1 / 17

I nnovative Intrusion-Resilient, DDoS -Resistant Authentication System (IDAS) System

I nnovative Intrusion-Resilient, DDoS -Resistant Authentication System (IDAS) System. Yanjun Zhao. Current Protocols. SSL (Secure Sockets Layer) protocol IPSec(Internet Protocol Security ) suffer from intrusion and single-point ofcompromising

tatum-sellers
Télécharger la présentation

I nnovative Intrusion-Resilient, DDoS -Resistant Authentication System (IDAS) System

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Innovative Intrusion-Resilient,DDoS-Resistant Authentication System (IDAS) System Yanjun Zhao

  2. Current Protocols • SSL (Secure Sockets Layer) protocol • IPSec(Internet Protocol Security) • suffer from • intrusion and single-point ofcompromising • DDoS(distributed denial ofservice) attacks.

  3. The Purposes of IDAS • protect credential information by distributing shared secret to multiple computers and thus eliminates the single point of compromising. • detect the use of partial credential as a user/computer and indicate which part of secret is exposed

  4. Even when an insider compromised all related servers, the credential is only valid for a short period of time and will be self healed in next period. • A DDoS resistant protocol must be stateless and efficient as well as stop botnet attacks and “low and slow”attacks.

  5. take a single round trip time, which is faster than any other authentication protocols and is important to the performance of critical applications in a multi-continent network.

  6. A legitimate user shares a p, a hash chain value, and a cryptographic key, k_auth, with the Authentication Server. The p represents a second factor for authentication and can be a password, a token, a biometrics, or smartcard. • Partial secrets of the user are provided with two random number seeds: one is for the nonce generation, and the other is for the hash chain seed.

  7. Time-Dependent Secret

  8. Self-healing Feature of the Authentication Sever

  9. HMAC • HMAC (RFC 2104) is the standard approach in cryptography to ensure the message integrity. • In the context of our authentication protocol, HMAC can be viewed as a fixed-size output produced by two inputs (a message and a secret key). • HMAC is computationally infeasible to produce the valid code without the knowledge of the key.

  10. Distribute Secret

  11. The proposed scheme combines the usage of a p, a key, and a hash chain in a computation-efficient manner to achieve a strong security level.

  12. If the p is not used in the protocol, when an adversary compromises the device, the attacker can succeed in impersonating the user. • If the HMAC key is not used in the protocol, the update of hash chain value might be tampered by the adversary. Thus, the server and the device will be out of synchronization for authentication. • If the hash chain is not used in the protocol, the adversary compromising the server learns the secret HMAC key and p. Then the adversary can succeed in impersonating a user in next authentication session.

  13. The above steps remove the single-point compromising vulnerability of critical user authentication information. • It is useless for an attacker to compromises one of the two servers. If a strong inside attacker compromises both servers, one can pretend to be a user for the current period. • For the next time period, the attacker loses the required hash chain value and the authentication system self heals.

  14. DDoS Resistant

  15. Reference • Chwan-hwa”John” Wu and Tong Liu Simulation for Intrusion-Resilient, DDoS-Resistant Authentication System (IDAS). SpringSim '08: Proceedings of the 2008 Spring Simulation Multiconference

More Related