Re: [TLS] TLS Client Puzzles

Erik Nygren <erik+ietf@nygren.org> Thu, 02 July 2015 22:33 UTC

From: Erik Nygren <erik+ietf@nygren.org>
To: Yoav Nir <ynir.ietf@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/kFg_yFbAoLFfABdPitFyEk8Gcag>
Cc: "tls@ietf.org" <tls@ietf.org>

Hi, Yoav.  Brandon Williams pointed that IPsecME doc out to me earlier today
and it's linked from later on in the draft.

I was proposing something very similar using a SHA256 or HMAC-SHA256 as a
starting point. Based on discussion here last year, I let the puzzle level
parameter be specified directly (rather than as an exponent) as that allows
servers to scale difficulty more linearly. I believe that for this proposed
puzzle, the average solution time should be half the worst-case time for a
given client (but the best case could be better).

Incorporating a puzzle with a memory-hard component (I give one poor example
where that component is symmetric) may be an option for mobile clients who
are more CPU constrained than memory-bandwidth constrained.  We have
some other ideas here we're still exploring.

Thanks, Erik



On Thu, Jul 2, 2015 at 6:23 PM, Yoav Nir <ynir.ietf@gmail.com> wrote:

> Hi, Erik
>
> You might be interested in the similar work we’re doing at IPsecME:
> https://tools.ietf.org/html/draft-ietf-ipsecme-ddos-protection-01#section-3
>
> After discussing multiple puzzle schemes, we (for now) settled on a puzzle
> that uses a MAC function such as HMAC-SHA256.
>
> The server sets the puzzle level to n and generates a calculable challenge
> (for TLS it could be random). The client finds a key k for the MAC function
> such that the result of MAC(k,challenge) has at least n trailing zero bits.
>
> The expected time to solve such a puzzle is 2^n invocations of the MAC
> function. There are two issues:
>   1. The time it takes to find a key that works varies a lot. A puzzle
> that takes on average 1 second to solve could take an unlucky client half a
> minute.
>   2. Clients are diverse. Mobile phones and embedded devices are far
> weaker than desktop computers. What’s hard enough for one machine is too
> hard for another.
>
> We can solve #1 by increasing the number of required distinct solutions
> while reducing the number of zero bits:
> http://www.ietf.org/mail-archive/web/ipsec/current/msg09844.html
>
> We don’t know how to solve #2.
>
> Yoav
>
> On Jul 3, 2015, at 12:40 AM, Erik Nygren <erik+ietf@nygren.org> wrote:
>
> Following a discussion last year in Denver, I've written up a proposal
> for a TLS Client Puzzles extension.  It is specific to TLS 1.3 in that
> it is constructed using the HelloRetryRequest request flow (although
> it could be adapted to HelloVerifyRequest with prior versions of DTLS).
>
> The puzzles here are placeholders meant as a starting-point for discussion
> (and also take in some feedback from discussions on this list last year)
> and will likely evolve.
>
>         Erik
>
>
> ---------- Forwarded message ----------
> From: <internet-drafts@ietf.org>
> Date: Thu, Jul 2, 2015 at 5:30 PM
> Subject: New Version Notification for
> draft-nygren-tls-client-puzzles-00.txt
> To: Erik Nygren <erik+ietf@nygren.org>
>
>
>
> A new version of I-D, draft-nygren-tls-client-puzzles-00.txt
> has been successfully submitted by Erik Nygren and posted to the
> IETF repository.
>
> Name:           draft-nygren-tls-client-puzzles
> Revision:       00
> Title:          TLS Client Puzzles Extension
> Document date:  2015-07-02
> Group:          Individual Submission
> Pages:          12
> URL:
> https://www.ietf.org/internet-drafts/draft-nygren-tls-client-puzzles-00.txt
> Status:
> https://datatracker.ietf.org/doc/draft-nygren-tls-client-puzzles/
> Htmlized:
> https://tools.ietf.org/html/draft-nygren-tls-client-puzzles-00
>
>
> Abstract:
>    Client puzzles allow a TLS server to defend itself against asymmetric
>    DDoS attacks.  In particular, it allows a server to request clients
>    perform a selected amount of computation prior to the server
>    performing expensive cryptographic operations.  This allows servers
>    to employ a layered defense that represents an improvement over pure
>    rate-limiting strategies.
>
>    Client puzzles are implemented as an extension to TLS 1.3
>    [I-D.ietf-tls-tls13] wherein a server can issue a HelloRetryRequest
>    containing the puzzle as an extension.  The client must then resend
>    its ClientHello with the puzzle results in the extension.
>
>
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
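
The HMAC-SHA256 puzzle described in the quoted message, and the variant that asks for several distinct solutions with fewer zero bits, as an added example that is not part of the original thread or of either draft. Assumptions: trailing bits are taken from the digest read as a big-endian integer, candidate keys are an 8-byte counter, challenges are derived from a fixed string so the run is repeatable, and all function names are hypothetical.

```python
import hashlib
import hmac
import statistics

def trailing_zero_bits(digest: bytes) -> int:
    """Zero bits at the low end of the digest (big-endian read: an assumption)."""
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 if value == 0 else (value & -value).bit_length() - 1

def verify(challenge: bytes, key: bytes, level: int) -> bool:
    """Server side: a single MAC call, however long the client searched."""
    mac = hmac.digest(key, challenge, "sha256")
    return trailing_zero_bits(mac) >= level

def solve(challenge: bytes, level: int, count: int = 1, max_tries: int = 1 << 24):
    """Client side: brute-force `count` distinct keys; returns (keys, MAC calls)."""
    keys, tries = [], 0
    while len(keys) < count and tries < max_tries:
        key = tries.to_bytes(8, "big")  # counter as candidate key (constructed)
        tries += 1
        if verify(challenge, key, level):
            keys.append(key)
    if len(keys) < count:
        raise RuntimeError("work budget exhausted before the puzzle was solved")
    return keys, tries

def verify_all(challenge: bytes, keys: list, level: int, count: int) -> bool:
    """Server side, multi-solution variant: reject short or repeated answers."""
    return (len(keys) == count == len(set(keys))
            and all(verify(challenge, k, level) for k in keys))

def work_spread(level: int, count: int, trials: int = 100):
    """Mean and std deviation of client MAC calls over constructed challenges."""
    work = [solve(hashlib.sha256(b"constructed-%d" % i).digest(), level, count)[1]
            for i in range(trials)]
    return statistics.mean(work), statistics.pstdev(work)

if __name__ == "__main__":
    # Same expected work (about 2**10 MAC calls), very different spread.
    print("1 solution  x 10 bits:", work_spread(10, 1))
    print("8 solutions x  7 bits:", work_spread(7, 8))
```

Both settings cost the client about 1024 MAC calls on average, but splitting the work into eight 7-bit solutions narrows the spread, at the price of eight MAC calls per verification on the server.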