TY - GEN
T1 - Cloud password shield: A secure cloud-based firewall against DDoS on authentication servers
AU - Fu, Yue
AU - Au, Man Ho
AU - Du, Rong
AU - Hu, Haibo
AU - Li, Dagang
N1 - Funding Information:
ACKNOWLEDGEMENT Corresponding author: Dagang Li. This work was supported by National Natural Science Foundation of China (Grant No: U1636205, 61572413), the Research Grants Council, Hong Kong SAR, China (Grant No: 15238116, 15222118, 15218919 and C1008-16G).
Publisher Copyright:
©2020 IEEE
PY - 2020/11
Y1 - 2020/11
N2 - Password-based authentication is essential to any online service. It is normally powered by a database of user credentials, for example a RADIUS server. However, even with various indexing techniques (e.g., B+-tree), password-based authentication can still be resource-consuming on large-scale systems (e.g., Internet and IoT), and is thus vulnerable to distributed denial-of-service (DDoS) attacks. In this paper, we propose a cloud-based firewall that uses Bloom filters to pre-screen and reject suspicious requests with wrong passwords before they reach the authentication server. The main challenge is the security of the firewall because it can be operated by a third party, so the Bloom filters might be accessed by adversaries to assist their brute-force password guessing. To ensure security, we start with the assumption of a trusted cloud server and design a key-based semantically secure Bloom filter (KSSBF) for the best efficiency. We then design a generically secure Bloom filter (GSBF) for non-trusted cloud servers, which is key-independent and has strictly provable security. Through theoretical and empirical analysis, we show that both of them can mitigate malicious requests without compromising the security of passwords.
AB - Password-based authentication is essential to any online service. It is normally powered by a database of user credentials, for example a RADIUS server. However, even with various indexing techniques (e.g., B+-tree), password-based authentication can still be resource-consuming on large-scale systems (e.g., Internet and IoT), and is thus vulnerable to distributed denial-of-service (DDoS) attacks. In this paper, we propose a cloud-based firewall that uses Bloom filters to pre-screen and reject suspicious requests with wrong passwords before they reach the authentication server. The main challenge is the security of the firewall because it can be operated by a third party, so the Bloom filters might be accessed by adversaries to assist their brute-force password guessing. To ensure security, we start with the assumption of a trusted cloud server and design a key-based semantically secure Bloom filter (KSSBF) for the best efficiency. We then design a generically secure Bloom filter (GSBF) for non-trusted cloud servers, which is key-independent and has strictly provable security. Through theoretical and empirical analysis, we show that both of them can mitigate malicious requests without compromising the security of passwords.
KW - Bloom filter
KW - DDoS
KW - Firewall
KW - Security
UR - http://www.scopus.com/inward/record.url?scp=85101965202&partnerID=8YFLogxK
U2 - 10.1109/ICDCS47774.2020.00154
DO - 10.1109/ICDCS47774.2020.00154
M3 - Conference article published in proceeding or book
AN - SCOPUS:85101965202
T3 - Proceedings - International Conference on Distributed Computing Systems
SP - 1209
EP - 1210
BT - Proceedings - 2020 IEEE 40th International Conference on Distributed Computing Systems, ICDCS 2020
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 40th IEEE International Conference on Distributed Computing Systems, ICDCS 2020
Y2 - 29 November 2020 through 1 December 2020
ER -