1
Client Puzzles: A Cryptographic Defense Against Connection Depletion Attacks
Ari Juels and John Brainard, RSA Laboratories
2
The Problem
3
How to take down a restaurant
(Diagram: Saboteur and Restauranteur)
4
Saboteur vs. Restauranteur
(Diagram: the saboteur phones the restauranteur)
Saboteur: "Table for four at 8 o'clock. Name of Mr. Smith."
Restauranteur: "O.K., Mr. Smith."
5
(Diagram: Saboteur and Restauranteur)
Restauranteur: "No more tables!"
6
An example: TCP SYN flooding
(Diagram: each connection request takes up a slot in the server's buffer)
Client: "TCP connection, please."  Server: "O.K. Please send ack."
Client: "TCP connection, please."  Server: "O.K. Please send ack."
7
- TCP SYN flooding has been deployed in the real world
  - Panix, mid-Sept. 1996 (WSJ, NYT)
  - New York Times, late Sept. 1996
  - Others
- Similar attacks may be mounted against e-mail, SSL, etc.
8
Some defenses against connection depletion
9
Throw away requests
(Diagram: client asks "Hello?" of a server whose buffer is full)
Problem: legitimate clients must keep retrying
10
Request IP tracing (or SYN cookies)
(Diagram: client tells the server "Hi. My name is 10.100.16.126.")
Problems:
- Can be evaded, particularly on, e.g., Ethernet
- Does not allow for proxies, anonymity
11
Digital signatures
(Diagram: client, server, buffer)
Problems:
- Requires carefully regulated PKI
- Does not allow for anonymity
12
Connection timeout
(Diagram: client, server)
Problem: hard to achieve balance between security and latency demands
13
Our solution: client puzzles
14
Intuition
(Diagram: a patron phones the restauranteur)
Patron: "Table for four at 8 o'clock. Name of Mr. Smith."
Restauranteur: "Please solve this puzzle."
Patron: "O.K." ... "???" (solving the puzzle)
Restauranteur: "O.K., Mr. Smith."
15
Intuition
Suppose:
- A puzzle takes an hour to solve
- There are 40 tables in the restaurant
- Reserve at most one day in advance
A legitimate patron can easily reserve a table, but:
16
Intuition
(Diagram: saboteur stuck on a puzzle: "???")
Would-be saboteur has too many puzzles to solve
17
The client puzzle protocol
(Diagram: client, server and server buffer; the puzzle and its solution are exchanged between the request and the O.K.)
Client: "Service request R"
Server: "O.K."
18
What does a puzzle look like?
19
Puzzle basis: partial hash inversion
(Diagram: pre-image X, 160 bits, hashes to image Y; the client receives the partial-image X', which is X with k bits withheld)
Pair (X, Y) is a k-bit-hard puzzle
20
Puzzle construction
(Diagram: client sends service request R to the server, which holds secret S)
21
Puzzle construction
Server computes:
(secret S, time T, request R) --hash--> pre-image X --hash--> image Y
Puzzle: the pair (X, Y), as on slide 19
22
Puzzle properties
- Puzzles are stateless
- Puzzles are easy to verify
- Hardness of puzzles can be carefully controlled
- Puzzles use standard cryptographic primitives
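The construction sketched on slides 19 to 22, as an added worked example (this is not code from the paper or the slides): the server derives X from its secret S, the time T and the request R, hands out Y = H(X) together with X minus k bits, and later verifies a solution with one keyed hash and no stored state. SHA-256 in place of the slide's 160-bit hash, HMAC as the keyed derivation of X, withholding the low k bits of X, and all sample values are assumptions or constructed.

```python
import hmac
import hashlib

# Assumption: SHA-256 stands in for the slide's 160-bit hash; the server
# secret S keys the derivation so only the server can recompute X.
HASH = hashlib.sha256
DIGEST_LEN = 32


def puzzle_preimage(secret: bytes, t: int, request: bytes) -> bytes:
    """X = H(S, T, R): recomputable by the server from S alone, no state kept."""
    return hmac.new(secret, t.to_bytes(8, "big") + request, HASH).digest()


def make_puzzle(secret: bytes, t: int, request: bytes, k: int) -> dict:
    """Server: derive X and Y = H(X), then withhold the low k bits of X (X')."""
    x = puzzle_preimage(secret, t, request)
    y = HASH(x).digest()
    x_partial = (int.from_bytes(x, "big") >> k) << k  # clear the k hidden bits
    return {"t": t, "k": k, "x_partial": x_partial.to_bytes(DIGEST_LEN, "big"), "y": y}


def solve_puzzle(puzzle: dict) -> bytes:
    """Client: try the 2^k completions of X' until one hashes to Y.
    Expected cost is about 2^(k-1) hashes, so k controls hardness directly."""
    base = int.from_bytes(puzzle["x_partial"], "big")
    for guess in range(1 << puzzle["k"]):
        candidate = (base | guess).to_bytes(DIGEST_LEN, "big")
        if HASH(candidate).digest() == puzzle["y"]:
            return candidate
    raise ValueError("malformed puzzle: no completion of X' hashes to Y")


def verify_solution(secret: bytes, t: int, request: bytes, solution: bytes,
                    now: int, max_age: int) -> bool:
    """Server: one keyed hash plus a freshness check; T limits how long a solved
    puzzle stays valid and R binds the solution to this particular request."""
    if t > now or now - t > max_age:
        return False
    return hmac.compare_digest(puzzle_preimage(secret, t, request), solution)


if __name__ == "__main__":
    # Constructed sample values, not taken from the paper.
    S, T, R, K = b"constructed-server-secret", 1_700_000_000, b"service request R", 16
    puzzle = make_puzzle(S, T, R, K)
    answer = solve_puzzle(puzzle)
    print("fresh solution accepted:", verify_solution(S, T, R, answer, T + 2, 30))
    print("stale solution accepted:", verify_solution(S, T, R, answer, T + 120, 30))
```

Raising k by one doubles the client's expected work while the server's cost per verification stays at a single hash, which is the "hardness can be carefully controlled" property of slide 22.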
23
Where to use client puzzles?
24
Some pros
Avoids many flaws in other solutions, e.g.:
- Allows for anonymous connections
- Does not require PKI
- Does not require retries, even under heavy attack
25
Practical application
- Can use client puzzles without special-purpose software
  - Key idea: applet carries puzzle + puzzle-solving code
- Where can we apply this?
  - SSL (Secure Sockets Layer)
  - Web-based password authentication
26
Conclusions
27
Contributions of paper
- Introduces idea of client puzzles for on-the-fly resource access control
- Puzzle and protocol description
- Rigorous mathematical treatment of security using puzzles -- probabilistic/guessing attack
  - Don't really need multiple sub-puzzles as paper suggests
28
Puzzles not new (but client puzzles are)
Puzzles have also been used for:
- Controlling spam (DW94, BGJMM98)
- Auditing server usage (FM97)
- Time capsules (RSW96)
29
More to be done
- How to define a puzzle? Search space vs. sequential workload
- Can puzzle construction be improved?
  - Replace hash with, e.g., reduced-round cipher
- Can puzzles be made to do useful work?
  - Yes. Jakobsson & Juels, "Bread Pudding"
30
Questions?