The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Kanta MATSUURA, Hideki IMAI, "Modified Aggressive Mode of Internet Key Exchange Resistant against Denial-of-Service Attacks," IEICE TRANSACTIONS on Information, vol. E83-D, no. 5, pp. 972-979, May 2000.
Abstract: Internet Key Exchange (IKE) is very important as an entrance to secure communication over the Internet. The first phase of IKE is based on the Diffie-Hellman (DH) key-agreement protocol. Since the DH protocol on its own is vulnerable to man-in-the-middle (MIM) attack, IKE provides authentication to protect the protocol from MIM. This authentication owes a lot to public-key primitives whose implementation includes modular exponentiation. Since modular exponentiation is computationally expensive, attackers are motivated to abuse it for Denial-of-Service (DoS) attacks; the computational burden caused by malicious requests may exhaust the CPU resources of the target. DoS attackers can also abuse the inappropriate use of Cookies in IKE: as an anti-clogging token, a Cookie must eliminate the responder's state during the initial exchanges of the protocol, while IKE Cookies do not. Thus a large number of malicious requests may exhaust the memory resources of the target. In search of resistance against those DoS attacks, this paper first reviews the DoS-resistance of the current version of IKE and basic ideas on DoS-protection. The paper then proposes a DoS-resistant version of three-pass IKE Phase 1 in which attackers are discouraged by the heavy stateful computation they must do before the attack really burdens the target. DoS-resistance is evaluated in terms of the computational cost and the memory cost caused by bogus requests. The result shows that the proposed version gives the largest ratio of the attacker's cost to the responder's cost.
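The anti-clogging idea the abstract describes, as an added Python sketch that is not the paper's protocol or code: the responder keeps no state and does no modular exponentiation until the initiator echoes a cookie, while an honest initiator must hold its secret exponent across the round trip and pay for g^x first. The tiny DH group, the addresses and the HMAC-based cookie construction are constructed assumptions.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1  # toy DH group (a Mersenne prime), constructed; real IKE uses large MODP groups
G = 3


class Responder:
    def __init__(self):
        self.secret = secrets.token_bytes(32)  # responder-only secret, rotated in practice
        self.sessions = {}                     # created only after a valid cookie returns
        self.exponentiations = 0               # modular exponentiations performed so far

    def cookie_for(self, src_ip, src_port):
        # HMAC over the peer's claimed address and the secret: recomputable later,
        # so nothing per request has to be stored between pass 1 and pass 2.
        msg = f"{src_ip}:{src_port}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]

    def pass1(self, src_ip, src_port):
        # Pass 1: answer with the cookie only; no memory and no exponentiation.
        return self.cookie_for(src_ip, src_port)

    def pass2(self, src_ip, src_port, cookie, initiator_pub):
        # Pass 2: verify the cookie statelessly; only then pay for DH and keep state.
        if not hmac.compare_digest(cookie, self.cookie_for(src_ip, src_port)):
            return None
        y = secrets.randbelow(P - 2) + 2
        self.exponentiations += 2              # g^y and (g^x)^y
        self.sessions[(src_ip, src_port, cookie)] = pow(initiator_pub, y, P)
        return pow(G, y, P)


def spoofed_flood(n):
    """Spoofed-source pass-1 flood; returns (sessions stored, exponentiations) at the responder."""
    r = Responder()
    for i in range(n):
        r.pass1(f"10.0.{i // 256}.{i % 256}", 500)  # cookies go to addresses the sender never sees
    return len(r.sessions), r.exponentiations


def honest_exchange():
    """Initiator holds x across the round trip; returns (forged-cookie result, keys agree, cost)."""
    r = Responder()
    x = secrets.randbelow(P - 2) + 2
    initiator_pub = pow(G, x, P)               # initiator pays one exponentiation up front
    cookie = r.pass1("192.0.2.1", 500)
    forged = r.pass2("192.0.2.1", 500, bytes(16), initiator_pub)  # wrong cookie: rejected
    responder_pub = r.pass2("192.0.2.1", 500, cookie, initiator_pub)
    agree = pow(responder_pub, x, P) == r.sessions[("192.0.2.1", 500, cookie)]
    return forged, agree, r.exponentiations
```

A flood of spoofed pass-1 messages leaves the responder with zero sessions and zero exponentiations, which is the property the abstract says IKE Cookies fail to give.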
URL: https://global.ieice.org/en_transactions/information/10.1587/e83-d_5_972/_p
@ARTICLE{e83-d_5_972,
author={Kanta MATSUURA and Hideki IMAI},
journal={IEICE TRANSACTIONS on Information},
title={Modified Aggressive Mode of Internet Key Exchange Resistant against Denial-of-Service Attacks},
year={2000},
volume={E83-D},
number={5},
pages={972-979},
keywords={},
doi={},
ISSN={},
month={May},}