A Proposal for DoS-Defensive Internet Key Exchange

  • Conference paper
Computational Science and Its Applications — ICCSA 2003 (ICCSA 2003)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2668)

Abstract

A variety of DoS attacks are incapacitating Internet infrastructure. IKE protocols are easy targets for these attacks because they require heavy computation and because an IKE is the initial handshake procedure for secure communications. This paper analyzes existing DoS-resistant protocols, which are in several respects unsuitable for use in an IKE, and points out DoS vulnerabilities in three IKE candidates. It proposes a new DoS-defensive IKE that resists CPU- and memory-exhaustion DoS attacks. Moreover, the proposed IKE enhances the capacity of the responder, which may be a heavily loaded web server or a mobile device.

This research was supported by University IT Research Center Project.

© 2003 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Choi, M., Kwak, D., Moon, S. (2003). A Proposal for DoS-Defensive Internet Key Exchange. In: Kumar, V., Gavrilova, M.L., Tan, C.J.K., L’Ecuyer, P. (eds) Computational Science and Its Applications — ICCSA 2003. ICCSA 2003. Lecture Notes in Computer Science, vol 2668. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-44843-8_35

  • DOI: https://doi.org/10.1007/3-540-44843-8_35

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-40161-2

  • Online ISBN: 978-3-540-44843-3

  • eBook Packages: Springer Book Archive
