Re: compare-jfk-sigma.txt
Hugo,
I agree with most of the facts in your assessment of JFK vs. SIGMA.
To sum up, the main technical points seem to be:
In terms of security:
* The "basic security" of both protocols is sound.
* Both protocols allow reuse of the DH exponents in times of high load
with a similar price in PFS.
* Both protocols offer comparable DOS protection. (What gets included in
the cookies can be decided upon independently of the rest of the protocol.)
* Both protocols offer identity protection for the initiator against active
attackers.
* SIGMA offers ID protection for the receiver against eavesdroppers.
JFK does not.
In terms of performance:
* SIGMA is either 3/5 messages, depending on whether DOS protection is
turned on. JFK is 4 messages period.
* JFK has an additional signature that, in times of high load, can be
amortized over many sessions.
Now that the main technical differences are clear, it should be easier for
people to decide which properties are preferable to them.
Ran