Abstract: Network security protocol design is an important aspect of network security research. DoS/DDoS is a very serious attack in wired and wireless networks. A DoS/DDoS attack depletes the memory and CPU of the service provider, so legitimate users cannot obtain normal service. Following the anti-DoS attack strategy for network security protocols, we give and discuss three mechanisms (stateless connection, fail-together and Subset Sum Client-Puzzle) for the design of a key exchange protocol against denial of service attacks, applied to the ISO/IEC1170-3 key exchange protocol. The Subset Sum Client-Puzzle has a simple structure, is non-parallelizable and is fast to verify. The difficulty of n Subset Sum Client-Puzzles is the sum of the difficulties of the n individual Subset Sum Client-Puzzles. Based on an analysis of the new key exchange protocol, we compare initiator and responder in terms of computation resources, memory depletion and resistance to DoS/DDoS. The ISO/IEC1170-3 key exchange protocol with the Subset Sum Client-Puzzle, which is non-parallelizable and easy to construct and verify, has good properties against DoS/DDoS attacks. It provides a very good reference for network security protocol design with anti-DoS/DDoS attack resistance.
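A stateless subset-sum client puzzle of the kind the abstract describes, written here as an added example and not the paper's own construction: the responder derives the weights and a hidden subset from a per-request nonce with HMAC, sends the weights and target, and later verifies any submitted subset in O(n) by re-deriving them, so it stores nothing per client. SERVER_KEY, the HMAC-based derivation and the brute-force solver are assumptions of this example; it shows the construction/verification cost asymmetry and stateless verification, not the paper's non-parallelizability property.

```python
import hmac
import hashlib

# Constructed responder secret for this example; a real responder keeps this private.
SERVER_KEY = b"example-responder-key"

def derive_weights(key, client_id, nonce, n):
    """Derive n 32-bit weights from the puzzle parameters with HMAC-SHA256 (no stored state)."""
    weights = []
    for i in range(n):
        mac = hmac.new(key, b"w" + client_id + nonce + bytes([i]), hashlib.sha256).digest()
        weights.append(int.from_bytes(mac[:4], "big") | 1)  # force non-zero weight
    return weights

def hidden_mask(key, client_id, nonce, n):
    """Derive the responder's secret subset as an n-bit mask; never zero, so a solution exists."""
    mac = hmac.new(key, b"m" + client_id + nonce, hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big") % (1 << n) or 1

def subset_sum(weights, mask):
    """Sum of the weights selected by the bits of mask."""
    return sum(w for i, w in enumerate(weights) if mask >> i & 1)

def make_puzzle(key, client_id, nonce, n):
    """Responder: publish the weights and the target sum; keep no per-client state."""
    weights = derive_weights(key, client_id, nonce, n)
    return weights, subset_sum(weights, hidden_mask(key, client_id, nonce, n))

def solve_puzzle(weights, target):
    """Initiator: exhaustive search over up to 2^n - 1 subsets. Returns (mask, subsets_tried)."""
    n = len(weights)
    for mask in range(1, 1 << n):
        if subset_sum(weights, mask) == target:
            return mask, mask
    return None, (1 << n) - 1

def verify_solution(key, client_id, nonce, n, mask):
    """Responder: O(n) check. Weights and target are re-derived from the nonce, so a client
    can neither substitute its own weights nor claim a target of its own choosing."""
    if not 0 < mask < (1 << n):
        return False
    weights = derive_weights(key, client_id, nonce, n)
    target = subset_sum(weights, hidden_mask(key, client_id, nonce, n))
    return subset_sum(weights, mask) == target
```

Raising n doubles the initiator's worst-case search for each extra weight while the responder's verification grows only linearly, which is the asymmetry a client puzzle relies on.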