ENISA guidelines on cryptographic solutions
ENISA published two reports. “Algorithms, key size and parameters” is a reference document providing a set of guidelines to decision makers, in particular specialists designing and implementing cryptographic solutions for personal data protection. The “Study on cryptographic protocols” provides an implementation perspective, covering guidelines regarding protocols required to protect commercial online communications containing personal data.
Algorithms, key size and parameters
This report provides a set of proposals in an easy to use form, with a focus on commercial online services that collect, store and process the personal data of EU citizens. It provides an update of the 2013 cryptographic guidelines report on security measures required to protect personal data in online systems.
Compared with the 2013 edition, the report has been extended to include a section on hardware and software side-channels, random number generation, and key life cycle management, while the part on protocols, for 2014 is extended and is a stand-alone study on cryptographic protocols.
The report explains two aspects of cryptographic mechanisms:
- Whether a given primitive or scheme can be considered for use today if it is already deployed
- Whether a primitive or scheme is suitable for deployment in new or future systems.
- Long term data retention issues are analysed along with a number of general issues related to the deployment of cryptographic primitives and schemes. All the mechanisms discussed in the report are standardised to some extent, and have either been deployed, or are planned to be deployed, in real systems.
Study on cryptographic protocols
The second report focuses on the current status in cryptographic protocols and encourages further research. A quick overview is presented on protocols which are used in relatively restricted application areas, such as wireless, mobile communications or banking (Bluetooth, WPA/WEP, UMTS/LTE, ZigBee, EMV) and specific environments focusing on Cloud computing.
The main emphasis of the report is on guidelines to researchers and organisations in the field, which include:
- Cryptographic and security protocols to be designed by cryptographic protocol experts rather than networking and protocol experts to date. Additionally, researchers need to simplify the analysis and enable automated tools to provide strong computational guarantees.
- More attention is required to automated verification so the implementation of a protocol can meet given security goals, and examine how automated tools can guarantee correct implementation of a protocol design.
- Small insignificant changes in protocols can result in invalidating the guarantee proofs.
- Future protocols should be designed using solid and well-established engineering principles, ease of formal security analysis, and in conjunction with the development of formal security proofs, designed in cryptanalysis of their constituent primitives.
- Future protocols should not be any more complex than they need to be.
- More work needs to be performed on verifying APIs for application protocols.