IETF Logo Mail Archive

Re: [IPsec] DDoS puzzle: PRF vs Hash

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Sun, 01 February 2015 18:39 UTC

Return-Path: <sfluhrer@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C57861A8AEA for <ipsec@ietfa.amsl.com>; Sun, 1 Feb 2015 10:39:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -13.911
X-Spam-Level:
X-Spam-Status: No, score=-13.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_41=0.6, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zt1nnwmR9TAR for <ipsec@ietfa.amsl.com>; Sun, 1 Feb 2015 10:39:02 -0800 (PST)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D5311A8AE3 for <ipsec@ietf.org>; Sun, 1 Feb 2015 10:39:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4301; q=dns/txt; s=iport; t=1422815942; x=1424025542; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=A85WS1pXYTWiCHG31rfItAhjByoZAgvI5xPMk+9L1GE=; b=g1RDQu24zwA4BkLhGUEQX3C6hfWo3bKYVea+mHujwQZz669SjJSy7AdT BTS0JkLo8H+LZcFVyF3+Rou9Bo8PzjxXtMb+ZoRKIHPbQkZiQ3MMGCsYy tMj0xEGyCLpIBgVbiH1hV9BeeMkGpaIhwqw/hqXN6fRVfFY0pBPWAWWXC Y=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AnMFAFNyzlStJV2T/2dsb2JhbABbgwZSWQTEUQqFcQKBEkMBAQEBAX2EDAEBAQQBAQE3NAsMBAIBCBEEAQEBChQJByEGCxQJCAIEAQ0FCBOHfgMRDcw9DYVQAQEBAQEBAQEBAQEBAQEBAQEBAQEBEwSNToF5MQcGgxCBEwWPCYdfgl2LSIJAgz0iggEdgVBvgUR+AQEB
X-IronPort-AV: E=Sophos;i="5.09,503,1418083200"; d="scan'208";a="392582945"
Received: from rcdn-core-11.cisco.com ([173.37.93.147]) by rcdn-iport-4.cisco.com with ESMTP; 01 Feb 2015 18:38:45 +0000
Received: from xhc-aln-x15.cisco.com (xhc-aln-x15.cisco.com [173.36.12.89]) by rcdn-core-11.cisco.com (8.14.5/8.14.5) with ESMTP id t11IciPg013755 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Sun, 1 Feb 2015 18:38:44 GMT
Received: from xmb-rcd-x04.cisco.com ([169.254.8.3]) by xhc-aln-x15.cisco.com ([173.36.12.89]) with mapi id 14.03.0195.001; Sun, 1 Feb 2015 12:38:44 -0600
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>, Yoav Nir <ynir.ietf@gmail.com>
Thread-Topic: [IPsec] DDoS puzzle: PRF vs Hash
Thread-Index: AQHQPApmyeO+d1j/8UOVDEGtNVHlU5zYCYeAgAAdRoCAAGCfSYAAeYGAgAAPeQCAAJYfAIACTaCAgAAARYCAAINdgP//op6g
Date: Sun, 01 Feb 2015 18:38:44 +0000
Message-ID: <A113ACFD9DF8B04F96395BDEACB340420BEAB24A@xmb-rcd-x04.cisco.com>
References: <E3BB1487-8C5F-461B-9E9D-02F856131FDF@gmail.com> <54CAACAF.60806@gmail.com> <44373351-D8EB-454F-8BCC-8CD5CD0C32E2@gmail.com> <1DFDD936EE8A4C08BBCD6621F93D1D8F@buildpc> <A4A75C75-0224-4108-90E4-8DB18289918B@gmail.com> <54CB8932.8010406@gmail.com> <C421438B-46B0-47B3-93C3-0868A2C1774F@gmail.com> <54C75880-8F6C-40AA-9F30-754D16BAD46D@gmail.com> <22BD2882-D15D-4280-AE2B-07C060FC1DE5@gmail.com> <54CE6429.2020800@gmail.com>
In-Reply-To: <54CE6429.2020800@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.86.240.219]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/30_tZekTBxdYPFVc6B1bXaEMtEQ>
Cc: IPsecME WG <ipsec@ietf.org>, Valery Smyslov <svanru@gmail.com>
Subject: Re: [IPsec] DDoS puzzle: PRF vs Hash
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Feb 2015 18:39:05 -0000

If you want to tighten up the time between worse case and average case time taken by the problem solver, might I suggest this:

- When the verifier is asked to generate a problem, it pick a nonce N, and use it to compute m k-bit values S_1, S_2, ..., S_m (for example, S_1 || S_2 || ... || S_m =  AES_key(N), where the AES key is secret to the verifier), and publish k, N, HASH(N, S_1), HASH(N, S_2), ..., HASH(N, S_m)

- To solve the problem, the solver needs to produce the values S_1, S_2, ..., S_m, and send back N, S_1, S_2, ..., S_m

- The verifier verifies that the value N was what was originally given (for example, the nonce might include the solver's IP address and a timestamp), and that the values S_1 ||  S_2 || ... || S_m  = AES_key(N||0), (or alternatively, that those values produces the hashes it sent).

The solver can always solve the problem by computing 2**k hashes; with moderate m, we can make it unlikely that it can be done with significantly fewer hashes; I would suggest m=4.

Of course, the cost of doing this is a) larger messages, and b) larger up-front cost generating the problem (which, IMHO, isn't too bad -- one AES encryption, and m hash computations; however, you are free to disagree).

-----Original Message-----
From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of Yaron Sheffer
Sent: Sunday, February 01, 2015 12:37 PM
To: Yoav Nir
Cc: IPsecME WG; Valery Smyslov
Subject: Re: [IPsec] DDoS puzzle: PRF vs Hash

Hi Yoav,

This is good, but I'm not sure if it's good enough. The ratio between min and max (which I trust more than the "mean +/- 3s" rule, because this is not a normal distribution) is consistently around 4. So if you have to design your timeouts on a particular machine, you would still have a lot of uncertainty. For comparison, could you try again with 64 replacing the 16 tries, and with lower bit lengths?

Thanks,
	Yaron

On 02/01/2015 11:46 AM, Yoav Nir wrote:
> And now it's really attached.
>
>
>
>
>> On Feb 1, 2015, at 11:45 AM, Yoav Nir <ynir.ietf@gmail.com> wrote:
>>
>>
>>> On Jan 31, 2015, at 12:35 AM, Yoav Nir <ynir.ietf@gmail.com> wrote:
>>>
>>>
>>>> On Jan 30, 2015, at 3:37 PM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:
>>>>
>>>> What I would suggest is: we give the client a single puzzle, and ask it to return 16 different solutions. Indeed each puzzle then should be 16X easier. The nice thing is, the server should only check *one* of them, at random. The client would still need to solve all of them because it doesn't want to risk the exchange being rejected because some solutions are invalid (the game theory is probably more complex than that, but I think what I'm saying is still close to the truth).
>>>>
>>>> So: the client does the same amount of work, the server does the same amount of work, but the client run-time is still much more deterministic.
>>
>> <snip />
>>
>>> Note that these are still single core results, and most laptops can do twice or four times as much. Now, I know that what I SHOULD be doing is to randomly generate 100 "cookies" and then calculate the times for different bit lengths for each of them, and then calculate mean and standard deviation. But just by looking, it looks like it's much closer to what we want. 16 bits would be a fine puzzle level for my laptop. No idea about a phone, although I could try to compile this and run it on an ARM-based appliance, which should match phones.
>>
>> OK. Now I have done it right. See attached. The data suggests that 15 or 16 bits is the level of puzzle that for this kind of hardware is challenging but not too onerous. Add another bit if we assume (probably correctly) that the vast majority of laptops have dual cores at least.
>>
>> I would like to run a similar test on an ARM processor, though. The capabilities of phones and tablets are all over the place, what with different versions of ARM processors and devices having anything from dual to octo-core, but it would be nice to get ballpark figures.
>>
>> Yoav
>>
>

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email