authenticated-encryption primitive, such as those discussed in Section 6.3.6.
This goal is thus also met.
Mutual key establishment: At the end of the protocol Alice and Bob have
established $K_{AB}$, so this goal is met.
Key confidentiality: The key $K_{AB}$ can only be accessed by an entity who has
knowledge of either $K_{AT}$, $K_{BT}$ or $K_{AB}$. This means either the TTP (who is
trusted), Alice or Bob. So this goal is met.
Key freshness: This goal is met so long as the TTP generates a fresh key $K_{AB}$.
Again, we are trusting that the TTP will do this.
Mutual key confirmation: Both Alice and Bob demonstrate that they know $K_{AB}$
by using it to encrypt plaintexts (Alice in the fourth protocol message; Bob in
the last protocol message). Thus both confirm knowledge of the shared key.
Unbiased key control: This is provided because $K_{AB}$ is generated by the TTP.
Thus we conclude that all the goals of Section 9.4.1 are provided. A similar AKE
protocol is used by the widely deployed Kerberos protocol.
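The goals checked above can be exercised in a small simulation. This is an added example, not the protocol or code from the text: the message layout, the one-byte names A and B, the function names, and the HMAC-SHA256 encrypt-then-MAC construction (a standard-library stand-in for a real authenticated-encryption primitive) are all assumptions.

```python
import hashlib, hmac, secrets

def _sub(key, label):
    # Derive separate encryption and MAC subkeys from one key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a keystream (stand-in, not a vetted cipher).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    # Encrypt-then-MAC; output is nonce || ciphertext || tag.
    nonce = secrets.token_bytes(16)
    ks = _stream(_sub(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, ks))
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    # Verify the tag before decrypting: a wrong key or a modified byte is rejected.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if len(blob) < 48 or not hmac.compare_digest(tag, good):
        raise ValueError("authentication failed")
    ks = _stream(_sub(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, ks))

def ttp_issue(k_at, k_bt):
    # Freshness and unbiased key control: the TTP alone picks a new random K_AB,
    # then wraps it once under K_AT and once under K_BT, naming the intended peer.
    k_ab = secrets.token_bytes(32)
    return seal(k_at, b"B" + k_ab), seal(k_bt, b"A" + k_ab)

def confirm(k_ab, sender, peer_nonce):
    # Key confirmation: use K_AB on the peer's nonce, bound to the sender's name.
    return seal(k_ab, sender + peer_nonce)

def run_protocol(k_at, k_bt):
    for_alice, for_bob = ttp_issue(k_at, k_bt)
    pa, pb = unseal(k_at, for_alice), unseal(k_bt, for_bob)
    if pa[:1] != b"B" or pb[:1] != b"A":
        raise ValueError("wrapped key names the wrong peer")
    ka, kb = pa[1:], pb[1:]
    r_a, r_b = secrets.token_bytes(16), secrets.token_bytes(16)
    alice_ok = unseal(kb, confirm(ka, b"A", r_b)) == b"A" + r_b  # checked by Bob
    bob_ok = unseal(ka, confirm(kb, b"B", r_a)) == b"B" + r_a    # checked by Alice
    return ka, kb, alice_ok and bob_ok
```
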
9.5 Summary
In this chapter we discussed cryptographic protocols, which provide a means for
cryptographic primitives to be combined in ways that allow complex sets of security
goals to be tailored to particular application environments. We focussed on a simple,
but artificial, application in order to demonstrate that there are many different ways in
which a cryptographic protocol can be designed, and also how sensitive the security
of cryptographic protocols can be. We then looked at the important family of AKE
protocols.
Perhaps the most important objective of this chapter was to provide an
introduction to the art of designing and analysing cryptographic protocols. Two
important caveats apply:
1. We do not recommend that anyone other than an expert attempts to design
their own cryptographic protocols. Unless there are no alternatives, standard
cryptographic protocols should be used. It is notoriously hard to design a
secure cryptographic protocol since even minor changes to a secure protocol
can result in an insecure protocol, as we have seen.
2. All our protocol analysis has been informal. There are a number of available
techniques for attempting to formally prove the security of cryptographic
protocols. While these need to be associated with some caveats of their own
(see Section 3.2.5), their use is nonetheless preferable to the rather informal
type of analysis that we have conducted in this chapter. Of course, as we have
seen, informal analysis is often sufficient for establishing the insecurity of a
cryptographic protocol.