Presentation is loading. Please wait.

Presentation is loading. Please wait.

Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Most of slides come from Ari Juels and John Brainard RSA Laboratories.

Published byStacey Parfitt Modified over 10 years ago

Similar presentations

Presentation on theme: "Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Most of slides come from Ari Juels and John Brainard RSA Laboratories."— Presentation transcript:

1 Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Most of slides come from Ari Juels and John Brainard RSA Laboratories

2 The Problem

3 How to take down a restaurant Saboteur Restauranteur

4 Saboteur vs. Restauranteur Saboteur Restauranteur Table for four at 8 oclock. Name of Mr. Smith. O.K., Mr. Smith

5 Saboteur Restauranteur No More Tables!

6 An example: TCP SYN flooding TCP connection, please. O.K. Please send ack. TCP connection, please. O.K. Please send ack. Buffer

7 u TCP SYN flooding has been deployed in the real world –Panix, mid-Sept. 1996 –New York Times, late Sept. 1996 –Others Similar attacks may be mounted against e-mail, SSL, etc.

8 Some defenses against connection depletion

9 Throw away requests Buffer Server Problem: Legitimate clients must keep retrying Client Hello?

10 Request IP Tracing (or Syncookies) Buffer Server Can be evaded, particularly on, e.g., Ethernet Does not allow for proxies, anonymity Problems: Client Hi. My name is 10.100.16.126.

11 Digital signatures Buffer Server Requires carefully regulated PKI Does not allow for anonymity Problems: Client

12 Connection timeout Problem: Hard to achieve balance between security and latency demands Server Client

13 Our solution: client puzzles

14 Intuition Restauranteur Table for four at 8 oclock. Name of Mr. Smith. Please solve this puzzle. O.K., Mr. Smith O.K. ???

15 u A puzzle takes an hour to solve u There are 40 tables in restaurant u Reserve at most one day in advance Intuition A legitimate patron can easily reserve a table Suppose:

16 Intuition ??? Would-be saboteur has too many puzzles to solve

17 The client puzzle protocol Buffer Server Client Service request M O.K.

18 What does a puzzle look like?

19 hash image Y Puzzle basis: partial hash inversion pre-image X 160 bits ? Pair (X, Y) is k-bit-hard puzzle partial-image X ? k bits

20 Puzzle basis: (Contd) u Only way to solve puzzle (X,Y) is brute force method. (hash function is not invertible) u Expected number of steps (hash) to solve puzzle: 2 k / 2 = 2 k-1

21 Puzzle construction Client Service request M Server Secret S

22 Puzzle construction Server computes: secret S time T request M hash pre-image X hash image Y Puzzle

23 Sub-puzzle u Construct a puzzle consists of m k-bit-hard sub- puzzles. u Increase the difficulty of guessing attacks. u Expected number of steps to solve: m×2 k-1.

24 Why not use k+logm bit puzzles? u (k+logm)-bit puzzle –Expected number of trials m×2 k-1 u But for random guessing attacks, the successful probability –One (k+logm)-bit puzzle v 2 -(k+logm) (e.g., 2 -(k+3) ) –m k-bit subpuzzles v (2 -k ) m = 2 -km (e.g., 2 -8k )

25 Puzzle properties u Puzzles are stateless u Puzzles are easy to verify u Hardness of puzzles can be carefully controlled u Puzzles use standard cryptographic primitives

26 Client puzzle protocol (normal) M i 1 : first message of ith execution of protocol M

27 Client puzzle protocol (under attack) P: puzzle with m sub-puzzles t: timestamp of puzzle τ: time to receive solution T 1 : valid time of puzzle

28 Where to use client puzzles?

29 Some pros Avoids many flaws in other solutions, e.g.: u Allows for anonymous connections u Does not require PKI u Does not require retries -- even under heavy attack

30 Practical application u Can use client-puzzles without special- purpose software –Key idea: Applet carries puzzle + puzzle- solving code u Where can we apply this? –SSL (Secure Sockets Layer) –Web-based password authentication

31 Conclusions

32 u Puzzle and protocol description u Rigorous mathematical treatment of security using puzzles -- probabilistic/guessing attack Contributions of paper u Introduces idea of client puzzles for on- the-fly resource access control

33 Questions?

Download ppt "Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Most of slides come from Ari Juels and John Brainard RSA Laboratories."

Similar presentations

Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.

Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.
Security and Privacy over the Internet Chan Hing Wing, Anthony Mphil Yr. 1, CSE, CUHK Oct 19, 1998.

Security and Privacy over the Internet Chan Hing Wing, Anthony Mphil Yr. 1, CSE, CUHK Oct 19, 1998.
CSC 774 Advanced Network Security

CSC 774 Advanced Network Security
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
CSC 774 Advanced Network Security

CSC 774 Advanced Network Security
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.

Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.
Internet Security Protocols

Internet Security Protocols
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.

More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Class on Security Raghu. Current state of Security Cracks appear all the time Band Aid solutions Applications are not designed properly OS designs are.

Class on Security Raghu. Current state of Security Cracks appear all the time Band Aid solutions Applications are not designed properly OS designs are.
Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.

Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.

Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.

SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.
Overview of Cryptography Anupam Datta CMU Fall 2007-08 18739A: Foundations of Security and Privacy.

Overview of Cryptography Anupam Datta CMU Fall A: Foundations of Security and Privacy.
A New Two-Server Approach for Authentication with Short Secrets John Brainard, Ari Juels,Burt Kaliski and Michael Szydlo RSA Laboratories To appear in.

A New Two-Server Approach for Authentication with Short Secrets John Brainard, Ari Juels,Burt Kaliski and Michael Szydlo RSA Laboratories To appear in.
Kill-Bots: Surviving DDoS Attacks That Mimic Legitimate Browsing Srikanth Kandula Dina Katabi, Matthias Jacob, and Arthur Berger.

Kill-Bots: Surviving DDoS Attacks That Mimic Legitimate Browsing Srikanth Kandula Dina Katabi, Matthias Jacob, and Arthur Berger.

Similar presentations

Ads by Google