Authentication and key establishment protocols are the foundation of secure commu-nication in volatile environments. The goal of authentication and key establishment protocol is to enable two parties to authenticate each other and establish crypto-graphic keys using insecure environments. These protocols are usually vulnerable to DoS attacks that exhaust the system resources as they are required to perform expensive operations.
Several authentication and key establishment protocols with DoS-resistance have been proposed. A detailed review study of Dos-resistance strategies and techniques in key establishment protocols was presented in [324,340]. In this section, we briey
2This table is based on and extends [340, Table 2.1] and [342, Table 1].
Client Puzzle Strengths Drawbacks Hash-based
rever-sal Simple and fast
construc-tion and vericaconstruc-tion Exponential granularity, Par-allelizable
present those strategies and techniques, then we list the key establishment protocols with DoS-resistance a long with DoS-resistance that it implements.
4.5.1 DoS Resistance Strategies
Usually DoS attacks utilize some vulnerabilities of the underlying protocol. An example ooding attacks, which aim to exhaust the resources of the target victim by sending a large number of bogus requests. In case of authentication and key establishment protocols, an attacker may ood the target server with a large number of requests forcing it to compute expensive cryptographic operations in order to consume its CPU cycles.
However, protocol engineering community has realized the requirement that authentication and key establishment protocols should achieve a level of DoS-resistance. Hence, number of design strategies have emerged. For example, Leiwo et
al. [234] and Meadows [260,261] proposed several design principles for developing DoS-resistant protocols. Those strategies can be broadly classied into three classes [324]: preventing CPU exhaustion, preventing memory exhaustion and gradual au-thentication.
Preventing CPU Exhaustion
Normally, the server responds to many clients requests. In order to prevent the computational resources of the server and prevent clients from launching ooding attacks, the client workload should consume those resources used to carry out the attack [234]. Achieving this goal requires either increasing the cost of computation to the client or reducing the cost of computation to the server. This can be carried out by articially increasing the computational cost of the client (e.g., solving a puzzle) or by having the client perform computations on behalf of the server. Client puzzles [305, 216, 51, 107] and a client-aided RSA computation [99] are example techniques of this strategy.
Preventing Memory Exhaustion
To counteract the memory attacks, a direct strategy is to reduce the memory usage for the server during the protocol run. This can be insured by allowing the server to maintain a stateless connection while the authentication process has being not completed. Using Cookie strategy is an example defending technique preventing memory exhaustion attacks [235]. Nowadays, cookies is widely used by authentica-tion protocols designers. There are many authenticaauthentica-tion protocols which use cookies as a defense against memory exhaustion attacks, such as, Photuris [217] and Internet Key Exchange (IKE) [199,256].
Gradual Authentication
A client that requests a service must be authenticated at some point during the protocol run, strong authentication of the client might be used to carry out a DoS attack. This happens due to the use of expensive operations to provide strong authentication. A proposed strategy to resolve this problem is to use weak authen-tication at the starting of the protocol and gradually increase the authenauthen-tication level ending up with a strong authentication at the completion of the protocol [260].
The Just Fast Keying (JFK) [32] protocol is an example protocol that uses gradual authentication. JFK starts with using a nonce and an authenticator as a cookie, then using MAC and nally completes the protocol with a signature verication.
4.5.2 DoS Resistance Techniques
The primitive DoS-resistance techniques used to implement the aforementioned strategies are; cookies, client puzzles, client-aided computation, and gradual au-thentication. A brief description of these techniques is given as following.
Cookies
While receiving a service request by the server, it issues unpredictable time variant data that allow it to remain stateless and gradually initiate the authentication pro-cess to the client. This data are called cookies. Cookies have been used widely as a DoS-resistance technique, as an example, in defending SYN ooding DoS attacks [235] and in Photuris protocol [217].
Usually, a cookie consists of some connection parameters cryptographically transformed using time variant secret such as: keyed hash of the client IP and nonce. For preventing the memory exhaustion attacks and remain stateless, the server may include any state required parameters in the cookie which can be re-turned by the client in the next message. The state required data can be veried by the server when the received cookie is valid.
Puzzles
Puzzles are typically constructed using cryptographic functions (one-way hash func-tions). They allow the client to prove to the server that an amount of resources has been expended, in order to ensure his/her willingness to commit resources. At rst, puzzle was introduce to control junk email [164], later have been extended to be used to protect authentication protocol from DoS attacks [216,51]. Several schemes have been proposed for constructing puzzles, which already explained in section4.3.
Client-Aided Computation
The idea of client-aided computation is to have the client to perform computa-tions on behalf or to ease the computation burden of the server. Usually, such computations are performed before the client fully authenticated, thus the client computations at this time should be restricted to those that can be veried cor-rectly. This technique is implemented in the client-aided RSA protocol [99] which is a modication of SSL protocol.
Gradual Authentication
Strongly authenticate clients at the beginning of the protocol using computationally expensive operations might be costly to verify these operations also for the server.
This can cause the server goes under DoS attack. In order to remedy this situation, the gradual authentication is proposed [260,261]. Gradual authentication provides a mechanism for weakly authenticating the client before performing expensive op-erations. The idea is to use a weak authenticators likes cookies or client puzzles at the beginning of the protocol and moving to strong authentication gradually at the protocol completion.
Cookies, client puzzles, message authentication codes and release of hash digest preimage can be considered as forms of weak authenticators. The key strength of these techniques of weak authentication is that their verication is cheap for the
server comparing to their fabrication by the attacker. Furthermore, the verica-tion of the gradual authenticators such as client puzzles remains cheaper than the verication of the signature schemes that can minimize the verication cost to the server.
As an example of authentication protocols that employed the gradual authen-tication; the Just Fast keying and the modied Internet Key Exchange (IKE) protocols.
Many authentication and key establishment protocols have been proposed to provide DoS-resistance goal by implementing some of the above mentioned DoS resistance strategies and techniques. In [324, 340], seven authentication and key establishment protocols that implement DoS-resistance mechanism were discussed.
They are: Photuris [217], Modied IKE [256], IKEv2 [218], JFK [32], HIP [274], Lee & Fung [233] and Client-Aided RSA (CA-RSA) [99].
In the next section, we will give a brief overview of the formal methods that have been proposed for analyzing the DoS-resistance mechanisms.