Download presentation
Presentation is loading. Please wait.
Published byGaston Larocque Modified over 6 years ago
1
A Cryptographic Defense Against Connection Depletion Attacks
Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Most of slides come from Ari Juels and John Brainard RSA Laboratories
2
The Problem
3
How to take down a restaurant
Restauranteur Saboteur
4
Saboteur vs. Restauranteur
Table for four at 8 o’clock. Name of Mr. Smith. O.K., Mr. Smith Restauranteur Saboteur Saboteur vs. Restauranteur
5
Restauranteur No More Tables! Saboteur
6
An example: TCP SYN flooding
“TCP connection, please.” “TCP connection, please.” “O.K. Please send ack.” “O.K. Please send ack.” Buffer
7
TCP SYN flooding has been deployed in the real world
Panix, mid-Sept. 1996 New York Times, late Sept. 1996 Others Similar attacks may be mounted against , SSL, etc.
8
Some defenses against connection depletion
9
Throw away requests Server Client “Hello?” Buffer
Problem: Legitimate clients must keep retrying
10
IP Tracing (or Syncookies)
Hi. My name is Buffer Server Client Request Problems: Can be evaded, particularly on, e.g., Ethernet Does not allow for proxies, anonymity
11
Digital signatures Server Client Buffer Problems:
Requires carefully regulated PKI Does not allow for anonymity
12
Connection timeout Server Client
Problem: Hard to achieve balance between security and latency demands
13
Our solution: client puzzles
14
Intuition ??? O.K., O.K. Mr. Smith Please solve this Table for four
puzzle. Table for four at 8 o’clock. Name of Mr. Smith. O.K., Mr. Smith O.K. Restauranteur
15
A legitimate patron can easily reserve a table
Intuition Suppose: A puzzle takes an hour to solve There are 40 tables in restaurant Reserve at most one day in advance A legitimate patron can easily reserve a table
16
Intuition ??? Would-be saboteur has too many puzzles to solve
17
The client puzzle protocol
Service request M Server Client Buffer O.K.
18
What does a puzzle look like?
19
Puzzle basis: partial hash inversion
partial-image X’ ? k bits ? pre-image X 160 bits hash image Y Pair (X’, Y) is k-bit-hard puzzle
20
Puzzle basis: (Cont’d)
Only way to solve puzzle (X’,Y) is brute force method. (hash function is not invertible) Expected number of steps (hash) to solve puzzle: k / 2 = 2k-1
21
Puzzle construction Client Server Secret S Service request M
22
Puzzle construction Server computes: hash Puzzle hash secret S time T
request M hash Puzzle pre-image X hash image Y
23
Sub-puzzle Construct a puzzle consists of m k-bit-hard sub-puzzles.
Why not use k+logm bit puzzles? Probability of guessing the right solution is different in these two cases. Construct a puzzle consists of m k-bit-hard sub-puzzles. Increase the difficulty of guessing attacks. Expected number of steps to solve: m×2k-1.
24
Why not use k+logm bit puzzles?
Expected number of trials m×2k-1 But for random guessing attacks, the successful probability One (k+logm)-bit puzzle 2-(k+logm) (e.g., 2-(k+3)) m k-bit subpuzzles (2-k)m = 2-km (e.g., 2-8k)
25
Puzzle properties Puzzles are stateless Puzzles are easy to verify
Hardness of puzzles can be carefully controlled Puzzles use standard cryptographic primitives
26
Client puzzle protocol (normal)
Mi1 : first message of ith execution of protocol M
27
Client puzzle protocol (under attack)
P: puzzle with m sub-puzzles t: timestamp of puzzle τ: time to receive solution T1: valid time of puzzle
28
Where to use client puzzles?
29
Some pros Avoids many flaws in other solutions, e.g.:
Allows for anonymous connections Does not require PKI Does not require retries -- even under heavy attack
30
Practical application
Can use client-puzzles without special-purpose software Key idea: Applet carries puzzle + puzzle-solving code Where can we apply this? SSL (Secure Sockets Layer) Web-based password authentication
31
Conclusions
32
Contributions of paper
Introduces idea of client puzzles for on-the-fly resource access control Puzzle and protocol description Rigorous mathematical treatment of security using puzzles -- probabilistic/guessing attack
33
Questions?
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.