Abstract. We propose two public-key schemes to achieve “deniable authentication” for the Internet Key Exchange (IKE). Our protocols can be implemented using different concrete mechanisms and we discuss different options; in particular we suggest solutions based on elliptic curve pairings. The protocol designs use the modular construction method of Canetti and Krawczyk which provides the basis for a proof of security. Our schemes can, in some situations, be more efficient than existing IKE protocols as well as having stronger deniability properties. 1

In this work, we develop a family of protocols for deniable Internet Key-Exchange (IKE) with the following properties: • Highly practical efficiency, and conceptual simplicity and clarity. • Forward and concurrent (non-malleable) deniability against adversaries with arbitrary auxiliary inputs, and better privacy protection of players ’ roles. • Provable security in the Canetti-Krawczyk post-specified-peer model, and maintenance of essential security properties not captured by the Canetti-Krawczyk security model. • Compatibility with the widely deployed and standardized SIGMA (i.e., the basis of IKEv2) and (H)MQV protocols, when parties possess DL public-keys. Our protocols could potentially serve, in part, as either the underlying basis or a useful alternative for the next generation of IKE (i.e., IKEv3) of IPsec (in particular, when deniability is desired). In view of the wide deployment and use of IKE and increasing awareness of privacy protection (especially for E-commerce over Internet), this work is naturally of practical interest. 1

Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instruction, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington

2007 To all honest intruders. iii ivAcknowledgments I want to thank my supervisor David Basin for guiding and supporting me and at the same time giving me the freedom to pursue my ideas. He has shaped my scientific work and style by forcing me to abstract and to “crispify ” my ideas. I want to thank Luca Viganò, who has also supported me throughout my doctoral research. Writing papers and discussing ideas with him was not only highly productive, it was also a pleasure. I want to thank David Basin, Achim Brucker, Paul Hankes Drielsma, Felix Klaedtke, Pascal Lafourcade, Patrik Schaller, and Luca Viganò for helpful comments on the first draft of my thesis. I also want to thank all past and present members of the AVISPA team for many inspiring discussions and the productive teamwork. Most importantly, I want to thank my parents for their love and support. Thank you all very much!

Abstract—Key management is a vital component in any modern security protocol. Due to scalability and practical implementation considerations automatic key management seems a natural choice in significantly large virtual private networks (VPNs). In this context IETF Internet Key Exchange (IKE) is the most promising protocol under permanent review. We have made a humble effort to pinpoint IKEv2 net gain over IKEv1 due to recent modifications in its original structure, along with a brief overview of salient improvements between the two versions. We have used US National Institute of Technology NIIST VPN simulator to get some comparisons of important performance metrics. Keywords—Quantitative Analyses, IKEv1, IKEv2, NIIST. I.

In this paper, we first present a concrete formal protocol design approach, which is based on authentication tests, to create an Efficient and Secure Internet Key Exchange (ESIKE) protocol. Then we formally prove the secure properties of ESIKE with strand space model and authentication tests. The ESIKE protocol overcomes the security shortages of the Internet Key Exchange (IKE), and can provide secure negotiation of session key and Security Association (SA), protection of endpoints ’ identities, and mutual authentication between the initiator and the responder. It needs only three messages and less computational load, so it is simple and efficient.