰加密會輕松地校驗(yàn)身份。符號{數(shù)據(jù)} key意味著"數(shù)據(jù)"已經(jīng)使用key加密或解密。

Suppose Alice wants to authenticate Bob. Bob has a pair of keys, one public and one private. Bob discloses to Alice his public key (the way he does this is discussed later). Alice then generates a random message and sends it to Bob:

? A->B?? random-message

Bob uses his private key to encrypt the message and returns the encrypted version to Alice:

B->A?? {random-message}bobs-private-key

Alice receives this message and decrypts it by using Bob's previously published public key. She compares the decrypted message with the one she originally sent to Bob; if they match, she knows she's talking to Bob. An imposter presumably wouldn't know Bob's private key and would therefore be unable to properly encrypt the random message for Alice to check.
假如甲想校驗(yàn)乙的身份。乙有一對密鑰，一個(gè)是公開的，另一個(gè)是私有的。乙透露給甲他的公鑰。甲產(chǎn)生一個(gè)隨機(jī)信息發(fā)送給乙。

甲——〉乙：random message

乙使用他的私鑰加密信息，把加密后的信息返回甲。

乙——〉甲：{random-message}乙的私鑰

甲收到這個(gè)信息然后使用乙的前面公開的公鑰解密。他比較解密后的信息與他原先發(fā)給乙的信息。如果它們完全一致，就會知道在與乙說話。任意一個(gè)中間人不會知道乙的私鑰，也不能正確加密甲檢查的隨機(jī)信息。

BUT WAIT, THERE'S MORE
等一下，事情還沒有完

Unless you know exactly what you are encrypting, it is never a good idea to encrypt something with your private key and then send it to somebody else. This is because the encrypted value can be used against you (remember, only you could have done the encryption because only you have the private key).
用私鑰加密某些信息，然后發(fā)送給其他人不是一個(gè)好主意，除非你清楚知道這個(gè)信息的含義。因?yàn)榧用芎蟮男畔⒖赡鼙挥脕韺Ω赌悖ㄓ涀。瑒e人知道該信息是你加密的，因?yàn)橹挥心阌屑用苡玫乃借€）。

So, instead of encrypting the original message sent by Alice, Bob constructs a message digest and encrypts that. A message digest is derived from the random message in a way that has the following useful properties:

The digest is difficult to reverse. Someone trying to impersonate Bob couldn't get the original message back from the digest.
An impersonator would have a hard time finding a different message that computed to the same digest value.

所以，取代直接加密甲發(fā)來的原始信息，乙創(chuàng)建一個(gè)信息摘要并且加密該摘要。信息摘要由任意信息運(yùn)算而來，并具有以下有用的特性：

1. 從這個(gè)摘要值難以還原出原始信息。任何人即使偽裝成乙，也不能從摘要值得到原始信息；

2. 不同的信息很難計(jì)算出相同的摘要值；

By using a digest, Bob can protect himself. He computes the digest of the random message sent by Alice and then encrypts the result. He sends the encrypted digest back to Alice. Alice can compute the same digest and authenticate Bob by decrypting Bob's message and comparing values.
使用摘要，乙能夠保護(hù)自己。他計(jì)算甲發(fā)出的任意信息的摘要，加密摘要值，然后發(fā)送加密的摘要值給甲。甲能夠計(jì)算出相同的摘要值并且解密乙的信息，最終認(rèn)證乙。
（譯者注：摘要（Digest）算法又稱為散列(Hash)算法）

GETTING CLOSER
進(jìn)一步的討論

The technique just described is known as a digital signature. Bob has signed a message generated by Alice, and in doing so he has taken a step that is just about as dangerous as encrypting a random value originated by Alice. Consequently, our authentication protocol needs one more twist: some (or all) of the data needs to be originated by Bob.

A->B ?hello, are you bob?
B->A??? Alice, This Is bob { digest[Alice, This Is Bob] } bobs-private-key

When he uses this protocol, Bob knows what message he is sending to Alice, and he doesn't mind signing it. He sends the unencrypted version of the message first, "Alice, This Is Bob." Then he sends the digested-encrypted version second. Alice can easily verify that Bob is Bob, and Bob hasn't signed anything he doesn't want to.

剛剛討論的技術(shù)稱為數(shù)字簽名。乙直接在甲產(chǎn)生的信息上簽名，這樣做和加密甲產(chǎn)生的任意信息是同樣危險(xiǎn)的。因此我們的驗(yàn)證協(xié)議還需要加一些技巧：某些或全部信息需要由乙產(chǎn)生：

甲——〉乙：你好，你是乙么?
乙——〉甲：甲，我是乙 {摘要[甲，我是乙] } 乙的私鑰

使用這個(gè)協(xié)議，乙知道他發(fā)送給甲的信息的內(nèi)容，他不介意在上面簽名。他先發(fā)送不加密的信息，"甲，我是乙"，然后發(fā)送該信息的加密后的摘要。甲可以非常方便地核實(shí)乙就是乙，同時(shí)，乙還沒有在他不想簽名的信息上簽名。

HANDING OUT PUBLIC KEYS
分發(fā)公鑰

How does Bob hand out his public key in a trustworthy way? Let's say the authentication protocol looks like this:

A->B? ?hello
B->A ?Hi, I'm Bob, bobs-public-key
A->B?prove it
B->A?Alice, This Is bob? { digest[Alice, This Is Bob] } bobs-private-key

那么，乙怎樣以可信的方式提交他的公鑰呢？看看如下所示的驗(yàn)證協(xié)議：

甲——〉乙：你好
乙——〉甲：嗨，我是乙，乙的公鑰
甲——〉乙：請證明
乙——〉甲：甲，我是乙 {摘要[甲，我是乙] } 乙的私鑰

With this protocol, anybody can be Bob. All you need is a public and private key. You lie to Alice and say you are Bob, and then you provide your public key instead of Bob's. Then you prove it by encrypting something with the private key you have, and Alice can't tell you're not Bob.
使用這個(gè)協(xié)議，任何人都能夠成為"乙"。只要你有一對公鑰和私鑰。你欺騙甲說你就是乙，只要提供你的公鑰，而不是乙的公鑰。然后，你發(fā)送用你的私鑰加密的信息，證明你的身份。甲并不能發(fā)覺你并不是乙。

To solve this problem, the standards community has invented an object called a certificate. A certificate has the following content:

The certificate issuer's name
The entity for whom the certificate is being issued (aka the subject)
The public key of the subject
Some time stamps

The certificate is signed using the certificate issuer's private key. Everybody knows the certificate issuer's public key (that is, the certificate issuer has a certificate, and so on...). Certificates are a standard way of binding a public key to a name.

為了解決這個(gè)問題，標(biāo)準(zhǔn)化組織發(fā)明了證書。一個(gè)證書有以下的內(nèi)容：

?????? 證書發(fā)行者的名稱
?????? 被發(fā)給證書的實(shí)體（也稱為主題）
?????? 主題的公鑰
?????? 一些時(shí)間戳

證書使用發(fā)行者的私鑰加密。每一個(gè)人都知道證書發(fā)行者的公鑰（就是說，每個(gè)證書的發(fā)行者也擁有一個(gè)證書，以此類推）。證書是一個(gè)把公鑰與一個(gè)名稱綁定的標(biāo)準(zhǔn)方式。

By using this certificate technology, everybody can examine Bob's certificate to see whether it's been forged. Assuming that Bob keeps tight control of his private key and that it really is Bob who gets the certificate, then all is well. Here is the amended protocol:

A->B? ?hello
B->A?Hi, I'm Bob, bobs-certificate
A->B?prove it
B->A?Alice, This Is bob { digest[Alice, This Is Bob] } bobs-private-key

Now when Alice receives Bob's first message, she can examine the certificate, check the signature (as above, using a digest and public key decryption), and then check the subject (that is, Bob's name) and see that it is indeed Bob. She can then trust that the public key is Bob's public key and request Bob to prove his identity. Bob goes through the same process as before, making a message digest of his design and then responding to Alice with a signed version of it. Alice can verify Bob's message digest by using the public key taken from the certificate and checking the result.

通過使用證書技術(shù)，每個(gè)人都可以檢查乙的證書，判斷其是否被偽造。假設(shè)乙控制好他的私鑰，并且他確實(shí)是得到證書的乙，就萬事大吉了。下面是修訂后的協(xié)議：

甲——〉乙：你好
乙——〉甲：嗨，我是乙，乙的證書
甲——〉乙：請證明
乙——〉甲：甲，我是乙 {摘要[甲， 我是乙] } 乙的私鑰

現(xiàn)在當(dāng)甲收到乙的第一個(gè)信息，他能檢查證書，核查證書上的簽名（如上所述，使用摘要和公鑰解密），檢查證書中的主題（這里是乙的姓名），確定是乙。他就能相信公鑰就是乙的公鑰，然后要求乙證明自己的身份。乙通過前面描述過的過程，制作一個(gè)信息摘要，用一個(gè)簽名版本答復(fù)甲。甲可以通過使用從證書上得到的公鑰檢驗(yàn)乙的信息摘要，并對比結(jié)果。

A bad guy - let's call him Mallet - can do the following:

A->M?hello
M->A?Hi, I'm Bob, bobs-certificate
A->M?prove it
M->A? ?????

But Mallet can't satisfy Alice in the final message. Mallet doesn't have Bob's private key, so he can't construct a message that Alice will believe came from Bob.

假設(shè)有一個(gè)壞小子，我們稱他為H，他可以這么做：

甲——〉H：你好
H——〉甲：你好，我是乙，乙的證書
甲——〉H：請證明
H——〉甲：？？？

H不能滿足甲的最后一個(gè)信息，他沒有乙的私鑰，因此他不能建立一個(gè)令甲相信是來自乙的信息。

EXCHANGING A SECRET
交換密鑰（secret）

Once Alice has authenticated Bob, she can do another thing - she can send Bob a message that only Bob can decode:

A->B?? {secret}bobs-public-key

The only way to find the secret is by decrypting the above message with Bob's private key. Exchanging a secret is another powerful way of using public key cryptography. Even if the communication between Alice and Bob is being observed, nobody but Bob can get the secret.

一旦甲已經(jīng)驗(yàn)證乙后，他就可以做另外的事情了--發(fā)送給乙一個(gè)只有乙可以解密、閱讀的（另一個(gè)）密鑰：

甲——〉乙：{ secret }乙的公鑰

只有使用乙的私鑰才能解密上述信息，得到secret（另一個(gè)密鑰）。交換（額外的）密鑰是公鑰密碼術(shù)提供的另一個(gè)強(qiáng)有力的手段。即使在甲和乙之間的通訊被偵聽，只有乙才能得到密鑰。

This technique strengthens Internet security by using the secret as another key, but this time it's a key to a symmetric cryptographic algorithm (such as DES, RC4, or IDEA). Alice knows the secret because she generated it before sending it to Bob. Bob knows the secret because Bob has the private key and can decrypt Alice's message. Because they both know the secret, they can both initialize a symmetric cipher algorithm and then start sending messages encrypted with it. Here is a revised protocol:

A->B ?hello
B->A ?Hi, I'm Bob, bobs-certificate
A->B ?prove it
B->A ?Alice, This Is bob { digest[Alice, This Is Bob] } bobs-private-key
A->B?ok bob, here is a secret {secret} bobs-public-key
B->A?some message}secret-key
?
How secret-key is computed is up to the protocol being defined, but it could simply be a copy of secret.

使用secret作為另一個(gè)密鑰增強(qiáng)了網(wǎng)絡(luò)的安全性，但是現(xiàn)在這個(gè)密鑰將用于對稱加密算法的（例如DES、RC4、IDEA）。（譯者注：公鑰算法在加密大信息量時(shí)開銷比較大，所以在加密大信息量時(shí)一般采用對稱加密算法，常規(guī)通訊使用公鑰系統(tǒng)是不堪重負(fù)的。所以本文在身份驗(yàn)證后要利用公鑰系統(tǒng)的可靠性交換一個(gè)對稱加密的密鑰，以后的通訊就采用對稱加密算法進(jìn)行保護(hù)。）因?yàn)槭羌自诎l(fā)送給乙之前產(chǎn)生的密鑰，所以甲知道這個(gè)密鑰。乙也知道密鑰，因?yàn)橐矣兴借€，能夠解密甲的信息。由于他們都知道密鑰，他們就都能夠初始化一個(gè)對稱加密算法，從開始發(fā)送（用對稱加密算法）加密后的信息。下面是修定后的協(xié)議：

甲——〉乙：你好
乙——〉甲：嗨，我是乙，乙的證書
甲——〉乙：請證明
乙——〉甲：甲，我是乙 {摘要[甲，我是乙] }乙的私鑰
甲——〉乙：你好乙，這里是密鑰 {secret}乙的公鑰
乙——〉甲：{some message}secret-key

（對稱密鑰）secret-key是如何計(jì)算出來的，完全由（雙方定義的）通訊協(xié)議自已決定，當(dāng)然可以簡單地就把secret做為secret-key。

YOU SAID WHAT?
你在說什么？

Mallet's bag contains a few more tricks. Although Mallet can't discover the secret that Alice and Bob have exchanged, he can interfere in their conversation by damaging it. For example, if Mallet is sitting between Alice and Bob, he can choose to pass most information back and forth unchanged but mangle certain messages (easy for him to do because he knows the protocol that Alice and Bob are speaking):
H還有其他花招。雖然不知道發(fā)現(xiàn)甲和乙已經(jīng)交換的密鑰，但H能干擾他們的交談。如果黑客H在甲和乙（的通訊鏈路的）中間，他可以放過大部分信息，選擇破壞一定的信息（這是非常簡單的，因?yàn)樗兰缀鸵彝ㄔ挷捎玫膮f(xié)議）：

A->M ?hello
M->B ?hello

B->M ?Hi, I'm Bob, bobs-certificate
M->A ?Hi, I'm Bob, bobs-certificate

A->M ?prove it
M->B ?prove it

B->M ?Alice, This Is bob { digest[Alice, This Is Bob] } bobs-private-key
M->A ?Alice, This Is bob { digest[Alice, This Is Bob] } bobs-private-key

A->M ?ok bob, here is a secret {secret} bobs-public-key
M->B ?ok bob, here is a secret {secret} bobs-public-key

B->M ?{some message}secret-key
M->A ?Garble[ {some message}secret-key ]

Mallet passes the data through without modification until Alice and Bob share a secret. Then Mallet gets in the way by garbling Bob's message to Alice. By this point Alice trusts Bob, so she may believe the garbled message and try to act on it. Note that Mallet doesn't know the secret - all he can do is damage the data encrypted with the secret key. Depending on the protocol, Mallet may not produce a valid message. Then again, he may get lucky.

甲——〉H：你好
H——〉乙：你好

乙——〉H：嗨，我是乙，乙的證書
H——〉甲：嗨，我是乙，乙的證書

甲——〉H：請證明
H——〉乙：請證明

乙——〉H：甲，我是乙 {摘要[甲，我是乙] }乙的私鑰
H——〉甲：甲，我是乙 {摘要[甲，我是乙] }乙的私鑰

甲——〉H：你好，乙，這里是密鑰 {secret} 乙的公鑰
H——〉乙：你好，乙，這里是密鑰 {secret} 乙的公鑰

乙——〉H：{some message}secret-key
H——〉甲：Garble[{s ome message}secret-key ]

H忽略一些數(shù)據(jù)不修改，直到甲和乙交換密鑰。然后H干擾乙給甲的信息。在這時(shí)，甲已經(jīng)信任乙，所以他可能相信已經(jīng)被干擾的信息并且盡力解密。需要注意的是，H不知道密鑰，他所能做的就是毀壞使用密鑰加密后的數(shù)據(jù)。基于協(xié)議，H可能不能產(chǎn)生一個(gè)有效的信息。但下一次呢？

To prevent this kind of damage, Alice and Bob can introduce a message authentication code (MAC) into their protocol. A MAC is a piece of data that is computed by using a secret and some transmitted data. The digest algorithm described above has just the right properties for building a MAC function that can defend against Mallet:

?MAC := Digest[ some message, secret ]??

Because Mallet doesn't know the secret, he can't compute the right value for the digest. Even if Mallet randomly garbles messages, his chance of success is small if the digest data is large. For example, by using MD5 (a good cryptographic digest algorithm invented by RSA), Alice and Bob can send 128-bit MAC values with their messages. The odds of Mallet's guessing the right MAC are approximately 1 in 18,446,744,073,709,551,616 - for all practical purposes, never.

為了阻止這種破壞，甲和乙可以在他們的協(xié)議中引入一個(gè)信息驗(yàn)證碼（message authentication code，以下稱MAC）。MAC是根據(jù)密鑰和被傳輸?shù)男畔⒂?jì)算出的一段數(shù)據(jù)。前面描述的摘要算法的特性在生成MAC時(shí)正好可以派上用場，用來抵御H的攻擊：

MAC= Digest[some message，secret ]

因?yàn)镠不知道密鑰，他不能計(jì)算出正確的摘要值。即使H隨機(jī)干擾信息，只要數(shù)據(jù)量大，他成功的機(jī)會微乎其微。例如，使用MD5（一個(gè)RSA發(fā)明的好的加密摘要算法），甲和乙能夠給他們的信息加上128位MAC值。H猜測正確的MAC的幾率將近1/18，446，744，073，709，551，616，約等于零。

Here is the sample protocol, revised yet again:

A->B?hello
B->A?Hi, I'm Bob, bobs-certificate
A->B?prove it
B->A? ?Alice, This Is bob { digest[Alice, This Is Bob] } bobs-private-key
A->B ?ok bob, here is a secret {secret} bobs-public-key
B->A?{some message, MAC}secret-key

Mallet is in trouble now. He can garble messages all he wants, but the MAC computations will reveal him for the fraud he is. Alice or Bob can discover the bogus MAC value and stop talking. Mallet can no longer put words in Bob's mouth.

下面又一次修改后的協(xié)議：

甲——〉乙：你好
乙——〉甲：嗨，我是乙，乙的證書
甲——〉乙：請證明
乙——〉甲：甲，我是乙 {摘要[甲，我是乙] } 乙的私鑰
甲——〉乙：你好，乙，這是密鑰 {secret} 乙的公鑰
乙——〉甲：{some message，MAC}secret-key

現(xiàn)在H已經(jīng)無技可施了。他可以干擾任何信息，但MAC計(jì)算能夠發(fā)現(xiàn)他的詭計(jì)。甲和乙能夠發(fā)現(xiàn)偽造的MAC值并且停止交談。H不再能假借乙通訊。

WHEN WAS THAT SAID?

Last but not least to protect against is Mallet the Parrot. If Mallet is recording conversations, he may not understand them but he can replay them. In fact, Mallet can do some really nasty things sitting between Alice and Bob. The solution is to introduce random elements from both sides of the conversation.
僅僅防范H的學(xué)舌式攻擊是不夠的。如果H記錄下（甲和乙的）通訊，雖然他不能明白（通訊的）含義，但是他可以重現(xiàn)（通訊）。事實(shí)上，隱藏在甲和乙中間的H可以做一些頗具威助的攻擊。解決方案是在雙方通訊中引入隨機(jī)因素。