Modified Aggressive Mode of Internet Key Exchange Resistant against Denial-of-Service Attacks(Special Issue on Next Generation Internet Technologies and Their Applications)

概要

論文の詳細を見る
Internet Key Exchange(IKE)is very important as an entrance to secure communication over the Internet. The first phase of IKE is based on Diffie-Hellman(DH)keyagreement protocol. Since DH protocol on its own is vulnerable to man-in-the-middle(MIM)attack, IKE provides authentication to protect the protocol from MIM. This authentication owes a lot to public-key primitives whose implementation includes modular exponentiation. Since modular exponentiation is computationally expensive, attackers are motivated to abuse it for Denial-of-Service(DoS)attacks;computational burden caused by malicious requests may exhaust the CPU resource of the target. DoS attackers can also abuse inappropriate use of Cookies in IKE;as an anti-clogging token, Cookie must eliminate the responder's state during initial exchanges of the protocol while IKE Cookies do not. Thus a large number of malicious requests may exhaust the memory resource of the target. In search of resistance against those DoS attacks, this paper first reviews DoS-resistance of the current version of IKE and basic ideas on DoS-protection. The paper then proposes a DoS-resistant version of three-pass IKE Phase 1 where attackers are discouraged by heavy stateful computation they must do before the attack really burdens the target. DoS-resistance is evaluated in terms of the computational cost and the memory cost caused by bogus requests. The result shows that the proposed version gives the largest ratio of the attacker's cost to the responder's cost.
社団法人電子情報通信学会の論文
2000-05-25

Modified Aggressive Mode of Internet Key Exchange Resistant against Denial-of-Service Attacks(Special Issue on Next Generation Internet Technologies and Their Applications)

スポンサーリンク

概要

著者

関連論文

スポンサーリンク