An authentication question

Adam Fields fields at surgam.net
Mon Aug 5 17:03:46 EDT 2002


On Mon, Aug 05, 2002 at 04:44:28PM -0400, Jack Lloyd wrote:
> In the second version, any random user (or script) could upload very large
> files, wasting your bandwidth, and also CPU time when you check the sig. Or
> lots and lots of really small files, which would swamp your CPU(s) trying
> to check 500 sigs a second (makes for a good DDOS).

Hmmm... wouldn't this make for a >less< effective DDOS attack?
Ostensibly, the purpose of a DOS attack is twofold - to block access
to a service, but also to cost money. CPU time is cheaper than
bandwidth in most cases, and hosing the CPU would actually cause the
machine to stop responding with less bandwidth used, doing "less"
damage than a pure network overload attack.

So the real question - is this actually any worse a target for a DOS
attack? (I don't really know.)

> I don't see a difference from the standpoint of what ends up being stored
> in the server, though. The second version is (mostly) safe from password
> guessing, which is good. The first is easier for most users to figure out,
> which is also good.
>   -Jack
> 
> On Mon, 5 Aug 2002, Adam Fields wrote:
> 
> > If you were going to open up an interface to allow known parties to
> > upload files to you via web form submission, would you want to 1)
> > distribute passwords to them and let them sign in to a page where they
> > could upload the files over SSL, or 2) allow anyone to upload files
> > and require that authorized parties sign (and/or encrypt) the files
> > before uploading them, rejecting any that weren't signed with a valid
> > key?
> >
> > Are these two scenarios equivalent from a security standpoint?
> >
> 

-- 
				- Adam

-----
Adam Fields, Managing Partner, fields at surgam.net
Surgam, Inc. is a technology consulting firm with strong background in
delivering scalable and robust enterprise web and IT applications.
Ask about Vignette maximization: http://www.surgam.net/vignette.html

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
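Added example, not part of the thread: one way to blunt the CPU-exhaustion concern raised about option 2 is to order the server's checks so that unknown key IDs and oversize bodies are rejected before any signature verification runs. Per-party HMAC secrets stand in here for the public-key signatures the thread discusses (an assumption for a stdlib-only demo); AUTHORIZED, MAX_BYTES, the party names and the payloads are constructed.

```python
import hmac
import hashlib
from collections import Counter

# Constructed: per-party shared secrets stand in for the signing keys in the
# thread. With real public-key signatures the server would instead look up a
# public key by key ID before verifying.
AUTHORIZED = {
    "alice": b"alice-secret",
    "bob": b"bob-secret",
}
MAX_BYTES = 1_000_000   # size cap, enforced before anything expensive runs
stats = Counter()       # how often each outcome (and the costly step) happens


def sign(party, data):
    """Client side: the tag an authorized party attaches to its upload."""
    return hmac.new(AUTHORIZED[party], data, hashlib.sha256).hexdigest()


def accept_upload(party, tag, data):
    """Server side. Cheap checks run first, so anonymous junk never reaches
    the verification step that costs CPU."""
    if party not in AUTHORIZED:          # unknown key ID: no crypto performed
        stats["rejected_unknown"] += 1
        return "reject: unknown party"
    if len(data) > MAX_BYTES:            # oversize: rejected before hashing it
        stats["rejected_size"] += 1
        return "reject: too large"
    stats["verified"] += 1               # only now pay for verification
    expected = hmac.new(AUTHORIZED[party], data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        # A flooder who spoofs a known key ID still reaches this point;
        # per-party rate limiting would be the next layer for that case.
        stats["rejected_badsig"] += 1
        return "reject: bad signature"
    stats["accepted"] += 1
    return "accept"


def simulate_flood(n):
    """Constructed load test: n uploads claiming an unknown key ID.
    Returns how many expensive verifications they triggered (zero)."""
    before = stats["verified"]
    for i in range(n):
        accept_upload("nobody", "00", b"junk %d" % i)
    return stats["verified"] - before


if __name__ == "__main__":
    print(accept_upload("alice", sign("alice", b"report"), b"report"))
    print("verifications caused by 500 anonymous uploads:", simulate_flood(500))
```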
