Recap of Cryptographic Applications

Let’s have a look at a summary of the chapter.

Summary

In this chapter, we examined several cryptographic applications. Each of these applications varied in terms of the cryptographic services it required and the constraints within which it operated. For each application we identified the cryptographic requirements, detailed the cryptography deployed, and discussed the appropriate key management. We examined these applications in a fairly consistent manner, the idea being that this same methodology could be used to analyze the cryptographic design of other applications not covered in this chapter.

Hopefully, this examination of some important cryptography applications has provided a useful illustration of the fundamental principles outlined in the earlier chapters. Of particular importance are the following general issues that we have aimed to make clear during our analysis:

  • Applications tend to aim for ‘sufficient’ security rather than ‘best’ security. The use of cryptography often represents a computational and/or usability overhead, and hence it should not be needlessly deployed to provide security services that are not required.

  • As we have seen throughout our discussions, security and efficiency often have to be traded off against one another. Getting the right balance is not always easy. The development of several of the applications we have examined shows that designers are often forced to readjust this balance over time. Naturally enough, the tendency is to err towards efficiency in early versions of cryptographic applications.

  • Application constraints play an important role in cryptographic design. They often dictate both the cryptography deployed and how keys are managed.

  • The use of proprietary cryptographic algorithms comes with a degree of risk. While many applications initially adopted proprietary cryptographic algorithms for legitimate reasons, the underlying primitives were reverse-engineered and found to contain flaws in several high-profile cases. These early versions have been replaced by systems using publicly known algorithms in most cases.

  • Despite the wide variety of cryptographic algorithms designed and made publicly available, only a very select few are deployed in real applications.

  • Symmetric cryptography remains the preferred choice for most applications. Public-key cryptography is selectively deployed only when the key management requirements of symmetric cryptography cannot be easily supported, which tends to be the case for applications in open environments. Even then, its use tends to be restricted to essential operations.

  • Key management is critical to the security of a cryptographic application. Key management is relatively straightforward in some applications but much more complex in others. Indeed, key management issues can often dictate what kind of cryptography is used in an application.
