• DocumentCode
    2408618
  • Title

    A denial-of-service resistant public-key authentication and key establishment protocol

  • Author

    Fung, Chun-Kan ; Lee, M.C.

  • Author_Institution
    Chinese Univ. of Hong Kong, Shatin, China
  • fYear
    2002
  • fDate
    2002
  • Firstpage
    171
  • Lastpage
    178
  • Abstract
    Network denial-of-service attacks, which exhaust the server resources, have become a serious security threat to the Internet. Public key infrastructure (PKI) has long been introduced in various authentication protocols to verify the identities of the communicating parties. Although the use of PKI can present difficulty to the denial-of-service attackers, the underlying problem has not been resolved completely, because the use of public-key infrastructure involves computationally expensive operations such as modular exponentiation. An improper deployment of the public-key operations in a protocol allows the attacker to exhaust the server's resources. This paper presents a public-key based authentication and key establishment protocol integrated with a sophisticated client puzzle, which together provide a good solution for network denial-of-service attacks, and various other common attacks. The joint establishment of session keys by both the client and the server protects the session after the mutual authentication. The basic strategy to protect against denial of service is to impose an adjustable cost on the attacker while launching the attacks. The proposed client puzzle protocol can also be integrated with other network protocols to protect against denial-of-service attacks.
  • Keywords
    Internet; client-server systems; message authentication; protocols; public key cryptography; Internet; PKI; authentication protocols; client puzzle protocol; client server system; denial-of-service attacks; key establishment protocol; mutual authentication; public-key authentication; security; Authentication; Computer crime; Costs; Cryptographic protocols; Cryptography; IP networks; Network servers; Protection; Public key; Web server;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Performance, Computing, and Communications Conference, 2002. 21st IEEE International
  • Conference_Location
    Phoenix, AZ
  • Print_ISBN
    0-7803-7371-5
  • Type

    conf

  • DOI
    10.1109/IPCCC.2002.995148
  • Filename
    995148