Evaluating Authenticated, DoS Resistant Key Exchange Protocols

1
Evaluating Authenticated, DoS Resistant Key
Exchange Protocols
  • J.W. Pope
  • CS 589
  • December 12, 2003

2
Non-DoS-Resistant Models
  • Diffie-Hellman: Original model, completely
    unauthenticated.
  • Station-to-Station: Authenticated, but not DoS
    resistant.
  • Internet Key Exchange: Complex, inefficient, not
    DoS resistant. (not shown)

3
JFK vs. Client Puzzles
  • JFK ensures DoS resistance by allowing the
    responder or server to commit no state and little
    CPU time until the initiator is fully
    authenticated.
  • The Client Puzzle model ensures the same by
    allowing the responder to commit no state and
    little CPU time until the client solves a puzzle.

4
Memory-Exhaustion DoS - JFK
  • The JFK protocol commits no state until the
    second round.
  • In order for an attacker to reach this point, it
    must perform a digital signature, whereas the
    responder need only compute a signed hash.
  • Attacker does not need to commit any state.

5
Memory-Exhaustion DoS - Client Puzzles
  • The Client Puzzle model does not commit any state
    until the second round.
  • To reach this point, the attacker must solve a
    puzzle.
  • The puzzle involves computing 2^k hashes, on the
    average.
  • The responder needs only to compute one hash.
  • The attacker does not need to commit any state.

6
CPU-Exhaustion Attack Statistics

7
CPU-Exhaustion Attack - JFK
  • The first round of JFK requires the responder to
    compute a keyed hash.
  • An experiment shows that an arbitrarily chosen
    TCC machine can compute approximately 10,000
    keyed hashes in one second (as compared to 94
    Diffie-Hellman exponentiations!)
  • A sustained attack of 10,000 or more spurious
    packets per second will bring down a JFK server.
  • An attacker can also complete the first round,
    then force the responder to verify a spurious
    signature (50 per second) in the second round.
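
The stateless first round from slides 4 and 7, as an added sketch that is not part of the original slides and not the JFK authors' code. It assumes HMAC-SHA256 as the keyed hash and a token over the responder exponential, both nonces and the initiator address; `Responder`, `make_token` and the `verify_sig` callback (a stand-in for real signature verification) are hypothetical names.

```python
import hashlib
import hmac
import os

def make_token(hk_r, g_r, n_r, n_i, ip_i):
    """One keyed hash over the round-1 values; fields are length-prefixed."""
    parts = (g_r, n_r, n_i, ip_i.encode())
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(hk_r, msg, hashlib.sha256).digest()

class Responder:
    def __init__(self):
        self.hk_r = os.urandom(32)  # secret token key, rotated periodically in practice
        self.g_r = os.urandom(32)   # placeholder for the responder's DH exponential
        self.sessions = {}          # written only after full authentication
        self.sig_checks = 0         # counts expensive public-key operations

    def round1(self, n_i, ip_i):
        """Reply to message 1: one keyed hash, nothing stored."""
        n_r = os.urandom(16)
        return n_r, self.g_r, make_token(self.hk_r, self.g_r, n_r, n_i, ip_i)

    def round2(self, n_i, n_r, ip_i, token, signature, verify_sig):
        """Handle message 3: cheap token check first, signature check second."""
        expected = make_token(self.hk_r, self.g_r, n_r, n_i, ip_i)
        if not hmac.compare_digest(expected, token):
            return "drop: bad token"        # cost so far: one keyed hash
        self.sig_checks += 1                # the slow step an attacker can still force
        if not verify_sig(signature):
            return "drop: bad signature"
        self.sessions[(n_i, n_r)] = "established"
        return "ok"

if __name__ == "__main__":
    r = Responder()
    n_i, ip = os.urandom(16), "192.0.2.10"   # constructed sample values
    n_r, g_r, tok = r.round1(n_i, ip)
    print(r.round2(n_i, n_r, ip, bytes(32), b"", lambda s: False), r.sig_checks)
    print(r.round2(n_i, n_r, ip, tok, b"", lambda s: False), r.sig_checks)
```

A forged or re-addressed token costs the responder one keyed hash, while a valid token with a bad signature still reaches the public-key check, which is the residual cost the last bullet of slide 7 describes.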

8
CPU-Exhaustion Attack - Client Puzzles
  • In the second round, the responder must compute a
    hash.
  • An experiment shows that an arbitrarily chosen
    TCC machine can hash blocks of text the same size
    as expected for the initiator's second message at
    a rate of approximately 13,000 per second.
  • However, increasing the level of puzzle
    difficulty will not help if the attacker is
    simply submitting random packets!
  • An attacker can also solve the puzzle, forcing
    the responder to verify a spurious signature.
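
The puzzle exchange from slides 5 and 8, as an added sketch that is not part of the original slides and not the Client Puzzles authors' code. It assumes SHA-256 and a puzzle of the form "find X so that the hash starts with k zero bits"; `PuzzleServer`, `solve` and the field layout are hypothetical, and the replay list is simplified.

```python
import hashlib
import os

def leading_zero_bits(digest):
    """Number of zero bits at the start of the digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def puzzle_hash(client_id, n_s, n_c, x):
    # Fixed-length fields first (16 + 16 + 8 bytes), so the encoding is unambiguous.
    return hashlib.sha256(n_s + n_c + x.to_bytes(8, "big") + client_id).digest()

def solve(client_id, n_s, k):
    """Initiator: brute-force X. Returns (n_c, x, hashes spent); about 2**k expected."""
    n_c = os.urandom(16)
    x = 0
    while leading_zero_bits(puzzle_hash(client_id, n_s, n_c, x)) < k:
        x += 1
    return n_c, x, x + 1

class PuzzleServer:
    def __init__(self, k):
        self.k = k                  # difficulty, raised while under attack
        self.n_s = os.urandom(16)   # one nonce for all clients: no per-client state
        self.seen = set()           # written only after a solution verifies
        self.hashes = 0             # responder work counter

    def rotate(self):
        """Periodic nonce change; old solutions and the replay list expire together."""
        self.n_s = os.urandom(16)
        self.seen.clear()

    def verify(self, client_id, n_s, n_c, x):
        if n_s != self.n_s:
            return "drop: stale nonce"          # rejected before any hashing
        self.hashes += 1                        # exactly one hash, whatever k is
        if leading_zero_bits(puzzle_hash(client_id, n_s, n_c, x)) < self.k:
            return "drop: wrong solution"
        if (client_id, n_c) in self.seen:
            return "drop: replay"
        self.seen.add((client_id, n_c))
        return "ok"                             # only now verify the signature

if __name__ == "__main__":
    srv = PuzzleServer(k=12)
    n_c, x, spent = solve(b"initiator-1", srv.n_s, srv.k)
    print("initiator hashes:", spent, "->", srv.verify(b"initiator-1", srv.n_s, n_c, x))
    print("responder hashes:", srv.hashes)
```

The responder's work counter rises by one per submission that carries the current nonce regardless of k, so raising k increases only the initiator's cost, not the cost of discarding random packets.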

9
Other Issues
  • We have assumed a public server model for the
    responder.
  • Should the same server be distributing puzzles
    and authenticating clients?
  • If the same server performs both tasks, then
    during an attack, requestors will not be able to
    contact the server to get a current nonce,
    including the attacker!
  • If the attacker does not have a current nonce,
    the attack cannot continue.

10
Attempted Simulations
  • Some difficulty has been encountered in
    simulating these attacks.
  • A TCC machine was used to simulate an attack
    against an STS server (using different processes
    over loopback, to avoid flooding the network).
  • The number of packets generated was insufficient
    to impact service.

11
Analysis
  • CPU-Exhaustion resistance: Client Puzzles enjoys
    a slight edge on JFK. In case of spurious
    signature attack, Client Puzzles is much more
    effective due to adjustable difficulty level.
  • Memory-Exhaustion resistance: Neither appears to
    hold any particular advantage over the other.

12
Analysis (cont'd)
  • Burdens on client: The additional burden placed
    on the initiator by the Client Puzzle model is
    not significant (except during attacks when k >
    7).
  • JFK has a slight security advantage in that
    the session key for protocol messages is
    different from the final key, but this innovation
    can be introduced into Client Puzzles.
  • Most importantly, both protocols offer massive
    improvements over existing models.

13
JFK vs. Client Puzzles
  • When DoS-resistance is of the utmost importance,
    use Client Puzzles.
  • When DoS-resistance is important, but efficiency
    is as well, use JFK.

14
References
  • Aiello, W., S.M. Bellovin, M. Blaze, R. Canetti,
    J. Ioannidis, A.D. Keromytis, O. Reingold,
    "Efficient, DoS-Resistant, Secure Key Exchange
    for Internet Protocols", Security Protocols, B.
    Christianson, et al. (Eds.), Lecture Notes in
    Computer Science 2467, pp. 27-39,
    Springer-Verlag, 2002
  • Aura, T., P. Nikander, J. Leiwo, "DoS-Resistant
    Authentication with Client Puzzles", Security
    Protocols, B. Christianson, et al. (Eds.),
    Lecture Notes in Computer Science 2133, pp.
    170-177, Springer-Verlag, 2001
  • Diffie, W., M.E. Hellman, "New Directions in
    Cryptography", IEEE Transactions on Information
    Theory, 22 (6), pp. 644-654, November 1976
  • Diffie, W., P.C. van Oorschot, M.J. Wiener,
    "Authentication and Authenticated Key Exchange",
    Designs, Codes, and Cryptography, 2, pp. 107-125,
    1992
  • Harkins, D., D. Carrel, "The Internet Key
    Exchange (IKE)", Network Working Group RFC 2409,
    Internet Engineering Task Force,
    http://www.ietf.org/rfc/rfc2409.txt, November
    1998
  • Krawczyk, H., M. Bellare, R. Canetti, "HMAC:
    Keyed-Hashing for Message Authentication",
    Network Working Group RFC 2104, Internet
    Engineering Task Force,
    http://www.ietf.org/rfc/rfc2104.txt, February 1997
  • Menezes, A., P. van Oorschot, S. Vanstone,
    Handbook of Applied Cryptography, CRC Press, 1996
  • Schneier, B., Applied Cryptography, 2nd Edition,
    Wiley, 1996
  • Stinson, D.R., Cryptography: Theory and Practice,
    CRC Press, 1995