
Evaluating Authenticated, DoS Resistant Key Exchange Protocols

Evaluating Authenticated, DoS Resistant Key Exchange Protocols. J.W. Pope CS 589 December 12, 2003. Non-DoS-Resistant Models. Diffie-Hellman: Original model, completely unauthenticated. Station-to-Station: Authenticated, but not DoS resistant.


Presentation Transcript


  1. Evaluating Authenticated, DoS Resistant Key Exchange Protocols
     J.W. Pope, CS 589, December 12, 2003

  2. Non-DoS-Resistant Models
     • Diffie-Hellman: Original model, completely unauthenticated.
     • Station-to-Station: Authenticated, but not DoS resistant.
     • Internet Key Exchange: Complex, inefficient, not DoS resistant. (not shown)

  3. JFK vs. Client Puzzles
     • JFK ensures DoS resistance by allowing the responder or server to commit no state and little CPU time until the initiator is fully authenticated.
     • The Client Puzzle model ensures the same by allowing the responder to commit no state and little CPU time until the client solves a puzzle.

  4. Memory-Exhaustion DoS – JFK
     • The JFK protocol commits no state until the second round.
     • In order for an attacker to reach this point, it must perform a digital signature, whereas the responder need only compute a signed hash.
     • Attacker does not need to commit any state.

  5. Memory-Exhaustion DoS – Client Puzzles
     • The Client Puzzle model does not commit any state until the second round.
     • To reach this point, the attacker must solve a puzzle.
     • The puzzle involves computing 2^k hashes, on the average.
     • The responder needs only to compute one hash.
     • The attacker does not need to commit any state.

  6. CPU-Exhaustion Attack: Statistics

  7. CPU-Exhaustion Attack – JFK
     • The first round of JFK requires the responder to compute a keyed hash.
     • An experiment shows that an arbitrarily chosen TCC machine can compute approximately 10,000 keyed hashes in one second (as compared to 94 Diffie-Hellman exponentiations!).
     • A sustained attack of 10,000 or more spurious packets per second will bring down a JFK server.
     • An attacker can also complete the first round, then force the responder to verify a spurious signature (50 per second) in the second round.

  8. CPU-Exhaustion Attack – Client Puzzles
     • In the second round, the responder must compute a hash.
     • An experiment shows that an arbitrarily chosen TCC machine can hash blocks of text the same size as expected for the initiator’s second message at a rate of approximately 13,000 per second.
     • However, increasing the level of puzzle difficulty will not help if the attacker is simply submitting random packets!
     • An attacker can also solve the puzzle, forcing the responder to verify a spurious signature.

  9. Other Issues
     • We have assumed a public server model for the responder.
     • Should the same server be distributing puzzles and authenticating clients?
     • If the same server performs both tasks, then during an attack, requestors will not be able to contact the server to get a current nonce – including the attacker!
     • If the attacker does not have a current nonce, the attack cannot continue.

  10. Attempted Simulations
     • Some difficulty has been encountered in simulating these attacks.
     • A TCC machine was used to simulate an attack against an STS server (using different processes over loopback, to avoid flooding the network).
     • The number of packets generated was insufficient to impact service.

  11. Analysis
     • CPU-Exhaustion resistance: Client Puzzles enjoys a slight edge on JFK. In case of spurious signature attack, Client Puzzles is much more effective due to adjustable difficulty level.
     • Memory-Exhaustion resistance: Neither appears to hold any particular advantage over the other.

  12. Analysis (cont’d)
     • Burdens on client: The additional burden placed on the initiator by the Client Puzzle model is not significant (except during attacks when k > 7).
     • JFK has a slight security advantage in that the session key for protocol messages is different from the final key, but this innovation can be introduced into Client Puzzles.
     • Most importantly, both protocols offer massive improvements over existing models.

  13. JFK vs. Client Puzzles
     • When DoS-resistance is of the utmost importance, use Client Puzzles.
     • When DoS-resistance is important, but efficiency is as well, use JFK.

  14. References
     • Aiello, W., S.M. Bellovin, M. Blaze, R. Canetti, J. Ioannidis, A.D. Keromytis, O. Reingold, “Efficient, DoS-Resistant, Secure Key Exchange for Internet Protocols”, Security Protocols, B. Christianson, et al. (Eds.), Lecture Notes in Computer Science 2467, pp. 27-39, Springer-Verlag, 2002
     • Aura, T., P. Nikander, J. Leiwo, “DoS-Resistant Authentication with Client Puzzles”, Security Protocols, B. Christianson, et al. (Eds.), Lecture Notes in Computer Science 2133, pp. 170-177, Springer-Verlag, 2001
     • Diffie, W., M.E. Hellman, “New Directions in Cryptography”, IEEE Transactions on Information Theory, 22 (6), pp. 644-654, November 1976
     • Diffie, W., P.C. van Oorschot, M.J. Wiener, “Authentication and Authenticated Key Exchange”, Designs, Codes, and Cryptography, 2, pp. 107-125, 1992
     • Harkins, D., D. Carrel, “The Internet Key Exchange (IKE)”, Network Working Group RFC 2409, Internet Engineering Task Force, http://www.ietf.org/rfc/rfc2409.txt, November 1998
     • Krawczyk, H., M. Bellare, R. Canetti, “HMAC: Keyed-Hashing for Message Authentication”, Network Working Group RFC 2104, Internet Engineering Task Force, http://www.ietf.org/rfc/rfc2104.txt, February 1997
     • Menezes, A., P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996
     • Schneier, B., Applied Cryptography, 2nd Edition, Wiley, 1996
     • Stinson, D.R., Cryptography: Theory and Practice, CRC Press, 1995
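
The client puzzle of slides 5 and 8, sketched as an added example that is not part of the presentation: the initiator searches for a value X whose hash has k leading zero bits, and the responder checks it with a single hash while holding no per-client state. SHA-256, the field layout, the 16-byte nonces and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits

def puzzle_hash(client_id: bytes, ns: bytes, nc: bytes, x: int) -> bytes:
    # Assumed layout: fixed-size nonces and X first, variable-length ID last.
    return hashlib.sha256(ns + nc + x.to_bytes(8, "big") + client_id).digest()

def solve(client_id, ns, nc, k):
    """Initiator: brute-force X; returns (X, number of hashes computed)."""
    x = 0
    while leading_zero_bits(puzzle_hash(client_id, ns, nc, x)) < k:
        x += 1
    return x, x + 1

def verify(client_id, ns, nc, x, k, current_ns):
    """Responder: at most one hash, with no per-client state kept beforehand."""
    if not hmac.compare_digest(ns, current_ns):
        return False  # stale or made-up server nonce: rejected without hashing
    return leading_zero_bits(puzzle_hash(client_id, ns, nc, x)) >= k

def average_work(k, trials=200):
    """Mean number of hashes an initiator spends per solution at difficulty k."""
    ns = os.urandom(16)  # stands in for the responder's periodically refreshed nonce
    total = 0
    for _ in range(trials):
        _, hashes = solve(b"initiator-A", ns, os.urandom(16), k)
        total += hashes
    return total / trials

if __name__ == "__main__":
    ns, nc = os.urandom(16), os.urandom(16)  # constructed sample nonces
    x, hashes = solve(b"initiator-A", ns, nc, 10)
    ok = verify(b"initiator-A", ns, nc, x, 10, ns)
    print(f"k=10 solved with {hashes} hashes; responder verified: {ok}")
    for k in (4, 8, 12):
        print(f"k={k:2d}  mean initiator hashes ~ {average_work(k):.0f}  (2^k = {2**k})")
```

Raising k raises only the initiator's cost; `verify()` still costs the responder one hash per packet, which is why slide 8 notes that a higher difficulty does not help against random packets.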
