BLIND: A Complete Identity Protection Framework for End-Points

  • Jukka Ylitalo
  • Pekka Nikander
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3957)


In this paper, we present a security framework that provides identity protection against active and passive attacks for end-points. The framework is based on a two-round-trip authenticated Diffie-Hellman key exchange protocol that identifies the end-points to each other and creates a security association between the peers. The protocol hides the public key based identifiers from attackers and eavesdroppers by blinding the identifiers. We complete the identity protection by offering location privacy with forwarding agents. To our knowledge, our privacy enhanced protocol is the first denial-of-service resistant two-round-trip key exchange protocol that offers identity protection for both communicating peers.


Malicious Node Location Privacy Network Address Translation Host Identity Protocol Privacy Problem 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Johnson, D., Perkins, C., Arkko, J.: Mobility Support in IPv6. Internet Draft, work in progress (June 2003)Google Scholar
  2. 2.
    Lamm, S.E., Reed, D.A., Scullin, W.H.: Real-time geographic visualization of world wide web traffic. World Wide Web Journal, The Web After Five Years (Summer 1996)Google Scholar
  3. 3.
    Perkins, C.: IP Mobility Support. RFC 2002 (1996)Google Scholar
  4. 4.
    Escudero-Pascual, A.: Privacy in the next generation internet: Data protection in the context of the european union policy. Ph.D. dissertation, Royal Institute of Technology, Stockholm (December 2002), [Online] Available:
  5. 5.
    Aiello, W., Bellovin, S.M., Blaze, M., Canetti, R., Ionnadis, J., Keromytis, A., Reingold, O.: Efficient, dos-resistant, secure key exchange for internet protocols. ACM Computer Communications Review (November 2002)Google Scholar
  6. 6.
    Saltzer, J., Reed, D., Clark, D.: End-To-End Arguments in System Design. ACM Transactions on Computer Systems 2 (November 1984)Google Scholar
  7. 7.
    Shea, G., Roe, M.: Child-proof Authentication for MIPv6 (CAM). ACM Computer Communications Review 31 (April 2001)Google Scholar
  8. 8.
    Moskowitz, R., Nikander, P., Jokela, P., Henderson, T.: Host Identity Protocol. Internet Draft, work in progress (February 2004)Google Scholar
  9. 9.
    Nikander, P.: An architecture for authorization and delegation in distributed object-oriented agent systems. Ph.D. dissertation, Helsinki University of Technology, Helsinki (March 1999), [Online] Available:
  10. 10.
    Fuller, V., Li, T., Yu, J., Varadhan, K.: Classless Inter-Domain Routing (CIDR): an Address Assignment and Aggregation Strategy. RFC 1519 (September 1993)Google Scholar
  11. 11.
    Molina-Jimenez, C., Marshall, L.: True anonymity without mixes. In: Proc. IEEE Workshop on Internet Applications 2001, San Jose, CA (July 2001)Google Scholar
  12. 12.
    Srisuresh, P., Holdrege, M.: IP Network Address Translator (NAT) Terminology and Considerations. RFC 2663 (1999)Google Scholar
  13. 13.
    Perlman. R.: Understanding IKEv2: Tutorial, and rationale for decisions. Internet Draft, work in progress (February 2003)Google Scholar
  14. 14.
    Nikander, P., Ylitalo, J., Wall, J.: Integrating Security, Mobility, and Multi-Homing in a HIP Way. In: Proc. Network and Distributed Systems Security Symposium, NDSS 2003, San Diego, CA, February (2003)Google Scholar
  15. 15.
    Abadi, M.: Private authentication. In: Dingledine, R., Syverson, P.F. (eds.) PET 2002. LNCS, vol. 2482, pp. 27–40. Springer, Heidelberg (2003)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Jukka Ylitalo
    • 1
  • Pekka Nikander
    • 1
  1. 1.Ericsson Research NomadicLabJorvasFinland

Personalised recommendations