
RE: SOI QUESTIONS: 2.6 Formal proofs of security



> In many cases, the cryptographic primitives used by security protocols
> do not have formal proofs of security either. In particular, 
> IKEv2 [0] includes PKCS-1 by reference for digital signature. There
> are no good formal proofs of security for PKCS-1 signature mode. Does
> this mean we should cut over to one of the provably secure signature
> schemes such as PSS? [1] I suspect that similar comments apply
> to the key expansion prfs used by IKEv2.

I think that the two issues are separable. Any proof of security
properties for the protocol should start from certain assumptions 
about the algorithms used.

I think that the proof of correctness of the algorithm should be
separated from the protocol. It is likely that the proof techniques
used will be completely different.


However I would also suggest that as a matter of good practice any
introduction of an incompatible protocol change is a good time
to deprecate or eliminate obsolete algorithms from the cipher suites.

IP issues being equal I would say nuke PKCS#1 and select a single
wrapping algorithm that provides the best security we know of today.


	Phill
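The quoted question contrasts the PKCS#1 v1.5 signature encoding with PSS. The following is an added illustration, not code from the thread or from any IKEv2 draft: it implements the two message encodings from RFC 3447 (EMSA-PKCS1-v1_5 and EMSA-PSS with MGF1, both over SHA-256) using only the standard library, so the structural difference the proof of security rests on, a deterministic padding versus a randomised salt that the verifier recovers and re-hashes, can be observed directly. The modulus size (1023 or 1024 bits) and the sample message are assumed values chosen for the example; the RSA exponentiation itself is omitted, since the encoding is what distinguishes the two schemes.

```python
"""EMSA-PSS (RFC 3447 section 9.1) and EMSA-PKCS1-v1_5 (section 9.2) message
encodings over SHA-256, standard library only.  Constructed example; modulus
size and sample message are assumptions, not values from the thread."""
import hashlib
import hmac
import os
from typing import Optional

HASH = hashlib.sha256
H_LEN = HASH().digest_size
SALT_LEN = H_LEN  # sLen = hLen, the usual parameter choice for PSS

# DER DigestInfo prefix for SHA-256 (RFC 3447 section 9.2, note 1)
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")


def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 mask generation function (RFC 3447 appendix B.2.1)."""
    out = b""
    counter = 0
    while len(out) < mask_len:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def emsa_pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """Deterministic v1.5 encoding: 00 01 FF..FF 00 DigestInfo||hash."""
    t = SHA256_DIGEST_INFO + HASH(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def emsa_pss_encode(message: bytes, em_bits: int, salt: Optional[bytes] = None) -> bytes:
    """Randomised PSS encoding; a fresh salt is drawn unless one is supplied."""
    em_len = (em_bits + 7) // 8
    if em_len < H_LEN + SALT_LEN + 2:
        raise ValueError("encoding error: modulus too small for hash and salt")
    if salt is None:
        salt = os.urandom(SALT_LEN)
    m_hash = HASH(message).digest()
    h = HASH(b"\x00" * 8 + m_hash + salt).digest()  # H = Hash(M')
    ps = b"\x00" * (em_len - SALT_LEN - H_LEN - 2)
    db = ps + b"\x01" + salt
    masked_db = _xor(db, mgf1(h, em_len - H_LEN - 1))
    # clear the leftmost 8*emLen - emBits bits so that EM < modulus
    clear = 8 * em_len - em_bits
    masked_db = bytes([masked_db[0] & (0xFF >> clear)]) + masked_db[1:]
    return masked_db + h + b"\xbc"


def emsa_pss_verify(message: bytes, em: bytes, em_bits: int) -> bool:
    """PSS consistency check: recover the salt, recompute H, compare."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < H_LEN + SALT_LEN + 2:
        return False
    if em[-1] != 0xBC:
        return False
    masked_db = em[: em_len - H_LEN - 1]
    h = em[em_len - H_LEN - 1 : em_len - 1]
    clear = 8 * em_len - em_bits
    if masked_db[0] & ~(0xFF >> clear) & 0xFF:
        return False  # leftmost bits must be zero
    db = _xor(masked_db, mgf1(h, em_len - H_LEN - 1))
    db = bytes([db[0] & (0xFF >> clear)]) + db[1:]
    ps_len = em_len - H_LEN - SALT_LEN - 2
    if db[:ps_len] != b"\x00" * ps_len or db[ps_len] != 0x01:
        return False
    salt = db[-SALT_LEN:]
    h_prime = HASH(b"\x00" * 8 + HASH(message).digest() + salt).digest()
    return hmac.compare_digest(h, h_prime)


if __name__ == "__main__":
    msg = b"IKE_AUTH signed octets (constructed sample)"  # assumed input
    v15_a, v15_b = emsa_pkcs1_v15_encode(msg, 128), emsa_pkcs1_v15_encode(msg, 128)
    pss_a, pss_b = emsa_pss_encode(msg, 1023), emsa_pss_encode(msg, 1023)
    print("v1.5 encodings identical:", v15_a == v15_b)   # True: deterministic
    print("PSS encodings identical: ", pss_a == pss_b)   # False: fresh salt each time
    print("PSS verifies:", emsa_pss_verify(msg, pss_a, 1023))
    print("PSS rejects altered message:", not emsa_pss_verify(b"x", pss_a, 1023))
```

Running the script shows the point the question turns on: every v1.5 signature of a given message has one fixed encoding, while each PSS signature carries its own salt, recovered during verification by unmasking DB and checked by recomputing H. The length check in `emsa_pss_verify` matters for the same reason the 1023-bit case is exercised: when the modulus length is not a multiple of eight, the top bits of the masked block must be cleared on encoding and confirmed zero on verification.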