Abstract
JFK is a recent, attractive protocol for fast key establishment as part of securing IP communication. In this paper, we formally analyze this protocol in the applied pi calculus (partly in terms of observational equivalences and partly with the assistance of an automatic protocol verifier). We treat JFK's core security properties and also other properties that are rarely articulated and rigorously studied, such as plausible deniability and resistance to denial-of-service attacks. In the course of this analysis, we found some ambiguities and minor problems, such as limitations in identity protection, but we mostly obtain positive results about JFK. For this purpose, we develop ideas and techniques that should be more generally useful in the specification and verification of security protocols.
Index Terms
Just fast keying in the pi calculus