Presentation is loading. Please wait.

Presentation is loading. Please wait.

Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Most of slides come from Ari Juels and John Brainard RSA Laboratories.

Similar presentations


Presentation on theme: "Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Most of slides come from Ari Juels and John Brainard RSA Laboratories."— Presentation transcript:

1 Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Most of slides come from Ari Juels and John Brainard RSA Laboratories

2 The Problem

3 How to take down a restaurant Saboteur Restauranteur

4 Saboteur vs. Restauranteur Saboteur Restauranteur Table for four at 8 oclock. Name of Mr. Smith. O.K., Mr. Smith

5 Saboteur Restauranteur No More Tables!

6 An example: TCP SYN flooding TCP connection, please. O.K. Please send ack. TCP connection, please. O.K. Please send ack. Buffer

7 u TCP SYN flooding has been deployed in the real world –Panix, mid-Sept –New York Times, late Sept –Others Similar attacks may be mounted against , SSL, etc.

8 Some defenses against connection depletion

9 Throw away requests Buffer Server Problem: Legitimate clients must keep retrying Client Hello?

10 Request IP Tracing (or Syncookies) Buffer Server Can be evaded, particularly on, e.g., Ethernet Does not allow for proxies, anonymity Problems: Client Hi. My name is

11 Digital signatures Buffer Server Requires carefully regulated PKI Does not allow for anonymity Problems: Client

12 Connection timeout Problem: Hard to achieve balance between security and latency demands Server Client

13 Our solution: client puzzles

14 Intuition Restauranteur Table for four at 8 oclock. Name of Mr. Smith. Please solve this puzzle. O.K., Mr. Smith O.K. ???

15 u A puzzle takes an hour to solve u There are 40 tables in restaurant u Reserve at most one day in advance Intuition A legitimate patron can easily reserve a table Suppose:

16 Intuition ??? Would-be saboteur has too many puzzles to solve

17 The client puzzle protocol Buffer Server Client Service request M O.K.

18 What does a puzzle look like?

19 hash image Y Puzzle basis: partial hash inversion pre-image X 160 bits ? Pair (X, Y) is k-bit-hard puzzle partial-image X ? k bits

20 Puzzle basis: (Contd) u Only way to solve puzzle (X,Y) is brute force method. (hash function is not invertible) u Expected number of steps (hash) to solve puzzle: 2 k / 2 = 2 k-1

21 Puzzle construction Client Service request M Server Secret S

22 Puzzle construction Server computes: secret S time T request M hash pre-image X hash image Y Puzzle

23 Sub-puzzle u Construct a puzzle consists of m k-bit-hard sub- puzzles. u Increase the difficulty of guessing attacks. u Expected number of steps to solve: m×2 k-1.

24 Why not use k+logm bit puzzles? u (k+logm)-bit puzzle –Expected number of trials m×2 k-1 u But for random guessing attacks, the successful probability –One (k+logm)-bit puzzle v 2 -(k+logm) (e.g., 2 -(k+3) ) –m k-bit subpuzzles v (2 -k ) m = 2 -km (e.g., 2 -8k )

25 Puzzle properties u Puzzles are stateless u Puzzles are easy to verify u Hardness of puzzles can be carefully controlled u Puzzles use standard cryptographic primitives

26 Client puzzle protocol (normal) M i 1 : first message of ith execution of protocol M

27 Client puzzle protocol (under attack) P: puzzle with m sub-puzzles t: timestamp of puzzle τ: time to receive solution T 1 : valid time of puzzle

28 Where to use client puzzles?

29 Some pros Avoids many flaws in other solutions, e.g.: u Allows for anonymous connections u Does not require PKI u Does not require retries -- even under heavy attack

30 Practical application u Can use client-puzzles without special- purpose software –Key idea: Applet carries puzzle + puzzle- solving code u Where can we apply this? –SSL (Secure Sockets Layer) –Web-based password authentication

31 Conclusions

32 u Puzzle and protocol description u Rigorous mathematical treatment of security using puzzles -- probabilistic/guessing attack Contributions of paper u Introduces idea of client puzzles for on- the-fly resource access control

33 Questions?


Download ppt "Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Most of slides come from Ari Juels and John Brainard RSA Laboratories."

Similar presentations


Ads by Google