[Cryptography] A seemingly simple question ...

[Thierry Moreau]

I used to think that a simple question to experts triggers a lengthy and 
complex answer.

Now I have a simple question in a field where I might be an expert (we 
are always on a learning curve).

An application requires data exchange between two distant server systems 
operated by "responsible organizations" according to a lasting agreement.

A secure channel is thus required between these two server applications. 
Confidentiality, data integrity, remote party authentication, and replay 
attack prevention would be needed. Non-repudiation is a non-goal (since 
no legal precedent ever hinted that public key crypto digital signatures 
would be a legal standard of courtroom evidence).

Supposedly, the initial cryptographic key material setup need not be 
efficient.

What is the typical secure protocol deployed in this context? Obviously, 
"TLS" or "IPsec" is a partial answer due to the many protocol versions, 
options, configurations, ...

Also, if the answer is a transport layer protocol (e.g. TLS in a given 
profile) or a network layer protocol (e.g. IPsec in a given profile), is 
there any notable vulnerability originating from the fact that the 
security requirement is at the application layer? If so, what are the 
countermeasures?

Hope this question is of interest to some of you!

Regards,

- Thierry Moreau