Skip to main content

Lund University Publications

LUND UNIVERSITY LIBRARIES

On improving resistance to Denial of Service and key provisioning scalability of the DTLS handshake

Tiloca, Marco ; Gehrmann, Christian LU and Seitz, Ludwig (2017) In International Journal of Information Security 16(2). p.173-193
Abstract

DTLS is a transport layer security protocol designed to provide secure communication over unreliable datagram protocols. Before starting to communicate, a DTLS client and server perform a specific handshake in order to establish a secure session and agree on a common security context. However, the DTLS handshake is affected by two relevant issues. First, the DTLS server is vulnerable to a specific Denial of Service (DoS) attack aimed at forcing the establishment of several half-open sessions. This may exhaust memory and network resources on the server, so making it less responsive or even unavailable to legitimate clients. Second, although it is one of the most efficient key provisioning approaches adopted in DTLS, the pre-shared key... (More)

DTLS is a transport layer security protocol designed to provide secure communication over unreliable datagram protocols. Before starting to communicate, a DTLS client and server perform a specific handshake in order to establish a secure session and agree on a common security context. However, the DTLS handshake is affected by two relevant issues. First, the DTLS server is vulnerable to a specific Denial of Service (DoS) attack aimed at forcing the establishment of several half-open sessions. This may exhaust memory and network resources on the server, so making it less responsive or even unavailable to legitimate clients. Second, although it is one of the most efficient key provisioning approaches adopted in DTLS, the pre-shared key provisioning mode does not scale well with the number of clients, it may result in scalability issues on the server side, and it complicates key re-provisioning in dynamic scenarios. This paper presents a single and efficient security architecture which addresses both issues, by substantially limiting the impact of DoS, and reducing the number of keys stored on the server side to one unit only. Our approach does not break the existing standard and does not require any additional message exchange between DTLS client and server. Our experimental results show that our approach requires a shorter amount of time to complete a handshake execution and consistently reduces the time a DTLS server is exposed to a DoS instance. We also show that it considerably improves a DTLS server in terms of service availability and robustness against DoS attack.

(Less)
Please use this url to cite or link to this publication:
author
; and
publishing date
type
Contribution to journal
publication status
published
subject
keywords
Denial of Service, DTLS, Key provisioning, Security
in
International Journal of Information Security
volume
16
issue
2
pages
21 pages
publisher
Springer
external identifiers
  • scopus:84961634159
ISSN
1615-5262
DOI
10.1007/s10207-016-0326-0
language
English
LU publication?
no
id
3e952695-e435-4f86-b815-3a1040409d20
date added to LUP
2018-11-21 16:53:31
date last changed
2022-04-25 19:19:01
@article{3e952695-e435-4f86-b815-3a1040409d20,
  abstract     = {{<p>DTLS is a transport layer security protocol designed to provide secure communication over unreliable datagram protocols. Before starting to communicate, a DTLS client and server perform a specific handshake in order to establish a secure session and agree on a common security context. However, the DTLS handshake is affected by two relevant issues. First, the DTLS server is vulnerable to a specific Denial of Service (DoS) attack aimed at forcing the establishment of several half-open sessions. This may exhaust memory and network resources on the server, so making it less responsive or even unavailable to legitimate clients. Second, although it is one of the most efficient key provisioning approaches adopted in DTLS, the pre-shared key provisioning mode does not scale well with the number of clients, it may result in scalability issues on the server side, and it complicates key re-provisioning in dynamic scenarios. This paper presents a single and efficient security architecture which addresses both issues, by substantially limiting the impact of DoS, and reducing the number of keys stored on the server side to one unit only. Our approach does not break the existing standard and does not require any additional message exchange between DTLS client and server. Our experimental results show that our approach requires a shorter amount of time to complete a handshake execution and consistently reduces the time a DTLS server is exposed to a DoS instance. We also show that it considerably improves a DTLS server in terms of service availability and robustness against DoS attack.</p>}},
  author       = {{Tiloca, Marco and Gehrmann, Christian and Seitz, Ludwig}},
  issn         = {{1615-5262}},
  keywords     = {{Denial of Service; DTLS; Key provisioning; Security}},
  language     = {{eng}},
  month        = {{04}},
  number       = {{2}},
  pages        = {{173--193}},
  publisher    = {{Springer}},
  series       = {{International Journal of Information Security}},
  title        = {{On improving resistance to Denial of Service and key provisioning scalability of the DTLS handshake}},
  url          = {{http://dx.doi.org/10.1007/s10207-016-0326-0}},
  doi          = {{10.1007/s10207-016-0326-0}},
  volume       = {{16}},
  year         = {{2017}},
}