Client Puzzles

1
Client Puzzles

• A Cryptographic Defense Against Connection
  Depletion Attacks

Most of slides come from Ari Juels and John
Brainard RSA Laboratories
2
The Problem

3
How to take down a restaurant
Restauranteur
Saboteur
4
Saboteur vs. Restauranteur
Restauranteur
Saboteur
5
Restauranteur
No More Tables!
Saboteur
6
An example TCP SYN flooding
Buffer
7

• TCP SYN flooding has been deployed in the real
  world
• Panix, mid-Sept. 1996
• New York Times, late Sept. 1996
• Others
• Similar attacks may be mounted against e-mail,
  SSL, etc.

8
Some defenses against connection depletion

9
Throw away requests
Server
Buffer
Problem Legitimate clients must keep retrying
10
IP Tracing (or Syncookies)
Client
Request
Problems

• Can be evaded, particularly on, e.g., Ethernet
• Does not allow for proxies, anonymity

11
Digital signatures
Problems

• Requires carefully regulated PKI
• Does not allow for anonymity

12
Connection timeout
Server
Problem Hard to achieve balance between security
and latency demands
13
Our solution client puzzles

14
Intuition
Restauranteur
15
Intuition
Suppose

• A puzzle takes an hour to solve
• There are 40 tables in restaurant
• Reserve at most one day in advance

A legitimate patron can easily reserve a table
16
Intuition
Would-be saboteur has too many puzzles to solve
17
The client puzzle protocol
Server
Buffer
18
What does a puzzle look like?

19
Puzzle basis partial hash inversion
160 bits
Pair (X, Y) is k-bit-hard puzzle
20
Puzzle basis (Contd)

• Only way to solve puzzle (X,Y) is brute force
  method. (hash function is not invertible)
• Expected number of steps (hash) to solve puzzle
  2k / 2 2k-1

21
Puzzle construction
22
Puzzle construction
Server computes
secret S
time T
request M
hash
pre-image X
hash
image Y
23
Sub-puzzle

• Construct a puzzle consists of m k-bit-hard
  sub-puzzles.
• Increase the difficulty of guessing attacks.
• Expected number of steps to solve m2k-1.

24
Why not use klogm bit puzzles?

• (klogm)-bit puzzle
• Expected number of trials m2k-1

• But for random guessing attacks, the successful
  probability
• One (klogm)-bit puzzle
• 2-(klogm) (e.g., 2-(k3))
• m k-bit subpuzzles
• (2-k)m 2-km (e.g., 2-8k)

25
Puzzle properties

• Puzzles are stateless
• Puzzles are easy to verify
• Hardness of puzzles can be carefully controlled
• Puzzles use standard cryptographic primitives

26
Client puzzle protocol (normal)

• Mi1 first message of ith execution of protocol M

27
Client puzzle protocol (under attack)

• P puzzle with m sub-puzzles
• t timestamp of puzzle
• t time to receive solution
• T1 valid time of puzzle

28
Where to use client puzzles?

29
Some pros

• Avoids many flaws in other solutions, e.g.
• Allows for anonymous connections
• Does not require PKI
• Does not require retries -- even under heavy
  attack

30
Practical application

• Can use client-puzzles without special-purpose
  software
• Key idea Applet carries puzzle puzzle-solving
  code

• Where can we apply this?
• SSL (Secure Sockets Layer)
• Web-based password authentication

31
Conclusions

32

Contributions of paper

• Introduces idea of client puzzles for on-the-fly
  resource access control

• Puzzle and protocol description
• Rigorous mathematical treatment of security using
  puzzles -- probabilistic/guessing attack

33
Questions?