Attackers, Packets, and Puzzles: On Denial-of-Service Prevention in Local Area Networks

Author: Jerschow, Yves Igor

Keywords: Cryptographic protocol, Authentication, Computer security, Cryptography, Public-key cryptography, Message authentication code, Digital signature, Symmetric-key algorithm, Computer science, Computer network, Denial-of-service attack

Abstract: In this thesis, we tackle the problem of securing communication in Local Area Networks (LANs) and making it resistant against Denial-of-Service (DoS) attacks. The main vulnerability wired wireless LANs is lack initial address authenticity. It enables an attacker to take on different identities inject faked packets bearing a foreign or bogus sender address. For reason existing DoS countermeasures developed mitigate attacks Internet have drawbacks when being applied LANs. Our first contribution Cryptographic Link Layer (CLL) -- comprehensive security protocol that provides authentication confidentiality between neighboring hosts from link layer upwards. CLL employs public-key cryptography identify all Ethernet LAN based their IP/MAC pairs. Unicast IP traffic safeguarded by means block cipher message code. extends ARP DHCP handshakes with protect these protocols various kinds Beginning handshake, two exchange certificates cryptographic parameters, authenticate each other, negotiate symmetric keys establish association. has been implemented both Windows Linux achieves very competitive performance. Verifying digital signatures handshake phase other rely expensive task compared symmetric-key operations. Thus, may become target for where adversary floods victim host signature trying overload it. We introduce countermeasure flooding LANs, called counter-flooding. A benign initiate system suffers attack reacts aggression itself multiple copies its packet short period. key idea verify only fixed number per time period without becoming overloaded select those verification largest duplicates. provide bounds counter-flooding succeed show experimentally switched reasonable fair bandwidth division concurrent flows usually ensured. well-known resource exhaustion are client puzzles. However, puzzle schemes either parallelizable, coarse-grained, can be used interactively. Interactive puzzles drawback parameters sent server lacks authentication.
Especially mount counterattack clients injecting fake pretend come defending server. propose novel scheme computation square roots modulo prime. Modular root non-parallelizable, employed interactively particularly non-interactively, polynomial granularity. Benchmark results demonstrate feasibility our approach 1 even 10 Gbit networks. Furthermore, efficiency raised adding small bandwidth-based cost factor client. By introducing secure architecture solid basis safely employ non-interactive overcomes issue interactive prevents precomputation architecture, puzzles, e.g., modular hash-reversal non-interactively constructed periodically changing, random beacon. beacons generated advance longer span regularly broadcasted special beacon All obtain signed fingerprint package consisting digests beacons. easy takes single hash operation performed at line speed hosts. To guarantee robust service, develop sophisticated techniques which synchronization aspects especially deployment fingerprints. final contribution, pursue beyond protection application area timed-release cryptography. non-parallelizable RSA time-lock required encrypt arbitrarily tuned artificially enlarging public exponent. Based present offline submission protocol. author currently commit document before deadline continuously solving submit past just upon regaining connectivity. correct solution serves as proof accepting institution fact completed time. applicability scheme, platform-independent tool performs parts

References (77)
Daisuke Suzuki, How to Maximize the Potential of FPGA Resources for Modular Exponentiation. Cryptographic Hardware and Embedded Systems. pp. 272-288 (2007), 10.1007/978-3-540-74735-2_19
Ari Juels, John G. Brainard, Client Puzzles: A Cryptographic Countermeasure Against Connection Depletion Attacks. Network and Distributed System Security Symposium. (1999)
Carl A. Gunter, Kaijun Tan, Sanjeev Khanna, Santosh S. Venkatesh, DoS Protection for Reliably Authenticated Broadcast. Network and Distributed System Security Symposium. (2004)
Liqun Chen, Paul Morrissey, Nigel P. Smart, Bogdan Warinschi, Security Notions and Generic Constructions for Client Puzzles. International Conference on the Theory and Application of Cryptology and Information Security. pp. 505-523 (2009), 10.1007/978-3-642-10366-7_30
Ciaran McIvor, Maire McLoone, John V McCanny, Fast Montgomery modular multiplication and RSA cryptographic processor architectures. Asilomar Conference on Signals, Systems and Computers. vol. 1, pp. 379-384 (2003), 10.1109/ACSSC.2003.1291939
Martin Petraschek, Helmut Hlavacs, Thomas Hoeher, Joachim Zottl, Wilfried N. Gansterer, Hannes Schabauer, Oliver Jung, Enhancing ZRTP by Using Computational Puzzles. Journal of Universal Computer Science. vol. 14, pp. 693-716 (2008), 10.3217/JICS-014-05-0693
Yves Igor Jerschow, Christian Lochert, Björn Scheuermann, Martin Mauve, CLL: A Cryptographic Link Layer for Local Area Networks. Security and Cryptography for Networks. pp. 21-38 (2008), 10.1007/978-3-540-85855-3_3
Wenbo Mao, Timed-Release Cryptography. Selected Areas in Cryptography. pp. 342-358 (2001), 10.1007/3-540-45537-X_27
Giovanni Di Crescenzo, Rafail Ostrovsky, Sivaramakrishnan Rajagopalan, Conditional oblivious transfer and timed-release encryption. Theory and Application of Cryptographic Techniques. pp. 74-89 (1999), 10.1007/3-540-48910-X_6