Cryptography Reference
In-Depth Information
one way and proofs that one-way functions really exist. Furthermore, we would
like to get rid of the random oracle model and be able to prove security properties
of cryptographic systems without having to make the idealized assumption that
cryptographic hash functions behave like random functions. Unfortunately, we are
not there (yet), and it is questionable whether we will ever be there. In either case, it
will be interesting to see where the cryptographic research community is heading to
in the future.
21.2
PRACTICAL VIEWPOINT
From a practical viewpoint, it is unavoidable that standardization and profiling
activities will become more and more important in the future. There are simply
too many and too complex cryptographic systems (i.e., cryptographic algorithms
and protocols) and modes of operation from which to choose. Anybody not actively
working in the field is likely to be overtaxed. The DES is a success story mainly
because its promoters (i.e., the U.S. NIST) realized the need for a standardized
symmetric encryption system in the 1970s. In the late 1990s, the NIST wanted to
repeat (and improve) the success story by standardizing the AES. In a couple of
years from now, people will use products that implement the AES (similar to how
they use products that implement the DES or 3DES today).
There are many complementary standards for cryptographic systems and their
use. Examples include:
•
HMAC for message authentication (see Section 11.2.2);
•
OAEP for asymmetric encryption (see Section 14.3.2);
•
PSS and PSS-R for digital signatures (see Section 15.3).
The more we can prove about the security properties of these standardized
cryptographic systems, the better the odds that they are successful and get widely
deployed. The most we can hope is that the complexity of the cryptographic sys-
tems will be hidden in the reference implementation and programming libraries that
provide some cryptographic application programming interface (API). Examples in-
clude the CryptoAPI and the Base Cryptographic Provider of Microsoft Corporation,
and the Java Cryptography Extension of Sun Microsystems, Inc.
4
In addition to the U.S. NIST, several other (national and international) stan-
dardization bodies, forces, and groups work on cryptography. Examples include the
ANSI, the IEEE, the IETF, and the W3C. Unfortunately, many of these bodies have
4
http://java.sun.com/products/jce
