RSA公钥加密在计算机产业中被广泛使用在认证和加密。可以从RSA Data Security Inc.获得的RSA公钥加密许可证。公钥加密是使用一对非对称的密码加密或解密的方法。每一对密码由公钥和私钥组成。公钥被广泛发布。私钥是隐密的,不公开。用公钥加密的数据只能够被私钥解密。反过来,使用私钥加密的数据只能用公钥解密。这个非对称的特性使得公钥密很有用。

使用公钥加密法认证

认证是一个身份认证的过程。在下列例子中包括甲和乙,公钥加密会非常轻松地校验身份。符号{数据} key意味着"数据"已经使用密码加密或解密。假如甲想校验乙的身份。乙有一对密码,一个是公开的,另一个是私有的。乙透露给甲他的公钥。甲产生一个随机信息发送给乙。 甲——〉乙:random-message

乙使用他的私钥加密消息,返回甲加密后的消息。 乙——〉甲:{random-message}乙的私钥

甲收到这个消息然后使用乙的以前公开过的公钥解密。他比较解密后的消息与他原先发给乙的消息。如果它们完全一致,就会知道在与乙说话。任意一个中间人不会知道乙的私钥,也不能正确加密甲检查的随机消息。

除非你清楚知道你加密的消息。用私钥加密消息,然后发送给其他人不是一个好主意。因为加密值可能被用来对付你,需要注意的是:因为只有你才有私钥,所以只有你才能加密消息。所以,代替加密甲发来的原始消息,乙创建了一个信息段并且加密。信息段取自随机消息(random-message)并具有以下有用的特性:

1.这个信息段难以还原。任何人即使伪装成乙,也不能从信息段中得到原始消息;
2.假冒者将发现不同的消息计算出相同的信息段值;
3.使用信息段,乙能够保护自己。他计算甲发出的随机信息段,并且加密结果,并发送加密信息段返回甲。甲能够计算出相同的信息段并且解密乙的消息认证乙。

这个技术仅仅描绘了数字签名。通过加密甲产生的随机消息,乙已经在甲产生的消息签名。因此我们的认证协议还需要一次加密。一些消息由乙产生:

甲——〉乙:你好,你是乙么?
乙——〉甲:甲,我是乙
{信息段[甲,我是乙] } 乙的私钥

当你使用这个协议,乙知道他发送给乙的消息,他不介意在上面签名。他先发送不加密的信息,"甲,我是乙。",然后发送信息段加密的消息版本。甲可以非常方便地校验乙就是乙,同时,乙还没有在他不想要的信息上签名。

提交公钥

那么,乙怎样以可信的方式提交他的公钥呢?看看认证协议如下所示:

甲——〉乙:你好
乙——〉甲:嗨,我是乙,乙的公钥
甲——〉乙:prove it
乙——〉甲:甲,我是乙 {信息段[甲,我是乙] } 乙的私钥

在这个协议下,任何人都能够成为"乙"。所有你所要的只是公钥和私钥。你发送给甲说你就是乙,这样你的公钥就代替了乙的密码。然后,你发送用你的私钥加密的消息,证明你的身份。甲却不能发觉你并不是乙。 为了解决这个问题,标准组织已经发明了证书。一个证书有以下的内容:

* 证书的发行者姓名

* 发行证书的组织

* 标题的公钥

* 邮戳

证书使用发行者的私钥加密。每一个人都知道证书发行者的公钥(这样,每个证书的发行者拥有一个证书)。证书是一个把公钥与姓名绑定的协议。通过使用证书技术,每一个人都可以检查乙的证书,判断是否被假冒。假设乙控制好他的私钥,并且他确实是得到证书的乙,就万事大吉了。

这些是修订后的协议:

甲——〉乙:你好
乙——〉甲:嗨,我是乙,乙的校验
甲——〉乙:prove it
乙——〉甲:甲,我是乙 {信息段[甲, 我是乙] } 乙的私钥

现在当甲收到乙的第一个消息,他能检查证书,签名(如上所述,使用信息段和公钥解密),然后检查标题(乙的姓名),确定是乙。他就能相信公钥就是乙的公钥和要求乙证明自己的身份。乙通过上面的过程,制作一个信息段,用一个签名版本答复甲。可以校验乙的信息段通过使用从证书上得到的公钥并检查结果。

如果一个黑客,叫H

甲——〉H:你好
H——〉不能建立一个令甲相信的从乙的消息。
交换密码(secret)
一旦甲已经验证乙后,他可以发送给乙一个只有乙可以解密、阅读的消息:
甲——〉乙:{secret}乙的公钥

唯一找到密码的方法只有使用乙的私钥解码上述的信息。交换密码是另一个有效使用密码加密的方法。即使在甲和乙之间的通讯被侦听,只有乙才能得到密码。

使用密码作为另一个secret-key增强了网络的安全性,但是这次这是一个对称的加密算法(例如DES、RC4、IDE甲)。因为甲在发送给乙之前产生了密码,所以甲知道密码。乙知道密码因为乙有私钥,能够解密甲的信息。但他们都知道密码,他们都能够初始化一个对称密码算法,而且开始发送加密后的信息。这儿是修定后的协议:

甲——〉乙:你好
乙——〉甲:嗨,我是乙,乙的校验

甲——〉乙:prove it
乙——〉甲:甲,我是乙 {信息段[甲,我是乙] }乙的私钥
甲——〉乙:ok 乙,here is a secret {secret}乙的公钥

乙——〉甲:{some message}secret-key
黑 客 窃 听


那么如果有一个恶意的黑客H在甲和乙中间,虽然不能发现甲和乙已经交换的密码,但能干扰他们的交谈。他可以放过大部分信息,选择破坏一定的信息(这是非常简单的,因为他知道甲和乙通话采用的协议)。

甲——〉H:你好
H——〉乙:你好
乙——〉H:嗨,我是乙,乙的校验
H——〉甲:嗨,我是乙,乙的校验
甲——〉H:prove it
H——〉乙:prove it
乙——〉H:甲,我是乙 {信息段[甲,我是乙] }乙的私钥
H——〉甲:甲,我是乙 {信息段[甲,我是乙] }乙的私钥
甲——〉H:ok 乙,here is a secret {secret} 乙的公钥
H——〉乙:ok 乙,here is a secret {secret} 乙的公钥
乙——〉H:{some message}secret-key
H——〉甲:Garble[{some message}secret-key ]

H忽略一些数据不修改,直到甲和乙交换密码。然后H干扰乙给甲的信息。在这一点上,甲相信乙,所以他可能相信已经被干扰的消息并且尽力解密。

需要注意的是,H不知道密码,他所能做的就是毁坏使用秘钥加密后的数据。基于协议,H可能不能产生一个有效的消息。但下一次呢?

为了阻止这种破坏,甲和乙在他们的协议中产生一个校验码消息(messageauthentication code)。一个校验码消息(MAC)是一部分由密码和一些传输消息产生的数据。信息段算法描述的上述特性正是它们抵御H的功能:

MAC= Digest[some message,secret ]

因为H不知道密码,他不能得出正确的值。即使H随机干扰消息,只要数据量大,他成功的机会微乎其微。例如,使用HD5(一个RSA发明的好的加密算法),甲和乙能够发送128位MAC值和他们的消息。H猜测正确的MAC的几率将近1/18,446,744,073,709,551,616约等于零。

这是又一次修改后的协议:

甲——〉乙:你好
乙——〉甲:嗨,我是乙,乙的校验
甲——〉乙:prove it
乙——〉甲:嗨,我是乙,乙的校验

甲,我是乙
{信息段[甲,我是乙] } 乙的私钥
ok 乙,here is a secret {secret} 乙的公钥
{some message,MAC}secret-key

现在H已经无技可施了。他干扰了得到的所有消息,但MAC计算机能够发现他。甲和乙能够发现伪造的MAC值并且停止交谈。H不再能与乙通讯。


一 SSL验证
为了便于更好的认识和理解 SSL 协议,这里着重介绍 SSL 协议的握手协议。SSL 协议既用到了公钥加密技术又用到了对称加密技术,对称加密技术虽然比公钥加密技术的速度快,可是公钥加密技术提供了更好的身份认证技术。SSL 的握手协议非常有效的让客户和服务器之间完成相互之间的身份认证,其主要过程如下:
  ① 客户端的浏览器向服务器传送客户端 SSL 协议的版本号,加密算法的种类,产生的随机数,以及其他服务器和客户端之间通讯所需要的各种信息。
  ② 服务器向客户端传送 SSL 协议的版本号,加密算法的种类,随机数以及其他相关信息,同时服务器还将向客户端传送自己的证书。
  ③ 客户利用服务器传过来的信息验证服务器的合法性,服务器的合法性包括:证书是否过期,发行服务器证书的 CA 是否可靠,发行者证书的公钥能否正确解开服务器证书的“发行者的数字签名”,服务器证书上的域名是否和服务器的实际域名相匹配。如果合法性验证没有通过,通讯将断开;如果合法性验证通过,将继续进行第四步。
  ④ 用户端随机产生一个用于后面通讯的“对称密码”,然后用服务器的公钥(服务器的公钥从步骤②中的服务器的证书中获得)对其加密,然后将加密后的“预主密码”传给服务器。
  ⑤ 如果服务器要求客户的身份认证(在握手过程中为可选),用户可以建立一个随机数然后对其进行数据签名,将这个含有签名的随机数和客户自己的证书以及加密过的“预主密码”一起传给服务器。
  ⑥ 如果服务器要求客户的身份认证,服务器必须检验客户证书和签名随机数的合法性,具体的合法性验证过程包括:客户的证书使用日期是否有效,为客户提供证书的 CA 是否可靠,发行 CA 的公钥能否正确解开客户证书的发行 CA 的数字签名,检查客户的证书是否在证书废止列表(CRL)中。检验如果没有通过,通讯立刻中断;如果验证通过,服务器将用自己的私钥解开加密的“预主密码”,然后执行一系列步骤来产生主通讯密码(客户端也将通过同样的方法产生相同的主通讯密码)。
  ⑦ 服务器和客户端用相同的主密码即“通话密码”,一个对称密钥用于 SSL 协议的安全数据通讯的加解密通讯。同时在 SSL 通讯过程中还要完成数据通讯的完整性,防止数据通讯中的任何变化。
  ⑧ 客户端向服务器端发出信息,指明后面的数据通讯将使用的步骤⑦中的主密码为对称密钥,同时通知服务器客户端的握手过程结束。
  ⑨ 服务器向客户端发出信息,指明后面的数据通讯将使用的步骤⑦中的主密码为对称密钥,同时通知客户端服务器端的握手过程结束。
  ⑩ SSL 的握手部分结束,SSL 安全通道的数据通讯开始,客户和服务器开始使用相同的对称密钥进行数据通讯,同时进行通讯完整性的检验。

二 双向SSL握手认证
  双向认证 SSL 协议的具体过程
  ① 浏览器发送一个连接请求给安全服务器。
  ② 服务器将自己的证书,以及同证书相关的信息发送给客户浏览器。
  ③ 客户浏览器检查服务器送过来的证书是否是由自己信赖的 CA 中心所签发的。如果是,就继续执行协议;如果不是,客户浏览器就给客户一个警告消息:警告客户这个证书不是可以信赖的,询问客户是否需要继续。
  ④ 接着客户浏览器比较证书里的消息,例如域名和公钥,与服务器刚刚发送的相关消息是否一致,如果是一致的,客户浏览器认可这个服务器的合法身份。
  ⑤ 服务器要求客户发送客户自己的证书。收到后,服务器验证客户的证书,如果没有通过验证,拒绝连接;如果通过验证,服务器获得用户的公钥。
  ⑥ 客户浏览器告诉服务器自己所能够支持的通讯对称密码方案。
  ⑦ 服务器从客户发送过来的密码方案中,选择一种加密程度最高的密码方案,用客户的公钥加过密后通知浏览器。
  ⑧ 浏览器针对这个密码方案,选择一个通话密钥,接着用服务器的公钥加过密后发送给服务器。
  ⑨ 服务器接收到浏览器送过来的消息,用自己的私钥解密,获得通话密钥。
  ⑩ 服务器、浏览器接下来的通讯都是用对称密码方案,对称密钥是加过密的。
  上面所述的是双向认证 SSL 协议的具体通讯过程,这种情况要求服务器和用户双方都有证书。单向认证 SSL 协议不需要客户拥有 CA 证书,具体的过程相对于上面的步骤,只需将服务器端验证客户证书的过程去掉,以及在协商对称密码方案,对称通话密钥时,服务器发送给客户的是没有加过密的(这并不影响 SSL 过程的安全性)密码方案。 这样,双方具体的通讯内容,就是加过密的数据,如果有第三方攻击,获得的只是加密的数据,第三方要获得有用的信息,就需要对加密的数据进行解密,这时候的安全就依赖于密码方案的安全。而幸运的是,目前所用的密码方案,只要通讯密钥长度足够的长,就足够的安全。这也是我们强调要求使用 128 位加密通讯的原因。

三 证书结构
  证书各部分的含义
  Version ,证书版本号,不同版本的证书格式不同
  Serial Number, 序列号,同一身份验证机构签发的证书序列号唯一
  Algorithm Identifier, 签名算法,包括必要的参数 Issuer 身份验证机构的标识信息
  Period of Validity, 有效期
  Subject, 证书持有人的标识信息
  Subject’s Public Key, 证书持有人的公钥
  Signature, 身份验证机构对证书的签名


  证书的格式
  认证中心所发放的证书均遵循 X.509 V3 标准,其基本格式如下:
  证书版本号(Certificate Format Version) 含义:用来指定证书格式采用的 X.509 版本号。
  证书序列号(Certificate Serial Number) 含义:用来指定证书的唯一序列号,以标识 CA 发出的所有公钥证书。
  签名(Signature) 算法标识(Algorithm Identifier) 含义:用来指定 CA 签发证书所用的签名算法。   签发此证书的 CA 名称(Issuer ) 含义:用来指定签发证书的 CA 的 X.500 唯一名称(DN, Distinguished Name)。
  证书有效期(Validity Period) 起始日期(notBefore) 终止日期(notAfter) 含义:用来指定证书起始日期和终止日期。
  用户名称(Subject) 含义:用来指定证书用户的 X.500 唯一名称(DN,Distinguished Name)。
  用户公钥信息(Subject Public Key Information)
  算法(algorithm)
  算法标识(Algorithm Identifier)
  用户公钥(subject Public Key) 含义:用来标识公钥使用的算法,并包含公钥本身。
  证书扩充部分(扩展域)(Extensions) 含义:用来指定额外信息。
 
  X.509 V3 证书的扩充部分(扩展域)及实现方法
  CA 的公钥标识(Authority Key Identifier)
  公钥标识(SET 未使用)(Key Identifier)
  签发证书者证书的签发者的甄别名(Certificate Issuer)
  签发证书者证书的序列号(Certificate Serial Number)

  X.509 V3 证书的扩充部分(扩展域)及实现
  CA 的公钥标识(Authority Key Identifier)
  公钥标识(SET 未使用)(Key Identifier)
  签发证书者证书的签发者的甄别名(Certificat
  签发证书者证书的序列号(Certificate Serial N含义:CA 签名证书所用的密钥对的唯一标识
  用户的公钥标识(Subject Key Identifier) 含义:用来标识与证书中公钥相关的特定密钥进行解密。
  证书中的公钥用途(Key Usage) 含义:用来指定公钥用途。
  用户的私钥有效期(Private Key Usage Period)
  起始日期(Note Before)
  终止日期(Note After) 含义:用来指定用户签名私钥的起始日期和终止日期。
  CA 承认的证书政策列表(Certificate Policies) 含义:用来指定用户证书所适用的政策,证书政策可由对象标识符表示。
  用户的代用名(Substitutional Name) 含义:用来指定用户的代用名。
  CA 的代用名(Issuer Alt Name) 含义:用来指定 CA 的代用名。
  基本制约(Basic Constraints) 含义:用来表明证书用户是最终用户还是 CA。
  在 SET 系统中有一些私有扩充部分(扩展域)Hashed Root Key 含义:只在根证书中使用,用于证书更新时进行回溯。
  证书类型(Certificate Type) 含义:用来区别不同的实体。该项是必选的。
  商户数据(Merchant Data) 含义:包含支付网关需要的所有商户信息。
  持卡人证书需求(Card Cert Required) 含义:显示支付网关是否支持与没有证书的持卡人进行交易。
  SET 扩展(SETExtensions) 含义:列出支付网关支持的支付命令的 SET 信息扩展。
  CRL 数据定义版本(Version) 含义:显示 CRL 的版本号。
  CRL 的签发者(Issuer) 含义:指明签发 CRL 的 CA 的甄别名。
  CRL 发布时间(this Update)
  预计下一个 CRL 更新时间(Next Update)
  撤销证书信息目录(Revoked Certificates)
  CRL 扩展(CRL Extension)
  CA 的公钥标识(Authority Key Identifier)
  CRL 号(CRL Number)


English Version


How SSL Works

AN INTRODUCTION TO KEY CRYPTOGRAPHY

This document explains how Netscape uses RSA public key cryptography for Internet security. Netscape's implementation of the Secure Sockets Layer (SSL) protocol employs the techniques discussed in this document.

RSA public key cryptography is widely used for authentication and encryption in the computer industry. Netscape has licensed RSA public key cryptography from RSA Data Security Inc. for use in its products, specifically for authentication.

Public key encryption is a technique that uses a pair of asymmetric keys for encryption and decryption. Each pair of keys consists of a public key and a private key. The public key is made public by distributing it widely. The private key is never distributed; it is always kept secret.

Data that is encrypted with the public key can be decrypted only with the private key. Conversely, data encrypted with the private key can be decrypted only with the public key. This asymmetry is the property that makes public key cryptography so useful.

USING PUBLIC KEY CRYPTOGRAPHY FOR AUTHENTICATION

Authentication is the process of verifying identity so that one entity can be sure that another entity is who it claims to be. In the following example involving Alice and Bob, public key cryptography is easily used to verify identity. The notation {something}key means that something has been encrypted or decrypted using key.

Suppose Alice wants to authenticate Bob. Bob has a pair of keys, one public and one private. Bob discloses to Alice his public key (the way he does this is discussed later). Alice then generates a random message and sends it to Bob:

A->B random-message
Bob uses his private key to encrypt the message and returns the encrypted version to Alice:

B->A {random-message}bobs-private-key
Alice receives this message and decrypts it by using Bob's previously published public key. She compares the decrypted message with the one she originally sent to Bob; if they match, she knows she's talking to Bob. An imposter presumably wouldn't know Bob's private key and would therefore be unable to properly encrypt the random message for Alice to check.

BUT WAIT, THERE'S MORE

Unless you know exactly what you are encrypting, it is never a good idea to encrypt something with your private key and then send it to somebody else. This is because the encrypted value can be used against you (remember, only you could have done the encryption because only you have the private key).

So, instead of encrypting the original message sent by Alice, Bob constructs a message digest and encrypts that. A message digest is derived from the random message in a way that has the following useful properties:

The digest is difficult to reverse. Someone trying to impersonate Bob couldn't get the original message back from the digest.
An impersonator would have a hard time finding a different message that computed to the same digest value.
By using a digest, Bob can protect himself. He computes the digest of the random message sent by Alice and then encrypts the result. He sends the encrypted digest back to Alice. Alice can compute the same digest and authenticate Bob by decrypting Bob's message and comparing values.
GETTING CLOSER

The technique just described is known as a digital signature. Bob has signed a message generated by Alice, and in doing so he has taken a step that is just about as dangerous as encrypting a random value originated by Alice. Consequently, our authentication protocol needs one more twist: some (or all) of the data needs to be originated by Bob.

A->B
B->A hello, are you bob?
Alice, This Is bob
{ digest[Alice, This Is Bob] } bobs-private-key
When he uses this protocol, Bob knows what message he is sending to Alice, and he doesn't mind signing it. He sends the unencrypted version of the message first, "Alice, This Is Bob." Then he sends the digested-encrypted version second. Alice can easily verify that Bob is Bob, and Bob hasn't signed anything he doesn't want to.

HANDING OUT PUBLIC KEYS

How does Bob hand out his public key in a trustworthy way? Let's say the authentication protocol looks like this:

A->B
B->A
A->B
B->A hello
Hi, I'm Bob, bobs-public-key
prove it
Alice, This Is bob
{ digest[Alice, This Is Bob] } bobs-private-key
With this protocol, anybody can be Bob. All you need is a public and private key. You lie to Alice and say you are Bob, and then you provide your public key instead of Bob's. Then you prove it by encrypting something with the private key you have, and Alice can't tell you're not Bob.

To solve this problem, the standards community has invented an object called a certificate. A certificate has the following content:

The certificate issuer's name
The entity for whom the certificate is being issued (aka the subject)
The public key of the subject
Some time stamps
The certificate is signed using the certificate issuer's private key. Everybody knows the certificate issuer's public key (that is, the certificate issuer has a certificate, and so on...). Certificates are a standard way of binding a public key to a name.
By using this certificate technology, everybody can examine Bob's certificate to see whether it's been forged. Assuming that Bob keeps tight control of his private key and that it really is Bob who gets the certificate, then all is well. Here is the amended protocol:

A->B
B->A
A->B
B->A hello
Hi, I'm Bob, bobs-certificate
prove it
Alice, This Is bob
{ digest[Alice, This Is Bob] } bobs-private-key
Now when Alice receives Bob's first message, she can examine the certificate, check the signature (as above, using a digest and public key decryption), and then check the subject (that is, Bob's name) and see that it is indeed Bob. She can then trust that the public key is Bob's public key and request Bob to prove his identity. Bob goes through the same process as before, making a message digest of his design and then responding to Alice with a signed version of it. Alice can verify Bob's message digest by using the public key taken from the certificate and checking the result.

A bad guy - let's call him Mallet - can do the following:

A->M
M->A
A->M
M->A hello
Hi, I'm Bob, bobs-certificate
prove it
????
But Mallet can't satisfy Alice in the final message. Mallet doesn't have Bob's private key, so he can't construct a message that Alice will believe came from Bob.

EXCHANGING A SECRET

Once Alice has authenticated Bob, she can do another thing - she can send Bob a message that only Bob can decode:

A->B {secret}bobs-public-key
The only way to find the secret is by decrypting the above message with Bob's private key. Exchanging a secret is another powerful way of using public key cryptography. Even if the communication between Alice and Bob is being observed, nobody but Bob can get the secret.

This technique strengthens Internet security by using the secret as another key, but this time it's a key to a symmetric cryptographic algorithm (such as DES, RC4, or IDEA). Alice knows the secret because she generated it before sending it to Bob. Bob knows the secret because Bob has the private key and can decrypt Alice's message. Because they both know the secret, they can both initialize a symmetric cipher algorithm and then start sending messages encrypted with it. Here is a revised protocol:

A->B
B->A
A->B
B->A
A->B
B->A

hello
Hi, I'm Bob, bobs-certificate
prove it
Alice, This Is bob
{ digest[Alice, This Is Bob] } bobs-private-key
ok bob, here is a secret {secret} bobs-public-key
{some message}secret-key
How secret-key is computed is up to the protocol being defined, but it could simply be a copy of secret.

YOU SAID WHAT?

Mallet's bag contains a few more tricks. Although Mallet can't discover the secret that Alice and Bob have exchanged, he can interfere in their conversation by damaging it. For example, if Mallet is sitting between Alice and Bob, he can choose to pass most information back and forth unchanged but mangle certain messages (easy for him to do because he knows the protocol that Alice and Bob are speaking):

A->M
M->B
B->M
M->A

A->M
M->B

B->M

M->A


A->M
M->B

B->M
M->A

hello
hello
Hi, I'm Bob, bobs-certificate
Hi, I'm Bob, bobs-certificate

prove it
prove it

Alice, This Is bob
{ digest[Alice, This Is Bob] } bobs-private-key
Alice, This Is bob
{ digest[Alice, This Is Bob] } bobs-private-key

ok bob, here is a secret {secret} bobs-public-key
ok bob, here is a secret {secret} bobs-public-key

{some message}secret-key
Garble[ {some message}secret-key ]

Mallet passes the data through without modification until Alice and Bob share a secret. Then Mallet gets in the way by garbling Bob's message to Alice. By this point Alice trusts Bob, so she may believe the garbled message and try to act on it. Note that Mallet doesn't know the secret - all he can do is damage the data encrypted with the secret key. Depending on the protocol, Mallet may not produce a valid message. Then again, he may get lucky.

To prevent this kind of damage, Alice and Bob can introduce a message authentication code (MAC) into their protocol. A MAC is a piece of data that is computed by using a secret and some transmitted data. The digest algorithm described above has just the right properties for building a MAC function that can defend against Mallet:

MAC := Digest[ some message, secret ]
Because Mallet doesn't know the secret, he can't compute the right value for the digest. Even if Mallet randomly garbles messages, his chance of success is small if the digest data is large. For example, by using MD5 (a good cryptographic digest algorithm invented by RSA), Alice and Bob can send 128-bit MAC values with their messages. The odds of Mallet's guessing the right MAC are approximately 1 in 18,446,744,073,709,551,616 - for all practical purposes, never.

Here is the sample protocol, revised yet again:

A->B
B->A
A->B
B->A hello
Hi, I'm Bob, bobs-certificate
prove it
Alice, This Is bob
{ digest[Alice, This Is Bob] } bobs-private-key
ok bob, here is a secret {secret} bobs-public-key
{some message,MAC}secret-key
Mallet is in trouble now. He can garble messages all he wants, but the MAC computations will reveal him for the fraud he is. Alice or Bob can discover the bogus MAC value and stop talking. Mallet can no longer put words in Bob's mouth.

WHEN WAS THAT SAID?

Last but not least to protect against is Mallet the Parrot. If Mallet is recording conversations, he may not understand them but he can replay them. In fact, Mallet can do some really nasty things sitting between Alice and Bob. The solution is to introduce random elements from both sides of the conversation.