Abstract
Authentication is a promising way to treat denial-of-service (DoS) threats against nonpublic services because it allows servers to restrict connections only to authorised users. However, there is a catch with this argument since authentication itself is typically a computationally intensive rocess that is necessarily exposed to unauthenticated entities. This means that the authentication protocol can become a source of denial-of-service vulnerability itself, thereby causing the same problem it is aimed at solving.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
- 2.
FindSoln runs in time at mostt so that a client can stop searching for a puzzle after a specified amount of time; our difficulty definitions yield that a client must spend at least a certain amount of time to find a valid solution.
- 3.
Note that GetSoln is only obligated to find a solution if puz was actually generated by the challenger. If \(\mathcal{A}\) generated puz, then \(\mathcal{A}\) may need to employ FindSoln to find a solution. Compared to FindSoln, GetSoln has access to additional secret information that may allow it to find a solution more easily.
- 4.
In the random oracle model, a hash function is modelled as an ideal random function accessible to the adversary solely as an oracle [12].
- 5.
The notation p1 ∘ a 1  ⊕  p 2 ∘ a 2  ⊕... ⊕  p n ∘ a n denotes a lottery over the set of actions {a 1 ,a 2 ,...,a n }, where \({p}_{1} + {p}_{2} +... + {p}_{n} = 1\).
References
Abadi, M., M. Burrows, M. Manasse, and T. Wobber. 2003. Moderately hard, memory-bound functions. In the 10th Annual Network and Distributed System Security Symposium, San Diego, 6–7 Feb 2003.
Agah, A., and S.K. Das. 2007. Preventing dos attacks in wireless sensor networks: A repeated game theory approach. International Journal of Network Security 5(2): 145–153.
Aiello, W., S.M. Bellovin, M. Blaze, R. Canetti, J. Ioannidis, A.D. Keromytis, and O. Reingold. 2004. Just fast keying: Key agreement in a hostile Internet. ACM Transactions on Information and System Security 7(2): 1–30.
Aura, T., and P. Nikander. 1997. Stateless connections. In Proceeding of the International Conference on Information and Communications Security (ICICS’97), eds. Y. Han, T. Okamoto, and S. Qing, LNCS, vol. 1334, 87–97, Beijing, China, Nov 1997. Springer.
Aura, T., P. Nikander, and J. Leiwo. 2000. DoS-resistant authentication with client puzzles. In Security Protocols Workshop 2000, 170–181. Cambridge, Apr 2000.
Aura, T., P. Nikander, and J. Leiwo. 2001. DOS-resistant authentication with client puzzles. In Revised Papers from the 8th International Workshop on Security Protocols, Lecture notes in computer science, vol. 2133, 170–177. Springer-Verlag.
Aura, T., and P. Nikander. 1997. Stateless connections. Technical report A46, Helsinki University of Technology, Digital Systems laboratory, Espoo, Finland.
Back, A. 1997.[-8pc] A partial hash collision based postage scheme. http://www.hashcash.org/papers/announce.txt. Accessed 31 Aug 2011.
Back, A. 2004. Hashcash. http://www.hashcash.org/docs/hashcash.html\#stamp_format__version_1_.. Accessed 31 Aug 2011.
Bellare, M., J. Kilian, and P. Rogaway. 2000. The security of the cipher block chaining message authentication code. Journal of Computer and System Sciences 61(3): 362–399.
Bellare, M., and P. Rogaway. 1994. Entity authentication and key distribution. In Proceedings of the 13th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO ’93, 232–249, London. Springer-Verlag.
Bellare, M., and P. Rogaway. 1993. Random oracles are practical: a paradigm for designing efficient protocols. In Proceedings of the 1st ACM conference on Computer and communications security, CCS ’93, 62–73, New York, 1993. ACM.
Bencsath, B., I. Vajda, and L. Buttyan. 2003. A game based analysis of the client puzzle approach to defend against DoS attacks. In Proceedings of the 2003 International Conference on Software, Telecommunications and Computer Networks, 763–767, 2003.
Canetti, R., S. Halevi, and M. Steiner. 2005. Hardness amplification of weakly verifiable puzzles, In J. Kilian (ed.), Theory of Cryptography Conference (TCC), LNCS 3378, pp. 17–33. Springer, 2005.
Canetti, R., and H. Krawczyk. 2002. Security analysis of IKE’s signature based key-exchange protocol. In M. Yung (ed.), Advances in Cryptology – Proc. CRYPTO, LNCS 2442, pp. 27–52. Springer, 2002.
Castelluccia, C., E. Mykletun, and G. Tsudik (2006). Improving secure server performance by re-balancing SSL/TLS handshakes. In ASIACCS ’06: Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security, 26–34, New York, 2006. ACM Press.
Chan, E., C.A. Gunter, S. Jahid, E. Peryshkin, and D. Rebolledo. 2008. Using rhythmic nonces for puzzle-based DoS resistance. In Proceedings of the 2nd ACM Workshop on Computer Security Architectures, 51–58, New York, 2008. ACM Press.
Chen, L., P. Morrissey, N.P. Smart, and B. Warinschi. 2009. Security notions and generic constructions for client puzzles. In M. Matsui (ed.), Advances in Cryptology – Proc. ASIACRYPT 2009, LNCS 5912, pp. 505–523. Springer, 2009.
Dwork, C., A. Goldberg, and M. Naor. 2003. On memory-bound functions for fighting spam. In the 23rd Annual International Cryptology Conference (CRYPTO 2003), 426–444, Aug 2003.
Dwork, C., and M. Naor. 1992. Pricing via processing or combatting junk mail. In the 12th Annual International Cryptology Conference on Advances in Cryptology, Lecture notes In Computer Science, vol. 740, 139–147, 1992. Springer-Verlag.
Dwork, C., M. Naor, and H. Wee. 2005. Pebbling and proofs of work. In CRYPTO, 37–54, 2005.
Fallah, M. 5555. A puzzle-based defense strategy against flooding attacks using game theory. IEEE Transactions on Dependable and Secure Computing 99(2): 5555.
Feng, W., E. Kaiser, W. Feng, and A. Luu. 2004. The design and implementation of network layer puzzles. Technical report 04-003, OGI CSE, Aug 2004.
Feng, W., E. Kaiser, and A. Luu. 2005. Design and implementation of network puzzles. In INFOCOM 2005. 24th Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings IEEE, vol. 4, 2372–2382, March 2005.
Fudenberg, D. and E. Maskin. 1986. The folk theorem in repeated games with discounting or with incomplete information. Econometrica 54(3): 533–54.
Harkins, D. and D. Carrel. 1998. The internet key exchange (IKE), November 1998. Obsoleted by RFC 4306, updated by RFC 4109.
Jakobsson, M., and A. Juels. Proofs of work and bread pudding protocols (extended abstract). In B. Preneel (ed.), Proceedings of the IFIP TC6/TC11 Joint Working Conference on Secure Information Networks: Communications and Multimedia Security, volume 152 of IFIP Conference Proceedings, pp. 258–272. Kluwer, 1999.
Jakobsson, M., and A. Juels. 1999. Proofs of work and bread pudding protocols. In The IFIP TC6 and TC11 Joint Working Conference on Communications and Multimedia Security (CMS Ã99). Also available as http://citeseer.nj.nec.com/238810.html
Juels, A., and J. Brainard. 1999. Client Puzzles: A cryptographic defense against connection depletion attacks. In Proceedings of the Network and Distributed System Security Symposium (NDSS ’99), 151–165, San Diego, Feb 1999. Internet Society Press, Reston.
Karn, P.R., and W.A. Simpson. 1999. Photuris: Session-key management protocol. RFC 2522, IETF.
Kaufman, C. 2005. Internet key exchange (IKEv2) protocol. RFC 4306.
Kennell, R., and L.H. Jamieson. 2003. Establishing the genuinity of remote computer systems. In 12th USENIX Security Symposium, 295–308, 2003.
Kent, S., and R. Atkinson. 1998. Security architecture for the internet protocol. Standards track RFC 2401, IETF. http://www.ietf.org/rfc/rfc2401.txt. Accessed 31 Aug 2011.
Kent, S., and K. Seo. 2005. Security architecture for the internet protocol, December 2005.
Komathy, K., and P. Narayanasamy. 2008. Secure data forwarding against denial of service attack using trust based evolutionary game. In Vehicular Technology Conference, 2008. VTC Spring 2008. IEEE, 31–35, May 2008.
LaMacchia, B., K. Lauter, and A. Mityagin. 2007. Stronger security of authenticated key exchange. In W. Susilo, J.K. Liu, and Y. Mu (eds), First International Conference on Provable Security (ProvSec), LNCS 4784, pp. 1–16. Springer, 2007.
Leiwo, J., P. Nikander, and T. Aura. 2000. Towards network denial of service resistant protocols. In the 15th Annual Working Conference on Information Security (SEC2000), vol. 175, Beijing, China, Aug 2000.
Lemon, J. 2002. Resisting SYN flood DoS attacks with a SYN cache. In the BSDCon 2002, 89–97, Berkley, 11–14 Feb 2002.
Lv, J.-J. 2008. A game theoretic defending model with puzzle controller for distributed dos attack prevention. In 2008 International Conference on Machine Learning and Cybernetics, vol. 2, 1064–1069, July 2008.
Mahimkar, A., and V. Shmatikov. 2005. Game-based analysis of denial-of-service prevention protocols. In CSFW ’05: Proceedings of the 18th IEEE Workshop on Computer Security Foundations, 287–301, Washington, DC, 2005. IEEE Computer Society.
Mao, W., and K.G. Paterson. 2002. On the plausible deniability feature of Internet protocols. Manuscript. http://citeseer.ist.psu.edu/678290.html. Accessed 31 Aug 2011.
Matsuura, K., and H. Imai. 2000. Modification of internet key exchange resistant against denial-of-service. In Pre-Proceeding of Internet Workshop 2000 (IWS2000), 167–174, Feb 2000.
Meadows, C. 1999. A formal framework and evaluation method for network denial of service. In Proc. 12th IEEE Computer Security Foundations Workshop (CSFW) 1999, 4, 1999.
Meadows, C. 2001. A cost-based framework for analysis of denial of service in networks. Journal of Computer Security 9(1): 143–164.
Menezes, A.J., P.C. van Oorschot, and S.A. Vanstone. 1997. Handbook of applied cryptography. CRC Press series on discrete mathematics and its applications. CRC Press. ISBN 0-8493-8523-7.
Mirkovic, J., and P. Reiher. 2004. A taxonomy of DDoS attack and DDoS defense mechanisms. SIGCOMM Computer Communication Review 34(2): 39–53.
Moskowitz, R., P. Nikander, P. Jokela, and T.R. Henderson. 2008. Host identity protocol, Apr 2008. RFC 5201.
Narasimhan, H., V. Varadarajan, and C.P. Rangan. 2009. Game theoretic resistance to denial of service attacks using hidden difficulty puzzles. Cryptology ePrint Archive, Report 2009/350. http://eprint.iacr.org/. Accessed 31 Aug 2011.
Narasimhan, H., V. Varadarajan, and C.P. Rangan. 2010. Game theoretic resistance to denial of service attacks using hidden difficulty puzzles. In ISPEC, 359–376, 2010.
Paterson, K.G. 2006. A cryptographic tour of the IPsec standards. Cryptology ePrint Archive, Report 2006/097. http://eprint.iacr.org/2006/097.pdf. Accessed 31 Aug 2011.
Price, G. 2003. A general attack model on hash-based client puzzles. In Cryptography and Coding, 9th IMA International Conference, Cirencester, UK, December 16–18, 2003, Proceedings, ed. K. Paterson, Lecture notes in computer science, 319–331, vol. 2898. Springer-Verlag.
Rabin, M.O. 1979. Digitalized signatures and public-key functions as intractable as factorization. Technical report MIT/LCS/TR-212, Massachusetts Institute of Technology.
Rivest, R.L, A. Shamir, and L. Adleman. 1978. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21(2): 120–126.
Rivest, R.L., A. Shamir, and D.A. Wagner. 1996. Time-lock puzzles and timed-release crypto. Technical report TR-684, Massachusetts Institute of Technology, Cambridge, 10 Mar 1996.
Sagduyu, Y.E., and A. Ephremides. 2009. A game-theoretic analysis of denial of service attacks in wireless random access. Wireless Networks 15(5): 651–666.
Shankar, U., M. Chew, and J.D. Tygar. 2004. Side effects are not sufficient to authenticate software. In Proceedings of the Thirteenth USENIX Security Symposium, 89–102, Aug 2004. USENIX.
Simpson, W.A. 1999. IKE/ISAKMP considered harmful. USENIX ;login 24(6).
Smith, J. 2007. Denial of service: Prevention, modelling and detection. PhD thesis, Queensland University of Technology, Brisbane.
Smith, J., J. González Nieto, and C. Boyd. Modelling denial of service attacks on JFK with Meadows’s cost-based framework, 125–134.
Stebila, D., L. Kuppusamy, J. Rangasamy, C. Boyd, and J. Gonzalez-Nieto. 2011. Stronger difficulty notions for client puzzles and denial-of-service-resistant protocols. In Topics in Cryptology – CT-RSA 2011, ed. A. Kiayias Lecture notes in computer science, 284–301, vol. 6558, 2011. Springer, Berlin.
Stebila, D., and B. Ustaoglu. 2009. Towards denial-of-service-resilient key agreement protocols. In C. Boyd and J. González Nieto (eds), Proc. 14th Australasian Conference on Information Security and Privacy (ACISP), LNCS 5594, pp. 389–406. Springer, 2009.
Tritilanunt, S., C. Boyd, J. González Nieto, and E. Foo. 2007. Toward non-parallelizable cryptographic puzzles. In of 6th International Conference on Cryptology and Network Security (CANS 2007), Singapore, 8–10 December 2007.
Ustaoglu, B. 2008. Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS. Designs, Codes and Cryptography 46(3): 329–342.
Wang, X. and M.K. Reiter. 2003. Defending against denial-of-service attacks with puzzle auctions. In Proceedings of the 2003 IEEE Symposium on Security and Privacy, 2003. IEEE Computer Society.
Waters, B., A. Juels, J.A. Halderman, and E.W. Felten. 2004. New client puzzle outsourcing techniques for dos resistance. In CCS ’04: Proceedings of the 11th ACM Conference on Computer and Communications Security, 246–256, New York, 2004. ACM.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2011 Springer India Pvt. Ltd.
About this chapter
Cite this chapter
Boyd, C. et al. (2011). Cryptographic Approaches to Denial-of-Service Resistance. In: Raghavan, S., Dawson, E. (eds) An Investigation into the Detection and Mitigation of Denial of Service (DoS) Attacks. Springer, India. https://doi.org/10.1007/978-81-322-0277-6_6
Download citation
DOI: https://doi.org/10.1007/978-81-322-0277-6_6
Published:
Publisher Name: Springer, India
Print ISBN: 978-81-322-0276-9
Online ISBN: 978-81-322-0277-6
eBook Packages: Computer ScienceComputer Science (R0)