Re: [Hipsec] Memory-bound puzzles in BEX
Robert Moskowitz <rgm@htt-consult.com> Fri, 28 May 2010 12:30 UTC
Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7EF533A6781 for <hipsec@core3.amsl.com>; Fri, 28 May 2010 05:30:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.03
X-Spam-Level:
X-Spam-Status: No, score=-0.03 tagged_above=-999 required=5 tests=[AWL=-0.031, BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UDHCuAKZvHsW for <hipsec@core3.amsl.com>; Fri, 28 May 2010 05:30:55 -0700 (PDT)
Received: from klovia.htt-consult.com (klovia.htt-consult.com [208.83.67.149]) by core3.amsl.com (Postfix) with ESMTP id 618343A6822 for <hipsec@ietf.org>; Fri, 28 May 2010 05:30:55 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by klovia.htt-consult.com (Postfix) with ESMTP id 9B0E668B94; Fri, 28 May 2010 12:14:20 +0000 (UTC)
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost (klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id flRPBMRadY+I; Fri, 28 May 2010 08:14:09 -0400 (EDT)
Received: from nc2400.htt-consult.com (h155.home.htt [208.83.67.155]) (Authenticated sender: rgm@htt-consult.com) by klovia.htt-consult.com (Postfix) with ESMTPSA id A739F68B4C; Fri, 28 May 2010 08:14:09 -0400 (EDT)
Message-ID: <4BFFB52E.4030804@htt-consult.com>
Date: Fri, 28 May 2010 08:21:02 -0400
From: Robert Moskowitz <rgm@htt-consult.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100430 Fedora/3.0.4-2.fc12 Thunderbird/3.0.4
MIME-Version: 1.0
To: Miika Komu <mkomu@cs.hut.fi>
References: <5E1C2F4F-6527-4FDC-9ED6-BC5358F7716A@cs.rwth-aachen.de> <4BFE90B5.7080308@cs.hut.fi> <4BFE93AB.8050309@htt-consult.com> <4BFF62A5.7060508@cs.hut.fi>
In-Reply-To: <4BFF62A5.7060508@cs.hut.fi>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Cc: hipsec@ietf.org
Subject: Re: [Hipsec] Memory-bound puzzles in BEX
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 May 2010 12:30:56 -0000
On 05/28/2010 02:28 AM, Miika Komu wrote: > On 27/05/10 18:45, Robert Moskowitz wrote: > > Hi, > >> On 05/27/2010 11:33 AM, Miika Komu wrote: >>> On 27/05/10 15:18, Tobias Heer wrote: >>> >>> Hi Tobias, >>> >>> I'd be leaning a bit towards CPU-bound puzzles but perhaps just >>> because we've been just using them earlier. Big puzzles of both types >>> can be problematic for e.g. sensor devices with limited memory and CPU >>> capabilities, so in that sense it's a tie. Perhaps it's actually >>> battery life (drained by CPU usage) time that seems to suffer from >>> technological advances, so perhaps that could used to promote either >>> of the types. >> >> Some good points. What is memory bound mean to a 8Gb notebook compared >> to a 64K sensor? How do you design a memory bound puzzle that fits each? >> Or does BEX have one and DEX have another? > > I think BEX and DEX should have the same puzzle. Maybe you could > artificially limit the puzzle difficulty in DEX and recommend a > smaller size (independently of what puzzle technology will be used). Can't entirely. DEX does not have a hash primative, nor the HMAC function. Dave McGrew has told me he was looking for a good compress function for HIT generation from a small ECC key, but this will not be good to use for the puzzle as the underlying hash. My plan is to build the puzzle around CMAC. I am not sure about how appropriate CMAC is for this. Another option is to use ECC encrypt function: find a keypair that encrypts a value to generate the puzzle. It would be very short keypairs.... >> Battery drain is a dangerous path to go down. Granted that CPU bound >> SHOULD be harder on a battery than memory bound. >> >> >>> >>> The current CPU-based puzzles are parallelizable which means that a >>> bot net could be used for solving a puzzle in a distributed way. >> >> Does this lead to memory bound puzzles as a way to mitigate botnet >> attacks against a puzzle? >> >>> As an alternative, we could also switch to serialized puzzles. >> >> I am not getting what a serialized puzzle is. > > Brent Waters, Ari Juels, J. Alex Halderman, and Edward W. Felten. > New Client Puzzle Outsourcing Techniques for DoS Resistance. In Pro- > ceedings of the 11th ACM conference on Computer and communications > security CCS ’04, 2004. URL? > > R.L. Rivest, A. Shamir, and D. Wagner. Time-lock puzzles and timed- > release crypto. Technical Report MIT/LCS/TR-684, MIT, 1996. Oh, time based. I THINK I get it. > >>> Anyway, I don't think this has big impact - I guess it's ok to >>> distribute the solving in the end. >>> >>>> Hi everyone, >>>> >>>> RFC5201 states that memory bound puzzles should be reconsidered for >>>> future versions of the document. The exact text is here: >>>> >>>> NOTE: The protocol developers explicitly considered whether >>>> a memory bound function should be used for the puzzle >>>> instead of a CPU-bound function. The decision was not to >>>> use memory-bound functions. At the time of the decision, the >>>> idea of memory-bound functions was relatively new and their >>>> IPR status were unknown. Once there is more experience >>>> about memory-bound functions and once their IPR status is >>>> better known, it may be reasonable to reconsider this >>>> decision. >>>> >>>> I am asking the list if the time for reconsideration has come. Should >>>> we delve deeper into non CPU-bound puzzles for RFC5201-bis or should >>>> we keep this note for future revisions. >>>> Is there anyone with a background on memory-bound puzzles interested >>>> in having them in RFC5201-bis? >>>> >>>> Best regards, >>>> >>>> Tobias >>>> >>>> >>>> >>>> >>>> >>> >>> _______________________________________________ >>> Hipsec mailing list >>> Hipsec@ietf.org >>> https://www.ietf.org/mailman/listinfo/hipsec >>> >> _______________________________________________ >> Hipsec mailing list >> Hipsec@ietf.org >> https://www.ietf.org/mailman/listinfo/hipsec > > _______________________________________________ > Hipsec mailing list > Hipsec@ietf.org > https://www.ietf.org/mailman/listinfo/hipsec >
- [Hipsec] Memory-bound puzzles in BEX Tobias Heer
- Re: [Hipsec] Memory-bound puzzles in BEX Miika Komu
- Re: [Hipsec] Memory-bound puzzles in BEX Robert Moskowitz
- Re: [Hipsec] Memory-bound puzzles in BEX Miika Komu
- Re: [Hipsec] Memory-bound puzzles in BEX Robert Moskowitz
- [Hipsec] [hipsec] Simultaneous end-host mobility … HU Zhangfeng