FPAC: fast, fixed-cost authentication for access to reserved resources

Proceedings - IEEE INFOCOM - Volume 2 - Pages 1049-1058 vol.2
K.L. Calvert1, S. Venkatraman1, J.N. Griffioen1
1Laboratory for Advanced Networking, University of Kentucky, Lexington, USA

Abstract

Enhanced network services often involve allocating resources (bandwidth/buffer space) preferentially to packets belonging to certain flows or traffic classes. Such services are vulnerable to denial-of-service attacks if packet classification is based on information that can be forged, such as source and destination addresses and port numbers. Traditional message authentication codes (MACs), often considered the only solution to this problem, are really not designed to solve it. In particular, their per-packet costs are so high that they enable another form of denial-of-service attack based on overwhelming the verification mechanism. We describe the problem of denial of access to reserved resources and the inadequacies of conventional solutions. We then observe that it is reasonable to trade some of the strong security guarantees provided by conventional MACs for a lower per-packet cost. We propose a new packet authentication algorithm, designed to solve the problem of protecting reserved resources, with a very low, fixed per-packet cost. While it cannot replace conventional MACs for end-to-end authentication, we argue that it is a better solution for the problem considered here. We present measurements from a prototype implementation that can verify a packet of arbitrary size in as few as 1000 machine cycles on an Intel architecture machine.

Keywords

Costs; Computer crime; Resource management; Bandwidth; Telecommunication traffic; Message authentication; Security; Algorithm design and analysis; Protection; Size measurement
