
Re: compare-jfk-sigma.txt




Hugo,

I agree with most of the facts in your assessment of JFK vs. SIGMA.
To sum up, the main technical points seem to be:

In terms of security:

* The "basic security" of both protocols is sound.

* Both protocols allow reuse of the DH exponents in times of high load
  with a similar price in PFS.

* Both protocols offer comparable DOS protection. (What gets included in
  the cookies can be decided upon independently of the rest of the protocol.)

* Both protocols offer identity protection for the initiator against active
  attackers.

* SIGMA offers ID protection for the receiver against eavesdroppers.
  JFK does not.


In terms of performance:

* SIGMA is either 3/5 messages, depending on whether DOS protection is
  turned on. JFK is 4 messages, period.

* JFK has an additional signature that, in times of high load, can be
  amortized over many sessions.


Now that the main technical differences are clear, it should be easier for 
people to decide which properties are preferable to them.


Ran



