SPECIFYING THE PROTOCOL
Designing a cryptographic protocol that meets the specified goals can be a very
difficult task. This difficulty often comes as a surprise to system designers without
cryptographic expertise, who may be tempted to design their own cryptographic
protocols. Even if strong cryptographic primitives are used, an insecure protocol
will not meet the intended security objectives.
This is true even for the most basic security goals. In Section 9.4 we will discuss
cryptographic protocols that are designed to meet the relatively straightforward
security goals of mutual entity authentication and key establishment. Hundreds
of cryptographic protocols have been proposed to meet these security goals, but
many contain design flaws.
The simple message here is that, just as for the design of cryptographic
primitives, all three of the design stages (but most importantly the last one) are
best left to experts. Indeed, even among such experts, the process of designing
cryptographic protocols that can be proven to implement specified cryptographic
goals remains a challenging one (see Section 3.2.5).
STANDARDS FOR CRYPTOGRAPHIC PROTOCOLS
In the light of the difficulties just discussed about designing cryptographic
protocols, one sensible strategy would be to only use cryptographic protocols
that have been adopted in relevant standards. For example:
• the PKCS standards include some cryptographic protocols for implementing
public-key cryptography;
• ISO/IEC 11770 specifies a suite of cryptographic protocols for mutual entity
authentication and key establishment;
• SSL/TLS specifies a protocol for setting up a secure communication channel
(see Section 12.1).
The adoption of standardised cryptographic protocols is highly recommended;
however, there are two potential issues:
Application complexity. Many applications have sufficiently complex security
goals that there may not be an already approved cryptographic protocol that
meets the precise application security goals. For major applications it may
be necessary to design an entirely new dedicated standard. For example, the
Trusted Computing Group have had to design and standardise their own set of
cryptographic protocols for the implementation of trusted computing. Indeed,
unusually, this process required the design of a new cryptographic primitive as
well as cryptographic protocols.
Precision of fit. If a standardised protocol is considered for use then it must be
the case that the application security goals are precisely those of the standard
protocol. If a standard protocol needs to be even slightly changed then it may be
the case that the protocol no longer meets its original security goals. This issue