[noise] DoS resistance
Tony Arcieri
bascule at gmail.com
Fri Jul 17 18:29:27 PDT 2015
On Thu, Jul 16, 2015 at 1:42 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> I can send around 10 gigabits of data per second of illegitimate
> post-handshake data messages, before the CPU is maxed out. That's
> good.
> But, I can only send around 70 megabits per second of handshake
> messages, before the CPU is maxed out. Bad news bears.
For what it's worth, TLS completely punts on this problem. It's known among
other things as the "THC attack", and since it can be used against RSA it's
considerably worse:
https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks
There have been attempts at solving this ("client puzzles") but I can't say
I'm really a fan.
70 Mbps of handshake messages (per node) seems good to me?
--
Tony Arcieri
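As an added example, not code from this list, from Noise, or from anyone in the thread: a hashcash-style client puzzle of the kind mentioned above, showing what it does and does not buy against a handshake flood. The server answers an unauthenticated handshake initiation with a stateless challenge and only spends DH work once the client presents a solution that cost the client about 2^k hashes but costs the server one HMAC and one SHA-256 to check. The server key, client address, timestamps and difficulty are assumed values for illustration.

```python
import hashlib
import hmac
import struct

# Assumed parameters for this example (not from Noise or any implementation
# discussed on the list).
DIFFICULTY_BITS = 16   # expected 2**16 hashes of client work per handshake
CHALLENGE_TTL = 30     # seconds a challenge stays valid
TAG_LEN = 16           # truncated HMAC-SHA256 tag on the challenge


def make_challenge(server_key: bytes, client_addr: bytes, now: int) -> bytes:
    """Server side: issue a stateless puzzle challenge.

    The challenge is a timestamp plus an HMAC binding it to the client
    address, so the server stores nothing per client and can later tell a
    genuine challenge from a forged one with a single MAC computation.
    """
    ts = struct.pack(">Q", now)
    tag = hmac.new(server_key, b"challenge" + client_addr + ts,
                   hashlib.sha256).digest()[:TAG_LEN]
    return ts + tag


def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a byte string (the puzzle's difficulty measure)."""
    bits = 0
    for b in digest:
        if b == 0:
            bits += 8
            continue
        bits += 8 - b.bit_length()
        break
    return bits


def solve_challenge(challenge: bytes, difficulty: int = DIFFICULTY_BITS) -> bytes:
    """Client side: brute-force an 8-byte counter until
    SHA-256(challenge || counter) has `difficulty` leading zero bits.
    Expected cost is 2**difficulty hash evaluations, all paid by the client."""
    counter = 0
    while True:
        sol = struct.pack(">Q", counter)
        if leading_zero_bits(hashlib.sha256(challenge + sol).digest()) >= difficulty:
            return sol
        counter += 1


def verify_solution(server_key: bytes, client_addr: bytes, challenge: bytes,
                    solution: bytes, now: int,
                    difficulty: int = DIFFICULTY_BITS,
                    ttl: int = CHALLENGE_TTL) -> bool:
    """Server side: one HMAC and one SHA-256, no state lookup, and only
    then is the (expensive) DH handshake allowed to proceed."""
    if len(challenge) != 8 + TAG_LEN or len(solution) != 8:
        return False
    ts = struct.unpack(">Q", challenge[:8])[0]
    # Reject stale challenges and ones dated in the future.
    if not (now - ttl <= ts <= now):
        return False
    # Recompute the tag: a forged or replayed-from-elsewhere challenge fails here.
    expected = make_challenge(server_key, client_addr, ts)
    if not hmac.compare_digest(expected, challenge):
        return False
    # Finally the proof of work itself: one hash.
    return leading_zero_bits(hashlib.sha256(challenge + solution).digest()) >= difficulty


if __name__ == "__main__":
    # Constructed demo values.
    key = b"\x01" * 32
    addr = b"\x0a\x00\x00\x01"
    now = 1437183000
    ch = make_challenge(key, addr, now)
    sol = solve_challenge(ch)
    print("client counter tried:", struct.unpack(">Q", sol)[0], "hashes")
    print("server accepts:", verify_solution(key, addr, ch, sol, now + 2))
    print("same solution from another address:",
          verify_solution(key, b"\x0a\x00\x00\x02", ch, sol, now + 2))
```

The server keeps no per-client table, because a table of outstanding challenges would itself be a cheap thing to fill up; the challenge carries its own timestamp and tag, so a flood of forged or stale challenges is rejected at HMAC cost and a solved challenge is only usable from the address it was issued to, within the TTL. The trade-off is also visible in the numbers: DIFFICULTY_BITS shifts cost onto every honest initiator, including constrained devices, while a botnet pays the same per-connection price in parallel, so the puzzle turns the handshake rate above into a per-attempt CPU budget rather than removing the problem.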