Abstract
SSL/TLS has been designed to protect authenticity, integrity, and confidentiality. However, considering the possibility of TCP data injection, as described in [Wa04], it becomes obvious that this protocol is vulnerable to DoS attacks just because it is layered upon TCP. In this paper, we analyze DoS-attacks on SSL/TLS and describe a simple, yet effective way to provide protection for SSL/TLS by protecting the underlying TCP connection. We focus on a simple, feasible, and efficient solution, trying to balance security and usability issues by using the built-in key exchange of SSL/TLS to initialize TCP’s MD5 option.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
[AAL+05]_Arends, R., Austein, R., Larson, M., Massey, D., und Rose, S. DNS Security Introduction and Requirements. RFC 4033. March 2005.
Cox, A., Miller, D. S., und Schwartz, D. RFC2385 (MD5 signature in TCP packets) support. Linux Kernel Mailinglist. Mar 2002.
Dierks, T. und Rescorla, E. The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346. April 2006. Updated by RFCs 4366, 4680, 4681.
Eastlake 3rd, D. und Jones, P. US Secure Hash Algorithm 1 (SHA1). RFC 3174. September 2001.
Freier, A. O., Freier, A. O., und Kocher, P. C. The SSL Protocol Version 3.0. Draft. Nov 1998. http://wp.netscape.com/eng/ssl3/.
[FGM+99]_Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., und Berners-Lee, T. Hypertext Transfer Protocol — HTTP/1.1. RFC 2616. June 1999. Updated by RFC 2817.
Frankel, S. und Herbert, H. The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec. RFC 3566. September 2003.
Heffernan, A. Protection of BGP Sessions via the TCP MD5 Signature Option. RFC 2385. August 1998.
Jacobson, V., Braden, R., und Borman, D. TCP Extensions for High Performance. RFC 1323. May 1992.
Kaufman, C. Internet Key Exchange (IKEv2) Protocol. RFC 4306. December 2005.
Krawczyk, H., Bellare, M., und Canetti, R. HMAC: Keyed-Hashing for Message Authentication. RFC 2104. February 1997.
Kent, S. IP Authentication Header. RFC 4302. December 2005.
Kent, S. und Seo, K. Security Architecture for the Internet Protocol. RFC 4301. December 2005.
Madson, C. und Glenn, R. The Use of HMAC-MD5-96 within ESP and AH. RFC 2403 (Proposed Standard). November 1998.
Madson, C. und Glenn, R. The Use of HMAC-SHA-1-96 within ESP and AH. RFC 2404. November 1998.
Mathis, M., Mahdavi, J., Floyd, S., und Romanow, A. TCP Selective Acknowledgement Options. RFC 2018. October 1996.
McDonald, D., Metz, C, und Phan, B. PF_KEY Key Management API, Version 2. RFC 2367. July 1998.
Metzger, P. und Simpson, W. IP Authentication using Keyed MD5. RFC 1828. August 1995.
Netfilter-Group. The netfuter/iptables project homepage. Website. http://www.netfilter.org/.
Postel, J. Transmission Control Protocol. RFC 793. September 1981. Updated by RFC 3168.
Rivest, R. The MD5 Message-Digest Algorithm. RFC 1321 (Informational). April 1992.
Rescorla, E. und Modadugu, N. Datagram Transport Layer Security. RFC 4347. April 2006.
Richardson, M. und Redelmeier, D. Opportunistic Encryption using the Internet Key Exchange (IKE). RFC 4322. December 2005.
Stewart, R. und Stewart, R. Improving TCP’s Robustness to Blind In-Window Attacks. Draft v5. Jun 2006.
Watson, P. A.: Slipping in the Windows: TCP reset attacks. In: Cansecwest. 2004.
Wang, X. und Yu, H.: How to break md5 and other hash functions. In: Advances in Cryptology-Eurocrypt. 2005.
Zalewski, M. Strange Attractors and TCP/IP Sequence Number Analysis. Whitepaper. Apr 2001. http://www.bindview.com/Services/Razor/Papers/2001/tcpseq.cfm.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Völker, L., Schöller, M. (2007). Secure TLS: Preventing DoS Attacks with Lower Layer Authentication. In: Braun, T., Carle, G., Stiller, B. (eds) Kommunikation in Verteilten Systemen (KiVS). Informatik aktuell. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-69962-0_20
Download citation
DOI: https://doi.org/10.1007/978-3-540-69962-0_20
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-69961-3
Online ISBN: 978-3-540-69962-0
eBook Packages: Computer Science and Engineering (German Language)