just fast keying jfk protocol n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Just Fast Keying (JFK) Protocol PowerPoint Presentation
Download Presentation
Just Fast Keying (JFK) Protocol

Loading in 2 Seconds...

play fullscreen
1 / 11

Just Fast Keying (JFK) Protocol - PowerPoint PPT Presentation


  • 124 Views
  • Uploaded on

CS 395T. Just Fast Keying (JFK) Protocol. Outline. “Rational derivation” of the JFK protocol Combine known techniques for shared secret creation, authentication, identity and anti-DoS protection [Datta, Mitchell, Pavlovic Tech report 2002] Just Fast Keying (JFK) protocol

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Just Fast Keying (JFK) Protocol' - columbia


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
outline
Outline
  • “Rational derivation” of the JFK protocol
    • Combine known techniques for shared secret creation, authentication, identity and anti-DoS protection
      • [Datta, Mitchell, Pavlovic Tech report 2002]
  • Just Fast Keying (JFK) protocol
    • State-of-the-art key establishment protocol
      • [Aiello, Bellovin, Blaze, Canetti,

Ioannidis, Keromytis, Reingold CCS 2002]

  • Modeling JFK in applied pi calculus
    • Specification of security properties as equivalences
      • [Abadi,Fournet POPL 2001]
      • [Abadi, Blanchet, Fournet ESOP 2004]
design objectives for key exchange
Design Objectives for Key Exchange
  • Shared secret
    • Create and agree on a secret which is known only to protocol participants
  • Authentication
    • Participants need to verify each other’s identity
  • Identity protection
    • Eavesdropper should not be able to infer participants’ identities by observing protocol execution
  • Protection against denial of service
    • Malicious participant should not be able to exploit the protocol to cause the other party to waste resources
ingredient 1 diffie hellman
Ingredient 1: Diffie-Hellman

A  B: ga

B  A: gb

  • Shared secret: gab
    • Diffie-Hellman guarantees perfect forward secrecy
  • Authentication
  • Identity protection
  • DoS protection
ingredient 2 challenge response
Ingredient 2: Challenge-Response

A  B: m, A

B  A: n, sigB{m, n, A}

A  B: sigA{m, n, B}

  • Shared secret
  • Authentication
    • A receives his own number m signed by B’s private key and deduces that B is on the other end; similar for B
  • Identity protection
  • DoS protection
dh challenge response
DH + Challenge-Response

ISO 9798-3 protocol:

A  B: ga, A

B  A: gb, sigB{ga, gb, A}

A  B: sigA{ga, gb, B}

  • Shared secret: gab
  • Authentication
  • Identity protection
  • DoS protection

m := ga

n := gb

ingredient 3 encryption
Ingredient 3: Encryption

Encrypt signatures to protect identities:

A  B: ga, A

B  A: gb, EK{sigB{ga, gb, A}}

A  B: EK{sigA{ga, gb, B}}

  • Shared secret: gab
  • Authentication
  • Identity protection (for responder only!)
  • DoS protection
refresher anti dos cookie
Refresher: Anti-DoS Cookie
  • Typical protocol:
    • Client sends request (message #1) to server
    • Server sets up connection, responds with message #2
    • Client may complete session or not (potential DoS)
  • Cookie version:
    • Client sends request to server
    • Server sends hashed connection data back
      • Send message #2 later, after client confirms
    • Client confirms by returning hashed data
    • Need extra step to send postponed message
ingredient 4 anti dos cookie
Ingredient 4: Anti-DoS Cookie

“Almost-JFK” protocol:

A  B: ga, A

B  A: gb, hashKb{gb, ga}

A  B: ga, gb, hashKb{gb, ga}

EK{sigA{ga, gb, B}}

B  A: gb, EK{sigB{ga, gb, A}}

  • Shared secret: gab
  • Authentication
  • Identity protection
  • DoS protection?

Doesn’t quite work: B must

remember his DH exponential b

for every connection

additional features of jfk
Additional Features of JFK
  • Keep ga, gb values medium-term, use (ga,nonce)
    • Use same Diffie-Hellman value for every connection (helps against DoS), update every 10 minutes or so
    • Nonce guarantees freshness
    • More efficient, because computing ga, gb, gab is costly
  • Two variants: JFKr and JFKi
    • JFKr protects identity of responder against active attacks and of initiator against passive attacks
    • JFKi protects only initiator’s identity from active attack
  • Responder may keep an authorization list
    • May reject connection after learning initiator’s identity
jfkr protocol aiello et al
JFKr Protocol [Aiello et al.]

If initiator knows

group g in advance

xi=gdi

Ni, xi

R

I

xr=gdr

DH group

tr=hashKr(xr,Nr,Ni,IPi)

Same dr for

every connection

Ni, Nr, xr, gr, tr

xidr=xrdi=x Ka,e,v=hashx(Ni,Nr,{a,e,v})

derive a set of keys from shared secret and nonces

Ni, Nr, xi, xr, tr, ei, hi

ei=encKe(IDi,ID’r,sai,sigKi(Nr,Ni,xr,xi,gr))

hi=hashKa(“i”,ei)

er, hr

check integrity before decrypting

“hint” to responder which identity to use

er=encKe(IDr,sar,sigKr(xr,Nr,xi,Ni))

hr=hashKa(“r”,er)

real identity of the responder