Title of invention: Mitigation of application-level distributed denial-of-service attacks
Abstract: A system and method, implementable using an authenticating device, are provided for authenticating requesting devices such as mobile devices and other communication devices over a network. At least one group shared secret is provisioned on a plurality of requesting devices, which are further provided with other authentication credentials such as a shared secret for full authentication by the authenticating device. When authentication is sought, the requesting device transmits a pre-authentication request comprising one of the group shared secrets to the authenticating device, which verifies that group shared secret. The group shared secrets may be stored in volatile memory at the authenticating device. If the group shared secret is verified, the authenticating device will authenticate that same device in response to a subsequent authentication request.
Publication number: US8793780(B2) Publication date: 2014.07.29
Application number: US201113083981 Filing date: 2011.04.11
Applicant: BlackBerry Limited Inventor: Suffling David Robert
Classification: H04L9/32 Main classification: H04L9/32
Agency: Dimock Stratton LLP Agent: Wilson Jenna L.; Dimock Stratton LLP
Principal claim: 1. A method implemented at an authenticating device, the method comprising: storing, prior to receiving any authorization requests, a plurality of group shared secrets in memory accessible to the authenticating device, the plurality of group shared secrets comprising at least a first group shared secret and a second group shared secret, the first group shared secret being also stored in memory of each of a first plurality of requesting devices prior to transmission of any authorization request by any of the first plurality of requesting devices to the authenticating device; the second group shared secret being also stored in memory of each of a second plurality of requesting devices prior to transmission of any authorization request by any of the second plurality of requesting devices to the authenticating device, the first plurality of requesting devices and the second plurality of requesting devices each comprising different subsets of a set of requesting devices while also including at least one common requesting device from the set of requesting devices; receiving a pre-authentication request comprising at least a reference for the first group shared secret of the plurality of group shared secrets, the pre-authentication request being transmitted from a first requesting device of the first plurality of requesting devices; verifying, at the authenticating device, the received pre-authentication request using said first group shared secret; receiving an authentication request comprising proof of knowledge of a secret shared exclusively between the authenticating device and the first requesting device; and when the authentication request is determined to have been transmitted from said first requesting device, authenticating the first requesting device in response to the authentication request.
Address: Waterloo CA
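
The two-stage flow of the abstract and claim 1, as an added Python example (not code from the patent or the applicant): a cheap in-memory group-secret check gates the per-device authentication, so requests that fail it never reach the full credential check. The HMAC-SHA256 tag format, the timestamp window, the nonce challenge and all names and sample secrets are assumptions of this example.

```python
import hashlib, hmac, os, time

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def pre_auth_tag(group_secret, device_id, group_ref, ts):
    # Requesting-device side: tag binds sender, group reference and time (assumed format).
    return mac(group_secret, f"{device_id}|{group_ref}|{ts}".encode())

class Authenticator:
    def __init__(self, group_secrets, device_secrets, window=30):
        self.groups = dict(group_secrets)    # group ref -> secret, loaded before any request
        self.devices = dict(device_secrets)  # device id -> secret exclusive to that device
        self.window = window                 # seconds; assumed freshness limit
        self.pending = {}                    # device id -> (nonce, expiry) after pre-auth

    def pre_authenticate(self, device_id, group_ref, ts, tag, now=None):
        """Stage 1: verify the request against the referenced group secret."""
        now = time.time() if now is None else now
        secret = self.groups.get(group_ref)
        if secret is None or abs(now - ts) > self.window:
            return None                      # unknown group reference or stale request
        if not hmac.compare_digest(pre_auth_tag(secret, device_id, group_ref, ts), tag):
            return None
        nonce = os.urandom(16)               # challenge for stage 2 (assumption)
        self.pending[device_id] = (nonce, now + self.window)
        return nonce

    def authenticate(self, device_id, proof, now=None):
        """Stage 2: accepted only from the device that passed stage 1."""
        now = time.time() if now is None else now
        nonce, expiry = self.pending.pop(device_id, (None, 0))  # single use
        secret = self.devices.get(device_id)
        if nonce is None or secret is None or now > expiry:
            return False
        return hmac.compare_digest(mac(secret, nonce), proof)

# Constructed sample data: "dev-1" belongs to both groups (the common device of claim 1).
GROUPS = {"G1": b"g1-secret-constructed-sample-0001", "G2": b"g2-secret-constructed-sample-0002"}
DEVICES = {"dev-1": b"dev-1-exclusive-constructed-key", "dev-2": b"dev-2-exclusive-constructed-key"}
```
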