140 likes | 281 Vues
Evaluating Authenticated, DoS Resistant Key Exchange Protocols. J.W. Pope CS 589 December 12, 2003. Non-DoS-Resistant Models. Diffie-Hellman: Original model, completely unauthenticated. Station-to-Station: Authenticated, but not DoS resistant.
E N D
Evaluating Authenticated, DoS Resistant Key Exchange Protocols J.W. Pope CS 589 December 12, 2003
Non-DoS-Resistant Models • Diffie-Hellman: Original model, completely unauthenticated. • Station-to-Station: Authenticated, but not DoS resistant. • Internet Key Exchange: Complex, inefficient, not DoS resistant. (not shown)
JFK vs. Client Puzzles • JFK ensures DoS resistance by allowing the responder or server to commit no state and little CPU time until the initiator is fully authenticated. • The Client Puzzle model ensures the same by allowing the responder to commit no state and little CPU time until the client solves a puzzle.
Memory-Exhaustion DoS - JFK • The JFK protocol commits no state until the second round. • In order for an attacker to reach this point, it must perform a digital signature, whereas the responder need only compute a signed hash. • Attacker does not need to commit any state.
Memory-Exhaustion DoS – Client Puzzles • The Client Puzzle model does not commit any state until the second round. • To reach this point, the attacker must solve a puzzle. • The puzzle involves computing 2k hashes, on the average. • The responder needs only to compute one hash. • The attacker does not need to commit any state.
CPU-Exhaustion Attack - JFK • The first round of JFK requires the responder to compute a keyed hash. • An experiment shows that an arbitrarily chosen TCC machine can compute approximately 10,000 keyed hashes in one second (as compared to 94 Diffie-Hellman exponentiations!) • A sustained attack of 10,000 or more spurious packets per second will bring down a JFK server. • An attacker can also complete the first round, then force the responder to verify a spurious signature (50 per second) in the second round.
CPU-Exhaustion Attack – Client Puzzles • In the second round, the responder must compute a hash. • An experiment shows that an arbitrarily chosen TCC machine can hash blocks of text the same size as expected for the initiator’s second message at a rate of approximately 13,000 per second. • However, increasing the level of puzzle difficulty will not help if the attacker is simply submitting random packets! • An attacker can also solve the puzzle, forcing the responder to verify a spurious signature.
Other Issues • We have assumed a public server model for the responder. • Should the same server be distributing puzzles and authenticating clients? • If the same server performs both tasks, then during an attack, requestors will not be able to contact the server to get a current nonce– including the attacker! • If the attacker does not have a current nonce, the attack cannot continue.
Attempted Simulations • Some difficulty has been encountered in simulating these attacks. • A TCC machine was used to simulate an attack against a STS server (using different processes over loopback, to avoid flooding the network) • The number of packets generated was insufficient to impact service.
Analysis: • CPU-Exhaustion resistance: Client Puzzles enjoys a slight edge on JFK. In case of spurious signature attack, Client Puzzles is much more effective due to adjustable difficulty level. • Memory-Exhaustion resistance: Neither appears to hold any particular advantage over the other.
Analysis (cont’d) • Burdens on client: The additional burden placed on the initiator by the Client Puzzle model is not significant (except during attacks when k > 7). • JFK has a slight security advantage in that it is the session key for protocol messages is different from the final key, but this innovation can be introduced into Client Puzzles. • Most importantly, both protocols offer massive improvements over existing models.
JFK vs. Client Puzzles • When DoS-resistance is of the utmost importance, use Client Puzzles • When DoS-resistance is important, but efficiency is as well, use JFK.
References • Aiello, W., S.M. Bellovin, M. Blaze, R. Canetti, J. Ionnidis, A.D. Keromytis, O. Reingold, “Efficient, DoS-Resistant, Secure Key Exchange for Internet Protocols”, Security Protocols, B. Christianson, et al. (Eds.), Lecture Notes in Computer Science 2467, pp. 27-39, Springer-Verlag, 2002 • Aura, T., P. Nikander, J. Leiwo, “DoS-Resistant Authentication with Client Puzzles”, Security Protocols, B. Christianson, et al. (Eds.), Lecture Notes in Computer Science 2133, pp. 170-177, Springer-Verlag, 2001 • Diffie, W., M.E. Hellman, “New Directions in Cryptography”, IEEE Transactions on Information Theory, 22 (6), pp. 644-654, November 1976 • Diffie, W., P.C. van Oorschot, M.J. Wiener, “Authentication and Authenticated Key Exchange”, Designs, Codes, and Cryptography, 2, pp. 107-125, 1992 • Harkins, D., D. Carrel, “The Internet Key Exchange (IKE)”, Network Working Group RFC 2409, Internet Engineering Task Force, http://www.ietf.org/rfc/rfc2409.txt, November 1998 • Krawczyk, H., M. Bellare, R. Canetti, “HMAC: Keyed-Hashing for Message Authentication”, Network Working Group RFC 2104, Internet Engineering Task Force, http://www.ietf.org/rfc/rfc2104.txt, February 1997 • Menezes, A., P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996 • Schneier, B., Applied Cryptography, 2nd Edition, Wiley, 1996 • Stinson, D.R., Cryptography- Theory and Practice, CRC Press, 1995