On improving resistance to Denial of Service and key provisioning scalability of the DTLS handshake
(2017) In International Journal of Information Security 16(2). p.173-193- Abstract
DTLS is a transport layer security protocol designed to provide secure communication over unreliable datagram protocols. Before starting to communicate, a DTLS client and server perform a specific handshake in order to establish a secure session and agree on a common security context. However, the DTLS handshake is affected by two relevant issues. First, the DTLS server is vulnerable to a specific Denial of Service (DoS) attack aimed at forcing the establishment of several half-open sessions. This may exhaust memory and network resources on the server, so making it less responsive or even unavailable to legitimate clients. Second, although it is one of the most efficient key provisioning approaches adopted in DTLS, the pre-shared key... (More)
DTLS is a transport layer security protocol designed to provide secure communication over unreliable datagram protocols. Before starting to communicate, a DTLS client and server perform a specific handshake in order to establish a secure session and agree on a common security context. However, the DTLS handshake is affected by two relevant issues. First, the DTLS server is vulnerable to a specific Denial of Service (DoS) attack aimed at forcing the establishment of several half-open sessions. This may exhaust memory and network resources on the server, so making it less responsive or even unavailable to legitimate clients. Second, although it is one of the most efficient key provisioning approaches adopted in DTLS, the pre-shared key provisioning mode does not scale well with the number of clients, it may result in scalability issues on the server side, and it complicates key re-provisioning in dynamic scenarios. This paper presents a single and efficient security architecture which addresses both issues, by substantially limiting the impact of DoS, and reducing the number of keys stored on the server side to one unit only. Our approach does not break the existing standard and does not require any additional message exchange between DTLS client and server. Our experimental results show that our approach requires a shorter amount of time to complete a handshake execution and consistently reduces the time a DTLS server is exposed to a DoS instance. We also show that it considerably improves a DTLS server in terms of service availability and robustness against DoS attack.
(Less)
- author
- Tiloca, Marco ; Gehrmann, Christian LU and Seitz, Ludwig
- publishing date
- 2017-04-01
- type
- Contribution to journal
- publication status
- published
- subject
- keywords
- Denial of Service, DTLS, Key provisioning, Security
- in
- International Journal of Information Security
- volume
- 16
- issue
- 2
- pages
- 21 pages
- publisher
- Springer
- external identifiers
-
- scopus:84961634159
- ISSN
- 1615-5262
- DOI
- 10.1007/s10207-016-0326-0
- language
- English
- LU publication?
- no
- id
- 3e952695-e435-4f86-b815-3a1040409d20
- date added to LUP
- 2018-11-21 16:53:31
- date last changed
- 2022-04-25 19:19:01
@article{3e952695-e435-4f86-b815-3a1040409d20,
abstract = {{<p>DTLS is a transport layer security protocol designed to provide secure communication over unreliable datagram protocols. Before starting to communicate, a DTLS client and server perform a specific handshake in order to establish a secure session and agree on a common security context. However, the DTLS handshake is affected by two relevant issues. First, the DTLS server is vulnerable to a specific Denial of Service (DoS) attack aimed at forcing the establishment of several half-open sessions. This may exhaust memory and network resources on the server, so making it less responsive or even unavailable to legitimate clients. Second, although it is one of the most efficient key provisioning approaches adopted in DTLS, the pre-shared key provisioning mode does not scale well with the number of clients, it may result in scalability issues on the server side, and it complicates key re-provisioning in dynamic scenarios. This paper presents a single and efficient security architecture which addresses both issues, by substantially limiting the impact of DoS, and reducing the number of keys stored on the server side to one unit only. Our approach does not break the existing standard and does not require any additional message exchange between DTLS client and server. Our experimental results show that our approach requires a shorter amount of time to complete a handshake execution and consistently reduces the time a DTLS server is exposed to a DoS instance. We also show that it considerably improves a DTLS server in terms of service availability and robustness against DoS attack.</p>}},
author = {{Tiloca, Marco and Gehrmann, Christian and Seitz, Ludwig}},
issn = {{1615-5262}},
keywords = {{Denial of Service; DTLS; Key provisioning; Security}},
language = {{eng}},
month = {{04}},
number = {{2}},
pages = {{173--193}},
publisher = {{Springer}},
series = {{International Journal of Information Security}},
title = {{On improving resistance to Denial of Service and key provisioning scalability of the DTLS handshake}},
url = {{http://dx.doi.org/10.1007/s10207-016-0326-0}},
doi = {{10.1007/s10207-016-0326-0}},
volume = {{16}},
year = {{2017}},
}