IT Baseline Protection Manual S 2.164 Selection of a suitable cryptographic procedure
Initiation responsibility: IT Security Management
Implementation responsibility: IT Security Management
The selection of a cryptographic procedure is divided into two subsidiary tasks:
Selection of the cryptographic algorithm
Selection of a means of technical implementation
Before users commit themselves to a particular procedure, they should have a precise conception of their requirements in terms of the confidentiality and authenticity of the processed data at every point of the information-processing system.
Selection of cryptographic algorithms
When selecting cryptographic algorithms it is first necessary to clarify which type of cryptographic procedure is required, in other words a symmetrical, asymmetrical or hybrid procedure, and then to select suitable algorithms, i.e. those with the requisite mechanism strength.
Encryption techniques
Symmetrical encryption: The advantages and disadvantages of symmetrical techniques are described in S 3.23. Suitable algorithms include triple DES, IDEA and RC5 for example; in the case of RC5 the key length should be at least 80 bits.
Asymmetrical encryption: The advantages and disadvantages of asymmetrical techniques are described in S 3.23. Suitable algorithms include RSA, for example, or encryption techniques based on elliptical curves (see below for key length).
Authentication techniques
Authentication of messages
Various techniques can be used for the authentication of messages, such as a message authentication code (MAC) or a digital signature procedure. It is advantageous to use a MAC if extremely high throughput rates are required (or if only low computing capacity is available) and the risk of key disclosure is very low at both ends. It is advantageous to use a digital signature procedure if the risk of (signature) key disclosure is considerably higher at one end than it is at the other; generally it is imperative if non-repudiation services are required. It should be noted once again that an infrastructure of trusted third parties must be in place for a non-repudiation service.
The best known MAC algorithm is the encryption of a message with DES or another block encryption technique in CBC or CFB mode. This involves appending the last encrypted block to the message as the MAC. Variants such as these are specified in the ANSI X9.9, ANSI X9.19, ISO 8731-1 or ISO 9797 standards, for example.
Suitable algorithms for digital signatures include RSA, DSA (digital signature algorithm) or DSA variants based on elliptical curves, for example ISO/IEC 15946-2, IEEE standard P1363, Section 5.3.3 (Nyberg-Rueppel version) or IEEE standard P1363, Section 5.3.4 (DSA version).
Authentication of users or components
One simple method of authentication is the use of a password prompt. However, if the passwords are sent across a network without being encrypted, it is relatively easy to read them. Better techniques should therefore be used in this case. Examples of suitable techniques include:
One-time passwords (see also S 5.34 Use of one-time passwords), which can be generated with software or hardware support. Preference should be given to hardware-based authentication methods in this case, because they require less organisational work and offer greater security.
Authentication by means of PAP, or preferably CHAP, which are used in conjunction with the point-to-point protocol (see S 5.50).
Authentication by means of CLIP/COLP, which is used for communication via ISDN (see S 5.48).
One other familiar procedure is the authentication protocol Kerberos, which was developed at MIT (Massachusetts Institute of Technology). It is used in networks for the mutual authentication of users/clients and servers. The central authority in Kerberos is the ticket-granting server, which issues tickets by means of which clients and servers can authenticate themselves to each other. Once authentication has been completed, users can request session keys for a wide variety of services with the aid of these tickets.
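The contrast between PAP and CHAP in the list above, as an added example that is not part of the manual: PAP carries the password itself, while CHAP returns only a hash over a fresh challenge (message formats per RFC 1334 and RFC 1994). The Authenticator class, the account name and the secret are constructed for illustration.

```python
import hashlib
import hmac
import os

def pap_request(ident: int, name: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request (RFC 1334): the password travels in the clear."""
    body = bytes([len(name)]) + name + bytes([len(password)]) + password
    return bytes([1, ident]) + (4 + len(body)).to_bytes(2, "big") + body

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response value (RFC 1994): MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Authenticator:
    """Server side of CHAP (hypothetical helper): issues single-use challenges."""

    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.pending = {}   # name -> (identifier, challenge) awaiting a response
        self.next_id = 0

    def challenge(self, name: bytes):
        ident, self.next_id = self.next_id, (self.next_id + 1) % 256
        self.pending[name] = (ident, os.urandom(16))
        return self.pending[name]

    def verify(self, name: bytes, ident: int, response: bytes) -> bool:
        outstanding = self.pending.pop(name, None)  # a challenge is consumed once
        if outstanding is None or outstanding[0] != ident or name not in self.secrets:
            return False
        expected = chap_response(ident, self.secrets[name], outstanding[1])
        return hmac.compare_digest(expected, response)

# Constructed sample account; name and secret are placeholders.
NAME, SECRET = b"alice", b"correct horse"

def demo() -> dict:
    server = Authenticator({NAME: SECRET})
    ident, chal = server.challenge(NAME)
    resp = chap_response(ident, SECRET, chal)       # computed by the peer
    login = server.verify(NAME, ident, resp)
    ident2, _ = server.challenge(NAME)              # a later login attempt
    replay = server.verify(NAME, ident2, resp)      # recorded response, new challenge
    return {"login": login, "replay": replay,
            "pap_leaks": SECRET in pap_request(0, NAME, SECRET),
            "chap_leaks": SECRET in chal + resp}

if __name__ == "__main__":
    print(demo())
```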
Hash techniques
Suitable algorithms include MD5, SHA-1 and RIPEMD-160, for example.
Selection criteria
Mechanism strength / key length
One major criterion for the selection of cryptographic procedures is their mechanism strength. With symmetrical procedures a particular requirement is that the key length should be sufficiently large. The larger the key length used with a cryptographic procedure, the longer it takes to find the key, for example by a brute force attack. On the other hand, the procedures become slower when longer keys are used, so it is always necessary to consider which key length is appropriate with regard to benefit/performance factors. As a rule of thumb for good procedures (triple DES, IDEA, RC5, ...) and average protection requirements, it is currently thought that the keys used should be at least 80 bits long. When block ciphers are used, relatively large, structured quantities of data should not be encrypted in ECB mode. CBC mode or CFB mode should be used for this instead. At least one of these operating modes should therefore be implemented.
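The ECB advice above and the CBC-based MAC described under "Authentication of messages" can be seen side by side in the following added example, which is not part of the manual. The 8-byte Feistel cipher is a constructed, insecure stand-in for DES so that the code runs with the Python standard library alone; the key, IV, sample record, function names and the choice of ISO/IEC 9797-1 padding method 2 are assumptions.

```python
import hashlib

BLOCK = 8  # bytes; the same block size as DES

def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel cipher, a constructed stand-in for DES (not secure)."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def pad(data: bytes) -> bytes:
    """ISO/IEC 9797-1 padding method 2: one 0x80 byte, then zeros to a block boundary."""
    data += b"\x80"
    return data + b"\x00" * (-len(data) % BLOCK)

def split(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # Every block is encrypted independently, so equal plaintext blocks stay equal.
    return b"".join(encrypt_block(key, b) for b in split(pad(data)))

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Each plaintext block is XORed with the previous ciphertext block first.
    out, prev = [], iv
    for b in split(pad(data)):
        prev = encrypt_block(key, bytes(x ^ y for x, y in zip(b, prev)))
        out.append(prev)
    return b"".join(out)

def cbc_mac(key: bytes, message: bytes) -> bytes:
    # CBC pass with a fixed zero IV; only the last encrypted block is kept as the MAC.
    return cbc_encrypt(key, bytes(BLOCK), message)[-BLOCK:]

def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block."""
    blocks = split(ciphertext)
    return len(blocks) - len(set(blocks))

# Constructed sample data: a structured record with repeating 8-byte fields.
# The fixed IV keeps the run reproducible; a real IV must be unpredictable.
KEY, IV = b"demo-key-not-real", bytes(range(BLOCK))
RECORD = b"BALANCE=00000000" * 4

if __name__ == "__main__":
    print("duplicate blocks, ECB:", repeated_blocks(ecb_encrypt(KEY, RECORD)))
    print("duplicate blocks, CBC:", repeated_blocks(cbc_encrypt(KEY, IV, RECORD)))
    print("MAC:", cbc_mac(KEY, RECORD).hex())
```

Plain CBC-MAC as shown is only sound when all messages have the same length; for variable-length messages one of the strengthened variants defined in ISO/IEC 9797-1 is needed.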
In the case of asymmetrical procedures, the chosen mechanism strength should be such that solving the underlying mathematical problems requires an unjustifiably high or practically impossible amount of computation (the mechanism strength that should be chosen is therefore dependent on the present state of algorithm development and of computing technology). Currently it can be assumed that you will be "on the safe side" with:
modulus lengths of 768 bits with RSA or
subgroup orders of the order of magnitude of 160 bits in the case of ElGamal procedures on a suitable elliptical curve.
No "unknown" algorithms should be used, i.e. the algorithms that are used should be ones which have been published, have been intensively investigated by a broad spectrum of experts and which are not known to have any security weaknesses. Vendors frequently offer security products with new algorithms which are supposedly "even more secure and even faster" than other algorithms. However, great caution must be exercised when using unknown algorithms from sources whose cryptographic competence is not sufficiently proven.
Symmetrical or hybrid procedures?
For performance reasons, no implementations based solely on public key techniques are used for encryption purposes. All common implementations of public key cryptography use hybrid procedures (see S 3.23).
In applications with large or open user groups it is usually advisable to use a hybrid procedure (because of the advantages for key management). Where user groups are small and closed (and in particular of course in the case of a single user), it is possible to keep to symmetrical procedures. If hybrid procedures are used, it makes sense to tailor the symmetrical and asymmetrical parts to work together. Because a key of the asymmetrical procedure is generally used to encrypt many keys for the symmetrical procedure before it is changed, the asymmetrical algorithm should normally be somewhat stronger.
Feasibility of technical requirements
The enciphering algorithms must be designed such that the technical requirements, in particular the required performance, can be fulfilled if a suitable implementation is put in place. These include requirements relating to error propagation (for example if data is sent via very noisy channels), but also requirements as to synchronisation overhead and time delay (for example if "real-time" encryption of large quantities of data is required).
Example: Voice encryption with ISDN
When a communication network is being planned, a range of parameters has to be taken into account which influence the expected speech quality and which become noticeable in the form of noise, clicking, crosstalk or singing. Such influencing factors include the encryption procedures, for example. In order to be able to achieve satisfactory speech quality, all of the equipment along a transmission path has to be examined and assessed. Although looking at a single component in isolation is not really justified, because all relevant individual effects are coupled, it is nevertheless important to be aware of the influencing factors applying to each component (such as the crypto component). The basic conditions for both implementation and selection can be derived from this knowledge. The behaviour of an encryption component is mainly characterised by the following factors:
The period of time elapsing during encryption of a data block (generally results in delays)
The control information inserted additionally into the data stream for synchronisation purposes (may result in fluctuations)
The maximum data throughput to be achieved by the crypto component (also results in fluctuations if buffer storage is necessary)
The error propagation resulting from encryption (generally results in an increase in the error rate)
In the case of voice encryption (real-time service), in particular, the above influencing factors have a negative effect in the form of an increase in end-to-end propagation time, fluctuations in propagation time and a higher error rate, i.e. in a reduction in quality which can be measured and can be attributed to the crypto component.
Other influencing factors
Some cryptographic algorithms (such as IDEA) are patented; licence fees may have to be paid to enable them to be used in commercial applications (which also include use by government agencies etc.). This must be noted in particular when using methods such as PGP, some implementations of which can otherwise be used as public domain software.