当前位置：文档库 › 1 Motivations Key Agreement

1 Motivations Key Agreement

Key Agreement

Guilin Wang

School of Computer Science,University of Birmingham

G.Wang@https://www.wendangku.net/doc/5018364505.html,

1Motivations

As we know,symmetric key encryptions are usually much more e?cient than public key en-cryptions,especially in the aspect of computational complexity.Therefore,to send a(large) message M the following diagram is often used.

1.A?→B:Enc P K

(K),E K(M).(1)

Here,A and B are the identities of the two communicating parties,Alice and Bob.Enc P K

B (·)

is the public key encryption algorithm with respect to Bob’s public key P K B,while E K(·)de-notes a symmetric encryption algorithm associated with a session key K.After receiving the

expected information from Alice,Bob?rst decrypts Enc P K

B (K)to get the session key K

using his private key SK B,and then derives the message M from E K(M)using K.

The above scheme looks good,but it has some limitations in practice.

(a)If the receiver Bob does not have a public key at all,do we have any other approaches that

allow Alice and Bob to agree on a session key K?For example,most of ordinary Internet users have no any certi?ed public key nowadays.

(b)If the sender Alice wants to send a message to a group of n receivers,is there any more

e?cient solution,instead of encrypting the same session key to each receiver individually? 2Introduction

Our topic today is key agreement,or key establishment,a little wider concept.Let us?rst give some basic de?nitions.

De?nition1[5].Key establishment is a process or protocol that enables two or more parties to share a secret session key,which can be used for subsequent secure communications.

Roughly speaking,key establishment schemes can be classi?ed into key transport and key agreement,according to whether the key is determined by one party or all parties.

De?nition2[5].A key transport protocol or mechanism is a key establishment technique where one party creates or obtains a secret key,and then securely transfers it to the other(s). De?nition3[5].A key agreement protocol or mechanism is a key establishment tech-nique in which a shared secret key is derived by two(or more)parties as a function of in-formation contributed by,or associated with,each of these,(ideally)such that no party can predetermine the resulting value.

2The School of Computer Science,University of Birmingham

2.1The Di?e-Hellman Protocol

The?rst solution of key agreement is the Di?e-Hellman(DH)protocol[3],also called expo-nential key exchange.This protocol allows two parties to agree on a shared session key by exchanging two messages over a public(so insecure)network,though they may never know each other before or share any secret in advance.

To run the protocol,it is assumed that a large prime p has been properly chosen and published,together with a generator g of large prime order q modulo p.That is,q is the least positive integer such that g q=1mod p,g∈Z?p.In practice,we may select primes p and q such that|p|=1024and|q|=160.

1.A?→B:K x=g x mod p

2.B?→A:K y=g y mod p

(2)

Output:K xy=(K x)y mod p=(K y)x mod p=g xy mod p.

Here is the detailed description of the above protocol.To negotiate with Bob for a session key Alice?rs picks a random number x∈[1,p?2],and sends value K x=g x mod p to Bob.Then,Bob similarly selects a random number y∈[1,p?2]and returns Alice the value of K y=g y mod p.Finally,Alice derives the session key as K xy=(K y)x mod p,while Bob obtains the same key by computing K xy=(K x)y mod p.Note that sometimes we may just treat K xy a raw keying material,from which a real session key is derived.For example,let session key sk=H(K xy||A||B),where H is a secure hash function.

The security of Di?e-Hellman protocol relies on the following computational assumption. De?nition4(Computational Di?e-Hellman Assumption)(for short,CDH assump-tion).For properly chosen p,g and q,it is computationally infeasible to derive g xy mod p from values g x mod p and g y mod p,where x and y are random secrets.

Remark1:A related problem is the discrete logarithm assumption(DL assumption).Namely, for properly chosen p,g and q,it is computationally infeasible to derive x from values g x mod p, where x is a random secret.Moreover,it is easy to know that CDH assumption is at least as strong as than DL assumption,since you can break CDH assumption if you already know an algorithm to break DL assumption.However,it is an open problem how to break DL assumption if you can break CDH assumption.

CDH assumption looks nice and intractable,but the Di?e-Hellman protocol is not secure in practice,because it is vulnerable to an attack known as Man-in-the-Middle attack.

2.2Man-in-the-Middle Attack

For a third party Cindy,who can control the communications between Alice and Bob,the Man-in-the-Middle Attack(MITM attack)(illustrated in Eq.(4))can be mounted against the Di?e-Hellman protocol.When Alice initializes a protocol instance by sending K x to Bob, Cindy intercepts this value and impersonates Bob by replying K a to Alice.At the same time, Cindy pretends to be Alice and sends Bob the value K b to initialize another protocol run,and then intercepts the respondence value K y from Bob.The result is that Cindy and Alice share K xa=g xa mod p,Cindy and Bob share K yb=g yb mod p,but Alice and Bob might mistakenly believe that they have successfully agreed on a shared key.

Key Agreement:A Guest Lecture,12Nov.20073

1.A?→(B)C:K x=g x mod p

2.C(B)?→A:K a=g a mod p

(3)

1 .C(A)?→B:K b=g b mod p

2 .B?→(A)C:K y=g y mod p

The MITM attack may cause severe consequence,since Cindy can“unwrap”and“re-wrap”all secure“envelopes”for the coming communications between Alice and Bob such that they still think everything is ok.

So,we want to know why the Di?e-Hellman protocol is not secure,especially without breaking the underlying CDH assumption?The reason is that it does not encompass any authentication mechanism,i.e.,no party is sure whether the other communicating party is really the party claimed to be.

2.3Station-to-Station Protocol

To repair the security?aw in the Di?e-Hellman protocol,the following station-to-station(STS) protocol is proposed by Di?e,van Oorschot and Wiener in1992.For simplicity,all modulo p operations have been omitted.

1.A?→B:g x

2.B?→A:g y,E K(Sig B(g y,g x))

3.A?→B:E K(Sig A(g x,g y))

(4)

Output:K xy=(g x)y=(g y)x=g xy.

To add authentication,the STS protocol requires that both parties have a pair of public keys for signature generation and veri?cation,and know a publicly released symmetric key encryption.In contrast,note that the Di?e-Hellman protocol do not have these assumptions.

The?rst step of STS protocol is the same as in the the Di?e-Hellman protocol.Upon receiving g x,Bob derives the session key by K=(g x)y by selecting randomness y,and then sends Alice back g y together with his encrypted signature E K(Sig B(g y,g x))on mes-sage(g y,g x).In step3,Alice?rst computes the session key K=(g y)x,decrypts Sig B(g y,g x) from E K(Sig B(g y,g x))by using K,and?nally checks whether Sig B(g y,g x)is Bob’s valid sig-nature on message(g y,g x).If the answer is no,Alice could terminate the protocol execution. Otherwise,Alice sends Bob her encrypted signature E K(Sig A(g x,g y))on message(g x,g y). Once E K(Sig A(g x,g y))is received correctly,Bob knows that Alice has already obtained the secret key K.

According to the above description,we can see that in the STS protocol,signatures are used to authenticate a communicating party’s identity,while the symmetric encryption associated with the just established session key K is employed to show the knowledge of this session key by encrypting the signatures.

3More Concepts and Protocols

To understand what kinds of threats key agreement protocols in open channels may be subject to,we need to discuss what are the security requirements,and what are the allowed behaviours for an attacker,whose goal is to break one ore more of the security requirements.The following are the main security requirements of key agreement protocols.

4The School of Computer Science,University of Birmingham

De?nition5[5].We say a key agreement protocol satis?es key authentication,if one party is assured that other than speci?cally identi?ed parties(including identi?ed trusted parties,if any)it is infeasible for anyone else to derive a particular secret key.

Note that key authentication does not guarantee that all parities involved actually pos-sess the secret key.Due to this reason,key authentication is sometimes called implicit key authentication,more precisely.

De?nition6[5].We say a key agreement protocol satis?es key con?rmation,if one party is assured that all other parties(possibly unidenti?ed)actually have possession of a particular secret key.

De?nition7[5].We say a key agreement protocol satis?es explicit key authentication,if both(implicit)key authentication and key con?rmation hold,i.e.,only all identi?ed parties actually have possession of a particular secret key.

When designing and analyzing security protocols,we assume that all underlying cryp-tographic mechanisms used are secure.These basic building blocks are usually encryption algorithms,digital signatures,hash functions and so on.Such an assumption is quite reason-able,since one cannot expect a protocol is secure if its underlying cryptographic primitives are?awed.Consequently,the main target of an attacker or adversary against a security pro-tocol is trying to subvert the protocol,instead of cryptanalyzing the underlying cryptographic algorithms.

Attackers could be passive or active.A passive attacker attempts to defeat the security requirements of a security protocol by just simply eavesdropping,recording,and then analyzing the data among communicating parties.In contrast,an active attacker has the ability to completely control the communication channel,so it is able to“record,alter,delete,insert, redirect,reorder,and reuse past or current messages,and inject new messages”[5].Ideally,we expect a protocol is e?cient and secure against active attacks under weakest assumptions. 3.1Authenticated Key Exchange Protocol

In1994,Bellare and Rogaway proposed a key agreement protocol,called AKEP2(Authenti-cated Key Exchange Protocol2).By assuming that the two parties Alice and Bob share two

long-term secret keys k and k ,this protocol uses two keyed hash functions H k(·)and H

k (·)

to realize key agreement.

1.A?→B:N a

2.B?→A:B,A,N a,N b,H k(B,A,N a,N b)

3.A?→B:A,N b,H k(A,N b)

Output:K=H

k (N b).

(5)

Here,N a and N b are nonces generated by Alice and Bob respectively.Both parties can

deduce the?nal session key as K=H

k (N b).AKEP2provides mutual entity authentication

and(implicit)key authentication.

AKEP2is interesting,but it requires two parties share some secrets in advance.However, this assumption does no hold in some scenarios.For instance,two parties never having commu-nications before want to exchange data someday.In addition,if one user has communications with a lot of people,he/she has to maintain a table for the secrets shared with those people. To avoid these two limitations,the solution is to introduce a trusted sever S by requiring each party to share a distinct secret with the server.

Key Agreement:A Guest Lecture,12Nov.20075 3.2The Needham-Schroeder Protocol

The Needham-Schroeder(NS)protocol,proposed in1978,is essentially a key transport pro-tocol,since the session key is totally selected by a trusted server,or called authentication server.Besides the trusted sever S,the NS protocol also supposes that there is a secure and publicly known symmetric encryption algorithm E for the session key transport and message authentication.

1.A?→S:A,B,N a

2.S?→A:E K

as (N a,B,K,E K

(K,A))

3.A?→B:E K

bs (K,A)

4.B?→A:E K(N b)

5.A?→B:E K(N b?1)

Output:K(Session key).

(6)

Here,N a and N b are nonces.K as and K bs are the long-term secret keys shared by Alice and the server,and Bob and the server,respectively,while K is the session key generated by the sever for Alice and Bob.In the?rst three steps,Alice gets the session key K from the server and forwards it to Bob.And the last two messages allow Bob to check whether Alice is currently using the same session key K.

The NS protocol is vulnerable to a replay attack,identi?ed by Denning and Sacco in 1981,in which an attacker Cindy can impersonate Alice to cheat Bob by using a compromised old session key K between Alice and Bob.Here is the attack:

3 .C(A)?→B:E K

bs (K,A)

4 .B?→(A)C:E K(N

b )

5 .C(A)?→B:E K(N

b ?1)

(7)

The Denning-Sacco attack implies that in the viewpoint of Bob,the NS protocol does not provide key freshness.A key is called fresh,if it is guaranteed to be a newly generated key, from the view point of one party involved in the protocol.To provide key freshness for the NS protocol,the sever can insert a timestamp T into the key certi?cate for Bob,i.e.,replacing

E K

bs (K,A)by E K

(K,T,A).

Remark2:In fact,there are two NS protocols.The above discussed is the symmetric NS protocol,which has been extended to Kerberos,a system developed at MIT within the project Athena in the1980s.The public key NS protocol is also interesting,especially due to an attack by Gavin Lowe after17years of publication of the NS protocol.This is also a good example showing that security protocols are notoriously error prone.

3.3Password-based Protocols

In the NS protocol,both parties are required to share long-term secrets with the server.If these parties are human beings,who need to access the server via some untrusted terminals from time to time,such as accessing on-line bank service,long secret keys are not easy to memorize.One naive approach is to let each party sharing a short password with the server, and set this password as the long-term key or derive the long-term key from the password. However,people tend to pick easily-guessable passwords,i.e.,passwords are short strings with low entropy.Consequently,the above simple approach su?ers the so called o?-line dictionary attack.For example,if the K bs in the NS protocol is substituted by a password P bs shared by Bob and the server,even a passive attacker can deduce the session key K without too

6The School of Computer Science,University of Birmingham

much e?ort.The reason is that by eavesdropping message E P

bs (K,A),the attacker can try all

possible passwords P to decrypt ciphertext E P

bs (K,A).Once the resulting plaintext contains

the su?x A,the identity of Alice,P is likely the correct password P bs and the rest of plaintext is likely the session key.

The following Encrypted Key Exchange(EKE)protocol,proposed by Bellovin and Merritt in1992,avoids the above weakness.

1.A?→B:E P(P K)

2.B?→A:E P(Enc P K(K))

Output:K(Session key).

(8)

Here,P is the password shared between Alice and Bob,while P K is an ephemeral public key generated by Alice so she also holds the corresponding private key.In the step1,Alice sends this temporary public key P K to Bob encrypted under password P.Then,in step2,Bob selects a session key K and forwards it to Alice by using double encryptions E P(Enc P K(K)). Namely,K is?rst encrypted under public key P K and then symmetrically encrypted under password P.Upon receiving E P(Enc P K(K)),Alice can then derive K by using the password P and the private key corresponding to P K.

In the literature,there are a lot of password-based protocols,for example,referring to reference[1].

3.4Group Key Agreement Protocols

In the above,only two-party key agreement protocols,perhaps involving an additional trusted third party,are discussed.Now,we introduce a group key agreement protocol,proposed Burmester and Desmedt[2],which enables a group of parties e?ciently establishing a session key.Essentially,the Burmester-Desmedt(BD)protocol is an extension of the Di?e-Hellmann https://www.wendangku.net/doc/5018364505.html,ing the same system parameters as in Section2.1,the BD protocol for n parties (n>2)can be brie?y reviewed as follows.

Step1.Each party U i(i=1,2,···)selects a random number x i and broadcasts k i=g x i mod p.

Step2.Each party U i broadcasts K i=(k i+1/k i?1)x i mod p,where the index are taken in a cycle.

Step3.Now,each party U i computes the session key K by

K=k nx i

i?1·K n?1

·K n?2

i+1

···K i?2mod p.(9)

It is easy to know that if all parties follow the above protocol then all of them will obtain the same session key from Eq.(9),which is

K=g x1x2+x2x3+···+x n x1mod p.(10) The Burmester-Desmedt protocol is secure against passive attacker under the assumption that the computational Di?e-Hellmann problem is intractable,i.e.,the CDH assumption holds.

4Summary

In this handout,we brie?y introduced the basic concepts and mechanisms for key agreement, which is a protocol or mechanism that allows two or multiple parties to agree on a shared secret

Key Agreement:A Guest Lecture,12Nov.20077 key e?ciently and securely.A number of well-know protocols were reviewed and discussed by pointing out their security features and weaknesses.In particular,we illustrated the man-in-the-middle-attack,replay attack,and o?-line dictionary attack.

References

1.Colin Boyd and Anish Mathuria.Protocols for Authentication and Key Establishment.Springer-Verlag,

2003.

2.Mike Burmester and Yvo Desmedt.A Secure and Scalable Group Key Exchange https://www.wendangku.net/doc/5018364505.html,rmation

Process Letter,2005,94(3):137-143.Original version appears in the proceedings of EUROCRYPT’94, LNCS950,pp.275-286.

3.Whit?eld Di?e and Martin E.Hellman.New Directions in Cryptography.IEEE Transaction on Information

Theory,November1976,22(6):644-654.

4.Dieter https://www.wendangku.net/doc/5018364505.html,puter Security,2nd Edition,chapter12:Authentication in Distributed System.John

Wiley&Sons,Ltd,2006.

5.Alfred J.Menezes,Paul C.van Oorschot,and Scott A.Vanstone.Handbook of Applied Cryptography,chapter

12:Key Establishment Protocols.CRC Press,1997.

6.Key-agreement Protocol.https://www.wendangku.net/doc/5018364505.html,/wiki/Key-agreement?protocol.

基础乐理第三讲-半音与全音的关系

第三讲半音与全音要判断两个音是全音还是半音关系，当然非常简单，只需要把所给的两个音放在键盘上，然后看看它们是相临的琴键还是隔开的琴键就可以了。比如： F和降G是什么关系？我们把这两个音放在键盘上，哦，原来它们是相临的两个琴键，那么，它们就一定是半音关系了！再看E和升F，它们隔着F这个琴键，那么它们俩一定是全音关系了。（第二讲中有详细的解释）。但是，半音和全音又分为两类：自然关系和变化关系，什么叫自然关系呢？相临的音级构成的关系就是自然关系。不相临的音级构成的关系就是变化关系。（我特别强调一下，上面说的是相临的音级！！！）我们一共有7个基本音级，比如C和D两个音级上构成的所有关系都是自然关系。（我还需要解释一下：C的所有变化形式都属于C音级，也就是说：不管是C还是升C或重升C、降C、重降C都是属于C音级的音）举个例子：C和D是全音关系，又是相临的音级，那么他们就是自然全音关系。升C和D是半音关系也是相临的音级，那么就是自然半音关系。

这个定义不是很好理解，如果不太明白再看下面的例子：我们来看E和F这两个琴键，如果我说它们是E和F，那么我们看，相临的琴键一定是半音关系，E和F又是相临的音级，那么我们说这是自然半音关系。再看，还是这两个琴键，我不说它是E和F，而说他们是E和重降G，那么，它们仍然是半音关系，没错吧，因为它们还是相临的琴键，可是，重降G这个音，是G音级上的音，E和G这两个音级是不相临的。所以，E 和重降G是变化半音关系。如果还是不明白，那么请你把上一节的内容再好好看看吧！呵呵~~~ 如果想偷懒的话，我来教你一招，我们可以机械的认为，相临的音级就是相临的字母！给我们两个音以后，我们先在键盘上确定它们是全音还是半音，再看看表示这两个音的字母是什么，如果字母是相临的，那么就是自然关系，不相临就是变化关系。举例如下： B和升C，是全音关系，两个字母相临，----自然全音升D和E，是半音关系，字母相临，----自然半音。 B和重降D，是半音关系，字母不相临，----变化半音。 E和是升E，是半音关系，字母不相临，----变化半音。（两个字母都是E

什么是半音和全音

什么是半音和全音 (十二平均律） 2010年01月03日星期日 11:09 什么是半音和全音在音乐中，相邻的两个音之间最小的距离叫半音，两个半音距离构成一个全音。把C D E F G A B 这一组音的距离分成十二个等分，每一个等分叫一个“半音”。两个音之间的距离有两个“半音”的，就叫“全音” 。在钢琴、电子琴等键盘乐器上，C-D,D-E,F-G,G-A,A-B,两音之间隔着一个黑键，它们之间的距离就是全音；E－F，B－C，两音之间没有黑键相隔，它们之间的距离就是半音。半音和全音的种类在乐音体系中，任何两个相邻音级之间的半音关系从音高来看都是一样的。但由不同名称的音构成的半音则有不同的意义。如c到 bd之间和c到#c 之间的半音，从音高来看没有什么区别，尤其在十二平均律中是完全一样的。但由于名称不同，所以这两种半音是完全不同的两种类型：前者是自然半音，后者则是变化半音。仅从音高来看，我们目前所接触到的音的关系只有半音和全音两种，但是由于名称的不同，它们又各自分为自然和变化两类。这样就形成了自然半音、自然全音、变化半音和变化全音四种类型。在不考虑升降号的前提下，音的名称相邻的半音和全音就是自然半音和自然全音。否则就是变化半音和变化全音。我们用表格来说明这些关系：下面是一些实例。自然半音e-f，#e-#f，#g-a，g-ba，xg-#a，bg-bba 自然全音c-d，#c-#d，e-#f，be-f，#e- xf，bbe-bf

变化半音c-#c，#c- xc，bbd-bd，#d- bf，xc-be，#c- bbe 变化全音c-xc，bbd-d，bd-#d，#c-be，xc-e，c-bbe 从上面的实例可以看出，在变化半音和变化全音里音的名称不相邻——当然不考虑升降号，而且这些例子又可以分成两类：前三例都是由同一名称加不同的升降号构成的半音或全音，后三例则都是由隔一个名称加升降号构成的半音或全音。由本节的内容我们可以看出，音的名称和音的高低是同一事物的两个不同侧面，虽然它们针对的都是同一个对象，但又是截然不同的两个概念，二者之间既有不可分割的必然联系，又有性质不同的根本区别。传统乐理的相当篇幅就在于在分清它们区别的前提下加强它们的联系。什么是变化音—— 将标准的音符升高或降低得来的音，就是变化音。将音符升高半音，叫升音。用“#”（升号）表示。标准的音降低半音，用“ b "(降号）表示。基本音升高全音叫重升音，用“x"(重升）表示。基本音降低全音叫重降音。用“ bb”（重降）表示。将已经升高（包括重升）或降低（包括重降）的音，要变成原始的音，则用还原记号表示。附点就是记在音符右边的小圆点,表示增加前面音符时值的一半，带附点的音符叫附点音符。什么叫全音？什么叫半音？把C D E F G A B 这一组音的距离分成十二个等分，每一个等分叫一个“半音”。两个音之间的距离有两个“半音”的，就叫“全音”。在钢琴、电子琴等键盘乐器上，C-D,D-E,F-G,G-A,A-B,两音之间隔着一个黑键，它们之间的距离就是全音；E－F，B－C，两音之间没有黑键相隔，它们之间的距离就是半音。什么是小二度大二度？ 2009-09-21 15:29 音程其实很好记有两个要素，一是两音的度数，比如12是二度的，13是三度的，而是音程中的音数，说白了就是两个音度数的大小，比如13由两个全音构成，就是大三度，24由一个全音和一个半音构成，就是小三度。音数其实不用记，当你熟练了以后，即引述反而会成为累赘。

十二孔陶笛完整指法表(包括所有半音全音)

A 1 #1 2 #2 3 4 #4 5 #5 6 #6 7 1 #1 2 #2 3 4 #4 5 #5 #A 7 1 #1 2 #2 3 4 #4 5 #5 6 #6 7 1 #1 2 #2 3 4 #4 5 B #6 7 1 #1 2 #2 3 4 #4 5 #5 6 #6 7 1 #1 2 #2 3 4 #4 C 6 #6 7 1 #1 2 #2 3 4 #4 5 #5 6 #6 7 1 #1 2 #2 3 4 #C #5 6 #6 7 1 #1 2 #2 3 4 #4 5 #5 6 #6 7 1 #1 2 #2 3 D 5 #5 6 #6 7 1 #1 2 #2 3 4 #4 5 #5 6 #6 7 1 #1 2 #2 #D #4 5 #5 6 #6 7 1 #1 2 #2 3 4 #4 5 #5 6 #6 7 1 #1 2 E 4 #4 5 #5 6 #6 7 1 #1 2 #2 3 4 #4 5 #5 6 #6 7 1 #1 F 3 4 #4 5 #5 6 #6 7 1 #1 2 #2 3 4 #4 5 #5 6 #6 7 1 #F #2 3 4 #4 5 #5 6 #6 7 1 #1 2 #2 3 4 #4 5 #5 6 #6 7 G 2 #2 3 4 #4 5 #5 6 #6 7 1 #1 2 #2 3 4 #4 5 #5 6 #6 #G #1 2 #2 3 4 #4 5 #5 6 #6 7 1 #1 2 #2 3 4 #4 5 #5 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 调 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ? 2013 Xianbo Liu, QQ:412494756 注：为了表的简洁，全部用升音表示 (e.g. #4=b 5, #D=b E)

音阶就是以全音

音阶就是以全音、半音以及其他音程顺次排列的一串音。基本音阶为C调大音阶，在钢琴上弹奏时全用白键。音阶分为“大音阶”和“小音阶”，即“大调式”和“小调式”。大音阶由7个音组成，其中第3、4音之间和第7、8音之间是半音程，其他音之间是全音程。小音阶第2、3音之间和5、6音之间为半音程。大调式为西方传统调式之一，共有三种。 1、自然大调式。音阶结构为1 2 3 4 5 6 7 1，各音级间的关系为大二度、大二度、小二度、大二度、大二度、大二度、小二度。 2、和声大调式。和声大调式的结构是在自然大调的基础上6级降半音，即1 2 3 4 5 b6 7 1，各音级间的关系为大二度、大二度、小二度、大二度、小二度、增二度、小二度。 3、旋律大调式。旋律大调式是在自然大调的基础上6、7级降半音，即1 2 3 4 5 b6 b7 1，各音级间的关系为大二度、大二度、小二度、大二度、小二度、大二度、大二度。自然大调来源于西方中世纪的教会调式之一伊奥尼亚调式（Ionian），经过之后的数百年发展，出现了和声大调与旋律大调的变种。其变化方式为：自然大调渗入自然小调的因素，即降6、7级。小调式为西方传统调式之一，共有三种。 1、自然小调式。音阶结构为6 7 1 2 3 4 5 6，各音级间的关系为大二度、小二度、大二度、大二度、小二度、大二度、大二度。 2、和声小调式。和声小调式的结构是在自然小调的基础上升高7级音，即6 7 1 2 3 4 #5 6，各音级间的关系为大二度、小二度、大二度、大二度、小二度、增二度、小二度。 3、旋律小调式。旋律小调式是在自然小调的基础上升高6、7级音，即6 7 1 2 3 #4 #5 6，各音级间的关系为大二度、小二度、大二度、大二度、大二度、大二度、小二度。自然小调来源于西方中世纪的教会调式之一爱奥利亚调式（Aeolian），经过之后的数百年发展，出现了和声小调与旋律小调的变种。其变化方式为：自然小调渗入自然大调的因素，即升6、7级。五声调式是以纯五度的音程关系来排列的，是由五个音所构成的调式的。由于这种调式是我国特有的，也可以称为民族调式。这五个音的名称分别是：C 宫、 D 商、 E 角、 G 徵、 A 羽。五声调式的特点是： 1.缺少半音和三整音这类音程的尖锐倾向，宫角之间形成五声调式中唯一的大三度（小六度）。

高中音乐特长生自然半音和自然全音教学设计说明

高中音乐特长生《自然半音与自然全音》教学设计基本信息名称自然半音与自然全音执教者建伟课时1课时所属教材目录《基本乐理考前必练》（建伟主编）教材分析这是《基本乐理考前必练》（我主编）第一部分《乐音体系》第五节《半音与全音的类别》里的第一小节。本小节在音乐理论中占有非常重要的地位，在1993年至2013年21年的省理论考试里都有所体现。出题形式主要有三种：1填空、2判断、3选择。以填空形式出现的几率多。由于概念性比较强，所以我重点从概念上进行讲解，通过以前省高考题的例题，来帮助同学们理解和掌握，通过举例，也让学生了解高考题是如何考查这个知识点的。学情分析此次教学的对象是高中一年级的音乐特长生，由于大部分学生都是零起点，第一次接触，比较抽象，没有兴趣，他们通常不会喜欢这类的音乐知识，但是他们却具备天生的好奇心。所以本节课成败的关键在于能否抓住学生的好奇心制造兴奋点。教学目标知识与能力目标通过本课的学习，让学生识记自然半音与自然全音的含义。