Resolution of ISAKMP/Oakley Key-Agreement Protocol Resistant against Denial-of-Service Attack

Kanta Matsuura and Hideki Imai
Institute of Industrial Science, University of Tokyo, Tokyo 106-8558, JAPAN

Abstract: Key-agreement protocols will play an important role as an entrance to secure communication over the Internet. Specifically, ISAKMP (Internet Security Association and Key Management Protocol)/Oakley key-agreement is currently a leading approach for communication between two parties. The basic idea of ISAKMP/Oakley is an authenticated Diffie-Hellman (DH) key-agreement protocol. This authentication owes a lot to public-key primitives whose implementation includes modular exponentiation. Since modular exponentiation is computationally expensive, attackers are motivated to abuse it for Denial-of-Service (DoS) attacks. In search of resistance against DoS attacks, this paper first describes a basic idea on the protection mechanism for authenticated DH key-agreement protocols against DoS attacks. The paper then proposes a DoS-resistant version of three-pass ISAKMP/Oakley's Phase 1 where DoS attacks impose expensive computation on the attackers themselves. The DoS-resistance is evaluated in terms of (1) the computational cost caused by bogus requests and (2) a server-blocking probability.

I. Introduction

In order to enjoy secure communication over an open network, how to establish secret session keys is a fundamental problem. Looking at the Internet, ISAKMP (Internet Security Association and Key Management Protocol)/Oakley key-agreement [1] had been a leading approach for communication between two entities. After some modification, it has recently reached RFC as the Internet Key Exchange (IKE) [2]. ISAKMP/Oakley or IKE is based on a well-known Diffie-Hellman (DH) key-agreement protocol [3]. It is also well-known that this protocol on its own is vulnerable to intruder-in-the-middle attack; an attacker may intercept the protocol messages and masquerade as each of the users involved. Protection mechanisms against this attack have long been explored by providing entity authentication [4]. Hence ISAKMP/Oakley is also equipped with authentication mechanisms which owe a lot to public-key primitives. Since these primitives are computationally expensive, malicious entities can initiate Denial-of-Service (DoS) attacks; they may launch quite a large number of bogus requests to exhaust the computational or communication resource of the targets who verify each request honestly.

The purpose of this paper is to solve this problem of DoS. Specifically, Section II introduces our basic strategy [5] for protocol design. Then, after reviewing conventional versions in Section III, we propose a three-pass DoS-resistant version in Section IV conforming to the strategy. Security consideration of the proposed version is subsequently given in Section V. Finally, Section VI gives concluding remarks.

Manuscript received October 30, 1998. K. Matsuura, +81-3-3402-6231 (ext. 2325), fax +81-3-3479-1736, [email protected]; H. Imai, +81-3-3402-6231 (ext. 2313), [email protected], http://imailab.iis.u-tokyo.ac.jp/ This work was partly supported by Research for the Future Program (RFTF) by Japan Society for the Promotion of Science (JSPS) under contract no. JSPS-RETF 96P00604.

II. Basic Strategy

As mentioned in the introduction, secure and authenticated DH key-agreement protocols usually cost a lot in computation and/or in communication. In terms of communication complexity, three-pass protocols would be a practical solution. This section describes a design direction to protect three-pass DH protocols from DoS attacks.

Let us assume that the initiator I and the responder R can use the same public-key infrastructure where public and secret keys of an entity $X$ are denoted by $PK_X$ and $SK_X$, respectively. Then three-pass DH key-agreement protocols can be typically structured as shown in Fig. 1. Our design direction for DoS-resistance is as follows:

1. Do not use heavy computation such as modular exponentiation in Step (4).
2. Send a random fresh material by Reply Message (5) implicitly in a way that the reconstruction of the material requires heavy computation in Step (6). We will refer to this material as "RF material" in the following.
3. Use the RF material for authentication.
4. Carry an acknowledgment material derived from the reconstructed RF material by Acknowledgment Message (7).
5. Verify the acknowledgment material at the beginning of Step (8). This verification must be computationally less expensive than the reconstruction of RF material in Step (6).

Step (1)  I and R: Precomputation
Step (2)  I: Computation by using $PK_R$ and/or $SK_I$
Step (3)  I → R: Request Message
Step (4)  R: Computation by using $PK_I$ and/or $SK_R$ (Session-key computation may be included.)
Step (5)  R → I: Reply Message
Step (6)  I: Computation by using $PK_R$ and/or $SK_I$ (Session-key computation may be included.)
Step (7)  I → R: Acknowledgment Message
Step (8)  R: Computation by using $PK_I$ and/or $SK_R$
Step (9)  I and R: Key establishment

Fig. 1. Typical structure of three-pass authenticated DH key-agreement protocols with public-key infrastructure.

Once conformed to this direction, the protocol discourages DoS attackers by "falling-together" nightmare; if the attacker and the target have similar level of computational power, the attacker must exhaust his/her resource in order to exhaust that of the target since a bogus acknowledgment material is detected before computationally-expensive parts of Step (8).

III. Aggressive Mode of ISAKMP/Oakley

A. Conventional Versions

In the key-management mechanism of IPv6 (Internet Protocol version 6), IKE has several key-agreement modes with different numbers of message-passes; Aggressive Mode is a three-pass protocol while Main Mode is a six-pass protocol in Phase 1, for example. In a situation where pre-shared keys are not available, "Aggressive Mode of ISAKMP/Oakley" is authenticated with public-key encryption or with digital signature. We will refer to these two authentication types as PKE-authentication and SIG-authentication, respectively. They are described in Fig. 2 (a) and (b), respectively.

In Fig. 2, HDR is an ISAKMP header and the cookies $CKY_I$ and $CKY_R$ are set up in the header. SA is an SA (Security Association) payload with one or more proposals. A security association is a set of policy and keys used to protect information. The ISAKMP SA is the shared policy and keys used by the negotiating peers to protect their communication; the initiator may provide multiple proposals regarding SA while the responder must reply with only one. $SA_b$ is the entire body of the SA payload (minus the ISAKMP generic header). KE is a key-exchange payload which carries keying materials such as DH public values denoted by $g^x$ (generated by the initiator) and $g^y$ (generated by the responder). $N_I$ is the nonce payload of the initiator while $N_R$ is that of the responder. Likewise, $ID_I$ and $ID_R$ are their identity payloads, and $SIG_I$ and $SIG_R$ are their digitally-signed hash payloads. The hash payloads are pseudo-randomly computed from their nonces, DH public values, cookies, SAs, and IDs as

$$HASH_I = \mathrm{prf}(SKEYID,\; g^x \| g^y \| CKY_I \| CKY_R \| SA_b \| ID_I) \tag{1}$$

$$HASH_R = \mathrm{prf}(SKEYID,\; g^x \| g^y \| CKY_R \| CKY_I \| SA_b \| ID_R) \tag{2}$$

where $SKEYID$ is the output of a pseudo-random function; for PKE-authentication,

$$SKEYID = \mathrm{prf}(\mathrm{hash}(N_I \| N_R),\; CKY_I \| CKY_R) \tag{3}$$

while

$$SKEYID = \mathrm{prf}(N_I \| N_R,\; g^{xy}) \tag{4}$$

for SIG-authentication. $\|$ represents concatenation. HASH(1) is a hash of the certificate which the initiator is using to encrypt his/her nonce and identity. CERT is a certificate payload and the brackets $[\ast]$ indicate that the content $\ast$ is optional.

(a) authenticated with public-key encryption (PKE-authentication)

I → R: HDR, SA, [HASH(1),] KE, $ENC_{PK_R}(ID_I)$, $ENC_{PK_R}(N_I)$
R → I: HDR, SA, KE, $ENC_{PK_I}(ID_R)$, $ENC_{PK_I}(N_R)$, $HASH_R$
I → R: HDR, $HASH_I$

(b) authenticated with signatures (SIG-authentication)

I → R: HDR, SA, KE, $N_I$, $ID_I$
R → I: HDR, SA, KE, $N_R$, $ID_R$, [CERT], $SIG_R$
I → R: HDR, [CERT,] $SIG_I$

(c) authenticated with public-key encryption (revised version: revised PKE-authentication)

I → R: HDR, SA, [HASH(1),] $ENC_{PK_R}(N_I)$, $E_{Ke_I}(KE)$, $E_{Ke_I}(ID_I)$, [$E_{Ke_I}(CERT)$]
R → I: HDR, SA, $ENC_{PK_I}(N_R)$, $E_{Ke_R}(KE)$, $E_{Ke_R}(ID_R)$, $HASH_R$
I → R: HDR, $HASH_I$

Fig. 2. ISAKMP/Oakley's Phase 1 authenticated by the use of public-key primitives (Aggressive Mode). $ENC_{PK_X}$ indicates an encryption with the public key $PK_X$ of an entity $X$. $E_K$ is an encryption function of a private-key cipher where $K$ represents an encryption key. $Ke_I$ and $Ke_R$ are ephemeral keys derived from the nonces and the cookies.

The result of Aggressive Mode key-agreement is three groups of authenticated keying materials:

$$SKEYID_d = \mathrm{prf}(SKEYID,\; g^{xy} \| CKY_I \| CKY_R \| 0) \tag{5}$$

$$SKEYID_a = \mathrm{prf}(SKEYID,\; SKEYID_d \| g^{xy} \| CKY_I \| CKY_R \| 1) \tag{6}$$

$$SKEYID_e = \mathrm{prf}(SKEYID,\; SKEYID_a \| g^{xy} \| CKY_I \| CKY_R \| 2) \tag{7}$$

$SKEYID_e$ is used by the ISAKMP SA to protect its messages. $SKEYID_a$ is used by the ISAKMP SA to authenticate its messages. $SKEYID_d$ is used to derive keys for non-ISAKMP SAs.

PKE-authentication requires two public-key encryption and decryption operations of both the initiator and the responder. The author of [6] modifies it into a revised PKE-authentication which requires only one public-key encryption and decryption operation of each party while maintaining the security properties. The revised PKE-authentication is described in Fig. 2 (c). $Ke_I$ and $Ke_R$ are ephemeral keys derived from the nonces and the cookies. The first step of the derivation is

$$Ne_I = \mathrm{prf}(N_I,\; CKY_I) \tag{8}$$

$$Ne_R = \mathrm{prf}(N_R,\; CKY_R). \tag{9}$$

Then, if the desired length of $Ke_I$ is at most the length of $Ne_I$, the sufficient number of most significant bits of $Ne_I$ is used as $Ke_I$. If not, more bits are generated by applying the pseudo-random function prf with $Ne_I$ as the key and a byte of 0 as the input. The output of prf is then fed back into itself until sufficient number of bits are obtained. For example, if the output of prf is 128-bit long and $Ne_I$ needs to be 320-bit long, then $Ne_I$ is the most significant 320 bits of $K$, where

$$K = K_1 \| K_2 \| K_3 = \mathrm{prf}(Ne_I, 0) \,\|\, \mathrm{prf}(Ne_I, K_1) \,\|\, \mathrm{prf}(Ne_I, K_2) \tag{10}$$
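The expansion rule of equations (8) to (10), covering both the truncation case and the feedback case, as an added example that is not code from the paper or from any IKE implementation. HMAC-MD5 stands in for the negotiated prf only because its 128-bit output matches the 128-bit/320-bit case in the text; the function names and sample values are assumptions.

```python
import hashlib
import hmac


def prf(key, data, digest="md5"):
    """HMAC stands in for the negotiated prf (assumption of this example)."""
    return hmac.new(key, data, digest).digest()


def derive_ephemeral_key(nonce, cookie, key_bits, digest="md5"):
    """Derive an ephemeral key from a nonce and a cookie, equations (8)-(10)."""
    if key_bits % 8:
        raise ValueError("key length must be a whole number of bytes")
    ne = prf(nonce, cookie, digest)                 # Ne = prf(N, CKY)
    need = key_bits // 8
    if need <= len(ne):
        return ne[:need]                            # most significant bits of Ne
    blocks = [prf(ne, b"\x00", digest)]             # K1 = prf(Ne, 0)
    while len(blocks) * len(ne) < need:
        blocks.append(prf(ne, blocks[-1], digest))  # K(j+1) = prf(Ne, Kj)
    return b"".join(blocks)[:need]                  # most significant bits of K


# Constructed sample values, not taken from any real exchange.
SAMPLE_NONCE = bytes(range(16))
SAMPLE_COOKIE = b"\xaa" * 8

if __name__ == "__main__":
    print(derive_ephemeral_key(SAMPLE_NONCE, SAMPLE_COOKIE, 320).hex())
```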

$Ke_R$ is derived analogously.

B. CPU-Exhaustion DoS Attack

Aggressive Mode shown in the previous subsection is vulnerable to CPU-exhaustion DoS attack. In SIG-authentication, the protocol may require the responder to generate a digital signature with heavy computation before identifying the initiator. For example, RSA public-key primitives are recommended to be supported in ISAKMP/Oakley, and generation of RSA signatures costs much more than their verification due to the deployment of a relatively larger exponent in signature generation. This motivates a DoS attacker to launch a tremendous number of arbitrary requests. Even if the signature generation is inexpensive, the responder must verify the signature for a fake acknowledgment message.

In PKE-authentication, the protocol requires the responder to decrypt two public-key encrypted payloads before identifying the initiator. Unfortunately, this decryption is also computationally expensive (footnote 1) and therefore can be abused by an attacker. Although the required number of decryptions is reduced to one, revised PKE-authentication can be attacked in the same scenario.

Footnote 1: For instance, RSA decryption costs much more than RSA encryption due to the deployment of a larger exponent.

IV. DoS-Resistant Resolution

A. Protocol

We consider how to enhance the resistance of SIG-authentication against DoS attacks. Specifically, we introduce a modified hash payload in the acknowledgment from the initiator. This modified hash payload plays a role of the acknowledgment material in our basic strategy; a reconstructed RF material is used in the computation of the modified hash. The RF material is originally included in the reply from the responder implicitly. The proposed protocol is outlined in Fig. 3. We will refer to this protocol as revised SIG-authentication, in the following. In contrast to SIG-authentication, revised SIG-authentication is described as follows.

1. The first message, a request from the initiator, is the same as that in SIG-authentication; the initiator sends ISAKMP header followed by SA, keying material, the initiator's nonce, and his ID.
2. The second message, a reply from the responder, is also the same as that in SIG-authentication but there is one restriction: to generate $SIG_R$, the responder must use a signature scheme with the following properties:
   • Expensive computation in signature generation can be completed in advance independent of the initiator, i.e., as a precomputation before receiving the request.
   • The verification procedure includes reconstruction of an RF material $R_r$.
3. In the computation of digitally-signed hash payloads, $SKEYID$ is replaced with a one-way hashed value $SKEYID' = \mathrm{hash}(N_I \| N_R)$ which is random, fresh, but publicly-known. This does not change the security of the signature algorithm itself. If the initiator fears an attack with the replacement of the responder's public key, the certificate option is available to protect him/her from the attack. $SKEYID_e$, $SKEYID_a$, and $SKEYID_d$ are derived from the same $SKEYID$ as in the conventional SIG-authentication.
4. In the computation of the initiator's digitally-signed hash payload, the hash payload is replaced with a modified hash payload. The modified hash is defined as $HASH^*_I = \mathrm{prf}(SKEYID',\; g^x \| g^y \| CKY_I \| CKY_R \| R_r \| SA_b \| ID_I)$. The acknowledgment message explicitly includes $HASH^*_I$; in the third acknowledgment message from the initiator, ISAKMP header is followed by the modified hash payload and the initiator's signature on it. A certificate payload CERT is optional.
5. On receiving the acknowledgment message, the responder first checks whether the modified hash really uses the RF material $R_r$. Then, if successful, he/she goes on to the signature verification procedure.
6. The signature scheme for $SIG^*_I$ is not necessarily the same as that for $SIG_R$; $SIG^*_I$ may use a public and secret key pair whose relationship is different from that of $(PK_I, SK_I)$ in Fig. 3. $(PK_I, SK_I)$ is provided for the case when the initiator plays a responder's role in a different session.

B. Formal Description

By using the step number specified in Fig. 1, a more formal description of the proposed protocol is given as follows.

(Initiator's Keys)

Secret key: $SK_I \in_R [1, 2, \cdots, q-2]$
Public key: $PK_I = g^{SK_I} \bmod p$

(Responder's Keys)

Secret key: $SK_R \in_R [1, 2, \cdots, q-2]$
Public key: $PK_R = g^{SK_R} \bmod p$

Step (1) Each entity precomputes DH public values. Since the signature algorithm has computation steps which can be completed in advance, each entity carries out the precomputation and keeps the resultant RF materials.

Step (2) The initiator generates a request message as specified in SIG-authentication. A precomputed DH public value is used to create KE.

Step (3) The initiator sends the request message HDR, SA, KE, $N_I$, $ID_I$ to the responder.

Step (4) The responder selects a proposal in SA, if necessary. The responder computes $SKEYID' = \mathrm{hash}(N_I \| N_R)$ and his/her hash payload $HASH_R = \mathrm{prf}(SKEYID',\; g^x \| g^y \| CKY_R \| CKY_I \| SA_b \| ID_R)$. The responder generates his/her signature $SIG_R$ on $HASH_R$. An RF material $R_r$ is used in the signature generation and kept by the initiator to be used later again in Step (8). A precomputed DH public value is used to create KE.

Step (5) The responder sends his/her reply message HDR, SA, KE, $N_R$, $ID_R$, [CERT,] $SIG_R$ to the initiator. CERT is an optional certificate payload of $SIG_R$.

Initiator (I): Secret key: $SK_I \in_R [1, 2, \cdots, q-2]$; Public key: $PK_I = g^{SK_I} \bmod p$
Responder (R): Secret key: $SK_R \in_R [1, 2, \cdots, q-2]$; Public key: $PK_R = g^{SK_R} \bmod p$

I → R: HDR, SA, KE, $N_I$, $ID_I$
R → I: HDR, SA, KE, $N_R$, $ID_R$, [CERT,] $SIG_R$
I → R: HDR, [CERT,] $SIG^*_I$, $HASH^*_I$

Fig. 3. ISAKMP/Oakley Phase 1 with DoS-resistant authentication (Aggressive Mode). The relationship between secret and public keys is an example for ElGamal-like signatures; $p$ is a large prime and $q$ is a large prime factor of $p - 1$. $g$ is a public integer with order $q$ modulo $p$. $SIG^*_I$, $HASH^*_I$ is a digitally-signed modified hash payload, which acts as the acknowledgment material in our basic strategy against DoS attack.

Step (6) According to the selected SA, the initiator verifies the responder's signature $SIG_R$. If successful, the initiator computes $SKEYID' = \mathrm{hash}(N_I \| N_R)$ and his/her modified hash payload $HASH^*_I = \mathrm{prf}(SKEYID',\; g^x \| g^y \| CKY_I \| CKY_R \| R_r \| SA_b \| ID_I)$, where $R_r$ is the RF material obtained in the signature-verification procedure. The initiator then computes his/her signature $SIG^*_I$ on $HASH^*_I$.

Step (7) The initiator sends the acknowledgment message HDR, [CERT,] $SIG^*_I$, $HASH^*_I$ to the responder. CERT is an optional certificate payload of $SIG^*_I$.

Step (8) The responder checks whether $HASH^*_I$ is really constructed by using the correct RF material $R_r$. If successful, the responder verifies the initiator's signature $SIG^*_I$.

Step (9) If everything is successful, keying materials are finally established; from the DH public values, both the initiator and the responder compute and establish authenticated keying materials $SKEYID = \mathrm{prf}(N_I \| N_R,\; g^{xy})$, $SKEYID_d = \mathrm{prf}(SKEYID,\; g^{xy} \| CKY_I \| CKY_R \| 0)$, $SKEYID_a = \mathrm{prf}(SKEYID,\; SKEYID_d \| g^{xy} \| CKY_I \| CKY_R \| 1)$, and $SKEYID_e = \mathrm{prf}(SKEYID,\; SKEYID_a \| g^{xy} \| CKY_I \| CKY_R \| 2)$.

C. Examples

In the following, we show two specific examples of revised SIG-authentication. The first one is based on a shortened Digital Signature Standard (SDSS) [7]. As well as the original DSA (Digital Signature Algorithm) [8] or DSS (Digital Signature Standard) [9], the shortened DSS is unforgeable by adaptive attackers under the assumptions that discrete logarithm is hard and that the one-way hash function behaves like a random function [7], [10].

Precomputation by the responder:
$x_r \in_R [1, 2, \cdots, q-2]$, $R_r = g^{x_r} \bmod p$

Generation of the responder's signature:
$T_R = \mathrm{hash}(R_r, HASH_R)$
$SIG_R = (s_1, s_2) = (x_r / (T_R + SK_R) \bmod q,\; T_R)$

Verification of the responder's signature:
$\hat{R}_r = (g^{s_2} \cdot PK_R)^{s_1} \bmod p$.
The initiator accepts the signature if and only if $s_2$ is equal to $\mathrm{hash}(\hat{R}_r, HASH_R)$.

Computation of the modified hash:
$SKEYID' = \mathrm{hash}(N_I \| N_R)$
$HASH^*_I = \mathrm{prf}(SKEYID',\; g^x \| g^y \| CKY_I \| CKY_R \| \hat{R}_r \| SA_b \| ID_I)$

Verification of the modified hash:
The responder accepts the modified hash if and only if $HASH^*_I$ is equal to $\mathrm{prf}(SKEYID',\; g^x \| g^y \| CKY_I \| CKY_R \| R_r \| SA_b \| ID_I)$.

The second example is based on Schnorr's signature scheme [11].

Precomputation by the responder:
$x_r \in_R [1, 2, \cdots, q-2]$, $R_r = g^{x_r} \bmod p$

Generation of the responder's signature:
$T_R = \mathrm{hash}(HASH_R \| R_r)$
$SIG_R = (s_1, s_2) = (SK_R \cdot T_R + x_r \bmod q,\; T_R)$

Verification of the responder's signature:
$\hat{R}_r = g^{s_1} PK_R^{-s_2} \bmod p$.
The initiator accepts the signature if and only if $s_2$ is equal to $\mathrm{hash}(HASH_R \| \hat{R}_r)$.

Computation of the modified hash:
$SKEYID' = \mathrm{hash}(N_I \| N_R)$
$HASH^*_I = \mathrm{prf}(SKEYID',\; g^x \| g^y \| CKY_I \| CKY_R \| \hat{R}_r \| SA_b \| ID_I)$

Verification of the modified hash:
The responder accepts the modified hash if and only if $HASH^*_I$ is equal to $\mathrm{prf}(SKEYID',\; g^x \| g^y \| CKY_I \| CKY_R \| R_r \| SA_b \| ID_I)$.
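The ordering of checks in Steps (4) to (8), sketched with the Schnorr-based variant and a counter of on-line modular exponentiations per party. This is an added example, not code from the paper: the toy group (p = 2039, q = 1019, g = 4), HMAC-SHA256 as prf, SHA-256 as hash, the field encodings and every function name are assumptions, and the initiator is assumed to sign with the same Schnorr scheme.

```python
import hashlib
import hmac
import secrets

# Toy Schnorr group constructed for this example (p = 2q + 1, g of order q).
# Far too small for real use; the paper assumes |p| = 1024 and |q| = 160.
P, Q, G = 2039, 1019, 4
modexp_calls = {"initiator": 0, "responder": 0}   # on-line exponentiations

def modexp(who, base, exp):                       # base is in the order-q subgroup
    modexp_calls[who] += 1
    return pow(base, exp % Q, P)

def enc(n):
    return n.to_bytes(2, "big")                   # fixed-width group element

def prf(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def hash_to_q(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % Q

def precompute():
    """Step (1): (x, g^x mod p), computed off-line and therefore not counted."""
    x = 1 + secrets.randbelow(Q - 2)              # x in [1, q-2]
    return x, pow(G, x, P)

def sign(sk, pre, msg):
    """Schnorr signing from a precomputed pair: hashing and mod-q arithmetic."""
    x, big_r = pre
    t = hash_to_q(msg, enc(big_r))                # T = hash(msg || R)
    return (sk * t + x) % Q, t                    # (s1, s2)

def verify(who, pk, sig, msg):
    """Reconstruct R^ = g^s1 * PK^-s2 mod p; return it if s2 matches, else None."""
    s1, s2 = sig
    r_hat = modexp(who, G, s1) * modexp(who, pk, -s2) % P
    return r_hat if s2 == hash_to_q(msg, enc(r_hat)) else None

def skeyid_prime(s):
    return hashlib.sha256(s["ni"] + s["nr"]).digest()   # hash(N_I || N_R)

def hash_r(s):
    return prf(skeyid_prime(s), s["gx"], s["gy"], s["cky_r"], s["cky_i"],
               s["sab"], s["id_r"])

def hash_star_i(s, big_r):
    return prf(skeyid_prime(s), s["gx"], s["gy"], s["cky_i"], s["cky_r"],
               enc(big_r), s["sab"], s["id_i"])

class Responder:
    def __init__(self):
        self.sk, self.pk = precompute()           # long-term key pair
        self.pool = [precompute() for _ in range(4)]
        self.pending = {}                         # CKY_R -> (session, R_r)

    def reply(self, s):
        """Step (4): SIG_R on HASH_R without any exponentiation."""
        pre = self.pool.pop()
        self.pending[s["cky_r"]] = (s, pre[1])
        return sign(self.sk, pre, hash_r(s))

    def acknowledge(self, cky_r, hash_star, sig_i, pk_i):
        """Step (8): one HMAC comparison first, signature verification second."""
        s, big_r = self.pending[cky_r]
        if not hmac.compare_digest(hash_star, hash_star_i(s, big_r)):
            return "rejected-cheaply"
        ok = verify("responder", pk_i, sig_i, hash_star) is not None
        return "established" if ok else "bad-signature"

def initiator_ack(s, pk_r, sig_r, sk_i):
    """Steps (6)-(7): verifying SIG_R yields R^_r, which feeds HASH*_I."""
    r_hat = verify("initiator", pk_r, sig_r, hash_r(s))
    if r_hat is None:
        raise ValueError("responder signature rejected")
    h = hash_star_i(s, r_hat)
    return h, sign(sk_i, precompute(), h)

def demo():
    modexp_calls.update(initiator=0, responder=0)
    resp, (sk_i, pk_i) = Responder(), precompute()
    s = {"gx": enc(precompute()[1]), "gy": enc(precompute()[1]),  # constructed
         "cky_i": b"CKY-I...", "cky_r": b"CKY-R...", "sab": b"SA-body",
         "id_i": b"initiator", "id_r": b"responder",
         "ni": secrets.token_bytes(16), "nr": secrets.token_bytes(16)}
    sig_r = resp.reply(s)
    bogus = resp.acknowledge(s["cky_r"], secrets.token_bytes(32), (1, 1), pk_i)
    cost_after_bogus = modexp_calls["responder"]
    h, sig_i = initiator_ack(s, resp.pk, sig_r, sk_i)
    honest = resp.acknowledge(s["cky_r"], h, sig_i, pk_i)
    return bogus, cost_after_bogus, honest, dict(modexp_calls)

if __name__ == "__main__":
    print(demo())
```

The bogus acknowledgment is turned away after a single HMAC comparison, while the honest initiator had to spend two exponentiations reconstructing the RF material before the responder spent any.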

D. Evaluation

Let us evaluate the DoS resistance in terms of the computational cost. The cost is measured by the total number of modular multiplications required for modular exponentiation. We classify DoS attackers into two types:

(Type 1) An attacker who launches completely fake requests.

(Type 2) An attacker who pays computational cost which is necessary for imposing modular exponentiation on the responder. In revised SIG-authentication, for example, the attacker should really verify the responder's signature in order to construct a correct modified hash.

PKE-authentication, SIG-authentication, and revised PKE-authentication are implemented with famous encryption/signature schemes such as RSA, ElGamal, DSA, and Schnorr [4]. Regarding the cost of RSA, we ignore the cost of encryption or signature verification assuming that a relatively small exponent is used in RSA encryption or signature verification [7]. This allows better performance in the conventional schemes. Regarding the cost of modular exponentiation in RF-material generation, it is assumed that precomputation is available both for the attacker and for the responder. DH public values are also assumed to be precomputed. The computational cost is determined by the number of non-trivial modular multiplications and each multiplication costs in proportion to the size of the modulus (in bits).

In the case of an attacker of Type 1, the computational cost per request is summarized as follows.

Cost on the attacker's side:

PKE-authentication (RSA): 0
PKE-authentication (ElGamal): 0
revised PKE-authentication (RSA): 0
revised PKE-authentication (ElGamal): 0
SIG-authentication (RSA): 0
SIG-authentication (ElGamal): 0
SIG-authentication (DSA): 0
SIG-authentication (Schnorr): 0
revised SIG-authentication (SDSS): 0
revised SIG-authentication (Schnorr): 0

Cost on the responder's side:

PKE-authentication (RSA): $0.375|n| = 384$
PKE-authentication (ElGamal): $1.5|p| = 1536$
revised PKE-authentication (RSA): $0.375|n| = 384$
revised PKE-authentication (ElGamal): $1.5|p| = 1536$
SIG-authentication (RSA): $0.375|n| = 384$
SIG-authentication (ElGamal): $4.5|p| = 4608$
SIG-authentication (DSA): $3|q| = 480$
SIG-authentication (Schnorr): $3|q| = 480$
revised SIG-authentication (SDSS): 0
revised SIG-authentication (Schnorr): 0

where $n$ is the RSA composite and $|n|$ indicates the size of it (in bits). Recommended sizes are, say, $|n| = |p| = 1024$ and $|q| = 160$. The numerical results are based on this assignment. In revised SIG-authentication, different from the conventional authentications, the responder does not have to pay expensive cost for the requests from attackers of Type 1 who cannot send a correct modified hash.

In the case of an attacker of Type 2, the verification cost of the responder's signature is estimated by assuming the help of simultaneous multiple exponentiation (SME), which is attributed by ElGamal [12] to Shamir and well summarized in [4]. This assumption reduces the cost on the attacker's side. By contrast, the attacker's signature is not assumed to be verified with the help of SME. This is because the responder does not want to pay precomputation cost for SME in preparation for Type 1 attackers. It should be noted that the responder does not know whether the attacker is of Type 1 or of Type 2 in advance. The computational cost per request is then summarized as follows.

Cost on the attacker's side:

PKE-authentication (RSA): 0
PKE-authentication (ElGamal): 0
revised PKE-authentication (RSA): 0
revised PKE-authentication (ElGamal): 0
SIG-authentication (RSA): 0
SIG-authentication (ElGamal): 0
SIG-authentication (DSA): 0
SIG-authentication (Schnorr): 0
revised SIG-authentication (SDSS): $1.75|q| = 280$
revised SIG-authentication (Schnorr): $1.75|q| = 280$

Cost on the responder's side:

PKE-authentication (RSA): $0.375|n| = 384$
PKE-authentication (ElGamal): $1.5|p| = 1536$
revised PKE-authentication (RSA): $0.375|n| = 384$
revised PKE-authentication (ElGamal): $1.5|p| = 1536$
SIG-authentication (RSA): $0.375|n| = 384$
SIG-authentication (ElGamal): $4.5|p| = 4608$
SIG-authentication (DSA): $3|q| = 480$
SIG-authentication (Schnorr): $3|q| = 480$
revised SIG-authentication (SDSS): $3|q| = 480$
revised SIG-authentication (Schnorr): $3|q| = 480$

The attacker of Type 2 does not have to pay computational cost in the conventional authentications, while revised SIG-authentication imposes computational cost which is $\frac{1.75|q|}{3|q|} = 58.3\%$ of that on the responder's side. Thus the attacker must exhaust the same order of computational resource if he/she wants to exhaust the responder's resource.

It should be noted that revised SIG-authentication does not reduce the efficiency in a normal situation where no DoS-attackers appear; it adds neither computational load nor communication overhead. In SIG-authentication with Schnorr's signature or DSA, anyway, the initiator constructs hash payload and the responder checks it. The difference is in whether an intermediate variable obtained during the signature-verification procedure is used as an additional input to the initiator's hash payload or not. In conclusion, the revised SIG-authentication is the most DoS-resistant while keeping the efficiency of Aggressive Mode.

V. Discussion on Security

A. Assumption

In the proposed protocol, security of secret keys relies on the hardness of discrete-logarithm (DL) problem. Let us consider whether this requires an additional assumption or not. ISAKMP/Oakley in itself is not devoted to any specific encryption/signature schemes. However, it is restricted to the use of DH public values for keying. This means that the difficulty of DL problem is assumed in the security consideration of ISAKMP/Oakley since the DH problem is at most as hard as the DL problem [13]. Hence we can say that the proposed version does not require any additional assumption regarding the security in that sense.

B. Memory Exhaustion

When the responder has sufficient memory such that precomputed values are never exhausted, the proposed protocol alone well defeats DoS attacks. When insufficient, specific DoS-resistance is not trivial although the proposed falling-together strategy allows us to assume memory exhaustion is more significant than CPU exhaustion. Aiming at DoS-resistance regarding memory exhaustion, we can use network ingress filter (NIF) [14]. NIF routers restrict outgoing traffic to known valid prefixes. This subsection studies how significantly our proposal and NIF contribute to the system availability.

(Model)

NIF limits the amount of bogus packets per attack. We assume that the attackers use the same number ($M$) of bogus requests per attack. The proposed strategy in key-agreement protocol reduces the damage caused by bogus requests; responders have only to pay for precomputation. We can interpret the cost-reduction effect by replacing $M$ with $\gamma M$ where $\gamma \le 1$. We will refer to $\gamma$ as cost-reduction coefficient. For simplicity, the following analysis deals with the most pessimistic situation such that $\gamma = 1$. It should be noted that the falling-together strategy would give better DoS-resistance if the implementation is optimized to reduce the cost-reduction coefficient. The analysis considers a statistically equilibrated model whose state-transition diagram is illustrated in Fig. 4. As typical parameter assignment, we use

• $C = 10000$ as responder's memory capacity for precomputed materials,
• $R = 0.001$ as rate of valid request, and
• $M = 256$ as the number of bogus requests per attack.

Precomputation power $U$ was kept constant as a time unit. We considered the same security level as in the previous section, i.e., $|p| = 1024$ and $|q| = 160$. So if the performance level is in the order of several hundreds Kbps for public-key primitives, $C = 10000$ corresponds to a few MB memory. In this case, $R = 0.001$ causes a few valid requests per minute. We can interpret the state-transition diagram into a set of equations as follows.

$$\frac{dP_C}{dt} = U P_{C-1} - (D + R) P_C \tag{11}$$

$$\frac{dP_i}{dt} = U P_{i-1} - (D + R + U) P_i + R P_{i+1} \qquad (C - \gamma M < i < C) \tag{12}$$

$$\frac{dP_i}{dt} = U P_{i-1} - (D + R + U) P_i + R P_{i+1} + D P_{i+\gamma M} \qquad (0 < i \le C - \gamma M) \tag{13}$$

$$\frac{dP_0}{dt} = -U P_0 + R P_1 + D \sum_{j=1}^{\gamma M} P_j \tag{14}$$

$$\sum_{j=0}^{C} P_j = 1 \tag{15}$$

where $P_i$ is the probability that the server is in state $i$ and $D$ represents the rate of bogus request. When statistically equilibrated, we can set each derivative $\frac{dP_i}{dt}$ to be zero. Thus $P_0, P_1, \cdots, P_C$ can be computed by solving the resultant following linear equations.

$$U P_{C-1} - (D + R) P_C = 0 \tag{16}$$

$$U P_{i-1} - (D + R + U) P_i + R P_{i+1} = 0 \qquad (C - \gamma M < i < C) \tag{17}$$

$$U P_{i-1} - (D + R + U) P_i + R P_{i+1} + D P_{i+\gamma M} = 0 \qquad (0 < i \le C - \gamma M) \tag{18}$$

$$\sum_{j=0}^{C} P_j = 1 \tag{19}$$

where $P_i$ is the probability that the responder is in state $i$. $P_0$ is called blocking probability since precomputed materials are exhausted in state 0.

[Figure: state-transition diagram over states $0, \cdots, C$ with transitions labelled $D\,dt$, $R\,dt$, $U\,dt$ and self-loops $1 - (D+R+U)\,dt$.]

Fig. 4. State-transition diagram of a responder in an ingress-filtered network. Each state is represented by the number of available sets of precomputed materials.

(Results)

Figure 5 shows blocking probability $P_0$ as a function of rate of attack $D$. The blocking probability $P_0$ is lower than 10% even if the rate of attack $D$ is 0.1. This suggests the responder is usually alive even when attacked by several hundred sets of bogus requests per minute.

[Figure: plot of Blocking Probability $P_0$ [%] against Rate of Bogus Request.]

Fig. 5. Blocking probability as a function of rate of attack when each attack is composed of $M = 256$ bogus requests. The cost-reduction coefficient is assumed to be 1.

VI. Concluding Remarks

A "falling-together" strategy was used to construct a DoS-resistant resolution of three-pass ISAKMP/Oakley key-agreement (Phase 1). As a result, attackers fear their own resource exhaustion. Thus we obtain a deterrent to DoS attacks. If we consider key-agreement protocols in upper layers, one may argue that DoS protection should rely not on key-agreement protocols but on a lower-layer mechanism. In the development of the next-generation Internet, however, even a network-layer protocol is going to be equipped with security mechanisms including public-key cryptography. This motivated us to modify currently known versions of ISAKMP/Oakley or IKE in IPv6; the proposed version provides a significantly better resistance against CPU-exhaustion attack in IP layer itself. In our analysis, memory exhaustion was also considered in a non-optimized ingress-filtered network. For typical parameter assignment, the responder is usually alive even when attacked by several hundred sets of bogus requests per minute. If the implementation is optimized to make better use of the falling-together strategy for cost-reduction on the responder's side, DoS-resistance would be more significantly improved.

References

[1] D. Harkins and D. Carrel, "The resolution of ISAKMP with Oakley," Internet Draft, draft-ietf-ipsec-isakmp-oakley-33.txt
[2] D. Harkins and D. Carrel, "The Internet Key Exchange (IKE)," rfc2409, Nov. 1998.
[3] W. Diffie and M. Hellman, "New directions in cryptography," IEEE Trans. Information Theory, vol. IT-22, no. 6, pp. 644-654, 1976.
[4] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, Inc., Boca Raton, Florida, 1996.
[5] K. Matsuura and H. Imai, "Protection of authenticated key-agreement protocol against a denial-of-service attack," Proceedings of 1998 International Symposium on Information Theory and Its Applications (ISITA'98), pp. 466-470, Oct. 1998.
[6] R. Canetti, P. Cheng, and H. Krawczyk, "A revised encryption mode for ISAKMP/Oakley," Internet Draft, draft-ietf-ipsec-revised-enc-mode-01.txt, July 1997.
[7] Y. Zheng, "Digital Signcryption or How to Achieve Cost(Signature & Encryption)