RE: SOI QUESTIONS: 2.6 Formal proofs of security
> In many cases, the cryptographic primitives used by security protocols
> do not have formal proofs of security either. In particular,
> IKEv2 [0] includes PKCS-1 by reference for digital signature. There
> are no good formal proofs of security for PKCS-1 signature mode. Does
> this mean we should cut over to one of the provably secure signature
> schemes such as PSS? [1] I suspect that similar comments apply
> to the key expansion PRFs used by IKEv2.
I think that the two issues are separable. Any proof of security
properties for the protocol should start from certain assumptions
about the algorithms used.
I think that the proof of correctness of the algorithm should be
separated from the protocol. It is likely that the proof techniques
used will be completely different.
However I would also suggest that as a matter of good practice any
introduction of an incompatible protocol change is a good time
to deprecate or eliminate obsolete algorithms from the cipher suites.
IP issues being equal I would say nuke PKCS#1 and select a single
wrapping algorithm that provides the best security we know of today.
Phill