Common use of Other Protocols Clause in Contracts

Other Protocols. The predecessor to IKE, Photuris [Xxxx and Xxxxxxx 1999], first introduced the concept of cookies to counter “blind” DoS attacks. The protocol itself is a six-message variation of the StS protocol. It is similar to IKE in the message layout and purpose, except that the SA information has been moved to the third message. For rekeying, a two-message exchange can be used to request a uni- directional SPI (thus, to completely rekey, four messages are needed). Photuris is vulnerable to the same computation-based DoS attack as IKE, mentioned above. Nonetheless, one of the variants of this protocol has four messages and provided DoS protection via stateless cookies. SKEME [Xxxxxxxx 1996] shares many of the requirements for JFK, and many aspects of its design were adopted in IKE. It serves more as a set of protocol building blocks, rather than a specific protocol instance. Depending on the specific requirements for the key-management protocol, these blocks could be combined in several ways. An interesting aspect of SKEME is its avoidance of digital signatures; public-key encryption is used instead, to provide authen- tication assurances. The reason behind this was to allow both parties of the protocol to be able to repudiate the exchange. SKIP [Xxxx and Xxxxxxxxx 1995] was an early proposal for an IPsec key- management mechanism. It uses long-term DH public keys to derive long-term shared keys between parties, which is used to distribute session keys between the two parties. The distribution of the session key occurs in-band, that is, the session key is encrypted with the long-term key and is injected in the encrypted packet header. While this scheme has good synchronization properties in terms of rekeying, the base version lacks any provision for PFS. It was later provided via an extension [Xxxx 1996]. However, as the authors admit, this extension detracts from the original properties of SKIP. Furthermore, there is no identity protection provided, since the certificates used to verify the DH public keys are (by design) publicly available, and the source/destination master identities are contained in each packet (so that a receiver can retrieve the sender’s DH certificate). The latter can be used to mount a DoS attack on a receiver, by forcing them to retrieve and verify a DH certificate, and then compute the DH shared secret. The host identity payload (HIP) [Xxxxxxxxx 2001] uses cryptographic public keys as the host identifiers, and introduces a set of protocols for establishing SAs for use in IPsec. The HIP protocol is a four-packet exchange, and uses client puzzles to limit the number of sessions an attacker can initiate. HIP also allows for reuse of the DH value over a period of time, to handle a high rate of sessions. For rekeying, a HIP packet protected by an existing IPsec session is used. HIP does not provide identity protection, and it depends on the existence of an out-of-band mechanism for distributing keys and certificates, or on extra HIP messages for exchanging this information (thus, the message count is effectively 6, or even 8, for most common usage scenarios).

Other Protocols. The predecessor to IKE, Photuris [Xxxx and Xxxxxxx 1999], first introduced the concept of cookies to counter “blind” DoS attacks. The protocol itself is a six-message variation of the StS protocol. It is similar to IKE in the message layout and purpose, except that the SA information has been moved to the third message. For rekeying, a two-message exchange can be used to request a uni- directional SPI (thus, to completely rekey, four messages are needed). Photuris is vulnerable to the same computation-based DoS attack as IKE, mentioned above. Nonetheless, one of the variants of this protocol has four messages and provided DoS protection via stateless cookies. SKEME [Xxxxxxxx 1996] shares many of the requirements for JFK, and many aspects of its design were adopted in IKE. It serves more as a set of protocol building blocks, rather than a specific protocol instance. Depending on the specific requirements for the key-management protocol, these blocks could be combined in several ways. An interesting aspect of SKEME is its avoidance of digital signatures; public-key encryption is used instead, to provide authen- tication assurances. The reason behind this was to allow both parties of the protocol to be able to repudiate the exchange. SKIP [Xxxx Aziz and Xxxxxxxxx 1995] was an early proposal for an IPsec key- management mechanism. It uses long-term DH public keys to derive long-term shared keys between parties, which is used to distribute session keys between the two parties. The distribution of the session key occurs in-band, that is, the session key is encrypted with the long-term key and is injected in the encrypted packet header. While this scheme has good synchronization properties in terms of rekeying, the base version lacks any provision for PFS. It was later provided via an extension [Xxxx Aziz 1996]. However, as the authors admit, this extension detracts from the original properties of SKIP. Furthermore, there is no identity protection provided, since the certificates used to verify the DH public keys are (by design) publicly available, and the source/destination master identities are contained in each packet (so that a receiver can retrieve the sender’s DH certificate). The latter can be used to mount a DoS attack on a receiver, by forcing them to retrieve and verify a DH certificate, and then compute the DH shared secret. The host identity payload (HIP) [Xxxxxxxxx 2001] uses cryptographic public keys as the host identifiers, and introduces a set of protocols for establishing SAs for use in IPsec. The HIP protocol is a four-packet exchange, and uses client puzzles to limit the number of sessions an attacker can initiate. HIP also allows for reuse of the DH value over a period of time, to handle a high rate of sessions. For rekeying, a HIP packet protected by an existing IPsec session is used. HIP does not provide identity protection, and it depends on the existence of an out-of-band mechanism for distributing keys and certificates, or on extra HIP messages for exchanging this information (thus, the message count is effectively 6, or even 8, for most common usage scenarios).

Other Protocols. The predecessor to IKE, Photuris [Xxxx and Xxxxxxx 1999], first fi rst introduced the concept of cookies to counter “blind” DoS denial of service attacks. The protocol itself is a six6-message variation vari- ation of the StS Station to Station protocol. It is similar to IKE in the message layout and purposepur- pose, except that the SA information has been moved to the third message. For rekeyingre-keying, a two-message exchange can be used to request a uni- uni-directional SPI (thus, to completely rekeyre- key, four 4 messages are needed). Photuris is vulnerable to the same computation-based DoS attack as IKE, mentioned above. Nonetheless, one of the variants of this protocol has four 4 messages and provided DoS protection via stateless cookies. SKEME [Xxxxxxxx 1996] shares many of the requirements for JFK, and many aspects of its design were adopted in IKE. It serves more as a set of protocol building blocks, rather than a specific specifi c protocol instance. Depending on the specific specifi c requirements for the key-key management protocol, these blocks could be combined in several ways. An interesting aspect of SKEME is its avoidance of digital signatures; public-public key encryption is used instead, to provide authen- tication authentication assurances. The reason behind this was to allow both parties of the protocol to be able to repudiate the exchange. SKIP [Xxxx Aziz and Xxxxxxxxx 1995] was an early proposal for an IPsec key- key management mechanism. It uses long-term DH Diffi e-Xxxxxxx public keys to derive long-term shared keys between parties, which is used to distribute session keys between the two parties. The distribution of the session key occurs in-band, that isi.e., the session key is encrypted with the long-term key and is injected in the encrypted packet header. While this scheme has good synchronization properties in terms of rekeyingre-keying, the base version lacks any provision for PFS. It was later provided via an extension [Xxxx Aziz 1996]. However, as the authors admit, this extension detracts from the original properties of SKIP. Furthermore, there is no identity protection provided, since the certificates certifi xxxxx used to verify the DH Diffi e-Xxxxxxx public keys are (by design) publicly available, and the source/destination master identities are contained in each packet (so that a receiver can retrieve the sender’s DH certificateDiffi e-Xxxxxxx certifi cate). The latter can be used to mount a DoS attack on a receiver, by forcing them to retrieve and verify a DH certificateDiffi e-Xxxxxxx certifi cate, and then compute the DH Diffi e-Xxxxxxx shared secret. The host identity payload Host Identity Payload (HIP) [Xxxxxxxxx 2001] uses cryptographic public keys as the host identifiersidentifi ers, and introduces a set of protocols for establishing SAs for use in IPsec. The HIP protocol is a four-packet exchange, and uses client puzzles to limit the number of sessions an attacker can initiate. HIP also allows for reuse of the DH Diffi e-Xxxxxxx value over a period of time, to handle a high rate of sessions. For rekeyingre-keying, a HIP packet protected by an existing IPsec session is used. HIP does not provide identity protection, and it depends on the existence of an out-of-band mechanism for distributing keys and certificatescertifi xxxxx, or on extra HIP messages for exchanging this information (thus, the message count is effectively 6, or even 8, for most common usage scenarios).

Other Protocols. The predecessor to IKE, Photuris [Xxxx and Xxxxxxx 1999], first fi rst introduced the concept of cookies to counter “blind” DoS denial of service attacks. The protocol itself is a six6-message variation vari- ation of the StS Station to Station protocol. It is similar to IKE in the message layout and purposepur- pose, except that the SA information has been moved to the third message. For rekeyingre-keying, a two-message exchange can be used to request a uni- uni-directional SPI (thus, to completely rekeyre- key, four 4 messages are needed). Photuris is vulnerable to the same computation-based DoS attack as IKE, mentioned above. Nonetheless, one of the variants of this protocol has four 4 messages and provided DoS protection via stateless cookies. SKEME [Xxxxxxxx 1996] shares many of the requirements for JFK, and many aspects of its design were adopted in IKE. It serves more as a set of protocol building blocks, rather than a specific specifi c protocol instance. Depending on the specific specifi c requirements for the key-key management protocol, these blocks could be combined in several ways. An interesting aspect of SKEME is its avoidance of digital signatures; public-public key encryption is used instead, to provide authen- tication authentication assurances. The reason behind this was to allow both parties of the protocol to be able to repudiate the exchange. SKIP [Xxxx and Xxxxxxxxx 1995] was an early proposal for an IPsec key- key management mechanism. It uses long-term DH Diffi e-Xxxxxxx public keys to derive long-term shared keys between parties, which is used to distribute session keys between the two parties. The distribution of the session key occurs in-band, that isi.e., the session key is encrypted with the long-term key and is injected in the encrypted packet header. While this scheme has good synchronization properties in terms of rekeyingre-keying, the base version lacks any provision for PFS. It was later provided via an extension [Xxxx 1996]. However, as the authors admit, this extension detracts from the original properties of SKIP. Furthermore, there is no identity protection provided, since the certificates certifi xxxxx used to verify the DH Diffi e-Xxxxxxx public keys are (by design) publicly available, and the source/destination master identities are contained in each packet (so that a receiver can retrieve the sender’s DH certificateDiffi e-Xxxxxxx certifi cate). The latter can be used to mount a DoS attack on a receiver, by forcing them to retrieve and verify a DH certificateDiffi e-Xxxxxxx certifi cate, and then compute the DH Diffi e-Xxxxxxx shared secret. The host identity payload Host Identity Payload (HIP) [Xxxxxxxxx 2001] uses cryptographic public keys as the host identifiersidentifi ers, and introduces a set of protocols for establishing SAs for use in IPsec. The HIP protocol is a four-packet exchange, and uses client puzzles to limit the number of sessions an attacker can initiate. HIP also allows for reuse of the DH Diffi e-Xxxxxxx value over a period of time, to handle a high rate of sessions. For rekeyingre-keying, a HIP packet protected by an existing IPsec session is used. HIP does not provide identity protection, and it depends on the existence of an out-of-band mechanism for distributing keys and certificatescertifi xxxxx, or on extra HIP messages for exchanging this information (thus, the message count is effectively 6, or even 8, for most common usage scenarios).