Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Most of slides come from Ari Juels and John Brainard RSA Laboratories

The Problem

How to take down a restaurant Saboteur Restauranteur

Saboteur vs. Restauranteur Saboteur Restauranteur Table for four at 8 oclock. Name of Mr. Smith. O.K., Mr. Smith

Saboteur Restauranteur No More Tables!

An example: TCP SYN flooding TCP connection, please. O.K. Please send ack. TCP connection, please. O.K. Please send ack. Buffer

u TCP SYN flooding has been deployed in the real world –Panix, mid-Sept –New York Times, late Sept –Others Similar attacks may be mounted against , SSL, etc.

Some defenses against connection depletion

Throw away requests Buffer Server Problem: Legitimate clients must keep retrying Client Hello?

Request IP Tracing (or Syncookies) Buffer Server Can be evaded, particularly on, e.g., Ethernet Does not allow for proxies, anonymity Problems: Client Hi. My name is

Digital signatures Buffer Server Requires carefully regulated PKI Does not allow for anonymity Problems: Client

Connection timeout Problem: Hard to achieve balance between security and latency demands Server Client

Our solution: client puzzles

Intuition Restauranteur Table for four at 8 oclock. Name of Mr. Smith. Please solve this puzzle. O.K., Mr. Smith O.K. ???

u A puzzle takes an hour to solve u There are 40 tables in restaurant u Reserve at most one day in advance Intuition A legitimate patron can easily reserve a table Suppose:

Intuition ??? Would-be saboteur has too many puzzles to solve

The client puzzle protocol Buffer Server Client Service request M O.K.

What does a puzzle look like?

hash image Y Puzzle basis: partial hash inversion pre-image X 160 bits ? Pair (X, Y) is k-bit-hard puzzle partial-image X ? k bits

Puzzle basis: (Contd) u Only way to solve puzzle (X,Y) is brute force method. (hash function is not invertible) u Expected number of steps (hash) to solve puzzle: 2 k / 2 = 2 k-1

Puzzle construction Client Service request M Server Secret S

Puzzle construction Server computes: secret S time T request M hash pre-image X hash image Y Puzzle

Sub-puzzle u Construct a puzzle consists of m k-bit-hard sub- puzzles. u Increase the difficulty of guessing attacks. u Expected number of steps to solve: m×2 k-1.

Why not use k+logm bit puzzles? u (k+logm)-bit puzzle –Expected number of trials m×2 k-1 u But for random guessing attacks, the successful probability –One (k+logm)-bit puzzle v 2 -(k+logm) (e.g., 2 -(k+3) ) –m k-bit subpuzzles v (2 -k ) m = 2 -km (e.g., 2 -8k )

Puzzle properties u Puzzles are stateless u Puzzles are easy to verify u Hardness of puzzles can be carefully controlled u Puzzles use standard cryptographic primitives

Client puzzle protocol (normal) M i 1 : first message of ith execution of protocol M

Client puzzle protocol (under attack) P: puzzle with m sub-puzzles t: timestamp of puzzle τ: time to receive solution T 1 : valid time of puzzle

Where to use client puzzles?

Some pros Avoids many flaws in other solutions, e.g.: u Allows for anonymous connections u Does not require PKI u Does not require retries -- even under heavy attack

Practical application u Can use client-puzzles without special- purpose software –Key idea: Applet carries puzzle + puzzle- solving code u Where can we apply this? –SSL (Secure Sockets Layer) –Web-based password authentication

Conclusions

u Puzzle and protocol description u Rigorous mathematical treatment of security using puzzles -- probabilistic/guessing attack Contributions of paper u Introduces idea of client puzzles for on- the-fly resource access control

Questions?