1 / 32

Client Puzzles

Client Puzzles. A Cryptographic Defense Against Connection Depletion Attacks. Most of slides come from Ari Juels and John Brainard RSA Laboratories. The Problem. How to take down a restaurant. Restauranteur. Saboteur. O.K., Mr. Smith. Table for four at 8 o’clock. Name of Mr. Smith.

lavanya-bimal
Download Presentation

Client Puzzles

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Most of slides come from Ari Juels and John Brainard RSA Laboratories

  2. The Problem

  3. How to take down a restaurant Restauranteur Saboteur

  4. O.K., Mr. Smith Table for four at 8 o’clock. Name of Mr. Smith. Saboteur vs. Restauranteur Restauranteur Saboteur

  5. Restauranteur No More Tables! Saboteur

  6. “TCP connection, please.” “TCP connection, please.” “O.K. Please send ack.” “O.K. Please send ack.” An example: TCP SYN flooding Buffer

  7. TCP SYN flooding has been deployed in the real world • Panix, mid-Sept. 1996 • New York Times, late Sept. 1996 • Others • Similar attacks may be mounted against e-mail, SSL, etc.

  8. Some defenses against connection depletion

  9. Client “Hello?” “Hello?” “Hello?” Throw away requests Server Buffer Problem: Legitimate clients must keep retrying

  10. Server Hi. My name is 10.100.16.126. Buffer IP Tracing (or Syncookies) Client Request Problems: • Can be evaded, particularly on, e.g., Ethernet • Does not allow for proxies, anonymity

  11. Server Client Buffer Digital signatures Problems: • Requires carefully regulated PKI • Does not allow for anonymity

  12. Client Connection timeout Server • Problem: Hard to achieve balance between security • and latency demands

  13. Our solution: client puzzles

  14. O.K., Mr. Smith O.K. Table for four at 8 o’clock. Name of Mr. Smith. Please solve this puzzle. ??? Intuition Restauranteur

  15. Intuition Suppose: • A puzzle takes an hour to solve • There are 40 tables in restaurant • Reserve at most one day in advance A legitimate patron can easily reserve a table

  16. Intuition ??? ??? ??? ??? ??? ??? Would-be saboteur has too many puzzles to solve

  17. Client Service requestM O.K. The client puzzle protocol Server Buffer

  18. What does a puzzle look like?

  19. Puzzle basis: partial hash inversion pre-image X k bits ? partial-imageX’ hash ? image Y 160 bits Pair (X’, Y) is k-bit-hard puzzle

  20. Puzzle basis: (Cont’d) • Only way to solve puzzle (X’,Y) is brute force method. (hash function is not invertible) • Expected number of steps (hash) to solve puzzle: 2k / 2 = 2k-1

  21. Puzzle construction Server Client Service requestM Secret S

  22. Puzzle construction Puzzle Server computes: secretS timeT requestM hash pre-imageX hash imageY

  23. Sub-puzzle • Construct a puzzle consists of m k-bit-hard sub-puzzles. • Increase the difficulty of guessing attacks. • Expected number of steps to solve: m×2k-1.

  24. Puzzle properties • Puzzles are stateless • Puzzles are easy to verify • Hardness of puzzles can be carefully controlled • Puzzles use standard cryptographic primitives

  25. Client puzzle protocol (normal) Mi1 : first message of ith execution of protocol M

  26. Client puzzle protocol (under attack) P: puzzle with m sub-puzzles t: timestamp of puzzle τ: time to receive solution T1: valid time of puzzle

  27. Where to use client puzzles?

  28. Some pros Avoids many flaws in other solutions, e.g.: • Allows for anonymous connections • Does not require PKI • Does not require retries -- even under heavy attack

  29. Practical application • Can use client-puzzles without special-purpose software • Key idea: Applet carries puzzle + puzzle-solving code • Where can we apply this? • SSL (Secure Sockets Layer) • Web-based password authentication

  30. Conclusions

  31. Contributions of paper • Introduces idea of client puzzles for on-the-fly resource access control • Puzzle and protocol description • Rigorous mathematical treatment of security using puzzles -- probabilistic/guessing attack

  32. Questions?

More Related