
A cryptographic protocol is an abstract or concrete protocol that performs a security-related function and applies cryptographic methods, often as sequences of cryptographic primitives. A protocol describes how the algorithms should be used and includes details about data structures and representations, at which point it can be used to implement multiple, interoperable versions of a program.

Cryptographic protocols are widely used for secure application-level data transport. A cryptographic protocol usually incorporates at least some of these aspects:

* Key agreement or establishment
* Entity authentication
* Symmetric encryption and message authentication material construction
* Secured application-level data transport
* Non-repudiation methods
* Secret sharing methods
* Secure multi-party computation

For example, Transport Layer Security (TLS) is a cryptographic protocol that is used to secure web (HTTPS) connections. It has an entity authentication mechanism, based on the X.509 system; a key setup phase, where a symmetric encryption key is formed by employing public-key cryptography; and an application-level data transport function. These three aspects have important interconnections. Standard TLS does not have non-repudiation support.

There are other types of cryptographic protocols as well, and even the term itself has various readings. Cryptographic application protocols often use one or more underlying key agreement methods, which are also sometimes themselves referred to as "cryptographic protocols". For instance, TLS employs what is known as the Diffie–Hellman key exchange; although it is only a part of TLS per se, Diffie–Hellman may be seen as a complete cryptographic protocol in itself for other applications.


Advanced cryptographic protocols

A wide variety of cryptographic protocols go beyond the traditional goals of data confidentiality, integrity, and authentication to also secure a variety of other desired characteristics of computer-mediated collaboration. Blind signatures can be used for digital cash and digital credentials to prove that a person holds an attribute or right without revealing that person's identity or the identities of parties that person transacted with. Secure digital timestamping can be used to prove that data (even if confidential) existed at a certain time. Secure multiparty computation can be used to compute answers (such as determining the highest bid in an auction) based on confidential data (such as private bids), so that when the protocol is complete the participants know only their own input and the answer. End-to-end auditable voting systems provide sets of desirable privacy and auditability properties for conducting e-voting. Undeniable signatures include interactive protocols that allow the signer to prove a forgery and limit who can verify the signature. Deniable encryption augments standard encryption by making it impossible for an attacker to mathematically prove the existence of a plain text message. Digital mixes create hard-to-trace communications.


Formal verification

Cryptographic protocols can sometimes be verified formally on an abstract level. Doing so requires formalizing the environment in which the protocol operates in order to identify threats. This is frequently done through the Dolev–Yao model.

Logics, concepts and calculi used for formal reasoning of security protocols:

* Burrows–Abadi–Needham logic (BAN logic)
* Dolev–Yao model
* π-calculus
* Protocol composition logic (PCL)
* Strand space

Research projects and tools used for formal verification of security protocols:

* Automated Validation of Internet Security Protocols and Applications (AVISPA) and follow-up project AVANTSSAR.
** Constraint Logic-based Attack Searcher (CL-AtSe)
** Open-Source Fixed-Point Model-Checker (OFMC)
** SAT-based Model-Checker (SATMC)
* Casper
* CryptoVerif
* Cryptographic Protocol Shapes Analyzer (CPSA)
* Knowledge In Security protocolS (KISS)
* Maude-NRL Protocol Analyzer (Maude-NPA)
* ProVerif
* Scyther
* Tamarin Prover
* Squirrel Prover


Notion of abstract protocol

To formally verify a protocol it is often abstracted and modelled using Alice & Bob notation. A simple example is the following:

:A\rightarrow B:\_

This states that Alice A intends a message for Bob B consisting of a message X encrypted under shared key K_.
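
The symbolic reasoning described under "Formal verification" and the Alice & Bob message above can be made concrete with a small Dolev–Yao intruder-deduction check. This is an added example, not code from the original page or from any of the tools listed; the term encoding, the key names K_AB and K_E, and both traces are constructed assumptions.

```python
# Terms: an atom is a str; ("pair", a, b) is concatenation;
# ("enc", m, k) is message m symmetrically encrypted under key k.

def synth(term, known):
    """Can the intruder build `term` from already-analysed knowledge?"""
    if term in known:
        return True
    if isinstance(term, tuple):
        # Composing a pair or a ciphertext needs both sub-terms.
        return synth(term[1], known) and synth(term[2], known)
    return False

def analyse(observed):
    """Close the observed messages under projection and decryption."""
    known = set(observed)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            if t[0] == "pair":
                parts = {t[1], t[2]}
            elif t[0] == "enc" and synth(t[2], known):
                parts = {t[1]}      # key is derivable, so the plaintext leaks
            else:
                parts = set()
            if not parts <= known:
                known |= parts
                changed = True
    return known

def intruder_learns(secret, observed):
    """Secrecy query: is `secret` derivable from what went over the network?"""
    return synth(secret, analyse(observed))

# Constructed traces (assumptions, not from the page).
INITIAL = {"A", "B", "E", "K_E"}            # intruder E's names and own key
# Run 1: the page's message, A -> B : X encrypted under the shared key.
RUN_OK = INITIAL | {("enc", "X", "K_AB")}
# Run 2: a flawed key-distribution step also sends K_AB under E's key.
RUN_LEAK = RUN_OK | {("enc", ("pair", "B", "K_AB"), "K_E")}

if __name__ == "__main__":
    print("X secret in run 1:", not intruder_learns("X", RUN_OK))
    print("X secret in run 2:", not intruder_learns("X", RUN_LEAK))
```

Encryption is treated as perfect here, as in the Dolev–Yao model: the only way to a plaintext is to derive the key, so the check finds protocol-logic flaws rather than weaknesses in the cipher.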


Examples

* Internet Key Exchange
* IPsec
* Kerberos
* Off-the-Record Messaging
* Point to Point Protocol
* Secure Shell (SSH)
* Signal Protocol
* Transport Layer Security
* ZRTP


See also

* List of cryptosystems
* Secure channel
* Security Protocols Open Repository
* Comparison of cryptography libraries
* Quantum cryptographic protocol

