Presentation is loading. Please wait.

Presentation is loading. Please wait.

CIS 4930/6930 – Privacy-Preserving and Trustworthy Cyber-Systems Dr

Published byEsko Viljo Siitonen Modified over 5 years ago

Similar presentations

Presentation on theme: "CIS 4930/6930 – Privacy-Preserving and Trustworthy Cyber-Systems Dr"— Presentation transcript:

1 CIS 4930/6930 – Privacy-Preserving and Trustworthy Cyber-Systems Dr
CIS 4930/6930 – Privacy-Preserving and Trustworthy Cyber-Systems Dr. Attila Altay Yavuz Counter Denial of Service Client-Server Puzzles Credits: Dr. Peng Ning and Dr. Adrian Perrig Dr. Attila A. Yavuz

2 Client Puzzles The problem being addressed Three basic constructions
Denial of Service (DoS) attacks Three basic constructions Use pre-image of crypto hash functions Use special image of crypto hash functions

3 An Example Scenario: TCP SYN Flooding
“TCP connection, please.” “TCP connection, please.” “O.K. Please send ack.” “O.K. Please send ack.” Buffer

4 Client Puzzle: Intuition
??? O.K. Please solve this puzzle. Table for four at 8 o’clock. Name of Mr. Smith. O.K., Mr. Smith Restauranteur

5 Client Puzzle: Intuition
A puzzle takes an hour to solve There are 40 tables in restaurant Reserve at most one day in advance A legitimate patron can easily reserve a table

6 Client Puzzle: Intuition
??? An attacker has to reserve many tables to have a real impact  too many puzzles to solve

7 The Client Puzzle Protocol
Service request M Server Client Buffer O.K.

8 Puzzle Properties Puzzles are stateless Puzzles are easy to verify
Hardness of puzzles can be carefully controlled Puzzles use standard cryptographic primitives

9 Puzzle Basis (Cont’d) Cryptographic hash functions (e.g., HMAC)
Only way to solve puzzle (X’,Y) is brute force method. (hash function is not invertible) Expected number of steps (hash) to solve puzzle: k / 2 = 2k-1

10 Puzzle Basis: Partial Hash Image
partial-image X’ ? k bits ? pre-image X 160 bits hash image Y Pair (X’, Y) is k-bit-hard puzzle

11 Puzzle Construction Client Server Secret S Service request M

12 Puzzle Construction Server computes: hash Puzzle hash secret S time T
request M hash Puzzle pre-image X hash image Y

13 Sub-puzzle Construct a puzzle consisting of m k-bit-hard sub-puzzles.
Why not use k+logm bit puzzles? Probability of guessing the right solution is different in these two cases. Construct a puzzle consisting of m k-bit-hard sub-puzzles. Increase the difficulty of guessing attacks. Expected number of steps to solve (invert): m×2k-1.

14 Why not use k+logm bit puzzles?
Expected number of trials to invert m×2k-1 But for random guessing attacks, the successful probability One (k+logm)-bit puzzle 2-(k+logm) (e.g., 2-(k+3)) m k-bit subpuzzles (2-k)m = 2-km (e.g., 2-8k)

15 Puzzle Properties Puzzles are stateless Puzzles are easy to verify
Hardness of puzzles can be carefully controlled Puzzles use standard cryptographic primitives

16 A Possible Way to use Client Puzzle
Client puzzle protocol (normal situation) Mi1 : first message of i-th execution of protocol M

17 A Possible Way to use Client Puzzle
Client puzzle protocol (under attack)

18 New Requirements from the Puzzle
Preserve the previous properties The same puzzle can be given to several clients Knowing solution for a client should not help the other (e.g., the adversary) to find another solution Broadcast puzzles! Not one-to-one connection required to initiate. The server should be able to pre-compute the broadcast puzzles. Even faster at online stage Previous: M hash operations per-client (1-1), A client can re-use the same broadcast puzzle to create multiple solutions, multiple access tickets

19 Puzzle Construction S  All clients (broadcast): Digitally sign: k, Ts, NS Client C  S: C, NS, NC, X S: verify h(C, NS, NC, X) has k leading zero’s

Download ppt "CIS 4930/6930 – Privacy-Preserving and Trustworthy Cyber-Systems Dr"

Similar presentations

Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.

Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.
Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Most of slides come from Ari Juels and John Brainard RSA Laboratories.

Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Most of slides come from Ari Juels and John Brainard RSA Laboratories.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 4.2 BiBa.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 4.2 BiBa.
CSC 774 Advanced Network Security

CSC 774 Advanced Network Security
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
CSC 774 Advanced Network Security

CSC 774 Advanced Network Security
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Hash-based Primitives Credits: Dr. Peng Ning and Dr. Adrian Perrig.

The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Hash-based Primitives Credits: Dr. Peng Ning and Dr. Adrian Perrig.
Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.

Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.
بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.

بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.
SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.

SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.
Overview of Cryptography Anupam Datta CMU Fall 2007-08 18739A: Foundations of Security and Privacy.

Overview of Cryptography Anupam Datta CMU Fall A: Foundations of Security and Privacy.
Security 2 Distributed Systems Lecture# 15. Overview Cryptography Symmetric Assymeteric Digital Signature Secure Digest Functions Authentication.

Security 2 Distributed Systems Lecture# 15. Overview Cryptography Symmetric Assymeteric Digital Signature Secure Digest Functions Authentication.
1 Message Authentication and Hash Functions Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of.

1 Message Authentication and Hash Functions Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Mitigating DoS Attacks against Broadcast Authentication in Wireless Sensor Networks Peng Ning, An Liu North Carolina State University and Wenliang Du Syracuse.

Mitigating DoS Attacks against Broadcast Authentication in Wireless Sensor Networks Peng Ning, An Liu North Carolina State University and Wenliang Du Syracuse.
Socket Lab Info. Computer Network. Requirement Use TCP socket to implement a pair of programs, containing a server and a client. The server program shall.

Socket Lab Info. Computer Network. Requirement Use TCP socket to implement a pair of programs, containing a server and a client. The server program shall.
Authentication and Authorization Authentication is the process of verifying a principal’s identity (but how to define “identity”?) –Who the person is –Or,

Authentication and Authorization Authentication is the process of verifying a principal’s identity (but how to define “identity”?) –Who the person is –Or,
Protecting Web Servers from Content Request Floods Srikanth Kandula ▪ Shantanu Sinha ▪ Dina Katabi ▪ Matthias Jacob CSAIL –MIT.

Protecting Web Servers from Content Request Floods Srikanth Kandula ▪ Shantanu Sinha ▪ Dina Katabi ▪ Matthias Jacob CSAIL –MIT.

Similar presentations

Ads by Google