300 likes | 462 Views
Client Puzzles. A Cryptographic Defense Against Connection Depletion Attacks. Ari Juels and John Brainard RSA Laboratories. The Problem. How to take down a restaurant. Restauranteur. Saboteur. O.K., Mr. Smith. Table for four at 8 o ’ clock. Name of Mr. Smith.
E N D
Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories
How to take down a restaurant Restauranteur Saboteur
O.K., Mr. Smith Table for four at 8 o’clock. Name of Mr. Smith. Saboteur vs. Restauranteur Restauranteur Saboteur
Restauranteur No More Tables! Saboteur
“TCP connection, please.” “TCP connection, please.” “O.K. Please send ack.” “O.K. Please send ack.” An example: TCP SYN flooding Buffer
TCP SYN flooding has been deployed in the real world • Panix, mid-Sept. 1996 (WSJ, NYT) • New York Times, late Sept. 1996 • Others • Similar attacks may be mounted against e-mail, SSL, etc.
Client “Hello?” “Hello?” “Hello?” Throw away requests Server Buffer Problem: Legitimate clients must keep retrying
Server Hi. My name is 10.100.16.126. Buffer IP Tracing (or Syncookies) Client Request Problems: • Can be evaded, particularly on, e.g., Ethernet • Does not allow for proxies, anonymity
Server Client Buffer Digital signatures Problems: • Requires carefully regulated PKI • Does not allow for anonymity
Client Connection timeout Server • Problem: Hard to achieve balance between security • and latency demands
O.K., Mr. Smith O.K. Table for four at 8 o’clock. Name of Mr. Smith. Please solve this puzzle. ??? Intuition Restauranteur
Intuition Suppose: • A puzzle takes an hour to solve • There are 40 tables in restaurant • Reserve at most one day in advance A legitimate patron can easily reserve a table, but:
Intuition ??? ??? ??? ??? ??? ??? Would-be saboteur has too many puzzles to solve
Client Service requestR O.K. The client puzzle protocol Server Buffer
Puzzle basis: partial hash inversion pre-image X k bits ? partial-imageX’ hash ? image Y 160 bits Pair (X’, Y) is k-bit-hard puzzle
Puzzle construction Server Client Service requestR Secret S
Puzzle construction Puzzle Server computes: secretS timeT requestR hash pre-imageX hash imageY
Puzzle properties • Puzzles are stateless • Puzzles are easy to verify • Hardness of puzzles can be carefully controlled • Puzzles use standard cryptographic primitives
Some pros Avoids many flaws in other solutions, e.g.: • Allows for anonymous connections • Does not require PKI • Does not require retries -- even under heavy attack
Practical application • Can use client-puzzles without special-purpose software • Key idea: Applet carries puzzle + puzzle-solving code • Where can we apply this? • SSL (Secure Sockets Layer) • Web-based password authentication
Too Contributions of paper • Introduces idea of client puzzles for on-the-fly resource access control • Puzzle and protocol description • Rigorous mathematical treatment of security using puzzles -- probabilistic/guessing attack • Don’t really need multiple sub-puzzles as paper suggests
Puzzles not new (but client-puzzles are) • Puzzles have also been used for: • Controlling spam (DW94, BGJMM98) • Auditing server usage (FM97) • Time capsules (RSW96)
Replace hash with, e.g., reduced-round cipher More to be done • How to define a puzzle? Search space vs. sequential workload • Can puzzle construction be improved? • Can puzzles be made to do useful work? • Yes. Jakobsson & Juels “Bread Pudding”