Modified Aggressive Mode of Internet Key Exchange Resistant against Denial-of-Service Attacks (Special Issue on Next Generation Internet Technologies and Their Applications)
Abstract
Internet Key Exchange (IKE) is very important as an entrance to secure communication over the Internet. The first phase of IKE is based on Diffie-Hellman (DH) key agreement protocol. Since DH protocol on its own is vulnerable to man-in-the-middle (MIM) attack, IKE provides authentication to protect the protocol from MIM. This authentication owes a lot to public-key primitives whose implementation includes modular exponentiation. Since modular exponentiation is computationally expensive, attackers are motivated to abuse it for Denial-of-Service (DoS) attacks; computational burden caused by malicious requests may exhaust the CPU resource of the target. DoS attackers can also abuse inappropriate use of Cookies in IKE; as an anti-clogging token, Cookie must eliminate the responder's state during initial exchanges of the protocol while IKE Cookies do not. Thus a large number of malicious requests may exhaust the memory resource of the target. In search of resistance against those DoS attacks, this paper first reviews DoS-resistance of the current version of IKE and basic ideas on DoS-protection. The paper then proposes a DoS-resistant version of three-pass IKE Phase 1 where attackers are discouraged by heavy stateful computation they must do before the attack really burdens the target. DoS-resistance is evaluated in terms of the computational cost and the memory cost caused by bogus requests. The result shows that the proposed version gives the largest ratio of the attacker's cost to the responder's cost.
- Paper published by the Institute of Electronics, Information and Communication Engineers (IEICE)
- 2000-05-25
Authors
- IMAI Hideki
  The author is with Institute of Industrial Science, the University of Tokyo
- Matsuura Kanta
  The authors are with Institute of Industrial Science, the University of Tokyo
- Imai Hideki
  The authors are with Institute of Industrial Science, the University of Tokyo
Related papers
- An Algorithm for Cryptanalysis of Certain Keystream Generators Suitable for High-Speed Software and Hardware Implementations : Special Section on Cryptography and Information Security
- A Digital Signature Scheme on ID-Based Key-Sharing Infrastructures : Special Section on Cryptography and Information Security
- Improving the Secure Electronic Transaction Protocol by Using Signcryption
- Optimal Unconditionally Secure ID-Based Key Distribution Scheme for Large-Scaled Networks : Special Section on Cryptography and Information Security
- Realizing the Menezes-Okamoto-Vanstone (MOV) Reduction Efficiently for Ordinary Elliptic Curves
- Hierarchical Coding Based on Multilevel Bit-Interleaved Channels
- Modified Aggressive Mode of Internet Key Exchange Resistant against Denial-of-Service Attacks (Special Issue on Next Generation Internet Technologies and Their Applications)
- An Image Correction Scheme for Video Watermarking Extraction : Special Section on Cryptography and Information Security
- Development of Cryptology in the Nineties : Special Section on the 10th Anniversary of Trans. Fundamentals : Last Decade and 21st Century