Abstract
Many cryptographic key exchange and key management protocols involve computationally expensive operations, such as modular exponentiations, and are therefore vulnerable to resource clogging attacks, in which an attacker forces a party to perform that work on behalf of bogus requests. This paper overviews and discusses the basic principles and the rationale behind an anti-clogging mechanism that was originally designed and proposed to protect the Photuris Session Key Management Protocol against resource clogging attacks. The mechanism was later approved by the IETF IPsec WG for inclusion in the Internet Key Management Protocol (IKMP), also known as the Internet Key Exchange (IKE) protocol. The paper introduces and discusses the Photuris anti-clogging mechanism, derives some design considerations, and elaborates on possibilities to use similar techniques to improve an existing HTTP state management protocol and to protect TCP/IP implementations against TCP SYN flooding attacks.
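The following is an added illustration of the anti-clogging principle the abstract refers to; it is not code from the paper or from any Photuris or IKE implementation. It assumes the general shape of the Photuris/IKE cookie exchange, in which the responder replies to an initial request with a cookie that is a keyed hash over the two parties' addresses and ports under a locally held secret, stores no per-initiator state, and performs the expensive modular exponentiation only after the initiator echoes a valid cookie back from the same address. The message layout, the use of HMAC-SHA256 truncated to 16 bytes, the epoch-based secret rotation, the demo addresses and port, and the small Diffie-Hellman modulus are all constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

Addr = Tuple[str, int]  # (ip, port)

# Constructed stand-in Diffie-Hellman parameters so the "expensive" step is
# a real modular exponentiation; a deployment would use a standardised group.
DH_PRIME = (1 << 127) - 1
DH_GENERATOR = 2


class AntiCloggingResponder:
    """Stateless responder: cheap cookie first, expensive crypto only after
    the initiator proves it can receive traffic at its claimed address."""

    COOKIE_LEN = 8 + 16  # 8-byte epoch || 16-byte truncated HMAC

    def __init__(self, secret: Optional[bytes] = None, period: int = 60):
        self.secret = secret if secret is not None else os.urandom(32)
        self.period = period          # seconds per secret-rotation epoch
        self.expensive_ops = 0        # modular exponentiations actually performed

    def _epoch(self, now: float) -> int:
        return int(now // self.period)

    def _mac(self, epoch: int, initiator: Addr, responder: Addr) -> bytes:
        # Binding the cookie to both endpoints means it is only useful to a
        # party that can actually receive packets sent to `initiator`.
        msg = "|".join(map(str, (epoch, *initiator, *responder))).encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]

    def cookie_request(self, initiator: Addr, responder: Addr, now: float) -> bytes:
        """Handle message 1: return a cookie. One MAC, no allocation, no state."""
        epoch = self._epoch(now)
        return epoch.to_bytes(8, "big") + self._mac(epoch, initiator, responder)

    def verify_cookie(self, cookie: bytes, initiator: Addr, responder: Addr, now: float) -> bool:
        if len(cookie) != self.COOKIE_LEN:
            return False
        epoch = int.from_bytes(cookie[:8], "big")
        current = self._epoch(now)
        # Accept the current and the immediately preceding epoch only, so a
        # cookie expires on rotation and a far-future epoch is rejected.
        if epoch not in (current, current - 1):
            return False
        return hmac.compare_digest(cookie[8:], self._mac(epoch, initiator, responder))

    def exchange_request(self, cookie: bytes, initiator: Addr, responder: Addr, now: float) -> Optional[int]:
        """Handle message 3: spend CPU on the exponentiation only for a valid cookie."""
        if not self.verify_cookie(cookie, initiator, responder, now):
            return None  # silently drop: nothing computed, nothing remembered
        self.expensive_ops += 1
        private = int.from_bytes(os.urandom(16), "big") % (DH_PRIME - 2) + 1
        return pow(DH_GENERATOR, private, DH_PRIME)


def run_demo() -> dict:
    """Exercise the honest path and the failure modes the mechanism is built for."""
    resp = AntiCloggingResponder(secret=b"constructed demo secret", period=60)
    responder_addr: Addr = ("192.0.2.1", 468)        # constructed; documentation range
    honest: Addr = ("198.51.100.7", 40000)
    other: Addr = ("203.0.113.9", 40000)
    t0 = 1_000_000.0
    results = {}

    cookie = resp.cookie_request(honest, responder_addr, t0)
    # Honest initiator echoes its cookie from the same address: work is done.
    results["honest_exchange"] = resp.exchange_request(cookie, honest, responder_addr, t0 + 1) is not None
    # The same cookie presented from a different address is worthless.
    results["replayed_from_other_address"] = resp.exchange_request(cookie, other, responder_addr, t0 + 1) is not None
    # An initiator that never received a cookie cannot forge one.
    forged = resp._epoch(t0).to_bytes(8, "big") + b"\x00" * 16
    results["forged"] = resp.exchange_request(forged, honest, responder_addr, t0 + 1) is not None
    # After the secret has rotated twice the genuine cookie is stale.
    results["expired"] = resp.exchange_request(cookie, honest, responder_addr, t0 + 3 * 60) is not None
    # A flood of cookie requests from spoofed sources costs one MAC each and
    # leaves no state behind; none of them reaches the expensive step.
    for i in range(10_000):
        resp.cookie_request((f"203.0.113.{i % 256}", 1024 + i), responder_addr, t0)
    results["expensive_ops"] = resp.expensive_ops
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point to notice is where the state lives: the responder keeps only its secret and the current epoch, so message 1 can be answered at line rate regardless of how many spoofed sources send it, and the exponentiation is reserved for initiators who have demonstrated reachability. The same shape underlies TCP SYN cookies, which the abstract names as a further application.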
Copyright information
© 1999 Springer Science+Business Media Dordrecht
Cite this chapter
Oppliger, R. (1999). Protecting Key Exchange and Management Protocols Against Resource Clogging Attacks. In: Preneel, B. (eds) Secure Information Networks. IFIP — The International Federation for Information Processing, vol 23. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-35568-9_11
DOI: https://doi.org/10.1007/978-0-387-35568-9_11
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4757-6487-1
Online ISBN: 978-0-387-35568-9