Protocol Basics

Let’s look at two different but related reasons why people need cryptographic protocols.

Operational motivation for protocols

It’s rare to deploy a cryptographic primitive in isolation to provide a single security service for a single piece of data. There are several reasons for this. Many applications:

• Have complex security requirements: For example, if we wish to transmit some sensitive information across an insecure network, then it is likely we’ll want confidentiality and data origin authentication guarantees.

• Involve different data items with different security requirements: Most applications involve different pieces of data, each of which may have different security requirements. For example, an application processing an online transaction may require the purchase details (product, cost) to be authenticated but not encrypted so that this information is widely available. However, the payment details (card number, expiration date) are likely to be required to be kept confidential.

  It’s also possible that different requirements of this type arise for efficiency reasons since all cryptographic computations (particularly public-key computations) have an associated efficiency cost. It can therefore be desirable to apply cryptographic primitives only to those data items that strictly require a particular type of protection.

• Involve information flowing between more than one entity: It’s rare for a cryptographic application to involve just one entity, such as when a user encrypts a file for storage on their local machine. Most applications involve at least two entities exchanging data. For example, a card payment scheme may involve a client, a merchant, the client’s bank, and the merchant’s bank (and possibly other entities).

• Consist of a sequence of logical (conditional) events: Real applications normally involve multiple operations that need to be conducted in a specific order, each of which may have security requirements. For example, it does not make any sense to provide confidentiality protection for the deduction of a sum from a client’s account and issue some money from a cash machine until entity authentication of the client has been conducted.

We thus require a process for specifying precisely how to apply cryptographic primitives during the exchange of data between entities so that the necessary security goals are met.

Environmental motivation for protocols

An alternative reason for cryptographic protocols comes from the environments that are likely to be deployed.

The idea of a protocol should be quite familiar. We engage in protocols in many aspects of daily life. For example, most cultures have established protocols that run when two people who have not met before are introduced to one another (such as smiling, shaking hands, then exchanging business cards). Diplomatic protocols are an example of a more formally documented class of protocols. These are procedures designed to achieve diplomatic goals, independent of the culture and language of the participating countries and diplomats.

Indeed, it is for the very reason that countries, languages, and diplomats are all different that diplomatic protocols are necessary. Another possibly familiar example of a protocol is the sequence of procedural and legal processes involved in selling or purchasing a property within a particular legal jurisdiction.