An integrated approach to cryptographic mitigation of denial-of-service attacks

Gradual authentication is a principle proposed by Meadows as a way to tackle denial-of-service attacks on network protocols by gradually increasing the confidence in clients before the server commits resources. In this paper, we propose an efficient method that allows a defending server to authenticate its clients gradually with the help of some fast-to-verify measures. Our method integrates hash-based client puzzles along with a special class of digital signatures supporting fast verification. Our hash-based client puzzle provides finer granularity of difficulty and is proven secure in the puzzle difficulty model of Chen et al. (2009). We integrate this with the fast-verification digital signature scheme proposed by Bernstein (2000, 2008). These schemes can be up to 20 times faster for client authentication compared to RSA-based schemes. Our experimental results show that, in the Secure Sockets Layer (SSL) protocol, fast verification digital signatures can provide a 7% increase in connections per second compared to RSA signatures, and our integration of client puzzles with client authentication imposes no performance penalty on the server since puzzle verification is a part of signature verification.

[1]  Jason Smith,et al.  Modelling denial of service attacks on JFK with Meadows's cost-based framework , 2006, ACSW.

[2]  Catherine A. Meadows,et al.  A formal framework and evaluation method for network denial of service , 1999, Proceedings of the 12th IEEE Computer Security Foundations Workshop.

[3]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[4]  William Allen Simpson,et al.  Photuris: Session-Key Management Protocol , 1999, RFC.

[5]  Charlie Kaufman,et al.  Internet Key Exchange (IKEv2) Protocol , 2005, RFC.

[6]  Adam Stubblefield,et al.  Using Client Puzzles to Protect TLS , 2001, USENIX Security Symposium.

[7]  Gene Tsudik,et al.  Improving secure server performance by re-balancing SSL/TLS handshakes , 2006, ASIACCS '06.

[8]  Qijun Gu,et al.  Denial of Service Attacks , 2012 .

[9]  Pekka Nikander,et al.  Stateless connections , 1997, ICICS.

[10]  Daniel J. Bernstein Proving Tight Security for Rabin-Williams Signatures , 2008, EUROCRYPT.

[11]  Stefan Savage,et al.  Inferring Internet denial-of-service activity , 2001, TOCS.

[12]  Dan S. Wallach,et al.  Performance analysis of TLS Web servers , 2006, TOCS.

[13]  Jason Smith,et al.  Denial-of-service resistance in key establishment , 2007, Int. J. Wirel. Mob. Comput..

[14]  Daniel J. Bernstein,et al.  A Secure Public-Key Signature System With Extremely Fast Verification , 2000 .

[15]  Colin Boyd,et al.  Toward Non-parallelizable Client Puzzles , 2007, CANS.

[16]  Wu-chi Feng,et al.  Design and implementation of network puzzles , 2005, Proceedings IEEE 24th Annual Joint Conference of the IEEE Computer and Communications Societies..

[17]  Abdulmotaleb El-Saddik,et al.  Requirements for Client Puzzles to Defeat the Denial of Service and the Distributed Denial of Service Attacks , 2006, Int. Arab J. Inf. Technol..

[18]  Adam Back,et al.  Hashcash - A Denial of Service Counter-Measure , 2002 .

[19]  Pekka Nikander,et al.  DOS-Resistant Authentication with Client Puzzles , 2000, Security Protocols Workshop.

[20]  Ari Juels,et al.  $evwu Dfw , 1998 .

[21]  Bogdan Warinschi,et al.  Security Notions and Generic Constructions for Client Puzzles , 2009, ASIACRYPT.

[22]  Colin Boyd,et al.  Stronger Difficulty Notions for Client Puzzles and Denial-of-Service-Resistant Protocols , 2011, CT-RSA.

[23]  Michael K. Reiter,et al.  Defending against denial-of-service attacks with puzzle auctions , 2003, 2003 Symposium on Security and Privacy, 2003..

[24]  Douglas Stebila,et al.  Towards Denial-of-Service-Resilient Key Agreement Protocols , 2009, ACISP.

[25]  Hugh C. Williams,et al.  A modification of the RSA public-key encryption procedure (Corresp.) , 1980, IEEE Trans. Inf. Theory.

[26]  Catherine A. Meadows,et al.  A Cost-Based Framework for Analysis of Denial of Service Networks , 2001, J. Comput. Secur..