Despite the popularity of 802.11 based networks, they suffer several types of DoS attack, launched by an attacker whose aim is to make an access point (AP) unavailable to legitimate users. One of the most common DoS attacks on 802.11 based networks is to deplete the resources of the AP. A serious situation like this can occur when the AP receives a burst of connection requests. This paper addresses this common DoS attack and proposes a lightweight puzzle, based on pattern-matching. Using a pattern-matching technique, this model adequately resists resource-depletion attacks in terms of both puzzle generation and solution verification. Using a sensible series of contextual comparisons, the outcomes were modelled by a simulator, and the security definition and proofs are verified, among other results.
1. Introduction
Despite an unprecedented growth in popularity, using an open shared transmission medium makes wireless LANs (WLAN) extremely vulnerable to many attacks [1]. A series of security extensions to 802.11 have already been ratified to fix some of these vulnerabilities. However, these extensions primarily deal with vulnerabilities related to unauthorized access and confidentiality breaches. As our dependence on wireless access increases, it also becomes essential to consider the issue of availability as another important security requirement [2]. Denial-of-service (DoS) attacks strike against availability, attempting to prevent legitimate users from accessing the network. There are many 802.11-specific DoS vulnerabilities, which have been experimentally demonstrated in the literature of recent years.
Denial-of-service (DoS) attacks are a growing concern to networked services like the Internet. A DoS attack intends to deny access to shared services or resources by legitimate users [3]. A common form of WLAN DoS attack is a resource depletion attack, in which an attacker tries to overload the Access Point’s (AP) resources, such as its memory-hosted association table, rendering the AP unable to service honest clients. A potential way to deal with this problem is for a defending server to identify and segregate malicious traffic as quickly as possible. Other forms of DoS attack are jamming attacks, semantic attacks, and implementation specific attacks.
To deal with DoS attacks, researchers have proposed a number of methods. For resource depletion or connection request flooding (CRF) attacks in particular, a number of countermeasures in both the physical and MAC layers are discussed in [4]. These solutions are cryptographic protection, security protocol repair, intrusion detection systems (IDS), decreasing the retry limit, identifying with signal strength info, and identifying through RF fingerprint.
Client puzzles, also known as proofs of work, have been shown to be a promising tool to thwart DoS attacks on network protocols, particularly on authentication protocols. A puzzle is issued by the server in reply to each request when the server is under attack. After receiving a puzzle, the client has to solve it in order to convince the server to grant access to its resources. The main idea is that puzzle generation and solution verification should be easy for the server, while computing the puzzle solution should be somewhat hard, computationally speaking, for the client.
Many client puzzles have been proposed since they were first introduced by Dwork and Naor in 1992 [5]. An important recent development has been the analysis of client puzzles within the provable security framework [6, 7]. The main contribution of our paper is proposing a faster puzzle in verification and generation phases. Compared to other hash based puzzles, our work consumes at least 30% less resources in both generation and verification phases, all without the need for additional hardware. It also addresses the security definition of Chen et al. [6] and proves that our proposed puzzle is secure.
To emphasize the importance of CRF DoS attacks and to show how they are launched, we shall highlight parts of the 802.11 standard which present malicious users with opportunities to breach secure, fair, and efficient protocol operations.
The following section will describe how connection-request flooding attacks and spoofed disconnect attacks on 802.11 based networks occur. Section 3 will review the methods and approaches proposed by other researchers in the literature. However, more information related to other attacks and issues of network security can be found in [8–32]. More information related to patterns can be found in [33–36]. In Section 4, the details of the proposed puzzle will be discussed. The experimental results will be demonstrated in Section 5. Using security definition of Chen et al. [6] alongside the client puzzle protocol security properties, a security analysis of the proposed approach will be provided prior to the conclusion.
2. CRF DoS Attack on WLANs
Fundamentally, 802.11-based networks operate in two modes: Ad-hoc and Infrastructure. In addition, WLANs are deployed in three architectural models: Independent Basic Service Set (IBSS), Infrastructure BSS, and Extended BSS [37]. This paper will pay special attention to CRF DoS attacks on WLAN in Infrastructure mode, where a Basic Service Set (BSS) is orchestrated by the AP.
To get access eligibility, STAs must initially authenticate themselves to the AP. This is the same sort of operation as connecting a PC to a certain wired network outlet. In order to simplify the attachment of wireless stations (STA) to a network, the connection procedure in wireless networks has been designed without providing an authentication mechanism on MAC frame header fields [38], particularly in open authentication mode. This security hole makes forging the source address of a MAC frame so easy that identifying the source of traffic is virtually impossible. Sending false connection requests is much cheaper than validating those requests. If the authentication server does not protect the limited-resource AP against false requests (whose aim is to exhaust available resources), the solution becomes challenging.
In addition, the authentication and association procedure has been designed as a stateful process. This means that the AP is required to allocate a certain amount of resources (normally memory capacity) for every connection request in order to track the current state, as shown in Figure 1.
Figure 1: Authentication and association states.
Despite the significant benefits of the authentication and association procedure, there is a clear sign that this procedure could easily become a simple route to deny service [39]. An attacker can effortlessly launch a CRF DoS attack by forwarding a burst of bogus connection requests—whether probe, authentication, or association request frame—over a relatively short time, towards an unprotected AP. Consequently, the victimized AP runs out of resources (i.e. association table) quickly, so that legitimate requests remain unanswered [3, 40]. In addition, after making a wireless network disappear, a fake system belonging to an attacker may pose as the legitimate wireless infrastructure, which enables the attacker to launch a man-in-the-middle attack [41].
Even though a number of anti-CRF DoS schemes have already been proposed for wired networks, they are unsuitable to protect resource-limited wireless infrastructure [42].
3. Related Works
Over the past decades, researchers have proposed many countermeasures to mitigate or even eliminate the harmful effects of CRF DoS attacks on computer networks. In this section, we review the relevant literature on client puzzles, with an emphasis on hash-based puzzles.
Client Puzzle. The idea of the client puzzle protocol is quite simple [43]. When the server is not under attack, it follows its normal activity and accepts connection requests. When the server comes under attack, it forwards a unique puzzle to each client wishing to attach to the network. Solving these puzzles imposes a certain amount of computation and storage cost on clients. If a client submits a valid solution to the server, the server will allocate the required resources to that client. As it turns out, a legitimate client has to undergo an insignificant computational cost when a server comes under attack, while an attacker needs large computational resources to make a noticeable interruption in the network service. The use of puzzles in cryptography was pioneered by Merkle [44], who used puzzles to establish a secret key between parties over an insecure channel. Client puzzles were first proposed by Dwork and Naor [5] as a countermeasure for email spam. The computational problems underlying most puzzles are either number-theoretic [5, 45, 46] or based on hash inversions [6, 47, 48]. Hash-based puzzles are very efficient (generation and verification typically require only one or two hash function calls), but concrete realizations to date have been shown to be secure only in the random oracle model. Number-theoretic puzzles, on the other hand, have been shown to be secure in the standard model but have tended to be relatively inefficient, typically requiring the server to perform a large-integer modular exponentiation, which makes them unsuitable for resource-limited WLANs. Hence, some researchers focused on payment schemes other than CPU cycles, for example, memory-bound puzzles [49–51], knapsack puzzles [52], NST puzzles [53], bandwidth puzzles [54, 55], or human interaction with so-called CAPTCHAs [56].
Hash-Based Puzzle. Juels and Brainard (see [57]) employed a cryptographic client puzzle protocol to protect servers against CRF DoS attack.
Aura et al. [48] employed the client puzzle in an authentication protocol. They proposed a CPU-bound puzzle based on partial collision in a one-way hash function, protected by digital signature. The client solves X from the following equation by brute force and sends the signed solution X back to the server:
$$h(C, N_s, N_c, X) = \underbrace{000\cdots000}_{\text{the } k \text{ first bits of the hash}}\, Y. \tag{1}$$
The authors claimed that their method is a lightweight puzzle and consumes as few CPU cycles as possible. However, using a public-key signature may significantly increase the likelihood of resource exhaustion on the authenticator’s side (AP or server), particularly when the network environment is a WLAN [58]. Moreover, when using hash-based puzzles, some issues have to be taken into consideration, including the following:
The puzzle difficulty cannot be controlled at a fine grain [59]. In other words, the difficulty grows exponentially as the number of bits needed for the partial collision increases.
Like other CPU-bound puzzles, this puzzle suffers from the CPU-power disparity issue [59]. CPU-power disparity issues occur where a puzzle depends on computational power. In such circumstances, clients equipped with high resources are able to solve puzzles in a shorter time than others. Attackers take full advantage of this security hole.
This method is recognized as a parallelizable puzzle, so the attacker can solve the puzzle in a parallel manner using a number of employed clients.
To mitigate the overloading of Aura’s puzzle on APs, Shi and Ma [60] designed a lightweight anti-DoS attack wireless authentication scheme on the basis of a hash function. They put a signature computation only after the puzzle verification. Still, the AP has to generate a puzzle for every client’s request and to store it. To handle a burst of connection requests containing spoofed or unauthenticated MAC addresses, the AP has to exhaust more resources to generate more puzzles. This may lead to memory exhaustion. Moreover, this puzzle still suffers from the hash reversal puzzle issues mentioned above.
To eliminate the Aura puzzle defect, Dong et al. [58] proposed a hash-based puzzle to handle two key problems: avoiding the possible memory exhaustion in the earlier puzzle and combating the CRF attack. They took advantage of beacon frames to distribute the puzzle parameters. This protects the AP against a second DoS attack on puzzle generation, where the AP faces a sudden burst of puzzle requests. However, this scheme does not provide a solution to the problems raised by hash-based puzzles. The authors in [61] proposed a CPU-bound client puzzle based on extracting square roots. Table 1 presents the proposed client puzzle in detail.
Table 1: DoS-resistant authentication based on extracting square roots.

| Client | AP |
|---|---|
| (L, R, D, z) ← Beacon Frame | AP periodically decides D (difficulty), generates n = p × q (2 large prime numbers), sets a time limit Δt, and chooses L, R, and z, Rand(z) ∈ {1, 2, …, w}, where w is the size of n |
| Client solves X by brute force from the equation X² ≡ a (mod n) within Δt | |
| (X, L, R, D, z) → Authentication Req. | AP verifies that R and L are recent; AP computes a′ ≡ X² (mod n); AP verifies that a′ satisfies the condition; AP may now commit resources |
By using beacon frames as the puzzle carrier, this puzzle keeps the AP away from a puzzle request flooding attack. Moreover, it is claimed that by choosing two large prime numbers p and q along with Δt, it is ensured that forging multiple solutions in a short time is impossible. Despite these valuable achievements, a number of drawbacks should be taken into consideration:
Using quadratic residue problems imposes a large computational load on an STA, which in the case of a PDA, tablet, or other limited-resource device can be a problem.
Allocating 77 bytes of management frame to a puzzle wastes wireless bandwidth.
Even though the verification is low cost, sending too many fake solutions can overburden the AP.
The results show the puzzle difficulty of this puzzle is poorly granular.
Like other CPU-bound puzzles, this puzzle suffers from the CPU-power disparity issue.
As the granularity of hash-based reversal puzzles is too coarse, Feng et al. [62] proposed the idea of a hint-based hash reversal puzzle to allow the granularity to be linear. The idea behind the proposed puzzle is that the server gives the client a hint about the range within which the solution lies. For example, suppose a randomly generated number x is used as the input to the hash h(x). To generate a puzzle with O(D) difficulty, the server passes the client the hash and a hint, x − u(0, D), where u(0, D) is a randomly chosen number uniformly distributed between 0 and D. Instead of checking every possible solution, the client starts at the hint and searches the range linearly for the answer. Apart from the last process, all remaining processes are similar to Juels and Brainard’s puzzle. Hence, the simple puzzle generation and verification, as well as the linear granularity for fine-grained control, are the strengths of this solution. However, it is still susceptible to parallel processing attacks. It is also susceptible to DoS puzzle attacks on the AP during puzzle generation, where an attacker sends a burst of puzzle requests and the AP has to produce a unique puzzle for every request. Moreover, like other CPU-bound puzzles, a hint-based hash-reversal puzzle suffers from the CPU speed disparity issue.
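The granularity difference between the partial-collision puzzle of equation (1) and the hint-based puzzle can be measured directly. The following Python sketch is an added example, not code from the paper or from the cited schemes; SHA-256, the field encoding, and all function names are assumptions made for illustration.

```python
import hashlib
import secrets


def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed fields, so field boundaries stay unambiguous."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()


def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the start of a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


# --- Partial collision, equation (1): h(C, Ns, Nc, X) must start with k zero bits ---
def solve_partial_collision(c: bytes, ns: bytes, nc: bytes, k: int):
    """Client: brute-force X. Expected work is about 2^k hash calls."""
    tries = 0
    while True:
        tries += 1
        x = tries.to_bytes(8, "big")
        if leading_zero_bits(h(c, ns, nc, x)) >= k:
            return x, tries


def verify_partial_collision(c: bytes, ns: bytes, nc: bytes, x: bytes, k: int) -> bool:
    """Server: a single hash call."""
    return leading_zero_bits(h(c, ns, nc, x)) >= k


# --- Hint-based reversal: server reveals h(x) and hint = x - u(0, D) ---
def make_hint_puzzle(d: int):
    """Server: pick x, publish its hash and a hint at most D below x."""
    x = d + secrets.randbits(64)
    hint = x - secrets.randbelow(d + 1)  # u(0, D) drawn uniformly
    return h(x.to_bytes(16, "big")), hint


def solve_hint_puzzle(target: bytes, hint: int, d: int):
    """Client: linear search upward from the hint. Work is at most D + 1 hashes."""
    for tries, cand in enumerate(range(hint, hint + d + 1), start=1):
        if h(cand.to_bytes(16, "big")) == target:
            return cand, tries
    return None, d + 1


def verify_hint_solution(target: bytes, x: int) -> bool:
    """Server: a single hash call."""
    return h(x.to_bytes(16, "big")) == target


def average_work(trials: int = 20) -> dict:
    """Mean client hash calls per difficulty setting, for both puzzle types."""
    out = {"partial": {}, "hint": {}}
    for k in (4, 8, 10):  # one extra bit doubles the expected work
        total = 0
        for _ in range(trials):
            ns, nc = secrets.token_bytes(8), secrets.token_bytes(8)
            total += solve_partial_collision(b"sta", ns, nc, k)[1]
        out["partial"][k] = total / trials
    for d in (16, 256, 1024):  # work scales linearly with D
        total = 0
        for _ in range(trials):
            target, hint = make_hint_puzzle(d)
            total += solve_hint_puzzle(target, hint, d)[1]
        out["hint"][d] = total / trials
    return out


if __name__ == "__main__":
    for kind, rows in average_work().items():
        for setting, mean in rows.items():
            print(f"{kind:8s} difficulty={setting:5d} mean hashes={mean:9.1f}")
```

Both verifiers cost one hash, which is why neither scheme protects the AP by itself against a flood of puzzle requests or bogus solutions.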
Similarly, Lei et al. [63] introduced the quasi-partial collision concept to provide a granularity of puzzle difficulty in a more controlled way. The results show a marked improvement on earlier puzzles; however, the hash-based CPU-bound problems still remain.
Number-Theoretic Puzzle. Rivest et al. [64] proposed a nonparallelizable time-lock puzzle based on repeated squaring to enable time-release cryptography. The idea behind it is that a client has to allocate a certain amount of computational resource time to execute repeated squaring. First, a server calculates roughly how many squaring operations a client is able to run per second: $S$. Then it specifies the time required by a client to find the puzzle’s solution: $T$. Considering this information, the server computes how many times a client must run the squaring function to find the solution: $t = T \times S$. Finally, the server encrypts a message $M$ into a cipher text $C$ as follows: $C = M + X^{a^t} \bmod N$, given an integer $X$, an exponent $a$, a large integer $t$, and an appropriate semiprime modulus $N$. To acquire $M$ from $C$, the client needs to compute $X^{a^t} \bmod N$ given $X$, $a$, $t$, and $N$ in $\log(a^t) \approx t$ modular multiplications. This computation can be performed efficiently using the trapdoor offered by Euler’s function: $X^{a^t} \bmod N \equiv X^{a^t \bmod \varphi(N)} \bmod N$. Surprisingly, time-lock puzzles are able to provide a precise and fixed amount of work. To verify the puzzle, the server checks the solution through the trapdoor offered by Euler’s function in $O(\log(N))$ modular multiplications.
Although this nonparallelizable puzzle eliminates the CPU-power disparity problem, there are some fundamental drawbacks which make this puzzle impractical in the real world.
Generating and storing big prime numbers may be resource-exhausting on the server side. As a result, time-lock puzzles meet the inefficiency threshold in puzzle generation in the order of microseconds [65].
To verify the puzzle, the server has to allocate a significant amount of resources to compute $e = a^t \bmod \varphi(N)$ and $b = X^e \bmod N$ for every received puzzle solution, which is undesirable in WLANs.
The server has to find out some information, such as CPU-power, from the clients in order to calculate the precise puzzle parameters. Attaining this information from a heterogeneous environment of clients, such as in WLANs, is almost impossible.
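The asymmetry between the client’s sequential work and the server’s trapdoor computation in the time-lock puzzle can be reproduced in a few lines. This is an added Python example, not code from Rivest et al. or from this paper; the two Mersenne primes, the function names, and the sample values are constructed for illustration, and a real deployment would use large random primes.

```python
import math
import time

# Constructed parameters: two known Mersenne primes keep the example deterministic.
P_PRIME = 2**31 - 1
Q_PRIME = 2**61 - 1


def server_value(x: int, a: int, t: int, p: int = P_PRIME, q: int = Q_PRIME) -> int:
    """Server side: b = X^e mod N with e = a^t mod phi(N), using the trapdoor phi(N)."""
    n, phi_n = p * q, (p - 1) * (q - 1)
    if math.gcd(x, n) != 1:
        # Euler's theorem, and therefore the shortcut, needs X coprime to N.
        raise ValueError("X must be coprime to N")
    e = pow(a, t, phi_n)
    return pow(x, e, n)


def make_puzzle(message: int, x: int, a: int, t: int,
                p: int = P_PRIME, q: int = Q_PRIME) -> dict:
    """Server side: C = M + X^(a^t) mod N. Only public values are returned."""
    n = p * q
    if not 0 <= message < n:
        raise ValueError("message must be in [0, N)")
    c = (message + server_value(x, a, t, p, q)) % n
    return {"N": n, "X": x, "a": a, "t": t, "C": c}


def solve_sequential(puz: dict) -> int:
    """Client side: no trapdoor, so raise to the power a, t times in sequence.

    After i iterations v equals X^(a^i) mod N; each step needs the previous
    result, which is what makes the puzzle nonparallelizable.
    """
    n, v = puz["N"], puz["X"]
    for _ in range(puz["t"]):
        v = pow(v, puz["a"], n)
    return (puz["C"] - v) % n


if __name__ == "__main__":
    t = 200_000
    start = time.perf_counter()
    puz = make_puzzle(123456789, 5, 2, t)
    gen = time.perf_counter() - start
    start = time.perf_counter()
    recovered = solve_sequential(puz)
    solve = time.perf_counter() - start
    print(f"server: {gen * 1e3:.3f} ms, client: {solve * 1e3:.3f} ms, M = {recovered}")
```

The server’s cost is still two modular exponentiations per puzzle or solution, which is the verification burden the drawbacks above refer to.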
To reduce the costs of puzzle verification of Rivest’s puzzle, Karame and Čapkun [45] adapted Rivest’s puzzle by employing an RSA key pair with small private exponent. This puzzle is based on the assumption that it is computationally intractable to compute a small private exponent d when the public exponent e is larger by several orders of magnitude than the modulus N. The server must still perform a modular exponentiation but, given a semiprime modulus N, the number of multiplications is decreased by a factor of |N|/k where k is a security parameter. For example, a factor 12.8 for a 1024 bit modulus results in 120 modular multiplications instead of 1536.
Despite this significant reduction in verification and generation cost, the verification costs remain too high to provide viable DoS protection for WLANs, where resources are very limited [66]. In particular, the puzzle setup is extremely costly. This method also suffers from difficulty granularity issues. Furthermore, this puzzle wastes the network’s bandwidth because it employs large numbers.
Recently, Rangasamy et al. [67] proposed a modular exponentiation-based client puzzle which can be seen as an efficient alternative to Rivest et al.’s time-lock puzzle. Unlike the Rivest et al. and Karame-Čapkun puzzles, Rangasamy et al.’s puzzle does not require the server to perform any online exponentiations. In fact, the server has to perform a total of two hash operations and a few modular multiplications for the puzzle generation and verification. Although it is a significant improvement over the Karame-Čapkun puzzle construction, the security of the puzzle does not rely on the standard security assumptions.
Kuppusamy et al. [68] also proposed a DLPuz puzzle based on the interval-discrete logarithm problem. This puzzle is claimed to be efficient while remaining secure in the standard model. Among other number theoretic puzzles, DLPuz puzzles demonstrate an extremely efficient verification algorithm, although the results show a costly puzzle generation which is prone to DoS attack.
4. PatPuz: A Superfast Hash-Based WLAN Puzzle
This section describes our new client puzzle construction PatPuz, which is based on finding a pattern key through reversing a one-way hash function. First, we will review the definition of a client puzzle and then present our construction.
The PatPuz will be able to manage connection requests so that they lose their importance as a valuable target for launching a DoS attack. Furthermore, this puzzle resists bogus puzzle solution flood attack where attackers strive to overload an AP during the puzzle verification stage.
Notation. If $n$ is an integer, then we use $|n|$ to denote the length in bits of $n$. The puzzle makes use of a family of keyed hash functions $H := \{H_k\}_{k \in K}$, where each $H_k$ is a function mapping $G$ to $\{0,1\}^l$ and $k$ is the security parameter. We let $x \xleftarrow{R} S$ denote choosing $x$ uniformly at random from $S$, where $S$ is a set. We write $x \leftarrow A(y)$ to assign the output of algorithm $A$ to $x$ when run with the input $y$. If $k$ is a security parameter, then $\mathrm{negl}(k)$ denotes a function that is negligible in $k$, namely asymptotically smaller than the inverse of any polynomial in $k$. Let $P_{x,z}(R)$ be a pattern function and let $V(p_n)$ denote the $p_n$-th bit of $R$; then the following patterns are applied on $R$:
Extract n values of length l from h(x) as shown in Figure 4.
R changes as follows:
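If $z = 1$ then $V(p_{2n}) = V(p_{2n+1})$, otherwise $V(p_{2n}) \neq V(p_{2n+1})$.
If $x = x_0, x_1, \ldots, x_i, \ldots, x_j, \ldots, x_n$ is a bit string then we let $x_{i,j}$ denote the substring $x_i, \ldots, x_j$. We use $y = \sigma_{s,\alpha}(x)$ to denote $y = \sigma_s(x)_{1,\alpha}$.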
4.1. Client Puzzle Formal Definition
In [6], Chen et al. define a client puzzle formally as follows.
Definition 1 (client puzzle).
A client puzzle Puz is a tuple consisting of the following algorithms:
Setup($1^k$): a p.p.t. setup algorithm that generates and returns a set of public parameters params and a secret key s, the former of which includes a puzzle difficulty parameter space QSpace.
GenPuz(s,Q,str): a p.p.t. puzzle generation algorithm which accepts a secret key s, difficulty parameter Q, and a session string str and returns a puzzle puz.
FindSoln(puz,τ): a probabilistic puzzle solving algorithm that returns a potential solution soln for puzzle puz after running time at most τ.
VerAuth(s,puz): a d.p.t. puzzle authenticity verification algorithm that returns true or false.
VerSoln(s,str,puz,soln): a d.p.t. puzzle solution verification algorithm that returns true or false.
For correctness, we require that if (params, s) ← Setup($1^k$) and puz ← GenPuz(s, Q, str) then there exists $\tau \in \mathbb{N}$ such that VerSoln(s, str, puz, soln) is true with probability 1, where soln ← FindSoln(puz, τ).
4.2. The PatPuz Puzzle
This scheme aims to provide a unique puzzle for every connection request received by an AP. The task of an STA is to find a pattern key by inverting a one-way hash function and to use that pattern key to create a unique pattern as the puzzle solution. Then, the AP only verifies those patterns. In many scenarios, it is essential that the GenPuz, VerAuth, and VerSoln algorithms be extremely efficient. In a denial-of-service setting, these algorithms are run online by the AP many times, and if they were expensive, then an attacker could induce a second resource depletion attack by asking for many puzzles to be generated or verified.
Setup($1^k$). The various spaces are chosen: $\mathrm{sSpace} \leftarrow K$, $\mathrm{QSpace} \leftarrow \mathbb{N}$, $\mathrm{strSpace} \leftarrow \{0,1\}^*$, $\mathrm{solnSpace} \leftarrow X$, $\mathrm{patternSpace} \leftarrow P$, and $\mathrm{puzSpace} \leftarrow \mathrm{QSpace} \times \mathrm{strSpace} \times \{0,1\}^k \times Y$. The value $s$ is chosen as $s \xleftarrow{\$} \mathrm{sSpace}$ and then output.
GenPuz(s, Q, str). A nonce serving as a timestamp for the current cycle is selected, $n_s \xleftarrow{\$} \{0,1\}^k$. Let $str \leftarrow MAC_{AP}$. Next $x$ is computed as $x \leftarrow F_{s,Q}(Q, n_s, str)$. The value $y \in Y$ is computed as $y \leftarrow \varphi(x, n_s, Q)$, and the puzzle is assigned to be $puz = (Q, str, n_s, y)$ and output.
FindSoln(puz, τ). One typical method for a legitimate client to implement the FindSoln algorithm is a brute-force search. While this algorithm is within the allowed number of clock cycles of execution, it randomly samples elements from the set of possible solutions without replacement and for each potential $x' \in X$ computes $y' \leftarrow \varphi(x', n_s, Q)$. If $y' = y$ then it computes $R' \leftarrow P_{x',z}(R)$, outputs $R'$, and halts; otherwise it continues with random sampling. If this algorithm reaches the last clock cycle of execution then it outputs an $R'$ computed from a random element of the remaining unsampled preimage space.
VerAuth(s, x, puz′). For a puzzle $puz = (Q', str', n_s', x', y')$ this computes $x \leftarrow F_{s,Q}(Q', n_s', str')$; if $x = x'$ the output is true, and otherwise the output is false.
VerSoln(puz′, R′). Given a potential solution $R'$, this checks whether $R' \in P_x$; if so the output is true, and otherwise the output is false.
Remark 2.
In PatPuz, the AP has to store the short-term secrets $x$ and $P_x$ in order to speed up the verification phases. These secrets expire when a cycle times out and are replaced by new values.
When the pattern sent by the STA passes the verification step, the AP will send an authentication response frame back to the STA and allocates the required resources.
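The following Python sketch walks through GenPuz, FindSoln, VerAuth, and VerSoln end to end. It is an added example and not the authors’ implementation: HMAC-SHA256 stands in for $F$, SHA-256 for $\varphi$ and $h$, $R$ is assumed to be 256 bits long, $z$ is passed alongside the puzzle, and the pattern rule is one possible reading of the notation above (consecutive bytes of $h(x)$ give the positions $p_{2n}$ and $p_{2n+1}$).

```python
import hashlib
import hmac
import secrets

R_BITS = 256  # assumed length of R, so one digest byte addresses one bit of R


def prf_key(s: bytes, q: int, ns: bytes, string: bytes) -> int:
    """x <- F_{s,Q}(Q, ns, str): HMAC-SHA256 stands in for F, truncated to Q bits."""
    tag = hmac.new(s, bytes([q]) + ns + string, hashlib.sha256).digest()
    return int.from_bytes(tag, "big") >> (256 - q)


def phi(x: int, ns: bytes, q: int) -> bytes:
    """y <- phi(x, ns, Q): SHA-256 stands in for the one-way function."""
    return hashlib.sha256(x.to_bytes(4, "big") + ns + bytes([q])).digest()


def gen_puz(s: bytes, q: int, string: bytes):
    """AP side: one PRF call and one hash per puzzle, nothing stored per request."""
    ns = secrets.token_bytes(16)
    x = prf_key(s, q, ns, string)
    return (q, string, ns, phi(x, ns, q))


def find_soln(puz):
    """STA side: search the 2^Q candidate pattern keys for the preimage of y.

    The paper samples candidates at random; a sequential scan is used here.
    """
    q, _string, ns, y = puz
    for cand in range(1 << q):
        if phi(cand, ns, q) == y:
            return cand
    return None


def pattern_pairs(x: int):
    """Bit positions (p_2n, p_2n+1) taken from consecutive bytes of h(x).

    Pairs that reuse a position are skipped so the rule stays satisfiable
    (for example, a bit cannot differ from itself).
    """
    digest = hashlib.sha256(x.to_bytes(4, "big")).digest()
    used, pairs = set(), []
    for a, b in zip(digest[0::2], digest[1::2]):
        if a != b and a not in used and b not in used:
            pairs.append((a, b))
            used.update((a, b))
    return pairs


def bit(r: int, pos: int) -> int:
    return (r >> pos) & 1


def apply_pattern(r: int, x: int, z: int) -> int:
    """R' <- P_{x,z}(R): make each paired bit equal (z = 1) or different (otherwise)."""
    for a, b in pattern_pairs(x):
        want = bit(r, a) if z == 1 else bit(r, a) ^ 1
        r = (r & ~(1 << b)) | (want << b)
    return r


def ver_auth(s: bytes, puz, x_claim: int) -> bool:
    """AP side: recompute x from the secret key and compare with the claimed key."""
    q, string, ns, _y = puz
    return prf_key(s, q, ns, string) == x_claim


def ver_soln(s: bytes, puz, r: int, z: int) -> bool:
    """AP side: only bit comparisons on R'. The AP may cache x per cycle (Remark 2)."""
    q, string, ns, _y = puz
    x = prf_key(s, q, ns, string)
    return all((bit(r, a) == bit(r, b)) == (z == 1) for a, b in pattern_pairs(x))


def run_exchange(q: int = 12, z: int = 1) -> bool:
    """One full AP/STA round with a constructed session string."""
    s = secrets.token_bytes(32)
    puz = gen_puz(s, q, b"00:11:22:33:44:55")  # constructed MAC address
    x = find_soln(puz)
    r = apply_pattern(secrets.randbits(R_BITS), x, z)
    return ver_auth(s, puz, x) and ver_soln(s, puz, r, z)
```

With a handful of bit pairs a random $R'$ passes by chance with noticeable probability, so the number of pattern positions is a security parameter in its own right under this reading.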
5. Performance Experiment of PatPuz
NS2 simulates our scheme over a core i5 2.27 GHz/4G Ubuntu system. Since our goal is to balance the resource consumption between AP and STA, we focus on the time consumed on the puzzle generation and verification on the one hand and puzzle solving on the other. We will consider the puzzle difficulty Q to be less than 22 for simplicity reasons. The difficulty of a client puzzle gives a measure of the likelihood of an adversary finding a solution to a given puzzle within a given number of clock cycles of execution. Intuitively, the difficulty of solving a puzzle is ensured by the hardness of inverting the one-way function.
Figure 2 demonstrates the link between difficulties and time-consumption in both puzzle generation and solution verification. The obtained results are important for two reasons. First of all, the time the AP spends to generate and verify a new puzzle is considerably shorter. It is less than 0.6 and 0.3 milliseconds in generation and verification procedure, respectively. Secondly, the fluctuation in generation and verification time is almost constant when the difficulty degree goes up or down. Therefore, increasing or decreasing the difficulty degree does not affect the time needed by the CPU for generating and verifying the puzzle.
Figure 2: The curve relationship between difficulties and time consumed in generating and verifying the puzzle.
Consequently, the proposed scheme eliminates any chance for an attacker to make puzzle generation and verification phases into a valuable target to launch DoS attacks by using fake solutions.
The most important impact of our scheme is to force STAs to spend their resources on every connection request. Therefore, the chance of an attacker exhausting the AP’s resources by sending a burst of fake connection requests is very small. As shown in Figure 3, the solving time increases considerably, with nearly exponential growth, as the degree of difficulty goes up.
Figure 3: The curve relationship between difficulty degree and time consumed in solving the puzzle.
Figure 4: Extracting the values from h(x) to calculate the correct positions for applying the pattern accordingly.
6. Security Analysis of PatPuz
In this section, we analyse the PatPuz puzzle using the security model of Chen et al. [6]. Chen et al. introduced two security properties that a client puzzle should satisfy: unforgeability and difficulty. We shall give a brief description of these two properties. Intuitively, the unforgeability of PatPuz is ensured by the use of a pseudo-random function and the difficulty of solving PatPuz puzzles is ensured by difficulty of inverting the one-way function.
6.1. Unforgeability
This experiment measures the ability of an adversary to produce a valid client puzzle and force a server to accept it as one that was not originally generated by a server in a probabilistic way. In general, unforgeability can easily be provided by using a message authentication code (MAC) or pseudo-random function to tag puzzles generated by the server, and this is what is done in PatPuz. First we review the formal definition of puzzle unforgeability in the next section. The results show that PatPuz is indeed unforgeable. We shall make use of a sequence of games [69] to prove the security properties.
Let $k$ be a security parameter, $A$ a probabilistic algorithm, and Puz a client puzzle. Define the experiment $\mathrm{Exec}^{UF}_{A,Puz}(k)$ as follows:
(params, s) ← Setup($1^k$).
Run A(params) with oracle access to CreatePuz(·) and CheckPuz(·), which are answered as follows:
CreatePuz(str, Q): puz ← GenPuz(s, Q, str). Return puz to A.
CheckPuz(puz): if puz was not an output for any of the CreatePuz(str) query made previously and VerAuth(s,puz)= true then stop the experiment and output 1. Otherwise, return false to A.
Output 0.
We say that $A$ wins the game if $\mathrm{Exec}^{UF}_{A,Puz}(k) = 1$ and loses otherwise. The advantage of $A$ is defined as:
$$\mathrm{Adv}^{UF}_{A,Puz}(k) = \Pr\left(\mathrm{Exec}^{UF}_{A,Puz}(k) = 1\right). \tag{2}$$
A puzzle is said to be unforgeable if this advantage is negligible in k for probabilistic algorithms A running in time polynomial in k.
In this unforgeability experiment, the adversary is allowed to query the CreatePuz oracle by choosing puzzle difficulty level Q at will. This is to ensure that even after seeing puzzles with different difficulty levels, the adversary cannot create a valid looking puzzle.
Theorem 4 (unforgeability of PatPuz puzzle).
The PatPuz puzzle is unforgeable.
Proof.
We prove the theorem using a sequence of games. Let A be a probabilistic algorithm with running time t. Let Si be the event that A wins in game Gi.
Game G0. Let G0 be the original unforgeability game $\mathrm{Exp}^{UF}_{A,PatPuz}(k)$. Then
$$\Pr\left(\mathrm{Exec}^{UF}_{A,OROD}(k') = 1\right) = \Pr(S_0). \tag{3}$$
Game G1. In this game, we modify game G0 by replacing $F_s$ with a truly random function $R$ to compute the pattern key $x$. This change has a negligible effect on adversary $A$ because of the pseudo-randomness of $F_s$. Hence,
$$\Pr(S_0) - \Pr(S_1) \le \mathrm{Adv}^{F_s}_{B}(k) \le \mathrm{negl}(k), \tag{4}$$
where $B$ is an algorithm running in time $O(t)$, and the second inequality follows whenever $F_s$ is a pseudo-random function.
Since the function $R$ in game G1 is truly random, the probability that an adversary without access to $R$ can guess an output is negligible:
$$\Pr(S_1) \le \frac{1}{2^k}. \tag{5}$$
Combining (3) through (5), we obtain the final result that the adversary’s success in forging a puzzle is negligible.
6.2. Difficulty
To prove our puzzle difficulty, we shall mainly focus on generating a valid pattern without having to find. Like the previous property, we shall first define the formal form of the puzzle difficulty presented by Chen et al., then we will show that our puzzle is a difficult puzzle.
Definition 5 (puzzle difficulty).
Let $k$ be a security parameter and let $Q$ be a difficulty parameter which is kept fixed through the experiment. Let $A$ be a probabilistic algorithm and puz be a client puzzle. The game $\mathrm{Exec}^{Q,DIFF}_{A,Puz}(k)$ is defined for each hardness parameter $Q \in \mathbb{N}$ as follows:
(params, s) ← Setup($1^k$).
Run A(params) with oracle access to CreatePuzSoln(·) and Test(·), which are answered as follows:
CreatePuzSoln(str): puz ← GenPuz(s, Q, str). Find a solution soln such that VerSoln(puz, soln) = true. Return (puz, soln) to A.
Test(str*): This query may be asked once, at any point during the game. The challenger generates a puzzle puz* ← GenPuz(s, Q, str) and returns puz* to A. Then A may continue to ask CreatePuzSoln queries.
A outputs a potential solution soln*.
Output 1 if VerSoln(puz*,soln*) = true and 0 otherwise.
We say that $A$ wins the game if $\mathrm{Exec}^{Q,DIFF}_{A,Puz}(k) = 1$ and loses otherwise. We define the success of an adversary $A$ against puz as
$$\mathrm{Succ}^{Q,DIFF}_{A,Puz}(k) = \Pr\left[\mathrm{Exec}^{Q,DIFF}_{A,Puz}(k) = 1\right]. \tag{6}$$
Let $\epsilon_{k,Q}(t)$ be a family of functions monotonically increasing in $t$. A puzzle is $\epsilon_{k,Q}(\cdot)$-difficult if, for all probabilistic algorithms $A$ running in time at most $t$,
$$\mathrm{Succ}^{Q,DIFF}_{A,Puz}(k) \le \epsilon_{k,Q}(t). \tag{7}$$
Theorem 6 (difficulty of PatPuz puzzle).
Let $k$ be a security parameter and let $Q$ be a difficulty parameter. Let $H := \{H_k\}_{k \in K}$ be a family of keyed hash functions, where each $H_k$ is a function mapping $\{0,1\}^{l_1}$ to $\{0,1\}^{l_2}$, and let $F$ be a pseudo-random function. Then the PatPuz puzzle is $\epsilon_{k,Q}(t)$-difficult for all probabilistic algorithms $A$ running in time at most $\tau$.
Proof.
As with the previous property, we shall employ a sequence of games to prove our theorem. In game G0 the adversary tries to break our construction, whereas in game G1 the adversary works against an idealized version of our construction, where the pseudo-random function $F$ has been replaced with a truly random function. Let $A$ be a probabilistic algorithm with running time $\tau$. Let $S_i$ be the event that $A$ wins the game $G_i$.
Game G0. This game represents the original difficulty game $\mathrm{Exec}^{Q,DIFF}_{A,PatPuz}(k)$. For clarity, we shall write the full definition of this game:
The challenger C first runs Setup on $1^k$ and obtains $s \xleftarrow{\$} \mathrm{sSpace}$. $s$ is kept secret.
The adversary A will then start to ask CreatePuzSoln() queries. To answer each, C selects a random nonce $n_s \xleftarrow{\$} \{0,1\}^k$ and a random number $\xleftarrow{\$} \{0,1\}^*$, then computes $x$ through $x \leftarrow F_{s,Q}(Q, n_s, str)$. Next, C computes $y \leftarrow \varphi(x, n_s, Q)$ and $R' \leftarrow P_{x',z}(R)$, then returns $puz \leftarrow (Q, str, n_s, y)$ and $soln \leftarrow R'$ to A.
At any time during the game, A is allowed to issue a Test() query, for which C generates a puzzle $puz^* = (Q, str, n_s^*, y^*)$ and returns $puz^*$ to A.
The adversary A may continue to ask CreatePuzSoln() queries which the challenger C answers as before.
Eventually, after τ clock cycles A outputs a potential solution soln*=R*. If VerSoln(puz*,R*) = true, the adversary A wins and then the challenger C outputs 1 and terminates and otherwise outputs 0 and terminates.
Hence,
$$\Pr\left[\mathrm{Exec}^{Q,\mathrm{DIFF}}_{A,\mathrm{PatPuz}}(k) = 1\right] = \Pr[S_0]. \tag{8}$$
Game $G_1$. Now we transform game $G_0$ into game $G_1$, replacing the pseudo-random function $F$ with a truly random function $R$. This change is indistinguishable due to the pseudo-randomness of $F$, so
$$\left|\Pr[S_0] - \Pr[S_1]\right| \le \mathrm{negl}(k). \tag{9}$$
Game $G_2$. We now transform game $G_1$ into game $G_2$, replacing the hash function $\varphi(\cdot)$ with a randomly chosen one, $\varphi^{\dagger}(\cdot)$: $h \xleftarrow{\$} \{0,1\}^{l}$. We assume that the family of hash functions $H$ is entropy smoothing. This means that it is hard to distinguish $(k, H_k(\delta))$ from $(k, h)$, where $k$ is a random element of $K$, $\delta$ is a random element of $G$, and $h$ is a random element of $\{0,1\}^{l}$. Algorithmically, game $G_2$ looks like this:
The challenger $C$ first runs $\mathsf{Setup}$ on $1^{k}$ and obtains $s \xleftarrow{\$} \mathsf{sSpace}$; $s$ is kept secret.
The adversary $A$ then starts to ask $\mathsf{CreatePuzSoln}()$ queries. $C$ answers the queries as follows:
$\mathsf{CreatePuzSoln}()$: as in game $G_1$, except that $\varphi^{\dagger}$ is used to compute $y$.
At any time during the game, $A$ is allowed to issue a $\mathsf{Test}()$ query, for which $C$ does the same as in $G_1$, except that $\varphi^{\dagger}$ is used to compute $y$.
The adversary $A$ may continue to ask $\mathsf{CreatePuzSoln}()$ queries, which the challenger $C$ answers as before.
Eventually, after $\tau$ clock cycles, $A$ outputs a potential solution $soln^{*} = R^{*}$. If $\mathsf{VerSoln}(puz^{*}, R^{*}) = \text{true}$, the adversary $A$ wins and the challenger $C$ outputs 1 and terminates; otherwise $C$ outputs 0 and terminates.
In the above game, a truly random function $R$ is input to the function $\varphi^{\dagger}$ to compute $y$. As a result, the only way $A$ could find a correct solution $R'$ would be for $A$ to invert the function $\varphi^{\dagger}$. Hence we have
$$\Pr[S_2] \le \mathrm{Adv}^{\mathrm{OWF}}_{A,H} \le \frac{1}{2^{n \times l} \times |z|}, \tag{10}$$
where $S_2$ is the event that $A$ wins the game $G_2$, $n$ is the number of pattern points, $l$ is the length of the pattern points such that $2^{l} = |h(x)|$, and $\mathrm{Adv}^{\mathrm{OWF}}_{A,H}$ is defined below. The second inequality follows from the fact that the only way an AP protected by our scheme may be attacked is to reveal the pattern. An attacker can reach the correct pattern either by solving the puzzle or by guessing the pattern. If he or she chooses the first way, the main goal of our scheme is satisfied. The probability of finding a correct $R'$ is $1/(2^{n \times l} \times |z|)$; for $n = 6$, $l = 7$, and $z = 2$ the result is $1/2^{43}$, which is negligible.
Definition 7. For an adversary $A$ we define its advantage against a function $\psi : X \mapsto Y$, where $X$ is fixed and finite, in terms of OWF as
$$\mathrm{Adv}^{\mathrm{OWF}}_{A,\psi} = \Pr\left[x \xleftarrow{\$} X;\ y \leftarrow \psi(x);\ \tilde{x} \leftarrow A(y) \,\wedge\, \psi(\tilde{x}) = y\right]. \tag{11}$$
Let $\varepsilon_i : \mathbb{N} \mapsto [0,1]$ be a monotonically increasing function. Then the function $\psi$ is an $\varepsilon_i(\cdot)$-OWF if for all adversaries $A$ it holds that $\mathrm{Adv}^{\mathrm{OWF}}_{A,\psi} \le \varepsilon_i(\tau)$.
We also claim that
$$\left|\Pr[S_1] - \Pr[S_2]\right| = \epsilon_h(\tau), \tag{12}$$
where $\epsilon_h$ is the $h$-advantage of some efficient algorithm (which is negligible assuming $H$ is entropy smoothing).
To prove this claim, note that any difference between $\Pr[S_1]$ and $\Pr[S_2]$ can be parlayed into a corresponding $h$-advantage. The following algorithm $D$ interpolates between game $G_1$ and game $G_2$ and so has $h$-advantage equal to $\left|\Pr[S_1] - \Pr[S_2]\right|$.
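Algorithm $D(k, h)$
$C$ first runs $\mathsf{Setup}$ on $1^{k}$: $s \xleftarrow{\$} \mathsf{sSpace}$
Run $A$ with oracle access to $\mathsf{CreatePuzSoln}()$ and $\mathsf{Test}()$, which are answered as follows:
$\mathsf{CreatePuzSoln}()$:
    $n_s \xleftarrow{\$} \{0,1\}^{k}$
    $R \xleftarrow{\$} \{0,1\}^{*}$
    $x \leftarrow \{0,1\}^{Q*}$
    compute $y$
    $R' \leftarrow P_{x,z}(R)$
    Return $(puz, soln) \leftarrow (y, R')$
$\mathsf{Test}()$: $puz^{*} \leftarrow y^{*}$ and return $puz^{*}$
$A$ outputs a potential solution $soln^{*}$
$A$ may continue to ask $\mathsf{CreatePuzSoln}()$ queries, which are answered as before.
Output 1 if $\mathsf{VerSoln}(puz^{*}, soln^{*}) = \text{true}$ and 0 otherwise.
Based on this indistinguishability assumption, $\left|\Pr[S_1] - \Pr[S_2]\right|$ is negligible.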
Combining (8) through (12) yields the desired result.
6.3. Security Properties
In [70, 71], some general criteria are listed to specify the properties a puzzle must meet to be considered as an effective and efficient anti-DoS approach. Simply put, these criteria prove how secure and powerful the proposed client puzzle protocol is. Here we review these properties with an emphasis on PatPuz puzzle.
Computation Guarantee. Since the hash function is considered to resist preimage and collision attacks, the only way to solve a puzzle is to use a brute force method. Hence, STAs have to search a range of $2^{k}$ possible solutions to find the right pattern. Even though this range may be reduced to $2^{k/2}$ possible solutions due to a birthday attack [72], the client (and also the attacker) still has to spend enough time to find the puzzle's solution.
Adjustability of Difficulty. In our scheme, the AP adjusts the difficulty degree by increasing or decreasing $Q$. Note that these variations have no effect on the time spent to generate or verify the puzzle.
Efficiency. Since puzzle verification is done only by looking for a correct pattern in a puzzle solution $R'$ (a significantly low computational process), the proposed client puzzle protocol resists a puzzle verification attack in which an attacker forwards too many bogus puzzle solutions. In addition, a protected AP is required to store only a long-term secret value $s$ to verify the received solutions. To make the verification phase more efficient, a short-term value, which is $Q$ bits long, can be stored by the AP.
Correlation Free. The PatPuz puzzle is correlation-free. That means knowing all previous puzzle solutions does not help to solve the current puzzle in any way. This property is provided by the unpredictability of the random numbers generated in the puzzle generation stage ($s$) and in puzzle solving ($R$).
Stateless. The proposed client puzzle protocol does not require storing any client or puzzle related information, except $s$ and $x$. Moreover, the memory allocated to $x$ is cleared after changing the puzzle, meaning that the algorithm utilizes a fixed-size memory to handle the puzzle. Hence, a protected AP in our scheme will face no memory shortage in a relatively short time.
Tamper-Resistance. No STA (attacker) is able to learn x by examining the other STAs’ solutions. Every STA, in our scheme, is required to apply the produced pattern over its own R which is basically random.
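The difficulty game of the previous section and the correlation-free property above can both be exercised in code. The following Python example is added here and is not code from the paper: it runs the Exec game against a stand-in hash-prefix puzzle (an assumption, since PatPuz's own GenPuz and VerSoln are not reproduced), and the names `brute_force`, `replay`, `success` and the setting Q = 8 are illustrative.

```python
import hashlib
import hmac
import random


def top_bits(data, q):
    """First q bits of a byte string, as an integer."""
    return int.from_bytes(data, "big") >> (len(data) * 8 - q)


def gen_puz(s, q, string, rng):
    """GenPuz(s, Q, str) of the stand-in puzzle (an assumption, not PatPuz):
    the target y is the first q bits of HMAC-SHA256(s, n_s || str)."""
    n_s = rng.getrandbits(64).to_bytes(8, "big")
    y = top_bits(hmac.new(s, n_s + string, hashlib.sha256).digest(), q)
    return (q, string, n_s, y)


def ver_soln(puz, soln):
    """VerSoln: a single hash; soln is valid if its digest starts with y."""
    q, string, n_s, y = puz
    digest = hashlib.sha256(n_s + string + soln.to_bytes(8, "big")).digest()
    return top_bits(digest, q) == y


def search(puz, budget):
    """Test `budget` candidates; each ver_soln call is one unit of time t."""
    for cand in range(budget):
        if ver_soln(puz, cand):
            return cand
    return None


def brute_force(create_puz_soln, test, budget):
    """Adversary that spends its whole budget searching the challenge."""
    return search(test(b"sta"), budget)


def replay(create_puz_soln, test, budget):
    """Adversary that replays solutions of earlier puzzles on the challenge."""
    puz_star = test(b"sta")
    for _ in range(budget):
        _, old = create_puz_soln(b"sta")
        if ver_soln(puz_star, old):
            return old
    return None


def exec_game(adversary, q, budget, rng):
    """One run of the difficulty game: 1 if the adversary wins, else 0."""
    s = rng.getrandbits(128).to_bytes(16, "big")  # Setup(1^k), s stays secret
    asked = []

    def create_puz_soln(string):
        puz = gen_puz(s, q, string, rng)
        return puz, search(puz, 1 << 32)  # challenger solves by search

    def test(string):
        assert not asked, "Test may be asked only once"
        asked.append(gen_puz(s, q, string, rng))
        return asked[0]
    soln = adversary(create_puz_soln, test, budget)
    return int(bool(asked) and soln is not None and ver_soln(asked[0], soln))


def success(adversary, q, budget, games=300, seed=1):
    """Monte Carlo estimate of Succ = Pr[Exec = 1] (constructed seed)."""
    rng = random.Random(seed)
    return sum(exec_game(adversary, q, budget, rng) for _ in range(games)) / games
```

For this stand-in, the brute-force estimate follows $1 - (1 - 2^{-Q})^{t}$, which increases monotonically in $t$ as the definition of $\epsilon_{k,Q}(t)$ requires. Each replayed solution succeeds only with probability $2^{-Q}$, no better than a blind guess.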
7. Conclusion and Future Work
The main consideration for implementing any security protocol in 802.11 based networks is how much cost the proposed algorithm imposes on both the CPU and memory to complete its tasks. This paper proposes a novel puzzle to meet the AP’s constraints and protect wireless network against CRF DoS attacks.
The following items are satisfied by the proposed scheme:
Low-cost generation. The CPU load in our proposed scheme is very low during initial setup and puzzle generation. The simulation output shows that this phase takes less than 6 milliseconds.
Low-cost verification. Like the generation phase, our proposed verification load is very low on the AP’s CPU. Hence, the simulation output shows that the time an AP has to spend to accomplish the verification phase is less than 0.4 milliseconds.
Antireassign DoS attack. Since both generation and verification in our scheme are very cost-effective, the proposed scheme eliminates a second DoS attack on the AP which can be posed by attack-prone security puzzles.
The memory usage of the PatPuz puzzle is fixed and very small, so much so as to be almost negligible. Therefore, the proposed puzzle will never suffer from memory exhaustion.
The proposed scheme also defines $T_{exp}$ to limit the puzzle's solution life. Before $T_{exp}$ expires, all received puzzle solutions are discarded. Hence, launching an effective DoS attack becomes more challenging.
7.1. Future Work
This paper proposes a lightweight method based on a cryptographic client puzzle. Cryptographic puzzles are very low-cost in puzzle generation and verification; however, they pose some problems. First, they are naturally solved within a probabilistic time. Second, the puzzle may be solved through parallelization. Third, varying the difficulty level in this approach is too coarse: an $(n-1)$-bit puzzle is only half as difficult to solve as an $n$-bit puzzle. It is therefore very troublesome to design and implement an appropriate difficulty degree which increases efficiency as much as possible.
Future work can be focused on designing a new puzzle which mitigates (or even eliminates) the aforementioned problems of cryptographic client puzzles. A future study can also focus on finding a smarter mechanism to perceive and apprehend DoS attacks, in order to adjust the puzzle difficulty efficiently.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgments
The authors would like to express greatest appreciation to Universiti Teknologi Malaysia (UTM) for financial support of the research done in Advanced Informatics School (AIS).
References
[1] Nasreldin M., Aslan H., El-Hennawy M., El-Hennawy A. WiMax security. Proceedings of the 22nd International Conference on Advanced Information Networking and Applications Workshops/Symposia (AINA '08), March 2008, pp. 1335–1340. doi:10.1109/WAINA.2008.190. Scopus 2-s2.0-50249162533.
[2] Yu P. H., Pooch U. W. A secure dynamic cryptographic and encryption protocol for wireless networks. Proceedings of the EUROCON 2009 (EUROCON '09), 2009, St.-Petersburg, Russia, IEEE.
[3] Bicakci K., Tavli B. Denial-of-Service attacks and countermeasures in IEEE 802.11 wireless networks.
[4] Bicakci K., Tavli B. Denial-of-Service attacks and countermeasures in IEEE 802.11 wireless networks.
[5] Dwork C., Naor M.
[6] Chen L., Morrissey P., Smart N. Security notions and generic constructions for client puzzles. Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology (ASIACRYPT '09), 2009.
[7] Stebila D., Kuppusamy L., Rangasamy J., Boyd C., Gonzalez Nieto J. Stronger difficulty notions for client puzzles and denial-of-service-resistant protocols.
[8] Alizadeh M., Hassan W. H., Zamani M., Karamizadeh S., Ghazizadeh E. Implementation and evaluation of lightweight encryption algorithms suitable for RFID.
[9] Alizadeh M., Shayan J., Zamani M., Khodadadi T. Code analysis of lightweight encryption algorithms using in RFID systems to improve cipher performance. Proceedings of the IEEE Conference on Open Systems (ICOS '12), October 2012, Kuala Lumpur, Malaysia. doi:10.1109/ICOS.2012.6417641. Scopus 2-s2.0-84874242277.
[10] Amiri E., Alizadeh M., Keshavarz H., Zamani M., Khodadadi T. Energy efficient routing in wireless sensor networks based on fuzzy ant colony optimization.
[11] Gharooni M., Zamani M., Mansourizadeh M., Abdullah S. A confidential RFID model to prevent unauthorized access. Proceedings of the 3rd International Conference on Information Science and Engineering, 2011, Yangzhou, China.
[12] Ghazizadeh E., Zamani M., Ab Manan J.-L., Alizadeh M. Trusted computing strengthens cloud authentication.
[13] Ghazizadeh E., Zamani M., Ab Manan J.-L., Pashang A. A survey on security issues of federated identity in the cloud computing. Proceedings of the 4th IEEE International Conference on Cloud Computing Technology and Science (CloudCom '12), December 2012, Taipei, Taiwan, pp. 562–565. doi:10.1109/CloudCom.2012.6427513. Scopus 2-s2.0-84874277109.
[14] Shohreh H., Zamani M., Roza H. Dynamic monitoring in ad hoc network.
[15] Janbeglou M., Zamani M., Ibrahim S. Redirecting network traffic toward a fake DNS server on a LAN. Proceedings of the 3rd IEEE International Conference on Computer Science and Information Technology (ICCSIT '10), July 2010, Chengdu, China, IEEE, pp. 429–433. doi:10.1109/ICCSIT.2010.5565196. Scopus 2-s2.0-77958566221.
[16] Janbeglou M., Zamani M., Ibrahim S. Redirecting outgoing DNS requests toward a fake DNS server in a LAN. Proceedings of the IEEE International Conference on Software Engineering and Service Sciences (ICSESS '10), July 2010, Beijing, China, pp. 29–32. doi:10.1109/ICSESS.2010.5552339. Scopus 2-s2.0-77957830026.
[17] Janbeglou M., Zamani M., Ibrahim S. Improving the security of protected wireless internet access from insider attacks.
[18] Kiani F., Amiri E., Zamani M., Khodadadi T., Manaf A. A. Efficient intelligent energy routing protocol in wireless sensor networks.
[19] Araghi T. K., Zamani M., Abdul Mnaf A. B. T. Performance analysis in reactive routing protocols in wireless mobile Ad Hoc networks using DSR, AODV and AOMDV. Proceedings of the International Conference on Informatics and Creative Multimedia (ICICM '13), September 2013, Kuala Lumpur, Malaysia, pp. 81–84. doi:10.1109/ICICM.2013.62. Scopus 2-s2.0-84893681701.
[20] Koohpayeh Araghi T., Zamani M., Abdul Manaf A., Kohpayeh Araghi S. An access control framework in an Ad Hoc network infrastructure. Proceedings of the 1st International Conference on Communication and Computer Engineering, 2014, Malacca, Malaysia.
[21] Mohebbi K., Ibrahim S., Zamani M., Khezrian M. UltiMatch-NL: a Web service matchmaker based on multiple semantic filters.
[22] Nikbakhsh S., Manaf A. B. A., Zamani M., Janbeglou M. A novel approach for rogue access point detection on the client-side. Proceedings of the 26th IEEE International Conference on Advanced Information Networking and Applications, March 2012, Fukuoka, Japan, pp. 684–687. doi:10.1109/WAINA.2012.108. Scopus 2-s2.0-84860725085.
[23] Zeidanloo H. R., Manaf A. B., Vahdani P., Tabatabaei F., Zamani M. Botnet detection based on traffic monitoring. Proceedings of the International Conference on Networking and Information Technology (ICNIT '10), June 2010, Manila, Philippines, pp. 97–101. doi:10.1109/ICNIT.2010.5508552. Scopus 2-s2.0-77955639356.
[24] Zeidanloo H. R., Zadeh M. J., Amoli P. V., Safari M., Zamani M. A taxonomy of Botnet detection techniques. Proceedings of the 3rd IEEE International Conference on Computer Science and Information Technology (ICCSIT '10), July 2010, Chengdu, China, pp. 158–162. doi:10.1109/ICCSIT.2010.5563555. Scopus 2-s2.0-77958527473.
[25] Sadeghian A., Zamani M. Detecting and preventing DDOS attacks in Botnets by the help of self triggered black holes. Proceedings of the Asia-Pacific Conference on Computer Aided System Engineering, 2014, Bali, Indonesia.
[26] Sadeghian A., Zamani M., Abdul Manaf A. A taxonomy of SQL injection detection and prevention techniques. Proceedings of the International Conference on Informatics and Creative Multimedia (ICICM '13), September 2013, Kuala Lumpur, Malaysia, pp. 53–56. doi:10.1109/ICICM.2013.18. Scopus 2-s2.0-84893676279.
[27] Sadeghian A., Zamani M., Abdullah S. M. A taxonomy of SQL injection attacks. Proceedings of the International Conference on Informatics and Creative Multimedia (ICICM '13), September 2013, Kuala Lumpur, Malaysia, pp. 269–273. doi:10.1109/ICICM.2013.53. Scopus 2-s2.0-84893708146.
[28] Sadeghian A., Zamani M., Ibrahim S. SQL injection is still alive: a study on SQL injection signature evasion techniques. Proceedings of the International Conference on Informatics and Creative Multimedia, September 2013, Kuala Lumpur, Malaysia, pp. 265–268. doi:10.1109/ICICM.2013.52. Scopus 2-s2.0-84893711449.
[29] Sadeghian A., Zamani M., Manaf A. A. SQL injection vulnerability general patch using header sanitization. Proceedings of the International Conference on Computer, Communication, and Control Technology, 2014, Langkawi, Malaysia.
[30] Sadeghian A., Zamani M., Shanmugam B. Security threats in online social networks. Proceedings of the International Conference on Informatics and Creative Multimedia (ICICM '13), September 2013, Kuala Lumpur, Malaysia, pp. 254–258. doi:10.1109/ICICM.2013.50. Scopus 2-s2.0-84893642601.
[31] Hematian A., Chuprat S., Manaf A. A., Parsazadeh N. Zero-delay FPGA-based odd-even sorting network. Proceedings of the IEEE Symposium on Computers and Informatics (ISCI '13), April 2013, pp. 128–131. doi:10.1109/ISCI.2013.6612389. Scopus 2-s2.0-84886490936.
[32] Davani Z. A., Manaf A. A. Enhancing key management of ZigBee network by steganography method. Proceedings of the 2nd International Conference on Informatics and Applications (ICIA '13), September 2013, Łódź, Poland, IEEE, pp. 77–81. doi:10.1109/ICoIA.2013.6650233. Scopus 2-s2.0-84891795882.
[33] Zhang Y., Wang S., Ji G., Dong Z. Genetic pattern search and its application to brain image classification.
[34] Zhang Y., Wu L., Neggaz N., Wang S., Wei G. Remote-sensing image classification based on an improved probabilistic neural network.
[35] Zhang Y., Wu L., Huoc Y., Wang S. A novel global optimization method- Genetic pattern search.
[36] Zhang Y., Wu L. Pattern recognition via PCNN and Tsallis entropy.
[37] Gast M.
[38] Ordi H., Mousavi B., Shanmugam B., Abbasy M. R., Torkaman M. R. N. A novel proof of work model based on pattern matching to prevent DoS attack.
[39] Bellardo J., Savage S. 802.11 denial-of-service attacks: real vulnerabilities and practical solutions. Proceedings of the 12th Conference on USENIX Security Symposium (SSYM '03), 2003, Washington, DC, USA.
[40] Liu C.-H., Huang Y.-Z. The analysis for DoS and DDoS attacks of WLAN. Proceedings of the 2nd International Conference on MultiMedia and Information Technology (MMIT '10), April 2010, pp. 108–111. doi:10.1109/MMIT.2010.157. Scopus 2-s2.0-77954303411.
[41] Thapa B.
[42] Dong Q., Gao L., Li X. A new client-puzzle based DoS-resistant scheme of IEEE 802.11i wireless authentication protocol. Proceedings of the 3rd International Conference on BioMedical Engineering and Informatics (BMEI '10), October 2010, pp. 2712–2716. doi:10.1109/BMEI.2010.5639818. Scopus 2-s2.0-78650666673.
[43] Chibiao L., Chugui X., Jinming Q., Changjing L. Experimental and theoretical study of authentication request flooding attack on 802.11 WLAN.
[44] Merkle R. C. Secure communications over insecure channels.
[45] Karame G. O., Čapkun S.
[46] Waters B., Juels A., Halderman J. A., Felten E. W. New client puzzle outsourcing techniques for DoS resistance. Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS '04), October 2004, Washington, DC, USA, pp. 246–256. Scopus 2-s2.0-14844300104.
[47] Back. Hashcash–a denial of service counter-measure. 2002.
[48] Aura T., Nikander P., Leiwo J. DOS-resistant authentication with client puzzles.
[49] Rosenthal D. S. H. On the cost distribution of a memory bound function.
[50] Dwork C., Goldberg A., Naor M. On memory-bound functions for fighting spam.
[51] Doshi S., Monrose F., Rubin A. D. Efficient memory bound puzzles using pattern databases.
[52] Tritilanunt S., Boyd C., Foo E., Nieto J. M. G. Toward non-parallelizable client puzzles.
[53] Martinovic I., Zdarsky F. A., Wilhelm M., Wegmann C., Schmitt J. B. Wireless client puzzles in IEEE 802.11 networks: security by wireless. Proceedings of the 1st ACM Conference on Wireless Network Security (WiSec '08), April 2008, pp. 36–45. doi:10.1145/1352533.1352541. Scopus 2-s2.0-52049085664.
[54] Jerschow Y. I., Scheuermann B., Mauve M. Counter-flooding: DoS protection for public key handshakes in LANs. Proceedings of the 5th International Conference on Networking and Services (ICNS '09), April 2009, pp. 376–382. doi:10.1109/ICNS.2009.88. Scopus 2-s2.0-67650700006.
[55] Walfish M., Vutukuru M., Balakrishnan H., Karger D. DDoS defense by offense. Proceedings of the Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, 2006, New York, NY, USA.
[56] von Ahn L., Blum M., Hopper N. J., Langford J. CAPTCHA: using hard AI problems for security.
[57] Juels, Brainard J. Client Puzzle. EMC, 1999, http://www.rsa.com/rsalabs/staff/bios/ajuels/publications/client-puzzles/Client_puzzles.ppt
[58] Dong Q., Gao L., Li X. A new client-puzzle based DoS-resistant scheme of IEEE 802.11i wireless authentication protocol. Proceedings of the 3rd International Conference on Biomedical Engineering and Informatics (BMEI '10), October 2010, pp. 2712–2716. doi:10.1109/BMEI.2010.5639818. Scopus 2-s2.0-78650666673.
[59] Tang Q., Jeckmans A.
[60] Shi T.-J., Ma J.-F. Design and analysis of a wireless authentication protocol against DoS attacks based on Hash function.
[61] Dong Q., Li L., Li X. Quadratic residue based client puzzle distributed by beacon frame in dos-resistant wireless access authentication.
[62] Feng W.-C., Kaiser E., Luu A. The design and implementation of network puzzles. Proceedings of the 24th Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM '05), March 2005, Miami, Fla, USA, pp. 2372–2382. doi:10.1109/INFCOM.2005.1498523. Scopus 2-s2.0-25644445353.
[63] Lei Y., Pierre S., Quintero A. Client puzzles based on quasi partial collisions against DoS attacks in UMTS. Proceedings of the IEEE 64th Vehicular Technology Conference (VTC '06), September 2006, Montreal, Canada, IEEE, pp. 1–5. doi:10.1109/VTCF.2006.507. Scopus 2-s2.0-34548860915.
[64] Rivest R. L., Shamir A., Wagner D. A. Time-lock puzzles and timed-release crypto. 1996, MIT/LCS/TR-684, Cambridge, Mass, USA, MIT Laboratory for Computer Science.
[65] Hofheinz D., Unruh D. Simulatable security and polynomially bounded concurrent composability. Proceedings of the IEEE Symposium on Security and Privacy, May 2006, Berkeley/Oakland, Calif, USA, pp. 169–182. doi:10.1109/SP.2006.36. Scopus 2-s2.0-33751038758.
[66] Jerschow Y. I., Mauve M. Secure client puzzles based on random beacons.
[67] Rangasamy J., Stebila D., Boyd C., Nieto J. G. Efficient modular exponentiation-based puzzles for denial-of-service protection. Proceedings of the International Conference on Information Security and Cryptology (ICISC '11), 2011.
[68] Kuppusamy L., Rangasamy J., Stebila D., Boyd C., Nieto J. G. Practical client puzzles in the standard model. Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security (ASIACCS '12), May 2012, pp. 42–43. doi:10.1145/2414456.2414480. Scopus 2-s2.0-84871952000.
[69] Shoup V. Sequence of games: a tool for taming complexity in security proofs. 2004, 2004/332, IACR Cryptology ePrint Archive.
[70] Abliz M., Znati T. A guided tour puzzle for denial of service prevention. Proceedings of the 25th Annual Computer Conference Security Applications (ACSAC '09), December 2009, pp. 279–288. doi:10.1109/ACSAC.2009.33. Scopus 2-s2.0-77950803546.
[71] Groza B., Warinschi B. Cryptographic puzzles and DoS resilience, revisited.
[72] Patarin J., Montreuil A. Benes and Butterfly schemes revisited. Vol. 3935, Proceedings of the 9th International Conference on Information Security and Cryptology (ICISC '05), 2006, pp. 92–116.