STE WILLIAMS

Crypto protocols held back by legacy, says ENISA

Secure remote control for conventional and virtual desktops

The EU Agency for Network Information and Security (ENISA) has updated its 2013 crypto guidelines, designed to help developers protect personal information in line with EU law, and has sternly told crypto designers they’re doing it wrong, in two reports released late last week.

At the protocol level, cryptography suffers from the tyranny of the installed base, the group writes in Study on cryptographic protocols (PDF here).


The report states that “cryptographic protocols suffer more from legacy issues than the underlying cryptographic components”, and notes that even when a protocol meets the demands of formal proofs, it can easily be broken by a developer with an eye to improving things:

“Designers and implementers should refrain from “optimising” well studied protocols to achieve some specific application need; unless they are prepared to revisit and re-evaluate the above security proofs. Small insignificant changes in protocols can result in invalidating the guarantees of such proofs”, the study notes.

Its second report, Algorithms, key size and parameters (PDF), adds consideration of side-channel attacks (both in hardware and software) and presents some suggestions for countermeasures.

Among the kinds of side-channel attacks ENISA suggests designers take into account are:

There are also long discussions of random number generation and key life-cycle management. ®

Secure remote control for conventional and virtual desktops

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/11/24/crypto_protocols_held_back_by_legacy_says_enisa/

Comments are closed.