Just Fast Keying: Key Agreement In A
Hostile Internet
William Aiello
AT&T Labs Research
aiello@research.att.com
Steven M. Bellovin
AT&T Labs Research
smb@research.att.com
Matt Blaze
AT&T Labs Research
mab@research.att.com
Ran Canetti
IBM T.J. Watson Research Center
canetti@watson.ibm.com
John Ioannidis
AT&T Labs Research
ji@research.att.com
Angelos D. Keromytis
Columbia University
angelos@cs.columbia.edu
Omer Reingold
AT&T Labs Research
omer@research.att.com
This work was partially supported by DARPA under Contract F39502-99-1-0512-MOD P0001. A previous version of this paper appeared as [Aiello et al. 2003].
Permission to make digital/hard copy of all or part of this material without fee for personal or classroom use
provided that the copies are not made or distributed for profit or commercial advantage, the ACM copyright/server
notice, the title of the publication, and its date appear, and notice is given that copying is by permission of the
ACM, Inc. To copy otherwise, to republish, to post on servers, or to redistribute to lists requires prior specific
permission and/or a fee.
c 2004 ACM 0000-0000/2004/0000-0001 $5.00
ACM Transactions on Information and System Security, Vol. 7, No. 2, May 2004, Pages 1–30.
2
·
Aiello, Bellovin, Blaze, Canetti, Ioannidis, Keromytis, Reingold
We describe Just Fast Keying (JFK), a new key-exchange protocol, primarily designed for use
in the IP security architecture. It is simple, efficient, and secure; we sketch a proof of the latter
property. JFK also has a number of novel engineering parameters that permit a variety of tradeoffs,
most notably the ability to balance the need for perfect forward secrecy against susceptibility to
denial-of-service attacks.
Categories and Subject Descriptors: C.2.0 [Security and Protection]: Key Agreement Protocols
General Terms: Security, Reliability, Standardization
Additional Key Words and Phrases: Cryptography, Denial of Service Attacks
1.
INTRODUCTION
Many public-key-based key-setup and key-agreement protocols already exist and have
been implemented for a variety of applications and environments. Several have been proposed for the IPsec protocol suite, and one, IKE [Harkins and Carrel 1998], is the current
standard. IKE has a number of defi ciencies, the three most important being that the number of rounds is high, that it is vulnerable to denial-of-service attacks, and the complexity
of the protocol and its specifi cation. This complexity has led to interoperability problems
— so much so that, several years after its initial adoption by the IETF, there are still noninteroperating commercial implementations.
While it might be possible to “patch” the IKE protocol to fi x some of these problems,
it may be perferable to construct a new protocol that more narrowly addresses the requirements “from the ground up.” We set out to engineer a new key exchange protocol specifi cally for Internet security applications. We call our new protocol “JFK,” which stands for
“Just Fast Keying.”
1.1 Design Goals
We seek a protocol with the following characteristics:
. Security: No one other than the participants may have access to the generated key.
. PFS: It must approach Perfect Forward Secrecy.
. Privacy: It must preserve the privacy of the initiator and/or responder, insofar as possible.
. Memory-DoS: It must resist memory exhaustion attacks.
. Computation-DoS: It must resist CPU exhaustion attacks on the responder.
. Availability: It must protect against easy to mount protocol-specifi c DoS attacks, e.g.,
in a wireless environment where an attacker can observe everyone’s transmissions but cannot interfere with the transmitted packets themselves.
. Efficiency: It must be effi cient with respect to computation, bandwidth, and number of
rounds.
. Non-Negotiated: It must avoid complex negotiations over capabilities.
. Simplicity: The resulting protocol must be as simple as possible, within the constraints
of the requirements.
The Security requirement is obvious enough (we use the security model of [Canetti and
Krawczyk 2001; 2002a]). The rest, however, require some discussion.
ACM Transactions on Information and System Security, Vol. 7, No. 2, May 2004.
Just Fast Keying: Key Agreement In A Hostile Internet
·
3
The PFS property is perhaps the most controversial. (PFS is an attribute of encrypted
communications allowing for a long-term key to be compromised without affecting the
security of past session keys.) Rather than assert that “we must have perfect forward secrecy at all costs,” we treat the amount of forward secrecy as an engineering parameter
that can be traded off against other necessary functions, such as effi ciency or resistance
to denial-of-service attacks. In fact, this corresponds quite nicely to the reality of today’s
Internet systems, where a compromise during the existence of a security association will
reveal the plaintext of any ongoing transmissions. Our protocol has a forward secrecy interval; security associations are protected against compromises that occur outside of that
interval. Specifi cally, we allow a party to reuse the same secret Diffi e-Hellman exponents
for multiple exchanges within a given time period; this may save a large number of costly
modular exponentiations.
The Privacy property means that the protocol must not reveal the identity of a participant
to any unauthorized party, including an active attacker that attempts to act as the peer.
Clearly, it is not possible for a protocol to protect both the initator and the responder against
an active attacker; one of the participants must always “go fi rst.” In general, we believe
that the most appropriate choice is to protect the initator, since the initator is typically
a relatively anonymous “client,” while the responder’s identity may already be known.
Conversely, protecting the responder’s privacy may not be of much value (except perhaps
in peer-to-peer communication): in many cases, the responder is a server with a fi xed
address or characteristics (e.g., well-known web server). One approach is to allow for a
protocol that allows the two parties to negotiate who needs identity protection. In JFK, we
decided against this approach: it is unclear what, if any, metric can be used to determine
which party should receive identity protection; furthermore, this negotiation could act as a
loophole to make initiators reveal their identity fi rst. Instead, we propose two alternative
protocols: one that protects the initator against an active attack, and another that protects
the responder. These two protocols are respectively named JFKi and JFKr.
The Memory-DoS and Computation-DoS properties have become more important in the
context of recent Internet denial-of-service attacks. Photuris [Karn and Simpson 1999]
was the fi rst published key management protocol for which DoS-resistance was a design
consideration; we suggest that these properties are at least as important today. We also
extend these properties with a general Availability requirement, by which we mean that
the protocol must try to counter attacks that aim to disrupt a legitimate exchange, especially in environments where an attacker may have limited capabilities in terms of packet
modifi cation (e.g., a wireless network).
The Efficiency property is worth discussing. In many protocols, key setup must be performed frequently enough that it can become a bottleneck to communication. The key
exchange protocol must minimize computation as well total bandwidth and round trips.
Round trips can be an especially important factor when communicating over unreliable
media. Using our protocols, only two round-trips are needed to set up a working security
association. This is a considerable saving in comparison with existing protocols, such as
IKE.
The Non-Negotiated property is necessary for several reasons. Negotiations create complexity and round trips, and hence should be avoided. Denial of service resistance is also
relevant here; a partially-negotiated security association consumes resources.
ACM Transactions on Information and System Security, Vol. 7, No. 2, May 2004.
4
·
Aiello, Bellovin, Blaze, Canetti, Ioannidis, Keromytis, Reingold
The Simplicity property is motivated by several factors. Effi ciency is one; increased likelihood of correctness is another. But our motivation is especially colored by our experience
with IKE. Even if the protocol is defi ned correctly, it must be implemented correctly; as
protocols become more complex, implementation and interoperability errors occur more
often. This hinders both security and interoperability. Our design follows the traditional
design paradigm of successful internetworking protocols: keep individual building blocks
as simple as possible; avoid large, complex, monolithic protocols. We have consciously
chosen to omit support for certain features when we felt that adding such support would
cause an increase in complexity that was disproportional to the benefi t gained.
Protocol design is, to some extent, an engineering activity, and we need to provide for
trade-offs between different types of security. There are trade-offs that we made during
the protocol design, and others, such as that between forward secrecy and computational
effort, that are left to the implementation and to the user, e.g., selected as parameters during
confi guration and session negotiation.
2.
PROTOCOL DEFINITION
We present two variants of the JFK protocol. Both variants take two round-trips (i.e., four
messages) and both provide the same level of DoS protection. The fi rst variant, denoted
JFKi, provides identity protection for the initiator even against active attacks. The identity
of the responder is not protected. This type of protection is appropriate for a client-server
scenario where the initiator (the client) may wish to protect its identity, whereas the identity
of the responder (the server) is public. As discussed in Section 4, this protocol uses the
basic design of the ISO 9798-3 key exchange protocol [IEEE 1993; Canetti and Krawczyk
2001], with modifi cations that guarantee the properties discussed in the Introduction.
The second variant, JFKr, provides identity protection for the responder against active
adversaries. Furthermore, it protects both sides’ identities against passive eavesdroppers.
This type of protection is appropriate for a peer-to-peer scenario where the responder may
wish to protect its identity. Note that it is considerably easier to mount active identityprobing attacks against the responder than against the initiator. Furthermore, JFKr provides repudiability on the key exchange, since neither side can prove to a third party that
their peer in fact participated in the protocol exchange with them. (In contrast, JFKi
authentication is non-repudiable, since each party signs the other’s identity along with
session-specifi c information such as the nonces). This protocol uses the basic design of
the Sign-and-MAC (SIGMA) protocol from [Krawczyk 2002], again with the appropriate
modifi cations.
2.1 Notation
First, some notation:
Hk (M )
Keyed hash (e.g., HMAC [Krawczyk et al. 1997]) of message M using key
k. We assume that H is a pseudorandom function. This also implies that H is
a secure message authentication (MAC) function. In some places we make a
somewhat stronger assumption relating H and discrete logarithms; see more
details within.
ACM Transactions on Information and System Security, Vol. 7, No. 2, May 2004.
Just Fast Keying: Key Agreement In A Hostile Internet
e
{M }K
Ka
·
5
Encryption using symmetric key Ke , followed by MAC authentication with
symmetric key Ka of message M . The MAC is computed over the ciphertext,
prefi xed with the literal ASCII string "I" or "R", depending on who the
message sender is (initiator or responder).
Sx [M ]
Digital signature of message M with the private key belonging to principal x
(initiator or responder). It is assumed to be a non-message-recovering signature.
The message components used in JFK are:
IPI
Initiator’s network address.
gx
Diffi e-Hellman (DH) exponentials; also identifying the group-ID.
g
i
Initiator’s current exponential, (mod p).
g
r
Responder’s current exponential, (mod p).
NI
Initiator nonce, a random bit-string.
N ′I
Initiator’s initial nonce, computed as H(NI ).
NR
Responder nonce, a random bit-string.
IDI
Initiator’s certifi cates or public-key identifying information.
IDR
Responder’s certifi cates or public-key identifying information.
IDR′
An indication by the initiator to the responder as to what authentication information (e.g., certifi cates) the latter should use.
HKr
A transient hash key private to the responder.
sa
Cryptographic and service properties of the security association (SA) that the
initiator wants to establish. It contains a Domain-of-Interpretation which JFK
understands, and an application-specifi c bit-string.
sa′
SA information the responder may need to give to the initiator (e.g., the responder’s SPI, in IPsec).
Kir
Shared key derived from g ir , N ′ I , and NR used for protecting the application
(e.g., the IPsec SA).
Ke , K a
Shared keys derived from g ir , N ′ I , and NR , used to encrypt and authenticate
Messages (3) and (4) of the protocol.
grpinfoR All groups supported by the responder, the symmetric algorithms used to
protect Messages (3) and (4), and the hash function used for key generation.
Both parties must pick a fresh nonce at each invocation of the JFK protocol. The nonces
are used in the session-key computation, to provide key independence when one or both
parties reuse their DH exponential; the session key will be different between independent
runs of the protocol, as long as one of the nonces or exponentials changes. HK R is a global
parameter for the responder — it stays the same between protocol runs, but can change
periodically.
2.2 The JFKi Protocol
The JFKi protocol consists of four messages (two round trips):
ACM Transactions on Information and System Security, Vol. 7, No. 2, May 2004.
6
·
Aiello, Bellovin, Blaze, Canetti, Ioannidis, Keromytis, Reingold
I → R : N ′ I , g i , IDR′
(1)
R → I : N ′ I , NR , g r , grpinfoR , IDR ,
SR [g r , grpinfoR ],
HHKR (g r , NR , N ′ I , IPI )
(2)
I → R : N I , NR , g i , g r ,
HHKR (g r , NR , N ′ I , IPI ),
e
{IDI , sa, SI [N ′ I , NR , g i , g r , IDR , sa]}K
Ka
(3)
e
R → I : {SR [N ′ I , NR , g i , g r , IDI , sa, sa′ ], sa′ }K
Ka
(4)
The keys Ke and Ka , used to protect the confi dentiality and integrity of Messages (3)
and (4) respectively, are computed as Hgir (N ′ I , NR , "1") and Hgir (N ′ I , NR , "2") respectively. The session key, Kir , is Hgir (N ′ I , NR , "0"). This key is passed to IPsec or,
more generally, to the application that requested key agreement services. (Note that there
may be a difference in the number of bits from the HMAC and the number produced by
the raw Diffi e-Hellman exchange; the 512 least-signifi cant bits are of gir are used as the
key in that case). If the key used by IPsec is longer than the output of the HMAC, the key
extension method of IKE is used to generate more keying material.
Message (1) is straightforward; note that it assumes that the initiator already knows a
group and generator that are acceptable to the responder. The initiator can reuse a g i value
in multiple instances of the protocol with the responder, or other responders that accept the
same group, for as long as she wishes her forward secrecy interval to be. We discuss how
the initiator can discover what groups to use in a later section. This message also contains
an indication as to which ID the initiator would like the responder to use to authenticate.
IDR′ is sent in the clear; however, the responder’s ID in Message (2) is also sent in the
clear, so there is no loss of privacy.
Message (2) is more complex. Assuming that the responder accepts the Diffi e-Hellman
group in the initiator’s message (rejections are discussed in Section 2.5), he replies with
a signed copy of his own exponential (in the same group, also (mod p)), information on
what secret key algorithms are acceptable for the next message, a random nonce, his identity (certifi cates or a string identifying his public key), and an authenticator calculated from
a secret, HKR , known to the responder; the authenticator is computed over the responder’s
exponential, the two nonces, and the initiator’s network address. The responder’s exponential may also be reused; again, it is regenerated according to the responder’s forward
secrecy interval. The signature on the exponential needs to be calculated at the same rate
as the responder’s forward secrecy interval (when the exponential itself changes). Finally,
note that the responder does not need to generate any state at this point, and the only cryptographic operation is a MAC calculation. If the responder is not under heavy load, or if
PFS is deemed important, the responder may generate a new exponential and corresponding signature for use in this exchange; of course, this would require keeping some state
(the secret part of the responder’s Diffi e-Hellman computation).
Message (3) echoes back the data sent by the responder, including the authenticator.
However, instead of the initial nonce, N ′ I , the initiator now sends its source, NI . The
authenticator is used by the responder to verify the authenticity of the returned data. The
ACM Transactions on Information and System Security, Vol. 7, No. 2, May 2004.
Just Fast Keying: Key Agreement In A Hostile Internet
·
7
authenticator also confi rms that the sender of the Message (3) used the same address as
in Message (1) — this can be used to detect and counter a “cookie jar” DoS attack 1 . A
valid authenticator indicates to the responder that a roundtrip has been completed (between
Messages (1), (2), and (3)). To check the authenticator, the responder must fi rst compute
N ′ I from its source, NI by applying the hash function H. The purpose of this scheme is to
avoid a certain attack in environments where an attacker can eavesdrop traffi c but cannot
modify already transmitted packets, e.g., in a wireless network. In such an environment, if
NI was used instead of N ′ I , the eavesdropper could construct a valid-looking Message (3)
(by copying the nonces, exponentials, and the authenticator) that would cause the responder
to perform the (expensive) public-key operations, only to then drop the packet because
further processing would detect that the message was fake (by failure to decrypt or verify
the remainder of the payload, as we shall see shortly). The responder is then left with
two options: blacklist the authenticator (causing the exchange with the initiator to fail),
or simply discard the packet (thus allowing a computation-based DoS attack). With our
approach, however, the eavesdropper cannot produce a valid NI (since that would imply a
weak hash function) and thus cannot produce a Message (3) that will pass the authenticator
verifi cation phase. If the eavesdropper cannot intercept or preempt a valid Message (3), as
may be the case with some wireless networks, they cannot hijack the initiator’s response
to mount this DoS attack. Note that if a legitimate Message (3) is transmitted over the
wireless network but is somehow not received by the Responder, an eavesdropper can use
it to mount the previously described attack. Althought the scheme is not fool-proof, it
signifi cantly raises the bar against this denial of service attack in certain environments,
without hindering the exchange under normal circumstances.
Message (3) also includes the initiator’s identity and service request, and a signature
computed over the nonces, the responder’s identity, and the two exponentials. This latter
information is all encrypted and authenticated under keys Ke and Ka , as already described.
The encryption and authentication use algorithms specifi ed in grpinfoR . The responder
keeps a copy of recently-received Messages (3), and their corresponding Message (4).
Receiving a duplicate (or replayed) Message (3) causes the responder to simply retransmit
the corresponding Message (4), without creating new state or invoking IPsec. This cache of
messages can be reset as soon as HKR is changed. The responder’s exponential (g r ) is resent by the initiator because the responder may be generating a new g r for every new JFK
protocol run (e.g., if the arrival rate of requests is below some threshold). It is important
that the responder deal with repeated Messages (3) as described above. Responders that
create new state for a repeated Message (3) open the door to attacks against the protocol
and/or underlying application (IPsec).
Note that the signature is protected by the encryption. This is necessary for identity
protection, since everything signed is public except the sa, and that is often guessable. An
attacker could verify guesses at identities if the signature were not encrypted.
Message (4) contains application-specifi c information (such as the responder’s IPsec
SPI), and a signature on both nonces, both exponentials, and the initiator’s identity. Everything is encrypted and authenticated by the same Ke and Ka used in Message (3), which
are derived from N ′ I , NR , and g ir . The encryption and authentication algorithms are
1 The “cookie jar” DoS attack involves an attacker that is willing to reveal the address of one subverted host so as
to acquire a valid cookie (or number of cookies) that can then be used by a large number of other subverted hosts
to launch a DDoS attack using the valid cookie(s).
ACM Transactions on Information and System Security, Vol. 7, No. 2, May 2004.
8
·
Aiello, Bellovin, Blaze, Canetti, Ioannidis, Keromytis, Reingold
specifi ed in grpinfoR .
2.3 Discussion
The design follows from our requirements. With respect to communication effi ciency,
observe that the protocol requires only two round trips. The protocol is optimized to protect
the responder against denial of service attacks on state or computation. The initiator bears
the initial computational burden and must establish round-trip communication with the
responder before the latter is required to perform expensive operations. At the same time,
the protocol is designed to limit the private information revealed by the initiator; she does
not reveal her identity until she is sure that only the responder can retrieve it. (An active
attacker can replay an old Message (2) as a response to the initiator’s initial message, but
he cannot retrieve the initiator’s identity from Message (3) because he cannot complete the
Diffi e-Hellman computation).
The initiator’s fi rst message, Message (1), is a straightforward Diffi e-Hellman exponential. Note that this is assumed to be encoded in a self-identifying manner, i.e., it contains
a tag indicating which modulus and base was used. The nonce N ′ I serves three purposes:
fi rst, it allows the initiator to reuse the same exponential across different sessions (with the
same or different responders, within the initiator’s forward secrecy interval) while ensuring that the resulting session key will be different. Secondly, it can be used to differentiate
between different parallel sessions (in any case, we assume that the underlying transport
protocol, i.e., UDP, can handle the demultiplexing by using different ports at the initiator).
Lastly, it allows the responder to distinguish between a valid Message (3) and one produced
by an eavesdropper, as we discussed in the previous section.
Message (2) must require only minimal work for the responder, since at that point he has
no idea whether the initiator is a legitimate correspondent or, e.g., a forged message from
a denial of service attack; no round trip has yet occurred with the initiator. Therefore, it is
important that the responder not be required at this point to perform expensive calculations
or create state. Here, the responder’s cost will be a single authentication operation, the cost
of which (for HMAC) is dominated by two invocations of a cryptographic hash function,
plus generation of a random nonce NR .
The responder may compute a new exponential g b (mod p) for each interaction. This is
an expensive option, however, and at times of high load (or attack) it would be inadvisable.
The nonce prevents two successive session keys from being the same, even if both the
initiator and the responder are reusing exponentials. One case when both sides may reuse
the same exponentials is when the initiator is a low-power device (e.g., a cellphone) and
the responder is a busy server.
A simple way of addressing DoS is to periodically (e.g., once every 30 seconds) generate
an (r, g r , HHKR (g r ), SR [g r ]) tuple and place it in a FIFO queue. As requests arrive (in
particular, as valid Messages (3) are processed), the fi rst entry from the FIFO is removed;
thus, as long as valid requests arrive at under the generation rate, PFS is provided for
all exchanges. If the rate of valid protocol requests exceeds the generating rate, a JFK
implementation should reuse the last tuple in the FIFO. Notice that in this scheme, the
same g r may be reused in different sessions, if these sessions are interleaved. This does
not violate the PFS or other security properties of the protocol.
If the responder is willing to accept the group identifi ed in the initiator’s message, his
exponential must be in the same group. Otherwise, he may respond with an exponential
from any group of his own choosing. The fi eld grpinfoR lists what groups the responder
ACM Transactions on Information and System Security, Vol. 7, No. 2, May 2004.
Just Fast Keying: Key Agreement In A Hostile Internet
·
9
fi nds acceptable, if the initiator should wish to restart the protocol. This provides a simple
mechanism for the initiator to discover the groups currently allowed by the responder. That
fi eld also lists what encryption and MAC algorithms are acceptable for the next two messages. This is not negotiated; the responder has the right to decide what strength encryption
is necessary to use his services.
Note that the responder creates no state when sending this message. If it is fraudulent,
that is, if the initiator is non-existent or intent on perpetrating a denial-of-service attack,
the responder will not have committed any storage resources.
In Message (3), the initiator echoes content from the responder’s message, including
the authenticator. The authenticator allows the responder to verify that he is in round-trip
communication with a legitimate potential correspondent. By revealing the source, N I , of
the initial nonce, N ′ I , the initiator denies an eavesdropper the ability to disrupt the protocol
exchange by transmitting a valid-looking Message (3), as discussed above. The initiator
also uses the key derived from the two exponentials and the two nonces to encrypt her
identity and service request. The initiator’s nonce is used to ensure that this session key is
unique, even if both the initiator and the responder are reusing their exponentials and the
responder has “forgotten” to change nonces.
Because the initiator can validate the responder’s identity before sending her own and because her identifying information (ignoring her public key signature) is sent encrypted, her
privacy is protected from both passive and active attackers. An active attacker can replay
an old Message (2) as a response to the initiator’s initial message, but he cannot retrieve
the initiator’s identity from Message (3) because he cannot complete the Diffi e-Hellman
computation. The service request is encrypted, too, since its disclosure might identify the
requester. The responder may wish to require a certain strength of cryptographic algorithm
for selected services.
Upon successful receipt and verifi cation of this message, the responder has a shared
key with a party known to be the initiator. The responder further knows what service the
initiator is requesting. At this point, he may accept or reject the request.
The responder’s processing on receipt of Message (3) requires verifying an authenticator
and, if that is successful, performing several public key operations to verify the initiator’s
signature and certifi cate chain. The authenticator (requiring three hash operations, two
for the HMAC computation and one for deriving N ′ I from the received NI ) is suffi cient
defense against forgery; replays, however, could cause considerable computation. The defense against this is to cache the corresponding Message (4); if a duplicate Message (3)
is seen, the cached response is retransmitted; the responder does not create any new state
or notify the application (e.g., IPsec). The key for looking up Messages (3) in the cache
is the authenticator; this prevents DoS attacks where the attacker randomly modifi es the
encrypted blocks of a valid message, causing a cache miss and thus more processing to be
done at the responder. Further, if the authenticator verifi es but there is some problem with
the message (e.g., the certifi cates do not verify), the responder can cache the authenticator
along with an indication as to the failure (or the actual rejection message), to avoid unnecessary processing (which may be part of a DoS attack). This cache of Messages (3) and
authenticators can be purged as soon as HKR is changed (since the authenticator will no
longer pass verifi cation).
Caching Message (3) and refraining from creating new state for replayed instances of
Message (3) also serves another security purpose. If the responder were to create a new
ACM Transactions on Information and System Security, Vol. 7, No. 2, May 2004.
10
·
Aiello, Bellovin, Blaze, Canetti, Ioannidis, Keromytis, Reingold
state and send a new Message (4), and a new sa′ for a replayed Message (3), then an
attacker who compromised the initiator could replay a recent session with the responder.
That is, by replaying Message (3) from a recent exchange between the initiator and the
responder, the attacker could establish a session with the responder where the session-key
would be identical to the key of the previous session (which took place when the initiator
was not yet compromised). This could compromise the Forward Security of the initiator.
There is a risk, however, in keeping this message cached for too long: if the responder’s
machine is compromised during this period, perfect forward secrecy is compromised. We
can tune this by changing the MAC key HKR more frequently. The cache can be reset
when a new HKR is chosen.
In Message (4), the responder sends to the initiator any responder-specifi c application
data (e.g., the responder’s IPsec SPI), along with a signature on both nonces, both exponentials, and the initiator’s identity. All the information is encrypted and authenticated using
keys derived from the two nonces, N ′ I and NR , and the Diffi e-Hellman result. The initiator can verify that the responder is present and participating in the session, by decrypting
the message and verifying the enclosed signature.
2.4 The JFKr Protocol
Using the same notation as in JFKi, the JFKr protocol is:
I → R : N ′ I , gi
(1)
R → I : N ′ I , NR , g r , grpinfoR ,
HHKR (g r , NR , N ′ I , IPI )
(2)
I → R : N I , NR , g i , g r ,
HHKR (g r , NR , N ′ I , IPI )
e
{IDI , IDR′ , sa, SI [N ′ I , NR , g i , g r , grpinfoR ]}K
Ka
(3)
e
R → I : {IDR , sa′ , SR [g r , NR , g i , N ′ I ]}K
Ka ,
(4)
As in JFKi, the keys used to protect Messages (3) and (4), Ke and Ka , are respectively
computed as Hgir (N ′ I , NR , "1") and Hgir (N ′ I , NR , "2"). The session key passed to
IPsec (or some other application), Kir , is Hgir (N ′ I , NR , "0").
Both parties send their identities encrypted and authenticated under Ke and Ka respectively, providing both parties with identity protection against passive eavesdroppers. In
addition, the party that fi rst reveals its identity is the initiator. This way, the responder is
required to reveal its identity only after it verifi es the identity of the initiator. This guarantees active identity protection to the responder.
We remark that it is essentially impossible, under current technology assumptions, to
have a two-round-trip protocol that provides DoS protection for the responder, passive
identity protection for both parties, and active identity protection for the initiator. An informal argument proceeds as follows: if DoS protection is in place, then the responder
must be able to send his fi rst message before he computes any shared key; This is so since
computing a shared key is a relatively costly operation in current technology. This means
that the responder cannot send his identity in the second message, without compromising his identity protection against passive eavesdroppers. This means that the responder’s
ACM Transactions on Information and System Security, Vol. 7, No. 2, May 2004.
Just Fast Keying: Key Agreement In A Hostile Internet
·
11
identity must be sent in the fourth (and last) message of the protocol. Consequently, the
initiator’s identity must be sent before the responder’s identity is sent.
2.5 Rejection Messages
Instead of sending Messages (2) or (4), the responder can send a ‘rejection’ instead. For
Message (2), this rejection can only be on the grounds that he does not accept the group
that the initiator has used for her exponential. Accordingly, the reply should indicate what
groups are acceptable. Since Message (2) already contains the fi eld grpinfoR (which indicates what groups are acceptable), no explicit rejection message is needed. (For effi ciency’s
sake, the group information could also be in the responder’s long-lived certifi cate, which
the initiator may already have.)
Message (4) can be a rejection for several reasons, including lack of authorization for
the service requested. But it could also be caused by the initiator requesting cryptographic
algorithms that the responder regards as inappropriate, given the requester (initiator), the
service requested, and possibly other information available to the responder, such as the
time of day or the initiator’s location as indicated by the network. In these cases, the
responder’s reply should list acceptable cryptographic algorithms, if any. The initiator
would then send a new Message (3), which the responder would accept anew; again, the
responder does not create any state until after a successful Message (3) receipt.
3.
WHAT JFK AVOIDS
By intent, JFK does not do certain things. It is worth enumerating them, if only to stimulate discussion about whether certain protocol features are ever appropriate. In JFK, the
“missing” features were omitted by design, in the interests of simplicity.
3.1 Multiple Authentication Options
The most obvious “omission” is any form of authentication other than by certifi cate chains
trusted by the each party. We make no provisions for shared secrets, token-based authentication, certifi cate discovery, or explicit cross-certifi cation of PKIs. In our view, these are
best accomplished by outboard protocols. Initiators that wish to rely on any form of legacy
authentication can use the protocols being defi ned by the IPSRA [Sheffer et al. 2001] or
SACRED [Arsenault and Farrell 2001; Gustafson et al. 2001] IETF working groups. While
these mechanisms do add extra round trips, the expense can be amortized across many
JFK negotiations. Similarly, certifi cate chain discovery (beyond the minimal capabilities
implicit in IDI and IDR ) should be accomplished by protocols defi ned for that purpose.
By excluding the protocols from JFK, we can exclude them from our security analysis; the
only interface between the two is a certifi cate chain, which by defi nition is a stand-alone
secure object.
We also eliminate negotiation generally, in favor of ukases issued by the responder. The
responder is providing a service; it is entitled to set its own requirements for that service.
Any cryptographic primitive mentioned by the responder is acceptable; the initiator can
choose any it wishes. We thus eliminate complex rules for selecting the “best” choice
from two different sets. We also eliminate the need that state be kept by the responder; the
initiator can either accept the responder’s desires or restart the protocol.
ACM Transactions on Information and System Security, Vol. 7, No. 2, May 2004.
12
·
Aiello, Bellovin, Blaze, Canetti, Ioannidis, Keromytis, Reingold
3.2 Phase II and Lack Thereof
JFK rejects the notion of two different phases. As will be discussed in Section 5, the
practical benefi ts of quick mode are limited. Furthermore, we do not agree that frequent
rekeying is necessary. If the underlying block cipher is suffi ciently limited as to bar longterm use of any one key, the proper solution is to replace that cipher. For example, 3DES
is inadequate for protection of very high speed transmissions, because the probability of
collision in CBC mode becomes too high after encryption of 232 plaintext blocks. Using
AES instead of 3DES solves that problem without complicating the key exchange.
Phase II of IKE is used for several things; we do not regard any of them as necessary.
One is generating the actual keying material used for security associations. It is expected
that this will be done several times, to amortize the expense of the Phase I negotiation.
A second reason for this is to permit very frequent rekeying. Finally, it permits several
separate security associations to be set up, with different parameters.
We do not think these apply. First, with modern ciphers such as AES, there is no need
for frequent key changes. AES keys are long enough that brute force attacks are infeasible.
Its longer block size protects against CBC limitations when encrypting many blocks.
We also feel that JFK is effi cient enough that avoiding the overhead of a full key exchange is not required. Rather than adding new SAs to an existing Phase I SA, we suggest
that a full JFK exchange be initiated instead. We note that the initiator can also choose to
reuse its exponential, it if wishes to trade perfect forward secrecy for computation time. If
state already exists between the initiator and the responder, they can simply check that the
Diffi e-Hellman exponentials are the same; if so, the result of the previous exponentiation
can be reused. As long as one of the two parties uses a fresh nonce in the new protocol
exchange, the resulting cryptographic keys will be fresh and not subject to a related key
(or other, similar) attack. As we discuss in Section 3.3, a similar performance optimization
can be used on the certifi cate-chain validation.
A second major reason for Phase II is dead-peer detection. IPsec gateways often need
to know if the other end of a security association is dead, both to free up resources and to
avoid “black holes.” In JFK, this is done by noting the time of the last packet received. A
peer that wishes to elicit a packet may send a “ping.” Such hosts may decline any proposed
security associations that do not permit such “ping” packets.
A third reason for Phase II is general security association control, and in particular SA
deletion. While such a desire is not wrong, we prefer not to burden the basic key exchange
mechanism with extra complexity. There are a number of possible approaches. Ours requires that JFK endpoints implement the following rule: a new negotiation that specifi es
an SPD identical to the SPD of an existing SA overwrites it. To some extent, this removes
any need to delete an SA if black hole avoidance is the concern; simply negotiate a new
SA. To delete an SA without replacing it, negotiate a new SA with a null ciphersuite.
3.3 Rekeying
When a negotiated SA expires (or shortly before it does), the JFK protocol is run again. It
is up to the application to select the appropriate SA to use among many valid ones. In the
case of IPsec, implementations should switch to using the new SA for outgoing traffi c, but
would still accept traffi c on the old SA (as long as that SA has not expired).
To address performance considerations, we should point out that, properly implemented,
rekeying only requires one signature and one verifi cation operation in each direction, if
ACM Transactions on Information and System Security, Vol. 7, No. 2, May 2004.
Just Fast Keying: Key Agreement In A Hostile Internet
·
13
both parties use the same Diffi e-Hellman exponentials (in which case, the cached result
can be reused) and certifi cates: the receiver of an ID payload compares its hash with those
of any cached ID payloads received from the same peer. While this is an implementation
detail, a natural location to cache past ID payloads is along with already established SAs
(a convenient fact, as rekeying will likely occur before existing SAs are allowed to expire,
so the ID information will be readily available). If a match is found and the result has not
“expired” yet, then we do not need to re-validate the certifi cate chain. A previously verifi ed
certifi cate chain is considered valid for the shortest of its CRL re-validate time, certifi cate
expiration time, OCSP result validity time, etc. For each certifi cate chain, there is one
such value associated (the time when one of its components becomes invalid or needs to
be checked again). Notice that an implementation does not need to cache the actual ID
payloads; all that is needed is the hash and the expiration time.
That said, if for some reason fast rekeying is needed for some application domain, it
should be done by a separate protocol.
4.
DISCUSSION OF THE SECURITY ANALYSIS
Detailed formal defi nitions and proofs of security of the JFK protocols are beyond the
scope of this paper. Nonetheless, below we sketch the main ideas of the analysis, with emphasis on those that require extending the existing techniques for key agreement protocols.
There are currently two main approaches to analyzing the security of protocols: the
formal-methods approach and the cryptographic reduction approach. In the former, the
cryptographic components of a protocol are modeled by “ideal boxes.” Then automatic
theorem-verifi cation tools are applied to the protocol. In this approach, if the verifi cation
returns a failure, the protocol has a serious flaw (and the flaw is typically explicitly presented). However, even if the verifi cation procedure does not return a flaw, it still does
not follow that the protocol is resistant to all feasible attacks. This is due to the idealized
modeling of the cryptographic primitives.
The cryptographic reduction approach provides a less abstract treatment of the security
of protocols, taking into account the imperfections of the underlying cryptographic primitives. Specifi cally, the underlying cryptographic primitives are assumed to be resistant with
high probability to all attacks that consume a given amount of resources. The probability
and resource amounts are treated as parameters. For this exposition we denote the tuple of
parameters the security level. A proof of security in this approach derives the security level
for the protocol essentially as a function of the security levels of the underlying primitives.
Intuitively, a protocol is secure if the security level of the protocol are not much smaller
than the security levels of the underlying primitives. As in the formal methods approach,
a proof of security in the cryptographic reduction approach does not imply that the protocol is resistant to all feasible attacks. However, it does imply that any effi cient attack on
the protocol can be converted into an effi cient attack on one of the underlying primitives.
Essentially a proof in the cryptographic reduction approach shows that the intractability
of attacking the protocol follows if the underlying cryptographic primitives are assumed
to be intractable to break. The security of the protocol thus rests solely on the security
assumptions on the primitives and not on any implicit or hidden assumptions.
The formal-methods approach, being automatable, has the advantage that it is less susceptible to human errors and oversights in analysis. However, when verifi able proofs are
attainable via the cryptographic reduction approach they provide more quantitive informaACM Transactions on Information and System Security, Vol. 7, No. 2, May 2004.
14
·
Aiello, Bellovin, Blaze, Canetti, Ioannidis, Keromytis, Reingold
tion about the relationship between the security of the cryptographic primitives and the
security of the protocols. This quantitative information is often very important when determining the operating parameters of the protocol.
We stress that neither approach provides full analysis of an implementation of the protocol. In particular, issues like coding errors, buffer overflows, and the like are not treated.
These should be dealt with carefully, using different tools, on an implementation-byimplementation basis.
Our analysis follows the cryptographic reduction approach. We welcome any additional
analysis. In particular, analysis based on formal methods would be a useful complement.
We separate the analysis of the “core security” of the protocol from the analysis of added
security features such as DoS protection and identity protection. We discuss fi rst the core
security.
4.1 Security of Key Agreement Protocols
JFK was designed for application environments, such as IPsec, in which many sessions of
the same protocol may be active in a given host concurrently. In such a setting the protocol
in each host must have a method of multiplexing among various active concurrent sessions.
For simplicity here we assume that each flow has an implicit or explicit session identifi er of
the initiator’s, denoted sI , which is unique among all active sessions in host I, and that each
flow, except perhaps the fi rst, has an implicit or explicit session identifi er of the responder’s,
denoted sR , which is unique among all active sessions in host R. And we denote the
session id s as the pair (sI , sR ). The cryptographic security issues for concurrent sessions
of key agreement protocols were fi rst formalized in [Bellare and Rogaway 1993]. The
starting point for our treatment and analysis is based on that of [Canetti and Krawczyk
2001], which in turn is based on [Bellare and Rogaway 1993]. See these papers for more
references and comparisons with other analytical work. We briefly sketch the security
model below which we denote the SK-security model [Canetti and Krawczyk 2001].
Very roughly, the core security of a key exchange protocol boils down to two requirements, correctness and pseudorandomness, which may be summarized as follows.
Session Key Agreement Requirements: If party A generates a key KA associated with a
session-identifi er s and peer identity B, and party B generates a key KB associated with
the same session identifi er s and peer A, then
(1) Correctness: KA must be equal to KB .
(2) Pseudorandomness: KA must be indistinguishable from a truly random string to
all parties except A, and B, and those parties that have broken into A or B or have
compromised that session of A or B.
These requirements must remain true even in the presence of adversaries. There are two
essential ideas in modeling the adversary in the SK-security model. The fi rst is to model
the network as a star with the adversary at the hub. All messages sent from one host intended for another host fi rst go to the adversary. Furthermore, the adversary can modify,
reroute, stall, reorder, inject, and/or drop any and all messages. This captures the adversary’s ability to mount “man-in-the-middle” attacks, as well as eavesdropping on packets
before sending them on their way to the intended recipient. The second modifi cation is
to allow the adversary to control the timing of events and thus, for example, to control
the interleaving of sessions made possible by the concurrent capability of the protocol. In
this model the protocol is event/message driven. In particular, a protocol session in a host
ACM Transactions on Information and System Security, Vol. 7, No. 2, May 2004.
Just Fast Keying: Key Agreement In A Hostile Internet
·
15
may be initiated by an initiate-session event in the host itself, in which case the host is the
initiator in that protocol session. Such an event specifi es the intended responder for that
session. A protocol session in a host may also be initiated by the receipt of a message from
the adversary (i.e., ostensibly from another host), in which case the host is the responder
in that protocol session. The adversary is given the power to issue initiate-session events
to hosts in any fashion it sees fi t. Recall the adversary also controls the timing of the sending and receiving of all messages. The adversary can thus create arbitrary interleavings of
messages of multiple sessions within the same host.
As alluded to above, a key agreement protocol is said to be SK-secure if it meets the
security requirements above even in the face of an adversary with the above powers that
runs in a feasible amount of time. But to be a bit more precise we need to expand on the
pseudorandomness requirement, which is to say we need to describe the meaning of pseudorandomness in our context, and the capabilities given to the adversary in its attempt to
distinguish a session key from a truly random string. In addition to dynamically initiating
sessions and controlling the timing/content of all received messages, the adversary is allowed to make session key queries. That is, it is allowed to dynamically query a host of its
choosing and receive the session key of its choosing of any thus-far completed sessions of
that host. (This models compromise of a key by some other protocol that uses the key and
perhaps leaks information about it.) The adversary is also allowed to make session-state
queries and long-term key queries (which model different levels of break-ins to the parties).
That is, it is allowed to dynamically query and receive the the internal information of the
session and the long term keys of the hosts of its choosing. Note that after the adversary
has received the long term keys of a host, all of the session keys subsequently agreed to
with that host will be known to the adversary. The adversary must at some point ask for a
challenge query. That is, it dynamically chooses a host and a thus-far completed session
as the test session. It receives in response a challenge string that is either the session key
of the test session or a random string of the same length with equal probability. The adversary may continue to query and receive session keys or long term keys after it has made its
challenge query. Eventually, the adversary must output an answer that is either “random
string” or “session key.” The goal of an adversary is for it’s probability of being correct to
exceed 1/2 by as much as possible. The session keys of a protocol meet the pseudorandom
requirement as long as the probability that any feasible adversary is correct is at most 1/2
plus a neglible amount.
The alert reader will notice that the adversary can always win the above game with
probability 1 unless some additional restrictions are imposed. In particular, the adversary
is not allowed to have queried at any time either endpoint host of the test session for the
session key of that session or for the long term keys of that host. But these are the only
restrictions placed on the behavior of the adversary.
Note that a protocol that is secure in this sense is very robust. For example, if an adversary, even one that sees every message between every host, breaks into one session, the
rest of the session keys agreed to by the various hosts do not become compromised in any
discernible way. In a very strong sense the session keys among all of the sessions behave
as independent random strings in terms of computational distinguishability. There is no
discernible correlation even between session keys of concurrent sessions in the same host.
In fact, as was shown in [Canetti and Krawczyk 2002b], this notion of security guarantees
strong secure composability properties.
ACM Transactions on Information and System Security, Vol. 7, No. 2, May 2004.
16
·
Aiello, Bellovin, Blaze, Canetti, Ioannidis, Keromytis, Reingold
We stress that this is only a rough sketch of the requirement. For full details see [Canetti
and Krawczyk 2001; 2002a].
We fi rst discuss the protocols in the restricted case where the parties do not reuse the
private DH exponents for multiple sessions.
4.1.1 The core cryptographic protocol of JFKi:. The basic cryptographic core of this
protocol is the same as the ISO 9798-3 protocol. This protocol can be briefly summarized
as below. For subsequent discussion, B plays the role of the initiator and A plays the role
of responder.
JFKi’
A ← B : NB , B, g b
(1)
A → B : NA , NB , A, g a , SA [NA , NB , g a , g b , B] (2)
A ← B : NA , NB , SB [NA , NB , g a , g b , A]
(3)
A salient point about this protocol is that each party signs, in addition to the nonces and
the two public DH exponents, the identity of the peer. If the peer’s identity is not signed
then the protocol is completely broken. JFKi inherits the same basic core security. In
addition, JFKi adds a preliminary cookie mechanism for DoS protection (which results in
adding one flow to the protocol and having the responder in JFKi play the role of A), and
encrypts the last two messages in order to provide identity protection for the initiator. We
will discuss these additions further below.
The session key for JFKi’ is derived from a pseudorandom function H with key g ab and
input NA , NB and output of the appropriate length for the subsequent session.
The JFKi’ protocol was analyzed and proven secure in [Canetti and Krawczyk 2001].
That is, [Canetti and Krawczyk 2001] show that the protocol is SK-secure if the the signature scheme is secure, the pseudorandom function H is secure, and the the Decisional
Diffi e Hellman (DDH) assumption holds. As we later will need to strengthen this latter
assumption we discuss it briefly below.
The DDH problem for the cyclic group G is as follows. With equal probability the
input is either a Diffi e Hellman tuple (g, ga , g b , g ab ) or a “random tuple” (g, g a , g b , g r )
where g is a generator of G, and where a, b, and r are random in {1, 2, . . . , |G|}. The
output is a declaration saying that the input is a Diffi e Hellman tuple or that the input is a
random tuple. The DDH assumption holds for a group G if for all feasible algorithms the
probability that the algorithm is correct at most 1/2 plus a negligible amount.
4.1.2 The core cryptographic protocol of JFKr:. The basic cryptographic core of JFKr
follows the design of the SIGMA protocol [Krawczyk 2002] (which also serves as the basis
to the signature mode of IKE). SIGMA was analyzed and proven secure in [Canetti and
Krawczyk 2002a]. This basic protocol, called JFKr’ for in the ensuing discussion, can be
briefly summarized as follows:
ACM Transactions on Information and System Security, Vol. 7, No. 2, May 2004.
Just Fast Keying: Key Agreement In A Hostile Internet
A ← B : NB , g b
·
17
(1)
A → B : NA , NB , A, g a , SA [NA , NB , g a , g b ],
(2)
HKa (NA , NB , A)
A ← B : NA , NB , B, SB [NA , NB , g a , g b ],
HKa (NA , NB , B)
(3)
Here, neither party signs the identity of its peer. Instead, each party includes a MAC
applied to its own identity (concatenated with NA and NB ). The key for the MAC and
the session key are derived as in JFKr from a pseudorandom function H with key g ab and
inputs NA , NB , “2” and NA , NB , “0”, respectively.
The proof of security of JFKr’ [Canetti and Krawczyk 2002a] assumes that the signature
scheme is secure, that H is a secure MAC, that H used for key derivation is a secure
pseudorandom function, and that the DDH assumption holds. Note that the function used
for the MAC on the wire need not be the same as the function used for key derivation. For
protocol simplicity we have assumed they are the same.
In the next section we discuss the security implications of the encryption of the third and
fourth flows in the JFK protocols. In the subsequent section we defi ne a formal model of
identity protection and discuss how it is achieved by virtue of the security of the encryption.
Finally, we discuss the security implications of the DoS protection mechanisms employed
in the JFK protocols.
4.2 Adding Encryption to the Protocols
In this section we discuss the security issues associated encrypting and MACing the last
two flows. The impetus for adding encryption to the third and fourth flows of the JFK
protocols is identity protection which we will discuss more formally in the next section.
And proving that these flows actually enjoy the appropriate encryption property is an important step in proving identity protection, as we will discuss below. But the parties may
want other information, such as policy information, to remain confi dential in these flows
as well. Thus, the confi dentiality property of these flows is important in its own right.
In both JFKi and JFKr, the third and fourth flows are encrypted and then MACed. The
encryption is assumed to be secure against adaptive chosen plaintext attacks (CPA encryption). If the keys for the encryption and the MAC can be shown to be pseudorandom then
CPA encryption followed by a secure MAC yields a confi dentiality scheme that is secure
against adaptive chosen ciphertexts attacks. Thus the confi dentiality property of these flows
rests on the pseudorandomness of the encryption and MAC keys.
Recall that the keys for the encryption and the MAC are derived by Hgir (NI , NR , “1”)
and Hgir (NI , NR , “2”) whereas the session key is derived by Hgir (NI , NR , “0”). The
pseudorandomness of these values depends on the pseudorandomness of the Diffi e Hellman value g ir which in turn depends on the DDH assumption. It is tempting to conclude
that since the session key has been proven to be pseudorandom for protocols essentially
identical to JFKi and JFKr except that the encryption and MACing are not present, that
the encryption and MAC keys are also pseudorandom given that they are derived in the
same manner. It is also tempting to conclude that since the security of the session keys of,
say, JFKi’ and JFKr’ are secure that this immediately implies that the session keys of JFKi
ACM Transactions on Information and System Security, Vol. 7, No. 2, May 2004.
18
·
Aiello, Bellovin, Blaze, Canetti, Ioannidis, Keromytis, Reingold
and JFKr are secure. Unfortunately, given the details of the model described above, this
does not follow. The essential reasons are as follows. In the standard SK-security model
described above, the adversary only queries for the session key in a host if that session is
completed in that host. But the adversary may attempt to break the confi dentiality of, say,
the third flow without allowing the session to complete. Moreover, in JFKi and JFKr more
artifacts of g ir (i.e., the encryptions and MACs using keys derived from g ir ) are available
to the adversary than in JFKi’ and JFKr’. Intuitively, these artifacts seem to be computationally useless to the adversary. Indeed, they would be if g ir were pseudorandom but this
is what we are trying to prove in the fi rst place.
To break this circular reasoning we must prove something stronger than what is proven in
the SK-security model of [Canetti and Krawczyk 2001]. We must effectively show that g ir
is pseudorandom in a well defi ned sense before it is used to derive the encryption and MAC
keys. Intuitively, this guarantees that the encryptions and MACs thus leak no discernible
information about g ir for the remainder of the session. Thus, g ir remains pseudorandom
until the end of the session and the hosts can use it to derive a pseudorandom session key.
In such a case we would have the simultaneous pseudorandomness of all of the keys.
More formally, we augment the SK-security model beyond that in [Canetti and Krawczyk
2001] as follows. For JFKi and JFKr we allow the adversary to make a session-symmetrickeys query for Ka and Ke of a session after either the initiator has sent the third flow or
after the responder has received the third flow. We also allow the adversary to ask for a
session-symmetric-keys test for a host and session of its choosing in which it is presented
with equal probability either the Ka and Ke of that session or a random string of the same
length. As with the session-symmetric-keys query, the test is either after the initiator has
sent the third flow or the responder has received the third flow. After asking for the test,
the adversary may continue to make session-symmetric-keys queries, session-key queries,
and long term key queries. The adversary must eventually output an answer that is either
“random string” or “session symmetric keys.” The goal of an adversary is for it’s probability of being correct to exceed 1/2 by as much as possible. The encryption and MAC keys
of our protocols are pseudorandom as long as the probability that any feasible adversary is
correct exceeds 1/2 by only a neglible amount. The only restriction is that the adversary
may not make session-symmetric-keys queries or long-term key queries of the “matching”
host of the session-symmetric-keys test. This restriction can be described precisely but we
omit the details here.
We can prove the simultaneous pseudorandomness of the the encryption keys, the MAC
keys, and the security of the session keys (i.e., correctness and pseudorandomness) for both
JFKi and JFKr. The proof of security assumes that the signature scheme is secure, that H
is a secure MAC, that the encryption scheme is secure against adaptive plaintext attacks,
that the H used for key derivation is a secure pseudorandom function, and that the DDH
assumption holds.
The security of the encryption and MACs of the JFK protocols goes most of the way
toward providing identity protection. Nonetheless, there are some additional subtitlies that
are useful to formalize and we do so below.
Using the security of the encryption and MAC of the JFK protocols the following can
be shown to follow. Both JFKi and JFKr provide identity protection against passive adversaries. Furthermore, JFKr provides identity protection against active adversaries for the
responder and JFKi provides identity protection against active adversaries for the intiator.
ACM Transactions on Information and System Security, Vol. 7, No. 2, May 2004.
Just Fast Keying: Key Agreement In A Hostile Internet
·
19
4.3 DoS protection
There are two elements to the DoS protection in JFKi and JFKr. The fi rst is the cookie in the
responder’s fi rst reply that enables the responder to not have to store any per session state.
The addition of this cookie to the core cryptographic protocols above does not reduce the
security. That is, an adversary that breaks the protocol with the cookie can be used to create
an adversary that breaks the protocol without the cookie. This reduction is straightforward
and the details are omitted here. We thus consider below the variants of JFKi and JFKr
which do not include these cookies.
The second element of DoS protection is to not require the responder to perform any
public key operations in its fi rst reply. To achieve this we do two things. First we add an
extra flow at the beginning of the protocol which effectively reverses the roles of A and
B in JFKi’ and JFKr’ above. In particular, the responder does not have to produce a fresh
signature for each of its fi rst replies as in JFKi’ and JFKr’. Second, we allow the responder
(and initiator) to reuse a DH value as often as it sees fi t before erasing it and using a new
DH value.
The addition of the extra round does not affect the security analysis for the session keys
beyond that of, say, JFKi’ and JFKr’ above. However, allowing the reuse of DH values
creates two main diffi culties. The fi rst requires further changes to the security model above
and the second requires a stronger assumption on the cryptographic primitives. We will
discuss these issues in turn below.
4.3.0.1 Perfect Forward Secrecy and Adaptive Forward Secrecy. A standard security
requirement for a secret key agreement protocol is perfect forward secrecy (PFS) [G ünther
1989; Diffi e et al. 1992a]. Intuitively, PFS guarantees that compromises of a host at time
t do not allow an adversary to determine session keys that have been generated and subsequently erased before time t. The models discussed above capture this property. in part.
Specifi cally, even if an adversary sees all of the session keys generated by a host after it
chooses a test session in that host, the session key of the test session is still indistinguishable from random for an SK-secure protocol.
In the case when the hosts always use a fresh, random DH value for each session, the
models are easily modifi ed to capture all of the perfect forward secrecy requirement. All
that is necessary is the partial removal of a restriction placed on the adversary. In the
models above, the adversary is not allowed to have made a long term key query of either
of the hosts of the completed test session, either before it made the test session or after.
To model PFS, the adversary is allowed to make long term key queries (in addition to the
session key queries that it is already allowed) of the hosts of a test session after the session
is complete (but it is still not allowed to have made a long term key query of either of the
hosts of the test session before the test session is begun). A protocol achieves PFS security
if it is secure against this more powerful adversary. Assuming that all hosts delete g ir as
soon as possible, JFKi and JFKr achieve PFS when they use fresh, random DH values for
each session.
We now discuss the security of JFKi and JFKr in the case that hosts reuse their DH
exponent and value over multiple KE-sessions within a given time period. This provides
some measure of protection against denial of service attacks. But it comes at the price of
slightly weakening the perfect forward secrecy. To see this suppose that the test session
of the adversary involves a responder that was using the DH exponent and value r and
g r , respectively, for that session. Suppose that the responder continues to use these values
ACM Transactions on Information and System Security, Vol. 7, No. 2, May 2004.
20
·
Aiello, Bellovin, Blaze, Canetti, Ioannidis, Keromytis, Reingold
and the adversary subsequently breaks into this host. In this case the adversary can clearly
compromise the test session key.
In spite of this, the JFK protocols with DH reuse still enjoy an “intermediate” level
of forward secrecy which we call adaptive forward secrecy (AFS). The intuition is as
follows. We consider that the Diffi e Hellman exponent and value are used in phases by a
host. During a phase, a single DH exponent and value are used for all sessions that are
initiated in that phase. A host may choose new DH values and begin a new phase at any
time, and it may make that decision to start a new phase in an adaptive manner. (We assume
here that when a new phase starts, the DH values of the previous stage are erased and any
received messages generated by sessions started with previous DH values receive a failure
reply. We can also model protocols that keep several DH values in memory for received
messages but for simplicity we do not consider that here.)
Clearly, with such a protocol, if an adversary breaks into a host even at the end of a
phase, all of the session keys generated during that phase would be compromised. But
some protocols may have the property that even if a host is broken into during a phase,
all session keys generated during all previous phases remain secure. Protocols with this
property are said to have adaptive forward secrecy.
To formalize adaptive forward secrecy (AFS), we modify the basic defi nition of SKsecurity yet again (this modifi cation comes instead of the modifi cation leading to the defi nition of perfect forward secrecy (PFS)). The modifi cation is as follows.
On top of its usual capabilities in the SK model, we provide the adversary with a new
capability: At any time during the computation, the adversary can activate a new AFS
phase in a host of its choosing. In response, the protocol may instruct the host to perform
some protocol steps.
The distinguishing game for the adversary is the same as in the fi rst SK security defi nition but with a new restriction on the adversary’s long-term key queries. There cannot be a
long term key query of either host of the test session at any time during either AFS phase
in which the test session was initiated and completed.
A natural four round variant of JFKr and JFKi without the encryption and MACing for
identity protection but with DH reuse can be shown to have AFS security under the DDH
assumption. However, as we will discuss below, the DDH assumption is not suffi cient for
AFS security or identity protection when the third and fourth flows of the JFK protocols
are encrypted and MACed.
4.3.0.2 The Malleability of Diffie Hellman Values. Re-using the Diffi e-Hellman values
for multiple sessions may potentially cause another problem, which is unrelated to forward
secrecy, and has to do with the “core security” of the protocol. Let us sketch this potential
problem and the way we deal with it in the analysis.
Consider the following scenario in JFKi. The adversary starts a new AFS phase in hosts
I and R and records an entire session-key protocol where I and R play the role of the
initiator and responder, respectively. The adversary subsequently gives an initiate-session
event to I with responder R. The adversary receives the fi rst flow from I but does not
pass it on to R. Instead, it sends back to I a replay of R’s previous flow 2 but with I’s
new nonce and a new DH value, say, g 2r . Note that the adversary can easily compute this
given just the g r it saw in the fi rst complete session. I receives this message, calculates
new encryption and MAC keys using H with function key g 2ir , and sends flow 3 to the
adversary.
ACM Transactions on Information and System Security, Vol. 7, No. 2, May 2004.
Just Fast Keying: Key Agreement In A Hostile Internet
initiator
·
21
responder
Initiator Diffie−
Hellman public
value
c value
e−Hellman publi
Responder Diffi
Initiator RSA sig
nature and certi
Responder RSA
ficate(s)
rtificate(s)
signature and ce
Fig. 1. 4-message Station to Station key agreement protocol.
This is precisely where a problem occurs with the standard security assumptions of our
the cryptographic primitives. The security of a pseudorandom function such as H assumes
that the function keys used by H are random and independent. But here the adversary has
induced I to compute H using a pair of function keys that are random but not independent.
In fact, the dependence is set by the adversary. This is an example of the malleability of the
Diffi e Hellman key exchange. In this example one function key is the square of the other.
To achieve a proof of AFS security and identity protection when DH values are reused in
the JFK protocols we require stronger assumptions on our cryptographic primitives. Rather
than using the standard pseudo random function security assumption for H and the standard DDH assumption, we use what we call the combined H/DDH security assumption.
Roughly, this assumption is as follows. An adversary is given g, g r , and g i , for random i
and r, and in addition is given Hgir (x) for a known x potentially of its choosing. Combined H/DDH security requires that this value remains computationally indistinguishable
from a random value even when the adversary queries for and is given the values of H k (y)
for y’s of its choosing and k’s of the form ur or v i , for u or v of its choosing in G. The
only restriction is that it may not choose y = x and u = g i or y = x and v = g r since in
these cases the query would return the value Hgir (x) itself.
As an example, since the adversary knows g i , it can compute a u of the form g ik for a
k of its choosing. It can subsequently query H with key g ikr . While the exact value of
the two keys remains unknown to the adversary, it does know that the second key is a kth
power of the original DH key.
Using this combined H/DDH assumption, in concert with secure signatures, encryption,
and MACS, we can show that the JFK protocols with DH reuse achieve AFS security and
identity protection.
5.
RELATED WORK
The basis for most key agreement protocols based on public-key signatures has been the
Station to Station (StS) [Diffi e et al. 1992b] protocol. In its simplest form, shown in FigACM Transactions on Information and System Security, Vol. 7, No. 2, May 2004.
22
·
Aiello, Bellovin, Blaze, Canetti, Ioannidis, Keromytis, Reingold
ure 1, this consists of a Diffi e-Hellman exchange, followed by a public key signature authentication step, typically using the RSA algorithm in conjunction with some certifi cate
scheme such as X.509. In most implementations, the second message is used to piggyback the responder’s authentication information, resulting in a 3-message protocol, shown
in Figure 2. Other forms of authentication may be used instead of public key signatures
(e.g., Kerberos[Miller et al. 1987] tickets, or preshared secrets), but these are typically applicable in more constrained environments. While the short version of the protocol has
been proven to be the most effi cient [Gong 1995] in terms of messages and computation,
it suffers from some obvious DoS vulnerabilities.
5.1 Internet Key Exchange (IKE)
The Internet Key Exchange protocol (IKE) [Harkins and Carrel 1998] is the current IETF
standard for key establishment and SA parameter negotiation. IKE is based on the ISAKMP
[Maughan et al. 1998] framework, which provides encoding and processing rules for a set
of payloads commonly used by security protocols, and the Oakley protocol, which describes an adaptation of the StS protocol for use with IPsec.2 The public-key encryption
modes of IKE are based on SKEME [Krawczyk 1996].
IKE is a two-phase protocol: during the fi rst phase, a secure channel between the two
key management daemons is established. Parameters such as an authentication method,
encryption/hash algorithms, and a Diffi e-Hellman group are negotiated at this point. This
set of parameters is called a “Phase I SA.” Using this information, the peers authenticate
each other and compute key material using the Diffi e-Hellman algorithm. Authentication
can be based on public key signatures, public key encryption, or preshared passphrases.
There are efforts to extend this to support Kerberos tickets [Miller et al. 1987] and handheld authenticators. It should also be noted that IKE can support other key establishment
mechanisms (besides Diffi e-Hellman), although none has been proposed yet.3
Furthermore, there are two variations of the Phase I message exchange, called “main
mode” and “aggressive mode.” Main mode provides identity protection, by transmitting
the identities of the peers encrypted, at the cost of three message round-trips (see Figure 3).
Aggressive mode provides somewhat weaker guarantees, but requires only three messages
(see Figure 4).
As a result, aggressive mode is very susceptible to untraceable4 denial of service (DoS)
attacks against both computational and memory resources [Simpson 1999]. Main mode is
also susceptible to untraceable memory exhaustion DoS attacks, which must be compensated for in the implementation using heuristics for detection and avoidance. To wit:
—The responder has to create state upon receiving the fi rst message from the initiator,
since the Phase I SA information is exchanged at that point. This allows for a DoS
attack on the responder’s memory, using random source-IP addresses to send a flood
2 We
remark, however, that the actual cryptographic core of IKE’s signature mode is somewhat different than
Oakley. In Oakley the peer authentication is guaranteed by having each party explicitly sign the peer identity.
In contrast, IKE guarantees peer authentication by having each party MAC its own identity using a key derived
from the agreed Diffie-Hellman secret. This method of peer authentication is based on the Sign-and-Mac design [Krawczyk 2002].
3 There is ongoing work (still in its early stages) in the IETF to use IKE as a transport mechanism for Kerberos
tickets, for use in protecting IPsec traffic.
4 The attacker can use a forged address when sending the first message in the exchange.
ACM Transactions on Information and System Security, Vol. 7, No. 2, May 2004.
Just Fast Keying: Key Agreement In A Hostile Internet
initiator
·
23
responder
Initiator Diffie−
Hellman public
value
c value
e−Hellman publi
Responder Diffi
ate(s)
fic
rti
ce
d
an
e
signatur
Responder RSA
Initiator RSA sig
nature and certi
ficate(s)
Fig. 2. 3-message Station to Station key agreement protocol.
of requests. To counter this, the responder could employ mechanisms similar to those
employed in countering TCP SYN attacks [Heberlein and Bishop 1996; CERT 1996;
Schuba et al. 1997]. JFK maintains no state at all after receiving the fi rst message.
—An initiator who is willing to go through the fi rst message round-trip (and thus identify
her address) can cause the responder to do a Diffi e-Hellman exponential generation as
well as the secret key computation on reception of the third message of the protocol.
The initiator could do the same with the fi fth message of the protocol, by including a
large number of bogus certifi cates, if the responder blindly verifi es all signatures. JFK
mitigates the effects of this attack by reusing the same exponential across different sessions.
The second phase of the IKE protocol is commonly called “quick mode” and results in
IPsec SAs being established between the two negotiating parties, through a three-message
exchange. Parameters such as the IP security protocol to use (ESP/AH), security algorithms, the type of traffi c that will be protected, etc. are negotiated at this stage. Since
the two parties have authenticated each other and established a shared key during Phase
I, quick mode messages are encrypted and authenticated using that information. Furthermore, it is possible to derive the IPsec SA keying material from the shared key established
during the Phase I Diffi e-Hellman exchange. To the extent that multiple IPsec SAs between the same two hosts are needed, this two-phase approach results in faster and more
lightweight negotiations (since the same authentication information and keying material is
reused).
Unfortunately, two hosts typically establish SAs protecting all the traffi c between them,
limiting the benefi ts of the two-phase protocol to lightweight re-keying. If PFS is desired,
this benefi t is further diluted.
Another problem of the two-phase nature of IKE manifests itself when IPsec is used for
fi ne-grained access control to network services. In such a mode, credentials exchanged in
the IKE protocol are used to authorize users when connecting to specifi c services. Here,
a complete Phase I & II exchange will have to be done for each connection (or, more
generally, traffi c class) to be protected, since credentials, such as public key certifi cates,
are only exchanged during Phase I.
ACM Transactions on Information and System Security, Vol. 7, No. 2, May 2004.
24
·
Aiello, Bellovin, Blaze, Canetti, Ioannidis, Keromytis, Reingold
initiator
responder
Initiator cookie,
proposed phase
1 SA
ase1 SA
ie, accepted Ph
Responder cook
Initiator Diffie-H
ellman value &
Nonce
e-Hellman value
Responder Diffi
Initiator signatur
& Nonce
e, certs & identi
ty
ntity
ture, certs & ide
Responder signa
Fig. 3. IKE Main Mode exchange with certificates.
IKE protects the identities of the initiator and responder from eavesdroppers. 5 The identities include public keys, certifi cates, and other information that would allow an eavesdropper to determine which principals are trying to communicate. These identities can be
independent of the IP addresses of the IKE daemons that are negotiating (e.g., temporary
addresses acquired via DHCP, public workstations with smartcard dongles, etc.). However,
since the initiator reveals her identity fi rst (in message 5 of Main Mode), an attacker can
pose as the responder until that point in the protocol. The attackers cannot complete the
protocol (since they do not possess the responder’s private key), but they can determine
the initiator’s identity. This attack is not possible on the responder, since she can verify
the identity of the initiator before revealing her identity (in message 6 of Main Mode).
However, since most responders would correspond to servers (fi rewalls, web servers, etc.),
the identity protection provided to them seems not as useful as protecting the initiator’s
identity.6 Fixing the protocol to provide identity protection for the initiator would involve
reducing it to 5 messages and having the responder send the contents of message 6 in message 4, with the positive side-effect of reducing the number of messages, but breaking the
message symmetry and protocol modularity.
Finally, thanks to the desire to support multiple authentication mechanisms and different
modes of operation (Aggressive vs. Main mode, Phase I / II distinction), both the protocol
specifi cation and the implementations tend to be bulky and fairly complicated. These are
undesirable properties for a critical component of the IPsec architecture.
Several works (including [Ferguson and Schneier 1999; Kaufman and Perlman 2000;
5 Identity protection is provided only in Main Mode (also known as Identity Protection Mode); Aggressive Mode
does not provide identity protection for the initiator.
6 One case where protecting the responder’s identity can be more useful is in peer-to-peer scenarios.
ACM Transactions on Information and System Security, Vol. 7, No. 2, May 2004.
Just Fast Keying: Key Agreement In A Hostile Internet
initiator
·
25
responder
Initiator cookie,
proposed Phase
1 SA
Initiator Diffie−
Hellman value
& Identity
ase1 SA
ie, accepted Ph
Responder cook
Identity
&
lue
va
an
e−Hellm
ate(s)
fic
Responder Diffi
rti
ce
d
an
e
tur
Responder signa
Initiator signatur
e and certificate
(s)
Fig. 4. IKE Aggressive Mode exchange with certificates.
Kaufman et al. 2001]) point out many defi ciencies in the IKE protocol, specifi cation, and
common implementations. They suggest removing several features of the protocol (e.g.,
aggressive mode, public key encryption mode, etc.), restore the idea of stateless cookies, and protect the initiator’s (instead of the responder’s) identity from an active attacker.
They also suggest some other features, such as one-way authentication (similar to what
is common practice when using SSL/TLS [Dierks and Allen 1999] on the web). These
major modifi cations would bring the IKE protocol closer to JFK, although they would not
completely address the DoS issues.
A measure of the complexity of IKE can be found in the analyses done in [Meadows
1999a; 2000]. No less than 13 different sub-protocols are identifi ed in IKE, making understanding, implementation, and analysis of IKE challenging. While the analysis did not
reveal any attacks that would compromise the security of the protocol, it did identify various potential attacks (DoS and otherwise) that are possible under some valid interpretations
of the specifi cation and implementation decisions.
Some work has been done towards addressing, or at least examining, the DoS problems found in IKE [Matsuura and Imai 1999; 2000] and, more generally, in public key
authentication protocols [Leiwo et al. 2000; Jakobsson and Juels 1999]. Various recommendations on protocol design include use of client puzzles [Juels and Brainard 1999;
Aura et al. 2000], stateless cookies [Oppliger 1999], forcing clients to store server state,
rearranging the order of computations in a protocol [Hirose and Matsuura 1999], and the
use of a formal-methods framework for analyzing the properties of protocols with respect
to DoS attacks [Meadows 1999b]. The advantages of being stateless, at least in the beginning of a protocol run, were recognized in the security protocol context in [Janson et al.
1997] and [Aura and Nikander 1997]. The latter presented a 3-message version of IKE,
similar to JFK, that did not provide the same level of DoS protection as JFK does, and had
no identity protection.
5.2 IKEv2
IKEv2 [Harkins et al. 2002] is another proposal for replacing the original IKE protocol.
The cryptographic core of the protocol, as shown in Figure 5, is very similar to JFKr. The
ACM Transactions on Information and System Security, Vol. 7, No. 2, May 2004.
26
·
Aiello, Bellovin, Blaze, Canetti, Ioannidis, Keromytis, Reingold
initiator
responder
Initiator Keyin
Initiator cookieg Material, Phase I SA,
,
rial, Phase 1 SA
g Mate
Responder Keyin
ie
ok
co
r
Responde
Initiator authenti
Phase II SA, Tr cation and certificate(s)
affic Selectors,
Identities
rtificate(s)
ntication and ce
Responder authe II SA and Traffic Selectors
e
as
Ph
Accepted
Fig. 5. IKEv2 protocol exchange.
main differences between IKEv2 and JFKr are:
—IKEv2 implements DoS protection by optionally allowing the responder to respond to a
Message (1) with a cookie, which the sender has to include in a new Message (1). Under
normal conditions, the exchange would consist of the 4 messages shown; however, if the
responder detects a DoS attack, it can start requiring the extra roundtrip. One claimed
benefi t of this extra roundtrip is the ability to avoid memory-based DoS attacks against
the fragmentation/reassembly part of the networking stack. (Briefly, the idea behind
such an attack is that an attacker can send many incomplete fragments that fi ll out the
reassembly queue of the responder, denying service to other legitimate initiators. In
IKEv2, because the “large” messages are the last two in the exchange, it is possible for
the implementation to instruct the operating system to place fragments received from
peers that completed a roundtrip to a separate, reserved reassembly queue.)
—IKEv2 supports a Phase II exchange, similar to the Phase I/Phase II separation in the
original IKE protocol. It supports creating subsequent IPsec SAs with a single roundtrip,
as well as SA-teardown using this Phase II.
—IKEv2 proposals contain multiple options that can be combined in arbitrary ways; JFK,
in contrast, takes the approach of using ciphersuites, similar to the SSL/TLS protocols [Dierks and Allen 1999].
—IKEv2 supports legacy authentication mechanisms (in particular, pre-shared keys). JFK
does not, by design, support other authentication mechanisms, as discussed in Section 3;
while it is easy to do so (and we have a variant of JFKr that can do this without loss of
security), we feel that the added value compared to the incurred complexity does not
justify the inclusion of this feature in JFK.
Apart from these main differences, there are a number of superfi cial ones (e.g., the
“wire” format) which are more a matter of taste than of difference in protocol design philosophy. The authors of the two proposals have helped create a joint draft [Hoffman 2002],
submitted to the IETF IPsec Working Group. In that draft, a set of design options reflectACM Transactions on Information and System Security, Vol. 7, No. 2, May 2004.
Just Fast Keying: Key Agreement In A Hostile Internet
·
27
ing the differences in the two protocols is presented to the working group. Concurrent with
the writing of this paper, and based on this draft, a unifi ed proposal is being written. This
unifi ed proposal combines properties from both JFK and IKEv2. It adopts the approach of
setting up a security association within two round trips, while providing DoS protection for
the responder (and, in particular, allowing the responder to be almost completely stateless
between the sending of message 2 and the receipt of message 3.)
5.3 Other Protocols
The predecessor to IKE, Photuris [Karn and Simpson 1999], fi rst introduced the concept of
cookies to counter “blind” denial of service attacks. The protocol itself is a 6-message variation of the Station to Station protocol. It is similar to IKE in the message layout and purpose, except that the SA information has been moved to the third message. For re-keying, a
two-message exchange can be used to request a uni-directional SPI (thus, to completely rekey, 4 messages are needed). Photuris is vulnerable to the same computation-based DoS
attack as IKE, mentioned above. Nonetheless, one of the variants of this protocol has 4
messages and provided DoS protection via stateless cookies.
SKEME [Krawczyk 1996] shares many of the requirements for JFK, and many aspects
of its design were adopted in IKE. It serves more as a set of protocol building blocks,
rather than a specifi c protocol instance. Depending on the specifi c requirements for the
key management protocol, these blocks could be combined in several ways. An interesting
aspect of SKEME is its avoidance of digital signatures; public key encryption is used
instead, to provide authentication assurances. The reason behind this was to allow both
parties of the protocol to be able to repudiate the exchange.
SKIP [Aziz and Patterson 1995] was an early proposal for an IPsec key management
mechanism. It uses long-term Diffi e-Hellman public keys to derive long-term shared keys
between parties, which is used to distribute session keys between the two parties. The
distribution of the session key occurs in-band, i.e., the session key is encrypted with the
long-term key and is injected in the encrypted packet header. While this scheme has good
synchronization properties in terms of re-keying, the base version lacks any provision for
PFS. It was later provided via an extension [Aziz 1996]. However, as the authors admit, this
extension detracts from the original properties of SKIP. Furthermore, there is no identity
protection provided, since the certifi cates used to verify the Diffi e-Hellman public keys are
(by design) publicly available, and the source/destination master identities are contained
in each packet (so that a receiver can retrieve the sender’s Diffi e-Hellman certifi cate). The
latter can be used to mount a DoS attack on a receiver, by forcing them to retrieve and
verify a Diffi e-Hellman certifi cate, and then compute the Diffi e-Hellman shared secret.
The Host Identity Payload (HIP) [Moskowitz 2001] uses cryptographic public keys as
the host identifi ers, and introduces a set of protocols for establishing SAs for use in IPsec.
The HIP protocol is a four-packet exchange, and uses client puzzles to limit the number of
sessions an attacker can initiate. HIP also allows for reuse of the Diffi e-Hellman value over
a period of time, to handle a high rate of sessions. For re-keying, a HIP packet protected by
an existing IPsec session is used. HIP does not provide identity protection, and it depends
on the existence of an out-of-band mechanism for distributing keys and certifi cates, or on
extra HIP messages for exchanging this information (thus, the message count is effectively
6, or even 8, for most common usage scenarios).
ACM Transactions on Information and System Security, Vol. 7, No. 2, May 2004.
28
6.
·
Aiello, Bellovin, Blaze, Canetti, Ioannidis, Keromytis, Reingold
CONCLUSION
Over the years, many different key exchange protocols have been proposed. Some have
had security flaws; others have not met certain requirements.
JFK addresses the fi rst issue by simplicity, and by a proof of correctness. (Again, full
details of this are deferred to the analysis paper.) We submit that proof techniques have
advanced enough that new protocols should not be deployed without such an analysis. We
also note that the details of the JFK protocol changed in order to accommodate the proof:
tossing a protocol over the wall to the theoreticians is not a recipe for success. But even a
proof of correctness is not a substitute for simplicity of design; apart from the chance of
errors in the formal analysis, a complex protocol implies a complex implementation, with
all the attendant issues of buggy code and interoperability problems.
The requirements issue is less tractable, because it is not possible to foresee how threat
models or operational needs will change over time. Thus, StS is not suitable for an environment where denial of service attacks are a concern. Another comparatively-recent
requirement is identity protection. But the precise need — whose identity should be protected, and under what threat model — is still unclear, hence the need for both JFKi and
JFKr.
Finally, and perhaps most important, we show that some attributes often touted as necessities are, in fact, susceptible to a cost-benefi t analysis. Everyone understands that
cryptographic primitives are not arbitrarily strong, and that cost considerations are often
used in deciding on algorithms, key lengths, block sizes, etc. We show that DoS-resistance
and perfect forward secrecy have similar characteristics, and that it is possible to improve
some aspects of a protocol (most notably the number of round trips required) by treating
others as parameters of the system, rather than as absolutes.
ACKNOWLEDGMENTS
Ran Atkinson, Matt Crawford, Paul Hoffman, and Eric Rescorla provided useful comments, and discussions with Hugo Krawczyk proved very useful. Dan Harkins suggested
the inclusion of IPI in the authenticator. David Wagner made useful suggestions on the
format of Message (2) in JFKi. The design of the JFKr protocol was influenced by the
SIGMA and IKEv2 protocols. Yogesh Swami proposed the scheme protecting against
Message (3) DoS attacks.
REFERENCES
A IELLO , W., B ELLOVIN , S. M., B LAZE , M., C ANETTI , R., I OANNIDIS , J., K EROMYTIS , A. D., AND R EIN GOLD , O. 2003. Efficient, DoS-Resistant, Secure Key Exchange for Internet Protocols. In Proceedings of the
ACM Computer and Communications Security (CCS) Conference. 48–58.
A RSENAULT, A. AND FARRELL , S. 2001. Securely available credentials - requirements. Request for Comments
3157, Internet Engineering Task Force. Aug.
AURA , T. AND N IKANDER , P. 1997. Stateless connections. In Proc. of International Conferenec on Information
and Communications Security (ICICS ’97), Lecture Notes in Computer Science volume 1334. Springer, 87–97.
AURA , T., N IKANDER , P., AND L EIWO , J. 2000. DOS-resistant authentication with client puzzles. In Proc. of
the 8th International Workshop on Security Protocols.
A ZIZ , A. 1996. SKIP extension for perfect forward secrecy (PFS). Internet Draft, Internet Engineering Task
Force. August.
A ZIZ , A. AND PATTERSON , M. 1995. Simple Key Management for Internet Protocols (SKIP). In Proc. of the
1995 INET conference.
ACM Transactions on Information and System Security, Vol. 7, No. 2, May 2004.
Just Fast Keying: Key Agreement In A Hostile Internet
·
29
B ELLARE , M. AND ROGAWAY, P. 1993. Entity Authentication and Key Distribution. In Proc. of the Crypto
conference.
C ANETTI , R. AND K RAWCZYK , H. 2001. Analysis of Key-Exchange Protocols and Their Use for Building
Secure Channels. In Proc. of the Eurocrypt conference.
C ANETTI , R. AND K RAWCZYK , H. 2002a. Security Analysis of IKE’s Signature-based Key-Exchange Protocol.
In Proc. of the Crypto conference.
C ANETTI , R. AND K RAWCZYK , H. 2002b. Universally Composable Notions of Key Exchange and Secure
Channels. In Proc. of the EuroCrypt conference.
CERT. 1996.
Advisory CA-96.21: TCP SYN Flooding.
ftp://info.cert.org/pub/cert advisories/CA96.21.tcp syn flooding.
D IERKS , T. AND A LLEN , C. 1999. The TLS protocol version 1.0. Request for Comments (Proposed Standard)
2246, Internet Engineering Task Force. Jan.
D IFFIE , W., VAN O ORSCHOT, P., AND W IENER , M. 1992a. Authentication and authenticated key exchanges.
Designs, Codes and Cryptography 2, 2, 107–125.
D IFFIE , W., VAN O ORSCHOT, P., AND W IENER , M. 1992b. Authentication and Authenticated Key Exchanges.
Designs, Codes and Cryptography 2, 107–125.
F ERGUSON , N. AND S CHNEIER , B. 1999. A Cryptographic Evaluation of IPSec. http://www.
counterpane.com/ipsec.html.
G ONG , L. 1995. Efficient Network Authentication Protocols: Lower Bounds and Optimal Implementations.
Distributed Computing 9, 3, 131–145.
G ÜNTHER , C. G. 1989. An identity-based key-exchange protocol. In Proc. of the EuroCrypt Conference. 29–37.
G USTAFSON , D., J UST, M., AND N YSTROM , M. 2001. Securely available credentials - credential server framework. Internet Draft, Internet Engineering Task Force. Aug. Work in progress.
H ARKINS , D. AND C ARREL , D. 1998. The Internet Key Exchange (IKE). Request for Comments (Proposed
Standard) 2409, Internet Engineering Task Force. Nov.
H ARKINS , D., K AUFMAN , C., K ENT, S., K IVINEN , T., AND P ERLMAN , R. 2002. Proposal for the IKEv2
Protocol. Internet Draft, Internet Engineering Task Force. April. Work in progress.
H EBERLEIN , L. AND B ISHOP, M. 1996. Attack Class: Address Spoofing. In Proceedings of the 19th National
Information Systems Security Conference. 371–377.
H IROSE , S. AND M ATSUURA , K. 1999. Enhancing the resistance of a provably secure key agreement protocol
to a denial-of-service attack. In Proc. of the 2nd International Conference on Information and Communication
Security (ICICS ’99). 169–182.
H OFFMAN , P. 2002. Features of Proposed Successors to IKE. Internet Draft, Internet Engineering Task Force.
April. Work in progress.
IEEE. 1993. Entity authentication mechanisms —part 3: Entity authentication using asymmetric techniques.
Tech. Rep. ISO/IEC IS 9798-3, ISO/IEC.
JAKOBSSON , M. AND J UELS , A. 1999. Proofs of work and bread pudding protocols. In Proc. of the IFIP TC6
and TC11 Joint Working Conference on Communications and Multimedia Security.
JANSON , P., T SUDIK , G., AND Y UNG , M. 1997. Scalability and flexibility in authentication services: the
KryptoKnight approach. In Proc. of IEEE INFOCOM. 725–736.
J UELS , A. AND B RAINARD , J. 1999. Client puzzles: A cryptographic countermeasure against connection depletion attacks. In Proc. of the Network and Distributed Systems Security Symposium (NDSS ’99). 151–165.
K ARN , P. AND S IMPSON , W. 1999. Photuris: Session-key management protocol. Request for Comments 2522,
Internet Engineering Task Force. Mar.
K AUFMAN , C. ET AL . 2001. Code-preserving Simplifications and Improvements to IKE. Internet Draft, Internet
Engineering Task Force. July. Work in progress.
K AUFMAN , C. AND P ERLMAN , R. 2000. Analysis of IKE. In IEEE Transactions on Network Computing,.
K RAWCZYK , H. 1996. SKEME: A Versatile Secure Key Exchange Mechanism for Internet. In Proc. of Network
and Distributed System Security Symposium (NDSS).
K RAWCZYK , H. 2002. Invited Talk. SIGMA: the SIGn-and-MAc Approach to Authenticated Diffie Hellman
and its Use in the IKE Protocols. In Proc. of the Crypto conference.
K RAWCZYK , H., B ELLARE , M., AND C ANETTI , R. 1997. HMAC: keyed-hashing for message authentication.
Request for Comments 2104, Internet Engineering Task Force. Feb.
ACM Transactions on Information and System Security, Vol. 7, No. 2, May 2004.
30
·
Aiello, Bellovin, Blaze, Canetti, Ioannidis, Keromytis, Reingold
L EIWO , J., N IKANDER , P., AND AURA , T. 2000. Towards network denial of service resistant protocols. In
Proc. of the 15th International Information Security Conference (IFIP/SEC).
M ATSUURA , K. AND I MAI , H. 1999. Resolution of ISAKMP/Oakley key-agreement protocol resistant against
denial-of-service attack. In Proc. of Internet Workshop (IWS ’99). 17–24.
M ATSUURA , K. AND I MAI , H. 2000. Modified aggressive mode of Internet key exchange resistant against
denial-of-service attacks. IEICE Transactions on Information and Systems E83-D, 5 (May), 972–979.
M AUGHAN , D., S CHERTLER , M., S CHNEIDER , M., AND T URNER , J. 1998. Internet security association and
key management protocol (ISAKMP). Request for Comments (Proposed Standard) 2408, Internet Engineering
Task Force. Nov.
M EADOWS , C. 1999a. Analysis of the Internet Key Exchange protocol using the NRL protocol analyzer. In
Proc. of the IEEE Symposium on Security and Privacy. 216–231.
M EADOWS , C. 1999b. A formal framework and evaluation method for network denial of service. In Proc. of
the 12th IEEE Computer Security Foundations Workshop. 4–13.
M EADOWS , C. 2000. Open issues in formal methods for cryptographic protocol analysis. In Proc. of DARPA
Information Survivability Conference and Exposition (DISCEX 2000). IEEE Computer Society Press, 237–
250.
M ILLER , S. P., N EUMAN , B. C., S CHILLER , J. I., AND S ALTZER , J. H. 1987. Kerberos Authentication and
Authorization System. Tech. rep., MIT. December.
M OSKOWITZ , R. 2001. The Host Identity Payload. Internet Draft, Internet Engineering Task Force. July. Work
in progress.
O PPLIGER , R. 1999. Protecting key exchange and management protocols against resource clogging attacks.
In Proc. of the IFIP TC6 and TC11 Joint Working Conference on Communications and Multimedia Security
(CMS ’99). 163–175.
S CHUBA , C., K RSUL , I., K UHN , M., S PAFFORD , E., S UNDARAM , A., AND Z AMBONI , D. 1997. Analysis of
a denial of service attack on tcp. In IEEE Security and Privacy Conference (Oakland). 208–223.
S HEFFER , Y., K RAWCZYK , H., AND A BOBA , B. 2001. PIC, a pre-IKE credential provisioning protocol. Internet
Draft, Internet Engineering Task Force. Nov. Work in progress.
S IMPSON , W. A. 1999. IKE/ISAKMP Considered Harmful. USENIX ;login:.
ACM Transactions on Information and System Security, Vol. 7, No. 2, May 2004.