Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • harvard1
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
On improving resistance to Denial of Service and key provisioning scalability of the DTLS handshake
RISE, Swedish ICT, SICS, Security Lab.ORCID iD: 0000-0001-8842-9810
RISE, Swedish ICT, SICS, Security Lab.ORCID iD: 0000-0001-8003-200X
RISE - Research Institutes of Sweden, ICT, SICS.
2017 (English)In: International Journal of Information Security, ISSN 1615-5262, E-ISSN 1615-5270, Vol. 16, no 2, p. 173-193Article in journal (Refereed) Published
Abstract [en]

DTLS is a transport layer security protocol designed to provide secure communication over unreliable datagram protocols. Before starting to communicate, a DTLS client and server perform a specific handshake in order to establish a secure session and agree on a common security context. However, the DTLS handshake is affected by two relevant issues. First, the DTLS server is vulnerable to a specific Denial of Service (DoS) attack aimed at forcing the establishment of several half-open sessions. This may exhaust memory and network resources on the server, so making it less responsive or even unavailable to legitimate clients. Second, although it is one of the most efficient key provisioning approaches adopted in DTLS, the pre-shared key provisioning mode does not scale well with the number of clients, it may result in scalability issues on the server side, and it complicates key re-provisioning in dynamic scenarios. This paper presents a single and efficient security architecture which addresses both issues, by substantially limiting the impact of DoS, and reducing the number of keys stored on the server side to one unit only. Our approach does not break the existing standard and does not require any additional message exchange between DTLS client and server. Our experimental results show that our approach requires a shorter amount of time to complete a handshake execution and consistently reduces the time a DTLS server is exposed to a DoS instance. We also show that it considerably improves a DTLS server in terms of service availability and robustness against DoS attack.

Place, publisher, year, edition, pages
2017. Vol. 16, no 2, p. 173-193
Keywords [en]
Denial of Service, DTLS, Key provisioning, Security, Scalability, Transmission control protocol, Security Architecture, Terms of services, Transport layer security protocols, Unreliable datagram, Denial-of-service attack
National Category
Natural Sciences
Identifiers
URN: urn:nbn:se:ri:diva-30975DOI: 10.1007/s10207-016-0326-0Scopus ID: 2-s2.0-84961634159OAI: oai:DiVA.org:ri-30975DiVA, id: diva2:1138097
Available from: 2017-09-04 Created: 2017-09-04 Last updated: 2018-07-04Bibliographically approved

Open Access in DiVA

No full text in DiVA

Other links

Publisher's full textScopus

Authority records BETA

Tiloca, Marco

Search in DiVA

By author/editor
Tiloca, MarcoGehrmann, Christian
By organisation
Security LabSICS
In the same journal
International Journal of Information Security
Natural Sciences

Search outside of DiVA

GoogleGoogle Scholar

doi
urn-nbn

Altmetric score

doi
urn-nbn
Total: 6 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • harvard1
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
v. 2.34.0