BY DR. SCOTT VANSTONE

The importance of key establishment schemes and the underlying cryptographic primitives cannot be overstated. Most standards groups equate good security with the use of the Advanced Encryption Standard (AES). For example, AES is seen as the fix for wireless LAN 802.11i security (Counter Mode with CBC-MAC Protocol, CCMP) to replace RC4. While AES is a good choice for bulk encryption, the flaws in WEP are largely related to key establishment. Moreover, this move to AES will also impose a full-blown hardware upgrade on manufacturers.

For 802.11i security, key establishment is derived from 802.1X, a port-level authentication protocol. However, the security of this architecture is not well understood. Standards groups would be well advised to follow the key establishment recommendations proposed by NIST.

NIST Special Publication 800-56: Recommendation on Key Establishment Schemes (Draft) presents many flexible options for key establishment to address different industry scenarios. NIST clearly understands the many security attributes and bases their recommendations on well-studied cryptographic protocols and primitives.

NIST is not alone in these recommendations. Many open security standards, such as ANSI X9, IEEE 1363-2000, IETF TLS/SSL, IETF IPsec and S/MIME, also propose the use of these same key establishment schemes, which have proven to be quite robust in real-world implementations.

These key establishment schemes include Diffie-Hellman (DH) key agreement and its improvement, Menezes-Qu-Vanstone (MQV). While DH offers a very simple way of creating a shared secret between two entities, there are some major security weaknesses that must be overcome.

The major flaw that MQV addresses is key-compromise impersonation: a malicious user who steals a victim's private key can use it to masquerade as a third party to that same victim. Security protocols such as IPsec overcome this weakness by adding another step to the protocol. However, this makes the protocol less efficient. If you could find a key establishment scheme that offers the required security attributes with significant performance advantages, then why not use it?

The ECMQV scheme offers these performance advantages because elliptic curve groups have smaller key sizes and faster computations than other types of groups of equivalent security. This makes MQV extremely well suited to very constrained environments such as smart cards, mobile devices and RFIDs.
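The paragraphs above describe MQV only in outline. The following is an added illustration, not code from the article or from any NIST or ANSI standard, of the finite-field form of MQV (the FFC MQV scheme in NIST SP 800-56A) so that the role of the static keys is visible. It uses constructed toy parameters (p = 1019, q = 509, g = 4, all assumed here for readability; real deployments use standardized 2048-bit or larger groups, or the elliptic-curve form ECMQV), and the function names are the author's own. Each party combines its ephemeral and static private keys into a single exponent, so the resulting secret depends on both parties' long-term keys without an extra signature step; the public-key validation shown is the check SP 800-56A requires before any received key is used.

```python
"""Finite-field MQV key agreement over a constructed toy group (added example)."""
import secrets

# Constructed toy parameters: p is a safe prime, q = (p - 1) / 2 is prime,
# and g = 4 generates the order-q subgroup of Z_p^*. Toy sizes only.
P = 1019
Q = 509
G = 4


def avf(pub: int) -> int:
    """Associated value function from SP 800-56A: (pub mod 2^w) + 2^w, w = ceil(bitlen(q)/2).

    It truncates a public value to half the subgroup size, which keeps the
    per-exchange exponent cheap while still binding it to the public key.
    """
    w = (Q.bit_length() + 1) // 2
    return (pub % (1 << w)) + (1 << w)


def validate_public_key(pub: int) -> None:
    """Full public-key validation: 1 < pub < p and pub lies in the order-q subgroup."""
    if not 1 < pub < P:
        raise ValueError("public key out of range")
    if pow(pub, Q, P) != 1:
        raise ValueError("public key not in the prime-order subgroup")


def keygen(rng=secrets):
    """Return (private, public) with 1 <= private <= q - 1."""
    priv = rng.randbelow(Q - 1) + 1
    return priv, pow(G, priv, P)


def mqv_shared_secret(static_priv: int, eph_priv: int, eph_pub: int,
                      peer_static_pub: int, peer_eph_pub: int) -> int:
    """Compute the MQV shared secret Z from own keys and the peer's two public keys.

    Own implicit signature:  s = (x + avf(X) * a) mod q
    Shared secret:           Z = (Y * B^avf(Y))^s mod p
    which both sides evaluate to g^((x + avf(X) a)(y + avf(Y) b)).
    """
    validate_public_key(peer_static_pub)
    validate_public_key(peer_eph_pub)
    s = (eph_priv + avf(eph_pub) * static_priv) % Q
    base = (peer_eph_pub * pow(peer_static_pub, avf(peer_eph_pub), P)) % P
    z = pow(base, s, P)
    if z == 1:
        # Identity element: reject the exchange rather than derive a key from it.
        raise ValueError("invalid shared secret")
    return z


def run_exchange(rng=secrets):
    """One full MQV run between two parties; returns both computed secrets."""
    a, A = keygen(rng)   # party 1 static key pair (long-term)
    x, X = keygen(rng)   # party 1 ephemeral key pair (per session)
    b, B = keygen(rng)   # party 2 static key pair
    y, Y = keygen(rng)   # party 2 ephemeral key pair
    z1 = mqv_shared_secret(a, x, X, B, Y)
    z2 = mqv_shared_secret(b, y, Y, A, X)
    return z1, z2


if __name__ == "__main__":
    z1, z2 = run_exchange()
    print("secrets agree:", z1 == z2)
```

In a real deployment Z is never used directly; it is fed to a key derivation function together with the parties' identifiers, and the static public keys are distributed through certificates so that each side knows whose long-term key it is mixing in.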

When we take these attributes into account, along with the fact that NIST and ANSI have already standardized MQV, it only makes sense that security protocols such as 802.11i should at least consider it as the primitive for key establishment.