Cryptography Reference
In-Depth Information
(b) Give three different examples of things that might go wrong if an
organisation fails to govern key management properly.
(c) For each of your chosen examples, indicate how appropriate key manage-
ment governance might help to prevent the stated problem arising in the
first place.
13
. Suppose three users, Alice, Bob and Charlie, wish to use symmetric cryptog-
raphy to protect files that are transferred between their personal computers.
They decide:
• not to use any standard secure file transfer package;
• to encrypt files directly using an encryption algorithm implemented on their
local machines;
• send the encrypted files over any appropriate insecure channel (there is no
need to consider what type of channel is used).
Design a suitable key management system (including all phases of the key
lifecycle) for supporting this application.
14
. Cryptographic Application Programming Interfaces (APIs) provide services that
allow developers to build secure applications based on cryptography.
(a) What are the most popular cryptographic APIs in use today?
(b) For a cryptographic API of your choice, write a short summary of the main
services provided by the API, including the range of cryptographic primitives
and algorithms that it supports.
(c) What vulnerabilities might arise from potential misuse of a cryptographic
API? (You might choose to illustrate this answer by providing examples of
potential attacks, of which there are several that have been reported in the
media.)
15
. A payment card organisation has a key management system in place tomanage
the PINs that their customers use. It has the following features:
• All PINs are generated using a PINgeneration key
PGK
, which is a single length
DES key.
•
PGK
is generated from three components
PGK
A
,
PGK
B
and
PGK
C
, all of which
are stored on smart cards held in a single safe.
• The components
PGK
A
and
PGK
B
are backed up, but
PGK
C
is not.
• When
PGK
is established from its components, the key generation ceremony
specifies that the holders of each of the components must pass the smart
card with their component to the internal auditor after they have installed it.
• Some of the retail systems supporting the card payment system store
PGK
is
software.
• Customers are permitted to change their PIN using a telephone-based
interactive voice recognition service.
(a) What problems can you identify with this key management system?
(b) Propose some changes to the key management system in order to
overcome these problems.
