BibTex RIS Cite

Challenges in standardising cryptography

Year 2016, Volume: 5 Issue: 2, 29 - 38, 01.06.2016

Chris J Mitchell

Abstract

A series of challenges that face effective standardisation of cryptographic techniques are discussed. In many cases these challenges are illustrated with case studies, primarily focussing on experience within ISO/IEC JTC 1/SC 27/WG 2, the international standards committee responsible for developing standards for cryptographic methods. Priorities for improving the effectiveness of the standards-making process are also highlighted.

Keywords

Cryptographic standards information security

References

  • A. W. Dent and C. J. Mitchell, User’s Guide to Cryptography and Standards.
  • National Bureau of Standards (NBS) Federal Information Processing Standards (FIPS) Publication 46—Data Encryp- tion Standard (DES), National Technical Information Service, Springfield, Va., April 1977.
  • National Bureau of Standards (NBS) Federal Information Pro- cessing Standards (FIPS) Publication 81—DES modes of oper- ation, National Technical Information Service, Springfield, Va., December 1980.
  • ANSI X9.19, Financial institution retail message authentication, American Bankers Association, Washington, DC, August 1986.
  • ANSI X9.9–1986 (revised), Financial institution message au- thentication (wholesale), American Bankers Association, Wash- ington, DC, April 1986.
  • ANSI X3.92–1981, Data Encryption Algorithm, American Na- tional Standards Institute, New York, 1981.
  • ANSI X3.106–1983, Data Encryption Algorithm—Modes of operation, American National Standards Institute, New York, 1983.
  • ANSI X9.52–1998, Triple Data Encryption Algorithm — Modes of operation, American National Standards Institute, New York, 1998.
  • ISO 8372: 1987, Information Processing — Modes of operation for a 64-bit block cipher algorithm, International Organization for Standardization, Gen`eve, Switzerland, 1987.
  • ISO/IEC 9797: 1989, Data cryptographic techniques—Data integrity mechanism using a cryptographic check function em- ploying a block cipher algorithm, International Organization for Standardization, Gen`eve, Switzerland, December 1989.
  • ISO/IEC 18033-4:2011, Information technology — Security techniques — Encryption Algorithms — Part 4: Stream Ciphers, 2nd ed., International Organization for Standardization, Gen`eve, Switzerland, 2011.
  • ISO/IEC 18033-3:2010, Information technology — Security techniques — Encryption algorithms — Part 3: Block ciphers, 2nd ed., International Organization for Standardization, Gen`eve, Switzerland, 2010.
  • ISO/IEC 10116: 2006, Information technology — Security techniques — Modes of operation for ann-bit block cipher, 3rd ed., International Organization for Standardization, Gen`eve, Switzerland, 2006.
  • ISO/IEC 9797–1, Information technology — Security techniques — Message Authentication Codes (MACs) — Part 1: Mecha- nisms using a block cipher, 2nd ed., International Organization for Standardization, Gen`eve, Switzerland, 2011.
  • ISO/IEC 9797-2:2011, Information technology — Security tech- niques — Message Authentication Codes (MACs) — Part 2: Mechanisms using a dedicated hash-function, 2nd ed., Interna- tional Organization for Standardization, Gen`eve, Switzerland, May 2011.
  • ISO/IEC 9797-3:2011, Information technology — Security tech- niques — Message Authentication Codes (MACs) — Part 3: Mechanisms using a universal hash-function, International Or- ganization for Standardization, Gen`eve, Switzerland, 2011.
  • ISO/IEC 10118-1:2000, Information technology — Security techniques — Hash-functions — Part 1: General, 2nd ed., Inter- national Organization for Standardization, Gen`eve, Switzerland, June 2000.
  • ISO/IEC 10118-2:2010, Information technology — Security techniques — Hash-functions — Part 2: Hash-functions using ann-bit block cipher, 3rd ed., International Organization for Standardization, Gen`eve, Switzerland, October 2010.
  • ISO/IEC 10118–3, Information technology — Security tech- niques — Hash-functions — Part 3: Dedicated hash-functions, 3rd ed., International Organization for Standardization, Gen`eve, Switzerland, 2004.
  • ISO/IEC 10118-4:1998, Information technology — Security techniques — Hash-functions — Part 4: Hash-functions using modular arithmetic, International Organization for Standardiza- tion, Gen`eve, Switzerland, December 1998.
  • ISO/IEC 9796-2:2010, Information technology — Security tech- niques — Digital signature schemes giving message recovery — Part 2: Integer factorization based mechanisms, 3rd ed., Inter- national Organization for Standardization, Gen`eve, Switzerland, December 2010.
  • ISO/IEC 9796-3:2006, Information technology — Security tech- niques — Digital signature schemes giving message recovery — Part 3: Discrete logarithm based mechanisms, 2nd ed., Inter- national Organization for Standardization, Gen`eve, Switzerland, September 2006.
  • ISO/IEC 14888-1:2008, Information technology — Security techniques — Digital signatures with appendix — Part 1: Gen- eral, 2nd ed., International Organization for Standardization, Gen`eve, Switzerland, April 2008.
  • ISO/IEC 14888-2:2008, Information technology — Security techniques — — Digital signatures with appendix — Part 2: Integer factorization based mechanisms, 2nd ed., International Organization for Standardization, Gen`eve, Switzerland, April 2008.
  • ISO/IEC 14888-3:2016, Information technology — Security techniques — — Digital signatures with appendix — Part 3: Discrete logarithm based mechanisms, 3rd ed., International Organization for Standardization, Gen`eve, Switzerland, March 2016.
  • ISO/IEC 3rd CD 19772, Information technology — Security techniques — Authenticated encryption mechanisms, Interna- tional Organization for Standardization, Gen`eve, Switzerland, June 2007.
  • ISO/IEC 9798-1:2010, Information technology — Security techniques — — Entity authentication — Part 1: General, 3rd ed., International Organization for Standardization, Gen`eve, Switzerland, June 2010.
  • ISO/IEC 9798-2:2008, Information technology — Security tech- niques — — Entity authentication — Part 2: Mechanisms using symmetric encipherment algorithms, 3rd ed., International Or- ganization for Standardization, Gen`eve, Switzerland, December 2008.
  • ISO/IEC 9798-3:1998, Information technology — Security tech- niques — Entity authentication — Part 3: Mechanisms using digital signature algorithms, 2nd ed., International Organization for Standardization, Gen`eve, Switzerland, 1998.
  • ISO/IEC 9798–4:1999, Information technology — Security tech- niques — Entity authentication — Part 4: Mechanisms using a cryptographic check function, 2nd ed., International Organiza- tion for Standardization, Gen`eve, Switzerland, 1999.
  • ISO/IEC 9798-5:2009, Information technology — Security tech- niques — — Entity authentication — Part 5: Mechanisms using zero-knowledge techniques, 3rd ed., International Organization for Standardization, Gen`eve, Switzerland, December 2009.
  • ISO/IEC 11770–4:2006, Information technology — Security techniques — Key management — Part 4: Mechanisms based on weak secrets, International Organization for Standardization, Gen`eve, Switzerland, 2006.
  • ISO/IEC 18031:2011, Information technology — Security tech- niques — Random bit generation, 2nd ed., International Orga- nization for Standardization, Gen`eve, Switzerland, 2011.
  • ISO/IEC 18032:2005, Information technology — Security tech- niques — — Prime number generation, International Organiza- tion for Standardization, Gen`eve, Switzerland, January 2005.
  • ISO/IEC 29192-1:2012, Information technology — Security techniques — Lightweight cryptography — Part 1: General, In- ternational Organization for Standardization, Gen`eve, Switzer- land, 2012.
  • ISO/IEC 29192-2:2012, Information technology — Security techniques — Lightweight cryptography — Part 2: Block ci- phers, International Organization for Standardization, Gen`eve, Switzerland, 2012.
  • ISO/IEC 29192-3:2012, Information technology — Security techniques — Lightweight cryptography — Part 3: Stream ciphers, International Organization for Standardization, Gen`eve, Switzerland, September 2012.
  • ISO/IEC 29192-4:2013, Information technology — Security techniques — Lightweight cryptography — Part 4: Mechanisms using asymmetric techniques, International Organization for Standardization, Gen`eve, Switzerland, May 2013.
  • ISO/IEC 20008-1:2013, Information technology — Security techniques — Anonymous digital signatures — Part 1: Gen- eral, International Organization for Standardization, Gen`eve, Switzerland, December 2013.
  • ISO/IEC 20008-2:2013, Information technology — Security techniques — Anonymous digital signatures — Part 2: Mecha- nisms using a group public key, International Organization for Standardization, Gen`eve, Switzerland, November 2013.
  • ISO/IEC 20009-1:2013, Information technology — Security techniques — Anonymous entity authentication — Part 1: Gen- eral, International Organization for Standardization, Gen`eve, Switzerland, July 2013.
  • ISO/IEC 20009-2:2013, Information technology — Security techniques — Anonymous entity authentication — Part 2: Mech- anisms based on signatures using a group public key, Interna- tional Organization for Standardization, Gen`eve, Switzerland, November 2013.
  • L. Chen and C. J. Mitchell, “Parsing ambiguities in authenti- cation and key establishment protocols,” Journal of Electronic Security and Digital Forensics, vol. 3, pp. 82–94, 2010.
  • C. Namprempre, P. Rogaway, and T. Shrimpton, “Reconsidering generic composition,” in Advances in Cryptology — EURO- CRYPT 2014 — 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copen- hagen, Denmark, May 11–15, 2014. Proceedings, ser. Lecture Notes in Computer Science, P. Q. Nguyen and E. Oswald, Eds., vol. 8441. Springer-Verlag, Berlin, 2014, pp. 257–274.
  • ISO/IEC 19772:2009/Cor 1:2014, Information technology — Security techniques — Authenticated encryption mechanisms — Corrigendum 1, International Organization for Standardization, Gen`eve, Switzerland, September 2014.
  • R. L. Rivest, RFC 1320, The MD4 Message-Digest Algorithm, Internet Engineering Task Force, April 1992.
  • ——, RFC 1321, The MD5 Message-Digest Algorithm, Internet Engineering Task Force, April 1992.
  • Federal Information Processing Standard Publication 180 (FIPS PUB 180): Secure Hash Standard (SHS), U.S. De- partment of Commerce / National Institute of Standards and Technology (NIST), Gaithersburg, MD, October 1993.
  • ISO/IEC 10118–3, Information technology — Security tech- niques functions, Gen`eve, Switzerland, 1998. — Part 3: for Organization Standardization,
  • ISO/IEC FDIS 11770-6, Information technology — Security techniques — Key management — Part 1: Key derivation, Inter- national Organization for Standardization, Gen`eve, Switzerland, May 2016.
  • A. S. Tanenbaum, Computer networks, 2nd ed. Prentice-Hall, Upper Saddle River, NJ, 1988.
  • C. J. Mitchell, “Choosing algorithms to standardise,” Depart- ment of Mathematics, Royal Holloway, University of London, Tech. Rep. RHUL-MA-2012-14, June 2012, available at http: //www.ma.rhul.ac.uk/techreports.
  • ISO/IEC JTC 1/SC 27 N14020: SC 27/WG 2 Standing Docu- ment 5 — Process for inclusion and deletion of Cryptographic Mechanisms, International Organization for Standardization, Gen`eve, Switzerland, April 2014, available at http://www.din. de/en/meta/jtc1sc27/downloads.
  • K. Munro, “Deconstructing Flame: the limitations of traditional defences,” Computer Fraud & Security, vol. 2012, pp. 8–11, 2012.
  • J. P. Degabriele and K. G. Paterson, “Attacking the IPsec standards in encryption-only configurations,” in Proceedings: 2007 IEEE Symposium on Security and Privacy (S&P 2007), 20–23 May 2007, Oakland, California, USA. Society Press, Los Alamitos, California, 2007, pp. 335–349.
  • S. Fahl, M. Harbach, T. Muders, M. Smith, L. Baumg¨artner, and B. Freisleben, “Why Eve and Mallory love Android: An analysis of Android SSL (in)security,” in ACM Conference on Computer and Communications Security, CCS ’12, Raleigh, NC, USA, October 16–18, 2012, T. Yu, G. Danezis, and V. D. Gligor, Eds.
  • ACM, 2012, pp. 50–61.
  • M. Georgiev, S. Iyengar, S. Jana, R. Anubhai, D. Boneh, and V. Shmatikov, “The most dangerous code in the world: Vali- dating SSL certificates in non-browser software,” in ACM Con- ference on Computer and Communications Security, CCS ’12, Raleigh, NC, USA, October 16–18, 2012, T. Yu, G. Danezis, and V. D. Gligor, Eds.
  • ACM, 2012, pp. 38–49.
  • S. Landau, “Making sense from Snowden: What’s significant in the NSA surveillance revelations,” IEEE Security & Privacy, vol. 11, no. 4, pp. 54–63, 2013.
  • ——, “Highlights from making sense of Snowden, Part II: What’s significant in the NSA revelations,” IEEE Security & Privacy, vol. 12, no. 1, pp. 62–64, 2014.
  • ISO/IEC 18031:2011/Cor 1:2014, Information technology — Security techniques — Random bit generation — Corrigen- dum 1, International Organization for Standardization, Gen`eve, Switzerland, September 2014.
  • C. J. Mitchell, “On the security of 2-key triple DES,” Febru- ary 2016, arXiv:1602.062298 [cs.CR], http://arxiv.org/abs/1602. 06229.
There are 63 citations in total.

Details

Primary Language English
Journal Section Research Article
Authors

Chris J Mitchell This is me

Publication Date June 1, 2016
Published in Issue Year 2016 Volume: 5 Issue: 2

Cite

IEEE C. J. Mitchell, “Challenges in standardising cryptography”, IJISS, vol. 5, no. 2, pp. 29–38, 2016.