A Proposal for DoS-Defensive Internet Key Exchange

  • MyungSik Choi
  • DongJin Kwak
  • SangJae Moon
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2668)


A variety of DoS attacks are incapacitating Internet infrastructure. IKEs are easy targets for these attacks because they require heavy computation, and an IKE is the initial handshake procedure for secure communications. This paper analyzes existing DoS-resistant protocols, which are in several respects unsuitable for application to an IKE, and points out the DoS vulnerabilities of three IKE candidates. It proposes a new DoS-defensive IKE that resists CPU and memory exhaustion DoS attacks. Moreover, the proposed IKE enhances the capacity of the responder, which may be a heavily loaded web server or a mobile device.


Denial of Service, Internet Key Exchange, Authentication and Key Agreement, IPsec





Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • MyungSik Choi (1)
  • DongJin Kwak (2)
  • SangJae Moon (2)

  1. Telecommunication Network Division, Samsung Electronics Co., Ltd., Korea
  2. Mobile Network Security Technology Research Center, Kyungpook National University, Daegu, Korea
