1. A Cryptographic Defense Against Connection Depletion Attacks
Client Puzzles
A Cryptographic Defense Against Connection Depletion Attacks
Most of slides come from
Ari Juels and John Brainard
RSA Laboratories

2. The Problem

3. How to take down a restaurant
Restauranteur
Saboteur

4. Saboteur vs. Restauranteur
Table for four
at 8 o’clock.
Name of Mr. Smith.
O.K.,
Mr. Smith
Restauranteur
Saboteur
Saboteur vs. Restauranteur

5. Restauranteur
No More Tables!
Saboteur

6. An example: TCP SYN flooding
“TCP connection, please.”
“TCP connection, please.”
“O.K. Please send ack.”
“O.K. Please send ack.”
Buffer

7. TCP SYN flooding has been deployed in the real world
Panix, mid-Sept. 1996
New York Times, late Sept. 1996
Others
Similar attacks may be mounted against , SSL, etc.

8. Some defenses against connection depletion

9. Throw away requests Server Client “Hello?” Buffer
Problem: Legitimate clients must keep retrying

10. IP Tracing (or Syncookies)
Hi. My name is
Buffer
Server
Client
Request
Problems:
Can be evaded, particularly on, e.g., Ethernet
Does not allow for proxies, anonymity

11. Digital signatures Server Client Buffer Problems:
Requires carefully regulated PKI
Does not allow for anonymity

12. Connection timeout Server Client
Problem: Hard to achieve balance between security
and latency demands

13. Our solution: client puzzles

14. Intuition ??? O.K., O.K. Mr. Smith Please solve this Table for four
puzzle.
Table for four
at 8 o’clock.
Name of Mr. Smith.
O.K.,
Mr. Smith
O.K.
Restauranteur

15. A legitimate patron can easily reserve a table
Intuition
Suppose:
A puzzle takes an hour to solve
There are 40 tables in restaurant
Reserve at most one day in advance
A legitimate patron can easily reserve a table

16. Intuition
???
Would-be saboteur has too many puzzles to solve

17. The client puzzle protocol
Service request M
Server
Client
Buffer
O.K.

18. What does a puzzle look like?

19. Puzzle basis: partial hash inversion
partial-image X’ ?
k bits ?
pre-image X
160 bits
hash
image Y
Pair (X’, Y) is k-bit-hard puzzle

20. Puzzle basis: (Cont’d)
Only way to solve puzzle (X’,Y) is brute force method. (hash function is not invertible)
Expected number of steps (hash) to solve puzzle: k / 2 = 2k-1

21. Puzzle construction
Client
Server
Secret S
Service request M

22. Puzzle construction Server computes: hash Puzzle hash secret S time T
request M
hash
Puzzle
pre-image X
hash
image Y

23. Sub-puzzle Construct a puzzle consists of m k-bit-hard sub-puzzles.
Why not use k+logm bit puzzles?
Probability of guessing the right solution is different in these two cases.
Construct a puzzle consists of m k-bit-hard sub-puzzles.
Increase the difficulty of guessing attacks.
Expected number of steps to solve: m×2k-1.

24. Why not use k+logm bit puzzles?
Expected number of trials m×2k-1
But for random guessing attacks, the successful probability
One (k+logm)-bit puzzle
2-(k+logm) (e.g., 2-(k+3))
m k-bit subpuzzles
(2-k)m = 2-km (e.g., 2-8k)

25. Puzzle properties Puzzles are stateless Puzzles are easy to verify
Hardness of puzzles can be carefully controlled
Puzzles use standard cryptographic primitives

26. Client puzzle protocol (normal)
Mi1 : first message of ith execution of protocol M

27. Client puzzle protocol (under attack)
P: puzzle with m sub-puzzles
t: timestamp of puzzle
τ: time to receive solution
T1: valid time of puzzle

28. Where to use client puzzles?

29. Some pros Avoids many flaws in other solutions, e.g.:
Allows for anonymous connections
Does not require PKI
Does not require retries -- even under heavy attack

30. Practical application
Can use client-puzzles without special-purpose software
Key idea: Applet carries puzzle + puzzle-solving code
Where can we apply this?
SSL (Secure Sockets Layer)
Web-based password authentication

31. Conclusions

32. Contributions of paper
Introduces idea of client puzzles for on-the-fly resource access control
Puzzle and protocol description
Rigorous mathematical treatment of security using puzzles -- probabilistic/guessing attack

33. Questions?