As mentioned before, a cryptographic protocol is a distributed algorithm defined by a sequence of steps precisely specifying the actions required of two or more entities to achieve a specific security objective. The following notation is used in this book to describe cryptographic protocols:

- Capital letters, such as A, B, C, ..., are used to refer to principals. Note that many publications on cryptography and cryptographic protocols use names, such as Alice and Bob, to refer to principals. This is a convenient way of making things unambiguous with relatively few words, because the pronoun "she" can be used for Alice and "he" for Bob. However, the advantages and disadvantages of this naming scheme are controversial, and we are not going to use it in this book.

- K is used to refer to a secret key, that is, a key of a secret key cryptosystem.

- The pair (k, k^-1) is used to refer to a public key pair, where k refers to the public key and k^-1 to the corresponding private key.

In either case, key subscripts are used to indicate principals. In general, capital letter subscripts are used for long-term keys, and small letter subscripts are used for short-term keys. For example, K_A refers to A's long-term secret key, whereas k_b refers to B's short-term public key.

- The term {M}_K refers to a message M that is encrypted with the secret key K. Since the same key K is used for decryption, {{M}_K}_K equals M. If K is used to compute and verify a message authentication code (MAC) for message M, the term ⟨M⟩_K refers to the MAC.

- Similarly, the term {M}_k refers to a message M that is encrypted with the public key k. The message can only be decrypted with the corresponding private key k^-1. If a public key cryptosystem is used to digitally sign messages, the private key is used for signing, and the corresponding public key is used for verifying signatures. Referring to the terminology of the OSI security architecture, the term {M}_{k^-1} refers to a digital signature giving message recovery, and ⟨M⟩_{k^-1} to a digital signature with appendix. Note that in the second case, ⟨M⟩_{k^-1} in fact abbreviates M, {h(M)}_{k^-1}, with h being an OWHF or CRHF.

Finally, the term X«Y» refers to a public key certificate that has been issued by X for Y's public key. It implies that X has verified Y's identity and certified the binding of Y's long-term public key k_Y with this identity.
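As an added example that is not part of the book, the following Python models the primitives behind the notation above, so that the identities {{M}_K}_K = M and ⟨M⟩_{k^-1} = M, {h(M)}_{k^-1} can be exercised in code. Everything here is an assumption made for illustration: the secret key cryptosystem is a SHA-256 keystream XOR, the public key pair (k, k^-1) is textbook RSA over two small fixed primes, h is SHA-256 reduced into Z_n, and the function names are mine. None of this is secure enough for real use; the point is only to make the distinction between the four signature and encryption terms concrete.

```python
"""Toy model of the protocol notation {M}_K, <M>_K, {M}_k, {M}_k^-1, <M>_k^-1.

Added example, not from the book. The cipher and the RSA key pair are
illustration-only assumptions and are NOT secure (tiny primes, no padding,
no nonce in the stream cipher).
"""
import hashlib
import hmac


# --- secret key cryptosystem: {M}_K and <M>_K ------------------------------

def _keystream(K: bytes, length: int) -> bytes:
    # SHA-256 in counter mode. Toy only: there is no nonce, so reusing K
    # for a second message would reuse the keystream.
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(K + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:length]


def enc_secret(M: bytes, K: bytes) -> bytes:
    """{M}_K. The same call decrypts, so enc_secret(enc_secret(M, K), K) == M."""
    return bytes(a ^ b for a, b in zip(M, _keystream(K, len(M))))


def mac(M: bytes, K: bytes) -> bytes:
    """<M>_K: a MAC on M under the secret key K (HMAC-SHA256)."""
    return hmac.new(K, M, hashlib.sha256).digest()


def verify_mac(M: bytes, K: bytes, tag: bytes) -> bool:
    # constant-time comparison so verification does not leak the tag bytewise
    return hmac.compare_digest(mac(M, K), tag)


# --- public key cryptosystem: the pair (k, k^-1) ------------------------------

def keygen():
    """Return (k, k_inv) = ((e, n), (d, n)). Textbook RSA over two small
    fixed primes; an assumption for illustration, not a real key generator."""
    p, q = 1000003, 1000033
    n = p * q
    phi = (p - 1) * (q - 1)
    e = 65537
    d = pow(e, -1, phi)          # private exponent (Python 3.8+)
    return (e, n), (d, n)


def h(M: bytes, n: int) -> int:
    """One-way hash of M, reduced into Z_n so the toy RSA can sign it."""
    return int.from_bytes(hashlib.sha256(M).digest(), "big") % n


def _rsa(x: int, key) -> int:
    exp, n = key
    if not 0 <= x < n:
        raise ValueError("value must lie in Z_n for this toy RSA")
    return pow(x, exp, n)


def enc_public(m: int, k) -> int:
    """{M}_k: encrypt under the public key k; only k^-1 decrypts."""
    return _rsa(m, k)


def dec_private(c: int, k_inv) -> int:
    return _rsa(c, k_inv)


def sign_recovery(m: int, k_inv) -> int:
    """{M}_k^-1: signature giving message recovery. M itself is the signed
    value, so it must fit into Z_n."""
    return _rsa(m, k_inv)


def verify_recovery(sig: int, k) -> int:
    """Applying k recovers M. A real scheme adds redundancy to M so the
    verifier can tell a genuine recovered message from garbage."""
    return _rsa(sig, k)


def sign_appendix(M: bytes, k_inv):
    """<M>_k^-1, which abbreviates the pair M, {h(M)}_k^-1. Hashing first
    lets M be of arbitrary length."""
    return M, _rsa(h(M, k_inv[1]), k_inv)


def verify_appendix(sig_pair, k) -> bool:
    M, s = sig_pair
    return _rsa(s, k) == h(M, k[1])


if __name__ == "__main__":
    K = b"long-term secret key of A (constructed)"
    k, k_inv = keygen()
    M = b"constructed sample message"
    print("{{M}_K}_K == M:", enc_secret(enc_secret(M, K), K) == M)
    print("<M>_K verifies:", verify_mac(M, K, mac(M, K)))
    print("recovery:", verify_recovery(sign_recovery(4242, k_inv), k) == 4242)
    print("appendix:", verify_appendix(sign_appendix(M, k_inv), k))
```

The two signature terms behave differently on the verifier's side: `verify_recovery` returns a value and the caller must still decide whether that value is a meaningful message, whereas `verify_appendix` returns a yes/no answer because the message travels in the clear next to the signed hash. That is exactly the distinction the OSI terminology draws between message recovery and appendix.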
CHAPTER 5

Internet Security Protocols

Contents
5.1 Introduction
5.2 Network access layer security protocols
5.3 Internet layer security protocols
5.4 Transport layer security protocols
5.5 Application layer security protocols
5.6 Conclusions
References

In this chapter, we overview and briefly discuss some cryptographic security protocols that have been proposed, specified, and partly implemented for the Internet and that can also be used on the WWW. In particular, we introduce the topic in Section 5.1, address security protocols for the network access, Internet, transport, and application layers in Sections 5.2 to 5.5, and draw some conclusions in Section 5.6.

5.1 Introduction

There is a strong consensus that providing security services in computer networks and distributed systems requires the use of cryptographic techniques, and that these techniques must be integrated into security protocols accordingly. This is also true for the Internet and the WWW. Consequently, many cryptographic security protocols have been proposed, specified, implemented, and deployed on the Internet and the WWW in the past. Some of these protocols have been successful, whereas others have not found a market and have disappeared accordingly.

In the case of TCP/IP-based networks, cryptographic security protocols can operate at any layer of the corresponding communications protocol suite. Consequently, there are proposals for providing security services at the network access, Internet, transport, and application layers. There are even some proposals to provide security services above the application layer. All of these possibilities are overviewed and briefly discussed in the sequel. Keep in mind, however, that the treatment in this book is rather short, and that a more detailed overview and discussion can be found in Part III of [1]. Also, the chapter provides a long list of references for further study.