Presentation is loading. Please wait.

Presentation is loading. Please wait.

Just Fast Keying (JFK) Protocol 18739A: Foundations of Security and Privacy Anupam Datta CMU Fall 2007-08.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Just Fast Keying (JFK) Protocol 18739A: Foundations of Security and Privacy Anupam Datta CMU Fall 2007-08."— Presentation transcript:

1 Just Fast Keying (JFK) Protocol 18739A: Foundations of Security and Privacy Anupam Datta CMU Fall 2007-08

2 Outline u“Rational derivation” of the JFK protocol Combine known techniques for shared secret creation, authentication, identity and anti-DoS protection –[Datta, Mitchell, PavlovicTech report 2002] uJust Fast Keying (JFK) protocol State-of-the-art key establishment protocol –[Aiello, Bellovin, Blaze, Canetti, Ioannidis, Keromytis, ReingoldCCS 2002] uModeling JFK in applied pi calculus Specification of security properties as equivalences –[Abadi,FournetPOPL 2001] –[Abadi, Blanchet, FournetESOP 2004] Later lecture

3 Design Objectives for Key Exchange uShared secret Create and agree on a secret which is known only to protocol participants uAuthentication Participants need to verify each other’s identity uIdentity protection Eavesdropper should not be able to infer participants’ identities by observing protocol execution uProtection against denial of service Malicious participant should not be able to exploit the protocol to cause the other party to waste resources

4 Ingredient 1: Diffie-Hellman A  B: g a B  A: g b Shared secret: g ab –Diffie-Hellman guarantees perfect forward secrecy Authentication Identity protection DoS protection

5 Ingredient 2: Challenge-Response A  B: m, A B  A: n, sig B {m, n, A} A  B: sig A {m, n, B} Shared secret Authentication –A receives his own number m signed by B’s private key and deduces that B is on the other end; similar for B Identity protection DoS protection

6 DH + Challenge-Response ISO 9798-3 protocol: A  B: g a, A B  A: g b, sig B {g a, g b, A} A  B: sig A {g a, g b, B} Shared secret: g ab Authentication Identity protection DoS protection m := g a n := g b

7 Ingredient 3: Encryption Encrypt signatures to protect identities: A  B: g a, A B  A: g b, E K {sig B {g a, g b, A}} A  B: E K {sig A {g a, g b, B}} Shared secret: g ab Authentication Identity protection (for responder only!) DoS protection

8 Refresher: Anti-DoS Cookie uTypical protocol: Client sends request (message #1) to server Server sets up connection, responds with message #2 Client may complete session or not (potential DoS) uCookie version: Client sends request to server Server sends hashed connection data back –Send message #2 later, after client confirms Client confirms by returning hashed data Need extra step to send postponed message

9 Ingredient 4: Anti-DoS Cookie “Almost-JFK” protocol: A  B: g a, A B  A: g b, hash Kb {g b, g a } A  B: g a, g b, hash Kb {g b, g a } E K {sig A {g a, g b, B}} B  A: g b, E K {sig B {g a, g b, A}} Shared secret: g ab Authentication Identity protection DoS protection? Doesn’t quite work: B must remember his DH exponential b for every connection

10 Additional Features of JFK uKeep g a, g b values medium-term, use (g a,nonce) Use same Diffie-Hellman value for every connection (helps against DoS), update every 10 minutes or so Nonce guarantees freshness More efficient, because computing g a, g b, g ab is costly uTwo variants: JFKr and JFKi JFKr protects identity of responder against active attacks and of initiator against passive attacks JFKi protects only initiator’s identity from active attack uResponder may keep an authorization list May reject connection after learning initiator’s identity

11 JFKr Protocol [Aiello et al.] I R N i, x i x i =g di N i, N r, x r, g r, t r x r =g dr t r =hash Kr (x r,N r,N i,IP i ) N i, N r, x i, x r, t r, e i, h i e i =enc Ke (ID i,ID’ r,sa i,sig Ki (N r,N i,x r,x i,g r )) x i dr =x r di =x K a,e,v =hash x (N i,N r,{a,e,v}) h i =hash Ka (“i”,e i ) e r, h r e r =enc Ke (ID r,sa r,sig Kr (x r,N r,x i,N i )) h r =hash Ka (“r”,e r ) “hint” to responder which identity to use derive a set of keys from shared secret and nonces real identity of the responder check integrity before decrypting Same d r for every connection DH group If initiator knows group g in advance

Download ppt "Just Fast Keying (JFK) Protocol 18739A: Foundations of Security and Privacy Anupam Datta CMU Fall 2007-08."

Similar presentations

DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13

DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13
DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13 DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13 Digital Signatures Authentication.

DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13 DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13 Digital Signatures Authentication.
Key Exchange Protocols J. Mitchell CS 259. Next few lectures uToday Key exchange protocols and properties uThursday Cathy Meadows: GDOI uNext Tues Contract-signing.

Key Exchange Protocols J. Mitchell CS 259. Next few lectures uToday Key exchange protocols and properties uThursday Cathy Meadows: GDOI uNext Tues Contract-signing.
Key Management Protocols and Compositionality John Mitchell Stanford TECS Week2005.

Key Management Protocols and Compositionality John Mitchell Stanford TECS Week2005.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
Cryptography and Network Security

Cryptography and Network Security
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, I've Got You under My Skin“ by Cole Porter.

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
Interlock Protocol - Akanksha Srivastava 2002A7PS589.

Interlock Protocol - Akanksha Srivastava 2002A7PS589.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
IPsec – IKE CS 470 Introduction to Applied Cryptography

IPsec – IKE CS 470 Introduction to Applied Cryptography
CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:

CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:
Cryptography and Network Security Chapter 17

Cryptography and Network Security Chapter 17
Formally (?) Deriving Security Protocols Anupam Datta WIP with Ante Derek, John Mitchell, Dusko Pavlovic October 23, 2002.

Formally (?) Deriving Security Protocols Anupam Datta WIP with Ante Derek, John Mitchell, Dusko Pavlovic October 23, 2002.
CMSC 414 Computer (and Network) Security Lecture 21 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 21 Jonathan Katz.
Evaluating Authenticated, DoS Resistant Key Exchange Protocols J.W. Pope CS 589 December 12, 2003.

Evaluating Authenticated, DoS Resistant Key Exchange Protocols J.W. Pope CS 589 December 12, 2003.
Abstraction and Refinement in Protocol Derivation Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute CSFW June.

Abstraction and Refinement in Protocol Derivation Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute CSFW June.

Similar presentations

Ads by Google