Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories

The Problem

How to take down a restaurant Saboteur Restauranteur

Saboteur vs. Restauranteur Saboteur Restauranteur Table for four at 8 oclock. Name of Mr. Smith. O.K., Mr. Smith

Saboteur Restauranteur No More Tables!

An example: TCP SYN flooding TCP connection, please. O.K. Please send ack. TCP connection, please. O.K. Please send ack. Buffer

u TCP SYN flooding has been deployed in the real world –Panix, mid-Sept (WSJ, NYT) –New York Times, late Sept –Others Similar attacks may be mounted against , SSL, etc.

Some defenses against connection depletion

Throw away requests Buffer Server Problem: Legitimate clients must keep retrying Client Hello?

Request IP Tracing (or Syncookies) Buffer Server Can be evaded, particularly on, e.g., Ethernet Does not allow for proxies, anonymity Problems: Client Hi. My name is

Digital signatures Buffer Server Requires carefully regulated PKI Does not allow for anonymity Problems: Client

Connection timeout Problem: Hard to achieve balance between security and latency demands Server Client

Our solution: client puzzles

Intuition Restauranteur Table for four at 8 oclock. Name of Mr. Smith. Please solve this puzzle. O.K., Mr. Smith O.K. ???

u A puzzle takes an hour to solve u There are 40 tables in restaurant u Reserve at most one day in advance Intuition A legitimate patron can easily reserve a table, but: Suppose:

Intuition ??? Would-be saboteur has too many puzzles to solve

The client puzzle protocol Buffer Server Client Service request R O.K.

What does a puzzle look like?

hash image Y Puzzle basis: partial hash inversion pre-image X 160 bits ? Pair (X, Y) is k-bit-hard puzzle partial-image X ? k bits

Puzzle construction Client Service request R Server Secret S

Puzzle construction Server computes: secret S time T request R hash pre-image X hash image Y Puzzle

Puzzle properties u Puzzles are stateless u Puzzles are easy to verify u Hardness of puzzles can be carefully controlled u Puzzles use standard cryptographic primitives

Where to use client puzzles?

Some pros Avoids many flaws in other solutions, e.g.: u Allows for anonymous connections u Does not require PKI u Does not require retries -- even under heavy attack

Practical application u Can use client-puzzles without special- purpose software –Key idea: Applet carries puzzle + puzzle- solving code u Where can we apply this? –SSL (Secure Sockets Layer) –Web-based password authentication

Conclusions

u Puzzle and protocol description u Rigorous mathematical treatment of security using puzzles -- probabilistic/guessing attack –Dont really need multiple sub-puzzles as paper suggests Too Contributions of paper u Introduces idea of client puzzles for on- the-fly resource access control

Puzzles not new (but client-puzzles are) u Puzzles have also been used for: –Controlling spam (DW94, BGJMM98) –Auditing server usage (FM97) –Time capsules (RSW96)

u How to define a puzzle? Search space vs. sequential workload u Can puzzle construction be improved? More to be done –Replace hash with, e.g., reduced-round cipher u Can puzzles be made to do useful work? –Yes. Jakobsson & Juels Bread Pudding

Questions?