Protocol Engineering for Protection against Denial-of-Service Attacks by Suratose Tritilanunt Thesis submitted in accordance with the regulations for the Degree of Doctor of Philosophy Information Security Institute Faculty of Information Technology Queensland University of Technology January 19, 2009
218
Embed
Protocol Engineering for Protection against Denial-of ... · Protocol Engineering for Protection against Denial-of-Service Attacks by ... Another objective is to extend formal analysis
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Protocol Engineering for Protectionagainst Denial-of-Service Attacks
by
Suratose Tritilanunt
Thesis submitted in accordance with the regulations for
the Degree of Doctor of Philosophy
Information Security InstituteFaculty of Information Technology
Queensland University of Technology
January 19, 2009
Keywords
Denial of service attacks, Denial of service resistance, Key establishment proto-
Similar to the original work from Juels and Brainard [62], the complexity is
one or two hash functions for the construction and the verification. However,
the client’s computational cost would be up to k hash operations because the
number of trials is up to k. Thus fast construction and verification as well as
linear granularity for fine grained control are the strengths of this construction.
However, it is still susceptible to distribution and parallel processing attacks, as
is the original hash-based reversal scheme.
2.3.3 Repeated-Squaring: Time-Lock Puzzles
Time-Lock Puzzles were developed by Rivest et al. [112] in 1996. The major
goal of this technique is to defeat the high-end adversaries who attempt to solve
puzzles more quickly by using parallel computers. Time-lock puzzles rely on
the notion that a client has to spend a pre-determined amount of computation
time performing repeated squaring to search for a solution. To achieve this goal,
the responder estimates the performance of a client by the number of squaring
operations a client can perform in a certain period, and determines the amount
of time it expects a client to spend solving the puzzle.
2.3. DoS Defensive Cryptographic Technique in Key Establishment 29
The first step of the construction is an approximation of the client computa-
tion time (t) for calculating a number of repeated squares. Then the responder
chooses a ∈R Zn randomly and computes a2tmod n. To do so efficiently, the re-
sponder first computes e = 2t mod φ(n), where n is a product of a multiplication
of two large primes p and q, then calculates b = ae mod n. Next, the respon-
der computes K + a2tmod n and encrypts a message x with a secret key K by
using a symmetric encryption, for instance RC5. The complete construction is
illustrated in Figure 2.4.
Figure 2.4: Rivest Time-lock Puzzles Construction
To solve the puzzle, the client is required to compute a2tmod n repeatedly
because the client does not know p and q. This computation must be calculated
sequentially so it cannot be distributed and solved in parallel. An alternative
computation of solution would be to factor n instead. If users choose p and q
large enough, computing repeated squaring directly would be more efficient than
such an attack. As a result, the client needs computation of 2t multiplications on
average as specified by the responder. The function of t plays a role as a puzzle
difficulty, so we refer to it as k when comparing to the other puzzles. Hence,
the complexity of Rivest’s puzzles would be O(k). In addition since this value
reflects the granularity of the puzzles, we can conclude that the time-lock puzzles
have a linear granularity.
To sum up, time-lock puzzles provide an inherently sequential and non-
parallelisable characteristic as well as linear granularity. However, the major
concern of this scheme is the high-computation in the construction and verifica-
tion because the underlying technique requires the responder to conduct modular
arithmetic.
2.3.4 Diffie-Hellman based Puzzles
Diffie-Hellman based (DH-based) puzzles were proposed by Waters et al. [136]
in 2004. They investigate numerous techniques for outsourcing the generation
of puzzles in order to remove the computational load of puzzle generation from
30 Chapter 2. Research Background
the responder. The secure entity used as an outsourcing for puzzle generation is
called bastion host as shown in the Figure 2.5.
The construction of puzzles is based on a Diffie-Hellman method. In the
construction, the bastion host selects the first random integer r ∈R Zn, and a
second random value a ∈R Zn in the range r to r + k. Since k serves as puzzle
difficulty, the responder is able to easily control the workload in linear style to
the initiator. The puzzle sent to the initiator contains the values ga and r, where
a generator g is selected from a group of Zq. Hence, the cost of computation for
this construction requires one modular exponentiation.
In puzzle solving, the initiator searches for a solution by testing each candi-
date value in the range r to r + k until it finds c, such that gc = ga. Because
another goal of this implementation is to achieve the feature of per-channel puzzle
distribution and per-channel puzzle solution, the initiator calculates Y a, where
Y is the responder’s Diffie-Hellman public key, in order to submit the solution to
a specific server. The number of trials of the modular exponentiation is k begin-
ning from r and stopping at r + k. As a result, the complexity of this operation
is O(k) modular exponentiations. Considering the non-parallelization feature,
the nature of a given puzzle on the client’s machine is similar to the hint-based
scheme, with k available solutions in a range between A to B. As a result, this
scheme does not support non-parallelization.
Generally, the responder needs a single modular exponentiation to verify the
solution by raising the challenge value to the exponent (X) of its private key i.e.
(ga)X . However, the system proposed by Waters et al. [136] limits puzzles to
a given timeslot. Moreover, the solutions for a given timeslot are precomputed
by the responder, so the puzzle verification is performed by a table lookup for
saving computational load. The summary of DH-based operation is illustrated
in Figure 2.5
Figure 2.5: Diffie-Hellman based Puzzles Constructions
2.3. DoS Defensive Cryptographic Technique in Key Establishment 31
Since the responder generates a puzzle solution at the construction, the puz-
zle verification can be simply done via table lookup. The linear granularity is
another positive characteristic of this scheme. However, expensive computation
due to modular exponentiation as well as the distributable and parallelisable
characteristics are limitations of the DH-based technique.
2.3.5 Trapdoor RSA-based and DLP-based Puzzles
Gao [46] developed two novel puzzle mechanisms, named Trapdoor RSA-based
Puzzles and Trapdoor DLP-based Puzzles. The construction of these schemes is
based on the trapdoor function. To overcome the existing techniques, two specific
algorithms attempt to reduce the overhead of puzzle construction and verification
as well as to support fine granularity in order to mitigate DoS vulnerabilities.
• Trapdoor RSA-based puzzles: The security of the RSA-based tech-
nique is based on the assumption of the hardness of the factorisation prob-
lem; i.e. given N which is a product of two large prime number p and q, it
is infeasible to find e-root in the group of order φ(N) = (p− 1) · (q − 1).
This technique requires the responder to precompute some constants to
reduce the overhead cost of the construction. These constants consist of
time-dependent parameters gt and xt, and puzzle constant τ which requires
one modular exponentiation plus one modular multiplication for construc-
tion. To make an important note, the pre-constructing load depends on the
number of candidate data sets XA and GA stored at the pre-construction
because each candidate requires one exponentiation to generate it. Once
the responder receives requests, it generates a puzzle challenge containing
(ga′ , [A,B]) computed by picking up the pre-computed value from the set
of candidates. The responder also computes a solution x which is secretly
stored in memory for use in the verification, such that the verification pro-
cess is very simple and fast via a single table lookup. Since the range [A,B]
serves as a hint for a puzzle which has k difficulty values, the responder is
able to effectively control the client’s workload in a linear manner similar
to other linear puzzles.
To solve a puzzle, the initiator calculates a corresponding answer (x′) by
using an equation: M = Y · x′e mod n. Given M , e, n as public informa-
tion and Y as a puzzle challenge, the initiator needs to brute-force search
x′ within the range [A,B]. The number of trials depends on the puzzle dif-
ficulty level k determined by the responder. As a result, the upper bound
32 Chapter 2. Research Background
complexity on solving the puzzle would be limited by O(k) modular expo-
nentiations. Like other hint-based puzzles, this puzzle can be distributed
and parallel computed by k high performance computers. The outline of
the operation of these puzzles is shown in Figure 2.6.
Figure 2.6: Trapdoor RSA-based Puzzles
• Trapdoor DLP-based puzzles: The security of this technique is based
on the discrete logarithm problem. Given a large prime p, a generator α of
Z∗p , and a random number β ∈R Z∗
p , it is hard to find x (0 ≤ x ≤ p−2)
such that αx ≡ β (mod p).
Slightly different from the first technique, only candidate data set GA is
pre-calculated and stored at the responder. Moreover, the pre-computation
required at this step is reduced to one modular exponentiation; i.e. to
generate initial constant x−1. Hence, this scheme has a smaller precom-
putational burden than the former one. The puzzle challenge contains
parameters (ga′ , [A,B]) as the RSA-based scheme. The puzzle solution x
is also computed in advance and secretly stored in the memory for veri-
fication. Again, this scheme minimizes the computational burden at the
verification by using a single table lookup for comparing a puzzle solution.
With an equation M = Y · hx′(mod p), a client can compute a correspond-
ing solution x′. Hence, the worst case number of trials to brute-force search
x′ is k modular exponentiations. Similar to the former scheme, the upper
bound complexity on the puzzle solving would be limited by O(k) modular
exponentiation. The trapdoor DH-based scheme is demonstrated in Figure
2.7.
Both trapdoor-function based schemes involve modular computation, so we
evaluate these techniques as having expensive constructions. Although the proto-
col developer suggested to perform some pre-computation to avoid CPU burden
at construction time, puzzle generation still requires to compute with numbers
using modular arithmetic. The advantage of using these mechanisms is that they
2.3. DoS Defensive Cryptographic Technique in Key Establishment 33
Figure 2.7: Trapdoor DLP-based Puzzles
offer fast verification via table lookup as well as linear-grained control for puzzle
difficulty adjustment.
2.3.6 Cryptographic Chaining Puzzles
Client puzzles are non-parallelizable if the solution to the puzzle cannot be com-
puted in parallel. Apart from the characteristic of time-lock puzzles in which
the underlying computation requires the solver to perform sequentially repeated
modular calculation, an alternative method to prevent adversaries from com-
puting puzzles in parallel would be a chaining technique. Since the nature of
chaining requires the previous value for constructing the next consecutive items,
it will defeat those adversaries who attempt to solve puzzles by parallel comput-
ing. Recently, there are two constructions using the chaining technique based on
hash functions proposed by Ma [77] in 2005 and by Groza and Petrica [49] a year
later. The aim of these constructions is slightly different from what we have in
mind, since they are interested in partial solving of the chained puzzles. Nev-
ertheless it is interesting to examine whether they will be useful as stand-alone
puzzles.
Following are short descriptions of these two puzzles and an analysis of their
suitability.
• Ma’s Hash Chain Reversal Puzzles The concept of hash chain puzzles
was introduced by Ma [77] in 2005 as password puzzles for use in the IP
layer. The construction begins with a random number chosen as an initial
value h0. Then the server applies a one-way function to h0 repeatedly to
generate a hash chain h0, h1, . . . , hk where hi+1 = hash(hi) and k is the
desired length of the chain. According to Ma, this computation would lead
to an advantage for the server by storing the entire hash chain for future
use. Because the server knows a corresponding solution in advance, the
server saves computation and time when verifying the puzzle solution by
34 Chapter 2. Research Background
reducing the cost of verification to a single table lookup.
For puzzle solving, given a puzzle challenge containing the last value of a
hash chain (hk) along with an index value k, a client is required to compute
a hash reversal starting from index k back to the beginning point h0 to
obtain the entire hash chain. A characteristic of hash chain operation is
that an output from the former state is required to be fed to the next state
as an input, similar to a recursion in programming. We conclude that this
scheme is a non-parallelizable technique, and the cost of the verification
requires k hash operations similar to the construction.
Figure 2.8: Ma’s Hash Chain Puzzles
This is a simple and intuitive construction, but there are a number of
practical problems. First, it requires the server to store every value of the
entire hash chain in order to be able to verify the solution. Although this
has an advantage in verification effort, this scheme is susceptible to memory
exhaustion attacks. Second, when used with a typical cryptographic hash
function the scheme will be too difficult to invert for even one hash value,
let alone a chain of many values. Therefore some mechanism must be
chosen to make the individual steps in the chain invertible with reasonable
effort. Ma [77] suggested that a hash function be used which has 16-bit
outputs, but this does not seem to be an acceptable requirement since such
a function can be easily stored completely in a look-up table which makes
solving the puzzle as easy as constructing it. A more plausible mechanism
is used in the next construction that we consider.
• Groza and Petrica’s Hash Chain Puzzles This puzzle scheme [49] was
constructed from a hash chain of random numbers. Generally, the idea is
similar to the puzzle auction proposed by Wang and Reiter [133]; i.e. the
more links of the chain computed on a client’s machine, the more services
from a server a client obtains. At the beginning, the server generates
2.3. DoS Defensive Cryptographic Technique in Key Establishment 35
the first element by choosing two state-dependent random numbers, ρ and
r, and concatenating them to obtain a value σ. The first output, P0, is
constructed by double hashing σ0. Hence, the parameter σ0 serves as an
input to the next state of the chain. The rest of the puzzle will be created
by XORing two new state-dependent values with hashed output of σ from
the previous state. Thus, the puzzle elements challenged to the client would
be a series of pairs [(P0, r0), (P1, r1), . . . , (Pn, rn)], where n ≥ 1 is the length
of the hash chain. Meanwhile, the client is required to perform a forward
process of reconstructing the hash chain by searching for ρi values, with σi
= ρi ‖ ri.
Figure 2.9: Groza and Petrica’s Hash Chain Puzzles
Unfortunately, this scheme has a major drawback which risks resource ex-
haustion attacks on the server because it requires three hash operations
per state for producing a series of hashes chained either in the construction
or verification phase. This action requires a similar amount of computa-
tional effort as the solving task on the client’s machine. This circumstance
violates the fundamental requirement; i.e. client puzzles should be easy
to generate and verify by the server but hard to solve by the client. Fur-
thermore, the high-bandwidth consumption required to transmit a puzzle
challenge is another drawback of this scheme.
36 Chapter 2. Research Background
2.3.7 Client Puzzle Summary
In summary, we have seen that the hash chain puzzle has a major strength in
non-parallelizability and linear-grained control because of its structure. Light-
weight verification by one comparison is another interesting potential property.
However, the proposals so far using this technique require high computation
in the construction, high-bandwidth connection for communication, and huge
storage to cache an entire chain for avoiding CPU burden at the verification.
Therefore, currently it seems impractical to use hash chains as client puzzles and
we look for an alternative. Table 2.1 compares key strengths and weaknesses
of individual cryptographic puzzle constructions based on the required criteria
previously discussed.
Table 2.1: Summarization of Strengths and Weaknesses of Client Puzzles
Puzzle Types Key Strengths Weaknesses
Hash-based ReversalSimple and Fast Parrallelizable and
Construction & Verification Exponential Granularity
Hint-Based Hash ReversalSimilar to Hash Reversal
Parrallelizablebut has Linear Granularity
Repeated-SquaringNon-parrallelizable and High Computation to
Linear Granularity Construct & Verify
DH-basedCheap Verification and Parrallelizable and
Linear Granularity Expensive Construction
Trapdoor RSA Cheap Verification and Parrallelizable and
and Trapdoor DLP Linear Granularity Expensive Construction
Hash ChainCheap Verification and Parrallelizable and
Linear Granularity Expensive Construction
The non-parallelizability characteristic plays an important role for defending
against coordinated adversaries who attempt to distribute puzzles to other users
or high-performance machines in order to obtain puzzle solutions quicker than
the specified time without wasting their own resources. Because the weakness of
2.4. Formal Analysis Techniques 37
the hash-based puzzle characteristic in which it might be computed in parallel,
this kind of attacks have been addressed and specified as a strong attack by
Bocan and Cosma [12]. Details of this attack will be given and examined in the
simulation of DoS-resistant protocols later in Chapter 5 and 6.
Since non-parallelizability has not been defined as a primary requirement in
the original work [6,62], most existing techniques lack this characteristic as shown
from the evaluation in Table 2.1. Only repeated-squaring puzzles can thwart this
type of attack strategy, but high computation of the puzzle construction causes
this technique to be susceptible to flooding attacks. As a result, this gap becomes
an interesting point for our research to develop new schemes which achieve non-
parallelizability, meanwhile the puzzle construction and verification should be
simple and cheap as the fundamental requirement.
2.4 Formal Analysis Techniques
The goals of security or cryptographic protocols are to provide various security
services to the protocol entities. Some examples of these security services are
data integrity, confidentiality, data origin authentication, and so on. In order
to provide assurance to users, the protocol developer requires formal analysis
techniques to support the design. However, the protocol design and analysis
has long been considered as a difficult task by the research community. This
is because many proposed protocols were complex and hard to analyse by hand
only. Some security problems in which the protocol has attempted to solve were
slightly subtle and required careful analysis. In addition, abilities to capture all
adversarial techniques attacking to the protocols are significantly difficult because
adversaries are able to constantly modify their techniques to more sophisticated
scenarios once their attacks have been detected and recorded.
Due to these difficulties, research communities have attempted to develop
formal analysis techniques for resolving these problems. Formal methods be-
came popular after the development of the BAN logic [19] in 1989. In formal
methods analysis, the inputs are a set of initial assumptions and the protocol
messages. If these messages satisfy the goal of the protocol, then the protocol is
valid. A good taxonomy on the formal methods for analysis and verification of
security protocols is provided by Meadows [86], and Rubin and Honeyman [113].
With respect to this survey, formal methods can be broadly classified into four
techniques as follows:
1. Modelling and verifying cryptographic protocols using logics based on knowl-
38 Chapter 2. Research Background
edge and belief. These techniques create reason and beliefs of a model of
security protocols using logical statement and formula. One example of
this approach is BAN logic [19];
2. Developing formal model of the algebraic term-rewriting properties of cryp-
tographic systems. This technique models security protocols as an algebraic
system, and reasons such protocols using specified algebraic properties. Ex-
amples of this approach include Dolev and Yao model [36], and Communi-
cating Sequential Processes (CSP) model [114];
3. Developing Expert System to study and investigate possibilities in different
scenarios. One example of this approach is the NRL Protocol Analyzer [85];
and
4. Modelling and verifying cryptographic protocols using methods and tools
which are not specifically developed for security. One example of this ap-
proach is Petri Nets [106].
This section provides some examples of techniques used to verify the correct-
ness and security of cryptographic protocols.
2.4.1 BAN Logic
BAN logic [19] was developed by Burrows, Abadi, and Needham in 1989. The
implementation was designed to focus on the analysis of authentication proto-
cols. The concept behind this approach is to reason about the states of belief
of all participants involved in the protocol. With BAN logic, initial knowledge,
assumptions and the protocol steps are transformed into logical statements or
formula. Finally, the analysis of a protocol is performed by applying the defined
logical rules in order to determine whether the security goals can be derived from
a given set of assumptions or not.
As the BAN logic is primarily about authentication, other security objectives
such as data integrity or confidentiality are disregarded. The protocol analyst
is required to extend the logic or develop new primitive constants to a new
model. This limitation on using BAN logic to reason on the security objectives
in term of secrecy has also been highlighted by Meadows [86]. Other limitations
of BAN logic to model and analyse security protocols were discussed by Boyd
and Mao [15].
2.4. Formal Analysis Techniques 39
2.4.2 Dolev-Yao Model
The Dolev-Yao model [36] is a technique based on an algebraic approach in which
messages and events in the protocol are modelled and transformed using a col-
lection of rules and algebraic expressions. The communicating and exchanging
messages between legitimate participants follow defined rules directly, while ad-
versaries are able to read, modify, create, replay, and delete any messages at any
states during the protocol execution. For example in the symmetrical encryption,
adversaries’ task is to discover a secret key and decrypt corresponding cipher-
text. Hence, the protocol analyst is required to write the rules and algebraic
expressions for transforming this situation into exhaustive search based analysis
to determine whether adversaries could recover the plaintext or not.
Even though the Dolev-Yao model has been successfully applied and found
security flaws in many protocols designed for secrecy, it might not be suitable for
discovering other vulnerabilities in the specific classes of cryptographic protocols,
such as the authentication protocols. Other drawbacks of this model as stated by
Doyle [38] are the failure to model protocol participants’ capability to recognise
the state information, and the difficulty to capture and analyse activities in the
large and complex security protocols.
2.4.3 NRL Analyzer
The Naval Research Laboratories (NRL) protocol analyzer, which was based
on term-rewriting technique of Dolev-Yao approach, was developed as a Pro-
log program by Meadows [85] for analysing cryptographic protocols. Similar to
Dolev-Yao approach, adversaries are able to control any messages of legitimate
participants. On the other hand, the major difference between these two ap-
proaches is that NRL analyzer is able to produce not only protocol messages,
but also message events and beliefs, while Dolev-Yao model can generate only
protocol messages using defined rules and expressions. Hence, the NRL approach
can be applied to analyse a larger variety of cryptographic protocols.
A major advantage of this scheme is that it supports automated analysis
to help the protocol analyst to search vulnerabilities in cryptographic protocols
using a backward reachability test. That means the analysis begins from some
insecure states and runs backward to check whether they can be reached from an
initial state or not. It is important to note that this process is not fully automatic
since it requires participation from the protocol analyst during the protocol exe-
cution. Examples of using the NRL analyzer technique are to successfully analyse
40 Chapter 2. Research Background
a Tatebayashi-Matsuzaki-Neuman (TMN) key exchange protocol [129] by Kem-
merer et al. [67], as well as to discover unknown vulnerabilities in a security
scheme for resource sharing over a network [18].
On the other hand, the major disadvantage of this tool is in the requirement
of high level of user expertise to write accurately source code of evaluating rules
and expressions to evaluate the protocols. Moreover, the backward search pro-
cess might require well-educated users to participate in order to obtain accurate
results during the protocol execution.
2.4.4 Petri Nets
To date, researchers are trying to develop general purpose verification tools to use
in modelling and verifying cryptographic protocols. One famous formal method
based on a simulation approach is Petri Nets [106]. Petri Nets are a graphical
technique based on mathematical methods and can be used for describing and
studying several information processing systems characterised by being concur-
rent, asynchronous, non deterministic, parallel and distributed. Ordinary Petri
Nets are also called Place/Transition systems (PT-systems). The main compo-
nents of PT-nets are the places, transitions and arcs. Places are drawn as ellipses
or circles while transitions are drawn as rectangles. Arcs are directed either from
a place to a transition or from a transition to a place and may have a weight
(positive integer) associated with them (the default weight of an arc is one and
is not shown). Depending on the system to be modelled, places and transitions
can have different interpretations. For example, a place can represent a condition
and a transition an event. Also, a place can represent resources and a transition
a task or job, which requires those resources. Finally, a place can represent the
state of the system and a transition, an action that can be taken, based on that
state. A place can contain one or more tokens. They are drawn as black dots.
A distribution of tokens on the places is called a marking (i.e. marking of the
net). The initial state of the system is called the initial marking. A marking of a
place indicates the number of tokens on a particular place. An example of Petri
nets is illustrated in figure 2.10.
The dynamic behaviour of a PT-system can be seen as the state or marking
of the net changing according to transition occurrences. A transition may have
input places connected by incoming arcs and output places connected by outgoing
arcs. A transition is enabled (i.e. it can occur) if the marking of each input place
consists of as many tokens as indicated by the weight of the input arc, which
2.4. Formal Analysis Techniques 41
Figure 2.10: The Example of Petri Nets
connects the place with the transition. The occurrence of an enabled transition
removes tokens from the input places and adds tokens to the output places. The
number of removed tokens from each input place corresponds to the number of
tokens indicated by the weight of the (input) arc, which connects the place and
the transition. The number of added tokens to each output place corresponds to
the number of tokens indicated by the weight of the (output) arc, which connects
the transition with the place.
Using Petri Nets in an analysis and verification of cryptographic protocols,
a user must specify protocol objectives in term of system states and determine
the conditions which must hold when the protocol terminates. To model at-
tacker capabilities, they might be specified as malicious principals who can read,
intercept, and modify any messages transmitted in the network. One example
of using Petri Nets to identify insecure states is proposed by Stal et al. [127].
Stal et al. recommended an alternative approach in which the analysis begins at
an insecure state, and checks backward through the protocol execution whether
initial state can be reached or not. A problem with this approach is that insecure
states must be known before starting.
As systems become more complex, Petri Net [106] models can become very
large, complex, and probably unreadable. This problem has been overcome by
introducing new kinds of Petri Nets, called High-Level Petri Nets. Coloured Petri
Nets (CPNs) are high-level nets, which is proposed by Behki and Tavares [10].
They incorporate some definitions, such as data types and data values process-
ing that similar to programming languages. Although Petri Nets were developed
since 1962, they have only recently been used to verify cryptographic and secu-
rity protocols [38,94,99]. The challenges to use this approach are how to model
protocol specific security properties and how to provide verification methods.
42 Chapter 2. Research Background
Nowadays, CPNs are introduced through varieties of the service specification for
applications, communication protocols, as well as industrial models [56, 57]. In
term of a supporting tool, there have been many automated tools to support a
modelling and analysis based on CPNs specification and formalism. An example
of an automated tool is CPN Tools [110,130] developed at the department of com-
puter science, University of Aarhus, Denmark. Following provides fundamental
knowledge of Coloured Petri Nets for developing a modelling of cryptographic
protocols.
CPNs Components
In Coloured Petri Nets, places are drawn as ellipses or circles while transitions are
drawn as rectangles as in Ordinary Petri Nets. Each place has an associated type
or colour set which determines the type of data the place may contain. Tokens
are associated with each place. A token is a value (colour), which belongs to the
type of the place. The marking of a place is the multi-set of tokens present on the
place. It is a multi-set, since it may contain several tokens with the same value.
CPNs include the initial state of the system. It is called the initial marking.
Transitions represent the actions of the system which are drawn as a rectangle
and Arcs connect transitions and places. A transition may have input places
connected by incoming arcs and output places connected by outgoing arcs. Arcs
have expressions associated with them. Expressions are located next to arcs
and determine which tokens are removed or added to the places. Figure 2.11
illustrates an example of a CPN model.
Figure 2.11: An Example of a CPN Model
Coloured Petri Nets (CPNs) are state and action oriented, i.e., the modeler
2.4. Formal Analysis Techniques 43
can determine whether to concentrate on states or on actions at the same time.
To construct a model as shown in Figure 2.11, CPNs are created as a graphical
drawing which contain some basic constructions including:
1. State
• Place: Places, which drawn as ellipses or circles, represent states of a
system.
• Type: Types are used to specify the colour set of a token in each place.
• Marking : Marking represents the state of a CPNs. It consists of
a number of tokens positioned on the individual places. Each token
contains a colour which belongs to the type of the place. The marking
of a place can be a multi-set of token values. This means that a place
may have several tokens with the same token value.
2. Action
• Transition: Transitions, which are drawn as rectangles, represent ac-
tions of a system.
• Arc and Arc Expression: Arc connects transitions and places. Each
arc contains a weight value call an arc expression. The arc expression
determines the number of tokens which are removed from the asso-
ciated input place and added to the associated output place during
occurrences of transitions.
3. Dynamic Behavior
• Variable, Binding and Guard : To enable the transition, we need to
bind data values to the variables occurring in the arc expressions on
the incoming arcs attached to this transition. Moreover, we can spec-
ify a boolean expression, called a guard, with variables to each tran-
sition in order to limit the accepted binding values, i.e., only tokens
which have the boolean expression set to true are fired.
• Occurrence: The occurrence of a transition in an enabled binding re-
moves tokens from the input places and adds tokens to the output
places of the transition by evaluating the arc expression on the cor-
responding arc. In the simulation, it may consist of several enabled
binding elements which can be either concurrently enabled or conflict
enabled [57].
44 Chapter 2. Research Background
CPNs Model Construction
To design an effective model, the developer should divide the model into pages by
working with a hierarchical CPN model which is similar to the project browsers
found in programming environments. The basic idea of the hierarchical model
is to allow the developer to construct a large model by using a number of small
CP-nets. This is similar to the situation in which a programmer constructs a
large program by means of a set of modules. When a page gets too many places
and transitions, we can move some of them to a new subpage for simplicity of
the model.
The hierarchical model supports both a bottom-up as well as a top-down de-
sign. The interesting properties of the hierarchical model are that new modules
can be created from existing modules, and modules can be reused in different
parts of the CPN model. These modules are called pages. Figure 2.12 demon-
strates an example of a hierarchical model implemented by using a CPN Tool.
Figure 2.12: A Hierarchical Model
The hierarchical CPN model consists of three main constructions that are
used for implementation. The following details give a brief description of such
constructions. The full definition of the these three constructions have been
2.4. Formal Analysis Techniques 45
provided in Jensen’s book [57].
1. Substitution transitions and subpages
Each substitution transition is marked with an hierarchy and substitution
tag. This tag is attached by the box called hierarchy inscriptions which are
used to define the details of the substitution. Each hierarchy inscription
specifies the subpage corresponding to each substitution transition.
2. Port and socket places
Ports and sockets have similar definitions but ports are used when the
developer assigns them in the subpage, while sockets are assigned in the
top page. They are used for communication to its surrounding transitions.
In order to specify the relationship between a substitution transition and
its subpage, port places related to the socket places of the substitution
transition of the subpage must be allocated by providing a port assignment.
Once a port place is assigned to a socket place, the two places become
identical.
3. Fusion places
Fusion places allow the developer to specify a set of places that are con-
sidered to be identical. When a token is added or removed at one of the
places, an identical token will be simutaneously added or removed at all
the other places in the fusion set.
To construct models of DoS-resistant protocols, we use CPN Tools which
is an interactive and a graphical interface tool for modelling, analysing, and
simulating the protocols. CPN Tools is well-known and widely used not only in
the industry, but also in the system engineering community for modelling and
analysis of various communication protocols [11,50,60], as well as cryptographic
protocols [4, 38, 39, 94, 99, 131]. As stated by Jensen [56], there are several key
benefits of using Colored Petri Nets in the verification of cryptographic protocols.
Some example of key benefits related to the cryptographic protocol modelling and
analysis are listed as following
• CP-Nets are very general and can be used to describe a large variety of
different systems;
• CP-Nets can be extended with a time concept;
• CP-Nets offer interactive simulations where the results are presented di-
rectly on the CPN diagram;
46 Chapter 2. Research Background
• CP-Nets have a large number of formal analysis methods by which prop-
erties of CP-Nets can be proved.
More specific to the modelling and analysis of cryptographic protocols, some
important advantages of using Coloured Petri Nets over other formal modelling
and analysis techniques are the graphical representation for easy to understand
and visualize the dynamic behaviour of systems. Most importantly, graphical
representation of Coloured Petri Nets is able to assist the protocol designer to
prevent some inconsistency or ambiguous of the message sequences communi-
cated among protocol participants in the design of protocols.
In particular, Colored Petri Nets have several advantages over original Petri
Nets. For example, CPNs incorporates data concepts, and is able to handle
large communication networks containing a high number of data set because
CPNs supports a hierarchical modelling concept. Most importantly, Colored
Petri Nets has a feature to reduce the size of the complex model by using a
single place to hold multiple tokens having similar colour sets.
For these reasons, we use Colored Petri Nets for modelling and analysing key
establishment protocol in order to explore DoS vulnerabilities and examine DoS-
resistance in such protocols. More specific detail of CPN Tools and techniques
to model key establishment protocols, as well as a critical analysis of a key
establishment protocol, will be explained and illustrated in Chapter 4.
2.4.5 Meadows Cost-based Framework for DoS-resistance
Formal methods have been widely used to reveal ambiguity, incompleteness, and
inconsistency of a system. They also address problems of who uses it, what it is
used for, when it is used, and how it is used. When users apply formal methods
at the beginning of the system development process, they can reveal design flaws
that might be otherwise discovered only during testing and debugging steps.
Meanwhile, they can help determine the correctness of a system implementation
in the final stage of the system development process. Nevertheless, users might be
able to apply formal methods in all phases of the system development including:
system verification, system validation, and system analysis and evaluation.
Existing protocol analysis tools might not be able to be directly applied to
the problem of DoS attacks because of their special characteristics. Meadows
[89] suggested two possible solutions to apply the formal method into the DoS
problem;
2.4. Formal Analysis Techniques 47
1. The protocol must be analyzed, not only in terms of its final goals, but along
each step of the way. Every time a principal takes part in some action that
requires the use of a significant amount of resources, one must check that
an attacker could not fraudulently cause that principal to reach that step
without spending a significant amount of its own resources ;
2. In order to make that verification possible, it is necessary to have a model,
not only of principal and intruder actions, but of the cost of those actions.
Thus, some sort of formal analysis technique would be beneficial, simply in
order to keep track of this complex multistage analysis.
Many key establishment protocols discussed in the literature use authentica-
tion for assisting the responder to identify malicious activities, and protecting
the responder against DoS attacks. Nevertheless, using authentication might in-
troduce a DoS problem by itself because most authentication processes require
the responder to expend high computational burden.
In this circumstance, successful analysis might depend on the ability to com-
pare the resources expended by an attacker to the resources expended by a
responder. Meadows [88] points out that DoS attacks might occur before parties
are authenticated to each other. Meadows introduced several defenses against
attacks including;
1. Reducing the cost to the potential defender of engaging in the protocol;
2. Increasing the resources of the defender;
3. Introducing some methods of authentication so that a defender could at
least tell where an attack is coming from; and
4. Using weak authentication when the protocol is initiated but strong au-
thentication as it completes.
To construct a formal analysis of DoS-resistant protocols, Meadows has de-
fined the term of denial-of-service resistance [88] in which DoS-resistance is an
ability to resist denial of service attacks in term of how the protocol can withstand
the attacks, and serves the intended parties without degrading the performance
and services. Meadows’ cost-based framework is based on a modification of the
Gong-Syversons fail-stop model [48] of cryptographic protocols. The model has
an output, which can be either success or failure. If the output is success, the
program proceeds to the next step. If the output is failure, the program halts.
48 Chapter 2. Research Background
Normal and accept events always output success while verification events can
output success or failure.
In order to identify the DoS vulnerabilities of protocols, Meadows defined the
steps to analyze the problem including;
1. Computing the cost of several actions over time;
2. Assigning and comparing costs of each actions such as computing digital
signatures, storing data, and impersonating principals;
3. Comparing the ratio of cost to available resources between a server, a client,
and an adversary to identify the risk of DoS attacks on the victim.
More detail of Meadows’ cost-based framework, as well as an example of using
this framework to identify DoS vulnerabilities in key establishment protocols will
be provided and discussed later in Chapter 4.
2.5 Summary
This chapter reviews fundamental knowledge relating to Denial-of-Service (DoS)
and Distributed Denial-of-Service (DDoS) attacks, cryptographic techniques for
preventing denial of service attacks in the key establishment protocols, as well
as some methods to use as a formalising tool to model and examine DoS vulner-
abilities in existing DoS-resistant key establishment protocols.
In term of denial-of-service attacks, Needham classified denial of service at-
tacks into three subcategories including attacks on the server, attacks on the
network, and attacks on the client. This work only focuses on the attack on
the server since our main objective is to develop key establishment protocols for
protecting the server against DoS attacks.
The main objectives of key establishment protocols are to share a secret key
between parties and to provide authentication to those parties, but key establish-
ment protocols themselves might be subjected to denial of service attacks. Most
well-known key establishment protocols are vulnerable to DoS attacks because
they involve digital signatures as expensive operations, at the beginning phase.
To provide a promising defensive technique, as a result, this chapter presents an
example of a cryptographic technique, client puzzles, to assist the responder to
counteract DoS adversaries. The taxonomy of key benefits and weaknesses of in-
dividual puzzle construction is also provided and discussed in order to effectively
implement them for different applications.
2.5. Summary 49
Having discussed the DoS vulnerabilities in the protocols, we have found that
some attacks are difficult to discover at the design phase. Therefore, the protocol
developer should assign some formal verification techniques to DoS-resistant ap-
proaches to ensure that the proposed protocols function properly and are secure
at least against well-known attack strategies before releasing them to public. Al-
though no specific formal technique is able to cover all aspects and figure out all
vulnerabilities in key establishment protocols, we choose CPNs as our formalism
to model and examine DoS-resistant protocols because its graphical representa-
tion and visualized analysis makes our task easier, and adds understandability
to the protocol analyst.
In the next chapter, we will provide strategies and techniques to improve
the resistance of key establishment protocols for defending DoS attacks. More
concrete discussion on seven key establishment protocols proposed to resist denial
of service attacks will be provided. In addition, a critical investigation and
analysis on such key establishment implemented with DoS-resistance built-in
will be demonstrated.
50 Chapter 2. Research Background
Chapter 3
DoS-resistance in Key
Establishment Protocols
Having provided background knowledge used in this research, the focus of this
chapter moves to the defensive mechanisms of denial of service attacks in key
establishment. In this chapter, we provide denial-of-service defending strategies
and techniques to improve the resistance of key establishment protocols to DoS
attacks. In addition, we identify and discuss key establishment protocols that
have denial of service resistance built-in and implement these proposed strategies
and techniques. There are relatively few examples of key establishment proto-
cols implementing denial of service resistance techniques, with our survey of the
literature only identifying seven protocols (see Table 3.2 in Section 3.4 for a sum-
mary list). The protocols presented in this section were selected as they provide
concrete examples of the range of denial of service resistance techniques being
applied to key establishment.
Below we will introduce three strategies and techniques for DoS-resistant
mechanisms. The modified internet key exchange protocol proposed by Mat-
suura and Imai [83] adopts all three strategies for improving denial of service
resistance and includes an elegant proof of work that is reused by the initiator to
complete the protocol execution. The Host Identity Protocol (HIP) also uses all
three proposed strategies and seems to be the latest protocol to implement client
puzzles as the proof of work to defend against denial of service attacks. The
Just Fast Keying (JFK) protocol [3] demonstrates new techniques for gradually
authenticating initiators, and the client-aided RSA proposal by Castelluccia et
al. [20] is the first key establishment protocol to adopt client aided computation
51
52 Chapter 3. DoS-resistance in Key Establishment Protocols
in order to counterbalance computational expenditure.
The main contributions of this chapter are:
• A taxonomy of strategies and techniques to help the responder to defeat
resource exhaustion attacks;
• Concrete examples of use of DoS-resistant mechanisms in key establishment
protocols;
• A critical analysis and investigation of how DoS-resistant mechanisms are
used in key establishment protocols.
To provide some concrete examples of use of DoS-resistant mechanisms in
key establishment protocols, an investigation and critical analysis of seven key
establishment protocols that implement denial of service resistance are discussed
in Section 3.3. Finally, discussion and summary on the practical use of individual
DoS-resistant mechanisms are provided at the end of this chapter.
3.1 DoS-Resistance Strategies
To design an effective DoS-resistant key establishment protocol, it is worthwhile
for a protocol engineer to understand not only the characteristic of denial-of-
service attacks, but the abilities of adversaries as well. In the DoS attacks,
the skillful adversary can prevent the application from performing its intended
task for legitimate initiators by causing the application to exhaust the finite
supply of a specific resource of the target responder. These target resources
of the responder might be: available memory, available computational CPU,
available storage space, and maximum number of simultaneous connections the
application is permitted. Some resources are self-renewing such as computational
CPU cycles, but some resources require operations to recover such as storage
space. If the application cannot automatically recover, then the attacker can do
more harm to the system and make it difficult for the responder to prevent such
actions.
Most well-known denial-of-service (DoS) attacks are performed by using tech-
niques which attack weaknesses of the underlying protocol. For example, the
attacker consumes the responder’s resource by flooding a large number of bogus
requests to the responder. This attack can overwhelm the responder because
the attacker knows that the underlying authentication protocol at the responder
side is based on the expensive computation of public key cryptography. As a
3.1. DoS-Resistance Strategies 53
result, the implementation of key establishment protocols should be developed
with great care.
The requirement for key establishment protocols to achieve some level of
denial-of-service resistance is well recognised by the protocol engineering com-
munity and a number of design strategies have emerged. For example, in the
design of DoS-resistant protocols, Leiwo et al. [73] proposed some suggestions to
design an effective protocol to protect network against DoS attacks including:
• Memory of the responder should be allocated after the initiator
has been authenticated.
• Detecting attacks should be completed before initiator authenti-
cation processes.
• The workload of initiator should be greater than that of the re-
sponder in order to prevent an initiator from launching multiple
attacks to the responder.
• The workload of the initiator should be varied by the responder.
In the case of attacks, the responder could increase computation
for the initiator to guarantee the survivability of the system.
Some additional strategies and mechanisms have been proposed by Mead-
ows [88] in order to implement an efficient DoS-resistance public-key based au-
thentication protocol. These include the following strategies:
• Reducing the cost to the potential defender of engaging in the
protocol.
• Increasing the resources of the defender.
• Introducing some methods of authentication so that a defender
could at least tell where an attack is coming from.
• Using weak authentication when the protocol is initiated but stronger
authentication as it completes.
The strategies for improving resistance to denial-of-service attacks can be
broadly classified into three sub-categories; 1) Preventing CPU exhaustion, 2)
Preventing memory exhaustion, and 3) Gradual authentication.
54 Chapter 3. DoS-resistance in Key Establishment Protocols
3.1.1 Counterbalancing CPU Expenditure
To design a DoS-resistance protocol, poorly designed authentication mechanisms
as well as strong authentication protocols using cryptographic methods may in-
crease the vulnerability of the problem because of their expensive modular arith-
metic operations. If such authentication mechanisms allow the attacker to send
bogus packets to the responder that require computationally expensive cryp-
tographic authentication before the packet can be verified, then this situation
allows the attacker to easily perform the CPU exhaustion attack to the respon-
der. To prevent this situation and achieve our goals, either increasing the cost of
computation to an initiator or reducing the cost of computation to a responder
by having the initiator perform computations on behalf of the responder, should
be included in the protocol specification. Example techniques of this strategy
are a client puzzle [6, 43,62,112,136], and a client-aided RSA computation [20].
3.1.2 Counterbalancing Memory Expenditure
For implementing a protocol resistant against memory exhaustion attacks, one
direct strategy is to reduce storage for the responder during the protocol run.
It means that the responder should maintain a stateless connection until the
authentication process has completed. Cookies are one example defending tech-
nique using cryptographic techniques to preventing memory exhaustion attacks
because the responder does not maintain half-open state. The responder uses
the cookie to complete the connection and as a weak form authentication. The
function of the cookie in this context is to establish a stateless connection as will
be explained in Section 3.2.2. So far, there have been many public-key based au-
thentication protocols which use a cookie strategy to thwart memory exhaustion
attacks, for instance, Photuris [64], Host Identity Protocol (HIP) [95], Internet
Key Exchange (IKE) [51], and Just Fast Keying (JFK) [3].
3.1.3 Gradual Authentication
As initiators must be authenticated at some point during the protocol execution,
strong authentication of the initiator’s requests might introduce another denial-
of-service problem. There are a number of ways in which a protocol could be
strengthened against denial of service attacks. A suggested strategy is introduced
by Meadows [88] to use weak authentication when the protocol is initiated at the
beginning state and gradually increase the level of authentication for proving the
3.2. DoS Defending Techniques 55
user identity in the final state. An example protocol using gradual authentication
framework is Just Fast Keying (JFK) protocol [3]. JFK begins with a form of
weak authentication using nonce and authenticator functioning as a cookie, and
ends up with a signature verification after satisfying a medium-level authenticator
by checking a message authentication code (MAC).
Protocol engineering implementing DoS-resistant key establishment should
adopt at least some of these three strategies in order to ensure that such im-
plementations would not be susceptible to such attacks. The following section
reviews the defending techniques that incorporate some introduced strategies to
achieve the DoS-resistant goals.
3.2 DoS Defending Techniques
Having identified the strategies employed to make responders in key establish-
ment protocols more resistant to denial of service attacks, we now describe the
specific techniques employed by some key establishment protocols (illustrated in
Section 3.3). Some of the techniques are capable of implementing more than one
strategy, and the techniques might be able to be composed in numerous ways
to meet more complex goals such as gradual authentication. For each technique
identified, we discuss the construction, the DoS resistance strategies it is capable
of supporting, and how it might be combined with other techniques. Protocols
implementing the techniques are then identified in Chapter 3.
3.2.1 Stateless Connection
In a stateful protocol, there is a limited number of initiators that the responder
can handle and simultaneously provide the services. To protect the responder
from wasting resources with bogus messages, Aura and Nikander proposed the
concept of a stateless connection [5]. The stateless connection protocol is resilient
to attacks that open connections in a half open state, thus preventing resource
exhaustion attacks. However, it is important to note that a stateless responder
might open a new attack technique, because the responder has no previous state
information of the messages that have been received and processed. Therefore,
it might be possible to attack the connections integrity by replaying connection
states. Using the design principle of authenticating an initiator before commit-
ment of resources, Aura and Nikander suggested that authentication protocols
56 Chapter 3. DoS-resistance in Key Establishment Protocols
should always remain stateless until the initiator has been authenticated or has
shown in some other way its commitment to proper use of the service. After
authentication the responder can change to the stateful mode.
3.2.2 SYN cache and SYN Cookie
SYN cache and SYN cookie [74] are techniques used to reduce the effect of the
flooding attack of the responder by pushing messages to store at the initiator side.
The SYN cache allocates minimal state when an initiator establishes a connection
to a responder. When authentication is completed, only information required by
the responder is kept in responder storage. In contrast, the SYN cookie does not
store any information until initiator authentication has been completed. It sends
a cryptographic packet called a cookie, which records initial connection data of an
initiator. Cookies are time variant, unpredictable data issued by the responder
on receipt of a request for service that can ensure the responder remains stateless
and can initiate gradual authentication of the initiator.
In the implementation of cookies in key establishment protocols, cookies were
first introduced in Photuris [64] (see Section 3.3.1) and subsequently extended
for resisting SYN flooding DoS attacks. Typically a cookie is constructed by
taking some connection specific parameters and transforming them with a time
variant local secret; a keyed hash of the initiator IP address and nonce for exam-
ple. It is vitally important that the responder stores no state when constructing
cookies. In order to remain stateless and thereby prevent memory exhaustion,
any relevant state required by the responder can also be encoded in the cookie
and returned with the next message from the initiator. On receipt of a valid
cookie, the responder is able to reconstruct and validate any state encoded in
the cookie and has weak assurance that it is in round trip communication with
the initiator. Round trip communication implies that the initiator is not using
a spoofed address. This assurance can only be considered weak, as an adver-
sary with control of an intermediary link, between a claimed address and the
responder, would be able to receive cookies for any address they wished to claim.
Unless cookies are carefully constructed the responder may remain vulnerable
to attack even if cookies are used. Simpson [121] identified a state exhaustion
attack, called a cookie crumb attack, in Internet Security Association and Key
Management Protocol (ISAKMP) [84] implementation of cookies. In contrast
to remaining stateless when constructing cookies, ISAKMP cookies required the
storage of a small amount of state on each connection request. Even though
3.2. DoS Defending Techniques 57
the state information stored per request is very small (a crumb) it is easy for
an attacker to initiate a large number of requests, exhausting available memory
resources. In addition to ensuring that no state is stored on the construction of a
cookie, Karn and Simpson [64] identified that the technique used for generating
cookies must also satisfy the following three requirements.
• The cookie must depend on the participating entities ;
• It must not be possible for anyone other than the issuing entity
to generate a cookie that will be accepted by that entity ;
• The cookie generation and verification methods must be compu-
tationally efficient.
The first requirement prevents an attacker from obtaining valid cookies, in-
tended for other initiators, and using those cookies to generate a large number of
requests with spoofed IP addresses. The second requirement secures the cookie
generating process. The use of a secret value in generating the cookie prevents
others from forging cookies and making this value time variant ensures that cook-
ies must be used within a predetermined time frame, preventing the hoarding of
valid cookies. Finally, the third requirement prevents DoS attacks directed at
the cookie mechanism itself.
3.2.3 Proofs of Work (PoW)
Proofs of work, or puzzles, are hard but tractable problems that allow an initiator
to prove to a responder that a verifiable level of computational effort has been
expended. They permit the responder to gain some assurance of the initiator’s
willingness to commit resources to the protocol and provide a mechanism for
counterbalancing computational expenditure in the event that the responder is
exposed to a denial of service attack.
The concept was first proposed by Dwork and Naor [41] to control junk
email by having recipients only accept emails if they were accompanied by a
correct puzzle solution. It has since been extended to protect authentication
protocols [6, 62] and permit initiators to bid for limited service resources [133]
using the difficulty of the puzzle as currency. Jakobsson and Juels [55] formalised
the notion of reusable proofs of work , where the computational effort expended
by the prover in generating the puzzle solution can be reused for some useful
function, and provided a working example of a reusable proof of work.
58 Chapter 3. DoS-resistance in Key Establishment Protocols
Puzzles serving as proofs of work can be constructed from a number of under-
lying problems as previously described in Section 2.3, which introduce a minimal
and configurable overhead for legitimate initiators but result in a significant com-
putational burden for attackers who wish to send large numbers of requests to a
responder.
Proofs of work can be viewed as a way for an initiator to make a payment to
a responder for the services it will provide. The computational effort expended
in generating the proof of work can be: (1) wasted; (2) reused by the initiator
in completing the protocol; (3) reused by the initiator for some other purpose;
(4) reused by the responder in completing the protocol; or (5) reused by the
responder for some other purpose.
The client puzzles employed by the protocols identified in the following sec-
tion, are typically non-reusable proofs of work, so the computational effort ex-
pended in generating the proof of work is wasted. We will see however, that the
modified version of Internet Key Exchange (IKE) proposed by Matsuura and
Imai [83] adopts a reusable proof of work based on signature verification of the
responder, an action that a legitimate initiator will have to perform in order to
complete the protocol.
As identified earlier, Jakobsson and Juels [55] describe a proof of work in
which the computational effort expended in generating the proof of work is reused
by the responder for another application. There are currently no examples of
key exchange protocols implementing this type of reusable proof of work and
unless an initiator implicitly trusts the responder to delegate its computational
resources, initiators must be aware that the computational effort expended in
generating a proof of work may be reused for malicious purposes.
Even though proofs of work are increasingly being adopted by protocols to
aid in the counterbalancing computational expenditure and as a way of authenti-
cating the willingness of an initiator to commit resources to having the protocol
proceed, their use still faces numerous issues. For example, the puzzle con-
structions based on hash function meet many desirable requirements but they
are susceptible to DoS attacks in which adversaries controlling group of machines
are able to distribute puzzles and solve them in parallel. Meanwhile, the repeated
squaring puzzles provide non-parallelized characteristic but they require the re-
sponder to participate with expensive computation of modular arithmetic to
construct puzzles, or verify their puzzle solution. Hence, the protocol developer
implementing DoS-resistant mechanisms should be careful to select appropriate
algorithms depending on applications that they consider to develop.
3.2. DoS Defending Techniques 59
3.2.4 Client-Aided computation
Client-Aided RSA (CA-RSA) computation has been proposed by Castelluccia et
al. [20] for helping the responder in order to reduce computational workload in
the Secure Socket Layer (SSL) handshake protocol. The general idea of a client-
aided computation is modified from the responder-aided computation originally
introduced by Matsumoto [80] and consequently developed by Horng [52] to
use in a smart card technology. Because conventional smart cards only have
limited computational resources, it takes too long for a smart card to perform
some expensive computation. One possible solution is to distribute most of the
computation to a high-performance processor which is capable of performing fast
modular exponentiation.
In typical authenticated versions of the RSA signature, the responder has
to verify the initiator’s signature for authentication. The responder could be
potentially flooded with a large number of bogus requests by the attacker. One
proposed countermeasure is re-ordering by moving some expensive computation
steps to the initiator side. This technique is called client-aided computation.
Client-aided computation is based on the idea of rebalancing the cost of expensive
computation to the initiator when the responder is under a heavy load condition
i.e. a denial-of-service attack, the responder should move some computations to
the initiator side for reducing responder overload.
In the authentication process, one of the main overload factors is the direct
consequence of expensive public key computations performed by the responder
as part of the 3-way handshake protocol. Castelluccia et al. [20] introduce the
client-aided technique and extend it for rebalancing SSL handshakes based on
RSA computation. Because the 3-way handshake is computationally unbalanced
as the encryption process by the initiator is relatively cheaper than the decryp-
tion process by the responder, then, one possible solution is to modify the key
establishment protocol by letting the responder generate and encrypt the session
key. Thus, the initiator task is changed to decryption process. Since the task of
the responder does not include signature verification as in the original version,
this situation might introduce another DoS attack because the responder needs
to verify an initiator via a certified public key instead. The process requires
the responder to verify a certificate chain for each connection, therefore, the
responder could spend long periods and extensive resources in this operation.
This circumstance would be susceptible to resource depletion on the responder’s
machine.
In summary, the concept of rebalancing the authentication step by moving
60 Chapter 3. DoS-resistance in Key Establishment Protocols
some expensive computation to the initiator side could be one possible solution
to protect the responder from resource depletion. However, this concept could
only be applied to specific protocols, such as SSL, for re-positioning the process of
RSA public-key cryptography between an initiator and a responder. On the other
hand, other DoS-resistant mechanisms, such as client puzzles, can be developed
in any general protocols for improving the security and resistance of protocols.
Thus, this research pays more attention to other techniques for combining them
to counteract adversaries rather than using the client-aided computation only in
the implementation.
3.2.5 Gradual Authentication
While the expense of strongly authenticating initiators using digital signatures
will be dependent on many parameters, the computational expense of a signature
verification will not always be prohibitively expensive. Rabin signatures [107]
with a public exponent of 2 or RSA signatures [111] with a public exponent
of 3 can be verified with only one or two modular multiplications respectively.
While the cost of signature verification with these parameters is low, signature
generation is much more expensive, which may not be suitable for all deploy-
ment scenarios. Other signature schemes, RSA with larger public exponents for
example, increase the cost of signature verification, requiring the responder to
perform expensive modular exponentiations. While newly proposed key estab-
lishment protocols can be specified to accommodate cheap signature verification
for responders the requirement to improve resistance to denial of service attack
remains for already deployed protocols and protocols that for other reasons are
restricted in the choice of signature schemes they must implement.
Gradual authentication provides a mechanism for weakly authenticating an
initiator, prior to performing stronger and more expensive cryptographic authen-
tication. While the use of techniques such as cookies, client puzzles, and releasing
hash preimages do not meet strong notions of authentication, when generated
using cryptographically sound primitives they can be combined in ways which
enable a responder to discount a range of denial of service attacks and present
a number of hurdles that must be overcome by an attacker intent on disrupting
the protocol execution. A key characteristic of the techniques used in gradual
authentication is that they are all cheap for the responder to verify, while their
fabrication is relatively expensive for an attacker. Even when signature schemes
that minimize verification costs to a responder are adopted, the cost of verifying
3.3. DoS-resistance in Key Establishment 61
gradual authenticators such as client-puzzles is still cheaper, costing only a single
hash operation.
The idea of combining weak and strong authentication was first introduced
by Meadows [88] and is proposed as a technique to increase resistance to denial of
service attacks by combining weak authentication when the protocol is initiated
and moving to strong authentication as it completes.
Cookies and client puzzles can be considered forms of weak authenticators.
Cookies provide some assurance that the initiator is able to send and receive
packets from the claimed address - implying that the request is not part of
a connection depletion attack, which typically relies on using random spoofed
addresses. Receipt of a correct solution to a client puzzle provides some assurance
to the responder that the initiator is willing to expend her own resources in order
to get the protocol to proceed.
Other cryptographic techniques, such as the use of message authentication
codes and release of hash digest preimages, that allow the responder to cheaply
verify messages are being adopted by recently proposed protocols such as Host
Identity Protocol (HIP) as discussed in Chapter 3.
Key establishment protocols must complete with strong authentication of
the initiator. Having weakly authenticated the initiator, the responder is able to
commit to the computational expenditure associated with strong authentication
with increased assurance that a denial of service attack is not underway. The
gradual authentication technique is employed by several protocols, for instances
the Host Identity Protocol (HIP) and the Just Fast Keying (JFK) protocols,
discussed in more detail in Chapter 3.
3.3 DoS-resistance in Key Establishment
The ability of key establishment protocols to resist denial of service attacks is
defined in terms of how the protocol can withstand the attacks, and serves the
intended parties without degrading the performance and services. This property
is called denial-of-service resistance of the protocol as defined by Meadows [88].
Having introduced strategies and techniques to tackle DoS attacks in the
previous section, this section provides some concrete examples of use of DoS-
resistant mechanisms in key establishment protocols. To make an important
note, some key establishment protocols implement more than one DoS-resistant
strategy, and individual techniques might be able to be composed in numerous
ways to meet more complex goals to defeat adversaries.
62 Chapter 3. DoS-resistance in Key Establishment Protocols
While denial of service attacks can be classified in three subcategories as
previously described in Section 2.2, we limit ourself to consider attacks targeting
the responder and disrupting legitimate traffic. Additionally, we focus on the
defending techniques used to protect the responder against malicious parties as
the impact on the responder, who is a centre to distribute and maintain services
on the system, is far more significant than on the initiator.
For the DoS-resistant protocols presented in this chapter, we focus on those
elements of the protocol that implement denial of service resistance techniques.
Our representation of the protocols is simplified, with references to header infor-
mation and certificate requests, that are not relevant to the discussion of denial of
service resistance, deliberately omitted. For complete descriptions of the proto-
cols, the reader is referred to the full protocol specifications. Table 3.1 represents
a list of notation used in the protocols for the remainder of this chapter.
3.3.1 Photuris
Photuris is a session-key management protocol developed by Karn and Simp-
son [64,122] in 1999. Photuris functions are much simpler than the Internet Se-
curity Association and Key Management Protocol (ISAKMP) [84], and Internet
Key Exchange (IKE) [51]. The security goals of Photuris are defending against
resource exhaustion attacks1, providing forward secrecy of the session-keys, and
protecting privacy for the participants. Photuris establishes short-lived session-
keys for using between two parties without passing the session-keys across the
Internet. These session-keys directly replace the long-lived secret-keys in order
to protect the compromise of long-lived secret key by the adversary. Photuris
publicly distributes a shared value by using a Diffie-Hellman (DH) protocol [34],
and uses an RSA signature for authentication. Figure 3.1 represents the simpler
version of Photuris.
Counterbalancing memory expenditure
Photuris implements a cookie and stateless connection to counterbalance memory
to protect the responder against DoS attacks. A cookie functions as a reachability
test preventing adversaries attempting to launch IP address spoofing attacks as
used in Smurf attacks [24]. Meanwhile, stateless connection is implemented to
protect the responder from exhausting the computational and storage resource
to handle a large number of bogus requests. It can be achieved by keeping
1Oppliger has defined this term as resource clogging attacks in [104]
3.3. DoS-resistance in Key Establishment 63
Table 3.1: Protocol Notation
Messages Notation
I The principal who initiates the request message known as Initiator or client
RThe principal who responds to the request message known as Responder orserver
ID Identity of the principal
IP Network address of principal
H(M) Unkeyed cryptographic hash of the message M
HK(M) Keyed cryptographic hash of the message M with key K
KsSession key generated by key exchange protocol which is used to secure ongoingcommunications
EKs{M} Symmetric encryption of message M with the secret key Ks
{M}KeKa
Encryption of M using symmetric key Ke followed by MAC generation withsymmetric key Ka.
PKR[M ]Asymmetric encryption of the message M by the public key PKR belongingto R
SKR[M ]Asymmetric decryption of the message M by the private key SKR belongingto R
SigI(·) Digital signature signed by the private key SKI belonging to the principal I
SigR(·) Digital signature signed by the private key SKR belonging to the principal R
LSB(t, k) Returns the k least significant bits of an output by taking a string t as input
0k A string consisting of k zero bits
p, q Large prime numbers
n = pq An RSA modulus
i, r A Diffie-Hellman secret parameter of I and R, respectively
gGroup generator of order q used in Diffie-Hellman key exchange and key agree-ment protocol
s A periodically changing secret only known to the responder R
t Digital Timestamp
NI , NR Nonce; a random bit string of principal I and R respectively
HII , HIR The host identity of an initiator and a responder, respectively
HITI , HITRThe host identity tag of I and R created by taking a hash over the host identityHII and HIR
AttAttribute List including Identification, Authentication, and Encapsulationused in Photuris
SPI Security Parameters Index
saICryptographic and service properties of the security association (SA) that theinitiator wants to establish
saR SA information that the responder may need to give to the initiator
puzzle(m,H (M ), k)Initiator puzzle with partial pre-image m, digest of full preimage H(M) anddifficulty level k
solution(J )Solution J to a puzzle of the form puzzle(m,H (M ), k), such that H(J) =H(M)
grpinfoR All groups supported by the responder
x ∈R A Assigns to x an element of the set A chosen uniformly at random
CertRA certificate which contains a responder’s identity and a public key used forauthentication
64 Chapter 3. DoS-resistance in Key Establishment Protocols
the responder stateless until the strong authentication has been successful as
recommended by Meadows [87].
In more detail, once the responder receives an initiation request from the
initiator, the responder creates a cookie by using the source IP address and
some secret data known only to the responder. Then, the responder returns this
cookie to the source IP address of the initiator. At this state, the responder
does not have to store state information as well as does not perform expensive
computation. In order to run any services from the responder, the initiator
needs to return the cookie to the responder within a given time for verification.
If these processes were completed, the responder provides services and allocates
the resource to store the connection status of this IP address.
I R
1)CookieRequest−−−−−−−−−−−−−−→ Cookie = H (IPI , saR1 , s)
2) select saI from saR1Cookie, saR1←−−−−−−−−−−−−−−
3) i ∈R [1, 2, . . . , q − 2]Cookie, saI , g
i
−−−−−−−−−−−−−−→ Cookie?= H (IPI , saR1 , s)
determine saI
r ∈R [1, 2, . . . , q − 2]
4) Kir = H (g ir)Cookie, saI , g
r
←−−−−−−−−−−−−−−v ′I = HKir (Cookie, SPI ,AttI )
Ke = H (Cookie, g i , gr , SPI , g ir)
E1 = EKe{IDI , v′I ,AttI}
sigI = SKI [EKe{IDI , v′I ,AttI}] Cookie, SPI ,
5)E1 , sigI−−−−−−−−−−−−−−→ Cookie
?= H (IPI , saR1 , s)
Kir = H (g ir)
Ke = H (Cookie, g i , gr , SPI , g ir)
decrypt E1
verify sigI
v ′I?= HKir (Cookie, SPI ,AttI )
v ′R = HKir (Cookie, SPI ,AttR, v ′I )
E2 = EKs{IDR, v ′R,AttR}sigR = SKR[EKs{IDR, v ′R,AttR}]
Cookie, SPI , Ks = H (Cookie, v ′R, g ir)
6) Ks = H (Cookie, v ′R, g ir)E2 , sigR←−−−−−−−−−−−−−−
decrypt E2
verify sigR
Figure 3.1: Photuris Protocol [64]
3.3. DoS-resistance in Key Establishment 65
Gradual authentication
Photuris starts with the cookie verification as a weak form of authentication. Us-
ing a cookie in Photuris establishes a stateless connection for protecting resource
consumption attacks. This process involves no expensive operations because the
cookie generation and verification method uses a cryptographic hashing function
which is fast and cheap operation to thwart CPU exhaustion attacks. Once the
responder ensures the validity of the source address, the responder continues to
exchange the Diffie-Hellman key exchange parameters used to compute a shared
secret key. The responder checks information encrypted with this shared secret
key, and verifies the initiator authenticity using public-key encryption as the
strong authentication.
3.3.2 Modified Internet Key Exchange
The Internet Key Exchange (IKE) protocol [51] was designed to perform mutual
authentication and establish a shared secret key for use in an IPsec security as-
sociation. As originally specified, the aggressive, signature based authentication
mode of IKE was vulnerable to CPU and memory exhaustion denial of service at-
tacks. In order to address these vulnerabilities Matsuura and Imai [83] proposed
modifications to improve the protocol’s resistance to both computational and
memory based denial of service attacks. The modified protocol is presented in
Figure 3.2 and adopts techniques that counterbalance computational and mem-
ory expenditure, and implement gradual authentication.
Counterbalancing memory expenditure
To address memory based denial of service attacks, this modified version of IKE
stores no state after the first message. Unlike the original cookie construction
that was vulnerable to a cookie crumb attack [121], the cookie in the modified
protocol is constructed as a hash over request specific parameters, responder
secret s, random fresh material a and Diffie-Hellman exponent r. The session
specific secret parameters a and r are not stored by the responder, instead the
protocol remains stateless by sending an encrypted copy of these parameters to
the initiator.2 In addition to allowing the responder to remain stateless, the
cookie acts as a reachability test for the initiator, providing assurance that a
spoofed address is not being used.
2While not specifically indicated in the protocol specification, we suspect that not onlythe exponent, but the actual Diffie-Hellman value gr must be securely sent to the initiator,otherwise the responder would have to recalculate the value on receipt of message 3.
66 Chapter 3. DoS-resistance in Key Establishment Protocols
responder recovers x by calculating Mpnp + Mqnq (mod N), which is much less
computationally expensive than performing the modular exponentiation yd (mod
N). The responder can now derive the session key Ks.
Counterbalancing computational expenditure
Recognising that while CA-RSA eases the responder’s computational burden it
cannot be used as a proof of work, the protocol is supplemented by the addi-
tion of a Juels and Brainard [62] style client puzzle to ensure that the responder
only attempts to decrypt values from initiators who can provide a proof of work.
Unfortunately the puzzle construction specified is in violation of the guidelines
78 Chapter 3. DoS-resistance in Key Establishment Protocols
specified by Juels and Brainard and is constructed by hashing a random value. A
puzzle construction that does not include: time or rely on a time variant respon-
der secret; or any connection specific parameters, introduces numerous problems.
Firstly, the responder will be unable to know whether the puzzle solution it is
verifying is to a puzzle that it issued3 or if it is a puzzle that has been solved
previously unless it stores state. As mentioned earlier, storing state leaves the
responder vulnerable to memory-based denial of service attacks. Secondly, the
failure to make puzzles time variant provides no mechanism for a responder to
defend itself against an initiator that hoards puzzles, generating solutions at its
convenience, and then flooding the responder with legitimate puzzle solutions.
Finally, the failure to encode connection specific parameters into the puzzle, or
to make use of cookies, prevents the responder remaining stateless after message
1 and results in the responder having no assurance that the initiator is reach-
able at the IP address claimed. Storing state without confirmation of initiator
reachability exposes the responder to anonymous memory-based flooding denial
of service attacks.
Counterbalancing memory expenditure
As with the unmodified version of TLS, CA-RSA does not make use of cookies
to counterbalance memory expenditure. The puzzle construction adopted by
the protocol is inadequate to replace the function of a cookie for allowing the
protocol responder to remain stateless and serve as a reachability test. Two
consequences of this are that the responder must store state on each connection
request, making it vulnerable to a memory-based denial of service attack, and
secondly, the responder has no way of assessing whether the initiator is using a
spoofed IP address.
Gradual authentication
Assuming that the responder maintains the significant amount of state required
to keep track of issued puzzles, the receipt of a valid puzzle solution could provide
some assurance that the initiator has committed computational resources to
having the protocol proceed.
While this protocol attempts to counterbalance computational expenditure,
the combination of a poorly constructed proof of work, a failure to counter-
balance memory expenditure leaves the protocol vulnerable to denial of service
3If an initiator can choose its own puzzles to solve independently of the responder, therewould be a great risk of the initiator precomputing a large number of puzzle solutions to usein a denial of service attack.
3.4. Discussion and Conclusion 79
attacks. To counterbalance memory expenditure, the responder should adopt
the use of cookies, or use a puzzle construction that is consistent with meeting
the functional requirements of a cookie.
3.4 Discussion and Conclusion
Having classified several promising mechanisms and defending techniques in
Chapter 2, as well as identified desirable properties of DoS-resistance in key
establishment protocols, Table 3.2 provides a summary of the seven protocols
in terms of DoS-resistant mechanisms and strategies. We note that the number
of key exchange protocols implementing denial of service resistance techniques
is limited, with our review of the literature revealing only seven protocols. Of
those protocols implementing denial of service resistance techniques only three,
Modified IKE, Host Identity Protocol (HIP), and Lee & Fung’s protocol, use
techniques supporting all three strategies: counterbalancing computational ex-
penditure; counterbalancing memory expenditure; and gradual authentication.
Nevertheless, those protocols implementing all three strategies do not appear to
be significantly more complex than the protocols implementing only a subset of
the strategies.
Key establishment protocols are particularly vulnerable to denial of service
attacks owing to the significant resources they must expend in authenticating ini-
tiators and generating the cryptographic keys used for securing ongoing commu-
nications. The goal of denial of service resistance in key establishment protocols
is to ensure that attackers cannot prevent a legitimate initiator and responder
deriving cryptographic keys without expending resources beyond a responder
determined threshold.
In this chapter, we have explored the strategies and techniques that permit re-
sponders to counterbalance memory expenditure, counterbalance computational
expenditure, and to gradually authenticate initiators, thereby determining the
level of resources an attacker must commit to disrupting the key establishment
protocol and improving the responders resistance to denial of service attacks.
The adoption of denial of service resistance techniques in seven key establish-
ment protocols was critically analysed.
Cookies were identified as a technique that can counterbalance memory ex-
penditure and initiate gradual authentication. Correctly constructed cookies
allow the protocol responder to remain stateless and serve as a reachability test,
providing the responder with assurance that an initiator is able to send and re-
80 Chapter 3. DoS-resistance in Key Establishment Protocols
Table 3.2: Summary of DoS Resistance Techniques used by Protocols
Key Establishment Protocol Mechanisms Strategies
Photuris [64] Cookie Rebalancing Memory
Cookie → EK{message} → Signature Gradual Auth.
Modified IKE [83] Cookie Rebalancing Memory
PoW Rebalancing CPU
Cookie → HASH ∗I → Signature Gradual Auth.
IKEv2 [65] Cookie Rebalancing Memory
Cookie → MAC → Signature Gradual Auth.
JFK [3] Cookie Rebalancing Memory
Nonce → Cookie → MAC → Signature Gradual Auth.
HIP [95] Cookie Rebalancing Memory
PoW Rebalancing CPU
Cookie → PoW → Signature Gradual Auth.
Lee & Fung [72] PoW Rebalancing memory
PoW Rebalancing CPU
Cookie → Signature Gradual Auth.
CA-RSA [20] Client-Aided Comp. Rebalancing CPU
PoW Rebalancing CPU
PoW → Decrypt secret seed Gradual Auth.
ceive messages from a claimed address. Cookie generation must not lead to any
state creation, as this will expose the responder to a “cookie crumb” attack.
Proofs of work can be used to counterbalance computational expenditure at
the responder and authenticate the commitment of initiator to expending re-
sources to having the protocol proceed. While proofs of work can be constructed
from a range of underlying problem, proofs of work based on hash-based con-
structions are the most prevalent as they are simple to construct and can be
verified cheaply.
The notion of gradual authentication was introduced as a strategy for allow-
ing responders to gain assurance that an attack is not underway and that an
initiator is willing to commit computational and memory resources to having
the protocol proceed. Specific techniques for gradually authenticating initiators
were presented and discussed. A common characteristic of each of the techniques
3.4. Discussion and Conclusion 81
is that they all afford the responder the ability to cheaply verify some aspect of
a received message, while fabrication of a message that can pass the responders’
check is expensive for an attacker.
In summary, the goal of protocol designers to strengthen key establishment
protocols to withstand DoS adversaries is to ensure that those malicious users
should not easily disrupt the service between legitimate user and the respon-
der. In practice, the general concept to counteract DoS adversaries could be
to increase the computational tasks and required resources to the adversaries
who attempt to mount attacks. In the meantime, this implementation should be
able to ensure that legitimate users should not expend their resources beyond
an acceptable threshold. At least, this will guarantee that the proposed DoS-
resistant protocols are able to withstand those attacks and serve the intended
users properly without service disruption.
Having identified the characteristic as well as key strengths and weaknesses
of individual DoS-resistant protocols, the next chapter will discuss a formal tech-
nique used to examine and explore DoS vulnerabilities in key establishment pro-
tocols, namely Meadows’ cost based framework. In addition, the next chapter
will provide a technique to model and use automated analysis for examining DoS-
resistance in key establishment by using Coloured Petri Nets. For modelling and
analysing the characteristic of denial of service resistance of key establishment
protocols, we select HIP as an example because HIP is the latest DoS-resistant
key establishment protocol that incorporates all proposed defending mechanisms.
82 Chapter 3. DoS-resistance in Key Establishment Protocols
Chapter 4
Denial of Service Model for Key
Establishment
Formal methods are an effective tool to analyze whether the design of crypto-
graphic protocols is secure or not. Formal methods became popular after the
development of the BAN logic (Section 2.4.1) in 1989. In formal methods analy-
sis, a set of participant’s confidence is generated from a set of initial assumptions
and the protocol messages. If these messages satisfy the goals of the protocol,
then the protocol is valid.
In the case of denial of service attacks, it is a little complicated to model
a framework of adversaries executing DoS attacks because of the complexity of
such attacks and abilities of adversaries. One promising way has been introduced
by Meadows [87,88]. Meadows has proposed a solution to model a DoS-resistant
framework in cryptographic protocols by comparing cost to the attacker and cost
to the responder in execution the protocol, defined as a cost set. To model the
protocol framework, we need to calculate the cost of sequence actions comparing
between an attacker and a responder. However, there has been a small gap in
this technique in order to analyse the DoS-resistant protocols more accurately.
To fulfill this lack, we introduce the way for refining and calculating the cost of
actions based on the cryptographic benchmark and the technique for comparing
them during the protocol runs.
Surprisingly, there has been little interest in the research community in apply-
ing Meadows’ framework to different protocols. Moreover, the limited application
so far has suffered from two significant shortcomings which make the results of
restricted value. Firstly, the cost analysis in the original work has only taken
83
84 Chapter 4. Denial of Service Model for Key Establishment
into account honest runs of the protocol. In principle, the adversary (typically
the client in a client-server protocol) can deviate arbitrarily from the protocol
in order to achieve an attack. By only taking into account honest behaviour
it is quite likely the logical attacks will be missed. While Meadows certainly
recognised this fact, there has only been a few researches has yet examined the
effectiveness of the framework in detecting such potential attacks. One exam-
ple has been done in an examination of DoS-resistance in the Just Fast Keying
(JFK) protocol by Smith et al. [125]. Secondly, Meadows used only a coarse
measure of computational cost, with three levels denoted as cheap, medium or
expensive. In practice it can be quite difficult to classify and compare operations
in such a limited way. For example, in Meadows’ classification digital signature
generation and verification are counted as of equal cost, yet in practice an RSA
signature generation may take 2 or 3 order of magnitude more effort than RSA
signature verification.
The formal tool that we use to develop DoS-resistant models of key estab-
lishment protocols based on the concept of Meadows’ cost-based framework
is Coloured Petri Nets (CPNs) [11, 57, 58]. Over many years, cryptographic
and security protocols have been modeled and verified using Coloured Petri
Nets [4, 38, 39, 59, 94, 99]. To the best of our knowledge, however, there is no
implementation of CPNs focusing on an exploration of vulnerabilities based on
unbalanced computation that might lead to DoS attacks in key establishment
protocols. As a result, this problem leads us as a challenge of using CPNs in
DoS attacks modelling and analysis.
Motivated by the above limitations, this chapter provides a refinement of
Meadows’ cost-based framework. For our sample protocols we use the Host
Identity Protocol (HIP) [95], which has built-in DoS resistance and implements
all strategies and techniques mentioned in Chapter 3. To develop a formal frame-
work of such protocols, we use CPN Tools [130] which is a general-purpose ver-
ification tool for modeling and analysing Coloured Petri Nets. Using CPNs as
our formalism, we provide a formal specification of two protocols to allow auto-
matic searching of adversary and victim cost under different adversarial attack
strategies.
The main contributions of this chapter are
• An investigation the usefulness of using Meadows’ cost-based framework
and Coloured Petri Nets for modeling and analysing key establishment
protocols;
4.1. Meadows’ Cost-based Framework 85
• A refinement of Meadows’ cost-based framework to more accurately repre-
sent the cost of typical cryptographic algorithms;
• An examination of the denial of service vulnerabilities in Host Identity
Protocol (HIP) by using Meadows’ cost-based framework and Coloured
Petri Nets;
• An automated model constructed in the CPN Tools for analysing cost of
computation between initiators and a responder in order to identify the
vulnerabilities based on the concept of Meadows;
In the remainder of this chapter, Section 4.1 provides the definition and ex-
ample use of Meadows’ cost-based framework to examine the DoS resistance
in the HIP protocol. In addition, the proposed technique to refine the defini-
tion of computational cost in the Meadows’ framework is demonstrated in this
section. Section 4.3 describes the technique to implement Coloured Petri Nets
for modelling and analysing cryptographic protocols. An experiment of Host
Identity Protocol (HIP) cost-based analysis is setup and examined in this sec-
tion. Finally, discussion on the advantages and disadvantages of using Meadows’
cost-based framework and CPN Tools is provided in Section 4.5.
4.1 Meadows’ Cost-based Framework
Design of key establishment protocols has long been considered a delicate prob-
lem, but the analysis of a protocol becomes even harder when DoS prevention
is an additional requirement. Meadows [88] introduced a systematic framework
to evaluate DoS resistance of a protocol by computing the cost incurred by both
parties at each step in key establishment protocols. Meadows analysed the STS
protocol (a protocol without special DoS resistance properties) and later Smith
et al. [125] used Meadows’ framework to analyse the JFK protocol [3] in order
to evaluate its DoS prevention capabilities.
Meadows framework [87, 89] works by comparing the cost to the attacker
and cost to the responder in execution a protocol, defined using a cost set. To
model the Meadows’ cost-based framework, we need to calculate the cost of
sequence actions comparing between an attacker and a responder. However, we
need to find the appropriate technique to refine the cost set of these actions and
the technique for comparing them because during the protocol runs each action
could use different resources for computing, i.e. CPU or memory. One possible
86 Chapter 4. Denial of Service Model for Key Establishment
solution that we use in our model is the cryptographic benchmark [32]. We
replace the original cost set; cheap, medium, and expensive, with the CPU usage
of individual cryptographic operations tested on different platforms. Details will
be discussed later in Section 4.2.
4.1.1 Definition
To analyse the protocol specification, we begin with the notation and definitions
introduced by Meadows [88]. The protocol framework uses the Alice-and-Bob
notation to represent message sequences communicated between an initiator and
a responder.
Definition 1. The sequence of messages sent from the principal A to the prin-
cipal B in the protocol is written in the form
A → B : T1, . . . , Tk ‖ M ‖ O1, . . . , On
• Ti are the operations performed by the principal A for preparing the message
M , whereas the sequence T1, . . . , Tk represents the order steps to construct
message M by the principal A.
• M is the sent message from the principal A and subsequently received by
the intended recipient B.
• Oi are the operations performed by the principal B for processing the mes-
sage M , whereas the sequence O1, . . . , On represents the order steps to pro-
cess message M by the recipient B.
Definition 2. An event in the operation A → B : T1, . . . , Tk ‖ M ‖ O1, . . . , On
is one of:
• an operation in Ti or an operation Oj.
• an operation in Ti, and A sends M to B are said to occur at A; or
• an operation in Oj, and B receives M from A are said to occur at B.
There are three types of events:
1. Normal events appear at both principals and always succeed and are fol-
lowed by the next events.
2. Verification events appear only at the recipient side and can be either
success or failure.
4.1. Meadows’ Cost-based Framework 87
3. Accept events appear at the end of the operations Oj indicating the com-
pletion of the process.
Definition 3. A cost set C is a set with operation + with partial order ≤ such
that
x ≤ x + y and y ≤ x + y for all x, y ∈ C.
Definition 4. Event cost function (δ) and message processing cost function (δ′)
• δ is an event cost function that transfers sets of operations in the protocol
into the cost set C and is 0 in case of accept events.
• δ′ is a message processing cost function related to δ defined on verification
events {Vi} ⊂ {Oj} such that
for A → B : T1, . . . , Tk ‖ M ‖ O1, . . . , On
if {Vi} = {Oj}, then δ′(Vi) = δ(O1) + . . . + δ(Oj)
In general, a message processing cost δ′ is a total computational cost that the
message receiver involves from the beginning of receipt of a message until a final
verification of this message has been done.
Definition 5. Responder protocol engagement cost function (∆)
• ∆(On) is the sum of all operational costs appearing at the responder B up
to the accept event On, plus operational costs of processing the response
message related to such accept event On.
In particular, the protocol engagement cost function ∆ includes all operating
cost at the responder to perform a message verification. If the responder reaches
to an accept event, it needs to prepare a response. In this case, the protocol
engagement cost function must include this preparing operational cost of the
replied message. Undoubtedly, most protocols require the responder to process
digital signature generation, which requires the responder to spend expensive
computation, in order to prepare a response. Therefore, this could cause the
responder to be susceptible to denial-of-service attacks.
Definition 6. Attacker event cost function φ, attacker cost function Φ, and
attack cost function Θ are defined as follows
• φ is a function used to map attacker actions to attacker costs.
88 Chapter 4. Denial of Service Model for Key Establishment
• Φ is a sequence of attacker actions, in which
Φ({x1, . . . , xn}) = φ(x1) + . . . + φ(xn)
where xi are the attacker’s capabilities.
• Θ regards to each event E of the system such that an attacker interferes
with any message desirably-preceding E, then neither E nor any events
desirably-after E will occur, unless the cost of the capabilities which the
attacker uses for interfering with any messages is at least Θ(E).
According to the definition described by Meadows, we say that Ej is desirably-
after Ei if Ei desirably-precedes Ej, for i < j. Events that are occurred under
the desirably-preceding and desirably-after notations allow the principal to in-
corporate with the spoofed, redirected, or altered actions. The full detail of
desirably-preceding and desirably-after have been described by Meadows’ Defini-
• τ ⊂ C × G; consists of all pairs (c, g) such that the attacker cannot
force a responder to expend resources of cost c or greater without expending
resources of cost g or greater. Therefore, the protocol is secure under the
condition that (c′, g′) is within the tolerance relation τ = (∆(E), Θ(E)) if
there is a (c, g) ∈ τ such that c′ ≤ c and g′ ≥ g.
4.1.2 Cost sets and Tolerance relation
Once we have translated the actions from the protocol into the computational
costs of the principal, then, we can compare all actions of the protocol run
between the initiator and the responder. The protocol is secure against Denial-
of-Service attacks, if the final cost is great enough from the point of view of the
attacker in comparison with the cost of engaging in the events up to an accepted
action from the point of view of the responder. Otherwise, it concludes that the
protocol is insecure against Denial-of-Service attacks. Table 4.1 provides cost of
protocol executions and table 4.2 provides a conclusion of the cost of an attacker
during a protocol execution.
To assess that the investigated protocol is secure against DoS or not, we need
to examine the tolerance relation τ as defined in definition 6. From the Meadows’
original work, the cost sets C and the attacker cost set G are defined as:
4.1. Meadows’ Cost-based Framework 89
Table 4.1: Cost of protocol executions
Action Cost
1) pre X : preprocessing of an oper-ation X
= Cheap
2) create: create a message = Cheap
3) exp: compute an exponentialfunction
= Cheap
4) determine: determine a message = Cheap
5) compute: compute a mathemati-cal operation
= Cheap to Medium
6) HASH
6.1) compute = Cheap to Expensive (depended on
difficulty level of a client puzzle)
6.2) verify = Cheap to Medium
7) Symmetrical Encryption
7.1) computekey = Medium
7.2) encrypt = Medium
7.3) decrypt = Medium
8) Asymmetrical Encryption
8.1) sign = Medium
8.2) verifysig = Expensive
expensive > medium > cheap > 0
In term of the tolerance relation τ , it contains the subset of the cost sets Cand the attacker cost set G. The protocol is secure against DoS attacks if the
subset (C, G) lies within acceptable tuples including:
90 Chapter 4. Denial of Service Model for Key Establishment
Table 4.2: Cost to an Attacker [88]
Action Cost
1) Sending a legitimate message= The cost of computing the mes-sage
2) Forging a return address = Cheap
3) Reading messages = Medium
4) Creating a new message out of oldones
= Cost of deconstructing the oldmessage + Cost of creating the newmessage
5) Disabling of a legitimate principal = Medium
6) Substituting bogus messages forgenuine ones in real time (man-in-the-middle attack)
= Very expensive
7) Breaking cryptosystem = Maximal
8) Inducing a principal to initiatecommunication with a bogus, dis-abled, or dishonest principal
The units that we use in Table 4.3 are cycles per block (note that block size
varies for different algorithms) for hash function and symmetrical encryption, and
1000 cycles per operation for public key encryption and key exchange algorithms.
This allows direct comparison of CPU usage and may be expected to be similar on
processors with different clock speeds. This entails conversion from the original
data which uses direct time measurements.
From the table, we can estimate the CPU usage in cycles per block for com-
mon hash functions and the symmetric key encryption, and cycles per key lengths
in bits for the public-key encryption and Diffie-Hellman key exchange algorithm.
Once we get a result, we scale it down by a factor of 1000 and apply these costs
4.3. CPNs Simulation and Performance Analysis 97
in our formal specification and analysis. Before we can export these values into
CPN Tools we round them into an integer representation because CPN Tools
allows only integers in the simulation process.
4.3 CPNs Simulation and Performance Analy-
sis
The simulation of a CPN can be seen as an occurrence sequence consisting of
markings that are reached and steps. For a transition to be enabled in the current
marking, it must be possible to bind data values to the variables appearing on
the surrounding arc expressions and in the guard and the following conditions
must be met. Firstly, each of the input arc expressions evaluates to tokens that
are present on the corresponding input places. Secondly, if there is any guard, it
must evaluate to true. The occurrence of a transition removes tokens from the
input places and adds tokens to the output places. The removed tokens are the
result of evaluating the expressions on the corresponding incoming arcs, while
the values of the added tokens are the result of evaluating the arc expressions on
the corresponding outgoing arcs.
Simulations allow the user to understand and to debug the model. The
CPN simulator supports execution of CPN models and provides two fundamental
modes of simulation that are suitable for different purposes.
1. Interactive simulation
In an interactive mode, the developer can make a detailed investigation
of the behavior of the individual transitions or small parts of the model.
The user can control, set breakpoints, choose between enabled binding ele-
ments, change markings of places, and study the token in detail as a single
step debugging in a programming language. The purpose is to investigate
whether the individual components work as expected or not. However,
interactive simulations are very slow.
2. Automatic simulation
The automatic mode of the simulator is suitable for investigate the over-
all behavior of the full model. In this case, the simulator makes random
choices between enabled binding elements. The developer is in control
of automatic simulations by means of stop options. However, the token
is not displayed during automatic simulations. Therefore, this technique
98 Chapter 4. Denial of Service Model for Key Establishment
typically represents less information than expectation. A way to obtain
information is to use the simulation report which is a text file containing
detailed information about all the bindings of transitions which occurred.
In this technique, it is possible to obtain the result much faster than an
interactive simulation.
To achieve the formal proof of the security protocol not only the simulation
techniques can be used to explore the vulnerabilities of the protocol, but the
state space analysis can be used to check the security and correctness of the
protocol specification as well. In this research, we limit our scope to use the
performance analysis at the final step in order to evaluate the protocol’s behavior
from different types of workloads from DoS adversaries. An addition purpose of
the performance analysis in our work is to determine which parts of our new
protocols might be able to optimize speed and memory usage.
The performance analysis1 is used the time concept of CPNs by conducting
simulation of systems called Timed CPNs2. The concept is based on the using
of a global clock which is either integer or real value. In addition, the system
allows each token to carry a time value called a time stamp. The time stamp
describes the earliest model time at which the token can be added or removed by
the occurrence of a binding element in which the time stamps of the tokens to
be removed must be less than or equal to the current model time. The execution
of a timed CPNs is time driven. It works in a similar way to the event queues
that used in many other programming languages for discrete event simulation.
Once applying the performance analysis in a system, some mechanism is
needed to generate the workload or traffic for using as input for evaluating the
performance of the system. There are a number of techniques which can be
applied when generating the workload. One technique is to make a CP-net
which is part of the CPN model, and which is responsible for generating the
workload. In other cases the workload may be available from a text file which
can then be read into the CPN model. A third technique is a combination of the
two former techniques in which a separate CPN model is created which generates
the workload and writes it into a text file. Then, this text file can be used as
input for the actual CPN model.
Simulation based on performance analysis might consist of a large number of
statistical data during a process. To make it simple to collect data during such
simulations, the CPN simulator implements a number of high-level primitives
1The performance analysis will be applied to our new approach in Chapter 62The Timed CPNs concept will be used in the modelling of HIP later in Chapter 5 and 6
4.4. Formal Modelling and Performance Analysis of HIP 99
and data structures for data collection. The collected data are stored in data
structures called data collections. Moreover, data collections offer operations for
computing the average, standard deviation, and minimum and maximum of the
observed values. The output of the process can be written to a performance re-
port which provides a quick summary of the observed values and the performance
of the system. The data to be collected depend on the performance measures
of interest, for example, the throughput and the delay of the communication
protocol. This issue regarding to performance analysis will be discussed again in
Chapter 6.
4.4 Formal Modelling and Performance Analy-
sis of HIP
As the cryptographic protocol and the attack strategy becomes more compli-
cated, the protocol engineering requires some automated analysis techniques
and tools to help in the design and analysis process. CPN Tools is well-known
and widely used in the system engineering community for modelling and anal-
ysis of communication protocols. In this section, we demonstrate the results of
modelling and analysis by simulation of the Host Identity Protocol (HIP) [95],
which implements DoS-resistant strategies. The major purpose of simulation is
to search for unbalanced computational states and to compare computational
costs between an initiator and a server in order to find system flaws based on
resource exhaustion attacks.
4.4.1 Adversaries’ Ability
For the analysis of the adversary capacity, we consider four types of adversary.
Type 1 adversary computes a valid first message (may be pre-computed in
practice), and then takes no further action in the protocol.
Type 2 adversary completes the protocol normally until the third message
is sent and takes no further action after this. The computations of this
adversary include searching a correct client puzzle solution J , generating a
session key Ke and encrypting a public key PKI , and finally computing a
digital signature SigI .
Type 3 adversary completes the protocol step one and two with the exception
that the adversary does not verify the server signature sigR1. The adversary
100 Chapter 4. Denial of Service Model for Key Establishment
searches for a correct client puzzle solution J but randomly chooses the
remaining message elements: an encrypted element Ke{HII} and a digital
signature sigI . The adversary takes no further action in the protocol.
Type 4 adversary is like an adversary type 3, except that the client puzzle
solution J is now also chosen randomly.
In more details, the fundamental objective of a Type 1 adversary is to over-
whelm the server’s storage by sending a large number of requested packets, for
example, a denial-of-service attack via ping [22] and SYN flooding attack [23],
while the major goal of a Type 2, 3, and 4 adversary is to force the server to
waste computational resources up to the final step of the digital signature veri-
fication and digital signature generation which are expensive operations. There
are three possible situations to cause a server to waste computational resources
by the adversary;
1. All values of the third message including a puzzle solution J , an encrypted
part Ke{HII}, and a digital signature sigI are valid. This process requires
adversaries type 2 to participate in the round trip communication up to the
completion of step 3 on the client side. This output will force the server to
process a gradual authentication and complete the final step of the com-
munication. However, the tolerance relation of this attack is (expensive,
expensive), which is an acceptable outcome. Thus, HIP can resist against
this attack strategy.
2. Only the client puzzle solution J is valid. This process requires adver-
saries type 3 to participate in the round trip communication up to puzzle
solving in the step 3 on the client side. This bogus message causes the
server to involve the puzzle solution verification, the symmetrical key de-
cryption, and the signature verification. Even though the server can detect
the bogus signature from adversaries, the server has already involved with
an expensive operation. As a result, the tolerance relation of this attack
is (expensive, medium), which is an unacceptable range. This situation
leads to an achievement of the type 3 adversary to denial the service on
the server.
3. The client puzzle solution J is invalid, so the server computes only a cheap
hash function to verify the solution and then this connection will be termi-
nated whether the remaining messages are valid or not. Even though Type
4.4. Formal Modelling and Performance Analysis of HIP 101
4 adversary spends only cheap process to craft bogus messages, the server
can detect the attack at the cheap state. As a result, Type 4 adversary
fails to mount DoS attacks on the server machine because the tolerance
relation is in the secure location, which is (cheap, cheap).
4.4.2 Tolerance Relation (τ)
In order to evaluate the DoS-resistance of HIP from the CPNs cost-based simu-
lation, we need to define the tolerance relation of the protocol. From Meadows’
original work, a tolerance relation τ is defined in term of an ability of DoS-
resistant protocols to resist denial of service attacks, and serves the intended
parties without degrading the performance and services. Meanwhile, Aiello et
al. define this term in the JFK protocol (Section 3.3.4) such that the protocol
can resist DoS attacks if the responder does not incur any expensive computation
before the attacker identity has been revealed.
In our HIP modelling and simulation using CPNs, we define a tolerance rela-
tion τ and DoS-resistance such that the protocol is able to withstand DoS attacks
if the difference between the computational cost of the responder to engage in
the protocol and the computational cost of the attacker to force the responder
to process its messages is not greater than an acceptable threshold (Thres). This
threshold can refer to an expensive operation on the server, digital signature veri-
fication for instance. To assess the protocol by comparing the cost of an attacker
to the responder, the tuples of a cost set in a tolerance relation of Meadows’
framework are defined somewhat subjectively as cheap, medium, and expensive
as provided in Section 4.1.2. The objective of defining these tuples is to make
sure that the attacker is not able to expend only cheap or medium operation,
while it can force the responder to spend computation somewhat expensive to
respond to this attack.
As we replace the notation (cheap, medium, expensive) with the crypto-
graphic benchmark, the computational cost comparing between an attacker and
a responder will be more accurate. While the main goal of our analysis is sim-
ilar to the Meadows’ technique, we need to examine whether the attacker can
mount DoS attacks with cheap operation to cause the responder to engage in
some expensive operations such as digital signature generation and verification
or not. By analysing with an automated simulation tool; CPN Tools, we can
easily gather the attacker cost and the responder protocol engagement cost for
evaluating whether it lies in a subset of acceptable tuples of the tolerance relation
102 Chapter 4. Denial of Service Model for Key Establishment
or not. Following is a definition of our tolerance relation.
where Thres is an acceptable threshold defined as the computational cost of
digital signature verification.
4.4.3 A Cost-based Model of HIP in CPNs
HIP is a four-packet exchange protocol which allows the initiator I on the IP
address IPI and server R on the IP address IPR to establish an authenticated
communication (full protocol of HIP base exchange is illustrated in Figure 3.5).
Both I and R hold long-term keys to generate signatures sigI(·) and sigR(·)respectively. A public key PKI of the initiator and PKR of the server are
represented in the form of host identifiers (HI). HIT represents the host identity
tag created by taking a cryptographic hash over a host identifier HI.
A one-way hash function H(·) is used to form the puzzle, while HKs represents
a keyed hash function using session key Ks to generate a hash-MAC (HMAC).
The value s is a periodically changing secret only known to the server. LSB(t, k)
takes as input a string t and a parameter k and returns the k least significant
bits of t. 0k is a string consisting of k zero bits. EKe(·) and DKe(·) denotes
a symmetric encryption and decryption respectively under session key Ke. To
generate session keys Ke and Ks, HIP employs Diffie-Hellman key agreement
protocol. Parameters used to generate these keys consist of large prime numbers
p and q, a generator g, a server’s secret value r, and an initiator’s secret value i.
HIP adopts a proof-of-work scheme proposed by Jakobsson and Juels [55]
for countering resource exhaustion attacks. In a proof-of-work, HIP extends
the concept of a client puzzle, first implemented by Juels and Brainard, and
later proposed an alternative construction by Aura et al. (Section 2.3.1) for
protecting the server against DoS attacks in authentication protocols. Moreover,
HIP allows the additional feature of the client puzzle that helps the server to
delay state creation [5] until the checking of the second incoming message and
the user authentication has been done in order to prevent the server against
resource exhaustion attack.
Experiment 1: Host Identity Protocol (HIP)
The purpose of the first experiment is to compare computational cost of the
protocol execution based on the concept of Meadows’ cost-based analysis between
4.4. Formal Modelling and Performance Analysis of HIP 103
all principals, as well as four specified adversaries. Since HIP incorporates a client
puzzles mechanism, we investigate computational cost between all principals with
some possible ranges of puzzle difficulty (k) including easiest value k = 1 when
the server has a normal load, intermediate values k = 10 and k = 20 when the
server becomes medium loaded, and k = 40 for a hardest value as instructed in
HIP specification. In this simulation, we allow individual initiators to initiate a
request token only once and wait for a replied message, while the server is able
to flexibly adjust the puzzle difficulty within previously mentioned ranges. Once
the simulation has arrived to the final step, we record the total computational
cost of individual user comparing to the server on specified ranges of k.
T h e r e s p o n d e r s h o u l d s e l e c t k t o f o r c e t h e i n i t i a t o rt o s p e n d t i m e m o r e t h a n t i m e u s a g e i n M S G 3 R & 4 RR e s p o n d e rI n i t i a t o r
F i n i s hF i n i s h
M S G 1M S G 1 M S G 2N e t w o r kM S G 4 _ IM S G 4 _ IM S G 3 _ IM S G 3 _ I M S G 4 _ RM S G 4 _ R
M S G 2 _ RM S G 2 _ RM S G 3 _ RM S G 3 _ RM S G 2 _ IM S G 2 _ I
M S G 4N e t w o r kM S G 3N e t w o r k
M S G 1 _ RR e c e i v e rM S G 1 _ IS e n d e rR e j e c t e d 3F u s i o n R e j 3R e j e c tR e j e c t e d 1F u s i o n R e j 1R e j e c t
R e j e c t e dF u s i o n R e j e c t dR e j e c t C o m p l e t e dD o n e
R e s o u r c e I1 ` h c U s e rP u z z l eT i m eT I M E D r k M S G
c o s t R 4C O S Tc o s t I 4C O S T c o s t R 3C O S Tc o s t I 3C O S T c o s t R 2C O S Tc o s t I 2C O S T c o s t R 1C O S Tc o s t I 1C O S T
O u t p u tM S G M 4M S G 1FU s e r R e c e i v e dM S G 1
I 4M S GI 3M S G M 3 M S GM 1 M S GM 2M S G
R 4M S GR 2M S GR 3M S GR 1M S GI 1M S G 1
I 2M S G
F u s i o n R e j e c t d
F u s i o n R e j 1F u s i o n R e j 3
S e n d e r R e c e i v e rN e t w o r kN e t w o r k
M S G 2 _ IM S G 3 _ RM S G 2 _ RM S G 4 _ RM S G 3 _ IM S G 4 _ I
N e t w o r kM S G 1
F i n i s h
H I P C o s t , b a s e d M o d e l
Figure 4.2: HIP Cost-based Model
Figure 4.2 shows the designed page of the HIP protocol. The HIP protocol
is modelled hierarchically as graphical representation for simplicity of the sim-
ulation, such that all nodes in the top page are related to individual subpages
defined by the HIP specification. There are three main network components on
the top page including the initiator network on the left (it could be either the
honest client who performs as a protocol specification or the adversary who does
not play honestly), the server of the protocol on the right, and the communi-
cation network in the middle. To make an important note for this experiment,
we run a single round simulation and do not allow the adversary to reuse the
104 Chapter 4. Denial of Service Model for Key Establishment
previous messages to attack the server because our objective of this experiment
is to record the computational cost of individual principals only.
HIP is modelled using the cost-based framework, such that each states has
the computational cost place to record and display the computational cost of that
state in the protocol execution. The HIP network contains six types of users;
an honest client (hc), an adversary type one (ad1), an adversary type two (ad2),
an adversary type three (ad3), an adversary type four (ad4), and a server (sv).
In addition, individual message tokens consist of six colour sets including user
types, arrival time of messages, departure time of messages, data, computational
cost, and message sequence number. It is important to note that the display cost
at each state shows the total operation cost of that corresponding state only, not
an accumulation cost of all state. The reason behind this choice is that it is
easy for the protocol analyst to compare the cost of processing the message by
the initiator and then, subsequently, processing by the server at each step of the
protocol as suggested in Meadows’ cost-based framework.
At the beginning of the protocol simulation, an honest client sends a request
message traveling along with bogus messages from each adversaries to the server.
Upon the receipt of these requests, the server chooses the puzzle difficulty de-
pending on the workload condition and returns messages to initiators. When the
initiator receives the replied messages, the initiator first verifies the HIT element.
At this state, there are two possible outputs after verification depending on the
user field; 1) if the user is not an adversary type 1 (ad1), it will accept and the
cost is equal to the action at this step, 2) if the user is an adversary type 1 (ad1),
it will fail because an Type 1 adversaries do not take any further actions after
the first message has been sent. Moreover, this transition will send a notification
to the adversary type 1 to start flooding the new bogus messages, if applicable.
Upon receipt of a replied message from the server, the initiator’s tasks includes
the brute-force search to find the puzzle solution, the session key generation, and
a digital signature generation. In the model, we set up some different values
of the difficulty value (k = 1, 10, 20, 40) as specified above. Therefore, these
mentioned costs are displayed depending on the difficulty level for a honest client
and individual types of adversaries. Recall that only Type 4 adversaries do not
attempt to solve the puzzle, therefore the puzzle difficulty does not affect the
computational cost to this type of adversary.
4.4. Formal Modelling and Performance Analysis of HIP 105
Experimental Result:
During the protocol execution, the initiator sends a request message to the server
using the host identity tag (HITR) which is a hash of the host identifier (HI ) used
in HIP payload and to index the corresponding state in the end hosts. Therefore,
the initiator only employs cheap operations at the beginning step. We assume
that the computation at this step can be precomputed, so the cost at the first
operation would be negligible. Once the server receives the requested message,
the server requires a hash operation and some values from the precomputation
for returning to the initiator in the second step. Even though these operations
are a cheap operation, it costs a few computation to the server. However, the
computational burden of the server at this state is in a reasonable threshold
comparing to the initiator’s cost.
When the initiator receives the replied message, only honest clients partici-
pate in the verification of HIT and server’s signature, so the cost is equal to the
HIT verification plus signature verification. In the case of ad1, it does not take
any further actions after the first message, therefore the computational cost is
zero for the second stage. The operations in message three of the initiator in-
clude the brute-force search to find the puzzle solution, and the key generation.
The cost of solving a puzzle depends on the value of k in the puzzle message
field. However, only an hc, ad2, and ad3 is required to solve the puzzle solution.
Similarly to ad1, the ad4 does not attempt to solve the puzzle. As a result the
puzzle difficulty does not affect computational cost on this type of adversary.
Considering the processing task on the server’s machine when it receives mes-
sage three from the initiator, the server begins to validate the puzzle solution
which is defined as a cheap operation because the server performs only one hash
calculation. If it is invalid, the process will stop and the server will drop the
corresponding packet from the connection queue (the system will return a re-
source to the server). Otherwise, the server performs the decryption to obtain
an initiator’s public key. The server finally verifies the signature by using the
initiator’s public key obtained in the previous step. At this phase, only honest
clients’ and Type 2 adversaries’ packets can pass through to the next step. After
the authentication has been completed, the server and the initiator will perform
a key confirmation and start to exchange information.
Table 4.4 summarizes the computational cost when the puzzle difficulty is set
to k=1 or k=10 comparing between particular principals (honest client and ad-
versaries) and the server. The experimental result shows that the most effective
adversary is ad3 (the greatest different threshold between ad3 and the server)
106 Chapter 4. Denial of Service Model for Key Establishment
because ad3 can force the server to engage in the expensive tasks, i.e. digital sig-
nature verification. As a result, the total computational cost comparing between
(R,hc), (R,ad1), (R,ad2), (R,ad3), and (R,ad4) would be the pair of (3770,3901),
(1,0), (3770,3769), (988,2), and (2,0), respectively.
Table 4.4: Comparison of Computational Cost of HIP with k=1 and k=10
The experimental result demonstrated in Table 4.4 compares computational
cost of the protocol execution based on the key concept of Meadows’ cost-based
analysis between all principals with two fixed range of client puzzle difficulty; k
= 1 and k = 10. Notice that Type 1 adversaries spend nothing to generate bogus
requests for asking the server to reply with some work. Since the server has to
do some minimal work in checking the first message, it may not be possible to do
better than this. To prevent the attack at this state, the implementor develops
the protection to an alternative resource, known as a memory or storage resource.
HIP mitigates this problem by integrating a stateless connection mechanism to
prevent the server from exhausting storage spaces to keep attacked messages
before they can be detected. Considering Type 3 adversaries, if the server selects
an unsuitable value of k, for example, minimum k=1, the adversary can exhaust
the server by spending only minimal work (2k−1 hashes in average) but be able
to force the server to process the bogus packets up to the signature verification
(see Table 4.4). In case of Type 4 adversaries, even though they spend nothing
to flood bogus messages at higher state than Type 1 adversaries, the server is
able to detect these bogus packets at puzzle verification and remove them from
the communication at a little cost higher than cost from Type 1 adversaries.
Figure 4.3 illustrates the computational cost of hc, ad2, and ad3, respectively
(we do not illustrate the computational cost of ad1, and ad4 because both of them
do not incorporate with client puzzles). We set up the experiment to measure
the computational cost of the protocol execution between such participants with
the technical range of puzzle difficulty (k) including easiest value k = 1 for using
4.4. Formal Modelling and Performance Analysis of HIP 107
(a) Computational Cost between hc and a server
(b) Computational Cost between ad2 and a server
(c) Computational Cost between ad3 and a server
Figure 4.3: Computational Cost on HIP with different ranges of k
108 Chapter 4. Denial of Service Model for Key Establishment
in the normal situation, intermediate values k = 10 and k = 20 for medium
loaded situation, and k = 40 as a hardest value defined in HIP specification. In
this simulation, the server is able to flexibly adjust the puzzle difficulty within
specified range mentioned above. Once the simulation stops, we record the total
computational cost of individual user comparing to the server on different ranges
of k.
Comparison between Figures 4.3(a) and 4.3(b) shows that hc and ad2 incur
similar computational costs for the same value of k chosen. This illustrates well
the effectiveness of HIP in achieving its aims in resisting DoS attacks, at least
against this type of adversary. On the other hand, ad3 and ad4 spend very small
computational resources compared with the server because both adversaries use
some random message elements. This situation would bring the server to the risk
of DoS attacks if the value of k is not chosen properly. Figure 4.3(c) indicates
that a value of k chosen at least 10 would be appropriate to ensure that ad3 uses
as much computation as the server.
4.5 Discussion and Conclusion
Based on the experimental results of cost-based analysis of HIP, the Meadows’
framework is able to model and capture the cost incurred during the protocol ex-
ecution. However, implementing Meadows’ cost-based framework in CPN Tools
for automated simulation and analysis has more advantages when the proto-
cols and adversaries’ capabilities become more complex. In addition, graphical
representation from the CPNs model can help the protocol analyst to remove
inconsistency and carefully investigate the protocol behaviour as well as some
vulnerabilities more easier than other techniques.
Considering the limitation of the cost-based analysis, one obvious example
could be found at the experimental result from CPNs model (Table 4.4). When
adjustable puzzles are used in the protocol simulation, the cost-based framework
might not be able to well represent this issue as in the simulation approach
because the cost of the initiator is varied as it is a puzzle-difficulty-dependent
parameter. In addition, the protocol analyst could consider either Type 3 or
Type 4 adversaries as the most effective strategies to degrade the throughput of
HIP. If the analyst interprets the result as the ratio between the computational
cost of adversaries and the server, Type 4 adversaries become the most effective
attacker to disrupt the service since they do nothing but cause the server to
always spend some computation. Similarly, the increasing of puzzle difficulty
4.5. Discussion and Conclusion 109
might be able to make the different between Type 3 adversaries and the server
getting smaller, while the gap between Type 4 and the server is still the same.
However if we consider the cost-based definition more carefully, the tolerance
relation could be the difference of the computational cost set instead of ratio.
As a result, the ambiguous to interpret the result, for example in case of Type 3
and Type 4 adversaries, might be another concern of this analysis technique.
Another issue based on the effectiveness of modelling system that relates to
temporal aspects, for instance, when the server becomes heavily loaded and later
decides to adjust puzzle difficulty to delay the incoming traffic, the cost-based
model might not be able to examine this issue properly. In addition, another at-
tacking technique defined as coordinated attacks [125], in which adversaries can
reduce the timeframe of solving the puzzles, can be applied to the system imple-
mented with hash-based puzzles because such schemes are solvable in parallel.
This kind of attack based on the weaknesses of hash-based construction is also
defined as strong attack by Bocan and Cosma [12]. Hence, the protocol analyst
requires another appropriate tools to examine this issue more effectively. Fortu-
nately, CPN Tools provides the time feature and allows the user to effectively
model the protocol related to time issue.
In summary, the experiment in this chapter demonstrates that we have achieved
the aims of extending the Meadows’ framework to provide a more accurate repre-
sentation of computational cost. Furthermore, this chapter demonstrates the po-
tential and usefulness of using automated tools to apply the Meadows analysing
technique to model and evaluate DoS vulnerabilities in Host Identity Protocol
(HIP).
Even though different methods are able to be applied in the analysis of cryp-
tographic protocols, we focus on using CPNs approach due to its feature to
represent protocols as graphical representation similar to the design flowchart
for providing visual analysis to the protocol analyst. In addition, this facil-
ity brings more understandable of complex and large-scale protocols, as well as
removes some inconsistency of the protocol using informal drawing during the
design state to be more practical and efficient.
Meadows’ cost based framework is the first technique so far to identify DoS
vulnerabilities in the cryptographic protocol, Station-to-Station protocol. In ad-
dition, this technique has been successfully used to analysed and discovered DoS
vulnerabilities in the Just Fast Keying (JFK) protocol a few years later after
the introduction of this tool. However, lacking of an automated ability for an
analysis as well as limitation of the assignment to the operational cost in the
110 Chapter 4. Denial of Service Model for Key Establishment
complex protocol that consists of large instances and various interactions of ad-
vanced attacking techniques are somewhat concern of this technique. Motivated
by the above limitations, the next chapter will provide technique to model strong
attack and demonstrate the experiment based on time constant provided in CPN
Tools.
Chapter 5
Simulation and Analysis of HIP
in Timed CPNs
The previous chapter described the modelling and analysis of key establishment
protocols using Meadows’ cost-based framework implemented in Coloured Petri
Nets. The outcome illustrated that these protocols can require the associated
server to spend some expensive computational efforts, such as modular exponen-
tiation in the case of Diffie-Hellman and RSA digital signature algorithm, while
the initiator is only required to perform computations which are cheaper than
for the server. This circumstance leads to DoS vulnerabilities on the server’s
machine because adversaries can mount DoS attacks to deplete resources of the
server before the server can detect the attack.
Even though the cost-based framework is able to identify some DoS vul-
nerabilities in HIP, it has been a limitation when it comes to examine advanced
attacking techniques that requires an ability to model time parameter. The mod-
elling of strong attacks (See Section 5.1.2) for instance, might be another issue
of this technique. As the adversaries’ capability becomes more skillful, protocol
designers require more advanced formal analysis tools for exploring flaws in the
implementation. Since Meadows’ cost based framework considers only the cost
function of the protocol participants, it might limit the ability of the analyst to
explore and identify new DoS vulnerabilities. Moreover as we have seen from
the CPNs cost-based construction, the result of Experiment 1 from Section 4.4
illustrated that HIP is susceptible to resource exhaustion attacks at state 3 if the
adversaries are able to find a correct solution and force the server to verify the
signature. Even though the server can delay the attack by increasing the puzzle
111
112 Chapter 5. Simulation and Analysis of HIP in Timed CPNs
difficulty, if Type 3 adversaries are able to run parallel searching to find a correct
solution faster than the specified period, the server is still vulnerable to such
DoS attack. To analyse this circumstance, we need to incorporate time in the
simulation. Fortunately, CPN Tools provides us a time feature for evaluation.
In this chapter, we propose an alternative technique to model and analyse
protocols using the time function provided by CPN Tools. Our formal model
is developed based on Timed Coloured Petri Nets (Timed CPNs) and analysed
the DoS-resistance by using a simulation approach provided in CPN Tools. The
model is used to explore vulnerabilities of DoS-resistant protocols by examining
unbalanced computation that leads to resource exhaustion attacks in HIP. Our
new Timed CPNs model can be considered as a parametric model because we
only insert and tune some parameters of the model from the previous experiment
in Chapter 4. This is an attractive example of using CPNs to model and analyse
DoS-resistant protocols.
Simulation approaches have been valued in the research community for ex-
ploring vulnerabilities in cryptographic protocols. Using simulation approaches
has several benefits over other techniques; for instance, simulation provides flex-
ibility to the developer to choose, examine and adjust parameters for evaluating
the system. In addition, simulation provides visualization to users who can see
and learn what is happening during the simulation of cryptographic protocols to
gain more understanding for evaluating the correctness of those protocols.
Using Timed Coloured Petri Nets as our formalism to model HIP, we have
found that HIP can mitigate the effect of DoS attacks because of the adjustable
client puzzle mechanism. However, an inability to protect against coordinated
adversaries who are capable of running parallel search on a hash-based puzzle
causes the server to be susceptible to resource exhaustion attacks at the signature
verification phase. As a result, we propose an enhanced approach by replacing
hash-based puzzles with non-parallelizable cryptographic puzzles. Once the non-
parallelizable cryptographic puzzles is implemented, the effect of coordinated
attacks will be removed and the throughput from legitimate users will return to
the desirable level as shown in Section 5.1.2.
The main contributions of this chapter include:
• a formal specification of HIP using Timed Coloured Petri Nets as our for-
malism to model time-dependent attacking techniques targeting weaknesses
of hash-based puzzle construction;
• an evaluation of the tolerance of HIP under different levels of puzzle diffi-
5.1. Simulation of HIP using Timed CPNs 113
culty;
• a simulation of the coordinated adversarial strategy and validation of the
analysis performed by Smith et al. [125] using the Meadows framework;
• an evaluation of the most effective attack strategies by measuring the suc-
cessful throughput of the successful packets from legitimate users in order
to compare the result with the examination from Meadows’ cost based
framework;
• identification of a vulnerability caused by the hash-based puzzle schemes
in HIP;
• a proposed technique to improve the DoS-resistance in HIP to tackle the
problem of parallelization in hash-based puzzles, and to prevent coordi-
nated adversaries who try to overwhelm the server’s resource by computing
a puzzle solution in parallel.
Section 5.1 describes an experiment using CPN Tools to formally construct
HIP in the Timed CPNs specification and provides the experimental results of
such a model. Moreover, an enhanced version of HIP using non-parallelizable
puzzles to protect against coordinated adversaries will be provided in Section 5.2.
A discussion on the experimental results of time based analysis compared with
Meadows’ cost based framework is provided in Section 5.3. Finally, a summary
and some open problems are presented.
5.1 Simulation of HIP using Timed CPNs
In this section, we propose a more accurate and realistic model by applying
the concept of time into the HIP time-based simulation and analysis, such that
every cryptographic process requires some amount of time calculated by using
cryptographic benchmarks of Crypto++ library [32].
In Timed CPNs, the concept of the simulated time or the model time1, which
is represented by the system clock in the tool, has been introduced. Once we have
attached the system time into tokens, we can see the sequence or action of states
that tokens move to as a temporal analysis. It means that only tokens which
hold the current time as presented on the clock can be traversed to the next
1More formal descriptions are available on the official website of CPN Tools, http://wiki.daimi.au.dk/cpntools/cpntools.wiki
114 Chapter 5. Simulation and Analysis of HIP in Timed CPNs
position, while the others have to wait until the system clock reaches their value.
This feature provides us more abilities to model and examine the behaviour of
the participants as well as the system more accurately.
Figure 5.1: An Example of Timed CPNs Model
Figure 5.1 shows an example of how Timed-CPNs works. In this example,
the concept of a server’s resource and a time-out period of the message has been
implemented. The transition Check processes the token having the current time
at an input place, and checks the current resource and a time-out period of the
token. If the server has resources available to handle a packet and the current
time-out period of that packet has not expired, the system moves that packet to
an accept transition for processing the next step. Otherwise, the system drops a
packet.
5.1.1 Modelling of HIP using Timed CPNs
To develop a time-based model on CPN Tools, HIP is constructed hierarchically
for simplicity of the model and simulation. A new time-based construction is
an extension of a HIP cost-based model from the previous chapter, such that no
re-design is needed for the new construction. We only insert time parameter and
change some parameters for a time-based compatible simulation.
In the time-based model, all nodes in the top page are related to individual
5.1. Simulation of HIP using Timed CPNs 115
subpages defined by the HIP specification2 and all cryptographic processes re-
quire some amount of time calculated by using the cryptographic benchmark of
Crypto++ library developed by Wei Dai (Table 4.3). This construction also in-
volves cost-based places such that each state has the computational cost place to
display the total cost of that state during the protocol simulation. Furthermore,
the concepts of resource and time-out are used in this evaluation. It means that
when the server has to deal with requests, the server spends a queue resource
to handle an individual request. If incoming packets exceed the server capacity,
those packets need to wait in the server’s queue until the server becomes idle
again. However, if the time-out of each packet is reached, the client gives up or
is required to re-send a request.
In our HIP time-based simulation model, we initially configure an individual
message to contain six coloured sets; 1) User who initiates the messages, 2) AT
which is an arrival time of the messages, 3) DT which is a departure time of
the messages, 4) DATA which indicates the string of messages, 5) COST which
is used to display the computational cost when the message is traveling to each
operation, and 6) NUM which represents the sequence number of each messages
in the protocol. Similar to the cost-based models examined in Section 4.4 of
Chapter 4, the display cost at each state shows the total operation cost of that
corresponding state only, not an accumulation cost of all state. If the adversaries
are able to force the responder to reach the accept state and process the next
operation for returning the message to adversaries, the total computational cost
of the responder will include the cost displayed at the cost place at the next
state. The top page of HIP Timed-CPNs is constructed as illustrated in Figure
5.2.
From Figure 5.2, the top page consists of three major segments; 1) an ini-
tiator’s network, 2) a communication channel, and 3) a server’s network. Each
transition represents a stage of protocol execution, which consists of four stages
in each principal because HIP is a four message protocol, corresponding to a
specified subpage. Each stage consists of CPN elements constructed as specified
in the HIP protocol specification. An example of a server’s subpage at the first
stage is demonstrated in Figure 5.3
The server subpage consists of two main important transitions; the first one
named Queue is used for ordering received messages; the second transition named
Check HIT R is used for verifying the validity of the responder’s host identity
tag (HITR). It is important to note that the process of ordering the incoming
2full description is provided in Section 3.3.5
116 Chapter 5. Simulation and Analysis of HIP in Timed CPNs
T h e r e s p o n d e r s h o u l d s e l e c t k t o f o r c e t h e i n i t i a t o rt o s p e n d t i m e m o r e t h a n t i m e u s a g e i n M S G 3 R & 4 R
R e s p o n d e rI n i t i a t o r K e y E s t a b l i s h m e n t P r o t o c o l
n 1 ! 1n 1 1 ` ( u 1 )1 ` ( u 1 , a t 1 , d t 1 , x , i , n u m 1 )M S G 3N e t w o r k
F i n i s h
M S G 1M S G 1 M S G 2N e t w o r kM S G 4 _ IM S G 4 _ IM S G 3 _ IM S G 3 _ I M S G 4 _ RM S G 4 _ R
M S G 2 _ RM S G 2 _ RM S G 3 _ RM S G 3 _ RM S G 2 _ IM S G 2 _ I
M S G 4N e t w o r k
M S G 1 _ RR e c e i v e rM S G 1 _ IS e n d e r
R e sF u s i o n C o u n t1 ` 0 N U M R e s o u r c eF u s i o n R e s o u r c eR e s o u r c eN U ME x p i r e d P u z z l eE x p i r e d P u z z l eP u z z l e
R e j e c t e d 1F u s i o n R e j 1R e j e c t
R e j e c t e dR e j e c t e dR e j e c t C o m p l e t e dD o n e
R e s o u r c e I2 0 ` h c + +2 0 0 ` a d 4 T I M E DP u z z l eT i m eC O S T r k M S G _ u n t i m e d
c o s t R 4C O S Tc o s t I 4C O S T c o s t R 3C O S Tc o s t I 3C O S T c o s t R 2C O S Tc o s t I 2C O S T c o s t R 1C O S Tc o s t I 1C O S T
O u t p u tM S G
R e c e i v e dM S G _ u n t i m e d
I 4M S G _ u n t i m e dI 3M S G M 3 M S GM 1 M S GM 2M S G
R 4M S GR 2M S GR 3M S G _ u n t i m e dR 1M S GI 1M S G _ u n t i m e d
I 2M S G _ u n t i m e d
R e j e c t e d
F u s i o n R e j 1E x p i r e d P u z z l e
F u s i o n R e s o u r c eF u s i o n C o u n t
S e n d e r R e c e i v e r
N e t w o r kM S G 2 _ I
M S G 3 _ RM S G 2 _ RM S G 4 _ RM S G 3 _ IM S G 4 _ I
N e t w o r kM S G 1
N e t w o r k
Figure 5.2: Hierarchical Construction of HIP Model
messages into the queue, if multiple requested messages arrive to this transition
simultaneously, is non-deterministic because these packets have been arranged
randomly based on a random function of CPN Tools. The purpose of Queue and
Count components in the first transition is to measure the number of arriving
requested packets in order for the server to flexibly and appropriately adjust the
puzzle difficulty according to the level of workload.
Considering the second transition, CheckHITR, in this subpage, in order to
process the job the server has to have available memory resource which is pre-
specified at the place Resource. Note that each packet requires only one resource
(one connection queue) during the process at the server’s machine. Once those
messages are processed and removed from the connection queue, they will return
resource tokens to the server’s machine. If the server is busy processing the
current jobs, incoming requests have to wait at the Busy place until the server
has at least one resource available or the server becomes idle again. Since we
implement the time-out in this construction, all requests have some specified
waiting period before they expire. If the attacker can force the server to waste
its resource to process all bogus packets until the time-out of legitimate users’
5.1. Simulation of HIP using Timed CPNs 117
i f ( w t 1 > = T i m e O u t )t h e n 1 ` ( u 1 )e l s e e m p t yi f ( w t 1 > = T i m e O u t )t h e n 1 ` ( n + 1 )e l s e 1 ` nn i f ( w t 1 < T i m e O u t )t h e n 1 ` ( u 1 , a t 1 , d t 1 , x , 0 , n u m 1 )e l s e e m p t yi f ( w t 1 > = T i m e O u t )t h e n ( n 2 � 1 )e l s e n 2n 2i f ( w t 1 > = T i m e O u t )t h e n ( n 1 � 1 )e l s e n 1n 1
i f ( w t 1 > = T i m e O u t )t h e n e m p t ye l s e 1 ` ( u 1 )1 ` ( u 1 , a t 1 , d t 1 ,x , i , n u m 1 ) i f ( w t 1 < T i m e O u t )t h e n 1 ` ( u 1 , I n t I n f . t o I n t ( t i m e ( ) ) , d t 1 , x , i , n u m 1 )e l s e e m p t y
i f ( w t 1 < T i m e O u t )t h e n 1 ` ( u 1 , 0 )e l s e e m p t yi f ( w t 1 < T i m e O u t )t h e n 1 ` ( u 1 , I n t I n f . t o I n t ( t i m e ( ) ) , d t 1 , x , i , n u m 1 )e l s e e m p t y
1 ` u 1 1 ` u 1n � 1n
n 1 + 1 n 1 1 ` ( u 1 , a t 1 ,d t 1 , x , i , n 1 + 1 )1 ` ( u 1 , a t 1 , d t 1 , x , i , n u m 1 ) C h e c kH I T _ Ri n p u t ( a t 1 ) ;o u t p u t ( w t 1 ) ;a c t i o n( I n t I n f . t o I n t ( t i m e ( ) ) � a t 1 ) ;
F a i lQ u e u e[ n > 0 ]
T i m e o u t R e j e c tM 1O u t M S GM e m o r yF u s i o n M e m o r y1 ` 0I N T 1
U s e r F u s i o n U s e rU s e rB u s yM S G
R e t u r nF u s i o n R e t u r nU s e rR e s o u r c eF u s i o n R e s o u r c eR e s o u r c e N U M
R e j e c t e dF u s i o n R e j 1R e j e c t R e c e i v e d 2F u s i o n R c v 2 M S G _ u n t i m e dC o u n tF u s i o n C o u n t1 ` 0 N U M
c o s t I 1O u tC O S TR 1I n M S G
R e c e i v e dO u t M S G _ u n t i m e dO u tI n O u t
F u s i o n C o u n t F u s i o n R c v 2F u s i o n R e j 1
F u s i o n R e s o u r c eF u s i o n R e t u r n F u s i o n U s e rF u s i o n M e m o r yO u t
@ + 1Figure 5.3: The Server’s Subpage at the First Stage
packets expire, the attacker wins the game and achieves the goal of DoS attacks.
In addition to the resource, the quantity at the resource place represents not
only available connection queue, but indirectly represents CPU usage on the
server’s machine as well. It is important to note that the server’s connection
queue is a finite number that is defined at the initial configuration before the
simulation starts. We shall explain the concept of a server’s resource by giving
an example. Compare two messages in which message one is in step one, while
message two is in step three. The server has to spend a similar amount of
connection queue, a token per message, for serving both of them. However,
in the case of CPU usage, the server has to waste more capacity and time for
message two than message one because the main task at stage three is to verify
the puzzle solution and the signature, while the task at stage one is only choosing
the puzzle difficulty and returning it to the initiator. By specifying the time
usage from Table 4.3 for individual cryptographic transitions, we can infer that
the longer period that the message is processed in the server’s machine, the more
CPU usage it takes from the server.
To model adversaries’ packets, all individual adversaries have a specified num-
ber of requested tokens at the beginning during the protocol execution. That
means adversaries have the power to constantly flood a huge number of bogus
118 Chapter 5. Simulation and Analysis of HIP in Timed CPNs
messages to deplete the connection queue, simultaneously with the legitimate
users’ packets. Some may argue that any limitation of adversaries’ packets might
not be fair and realistic; however, allowing this unlimited ability to adversaries
might cause unrealistic advantages over honest clients and a server because ad-
versaries are able to mount such attacks to deny services to any websites by
constantly flooding bogus messages with unlimited rate until the server gets
congested and terminates. If we do not limit such attack capability, the server
is always in a full-load condition and unable to serve any legitimate users dur-
ing the simulation. Therefore, we are unable to measure the tolerance of key
exchange protocols for resisting DoS attacks.
In our construction, adversaries are able to perform a number of attacks
depending on the available resources specified at the initial state during the
protocol simulation. Before launching new attacks, adversaries have to wait for a
return message (token/available resource) from the server. In normal situations,
the number of returned messages will be equivalent to the number of messages
that the server receives. That means adversaries still have the same level of
capability to perform DoS attack as long as the server can serve those packets.
However, once the server is in a full-loaded condition, the server is unable to
accept or queue the incoming messages. This causes adversaries to lose their
packets (tokens) from the system, similarly to those packets from legitimate
users.
In the HIP protocol execution, there are three possible circumstances to cause
a server to waste computational resources by the adversaries.
1. All values of the third message including a puzzle solution J , an encrypted
part Ke{HII}, and a digital signature sigI are valid. This will force the
server to process a gradual authentication and waste its resources to com-
plete the final step, which is key confirmation, of the protocol.
2. Only the client puzzle solution J is valid. This situation also causes the
server to perform the puzzle solution verification, decryption, and the sig-
nature verification. The server can detect the attack only at the final step
of authentication.
3. The client puzzle solution J is invalid, so the server computes only a cheap
hash function to verify the solution and then this connection will be ter-
minated whether the remaining messages are valid or not.
To make an important note on the first attacking scenario, this type of attack
may not be a threat or does not exist in some particular applications. For
5.1. Simulation of HIP using Timed CPNs 119
example, the HIP protocol specification defines that if the initiator’s signature
is valid, the user belonging to this message is authenticated and identified as a
legitimate user.
From these three attacking scenarios, we set up five different adversarial
strategies to attack the server running HIP as an underlying algorithm for key
exchange in order to explore the DoS vulnerabilities on HIP, as well as the pro-
tecting capability of client puzzles integrated in HIP to deal with resource deple-
tion attacks. We have previously described the first four attacking strategies for
each adversary capacity in Section 4.4. An additional adversary allowed in the
experiment of the time-based simulation is called Coordinated Type 3 adversary.
The attacking technique of this adversary is similar to Type 3 adversaries, except
that Coordinated Type 3 adversaries are able to control a group of compromised
machines to solve puzzles in parallel for obtaining the solution with a certain
period.
Having introduced our time-based construction, the next subsection provides
the experiment and result of the original HIP protocol implemented with hash-
based reversal puzzles to protect the server against resource exhaustion attacks.
5.1.2 Experiment
To obtain experimental results, we set up two different experiments, Experiment
2 and Experiment 3, in order to measure tolerance of the server under resource
exhaustion attacks. In Experiment 2, the server is unable to control the puzzle
difficulty. On the other hand, Experiment 3 allows the server to be able to adjust
puzzle difficulty within specified ranges between 1 (the client is required to search
for input that the first bit of output is zero) for the light-load condition and 10
(the client is required to search for input that the first ten bits of output are
zero) for the heavy-load condition. This allows us to pinpoint the key benefit
of adjustable client puzzles, as well as to define an appropriate range of puzzle
difficulty in different circumstances.
Experimental Setup
We set up the experiment simulating on a Pentium 4 processor running at 3
GHz of central processor unit (CPU) speed with 1 GB of random access mem-
ory (RAM). For the software, we use Microsoft Windows XP Professional ver-
sion 2002 service pack 2 as the operating system, and model DoS-resistant pro-
tocols using CPN Tools version 2.2.0, which was released in September 2006
120 Chapter 5. Simulation and Analysis of HIP in Timed CPNs
and implemented at the CPN group of the University of Aarhus, Denmark
(http://wiki.daimi.au.dk/cpntools/cpntools.wiki).
To assess the DoS-resistant protocol, there are different actions from initiators
and the server during the protocol simulation. Honest clients initiate a request
only once and keep waiting to process the next steps. Processing time of the
protocol and delay is assigned by means of Timed CPNs, i.e. every transition
which relates to cryptographic operations is defined as a timed process. Dur-
ing the simulation, we first specified the number of available resources on the
server’s machine such that the server has a certain capacity and is able to handle
only that specified number of incoming packets at a certain period. Further-
more, we assume that the server is able to process requests only one message
at a time, such that a concept of the server queue is implemented for arranging
an order of incoming packets. All remaining requests that exceed the server’s
capacity have to wait in the queue until the server becomes idle or has available
resources to serve. If requests from honest clients have been rejected under DoS
circumstances, honest clients give up to open another session.
Considering the adversary circumstance, there are two different situations in
which packets from adversaries are rejected by the server; 1) the server detects
the bogus messages during the verification steps, and 2) the server does not have
enough resources for serving any requests and the time-out of these requests
expire. Once the server detects the attack and rejects those packets, adversaries
lose the game and those packets will be removed from the system.
Slightly different from Experiment 1 in Chapter 4, we allow another type of
adversaries in the time-based simulation to mount the attacks on the system.
The new adversary is called Coordinated Type 3 adversaries or Co ad3. Coordi-
nated Type 3 adversaries are similar to Type 3 adversaries, who solve the puzzle
solution but do not process the remaining of the protocol, except that those
Coordinated Type 3 adversaries are able to control multiple machines to run
parallel search on the puzzles for obtaining the solution faster than the expected
period. In the simulation, Coordinated Type 3 adversaries reduce puzzle solving
time k to k/n, where n is the number of machines controlled by these Co ad3.
The characteristic of Co ad3 is similar to strong attacks as defined by Bocan and
Cosma [12] in which adversaries control a group of compromised machines used
to solve the puzzles in parallel to obtain corresponding solutions much faster
than the expected solving period. Once the server authenticated these puzzles
and received more requests, the server gradually increases the puzzle difficulty
to increase the client’s workload and delay the incoming requests. This situa-
5.1. Simulation of HIP using Timed CPNs 121
tion can cause the denial-of-service attack to legitimate clients who cannot solve
puzzles having the maximum puzzle difficulty issued by the server.
To make our simulation and experimental result more reliable, we run indi-
vidual types of adversaries a hundred times and average them to obtain a final
throughput of successful services. The standard deviation (STD) of each simu-
lation is also provided in the table of the experimental results. Parameters used
in our experiment are summarised in Table 5.1.
Table 5.1: Experimental Setup Parameters
Parameter Value
1) Server’s capacity 20 units of resource
2) Honest Client’s packets 20 packets
3) Bogus packets’ from individualadversaries
1) low load at 50 packets (2.5 times greater than Server’s capacity)
2) high load at 500 packets (25 times greater than Server’s capacity)
4) Packet time-out period 50000 units of time
5) Puzzle difficulty1) low load: k minimum required 1 unit of time to solve, and usedwhen server’s load is under server’s capacity (20)
2) medium load: k medium required 500 unit of time to solve, andused when server’s load is higher than server’s capacity (20) butless than 5 times (100)
3) heavy load: k maximum required 5000 unit of time to solve, andused when server’s load is higher than 5 times (100)
6) Cryptographic operations Cryptographic benchmark as shown in Table 4.3, Section 4.2
The reason why we simulate the server’s capacity and honest client’s packets
at 20 units is that we have tested several data set and recorded the running time
of a hundred simulation for particular data sets. If we allow the honest client’s
packets and server’s capacity to be greater than 20, the total running time of the
simulation takes an excessive period that will limit our simulation to examine
a small number of bogus messages initiated by different types of adversaries.
Meanwhile, the number of bogus messages that we set up in the simulation
consists of two sizes; 50 and 500. When adversaries are able to generate attacking
traffic greater than 500 packets at 20 units of the server’s capacity, the throughput
becomes saturate and drops to 0. We are unable to make a comparison and
investigate the tolerance of the system.
Having introduced the experimental parameters and rules, we demonstrate
the experiment and result in the remainder of this chapter. The result may be
compared with Experiment 1 described in Section 4.4.3.
122 Chapter 5. Simulation and Analysis of HIP in Timed CPNs
Experiment 2: Non-adjustable Client Puzzles
The purpose of the this experiment is to examine the minimal DoS-resistant
mechanism. To achieve this, we run the simulation under five specified attacks
with the non-adjustable client puzzle. We initially fix k=1, which is an easiest
value of the puzzles, that requires nothing expensive to solve for establishing a
connection under normal circumstances. Once we have examined the server’s
tolerance under the minimum defensive mechanism, we set up another experi-
ment to examine the system under a higher value of puzzle difficulty (k = 10) in
order to compare the result with the minimum assessment.
Different from Experiment 1 in Chapter 4, we allow a server to participate
with requests from honest clients coming together with adversary’s packets. We
assume that the server has to deal with different strategies from five types of
adversary, as well as different amounts of packets which consist of both legitimate
and bogus messages. Considering the number of packets, legitimate users initiate
the amount of requests at the full server’s capacity (20 packets), meanwhile a
single type of adversary can flood the amount of bogus requests (Z) at 50 and
500 requests, which is 2.5 times and 25 times greater than the server’s capacity,
respectively. To examine the tolerance of HIP protocol under different attack
strategies, each adversary has been made a pair with an honest client to initialise
requests simultaneously to the server during the protocol execution. Finally, by
inserting places for displaying the number of completed and rejected messages at
the server’s network, the number of successful legitimate requests that the server
can serve under different adversary’s abilities is measured as a percentage for the
protocol evaluation.
The Experimental Results:
Table 5.2 and Figure 5.4 represents the percentage of successful legitimate con-
nections compared among two different amounts of bogus messages (Z=50, and
Z=500 packets) from five adversarial strategies. Undoubtedly when we prohibit
the server’s ability to adjust puzzle difficulty k, the percentage of successful
messages from honest clients hc to obtain service will drop drastically once ad-
versaries increase the number of bogus messages to the system.
Considering Type 1 adversaries, they cannot achieve DoS attacks and cause
any disruption to the server. This is because HIP implements stateless connec-
tions as the first line of defense to protect the server under flooding attacks at
the initial step. Moreover, the ability to easily generate puzzles at the first step
helps the server to deal with this kind of attack as well. One possibility is that
5.1. Simulation of HIP using Timed CPNs 123
Table 5.2: Percentage of Throughput with Non-adjustable Client Puzzles
Based on the formal modelling and analysis of HIP cost-based construction in
Chapter 4, the result of Experiment 1 from Section 4.4 illustrated that HIP can
resist flooding attacks at message 1 because HIP uses stateless connection as
a first line of defense. However, HIP is still susceptible to resource exhaustion
attacks at state 3 if the adversaries are able to find a correct solution and force
138 Chapter 5. Simulation and Analysis of HIP in Timed CPNs
the server to verify the signature. Even though HIP incorporates the gradual
authentication mechanism and client puzzles (as defined in Section 3.2 of Chap-
ter 2) at message 3 to protect the server against resource exhaustion attacks,
the evaluation from Meadows’ cost based framework identified the DoS threat
when Type 3 adversaries are able to compute the correct puzzle solution with
bogus signature to force the server to engage with expensive digital signature
verification to waste its resources.
When the server is unable to adjust puzzle difficulty, the experimental result
from Meadows’ cost-based framework identifies attacks from Type 3 adversaries
as the most effective strategy when the puzzle difficulty is chosen at a minimum
value (Table 4.4 from Section 4.4 in the column k=1). This is because Type 3
adversaries spend a tiny computational cost to force the server to compute up
to the digital signature verification phase. In the case of Type 4 adversaries who
do not spend any computation, the server requires only a cheap computation for
detecting and discarding those bogus messages. This evaluation from Meadows’
cost based framework is similar to the experimental result from simulation and
analysis using Timed CPNs model as shown in Experiment 2 (Figure 5.4).
Once we set up the experiment of adjustable puzzle difficulty (Figure 5.5),
Type 3 adversaries are still the most effective technique in the Timed CPNs
simulation-based analysis (excluding coordinated Type 3 adversaries), while the
cost-based framework is unable to identify the vulnerabilities in the case of Type 3
adversaries because the cost difference between the server and Type 3 adversaries
becomes smaller and lies in tolerance relation. Although Type 4 adversaries
can cause the largest difference of computational cost between the adversary
computation and the server, this different gap is not large enough to justify
that this is a vulnerability of the protocol as the cost difference lies within the
tolerance relation (similar to the conclusion of Meadows’ cost-based analysis
as the tolerance relation (cheap, cheap)). Considering the computational cost
of Type 3 adversaries, when the server increases puzzle difficulty, eventually
the computational cost of puzzle solving becomes approximately equivalent to
the computation on the server operation at step 3. Hence, the different gap of
computational cost between Type 3 adversaries and the server becomes narrow,
such that the cost set C will be located within reasonable tolerance relation τ . As
a result, the cost-based framework might be unable to identify the vulnerability
of DoS attacks in this circumstance because all defender cost sets are allocated
in the secure location within tolerance relation.
Due to more complex system as well as more sophisticated attacking scenario
5.4. Summary 139
from advanced adversaries, the limitation of the Meadows’ cost-based framework
might not be able to estimate some hidden factors that cause service disruption
on the system. Contrasting from the experimental result of Meadows’ cost-based
framework and the Timed CPNs simulation, the cost-based analysis considers
only the cost to an individual adversary to perform a set of identified actions
to a certain point of the protocol execution compared to the cost of protocol
engagement by the server’s machine. The simulation-based analysis is able to
identify more sophisticated techniques of the adversary as well as to involve
a large amount of packets launched by multiple participants. Moreover, some
hidden parameters, such as time as examined by Chan et al. [29], can be included
and evaluated in the analysis. As a result, lack of ability to model realistic
events related with time factors and to handle large amount of messages could
be a limitation for analysing DoS-resistant protocols in Meadows’ cost-based
framework.
Finally, the most obvious benefit from the simulation-based analysis is that
we can observe not only the behaviour of adversaries, but also the consequence
of attacks to the system during the protocol execution. In addition, the ana-
lyst is able to more easily understand and evaluate the final outcome even by
using single step analysis to investigate the behaviour either in the complicated
situation, or in the large system that consists of a large amount of communicat-
ing traffic. In contrast, the analyst has to take extra care in order to consider
and identify adversary capability in the cost-based evaluation. Furthermore, the
effect of complex attacks might generate ambiguous output. For example, the
result of Type 3 adversaries and Type 4 adversaries under cost-based analysis
from Table 4.4 might lead to the conclusion that the most effective strategy is
performed by Type 3 adversaries because the total cost difference between the
server and such adversaries is the most. However, it is also arguable that Type
4 adversaries should be the most destructive scenario because the ratio of com-
putational effort between the server and such adversaries is infinity no matter
what the chosen value of puzzle difficulty is.
5.4 Summary
In this chapter, we propose the first formal specification of HIP using time-based
coloured petri nets as the formalism. CPN Tools is a versatile and powerful tool
that allows us to model complex protocols, as well as the advanced attacking
techniques targeting the server by reducing the time for puzzle solving. Fur-
140 Chapter 5. Simulation and Analysis of HIP in Timed CPNs
thermore, we have demonstrated a simulation and analysis of HIP under normal
conditions and five scenarios of DoS attacks. Tolerance of the system represented
as the percentage of successful throughput under different adversarial strategies
has been examined and analysed. Although our range of adversarial actions
is limited to five different strategies, we have found weaknesses of using hash-
based client puzzles and proposed the technique to strengthen such parallizable
vulnerability in a hash-based puzzle construction.
Even though the experimental results of simulation 2 and 3 demonstrate
that puzzle difficulty can mitigate the problem of resource exhaustion attacks,
coordinated adversaries can employ an alternative technique to attack hash-
based puzzles and cause the server to participate in the signature verification as
discussed in Section 5.2. In order to prevent such attacks, we replace hash-based
puzzles with the generic model of non-parallelizable cryptographic puzzles and
set up another experiment to validate our assumption.
According to our investigation of individual cryptographic puzzles proposed
in Section 2.3 of Chapter 2, only time-lock puzzles and hash chain puzzles have
non-parallelizability characteristic. Although the integration of these puzzles is
able to mitigate the problem of coordinated Type 3 adversaries to speed up the
process of searching a solution by distributing a puzzle to other high-performance
machines, the underlying computation for constructing such puzzles is a major
concern. Puzzle generation entails the calculation of modular exponentiation in
the case of time-lock puzzles3, or the sequential generation of hash operation in
the case of hash chain puzzles, which has greater magnitude than hash-based
reversal schemes.
To address the problem of parallelizable client puzzles, the next chapter will
propose a new construction having characteristics comparable to time-lock puz-
zles and hash chain puzzles but the new scheme requires less computation in
the puzzle construction and verification. The new technique also provides non-
parallelizable property which should be an additional characteristic added to
desirable characteristics of good puzzles.
3Some other example uses of time-lock puzzles have been evaluated and identified by Mao[78], Back [7], and Feng et al. [44] which all suffer from the same problem.
Chapter 6
Subset Sum Cryptographic
Puzzles
Hash-based constructions meet many of the desirable properties of proofs of work
(puzzles), but they also have the property that exhaustive searching of a pre-
image search space is a parallelizable task. Using such a technique in the presence
of an adversary with access to distributed computing resources may leave key
establishment protocols exposed to denial of service. Adopting alternate puzzle
constructions, such as time lock puzzles that are inherently sequential and non-
parallelizable, may need to be considered for protocols that are to be used in an
environment where the adversarial model assumes that significant resources are
available to the attacker.
A client puzzle is non-parallelizable if the solution to the puzzle cannot be
computed in parallel. Non-parallelizable client puzzles can be used to defend
against distributed denial-of-service (DDoS) attacks, where a single adversary
can control a large group of compromised machines and launch attacks to the
targeted server from those machines. If the client puzzle is parallelizable, such
an adversary could distribute puzzles to other compromised machines to obtain
puzzle solutions faster than the time expected by the server. This kind of attack
is identified as strong attacks previously described in Chapter 5. In addition, non-
parallelizable client puzzles could prevent high-end users gaining more advantage
of using multicore processors to obtain puzzle solutions faster than the period
specified by the server. The latter issue leads to another concern on the fairness
property, which is defined by Boyd and Foo [14] as follows.
141
142 Chapter 6. Subset Sum Cryptographic Puzzles
An exchange or payment protocol is considered fair if neither of the
two parties exchanging items or payment at any time during the pro-
tocol has a significant advantage over the other entity.
An alternative construction to prevent adversaries from distributing and com-
puting a puzzle in parallel is a chaining technique. Since the characteristic of
chaining requires the previous value for constructing the next consecutive items,
it will defeat those coordinated adversaries who attempt to solve puzzles by par-
allel computing. To date, there have been two constructions using the chaining
technique based on hash functions proposed by Ma in 2005 and by Groza and
Petrica in 2006 (see Section 2.3.6). Although the construction of hash chain
puzzles can prevent parallel searching techniques, both of them require high
computational burden on the server to construct the puzzles as same as on the
client.
In this chapter, we propose a new puzzle construction based on the subset
sum problem. The primary strengths of this puzzle over others are the simple and
cheap construction and verification for the server, as well as non-parallelizability.
The main contributions of this chapter are:
• to provide the background of knapsack problems, and discuss a character-
istic of LLL lattice reduction, which is a polynomial time algorithm used
to successfully break knapsack cryptographic protocols;
• to propose a new client puzzle construction, called Subset Sum Client Puz-
zles ;
• to provide performance analysis of new proposed algorithm in order to
guarantee that our technique functions effectively under specified DoS at-
tacks.
The structure of this chapter is that Section 6.1 provides general background
knowledge of subset sum or knapsack problems, which are used as an underlying
technique to construct our new puzzles. Section 6.2 presents the polynomial time
algorithm called LLL Lattice Reduction, which is used to successfully break or
solve the subset sum problems within polynomial time. Our new puzzle scheme
including puzzle construction, puzzle solving, and puzzle verification, as well as
the experimental results are provided and discussed in Section 6.3. Performance
analysis on the statistical output using CPN Tools is shown in Section 6.4. Fi-
nally, Section 6.5 provides a discussion and some open problems for future work.
6.1. Knapsack or Subset Sum Problems 143
6.1 Knapsack or Subset Sum Problems
A knapsack system associates a given set of items which have a known weight and
value, and a knapsack which can carry the number of items no more than a certain
weight. Slightly different from knapsack problems, subset sum problems or so
called value independent knapsack problems [79] are considered as a subcategory
of knapsack problems. The subset sum problems are a 0-1 knapsack problem,
in which the solver is asked to search whether there is a subset of a finite set
whose elements sum up to a certain value or not. In general, given the finite set
of items with a specific weight and a target outcome, the solver requires to select
items to obtain the total weight exactly equivalent to a specified target.
Definition 8 ( [90]). Given a set (a1, a2, . . . , an) of positive integers, called a
knapsack set, and a positive integer s, determine whether or not there is a subset
of the aj that sum to s. Equivalently, determine whether or not there exists xi ∈(0, 1), 1 ≤ i ≤ n, such that
∑ni=1 aixi = s.
The subset sum problem is a decision problem, which is NP-complete, similar
to knapsack problems. That means the subset sum problem is computationally
equivalent to its computational version which is to determine the xi such that∑ni=1 aixi = s provided that such xi exist. From the fact that no polynomial
algorithm can break the NP-completeness problems within polynomial time, as
a result, the knapsack problem was identified in the 1970s as a promising ap-
proach to be used as an underlying technique for constructing a public-key based
cryptosystem.
The complexity of subset sum problems depends on two parameters which are
n and b. The former parameter, n, represents the number of decision variables,
meanwhile the latter parameter, b, represents the number of chosen items to
obtain the solution. Particularly if either n or b are a very small number, the
problem becomes very easy to solve. The solver is able to run exhaustive search
for the solution in practical time. Once both of them are of the same order and
large, the solution becomes more difficult.
Considering exhaustive search on the subset sum problems having size n, the
solver needs to run through all possible items of n numbers. Also, the solver
has to check every one of them to find whether its total value is correct or not.
Hence, the running time is of order O(2nn), since there are 2n subsets and, to
check each subset, we need to sum at most n elements.
In 1974, Horowitz and Sahni [53] proposed an improved version of exponential
time algorithm which runs in time O(2n/2n). The algorithm splits the n elements
144 Chapter 6. Subset Sum Cryptographic Puzzles
into two sets of a half size. For each of these two sets, it calculates sums of all
2n/2 possible subsets of its elements and stores them in a memory of length 2n/2
in decreasing order for the first half, and in increasing order for the second half.
Once the elements are in suitable order, the algorithm can check whether an item
in the first set and an item in the second set sum up to the target weight c in
time O(2n/2). If two items with the summation c are found, it stops. Otherwise,
the algorithm moves to the next items in the first set, if the output is greater
than the target s, or moves to the next items in the second set, if the output
is less than the target s. This algorithm is also known as meet-in-the-middle
algorithm for subset sum problems. This is an exponential-time algorithm and
so far known as the fastest method for the general subset sum problem [90].
Using subset sum algorithms for construction of public-key cryptosystems
was firstly introduced Merkle and Hellman [91] in 1978. The construction of this
cryptosystem was based on a super-increasing sequence and a trapdoor function
which was used to transform an easy set of weights to a difficult (pseudo-random)
set. The first version of the Merkle’s protocol used a single iteration of modular
multiplication as a trapdoor function in order to conceal the set of easy problems
from the cryptanalysis. A few years later, Merkle improved the security of the
first version by increasing the number of iterations in the trapdoor function
because a single iterative version was broken by Shamir [120]. However, Brickell
[17] proposed a method to break a multiple iterative Merkle’s protocol in a
system of 40 iterations. We encourage the reader interested in more detail of the
knapsack cryptosystem history to read the papers by Desmedt and Skwirzynski
[33] and Lai [70].
6.2 LLL Lattice Reduction on Subset Sum Cryp-
tosystems
As more implementations of subset sum cryptosystems were proposed to improve
the security of the Merkle’s scheme, many researchers attempted to analyse and
explore vulnerabilities of such systems. One famous tool that was used to suc-
cessfully break those approaches is the lattice reduction technique. A lattice is
a discrete version of a vector space. The reduction algorithm attempts to deter-
mine the smallest non-zero vector in a lattice. There are several lattice reduction
algorithms but the best method so far for breaking the subset sum problems is
the LLL or L3 algorithm which was developed by Lenstra et al. [75] in 1982.
6.2. LLL Lattice Reduction on Subset Sum Cryptosystems 145
L3 lattice basis reduction is a polynomial time algorithm. The concept was
originally used to solve the shortest vector problem (SVP) and closest vector
problem (CVP) of a lattice. Adleman [2] seems to have been the first researcher
to apply LLL lattice basis reduction as a cryptanalysis tool to successfully break
the subset sum problem. By using the LLL algorithm, users simply treat the
subset sum schemes as a lattice problem. In 1985, Lagarias and Odlyzko [69]
announced the first successful attack on a low density1 subset sum cryptosystem;
i.e. a density below 0.6464 in approximately. A few years later, Coster et al. [31]
proposed the improved version of the Lagarias and Odlyzko technique. They
claimed that their method was able to break almost all subset sum problems
having density below 0.9408 in polynomial time.
To provide a brief history on the development of L3 lattice reduction, we
broadly consider two research directions; 1) Performance represents the improv-
ing of the computation complexity, and 2) Accuracy represents the correctness
of the L3 algorithm when dealing with large instance problems.
In term of performance, Kaltofen [63] modified the calculation of Gram-
Schmidt coefficient2 (µ) and claimed that the complexity of this proposed tech-
nique was n6 log2 B +n5 log3 B, where n is the item size and B is the item weight
in bits. This was reduced from n6 log3 B which is the complexity of an original
LLL version [75] re-analysed by Nguyen [101]. Later on, Storjohann [128] con-
structed L3 problems and fed them as a matrix. The algorithm then performed
unimodular row operations that reduced the computation complexity to n3 log B
arithmetic steps. In 2005, Nguyen [100] found an instability due to floating
point errors in the Schnorr’s LLL version [118] that caused the program not to
terminate in some instances. Thus, Nguyen proposed a revised version called
L2 algorithm [100] in which the complexity was n5(n + log B) log B arithmetic
steps. In 2006, Schnorr [117] reconstructed the floating point scheme by adopt-
ing the segmentation technique for speeding up the calculation of Gram-Schmidt
coefficient. This new implementation minimizes the complexity of the basic one
to n3 log n which is recently considered to be the fastest algorithm for reducing
lattice bases.
In term of accuracy, Lagarias and Odlyzko [69] announced the first successful
attack on a low density subset sum cryptosystems; i.e. a density below 0.6464
approximately. In 1988, Radziszowski and Kreher [108] set up an experiment to
run a performance test of L3 on the subset sum problems that have n between 26
1The density is defined as n/ log(max an), where n is a number of items and max an is amaximum item value.
2The definition of this parameter will be provided in Definition 10.
146 Chapter 6. Subset Sum Cryptographic Puzzles
and 98 with different density. Furthermore, they replaced a reduced step by using
multiprecision algorithm to accelerate the job. The experimental result showed
that when n grows up to 98, their implementation succeeded at density below 0.3
which is lower than the theoretic value proposed in Lagarias and Odlyzko [69].
A few years later, however, Coster et al. [31] extended Lagarias and Odlyzko’s
work and proposed the improved version of such technique. They claimed that
their method was able to break almost all subset sum problems having density
below 0.9408 in polynomial time. In 1991, LaMacchia [71] combined Seysen’s
algorithm [119] with the L3 lattice reduction for increasing the accuracy of the
algorithm. They set up an experiment similar to the one used by Radziszowski
and Kreher [108], however, their improved version was able to reach up at n = 106
with density 0.3. In the meantime, Schnorr and Euchner [118] proposed a way to
speed up the reduction step by using floating point instead of integer arithmetic
in the original L3, plus adding the deep insertion technique to their scheme. In
comparison with LaMacchia [71], they claimed that their experimental result had
higher success rate at the same data range.
LLL lattice basis reduction algorithm has been widely used in breaking subset
sum cryptosystems [61, 102, 103] because the algorithm is able to terminate in
polynomial time. Moreover, it is highly sequential because the underlying pro-
gram requires recursive computation. From this perspective, LLL is a promising
technique to fulfill our requirement in terms of non-parallelizability and thwart
coordinated adversaries from distributing the client puzzle to calculate the solu-
tion in a parallel manner. To explain the LLL lattice basis reduction, we refer
to materials provided in Smart’s book: Cryptography: An Introduction (2nd edi-
tion) [123].
Definition 9. Let {b1, b2, . . . , bn} be a set of vectors in Zn that are linearly inde-
pendent over R. Then the set of all integer linear combinations of {b1, b2, . . . , bn}is called an integer lattice. In a formula:
B =
{n∑
i=1
ai · bi | ai ∈ Z, 1 ≤ i ≤ n
}(6.1)
Definition 10. The Gram-Schmidt algorithm transforms a given basis {b1, b2, . . . , bn}into a basis {b∗1, b∗2, . . . , b∗m} which is pairwise orthogonal. The algorithm uses
equations
µi,j =
⟨bi, b
∗j
⟩⟨b∗j , b
∗j
⟩ for 1 ≤ j < i ≤ n (6.2)
6.2. LLL Lattice Reduction on Subset Sum Cryptosystems 147
where µi,j is called a Gram-Schmidt coefficient.
b∗i = bi −i−1∑j=1
µi,j b∗j (6.3)
Definition 11. A basis {b1, b2, . . . , bm} is called LLL reduced if the associated
Hint-Based Hash Reversal - 1 hash 1 hash O(k) hash No Linear
Repeated-Squaring - 2 mod mul 2 mod mul O(k) mod mul Yes Linear
DH-based - 1 mod exp 1 comparison O(k) mod exp No Linear
Trapdoor RSA1 mod exp 3 mod mul
1 comparison O(k) mod exp No Linear1 mod mul 2 additions
2 mod mul
Trapdoor DLP 1 mod exp 1 comparison O(k) mod exp No Linear3 additions
Hash Chain - k hash 1 comparison O(k) hash Yes Linear
Subset Sum n hash 1 hash 1 hash L3 reduction Yes Polynomial
6.6. Summary 169
6.6 Summary
Cryptographic puzzles or client puzzles shed light on defeating resource exhaus-
tion denial of service (DoS) attacks. By including this DoS-resistant mechanism
into cryptographic protocols, the responder ensures that the client spends suf-
ficient resources before committing its own resources. From the adversaries’
point of view, the major aim of using client puzzles is to penalize dishonest users
attempting to perform illegal actions by forcing them to conduct additional com-
putation. Client puzzles are also used to delay incoming requests when the re-
sponder comes under DoS attack, and to deal with resource exhaustion attacks
when adversaries attempt to defeat the number of connection queues that the
responder can handle.
Recently, there have been a variety of client puzzles proposed to resolve DoS
attacks in computer networks. Having examined and analysed the practical use
of existing cryptographic puzzles, we have found that most of them are suscep-
tible to coordinated attacks because they do not support the non-parallelization
characteristic. With regard to lacking of the parallelism characteristic in existing
client puzzles, therefore, this chapter proposes a new puzzle construction based
on the subset sum problem. Undoubtedly, the primary strength of this puzzle
over others is non-parallelization. In addition, another key strength is that the
puzzle construction and verification requires simple and fast computation on the
server as shown in the performance analysis (see Section 6.4). Evaluation and
investigation by using performance analysis under five performance parameters
and the percentage of successful service shows that our new approach slightly
improves the throughput in comparison with hash-based reversal technique from
Experiment 3 and 4 in Chapter 5. This is because the puzzle verification of
our new algorithm can be done slightly quicker than hash reversal techniques,
even though the puzzle generation of new scheme requires one step longer than
original technique.
On the other hand, a weakness with this construction is that it does not
provide linear granularity for puzzle difficulty adjustment. As a result, an open
problem for future research is to explore alternative techniques for improving
the new puzzle mechanisms which support all the defined properties as shown in
Table 6.1. Such a puzzle would be more effective for defending the server against
DoS and DDoS attacks.
170 Chapter 6. Subset Sum Cryptographic Puzzles
Chapter 7
Conclusion and Future Work
The main objective of this research is to design denial-of-service resistant mecha-
nisms in key establishment protocols and extend formal security techniques into
a new implementation to examine the security and performance of DoS-resistant
key establishment protocols. We hope that the new construction as well as
all proposed DoS-resistant strategies and techniques might be able to help the
computer security community to develop effective protocols in the future. The
following is a summary of our work related to these proposed objectives.
7.1 Summary of Contribution
We revisit the five aims of the research originally listed in Chapter 1.
1) To identify denial of service vulnerabilities in key establishment
protocols.
• We study the denial of service characteristics in Chapter 2, and seven key
establishment protocols implementing DoS-resistant mechanisms in Chap-
ter 3. We identify vulnerabilities relating to resource exhaustion at the
authentication process of key establishment protocols.
• In Chapter 5, we identify vulnerabilities in client puzzles that are used in
HIP to counterbalance the computational usage and delay the incoming
requests from clients when the server becomes heavily loaded.
171
172 Chapter 7. Conclusion and Future Work
2) To propose improved strategies and techniques to resist denial of
service attacks in key establishment protocols.
• In Chapter 2, we introduce strategies and techniques to help the server
to improve the security against denial of service attacks. Some of these
strategies and techniques have never been implemented, or are otherwise
inappropriately used in currently proposed key establishment protocols.
• Chapter 3 provides critical analysis and evaluation on the implementation
of DoS-resistant strategies and techniques proposed in Chapter 2. Only
three candidates; Modified IKE [83], Host Identity Protocol (HIP) [95],
and Lee & Fung’s protocol [72], use techniques supporting all three DoS-
resistant strategies.
• Applying the time-based model and a coordinated attacking strategy in
Chapter 5, we identify a vulnerability in hash-based puzzles relating to their
parallelizable characteristic. We propose to replace this construction with a
generic model of non-parallelizable client puzzles. The experimental result
shows that an enhanced protocol can help the server to resist coordinated
attacks.
3) To extend Meadows’ cost-based framework for modelling and analysing
key establishment protocols that have DoS-resistant built-in mecha-
nisms.
• In our evaluation in Chapter 3, we identify key strengths of HIP and se-
lect this protocol for modelling and analysis with Meadows’ cost-based
framework in Chapter 4. Because HIP implements client puzzles as the
defensive tool to counteract adversaries attempting to flood bogus mes-
sages, the cost-based framework identifies that HIP can effectively resist
four specified types of DoS adversaries.
• Using CPN Tools for simulating DoS-resistant protocols in Chapter 5, we
model and simulate the coordinated adversarial strategy, as well as validate
the analysis performed by Smith et al. [125] using the Meadows framework.
• From the experimental result of a HIP time-based model in Chapter 5,
we identify a limitation of Meadows’ cost-based framework for modelling
7.1. Summary of Contribution 173
and identify resource exhaustion vulnerabilities resulting from coordinated
parallelized attacks.
4) To evaluate and examine DoS-resistant protocols by using formal
simulation techniques.
• In Chapter 4, we examine a HIP cost-based model by constructing it in
Coloured Petri Nets and using simulation techniques to identify resource
exhaustion vulnerabilities. We use simulation techniques rather than math-
ematical proofs for modelling and verifying the complex protocols due to
large instances and various interactions between protocol entities.
• Once we can identify the attack on HIP that relates to puzzle difficulty
and puzzle solving time, Chapter 5 introduces an alternative technique to
construct a HIP time-based model in CPN Tools. From this construction,
we identify one major flaw in client puzzles in which coordinated adversaries
might be able to mount a strong attack [12] on the server.
5) To design new DoS-resistant mechanisms and evaluate their security
and performance using a formal security approach.
• In Chapter 6, we study the subset sum problems and the algorithm used
to solve such problems in polynomial time. This solving algorithm is called
LLL lattice reduction whose key benefit is in a non-parallelizable and poly-
nomial solving time characteristic.
• We design a new client puzzle mechanism based on the construction of sub-
set sum problems. The key strengths of our scheme are a cheap construction
and verification, as well as a non-parallelizable characteristic. Experimen-
tal results under DoS attacks and performance evaluation ensure that our
subset sum puzzles satisfy fundamental requirements of good puzzles. In-
tegrating our mechanism into HIP can help the server to resist the five
specified adversarial strategies as shown in the experimental results. In
addition, the performance analysis confirms that our puzzle construction
and verification can be performed as quickly as hash-based puzzles, such
that this new approach does not introduce other attacks to the protocol
entities.
174 Chapter 7. Conclusion and Future Work
7.2 Open Problems and Future Work
Some problems in this research area have been left open during this work. These
open problems could be useful to study and investigate for future work. The
following are some possible directions to be extended;
1. Since this research only focusses on two-party key establishment protocols,
one promising future work is to extend formal analysis to multi-party key
establishment protocols to explore some denial-of-service vulnerabilities.
Several multi-party key establishment protocols have been introduced in
the past several years. Few of them have been formally analysed and veri-
fied, while the problem of denial of service attacks in multi-party protocols
is almost entirely unexplored;
2. In the taxonomy of client puzzles, we only evaluate client puzzles based
on processor bound functions for puzzle constructions. In the past few
years, there have been new puzzle constructions based on memory bound
functions developed by Dwork et al. [40], Abadi et al. [1], Naor [96], Coelho
[30], and Doshi et al. [37]. These schemes have been proposed to overcome
the large speed differentiation between high-end processors and light weight
devices such as mobile phones or personal digital assistants (PDA). It will
be interesting to find whether this different class of puzzles can be applied
in the ways explored in this thesis;
3. The simplicity and performance of the existing LLL schemes is another
concern for deploying subset sum puzzles in general applications. Several
experiments have shown the failure of original LLL in dealing with the large
instances (n over 100) and high density problems (d over 0.90). The com-
bination of other algorithms such as dynamic approximation and heuristic
technique [8] to speed up the reduction process and make it more accurate
is one possible direction to be investigated;
4. Satisfying both non-parallelization and linear granularity in the same con-
struction is another open area for future research. As stated by Naor [96],
new implementations of puzzles based on memory bound functions could
be immune to parallel attacks. As a result, more research should consider
algorithms relying on memory, such that the new construction would be
able to provide not only non-parallelization and linear granularity, but also
to reduce the contrast of CPU speed in the client’s machine; and
7.2. Open Problems and Future Work 175
5. The criteria to select puzzle difficulty (k) for different workload condition
would be another interesting area for future research direction. This can
lead to improvement of overall throughput when the server has more avail-
able range of puzzle difficulty and is able to select these values more appro-
priately for precisely controlling the incoming rate of requests. An example
technique to adjust puzzle difficulty based on the server’s workload crite-
ria was proposed by Beal and Shepard [9] for deamplifying the impact of
DoS attacks in HIP. Another technique based on an analysis of queue man-
agement to prevent DoS attacks has been introduced in [13, 68, 135]. This
mechanism would be an interesting research area not only for organising in-
coming requests and effectively managing the queue resource of the server,
but also appropriately assigning puzzle difficulty to users for delaying the
number of requests once the server becomes fully loaded.
176 Chapter 7. Conclusion and Future Work
Appendix A
HIP Model
k i s V a r i e d
T h e r e s p o n d e r s h o u l d s e l e c t k t o f o r c e t h e i n i t i a t o rt o s p e n d t i m e m o r e t h a n t i m e u s a g e i n M S G 3 R & 4 R
H I P t i m e d V a r i e d K h a s h . c p n > s a v e s a s f r o m H I P t i m e d V a r i e d 0 5 . c p n1 ) A d v e r s a r i e s f l o o d o n l y o n c e > n o r e t u r n t o k e n t o f i r s t s t e p2 ) d o n ' t a d d t i m e t o a t 1 a t I n i t i a t o r M S G 2 _ I a n d M S G 3 _ I > H C _ P r o c e s s i n g T i m e = T i m e a t 13 ) t i m e : 1 a t M S G 1 a n d 2 a t M S G 3 ( f a s t e r t h a n S u b s e t S u m a t M S G 1 b u t s l o w e r a t M S G 3 ) R e s p o n d e rI n i t i a t o r K e y E s t a b l i s h m e n t P r o t o c o l
n 1 1n 1 1 ` ( u 1 )1 ` ( u 1 , a t 1 , d t 1 , x , i , n u m 1 )M S G 3N e t w o r k
F i n i s h
M S G 1M S G 1 M S G 2N e t w o r kM S G 4 _ IM S G 4 _ IM S G 3 _ IM S G 3 _ I M S G 4 _ RM S G 4 _ R
M S G 2 _ RM S G 2 _ RM S G 3 _ RM S G 3 _ RM S G 2 _ IM S G 2 _ I
M S G 4N e t w o r k
M S G 1 _ RR e c e i v e rM S G 1 _ IS e n d e r
R e sF u s i o n C o u n t1 ` 0 N U M R e s o u r c eF u s i o n R e s o u r c eR e s o u r c eN U ME x p i r e d P u z z l eE x p i r e d P u z z l eP u z z l e
R e j e c t e d 1F u s i o n R e j 1R e j e c t
R e j e c t e dR e j e c t e dR e j e c t C o m p l e t e dD o n e
R e s o u r c e I2 0 ` h c + +5 0 0 ` a d 2 T I M E DP u z z l eT i m eC O S T r k M S G _ u n t i m e d
c o s t R 4C O S Tc o s t I 4C O S T c o s t R 3C O S Tc o s t I 3C O S T c o s t R 2C O S Tc o s t I 2C O S T c o s t R 1C O S Tc o s t I 1C O S T
O u t p u tM S G
R e c e i v e dM S G _ u n t i m e d
I 4M S G _ u n t i m e dI 3M S G M 3 M S GM 1 M S GM 2M S G
R 4M S GR 2M S GR 3M S G _ u n t i m e dR 1M S GI 1M S G _ u n t i m e d
I 2M S G _ u n t i m e d
R e j e c t e d
F u s i o n R e j 1E x p i r e d P u z z l e
F u s i o n R e s o u r c eF u s i o n C o u n t
S e n d e r R e c e i v e r
N e t w o r kM S G 2 _ I
M S G 3 _ RM S G 2 _ RM S G 4 _ RM S G 3 _ IM S G 4 _ I
N e t w o r kM S G 1
N e t w o r k
Figure A.1: Top Page of HIP CP-Net
177
178 Appendix A. HIP Model
Figure A.2: Colour Sets and Values
S e n d e r S u b p a g eu 1 u 1u 1 ( u 1 , k )( u 1 , I n t I n f . t o I n t ( t i m e ( ) ) , d t 1 , x , i , n u m 1 )( u 1 , a t 1 , d t 1 , x , i , n u m 1 ) 1 ` ( u 1 , I n t I n f . t o I n t ( t i m e ( ) ) , d t 1 , " H I T i , H I T r " , k , n u m 1 )f r o mR e c e i v e r H a s hi n p u t ( i ) ;o u t p u t ( k ) ;a c t i o n( i + 0 ) ;R e t u r nF u s i o n R e t u r nU s e rR e s p o u r c e II n T I M E D c o s t I 1O u t C O S TI 1 O u tM S G _ u n t i m e d
s e n d e r1 ` ( h c , I n t I n f . t o I n t ( t i m e ( ) ) , 0 , " H I i , H I r " , 0 , 0 )+ + 1 ` ( a d 1 , I n t I n f . t o I n t ( t i m e ( ) ) , 0 , " H I i , H I r " , 0 , 0 )+ + 1 ` ( a d 2 , I n t I n f . t o I n t ( t i m e ( ) ) , 0 , " H I i , H I r " , 0 , 0 )+ + 1 ` ( a d 3 , I n t I n f . t o I n t ( t i m e ( ) ) , 0 , " H I i , H I r " , 0 , 0 )+ + 1 ` ( a d 4 , I n t I n f . t o I n t ( t i m e ( ) ) , 0 , " H I i , H I r " , 0 , 0 )+ + 1 ` ( C o _ a d 3 , I n t I n f . t o I n t ( t i m e ( ) ) , 0 , " H I i , H I r " , 0 , 0 )M S GO u tO u tI n
F u s i o n R e t u r nFigure A.3: Initiator Subpage for Request Generation
179M S G 2 _ R s u b p a g en 1 ` ( u 1 , a t 1 , I n t I n f . t o I n t ( t i m e ( ) ) + d t 2 , y , k , n u m 1 )n + 11 ` ( u 1 , a t 1 ,I n t I n f . t o I n t ( t i m e ( ) ) + d t 2 ,y , k , n u m 1 ) n 1 n 1 1 ` ( u 1 , y , a t 2 , d t 2 )1 ` ( u 1 , a t 1 , d t 1 , x , i , n u m 1 )
( u 1 , k ) u 1n � 1n ( n 1 )( n 1 ) i f ( ( n 1 ) < k )t h e n 1 ` ( u 1 , " k _ m i n " , I n t I n f . t o I n t ( t i m e ( ) ) , p z 1 + 2 0 0 4 )e l s e i f ( n 1 < 5 * l i m i t )t h e n 1 ` ( u 1 , " k _ m e d " , I n t I n f . t o I n t ( t i m e ( ) ) , p z 2 + 2 0 0 4 )e l s e 1 ` ( u 1 , " k _ m a x " , I n t I n f . t o I n t ( t i m e ( ) ) , p z 3 + 2 0 0 4 )k kP u z z l e@ + 1 i n p u t ( i ) ;o u t p u t ( k ) ;a c t i o n( i + 1 ) ; D e c i s i o n [ n > 0 ]
r k O u tM S G _ u n t i m e dU s e rF u s i o n U s e rU s e rM e m o r yF u s i o n M e m o r y1 ` 0 I N T 1
R e s o u r c eF u s i o n R e s o u r c eR e s o u r c eN U MC o u n tF u s i o n C o u n t1 ` 0N U M
kP u z z l eL i m i t l i m i tI N T 1
M 1I nM S GR 2O u tM S Gc o s t R 2O u tC O S TO u t
O u t I nF u s i o n C o u n t
F u s i o n R e s o u r c e
F u s i o n M e m o r y F u s i o n U s e rO u t
Figure A.4: Responer Subpage for Puzzle Generationp u z z l eI n M S GI n
p 1O u t M S GO u tH I TI n M S GI n
c o s t s o l v e JC O S T
k _ m i nM S GA d v e r s a r yP o o l M S G
T i m e s o l v e JO u t C O S TO u t
k _ m e dM S G k _ m a xM S GC o s t I 3O u tC O S TO u t O 1O u t M S GO u tH a s h 1 i n p u t ( j ) ;o u t p u t ( l ) ;a c t i o n( j + 1 * 1 ) ;
d e c i d e k
H a s h 2 i n p u t ( j ) ;o u t p u t ( l ) ;a c t i o n( j + 5 0 0 * 1 ) ; H a s h 3 i n p u t ( j ) ;o u t p u t ( l ) ;a c t i o n( j + 5 0 0 0 * 1 ) ;D e c i d e kD e c i d e kD e c i d e k1 ` ( u 1 , a t 1 , d t 1 , y , j , n u m 1 )
1 ` ( u 1 , a t 1 , d t 1 , y , j , n u m 1 )i f ( u 1 = C o _ a d 3 ) o r e l s e ( u 1 = a d 3 )t h e n e m p t ye l s e i f ( s u b s t r i n g ( y , 0 , 5 ) = " k _ m i n " )t h e n ( 1 ` ( u 1 , a t 1 , d t 1 , y , j , n u m 1 ) )e l s e e m p t yi f ( u 1 = C o _ a d 3 ) o r e l s e ( u 1 = a d 3 )t h e n ( 1 ` ( u 1 , a t 1 , d t 1 , y , j , n u m 1 ) )e l s e e m p t yi f ( u 1 = C o _ a d 3 ) o r e l s e ( u 1 = a d 3 )t h e n e m p t ye l s e i f ( s u b s t r i n g ( y , 0 , 5 ) = " k _ m e d " )t h e n ( 1 ` ( u 1 , a t 1 , d t 1 , y , j , n u m 1 ) )e l s e e m p t y i f ( u 1 = C o _ a d 3 ) o r e l s e ( u 1 = a d 3 )t h e n e m p t ye l s e i f ( s u b s t r i n g ( y , 0 , 5 ) = " k _ m a x " )t h e n ( 1 ` ( u 1 , a t 1 , d t 1 , y , j , n u m 1 ) )e l s e e m p t y1 ` ( u 1 , a t 1 , d t 1 , y , j , n u m 1 ) 1 ` ( u 1 , a t 1 , d t 1 , y , j , n u m 1 )1 ` ( u 1 , a t 2 , d t 2 , z , k , n u m 1 ) 1 ` ( u 1 , a t 2 , d t 2 , z , k , n u m 1 ) 1 ` ( u 1 , a t 2 , d t 2 , z , k , n u m 1 )
( u 1 , 1 * 1 ) ( u 1 , 1 * 5 0 0 * 1 ) ( u 1 , 1 * 5 0 0 0 * 1 ) ( u 1 , a t 1 , d t 2 , y , l , n u m 1 )@ + 5 0 0 0( u 1 , a t 1 , d t 2 , y , l , n u m 1 )@ + 5 0 0( u 1 , a t 1 , d t 2 , y , l , n u m 1 )@ + 1( u 1 , l ) ( u 1 , l ) ( u 1 , l )
P u z z l e _ 3 I S u b p a g e R e u s e d P u z z l e S o l u t i o n
Figure A.5: Initiator Subpage for Puzzle Solving
180 Appendix A. HIP Model
Appendix B
Pseudo-code of Subset Sum
Experiments
181
182 Appendix B. Pseudo-code of Subset Sum Experiments
B.1 Backtracking Algorithm
Backtracking or Brute Force Searching is a recursive technique to gathers all
possible solutions and then checks for one satisfying the solution of subset sum
problems. This guarantees that it will always return an optimal solution. How-
ever, this technique consumes high CPU power and running time because it
requires to test all 2n solutions, where n is the amount of items. The following
is pseudocode of the backtracking algorithm.
Backtracking Algorithm [79]
• Solution is a set of (b1,. . .,bn), where bi ∈ {0,1}
• There are 2n possible solutions stored at each leaf nodes of binary
tree
• Check whether the current value is the solution M or not
• Otherwise, backtrack to other choices
Backtracking Pseudocodefunction SubsetSum(int k, int CurrentSum)
/* global array b[1 . . . k] contains binary vector of 1 to k */
/* CurrentSum = sum of previous values */
1) if (k = n)
2) { if CurrentSum = M; return Solution has been found }3) else { /* explore all remaining leaf nodes */
4) b[k+1] = 0;
5) SubsetSum(k+1, CurrentSum);
6) b[k+1] = 1;
7) SubsetSum(k+1, CurrentSum + x[k+1]);
8) }
B.2. Branch & Bound Algorithms 183
B.2 Branch & Bound Algorithms
The bounding technique or branch & bound algorithm is a technique to avoid
the time-consuming brute force searching by inserting some pruning schemes.
The pruning algorithm can save the running time by avoiding some unnecessary
nodes during the searching process by storing and traveling only to states whose
total weight does not exceed the limit. It specifies an upper bound on the output,
so any descendant tracks having value above or not below their ascendant node
will be eliminated from the possible solution.
Branch & Bound Algorithms [97]
• When a node that represents a subset whose sum equals the desired
solution M , terminate
• When a node that represents a subset whose sum exceeds the de-
sired solution M , backtrack (do not enter its subtrees, go back to
parent node instead)
• Keep a variable r that gives the summation of the numbers not yet
considered
• When moving to a right child, check if (CurrentSum + r ≥ M).
Otherwise, backtrack
Branch & Bound Pseudocode1) initialize (PQ);
2) v = root of Tree;
3) best = value(v);
4) insert(PQ, v);
5) while ( 6= empty (PQ)) // Remove node with best branch
6) remove(PQ, v);
7) if (branch(v) is better than best value)
8) for(each child u of v)
9) if(value(u) is better than best value)
10) best value = value(u);
11) if(branch(u) is better than best value)
12) insert(PQ, u);
13) return best value;
184 Appendix B. Pseudo-code of Subset Sum Experiments
Bibliography
[1] M. Abadi, M. Burrows, M. Manasse, and T. Wobber. Moderately Hard,
Memory-bound Functions. In the 10th Annual Network and Distributed
System Security Symposium, San Diego, California, USA, 6–7 Feb 2003.
[2] L M. Adleman. On Breaking Generalized Knapsack Public Key Cryptosys-
tems. In the 15th Annual ACM Symposium on Theory of Computing, pages
402–412, New York, USA, 1983.
[3] W. Aiello, S. M. Bellovin, M. Blaze, J. Ioannidis, O. Reingold, R. Canetti,
and A. D. Keromytis. Efficient, DoS-resistant, secure key exchange for
internet protocols. In The 9th ACM Conference on Computer and Com-
munications Security, pages 48–58, Washington, DC, USA, 2002. ACM
Press.
[4] I. Al-azzoni. The Verification of Cryptographic Protocols using Coloured
Petri Nets. Master of Applied Sciences Thesis, Department of Software