Re: [TLS] TLS Client Puzzles
Erik Nygren <erik+ietf@nygren.org> Thu, 02 July 2015 22:33 UTC
Return-Path: <nygren@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAC101AC400 for <tls@ietfa.amsl.com>; Thu, 2 Jul 2015 15:33:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.677
X-Spam-Level:
X-Spam-Status: No, score=-0.677 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_31=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dUucZI2KXqRf for <tls@ietfa.amsl.com>; Thu, 2 Jul 2015 15:33:53 -0700 (PDT)
Received: from mail-ie0-x229.google.com (mail-ie0-x229.google.com [IPv6:2607:f8b0:4001:c03::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A51DC1AC3EE for <tls@ietf.org>; Thu, 2 Jul 2015 15:33:53 -0700 (PDT)
Received: by ieqy10 with SMTP id y10so66552973ieq.0 for <tls@ietf.org>; Thu, 02 Jul 2015 15:33:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=y7WUnyTXZVdlHBSi0TWPRWp33edyPuAuZ8xhxk4F6To=; b=V0m310iaZK/DwYbKDcRp3Jd7STOHlXPVjM73oGv6rB/CBwIoDAGeEZeD5uryLaR5Dx oE5loWSEUNNwrbw1y6RGdN3b5Myyw3oz/x5v+xdBBUcmcJnvqoEr4vAMBlPyYx6rnWEx 6D06dNsxB/agi9vbidvHPQu/Ylxjc0EFDOCCjwzA1zm1T1Do2kuVU6YfsXPGH0beZS5B P1q8rBcUUMkDTUJh+w/3aGUXUIg+zObbGmo1+bveYXBCYr7qyaA2Bjf4crQ/Nwgs1IgE O2htKq0W1gRtCwIe8y9EDg4Aj42yE9EKnYJYL7n9WGjbLxqtciLhjF/BOku1W/RvvGoi /9yg==
MIME-Version: 1.0
X-Received: by 10.42.144.131 with SMTP id b3mr15228215icv.35.1435876432969; Thu, 02 Jul 2015 15:33:52 -0700 (PDT)
Sender: nygren@gmail.com
Received: by 10.79.104.193 with HTTP; Thu, 2 Jul 2015 15:33:52 -0700 (PDT)
In-Reply-To: <8471B245-2B66-4F4D-8675-3A0F64E5681F@gmail.com>
References: <CAKC-DJjfq_Lw6ovX=sVFt3=4q_4CYo_N79PZFx+LrGj7DbLK+w@mail.gmail.com> <8471B245-2B66-4F4D-8675-3A0F64E5681F@gmail.com>
Date: Thu, 02 Jul 2015 18:33:52 -0400
X-Google-Sender-Auth: u5OhkgNTSahehLj_dVXeQ85lqwY
Message-ID: <CAKC-DJj1B92s=ZgRcXbajEvZftdQM=stWVi+Uk+uS5=XcWJmMg@mail.gmail.com>
From: Erik Nygren <erik+ietf@nygren.org>
To: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="90e6ba1efd28ba88c80519ec080d"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/kFg_yFbAoLFfABdPitFyEk8Gcag>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS Client Puzzles
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jul 2015 22:33:56 -0000
Hi, Yoav. Brandon Williams pointed that IPsecME doc out to me earlier today and it's linked from later on in the draft. I was proposing something very similar using a SHA256 or HMAC-SHA256 as a starting point. Based on discussion here last year, I let the puzzle level parameter be specified directly (rather than as an exponent) as that allows servers to scale difficulty more linearly. I believe that for this proposed puzzle, the average solution time should be half the worst-case time for a given client (but the best case could be better). Incorporating a puzzle with a memory-hard component (I give one poor example where that component is symmetric) may be an option for mobile clients who are more CPU constrained than memory-bandwidth constrained. We have some other ideas here we're still exploring. Thanks, Erik On Thu, Jul 2, 2015 at 6:23 PM, Yoav Nir <ynir.ietf@gmail.com> wrote: > Hi, Erik > > You might be interested in the similar work we’re doing at IPsecME: > https://tools.ietf.org/html/draft-ietf-ipsecme-ddos-protection-01#section-3 > > After discussing multiple puzzle schemes, we (for now) settled on a puzzle > that uses a MAC function such as HMAC-SHA256. > > The server sets the puzzle level to n and generates a calculable challenge > (for TLS it could be random). The client finds a key k for the MAC function > such the result of MAC(k,challenge) has at least n trailing zero bits. > > The expected time to solve such a puzzle is 2^n invocations of the MAC > function. There are two issues: > 1. The time it takes to find a key that works varies a lot. A puzzle > that takes on average 1 second to solve could take an unlucky client half a > minute. > 2. Clients are diverse. Mobile phones and embedded devices are far > weaker than desktop computers. What’s hard enough for one machine is too > hard for another. > > We can solve #1 by increasing the number or required distinct solutions > while reducing the number of zero bits: > http://www.ietf.org/mail-archive/web/ipsec/current/msg09844.html > > We don’t know how to solve #2. > > Yoav > > On Jul 3, 2015, at 12:40 AM, Erik Nygren <erik+ietf@nygren.org> wrote: > > Following a discussion last year in Denver, I've written up a proposal > for a TLS Client Puzzles extension. It is specific to TLS 1.3 in that > it is constructed using the HelloRetryRequest request flow (although > it could be adapted to HelloVerifyRequest with prior versions of DTLS). > > The puzzles here are placeholders meant as a starting-point for discussion > (and also take in some feedback from discussions on this list last year) > and will likely evolve. > > Erik > > > ---------- Forwarded message ---------- > From: <internet-drafts@ietf.org> > Date: Thu, Jul 2, 2015 at 5:30 PM > Subject: New Version Notification for > draft-nygren-tls-client-puzzles-00.txt > To: Erik Nygren <erik+ietf@nygren.org> > > > > A new version of I-D, draft-nygren-tls-client-puzzles-00.txt > has been successfully submitted by Erik Nygren and posted to the > IETF repository. > > Name: draft-nygren-tls-client-puzzles > Revision: 00 > Title: TLS Client Puzzles Extension > Document date: 2015-07-02 > Group: Individual Submission > Pages: 12 > URL: > https://www.ietf.org/internet-drafts/draft-nygren-tls-client-puzzles-00.txt > Status: > https://datatracker.ietf.org/doc/draft-nygren-tls-client-puzzles/ > Htmlized: > https://tools.ietf.org/html/draft-nygren-tls-client-puzzles-00 > > > Abstract: > Client puzzles allow a TLS server to defend itself against asymmetric > DDoS attacks. In particular, it allows a server to request clients > perform a selected amount of computation prior to the server > performing expensive cryptographic operations. This allows servers > to employ a layered defense that represents an improvement over pure > rate-limiting strategies. > > Client puzzles are implemented as an extension to TLS 1.3 > [I-D.ietf-tls-tls13] wherein a server can issue a HelloRetryRequest > containing the puzzle as an extension. The client must then resend > its ClientHello with the puzzle results in the extension. > > > > > Please note that it may take a couple of minutes from the time of > submission > until the htmlized version and diff are available at tools.ietf.org. > > The IETF Secretariat > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > > >
- [TLS] TLS Client Puzzles Erik Nygren
- Re: [TLS] TLS Client Puzzles Yoav Nir
- Re: [TLS] TLS Client Puzzles Erik Nygren
- Re: [TLS] TLS Client Puzzles Douglas Stebila
- Re: [TLS] TLS Client Puzzles Jeffrey Walton
- Re: [TLS] TLS Client Puzzles Tony Arcieri
- Re: [TLS] TLS Client Puzzles Erik Nygren
- Re: [TLS] TLS Client Puzzles Watson Ladd
- Re: [TLS] TLS Client Puzzles Brian Sniffen
- Re: [TLS] TLS Client Puzzles Watson Ladd
- Re: [TLS] TLS Client Puzzles Brian Sniffen
- Re: [TLS] TLS Client Puzzles Watson Ladd
- Re: [TLS] TLS Client Puzzles Dave Garrett
- Re: [TLS] TLS Client Puzzles Brian Sniffen
- Re: [TLS] TLS Client Puzzles Martin Thomson
- Re: [TLS] TLS Client Puzzles Jeffrey Walton
- Re: [TLS] TLS Client Puzzles Martin Thomson