Re: Clogging attacks

[ashar@osmosys.incog.com (Ashar Aziz)]

> From hugo@watson.ibm.com Fri Jan  6 15:19 PST 1995
>> Jim Hughes' initial proposal for key management (around 5/94) already
> mentioned and dealt with the issue of clogging attacks and denial of service.
> 
> Our spec, MKMP, (to which you refer above), *does* talk about defenses
> against clogging attacks.
> In our proposal this defense was achieved in a very satisfactory way:
> just by taking advantage of the cheap signature verification in RSA,
> an attacked host only pays with two multiplications to test the validity
> of the incoming message. Moreover, there are *no additional* operations or
> flows that the (honest) parties need to pay in order to stand
> eventual clogging attacks.
> The other solutions we have discussed in this list (Photuris's and the one
> described by Amir) both have extra cost also for honest parties.

Whereas I sympathize with the goal of not paying additional
operations or flows for honest parties, I think there are many
who believe that RSA signature verification *is* susceptible to
clogging attacks (much more so than hash function tests).

This isn't all that important, really. Specs aren't perfect even
when they go to standards status, and certainly not when they
come out in -00.txt form. The whole point of the open review process
is to find deficiencies in the proposals so they can be improved
in future revisions. We need to get on with the task of identifying
the correct solutions and not get stuck on whether first issue drafts 
were perfect.

I thank you (and others) who have pointed out issues that need to be 
addressed in my draft.

Regards,
Ashar.

---

• Prev by Date: weak devices
• Next by Date: Re: Proposal: Perfect forward SECURITY
• Prev by thread: Clogging attacks
• Next by thread: weak devices
• Index(es):
  • Main
  • Thread