Denial of service in public key protocols

Network denial of service attacks have become a widespread problem on the Internet. However, denial of service is often considered to be an implementation issue by protocol designers. In this paper I present a survey of the literature on designing denial of service resistant communication protocols. I consider several different types of resources vulnerable to resource consumption attacks, and outline countermeasures against such attacks. I also describe how these countermeasures are used in the ISAKMP/IKE and Photuris protocols, and give overview of design recommendations for future protocols.

[1]  Randall J. Atkinson,et al.  Security Architecture for the Internet Protocol , 1995, RFC.

[2]  Pekka Nikander,et al.  Stateless connections , 1997, ICICS.

[3]  Jin-Yi Cai,et al.  Making benchmarks uncheatable , 1998, Proceedings. IEEE International Computer Performance and Dependability Symposium. IPDS'98 (Cat. No.98TB100248).

[4]  Pekka Nikander,et al.  DOS-Resistant Authentication with Client Puzzles , 2000, Security Protocols Workshop.

[5]  Ari Juels,et al.  $evwu Dfw , 1998 .

[6]  Catherine A. Meadows Open Issues in Formal Methods for Cryptographic Protocol Analysis , 2001, MMM-ACNS.

[7]  William Allen Simpson,et al.  Photuris: Session-Key Management Protocol , 1999, RFC.

[8]  R. Hunt,et al.  TCP/IP security threats and attack methods , 1999, Comput. Commun..

[9]  Matthew K. Franklin,et al.  Auditable Metering with Lightweight Security , 1997, J. Comput. Secur..

[10]  Marshall T. Rose On the Design of Application Protocols , 2001, RFC.

[11]  Paul Ferguson,et al.  Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing , 1998, RFC.

[12]  Markus G. Kuhn,et al.  Analysis of a denial of service attack on TCP , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[13]  Ronald L. Rivest,et al.  Time-lock Puzzles and Timed-release Crypto , 1996 .

[14]  Dan Harkins,et al.  The Internet Key Exchange (IKE) , 1998, RFC.

[15]  Hilarie K. Orman,et al.  The OAKLEY Key Determination Protocol , 1997, RFC.

[16]  Stuart G. Stubblebine,et al.  Publicly Verifiable Lotteries: Applications of Delaying Functions , 1998, Financial Cryptography.

[17]  William Allen Simpson Photuris: Design Criteria , 1999, Selected Areas in Cryptography.

[18]  Hideki Imai,et al.  Protection of Authenticated Key-Agreement Protocol against a Denial-of-Service Attack , 1998 .

[19]  Hideki Imai,et al.  Modified Aggressive Mode of Internet Key Exchange Resistant against Denial-of-Service Attacks , 2000 .

[20]  Marten van Sinderen On the design of application protocols , 1995 .

[21]  Peter G. Neumann,et al.  Inside Risks: denial-of-service attacks , 2000, CACM.

[22]  T. Aura AUTHORIZATION AND AVAILABILITY - ASPECTS OF OPEN NETWORK SECURITY , 2000 .

[23]  Moti Yung,et al.  Scalability and flexibility in authentication services: the KryptoKnight approach , 1997, Proceedings of INFOCOM '97.

[24]  Steven M. Bellovin,et al.  ICMP Traceback Messages , 2003 .

[25]  Stephen T. Kent,et al.  Security Architecture for the Internet Protocol , 1998, RFC.

[26]  Pekka Nikander,et al.  Towards Network Denial of Service Resistant Protocols , 2000, SEC.

[27]  Hugo Krawczyk,et al.  A Security Architecture for the Internet Protocol , 1999, IBM Syst. J..

[28]  Catherine A. Meadows,et al.  Analysis of the Internet Key Exchange protocol using the NRL Protocol Analyzer , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[29]  Philip R. Karn,et al.  Photuris: Extended Schemes and Attributes , 1999, RFC.

[30]  Markus Jakobsson,et al.  Proofs of Work and Bread Pudding Protocols , 1999, Communications and Multimedia Security.

[31]  Rolf Oppliger,et al.  Protecting Key Exchange and Management Protocols Against Resource Clogging Attacks , 1999, Communications and Multimedia Security.

[32]  Mihir Bellare,et al.  Verifiable partial key escrow , 1997, CCS '97.

[33]  W. Douglas Maughan,et al.  Internet Security Association and Key Management Protocol (ISAKMP) , 1998, RFC.

[34]  Dahlia Malkhi,et al.  Auditable metering with lighweight security , 1998 .

[35]  William Simpson IKE/ISAKMP considered harmful , 1999 .

[36]  Shoichi Hirose,et al.  Enhancing the Resistence of a Provably Secure Key Agreement Protocol to a Denial-of-Service Attack , 1999, ICICS.

[37]  Catherine A. Meadows,et al.  A formal framework and evaluation method for network denial of service , 1999, Proceedings of the 12th IEEE Computer Security Foundations Workshop.

[38]  Kanta Matsuura,et al.  Resolution of ISAKMP/Oakley key-agreement protocol resistant against denial-of-service attack , 1999, 1999 Internet Workshop. IWS99. (Cat. No.99EX385).

[39]  Philip N. Klein,et al.  Using router stamping to identify the source of IP packets , 2000, CCS.

[40]  Moni Naor,et al.  Pricing via Processing or Combatting Junk Mail , 1992, CRYPTO.

[41]  Radia Perlman,et al.  Folklore of Protocol Design , 1998 .

[42]  Anna R. Karlin,et al.  Practical network support for IP traceback , 2000, SIGCOMM.