Network cryptographic services are provided by network devices to secure the secrecy, authenticity, integrity, or some combination of these properties, for messages sent over a network between communicating parties. The challenges of providing network cryptographic services are increased when the network includes components or users not trusted by the communicating parties. The Internet is a widely used network that includes components and users not trusted for secure communications.
Several cryptographic protocols have been developed for providing cryptographic services for messages transmitted over networks, such as the Internet, with non-trusted components and users. For example, an IPsec protocol has been promulgated to support virtual private networks (VPNs) on the Internet. IPsec is an open standard protocol for secure data transfer over the Internet as described in Request For Comments (RFC) 2401, among others, available at the time of this writing on the World Wide Web (www) at domain ietf.org.
A cryptographic protocol typically involves transforming “plaintext,” understandable by anyone using public information, into an encrypted message, also called “ciphertext.” As used here, plaintext includes data in data formats used by commercial software. The sender encrypts the plaintext with an encryption algorithm to generate the ciphertext. The ciphertext cannot practically be interpreted by anyone except the intended recipient. The interpretation by the intended recipient is usually accomplished using a secret shared with the sender, such as a long integer called a “key.”
The cryptographic protocol includes, in a data packet, the ciphertext along with a cryptographic header portion that describes parameters of the cryptographic protocol. The data packet is transferred over the network using a standard network protocol. For example, the packet is transferred using the Internet Protocol (IP). Anyone on the network can determine the network address that originated the packet and the address of the intended recipient from the IP packet, and can even determine the cryptographic protocol being used from the cryptographic header portion. However, no one but the intended recipient can determine the plaintext from the ciphertext in a practical period of time. The recipient can decrypt the message using a decryption algorithm and the secret.
In some protocols, a successful decryption ensures that the data has not been modified or that the source of the message is authentic or both. For example, an IPsec packet includes an IPsec header, a first ciphertext section of variable length containing the data being sent and the transport protocol identifying the process to receive the data, and a second section of fixed length, called a message authentication code (MAC). When the MAC is verified, it is determined that the message originated at an authentic source and has not been altered. A MAC can be formed using a pseudorandom hash function and a secret key. The MAC in the second section is verified if it equals the value obtained by inputting the first ciphertext section, together with the secret key known only to the sender and receiver, into the hash function. A verified MAC indicates both that the data has not been modified (data integrity authentication) and that the sender is the source of the data (origin authentication).
In many systems, a trusted network device, such as a trusted router or trusted gateway server, on or near the boundary with a non-trusted portion of the network, performs the encryption and decryption for the security protocol. In such systems, unencrypted messages are included in data packets sent along trusted portions of the network.
A property of many cryptographic protocols is that the encryption algorithms or the decryption/verification algorithms, or both, consume considerable amounts of computational resources, including processing cycles and computer memory. Consequently, many such algorithms are implemented in circuitry that works on large numbers of binary digits (bits) at each clock cycle. Even so, the execution of the encryption and decryption circuits can limit the throughput (bits of plaintext transferred per second) of the network device providing the cryptographic service.
Cryptographic protocols are vulnerable to denial of service (DoS) attacks. A DoS attack is one in which a deluge of unwanted network traffic is directed at a particular network device, the “victim,” in an attempt to overwhelm the victim's computational resources and render the victim incapable of performing its normal functions. DoS attacks are a serious threat on the Internet due to the difficulty in tracing such attacks and due to the abundance of non-trusted hosts, which can be subverted and used without the knowledge of the hosts' operators. An influx of spurious messages claiming to be utilizing a cryptographic protocol can be generated by several subverted hosts. The spurious messages consume much of a victim's computational resources to perform the decryptions, only to determine that each message is not sensible, or has been tampered with, or is not from an authentic source. Legitimate messages from a sender may be boxed out from being processed by the victim; that is, the cryptographic service offered by the victim has been denied to the user of the service, the legitimate sender.
For example, a large number of spurious IPsec messages each with a reasonable IPsec header and great length can be generated by subverted hosts. The victim does not detect that any message is spurious until the MAC block fails to be verified. Attempting to verify the MAC consumes resources that increase with the length of the first ciphertext section. The network device providing the IPsec service becomes overwhelmed and might not respond to every legitimate IPsec message. Thus, a denial of service occurs.
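The MAC check and its cost can be made concrete with the following added example, which is not part of the original text. It assumes a simplified packet layout (an 8-byte header, a variable-length ciphertext section, and a 12-byte truncated HMAC-SHA-256 computed over header plus ciphertext); the layout, key, and function names are constructed for illustration and are not the IPsec wire format.

```python
import hashlib
import hmac
import struct

HDR = struct.Struct("!II")   # assumed header: security parameter index, sequence number
MAC_LEN = 12                 # assumed fixed MAC length (truncated HMAC-SHA-256)

def build_packet(key, spi, seq, ciphertext):
    # Sender side: the MAC is a keyed hash over everything that precedes it.
    header = HDR.pack(spi, seq)
    mac = hmac.new(key, header + ciphertext, hashlib.sha256).digest()[:MAC_LEN]
    return header + ciphertext + mac

def verify_packet(key, packet):
    """Return (verified, bytes_hashed) for one received packet."""
    if len(packet) < HDR.size + MAC_LEN:
        return False, 0      # too short to hold header and MAC: rejected for free
    body, mac = packet[:-MAC_LEN], packet[-MAC_LEN:]
    # The whole body must be hashed before the packet can be accepted or rejected.
    expected = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    return hmac.compare_digest(mac, expected), len(body)

def receiver_work(key, packets):
    """Return (accepted_count, bytes_hashed_on_rejected_packets)."""
    accepted, wasted = 0, 0
    for packet in packets:
        ok, hashed = verify_packet(key, packet)
        if ok:
            accepted += 1
        else:
            wasted += hashed
    return accepted, wasted

# Constructed sample data: one legitimate packet and four long packets whose
# headers look plausible but whose MAC field does not verify.
KEY = b"constructed-demo-key-not-secret!"
GOOD = build_packet(KEY, 0x1001, 1, b"\xaa" * 64)
SPURIOUS = [HDR.pack(0x1001, n) + b"\x00" * 1400 + b"\x00" * MAC_LEN
            for n in range(2, 6)]

if __name__ == "__main__":
    print(receiver_work(KEY, [GOOD] + SPURIOUS))
```

The second value returned by receiver_work grows linearly with the length of each rejected packet, which is the resource cost the passage above describes; only the length check rejects a packet without hashing it.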
One approach to protecting a network device from a DoS attack is to trace and track the spurious messages to determine the sources of the spurious messages, and then to filter out data packets from those sources. However, such an approach does not prevent the DoS attack but merely reacts to the attack after the DoS has occurred. Thus, tracing and tracking does not provide any guarantee for the availability of the cryptographic service.
Another approach is to force each sender to perform a significant amount of work for each message sent. For example, a client puzzle method proposed by RSA Data Security, Inc. defines a keyless challenge-and-response mechanism for the Transport Control Protocol (TCP) in client/server communications. This approach discourages a potential attacker from generating enough messages to swamp the victim. However, this approach uses a collision-resistant hash function on the challenge and response messages. The use of the collision-resistant hash is approximately as computationally intense as employing the MAC verification procedure that is already part of many conventional cryptographic protocols.
Based on the foregoing, there is a clear need for protection against DoS attacks aimed at cryptographic services, which protection is less computationally intense than verifying a message authentication code.
In general, there is a need for protection against DoS attacks aimed at resource intensive services, which protection is less resource intensive than performing the services.