Cryptographic protocol
{{short description|Aspect of cryptography}}
A '''cryptographic protocol''' is an abstract or concrete [[Communications protocol|protocol]] that performs a [[information security|security]]-related function and applies [[cryptographic]] methods, often as sequences of [[cryptographic primitive]]s. A protocol describes how the algorithms should be used and includes details about data structures and representations, at which point it can be used to implement multiple, interoperable versions of a program.<ref>{{cite web |url= http://www.ccs-labs.org/~dressler/teaching/netzsicherheit-ws0304/07_CryptoProtocols_2on1.pdf |title= Cryptographic Protocol Overview |date= 2015-10-23 |access-date= 2015-10-23 |archive-url= https://web.archive.org/web/20170829004310/http://www.ccs-labs.org/~dressler/teaching/netzsicherheit-ws0304/07_CryptoProtocols_2on1.pdf |archive-date= 2017-08-29 |url-status= dead }}</ref>

Cryptographic protocols are widely used for secure application-level data transport. A cryptographic protocol usually incorporates at least some of these aspects:
* [[Key agreement]] or establishment
* Entity [[authentication]]
* Symmetric [[encryption]] and message authentication [[key (cryptography)|key]] material construction
* Secured application-level data transport
* [[Non-repudiation]] methods
* [[Secret sharing]] methods
* [[Secure multi-party computation]]

For example, [[Transport Layer Security]] (TLS) is a cryptographic protocol that is used to secure web ([[HTTPS]]) connections.<ref>{{Cite journal |last1=Chen |first1=Shan |last2=Jero |first2=Samuel |last3=Jagielski |first3=Matthew |last4=Boldyreva |first4=Alexandra |last5=Nita-Rotaru |first5=Cristina |date=2021-07-01 |title=Secure Communication Channel Establishment: TLS 1.3 (over TCP Fast Open) versus QUIC |journal=Journal of Cryptology |language=en |volume=34 |issue=3 |pages=26 |doi=10.1007/s00145-021-09389-w |s2cid=235174220 |issn=0933-2790|doi-access=free }}</ref> It has an entity authentication mechanism, based on the [[X.509]] system; a key setup phase, in which a [[symmetric encryption]] key is formed by employing public-key cryptography; and an application-level data transport function. These three aspects have important interconnections. Standard TLS does not have non-repudiation support.

There are other types of cryptographic protocols as well, and even the term itself has various readings. Cryptographic ''application'' protocols often use one or more underlying [[key agreement|key agreement method]]s, which are also sometimes themselves referred to as "cryptographic protocols". For instance, TLS employs the [[Diffie–Hellman key exchange]], which, although it is only one component of TLS, may be seen as a complete cryptographic protocol in itself for other applications.

== Advanced cryptographic protocols ==
A wide variety of cryptographic protocols go beyond the traditional goals of data confidentiality, integrity, and authentication to also secure a variety of other desired characteristics of computer-mediated collaboration.<ref>{{cite web|url=https://berry.win.tue.nl/CryptographicProtocols/LectureNotes.pdf|title=Lecture Notes Cryptographic Protocols|author=Berry Schoenmakers}}</ref> [[Blind signature]]s can be used for [[ecash|digital cash]] and [[digital credential]]s to prove that a person holds an attribute or right without revealing that person's identity or the identities of the parties that person transacted with. [[Trusted timestamping|Secure digital timestamping]] can be used to prove that data (even if confidential) existed at a certain time. [[Secure multiparty computation]] can be used to compute answers (such as determining the highest bid in an auction) based on confidential data (such as private bids), so that when the protocol is complete the participants know only their own input and the answer.
[[End-to-end auditable voting systems]] provide sets of desirable privacy and auditability properties for conducting [[e-voting]]. [[Undeniable signature]]s include interactive protocols that allow the signer to prove a forgery and limit who can verify the signature. [[Deniable encryption]] augments standard encryption by making it impossible for an attacker to mathematically prove the existence of a plaintext message. [[Anonymous re-mailer|Digital mixes]] create hard-to-trace communications.

== Formal verification ==
Cryptographic protocols can sometimes be [[Formal verification|verified formally]] on an abstract level. When this is done, the environment in which the protocol operates must itself be formalized in order to identify threats. This is frequently done through the [[Dolev-Yao]] model.

Logics, concepts and calculi used for formal reasoning about security protocols:
{{Incomplete list|date=October 2016}}
* [[Burrows–Abadi–Needham logic|Burrows–Abadi–Needham logic (BAN logic)]]
* [[Dolev–Yao model]]
* [[π-calculus]]
* [[Protocol composition logic|Protocol composition logic (PCL)]]
* Strand space<ref>{{citation|title=Strand Spaces: Why is a Security Protocol Correct?|author=Fábrega, F. Javier Thayer, Jonathan C. Herzog, and Joshua D. Guttman.}}</ref>

Research projects and tools used for formal verification of security protocols:
{{Incomplete list|date=October 2016}}
* Automated Validation of Internet Security Protocols and Applications (AVISPA) and the follow-up project AVANTSSAR.<ref>{{cite web |url=http://avispa-project.org/ |title=Automated Validation of Internet Security Protocols and Applications (AVISPA) |access-date=14 February 2024 |archive-url=https://web.archive.org/web/20160922202730/http://www.avispa-project.org/ |archive-date=22 September 2016 |url-status=live}}</ref><ref name=TAP_1>{{cite book| title=The AVANTSSAR Platform for the Automated Validation of Trust and Security of Service-Oriented Architectures| author1=Armando, A.| author2=Arsac, W| author3=Avanesov, T.| author4=Barletta, M.| author5=Calvi, A.| author6=Cappai, A.| author7=Carbone, R.| author8=Chevalier, Y.| author9=+12 more| editor1=Flanagan, C.| editor2=König, B.| url=https://link.springer.com/chapter/10.1007/978-3-642-28756-5_19| publisher=LNTCS| volume=7214| pages=267–282| date=2012| access-date=14 February 2024| doi=10.1007/978-3-642-28756-5_19}}</ref>
** Constraint Logic-based Attack Searcher (CL-AtSe)<ref>{{Cite web |url=https://cassis.loria.fr/wiki/Wiki.jsp?page=Cl-Atse |title=Constraint Logic-based Attack Searcher (Cl-AtSe) |access-date=2016-10-17 |archive-date=2017-02-08 |archive-url=https://web.archive.org/web/20170208141835/https://cassis.loria.fr/wiki/Wiki.jsp?page=Cl-Atse |url-status=dead }}</ref>
** Open-Source Fixed-Point Model-Checker (OFMC)<ref>[http://people.compute.dtu.dk/samo/ Open-Source Fixed-Point Model-Checker (OFMC)]</ref>
** SAT-based Model-Checker (SATMC)<ref>{{Cite web |url=http://www.ai-lab.it/satmc/ |title=SAT-based Model-Checker for Security Protocols and Security-sensitive Application (SATMC) |access-date=2016-10-17 |archive-url=https://web.archive.org/web/20151003010538/http://www.ai-lab.it/satmc/ |archive-date=2015-10-03 |url-status=dead }}</ref>
* Casper<ref>[http://www.cs.ox.ac.uk/people/gavin.lowe/Security/Casper/index.html Casper: A Compiler for the Analysis of Security Protocols]</ref>
* [[CryptoVerif]]
* Cryptographic Protocol Shapes Analyzer (CPSA)<ref>[https://hackage.haskell.org/package/cpsa cpsa: Symbolic cryptographic protocol analyzer]</ref>
* Knowledge In Security protocolS (KISS)<ref>{{Cite web |url=http://www.lsv.ens-cachan.fr/~ciobaca/kiss/ |title=Knowledge In Security protocolS (KISS) |access-date=2016-10-07 |archive-url=https://web.archive.org/web/20161010085620/http://www.lsv.ens-cachan.fr/~ciobaca/kiss/ |archive-date=2016-10-10 |url-status=dead }}</ref>
* Maude-NRL Protocol Analyzer (Maude-NPA)<ref>[http://personales.upv.es/sanesro/Maude-NPA_Protocols/ Maude-NRL Protocol Analyzer (Maude-NPA)]</ref>
* [[ProVerif]]
* Scyther<ref>[https://www.cs.ox.ac.uk/people/cas.cremers/scyther/ Scyther]</ref>
* [[Tamarin Prover]]<ref>[https://tamarin-prover.github.io/ Tamarin Prover]</ref>
* Squirrel<ref>[https://squirrel-prover.github.io/ Squirrel Prover]</ref>

=== Notion of abstract protocol ===
{{main|Security protocol notation}}
To formally verify a protocol, it is often abstracted and modelled using [[security protocol notation|Alice & Bob notation]]. A simple example is the following:
:<math>A\rightarrow B:\{X\}_{K_{A,B}}</math>
This states that [[Alice and Bob|Alice]] <math>A</math> intends a message for Bob <math>B</math>, consisting of a message <math>X</math> encrypted under the shared key <math>K_{A,B}</math>.
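The aspects listed at the top of the article (key agreement, key-material construction, secured transport) and the message <math>A\rightarrow B:\{X\}_{K_{A,B}}</math> above, run end to end in standard-library Python. This is an added example written for this page; it is not code from the article or from any of the tools it lists. The group parameters are the real RFC 3526 group 14 (2048-bit MODP, generator 2); the HKDF label, the HMAC-in-counter-mode stream cipher that stands in for a real AEAD such as AES-GCM, the sample message and the function names are all constructed for illustration. Entity authentication (the X.509 step in TLS) is deliberately left out, so the exchange is anonymous: nothing here stops an active attacker from running a separate key agreement with each side, which is exactly the gap authentication closes. What the example does show is the defensive checks a party makes on its own side: validating the published group, validating the peer's public value, binding the derived keys to the transcript, and rejecting a record that a Dolev–Yao attacker has modified or replayed.

```python
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP): safe prime P = 2*Q + 1 with generator G = 2 of order Q.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
Q = (P - 1) // 2

def is_probable_prime(n, rounds=8):
    """Miller-Rabin for odd n >= 5: the primality half of a group parameter check."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def check_group():
    """P and Q prime and G of order Q: run this on any published group before trusting it."""
    return is_probable_prime(P) and is_probable_prime(Q) and pow(G, Q, P) == 1

def dh_shared(own_private, peer_public):
    """Shared secret as 256 bytes, after rejecting out-of-range peer values and
    elements outside the order-Q subgroup (small-subgroup confinement)."""
    if not (2 <= peer_public <= P - 2 and pow(peer_public, Q, P) == 1):
        raise ValueError("invalid peer public value")
    return pow(peer_public, own_private, P).to_bytes(256, "big")

def hkdf(ikm, salt, info, length):
    """RFC 5869 HKDF (extract, then expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm, counter = okm + block, counter + 1
    return okm[:length]

def derive_keys(shared_secret, transcript):
    """Key-material construction: separate encryption and MAC keys bound to the transcript."""
    km = hkdf(shared_secret, transcript, b"toy protocol v1 (constructed label)", 64)
    return km[:32], km[32:]

def xor_stream(key, nonce, data):
    """HMAC in counter mode as a stand-in stream cipher (constructed); XOR is its own inverse."""
    out = bytearray()
    for i, byte in enumerate(data):
        if i % 32 == 0:
            block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.append(byte ^ block[i % 32])
    return bytes(out)

def seal(enc_key, mac_key, seq, plaintext):
    """Encrypt-then-MAC record; the sequence number is the nonce and is authenticated."""
    nonce = seq.to_bytes(8, "big")
    ct = xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(enc_key, mac_key, expected_seq, record):
    """Check the sequence number and the tag before decrypting anything."""
    nonce, ct, tag = record[:8], record[8:-32], record[-32:]
    if int.from_bytes(nonce, "big") != expected_seq:
        raise ValueError("unexpected sequence number (replay or reordering)")
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return xor_stream(enc_key, nonce, ct)

def run_protocol(message=b"constructed sample message X"):
    """A->B: g^a, B->A: g^b, A->B: {X}_{K_AB}; returns Bob's plaintext and whether a wire change was caught."""
    a, b = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    ga, gb = pow(G, a, P), pow(G, b, P)
    transcript = hashlib.sha256(ga.to_bytes(256, "big") + gb.to_bytes(256, "big")).digest()
    alice_keys = derive_keys(dh_shared(a, gb), transcript)
    bob_keys = derive_keys(dh_shared(b, ga), transcript)
    record = seal(*alice_keys, 0, message)
    received = unseal(*bob_keys, 0, record)
    # A Dolev-Yao attacker controls the wire: flip one ciphertext byte and let Bob check it.
    tampered = record[:8] + bytes([record[8] ^ 0x01]) + record[9:]
    try:
        unseal(*bob_keys, 0, tampered)
    except ValueError:
        return received, True
    return received, False

if __name__ == "__main__":
    print("group ok:", check_group(), "|", run_protocol())
```

Two design points carry over to real protocols. The salt fed to HKDF is a hash of both public values, so the session keys depend on the whole exchange and a transcript substitution yields different keys on the two sides rather than a silent downgrade. The record format authenticates the sequence number together with the ciphertext, so a replayed or reordered record fails the check before any plaintext is released, which is the same reason TLS records carry an implicit sequence number inside the authenticated data.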
== Examples ==
* [[Internet Key Exchange]]
* [[IPsec]]
* [[Kerberos (protocol)|Kerberos]]
* [[Off-the-Record Messaging]]
* [[Point to Point Protocol]]
* [[Secure Shell]] (SSH)
* [[Signal Protocol]]
* [[Transport Layer Security]]
* [[ZRTP]]

== See also ==
* [[List of cryptosystems]]
* [[Secure channel]]
* [[Security Protocols Open Repository]]
* [[Comparison of cryptography libraries]]
* [[Quantum cryptographic protocol]]

== References ==
{{Reflist}}

== Further reading ==
* {{cite conference|last1=Ermoshina|first1=Ksenia|last2=Musiani|first2=Francesca|last3=Halpin|first3=Harry|editor=Bagnoli, Franco|display-editors=et al|pages=244–254|title=End-to-End Encrypted Messaging Protocols: An Overview|book-title=Internet Science |publisher=Springer |location=Florence, Italy |conference=INSCI 2016 |doi=10.1007/978-3-319-45982-0_22 |isbn=978-3-319-45982-0 |date=September 2016 |url=https://hal.inria.fr/hal-01426845/file/paper_21.pdf}}

{{Cryptography navbox}}

[[Category:Cryptographic protocols| ]]