Just Fast Keying in the Pi Calculus

  • Martín Abadi
  • Bruno Blanchet
  • Cédric Fournet
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2986)


JFK is a recent, attractive protocol for fast key establishment as part of securing IP communication. In this paper, we analyze it formally in the applied pi calculus (partly in terms of observational equivalences, partly with the assistance of an automatic protocol verifier). We treat JFK’s core security properties, and also other properties that are rarely articulated and studied rigorously, such as resistance to denial-of-service attacks. In the course of this analysis we found some ambiguities and minor problems, but we mostly obtain positive results about JFK. For this purpose, we develop ideas and techniques that should be useful more generally in the specification and verification of security protocols.


Shared Secret Security Protocol Perfect Forward Secrecy Identity Protection Active Attacker 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Abadi, M., Blanchet, B.: Analyzing security protocols with secrecy types and logic programs. In: 29th ACM SIGPLAN - SIGACT Symposium on Principles of Programming Languages (POPL 2002), January 2002, pp. 33–44 (2002)Google Scholar
  2. 2.
    Abadi, M., Blanchet, B.: Computer-assisted verification of a protocol for certified email. In: Cousot, R. (ed.) SAS 2003. LNCS, vol. 2694, pp. 316–335. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  3. 3.
    Abadi, M., Blanchet, B., Fournet, C.: Just fast keying in the pi calculus (December 2003) (manuscript), available from:
  4. 4.
    Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. In: 28th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL 2001), January 2001, pp. 104–115 (2001)Google Scholar
  5. 5.
    Aiello, W., Bellovin, S., Blaze, M., Canetti, R., Ionnidis, J., Keromytis, A., Reingold, O.: Just fast keying (JFK). IETF Internet Draft draft-ietf-ipsec-jfk-04.txt (July 2002)Google Scholar
  6. 6.
    Aiello, W., Bellovin, S., Blaze, M., Canetti, R., Ionnidis, J., Keromytis, A., Reingold, O.: Efficient, DoS-resistant, secure key exchange for internet protocols. In: 9th ACM Conference on Computer and Communications Security (CCS 2002), November 2002, pp. 48–58 (2002)Google Scholar
  7. 7.
    Blanchet, B.: An efficient cryptographic protocol verifier based on Prolog rules. In: 14th IEEE Computer Security Foundations Workshop (CSFW-14), June 2001, pp. 82–96 (2001)Google Scholar
  8. 8.
    Blanchet, B.: From secrecy to authenticity in security protocols. In: Hermenegildo, M.V., Puebla, G. (eds.) SAS 2002. LNCS, vol. 2477, pp. 342–359. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  9. 9.
    Datta, A., Derek, A., Mitchell, J.C., Pavlovic, D.: A derivation system for security protocols and its logical formalization. In: 16th IEEE Computer Security Foundations Workshop (CSFW-16), July 2003, pp. 109–125 (2003)Google Scholar
  10. 10.
    Datta, A., Mitchell, J.C., Pavlovic, D.: Derivation of the JFK protocol (2002),
  11. 11.
    Fournet, C., Abadi, M.: Hiding names: Private authentication in the applied pi calculus. In: Okada, M., Pierce, B.C., Scedrov, A., Tokuda, H., Yonezawa, A. (eds.) ISSS 2002. LNCS, vol. 2609, pp. 317–338. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  12. 12.
    Harkins, D., Carrel, D.: RFC 2409: The Internet Key Exchange (IKE) (November 1998),
  13. 13.
    Internet Key Exchange (IKEv2) Protocol, IETF Internet Draft at: (October 2003)
  14. 14.
    Kemmerer, R., Meadows, C., Millen, J.: Three systems for cryptographic protocol analysis. Journal of Cryptology 7(2), 79–130 (Spring 1994)zbMATHCrossRefGoogle Scholar
  15. 15.
    Lincoln, P., Mitchell, J., Mitchell, M., Scedrov, A.: A probabilistic poly-time framework for protocol analysis. In: Fifth ACM Conference on Computer and Communications Security (CCS 1998), pp. 112–121 (1998)Google Scholar
  16. 16.
    Lowe, G.: Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In: Margaria, T., Steffen, B. (eds.) TACAS 1996. LNCS, vol. 1055, pp. 147–166. Springer, Heidelberg (1996)Google Scholar
  17. 17.
    Meadows, C.: Analysis of the InternetKey Exchange protocol using the NRL protocol analyzer. In: IEEE Symposium on Security and Privacy, May 1999, pp. 216–231 (1999)Google Scholar
  18. 18.
    Meadows, C.: A cost-based framework for analysis of denial of service networks. Journal of Computer Security 9(1/2), 143–164 (2001)Google Scholar
  19. 19.
    Needham, R.M., Schroeder, M.D.: Using encryption for authentication in large networks of computers. Communications of the ACM 21(12), 993–999 (1978)zbMATHCrossRefGoogle Scholar
  20. 20.
    Paulson, L.C.: The inductive approach to verifying cryptographic protocols. Journal of Computer Security 6(1-2), 85–128 (1998)Google Scholar
  21. 21.
    Thayer Fábrega, F.J., Herzog, J.C., Guttman, J.D.: Strand spaces: Why is a security protocol correct? In: IEEE Symposium on Security and Privacy, May 1998, pp. 160–171 (1998)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Martín Abadi
    • 1
  • Bruno Blanchet
    • 2
  • Cédric Fournet
    • 3
  1. 1.University of CaliforniaSanta Cruz
  2. 2.CNRS, Département d’Informatique, École Normale Supérieure, Paris and Max-Planck-Institut für InformatikSaarbrücken
  3. 3.Microsoft Research 

Personalised recommendations