Crypto protocols held back by legacy, says ENISA
EU takes the microscope to security
The EU Agency for Network Information and Security (ENISA) has updated its 2013 crypto guidelines, designed to help developers protect personal information in line with EU law, and has sternly told crypto designers they're doing it wrong, in two reports released late last week.
At the protocol level, cryptography suffers from the tyranny of the installed base, the group writes in Study on cryptographic protocols (PDF here).
The report states that “cryptographic protocols suffer more from legacy issues than the underlying cryptographic components”, and notes that even when a protocol meets the demands of formal proofs, it can easily be broken by a developer with an eye to improving things:
“Designers and implementers should refrain from “optimising” well studied protocols to achieve some specific application need; unless they are prepared to revisit and re-evaluate the above security proofs. Small insignificant changes in protocols can result in invalidating the guarantees of such proofs”, the study notes.
Its second report, Algorithms, key size and parameters (PDF), adds consideration of side-channel attacks (both in hardware and software) and presents some suggestions for countermeasures.
Among the kinds of side-channel attacks ENISA suggests designers take into account are:
- Timing attacks – designers need to make sure that execution time isn't dependent on the private key;
- Power consumption observations – “the instantaneous power consumption signal not only leaks the execution time of the algorithm, but also its level of activity”, the paper notes, so designers of hardware crypto should use balanced circuits to reduce the leakage;
- Designers should avoid data-dependent branching, and similarly shy away from lookups that are data dependent, because both of these can reveal information about key processing; and
- The document also recommends devs use techniques to mask the correlations between data elements and secrets.
There are also long discussions of random number generation and key life-cycle management. ®