An integrated approach to cryptographic mitigation of denial-of-service attacks
Abstract
Gradual authentication is a principle proposed by Meadows as a way to tackle denial-of-service attacks on network protocols by gradually increasing the confidence in clients before the server commits resources. In this paper, we propose an efficient method that allows a defending server to authenticate its clients gradually with the help of some fast-to-verify measures. Our method integrates hash-based client puzzles along with a special class of digital signatures supporting fast verification. Our hash-based client puzzle provides finer granularity of difficulty and is proven secure in the puzzle difficulty model of Chen et al. (2009). We integrate this with the fast-verification digital signature scheme proposed by Bernstein (2000, 2008). These schemes can be up to 20 times faster for client authentication compared to RSA-based schemes. Our experimental results show that, in the Secure Sockets Layer (SSL) protocol, fast verification digital signatures can provide a 7% increase in connections per second compared to RSA signatures, and our integration of client puzzles with client authentication imposes no performance penalty on the server since puzzle verification is a part of signature verification.
Reference
Jothi Rangasamy, Douglas Stebila, Colin Boyd, and Juan Gonzalez Nieto. An integrated approach to cryptographic mitigation of denial-of-service attacks. In Ravi Sandhu and Duncan S. Wong, editors, Proc. 6th ACM Symposium on Information, Computer and Communications Security (ASIACCS) 2011, pp. 114–123. ACM, 2011.
Download
- Publisher’s website: PDF (the publisher’s version is freely available without a subscription due to ACM’s Author-izer service)
