Novel ways of authentication and identification of users in wireless networks
Format: | Final Year Project
---|---
Language: | English
Published: | 2012
Online Access: | http://hdl.handle.net/10356/50843
Institution: | Nanyang Technological University
Summary:

Cryptographic client puzzles have been widely proposed for mitigating the rising denial-of-service (DoS) attacks on Internet networks. They introduce a promising approach, fundamentally different from the classical DoS defence mechanisms: users requesting a web service must first solve a puzzle before being served by the server. A variety of puzzle algorithms exist for this purpose, but most of them require a puzzle difficulty parameter that determines the amount of time a user needs to solve the puzzle. However, the important question of how to set this puzzle difficulty value has yet to be completely addressed by researchers. In this project, we therefore propose using a generic leaky bucket rate-limiting queue mechanism to set the puzzle difficulty according to the queue delay. Specifically, by adjusting the puzzle difficulty parameter adaptively, the proposed mechanism allows the server to rate-limit the number of incoming requests it has to serve per unit time. As a result, the server is not overloaded by requests, while a potential DoS attacker has to spend more resources and time solving harder puzzles, which reduces its request rate.

Our leaky bucket mechanism can easily be applied to most existing client puzzles; we applied it to two popular client puzzle algorithms, the hash reversal puzzle and the repeated squaring puzzle. The hash reversal puzzle requires the solver to find the missing part of the input pre-image given the hash output and a partial pre-image, while the repeated squaring puzzle requires the computation of a fixed number of modular exponentiations. We then used the puzzles in the Transport Layer Security (TLS) protocol to provide DoS resistance. We compared the two puzzle schemes and demonstrated through experiments and simulations that the latter, together with our leaky bucket mechanism, is more effective in mitigating DoS attempts, as it ensures a lower server CPU load.

Furthermore, repeated squaring puzzles have many desirable properties: they are non-parallelizable, provide finer granularity, and do not unfairly penalize mobile device users much. Our leaky bucket mechanism therefore allows existing client puzzle schemes to fully utilize their puzzle difficulty parameter to provide better DoS resistance.
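The hash reversal puzzle and the leaky bucket difficulty control described in the summary, as an added illustration that is not the project's own code. It assumes a 64-bit pre-image, SHA-256 as the hash, and a fixed assumed client hash rate (`client_hps`) for mapping the queue delay to a difficulty `k`; the mapping itself is a constructed example, not the one used in the project.

```python
import hashlib
import math
import secrets
NBYTES = 8  # 64-bit pre-image; size chosen for this example

def make_puzzle(k: int) -> tuple[bytes, int]:
    """Server side: pick random pre-image x, publish H(x) and x with its low k
    bits cleared (the partial pre-image). Solver must recover those k bits."""
    x = int.from_bytes(secrets.token_bytes(NBYTES), "big")
    return hashlib.sha256(x.to_bytes(NBYTES, "big")).digest(), (x >> k) << k

def solve_puzzle(target: bytes, partial: int, k: int) -> int:
    """Client side: try all 2**k fillings of the missing bits (2**(k-1) expected)."""
    for low in range(1 << k):
        cand = partial | low
        if hashlib.sha256(cand.to_bytes(NBYTES, "big")).digest() == target:
            return cand
    raise ValueError("puzzle has no solution")

def verify(target: bytes, partial: int, k: int, answer: int) -> bool:
    """Server side: one hash per check whatever k is; that asymmetry is the point."""
    return ((answer >> k) << k == partial
            and hashlib.sha256(answer.to_bytes(NBYTES, "big")).digest() == target)

class LeakyBucket:
    """Rate-limiting queue draining `rate` requests/second; the queue delay a new
    arrival would see sets the difficulty handed to the next client."""
    def __init__(self, rate: float, capacity: int, client_hps: float, k_max: int = 20):
        self.rate, self.capacity = rate, capacity
        self.client_hps, self.k_max = client_hps, k_max  # assumed client hash rate
        self.level, self.last = 0.0, 0.0

    def _drain(self, now: float) -> None:
        self.level = max(0.0, self.level - (now - self.last) * self.rate)
        self.last = now

    def difficulty(self, now: float) -> int:
        """k such that 2**(k-1) hashes at client_hps take about level/rate seconds."""
        self._drain(now)
        delay = self.level / self.rate
        if delay * self.client_hps < 1:
            return 0
        return min(self.k_max, math.ceil(math.log2(2 * delay * self.client_hps)))

    def admit(self, now: float) -> bool:
        """Queue a request whose puzzle verified; reject when the bucket is full."""
        self._drain(now)
        if self.level + 1 > self.capacity:
            return False
        self.level += 1
        return True
```

With an empty bucket the difficulty is 0, so legitimate clients pay nothing under normal load; the difficulty only climbs as the backlog, and hence the queue delay, grows.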