Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John...
-
Upload
jocelyn-compton -
Category
Documents
-
view
230 -
download
2
Transcript of Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John...
![Page 1: Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.](https://reader035.fdocuments.in/reader035/viewer/2022081414/5513dcbd5503463a298b569c/html5/thumbnails/1.jpg)
Client PuzzlesA Cryptographic Defense Against Connection
Depletion Attacks
Ari Juels and John BrainardRSA Laboratories
![Page 2: Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.](https://reader035.fdocuments.in/reader035/viewer/2022081414/5513dcbd5503463a298b569c/html5/thumbnails/2.jpg)
The Problem
![Page 3: Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.](https://reader035.fdocuments.in/reader035/viewer/2022081414/5513dcbd5503463a298b569c/html5/thumbnails/3.jpg)
How to take down a restaurant
Saboteur
Restauranteur
![Page 4: Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.](https://reader035.fdocuments.in/reader035/viewer/2022081414/5513dcbd5503463a298b569c/html5/thumbnails/4.jpg)
Saboteur vs. Restauranteur
Saboteur
Restauranteur
Table for fourat 8 o’clock. Name of Mr. Smith.
O.K.,Mr. Smith
![Page 5: Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.](https://reader035.fdocuments.in/reader035/viewer/2022081414/5513dcbd5503463a298b569c/html5/thumbnails/5.jpg)
Saboteur
Restauranteur
No More Tables!
![Page 6: Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.](https://reader035.fdocuments.in/reader035/viewer/2022081414/5513dcbd5503463a298b569c/html5/thumbnails/6.jpg)
An example: TCP SYN flooding
“TCP connection, please.”
“O.K. Please send ack.”
“TCP connection, please.”
“O.K. Please send ack.”
Buffer
![Page 7: Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.](https://reader035.fdocuments.in/reader035/viewer/2022081414/5513dcbd5503463a298b569c/html5/thumbnails/7.jpg)
TCP SYN flooding has been deployed in
the real world– Panix, mid-Sept. 1996 (WSJ, NYT)– New York Times, late Sept. 1996– Others
Similar attacks may be mounted against e-mail, SSL, etc.
![Page 8: Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.](https://reader035.fdocuments.in/reader035/viewer/2022081414/5513dcbd5503463a298b569c/html5/thumbnails/8.jpg)
Some defenses against connection depletion
![Page 9: Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.](https://reader035.fdocuments.in/reader035/viewer/2022081414/5513dcbd5503463a298b569c/html5/thumbnails/9.jpg)
Throw away requests
Buffer
Server
Problem: Legitimate clients must keep retrying
Client
“Hello?”
“Hello?”
“Hello?”
![Page 10: Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.](https://reader035.fdocuments.in/reader035/viewer/2022081414/5513dcbd5503463a298b569c/html5/thumbnails/10.jpg)
Request
IP Tracing (or Syncookies)
Buffer
Server
•Can be evaded, particularly on, e.g., Ethernet•Does not allow for proxies, anonymity
Problems:
Client
Hi. My name is 10.100.16.126.
![Page 11: Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.](https://reader035.fdocuments.in/reader035/viewer/2022081414/5513dcbd5503463a298b569c/html5/thumbnails/11.jpg)
Digital signatures
Buffer
Server
•Requires carefully regulated PKI•Does not allow for anonymity
Problems:
Client
![Page 12: Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.](https://reader035.fdocuments.in/reader035/viewer/2022081414/5513dcbd5503463a298b569c/html5/thumbnails/12.jpg)
Connection timeout
Problem: Hard to achieve balance between security and latency demands
Server
Client
![Page 13: Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.](https://reader035.fdocuments.in/reader035/viewer/2022081414/5513dcbd5503463a298b569c/html5/thumbnails/13.jpg)
Our solution: client puzzles
![Page 14: Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.](https://reader035.fdocuments.in/reader035/viewer/2022081414/5513dcbd5503463a298b569c/html5/thumbnails/14.jpg)
Intuition
Restauranteur
Table for fourat 8 o’clock. Name of Mr. Smith.
Please solve thispuzzle.O.K.,
Mr. SmithO.K.
???
![Page 15: Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.](https://reader035.fdocuments.in/reader035/viewer/2022081414/5513dcbd5503463a298b569c/html5/thumbnails/15.jpg)
A puzzle takes an hour to solve There are 40 tables in restaurant Reserve at most one day in advance
Intuition
A legitimate patron can easily reserve a table,but:
Suppose:
![Page 16: Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.](https://reader035.fdocuments.in/reader035/viewer/2022081414/5513dcbd5503463a298b569c/html5/thumbnails/16.jpg)
Intuition
???
??????
???
???
???
Would-be saboteur has too many puzzles to solve
![Page 17: Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.](https://reader035.fdocuments.in/reader035/viewer/2022081414/5513dcbd5503463a298b569c/html5/thumbnails/17.jpg)
The client puzzle protocol
Buffer
ServerClientService request R
O.K.
![Page 18: Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.](https://reader035.fdocuments.in/reader035/viewer/2022081414/5513dcbd5503463a298b569c/html5/thumbnails/18.jpg)
What does a puzzle look like?
![Page 19: Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.](https://reader035.fdocuments.in/reader035/viewer/2022081414/5513dcbd5503463a298b569c/html5/thumbnails/19.jpg)
hash
image Y
Puzzle basis: partial hash inversion
pre-image X160 bits
?
Pair (X’, Y) is k-bit-hard puzzle
partial-image X’ ?k bits
![Page 20: Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.](https://reader035.fdocuments.in/reader035/viewer/2022081414/5513dcbd5503463a298b569c/html5/thumbnails/20.jpg)
Puzzle construction
Client
Service request R
Server
Secret S
![Page 21: Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.](https://reader035.fdocuments.in/reader035/viewer/2022081414/5513dcbd5503463a298b569c/html5/thumbnails/21.jpg)
Puzzle constructionServer computes:
secret S time T request R
hash
pre-image X
hash
image Y
Puzzle
![Page 22: Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.](https://reader035.fdocuments.in/reader035/viewer/2022081414/5513dcbd5503463a298b569c/html5/thumbnails/22.jpg)
Puzzle properties
Puzzles are stateless Puzzles are easy to verify Hardness of puzzles can be carefully
controlled Puzzles use standard cryptographic
primitives
![Page 23: Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.](https://reader035.fdocuments.in/reader035/viewer/2022081414/5513dcbd5503463a298b569c/html5/thumbnails/23.jpg)
Where to use client puzzles?
![Page 24: Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.](https://reader035.fdocuments.in/reader035/viewer/2022081414/5513dcbd5503463a298b569c/html5/thumbnails/24.jpg)
Some pros
Avoids many flaws in other solutions, e.g.:
Allows for anonymous connections Does not require PKI Does not require retries -- even under heavy attack
![Page 25: Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.](https://reader035.fdocuments.in/reader035/viewer/2022081414/5513dcbd5503463a298b569c/html5/thumbnails/25.jpg)
Practical application Can use client-puzzles without special-purpose software
– Key idea: Applet carries puzzle + puzzle-solving code
Where can we apply this?– SSL (Secure Sockets Layer)– Web-based password authentication
![Page 26: Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.](https://reader035.fdocuments.in/reader035/viewer/2022081414/5513dcbd5503463a298b569c/html5/thumbnails/26.jpg)
Conclusions
![Page 27: Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.](https://reader035.fdocuments.in/reader035/viewer/2022081414/5513dcbd5503463a298b569c/html5/thumbnails/27.jpg)
Puzzle and protocol description Rigorous mathematical treatment of security using puzzles -- probabilistic/guessing
attack– Don’t really need multiple sub-puzzles as paper suggests
Too
Contributions of paper Introduces idea of client puzzles for on-
the-fly resource access control
![Page 28: Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.](https://reader035.fdocuments.in/reader035/viewer/2022081414/5513dcbd5503463a298b569c/html5/thumbnails/28.jpg)
Puzzles not new (but client-puzzles are)
Puzzles have also been used for:– Controlling spam (DW94, BGJMM98)– Auditing server usage (FM97)– Time capsules (RSW96)
![Page 29: Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.](https://reader035.fdocuments.in/reader035/viewer/2022081414/5513dcbd5503463a298b569c/html5/thumbnails/29.jpg)
How to define a puzzle? Search space vs. sequential workload
Can puzzle construction be improved?
More to be done
– Replace hash with, e.g., reduced-round cipher
Can puzzles be made to do useful work?– Yes. Jakobsson & Juels “Bread Pudding”
![Page 30: Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.](https://reader035.fdocuments.in/reader035/viewer/2022081414/5513dcbd5503463a298b569c/html5/thumbnails/30.jpg)
Questions?