Security Analysis of IKE’s Signature-Based Key-Exchange Protocol

  • Ran Canetti
  • Hugo Krawczyk
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2442)


We present a security analysis of the Diffie-Hellman key-exchange protocol authenticated with digital signatures used by the Internet Key Exchange (IKE) standard. The analysis is based on an adaptation of the key-exchange model from [Canetti and Krawczyk, Eurocrypt’


Keywords: Security Analysis; Secure Channel; Response Message; Perfect Forward Secrecy; Semantic Security
These keywords were added by machine and not by the authors.


  1. M. Bellare, R. Canetti and H. Krawczyk, “A modular approach to the design and analysis of authentication and key-exchange protocols”, 30th STOC, 1998.
  2. M. Bellare and P. Rogaway, “Entity authentication and key distribution”, Advances in Cryptology — CRYPTO’93, Lecture Notes in Computer Science Vol. 773, D. Stinson ed, Springer-Verlag, 1994, pp. 232–249.
  3. R. Canetti, “Universally Composable Security: A New paradigm for Cryptographic Protocols”, 42nd FOCS, 2001. Full version available at
  4. Canetti, R., and Krawczyk, H., “Security Analysis of IKE’s Signature-based Key-Exchange Protocol”, full version. Cryptology ePrint Archive (, 2002.
  5. Canetti, R., and Krawczyk, H., “Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels”, Advances in Cryptology — EUROCRYPT 2001, Full version in:
  6. Canetti, R., and Krawczyk, H., “Universally Composable Notions of Key Exchange and Secure Channels”, Eurocrypt 02, 2002. Full version available at
  7. R. Cramer and V. Shoup, “A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack”, In Crypto’98, LNCS No. 1462, pages 13–25, 1998.
  8. W. Diffie, P. van Oorschot and M. Wiener, “Authentication and authenticated key exchanges”, Designs, Codes and Cryptography, 2, 1992, pp. 107–125.
  9. Gennaro, R., Krawczyk H., and Rabin, T., “Hashed Diffie-Hellman: A Hierarchy of Diffie-Hellman Assumptions”, manuscript, Feb 2002.
  10. O. Goldreich, “Foundations of Cryptography: Basic Tools”, Cambridge Press, 2001.
  11. D. Harkins and D. Carrel, ed., “The Internet Key Exchange (IKE)”, RFC 2409, Nov. 1998.
  12. ISO/IEC IS 9798-3, “Entity authentication mechanisms-Part 3: Entity authentication using asymmetric techniques”, 1993.
  13. Karn, P., and Simpson W.A., “The Photuris Session Key Management Protocol”, draft-ietf-ipsec-photuris-03.txt, Sept. 1995.
  14. S. Kent and R. Atkinson, “Security Architecture for the Internet Protocol”, Request for Comments 2401, Nov. 1998.
  15. Krawczyk, H., “SKEME: A Versatile Secure Key Exchange Mechanism for Internet”, Proceedings of the 1996 Internet Society Symposium on Network and Distributed System Security, Feb. 1996, pp. 114–127.
  16. Krawczyk, H., IPsec mailing list archives,, April-June 1995.
  17. Krawczyk, H., “The order of encryption and authentication for protecting communications (Or: how secure is SSL?)”, Crypto’2001. Full version in: Cryptology ePrint Archive (, Report 2001/045.
  18. Krawczyk, H., “SIGMA: the ‘SIGn-and-MAc’ Approach to Authenticated Diffie-Hellman Protocols”,
  19. Meadows, C., “Analysis of the Internet Key Exchange Protocol Using the NRL Protocol Analyzer”, Proceedings of the 1999 IEEE Symposium on Security and Privacy, IEEE Computer Society Press, May 1999.
  20. A. Menezes, P. Van Oorschot and S. Vanstone, “Handbook of Applied Cryptography”, CRC Press, 1996.
  21. Orman, H., “The OAKLEY Key Determination Protocol”, Request for Comments 2412, Nov. 1998.
  22. V. Shoup, “On Formal Models for Secure Key Exchange”, Theory of Cryptography Library, 1999. Available at:

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Ran Canetti (1)
  • Hugo Krawczyk (2)
  1. T.J. Watson Research Center, IBM, USA
  2. EE Department, Technion, Haifa, Israel
