Using Coloured Petri Nets to Simulate DoS-resistant Protocols

In this work, we examine unbalanced computation between an initiator and a responder that leads to resource exhaustion attacks in key exchange protocols. We construct models for two cryp-tographic protocols; one is the well-known Internet protocol named Secure Socket Layer (SSL) protocol, and the other one is the Host Identity Protocol (HIP) which has built-in DoS-resistant mechanisms. To examine such protocols, we develop a formal framework based on Timed Coloured Petri Nets (Timed CPNs) and use a simulation approach provided in CPN Tools to achieve a formal analysis. By adopting the key idea of Meadows' cost-based framework and re¯ning the de¯nition of operational costs during the protocol execution, our simulation provides an accurate cost estimate of protocol execution compar- ing among principals, as well as the percentage of successful connections from legitimate users, under four di®erent strategies of DoS attack.

[1]  Pekka Nikander,et al.  Stateless connections , 1997, ICICS.

[2]  Søren Christensen,et al.  Teaching Coloured Petri Nets- A Gentle Introduction to Formal Methods in a Distributed Systems Course , 1997, ICATPN.

[3]  Kurt Jensen,et al.  Coloured Petri Nets: Basic Concepts, Analysis Methods and Practical Use. Vol. 2, Analysis Methods , 1992 .

[4]  Ari Juels,et al.  Client puzzles: A cryptographic defense against connection depletion , 1999 .

[5]  Pekka Nikander,et al.  DOS-Resistant Authentication with Client Puzzles , 2000, Security Protocols Workshop.

[6]  Tuomas Aura,et al.  Analysis of the HIP Base Exchange Protocol , 2005, ACISP.

[7]  NikanderP.,et al.  Host Identity Protocol (HIP) , 2008 .

[8]  Chuang Lin,et al.  Optimization and benchmark of cryptographic algorithms on network processors , 2003, SMC'03 Conference Proceedings. 2003 IEEE International Conference on Systems, Man and Cybernetics. Conference Theme - System Security and Assurance (Cat. No.03CH37483).

[9]  Jason Smith,et al.  Modelling denial of service attacks on JFK with Meadows's cost-based framework , 2006, ACSW.

[10]  Jacob Beal Deamplification of DoS Attacks via Puzzles , 2004 .

[11]  Angelos D. Keromytis,et al.  Efficient, DoS-resistant, secure key exchange for internet protocols , 2001, CCS '02.

[12]  Issam Al-Azzoni,et al.  THE VERIFICATION OF CRYPTOGRAPHIC PROTOCOLS USING COLOURED PETRI NETS , 2004 .

[13]  William Allen Simpson,et al.  Photuris: Session-Key Management Protocol , 1999, RFC.

[14]  Dirk Fox Computer Emergency Response Team (CERT) , 2002, Datenschutz und Datensicherheit.

[15]  Catherine A. Meadows,et al.  A Cost-Based Framework for Analysis of Denial of Service Networks , 2001, J. Comput. Secur..

[16]  C. Petri Kommunikation mit Automaten , 1962 .

[17]  Alan O. Freier,et al.  The SSL Protocol Version 3.0 , 1996 .

[18]  Markus Jakobsson,et al.  Proofs of Work and Bread Pudding Protocols , 1999, Communications and Multimedia Security.

[19]  Douglas Stebila,et al.  Performance analysis of elliptic curve cryptography for SSL , 2002, WiSE '02.