PFX - How Not to Design a Crypto Protocol/Standard

This document was originally intended to be a companion to my X.509 style guide, containing various hints and tips on how best to implement PFX/PKCS #12. However after trying to read it several times over, I've come to the conclusion that if this came from anyone but Microsoft, it would probably be regarded as some kind of deliberate sabotage attempt on crypto PDU design. After a week or so of not being able to bring myself to touch it I'd think "It can't be that bad, it just can't be that bad", and then go back and start reading again and find that it really *was* that bad.

As it turns out, because PFX is so comprehensively broken it's far easier to take the style guide's "try and do this to demonstrate good style" and turn it around into PFX's "do this to demonstrate bad style". As a result, I've decided to do a rant instead of a proper discussion like the style guide. Rants are far more fun to write anyway.

So, here's the PFX anti-style guide, or "How not to design a crypto protocol/standard".

Confusion at a High Level

Your first task is to ensure that things are as confused as possible at the highest, most abstract level. To create this effect, try any or all of the following:

Confusion through Misuse of Standards

Your next avenue for mis-designing a crypto standard is to abuse the standards on which yours is based. For example:

Confusion in the Details

Now that you've done all this, you can get down to the low-level details which make a protocol difficult or impossible to implement. Among the tricks you can use are:

Confusion via Corporate Politics

This one is rather tricky and will require some careful manoeuvring to get right, but the resulting effect on security and interoperability can be devastating:

There you have it, how not to design a crypto protocol. If you follow these guidelines to the letter, you can virtually guarantee an endless amount of confusion, implementation problems, and relying on the lowest common denominator level of (in-)security when your substandard is fielded.

For those of you who have read this far, I'd like to get some idea of people's feelings about PFX. So far I haven't been able to find anyone who has anything good to say about this thing, so I'm carrying out a small survey to see what the overall feeling is. If you could send me a quick comment, either "PFX sucks" or "PFX is great", I'll tally up the responses and add them to this document. You can click on one of the following to send the mail:

PFX sucks!

PFX is great!

The following rough pie chart represents the survey results to date:

Does PFX suck?

             O   Yes, 100%

Finally, a modest proposal: Rename this whole abortion to "PKCS #13" and get an IETF group to start again from scratch and do PKCS #12 properly. Failing that, an update of the (now rather dated and limited) PKCS #5 format would probably have more or less the same effect.


PFX - How Not to Design a Crypto Protocol/Standard / Peter Gutmann / pgut001@cs.auckland.ac.nz