Protecting the Web with Transparent Proof-of-Work

NSF Cyber Trust Principal Investigators Meeting
March 16-18, 2008, New Haven, CT

Wu-chang Feng, Tom Shrimpton, Ed Kaiser (student)
{wuchang,teshrim,edkaiser}@cs.pdx.edu

New approach
• Proof-of-Work without protocol changes
• Dynamic embedding of PoW into URLs

1. Problem: Attacks on the Web
• Comment spam
• Distributed Denial-of-Service
• Ticket purchasing robots
• Click fraud

2. CAPTCHA to the rescue?
Problem #1: Inaccessible
Problem #2: Economics broken
• Fixed human workload
• Outsourced for under $0.01 per CAPTCHA (Mechanical Turk, getafreelancer.com)
Problem #3: Hackers are solving the hard AI problem
• Yahoo! CAPTCHA broken 1/16/2008 (http://network-security-research.blogspot.com/)
• Windows Live and Google CAPTCHAs broken 2/6/2008, 2/22/2008 (http://www.websense.com/securitylabs/blog/)
• Many others

3. What about Proof-of-Work (PoW)?
Addresses Problem #1: No user-interface issues
Addresses Problem #2: Variable workload
Addresses Problem #3: Hard cryptographic problem
Q: Why is the landscape littered with unused PoW protocols? (Hashcash, TLS puzzles, TCP puzzles, IP puzzles, Public work)
A: PoW requires protocol changes and universal deployment; CAPTCHAs do not!

4. mod_kaPoW
Apache module for embedding PoW challenges into URLs
• Leverage ubiquitous JavaScript support to deploy PoW
• Server dynamically embeds PoWs in embedded URLs
• Client-side JavaScript solver must calculate answers for access
• No network protocol changes
• No web browser changes
• No web server content changes

5. Example
[Figure: Clients and a Web Server running mod_kaPoW. Labelled paths: URL w/ valid PoW → Content; URL w/ invalid PoW → Error Page; Solution Scripts.]

Research Impact
• Deployable alternative to CAPTCHAs
• New weapon against today's web attacks

6. Implementation
JavaScript solver (kaPoW.js)
• "onLoad" event handler to solve PoW challenges for embedded images
• "onClick" event handler to solve challenges for embedded links
• Solve routine finds a value A such that
  $\mathrm{SHA1}(N_C \,\|\, \mathrm{URL} \,\|\, A) \equiv 0 \pmod{D_C}$
  where $D_C$ is the client-specific, server-assigned difficulty and $N_C$ is the client-specific, server-generated nonce
mod_kaPoW Apache module

7. Thwarting DoS

8. Future work
Policy module for setting per-client $D_C$
• Client history
• Client reputation
• Client location
• Request type
• Resource requested
Adding to applications
• Forums (phpBB)
• Wikis (MediaWiki)
• Blogs (WordPress, Slashcode)
• Web 2.0 / AJAX
Economic analysis
• What is the cost of idle CPU cycles?
• Markets based on CPU cycles

9. Availability
Demo site: http://kapow.cs.pdx.edu
Non-commercial source release: in progress

10. Publications
E. Andreeva, G. Neven, B. Preneel, T. Shrimpton, "Seven-Property Preserving Iterated Hashing: ROX", ASIACRYPT 2007.
T. Ristenpart, T. Shrimpton, "How to Build a Hash Function From Any Collision-Resistant Function", ASIACRYPT 2007.
W. Feng, E. Kaiser, "The Case for Public Work", Global Internet 2007.
E. Kaiser, W. Feng, "mod_kaPoW: Protecting the Web with Transparent Proof-of-Work", in submission.

