SSL (Secure Sockets Layer) protocol and IPSec (Internet Protocol Security) are widely used for identity authentication and communication protection. However, both protocols suffer from intrusion and single-point of compromising as well as DDoS (distributed denial of service) attacks. An innovative Intrusion-Resilient, DDoS-Resistant Authentication System (IDAS) System is proposed to achieve the following goals:

(1) An intrusion-resilient authentication protocol will be able to protect credential information by distributing shared secret to multiple computers and thus eliminates the single point of compromising.

(2) This protocol can readily detect the use of partial credential as a user/computer and indicate which part of secret is exposed; consequently, the compromised computer can be recovered.

(3) Even when an insider compromised all related servers, the credential is only valid for a short period of time and will be self healed in next period.

(4) A DDoS resistant protocol must be stateless and efficient as well as stop botnet attacks and "low and slow" attacks.

(5) This authentication protocol only takes a single round trip time, which is faster than any other authentication protocols and is important to the performance of critical applications in a multi-continent network.

It is difficult to prove the capabilities of IDAS by actually implementing a full scale botnet due to financial constraint. Instead, simulation results are reported in this paper to show that this IDAS protocol can resist DDoS attacks even when thousands of attackers, which is about the same size as the current botnet, are bombarding it. A user will not even sense the extra delay due to the DDoS attacks; thus, the collateral damage is eliminated.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Takamichi SAITO , Ryosuke HATSUGAI , Toshiyuki KIT0, On Compromising Password-Based Authentication over HTTPS, Proceedings of the 20th International Conference on Advanced Information Networking and Applications - Volume 1 (AINA'06), p.869-874, April 18-20, 2006  [doi>10.1109/AINA.2006.244]
	2	J. Franks , P. Hallam-Baker , J. Hostetler , S. Lawrence , P. Leach , A. Luotonen , L. Stewart, HTTP Authentication: Basic and Digest Access Authentication, RFC Editor, 1999
	3	Song, D. dsniff. {Online} http://naughty.monkey.org/~dugsong/dsniff/
	4	Haidong Xia , José Carlos Brustoloni, Hardening Web browsers against man-in-the-middle and eavesdropping attacks, Proceedings of the 14th international conference on World Wide Web, May 10-14, 2005, Chiba, Japan  [doi>10.1145/1060745.1060817]
	5	Rachna Dhamija , J. D. Tygar , Marti Hearst, Why phishing works, Proceedings of the SIGCHI conference on Human Factors in computing systems, April 22-27, 2006, Montréal, Québec, Canada  [doi>10.1145/1124772.1124861]
	6	Anthony Y. Fu , Xiaotie Deng , Liu Wenyin , Greg Little, The methodology and an application to fight against Unicode attacks, Proceedings of the second symposium on Usable privacy and security, July 12-14, 2006, Pittsburgh, Pennsylvania  [doi>10.1145/1143120.1143132]
	7	Chun-Hsin Wang , Chang-Wu Yu , Chiu-Kuo Liang , Kun-Min Yu , Wen Ouyang , Ching-Hsien Hsu , Yu-Guang Chen, Tracers placement for IP traceback against DDoS attacks, Proceedings of the 2006 international conference on Wireless communications and mobile computing, July 03-06, 2006, Vancouver, British Columbia, Canada  [doi>10.1145/1143549.1143620]
	8	David G. Andersen, Mayday: distributed filtering for internet services, Proceedings of the 4th conference on USENIX Symposium on Internet Technologies and Systems, p.3-3, March 26-28, 2003, Seattle, WA
	9	Angelos D. Keromytis , Vishal Misra , Dan Rubenstein, SOS: secure overlay services, Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications, August 19-23, 2002, Pittsburgh, Pennsylvania, USA
	10	William G. Morein , Angelos Stavrou , Debra L. Cook , Angelos D. Keromytis , Vishal Misra , Dan Rubenstein, Using graphic turing tests to counter automated DDoS attacks against web servers, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA  [doi>10.1145/948109.948114]
	11	Angelos Stavrou , Angelos D. Keromytis, Countering DoS attacks with stateless multipath overlays, Proceedings of the 12th ACM conference on Computer and communications security, November 07-11, 2005, Alexandria, VA, USA  [doi>10.1145/1102120.1102153]
	12	Hikmat Farhat, Protecting TCP services from denial of service attacks, Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense, p.155-160, September 11-15, 2006, Pisa, Italy  [doi>10.1145/1162666.1162674]
	13	Alex C. Snoeren , Craig Partridge , Luis A. Sanchez , Christine E. Jones , Fabrice Tchakountio , Beverly Schwartz , Stephen T. Kent , W. Timothy Strayer, Single-packet IP traceback, IEEE/ACM Transactions on Networking (TON), v.10 n.6, p.721-734, December 2002  [doi>10.1109/TNET.2002.804827]
	14	William Aiello , Steven M. Bellovin , Matt Blaze , Ran Canetti , John Ioannidis , Angelos D. Keromytis , Omer Reingold, Just fast keying: Key agreement in a hostile internet, ACM Transactions on Information and System Security (TISSEC), v.7 n.2, p.242-273, May 2004  [doi>10.1145/996943.996946]
	15	Y. Shiraishi, Y. Fukuta, and M. Moril, "Port randomized VPN by mobile codes," in Proceedings from First IEEE Consumer Communications and Networking Conference, 2004, pp. 671--673.
	16	Leslie Lamport, Password authentication with insecure communication, Communications of the ACM, v.24 n.11, p.770-772, Nov. 1981  [doi>10.1145/358790.358797]
	17	Alfred J. Menezes , Scott A. Vanstone , Paul C. Van Oorschot, Handbook of Applied Cryptography, CRC Press, Inc., Boca Raton, FL, 1996
	18	M. Long, and C.-H. Wu, "Energy-efficient and intrusion-resilient authentication for ubiquitous access to factory floor information," IEEE Transactions on Industrial Informatics, vol. 2, issue 1, pp. 40--47, Feb. 2006.
	19	Hovav Shacham , Dan Boneh , Eric Rescorla, Client-side caching for TLS, ACM Transactions on Information and System Security (TISSEC), v.7 n.4, p.553-575, November 2004  [doi>10.1145/1042031.1042034]
	20	Yanjiang Yang , Robert H. Deng , Feng Bao, A Practical Password-Based Two-Server Authentication and Key Exchange System, IEEE Transactions on Dependable and Secure Computing, v.3 n.2, p.105-114, April 2006  [doi>10.1109/TDSC.2006.16]