1
Security and Trust in P2P systems
2
Trust and Security
Peer-to-Peer systems require different entities to decide how to interact, or whether to interact at all, with others.
Security decisions: I need to know whether I can “trust” another entity within this system.
Should I trust “Alice” because my friend, Bob, trusts her?
3
Trust and Security
The “perfect” P2P system: a system with a perfectly flat hierarchy, in which each entity allows other entities to use its local resources.
How can we provide security without a centralized entity?
Infrastructure: the model of interaction between entities!
4
What is trust
When thinking about security in a system, various entities need to “trust” others to varying degrees. We say “trusted hardware”, or “trusted administrators”.
So… what is trust? Trust is a bet about the future contingent actions of others.
5
Malicious node
A malicious node might give erroneous responses to a request.
Application level: returning false data.
Network level: returning false routes.
Malicious nodes may work together, acting in concert, to attack the remainder of the nodes.
6
Outline
Identification
Routing table risk: victim data, victim peer
Content verification
Punishment
7
Identification
Identity: it is undesirable to know the identity of other entities (privacy, anonymity).
However, if you wish to trust entity A, you need to be able to identify it.
8
Identification
Public key infrastructures (PKI): should be run by somebody! For a PKI to work in this sort of situation, you need to have a trusted third party.
Recommendation systems: chains of trust.
Transitive trust: trust should be granted directly.
9
Identification
When trust must be transitive, it creates brittleness.
In most P2P systems, transitive trust is a key component.
How to measure “reputation”? Roles; time-related factors.
10
Secure Routing in p2p systems
The secure routing primitive ensures that when a non-faulty node sends a message to a key k, the message reaches all non-faulty members of the set of replica roots R_k with very high probability.
Secure routing guarantees that replicas are initially placed on legitimate replica roots, and that a lookup message reaches a replica if one exists.
11
Three problems
Securely assigning nodeIds to nodes: ensure attackers cannot choose the value of nodeIds.
Securely maintaining the routing tables: ensure that the fraction of faulty nodes that appear in the routing tables of correct nodes does not exceed the fraction of faulty nodes in the entire overlay.
Securely forwarding messages: ensure that at least one copy of a message sent to a key reaches each correct replica root for the key with high probability.
12
System model
N nodes; f (0 < f < 1): fraction of faulty nodes.
Faulty nodes can behave arbitrarily, and they may not all necessarily be operating as a single conspiracy.
The set of faulty nodes is partitioned into independent coalitions, which are disjoint sets with size bounded by cN (1/N <= c <= f). Consider the case c < f.
13
Secure nodeId assignment
A node might choose its identifier maliciously:
Allocate itself a collection of nodeIds closer to a document’s key than any existing node in the system, in order to censor that specific document.
Choose nodeIds to maximize its chances of appearing in a victim node’s routing tables.
14
Secure nodeId assignment
Centralized authority: the server is only consulted when new nodes join and is otherwise uninvolved in the actions of the p2p system.
Sybil attacks: coalition nodes might try to get a large number of nodeIds.
Even if those nodeIds are random, a large enough collection of them would still give the attackers disproportionate control over the network.
Moderate the rate at which nodeIds are given out: by charging money? By having the joiner solve a small puzzle?
15
Admission control system (ACS) properties
Security: provide resiliency against attacks that work by creating shadow nodes.
Efficiency: should be simple and should not require a lot of overhead on participating nodes.
Fairness: nodes should do an equal amount of work to join the network.
Response to attack: make the attack more difficult while not affecting other legitimate nodes.
Scalability.
Verifiability: allow any node in the system to verify that it is communicating with a node that was legitimately admitted to the network.
16
It is important that the upper layer nodes are both static and trustworthy
A must gain admission from a sequence of nodes, starting with leaf node B and ending with root X
At each stage, A is required to solve a puzzle presented by B
Decentralized, multi-puzzle scheme
17
Join protocol: get a token
A wishes to join the network; it must first discover a leaf node B.
A gains admission from B by solving B’s puzzle. After solving the puzzle, A is given a token, which is used to prove to B’s parent that A was admitted by B.
At each stage, A is given a token to be used as proof of the previous puzzle solution. When A reaches the root, X issues the final token, with the format:
• A’s signature
18
Connect to the network: A must prove to its prospective neighbors that it has been admitted by the root node X.
Signature verification is costly: the neighboring nodes each require A to solve one more puzzle; these challenges protect the neighbors from a DoS attack.
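The join protocol of slides 17 and 18, modelled end to end as an added example (this is illustration code written for this page, not the scheme's own implementation). The joiner A solves one puzzle per level of the admission tree (leaf B up to root X), carries the token issued at each level to the next, and a prospective neighbour checks the root-issued token before doing anything else. Assumptions: puzzles are SHA-256 partial preimages; tokens are HMAC tags standing in for signatures; a parent can recompute its child's tag and any node can recompute the root's tag (with real signatures, they would hold the corresponding public keys instead). The names `AcsNode`, `join` and `verify_admission` are mine.

```python
"""Toy model of the ACS join protocol: one puzzle per tree level, a token
carried upward, and neighbour-side verification of the root token.
Added illustration, not the scheme's own code (see assumptions in comments)."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

PUZZLE_BITS = 12  # constructed difficulty: leading zero bits required (~4096 hashes on average)


def check_solution(challenge: bytes, counter: int, bits: int = PUZZLE_BITS) -> bool:
    """True if SHA-256(challenge || counter) starts with `bits` zero bits; one hash to check."""
    digest = hashlib.sha256(challenge + counter.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - bits) == 0


def solve_puzzle(challenge: bytes, bits: int = PUZZLE_BITS) -> int:
    """Brute-force the counter; the work grows exponentially in `bits`."""
    counter = 0
    while not check_solution(challenge, counter, bits):
        counter += 1
    return counter


class AcsNode:
    """One node of the admission-control tree; parent is None for the root X."""

    def __init__(self, node_id: str, parent: Optional["AcsNode"] = None):
        self.node_id = node_id
        self.parent = parent
        self.key = secrets.token_bytes(32)   # MAC key: assumption, stands in for a signing key
        self.pending = {}                    # joiner_id -> challenge currently outstanding

    def challenge(self, joiner_id: str) -> bytes:
        """Fresh nonce per request, so a solution cannot be precomputed or replayed."""
        chal = f"{self.node_id}|{joiner_id}|".encode() + secrets.token_bytes(8)
        self.pending[joiner_id] = chal
        return chal

    def token(self, joiner_id: str) -> bytes:
        """Proof that this level admitted joiner_id (HMAC tag as a signature stand-in)."""
        return hmac.new(self.key, f"ADMIT|{self.node_id}|{joiner_id}".encode(), "sha256").digest()

    def admit(self, joiner_id: str, counter: int,
              child: Optional["AcsNode"], prev_token: Optional[bytes]) -> bytes:
        """Check the puzzle solution and, above the leaf, the token from the level below."""
        chal = self.pending.pop(joiner_id, None)
        if chal is None or not check_solution(chal, counter):
            raise PermissionError(f"{self.node_id}: no valid puzzle solution from {joiner_id}")
        # assumption: the parent can recompute the child's tag (shared MAC key)
        if child is not None and not hmac.compare_digest(child.token(joiner_id), prev_token or b""):
            raise PermissionError(f"{self.node_id}: token from {child.node_id} does not verify")
        return self.token(joiner_id)


def join(joiner_id: str, leaf: AcsNode) -> Tuple[bytes, int]:
    """Walk leaf -> root, one puzzle per level. Returns (root token, puzzles solved)."""
    node, child, tok, solved = leaf, None, None, 0
    while node is not None:
        counter = solve_puzzle(node.challenge(joiner_id))
        solved += 1
        tok = node.admit(joiner_id, counter, child, tok)
        child, node = node, node.parent
    return tok, solved


def verify_admission(joiner_id: str, root_token: bytes, root: AcsNode) -> bool:
    """What a prospective neighbour checks before issuing its own anti-DoS puzzle.
    Assumption: the neighbour can recompute the root's tag (a public key in the real scheme)."""
    return hmac.compare_digest(root.token(joiner_id), root_token)


if __name__ == "__main__":
    X = AcsNode("X"); M = AcsNode("M", X); B = AcsNode("B", M)   # root, middle level, leaf
    tok, n = join("A", B)
    print("puzzles solved:", n, "admitted by X:", verify_admission("A", tok, X))
```

Two properties of the slides are visible in the run: the joiner's work is the tree depth times one puzzle, while each verifier does a single hash or MAC computation; and the token is bound to the joiner's identity, so a token captured from A is useless to any other identity.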
19
Node upgrade: A must prove its stability before inclusion in the ACS.
Initially, A joins the ACS as a leaf node and is evaluated by its parent node.
To maintain a balanced tree, a node only upgrades nodes when its number of children has reached the degree of the tree.
When the tree is sufficiently deep to support the join load and achieve the proper security guarantees, no more nodes are added to the ACS.
20
Node departure: the departing node may or may not be a member of the ACS.
Leaving gracefully • The oldest child is chosen to replace the departing node.
Leaving due to a failure • Children must rejoin the network by contacting their grandparent, or by finding another node in the ACS.
21
Security: the ACS is designed to limit Sybil attacks, not to prevent them!
Attacker is a member of the ACS: easily detected by the parent of the attacker by observing the rate of token requests.
Attacker is not a member of the ACS but controls a significant fraction of nodes: the attack is limited by ensuring that only a small number of tokens are released during a period of time.
22
How about patient attackers?
If an attacker is patient enough, it can achieve the required number of IDs to launch a massive attack.
Cut-off window: define a token expiration time, W. How to determine the value of W? Limit the number of good users that must execute the rejoin process to a small percentage.
23
Analysis
Models: legitimate nodes arrive according to a Poisson distribution with an arrival rate of λg.
Lifetime is exponentially distributed with a mean of µg.
Assume an attacker is equal in computational power to the average user.
l: joining difficulty (measured in maximum time).
24
Analysis
Puzzles and fairness: the distribution of the time to solve a puzzle is uniform. A single puzzle has an average time of l/2; n puzzles have difficulty l/2n each.
Example: 5 minutes to solve with a maximum standard deviation of 30 seconds • 9 puzzles, each taking at most 33.3 seconds.
25
Analysis
Steady state: the number of nodes in the network, N = λg · µg.
To control a fraction f of the nodes, an attacker will be required to obtain (f·N)/(1-f) IDs.
Assume there are n attackers; the arrival rate of attacker nodes will be a = 2·n / l. The time to launch a successful attack
26
Analysis
Example: if λg = 1 node/sec and µg = 2.3 hours, the steady-state number of nodes is 8280.
For the attacker to control 10% of the total nodes in the network, it is required to obtain 920 IDs.
If the joining process takes on average 5 minutes, a successful attack would take 76 hours, which is more than 3 days.
27
Analysis
Cut-off windows (legitimate nodes): P is the percentage of legitimate nodes that will be required to reacquire fresh tokens.
28
Analysis
Example: if µg = 2.3 hours and W = 4 hours, the percentage of legitimate nodes that will be cut off the network and asked to rejoin is 17.5%.
29
Analysis
Cut-off window (attackers): the combined number of nodes that n attackers can accumulate is 2·n·W / l.
Example: if the maximum join time is 10 minutes and W = 4 hours, the maximum number of nodes an attacker can accumulate is 48 nodes.
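The analysis of slides 23 to 29 (puzzle fairness, steady state, attack time and both cut-off windows) carried through in code, as an added example that is not part of the original slides. It reproduces the slides' figures (9 puzzles, 8280 nodes, 920 IDs, roughly 76 hours, 17.5%, 48 nodes) from the model's parameters. Two points are my assumptions rather than statements on the slides: the fairness example reads "5 mins to solve" as the maximum join time l, with n uniform puzzles on [0, l/n] giving a total standard deviation of l/sqrt(12·n); and the percentage P of legitimate nodes cut off is taken to be the share whose exponential lifetime exceeds W, exp(-W/µg), which is what yields 17.5%. "Takes on average 5 minutes" is read as l = 10 minutes, since the uniform solve time averages l/2.

```python
"""Worked numbers for the ACS analysis model (added illustration, not the
authors' code).  Every function is unit-agnostic; the caller just has to use
the same unit for all rates and times in one call."""
import math


def steady_state_nodes(arrival_rate: float, mean_lifetime: float) -> float:
    """Steady-state population N = λg · µg (Poisson arrivals, exponential lifetimes)."""
    return arrival_rate * mean_lifetime


def ids_needed(fraction: float, n_nodes: float) -> float:
    """IDs an attacker must hold to control fraction f of the network: f·N / (1 - f).
    The attacker's own IDs enlarge the network, hence the (1 - f) denominator."""
    return fraction * n_nodes / (1 - fraction)


def attacker_rate(n_attackers: int, max_join_time: float) -> float:
    """a = 2·n / l: with solve time uniform on [0, l], one join takes l/2 on average."""
    return 2 * n_attackers / max_join_time


def time_to_attack(fraction: float, n_nodes: float, n_attackers: int, max_join_time: float) -> float:
    """Time for n attackers to accumulate the IDs needed to control fraction f."""
    return ids_needed(fraction, n_nodes) / attacker_rate(n_attackers, max_join_time)


def puzzles_for_stddev(max_join_time: float, max_stddev: float) -> int:
    """Fairness: split one puzzle of max time l into n puzzles of max time l/n each.
    Assumption: the sum of n uniforms on [0, l/n] has std dev l / sqrt(12·n);
    return the smallest n that brings it under the target."""
    n = 1
    while max_join_time / math.sqrt(12 * n) > max_stddev:
        n += 1
    return n


def cutoff_fraction(mean_lifetime: float, window: float) -> float:
    """Share of legitimate nodes still alive when their token expires after W.
    Assumption: P(lifetime > W) = exp(-W/µg) for an exponential lifetime."""
    return math.exp(-window / mean_lifetime)


def attacker_ids_under_window(n_attackers: int, window: float, max_join_time: float) -> float:
    """Max IDs n attackers can hold at once when tokens expire after W: 2·n·W / l."""
    return 2 * n_attackers * window / max_join_time


if __name__ == "__main__":
    HOUR = 3600
    N = steady_state_nodes(1.0, 2.3 * HOUR)                 # λg = 1 node/s, µg = 2.3 h
    print("steady-state nodes:", N)
    print("IDs for 10% control:", ids_needed(0.10, N))
    print("hours to attack (l = 10 min):", time_to_attack(0.10, N, 1, 10 * 60) / HOUR)
    print("puzzles for 5 min max, 30 s std dev:", puzzles_for_stddev(5 * 60, 30))
    print("legitimate nodes cut off (W = 4 h):", cutoff_fraction(2.3, 4.0))
    print("attacker IDs alive (W = 4 h, l = 10 min):", attacker_ids_under_window(1, 240, 10))
```

The last two numbers are the trade-off the slides set up: a shorter W shrinks what a patient attacker can hold at once, but the exponential lifetime model means the share of honest nodes forced to rejoin grows just as directly, so W is chosen against that percentage rather than against the attacker alone.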
30
Robust routing primitives
If an attacker controls a fraction f of the nodes in the p2p network, we would expect each entry in every routing table to have probability f of pointing to a malicious node.
If a desired route consumes h hops, the probability of being free of malicious nodes is (1-f)^h.
How about Chord with 2^m nodes?
31
Robust routing primitives
Locality-based attacks: the adversary could take advantage of its locality to a given victim node to get more entries in that node’s routing table, and so increase its odds of controlling any given route that uses the victim node.
Attempt multiple, redundant routes from the source to the destination: costly, and how to determine “not found”?
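The routing probabilities of slides 30 and 31 in code, as an added example (not from the original slides): the single-route figure (1-f)^h, the Chord case, and the redundancy question of how many independent routes are needed to reach a target success probability. The Chord hop counts are my assumption from the Chord design (at most m finger hops for 2^m identifiers, about m/2 on average); the function names are mine.

```python
"""Probability that a lookup avoids malicious routing-table entries
(added illustration, not the slides' code)."""
from typing import Tuple


def route_safe_prob(f: float, hops: int) -> float:
    """One h-hop route is clean with probability (1 - f)^h, assuming each routing-table
    entry independently points to a malicious node with probability f."""
    return (1 - f) ** hops


def chord_hop_bounds(m: int) -> Tuple[int, float]:
    """Chord with 2^m identifiers: at most m finger hops per lookup, about m/2 on
    average (assumption taken from the Chord design, not from the slides)."""
    return m, m / 2


def redundant_routes_prob(f: float, hops: int, routes: int) -> float:
    """At least one of r independent h-hop routes is clean: 1 - (1 - (1 - f)^h)^r."""
    return 1 - (1 - route_safe_prob(f, hops)) ** routes


def routes_needed(f: float, hops: int, target: float) -> int:
    """Smallest r with success probability >= target: the cost of the redundancy idea."""
    r = 1
    while redundant_routes_prob(f, hops, r) < target:
        r += 1
    return r


if __name__ == "__main__":
    f = 0.10
    print("10 hops clean:", round(route_safe_prob(f, 10), 4))
    worst, avg = chord_hop_bounds(20)                        # Chord with 2^20 identifiers
    print("Chord m=20, worst/avg hops:", worst, avg)
    print("clean at worst-case hops:", round(route_safe_prob(f, worst), 4))
    print("clean at average hops:", round(route_safe_prob(f, int(avg)), 4))
    print("routes for 90% success over 10 hops:", routes_needed(f, 10, 0.9))
```

The redundancy figure also shows the "not found" problem the slide raises: a positive answer from any one clean route can be accepted, but a negative answer is only as good as all r routes together, so the cost of a trustworthy "not found" is the full r lookups every time.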
32
Content verification
The adversary may spoof the results. Verification can be done if we have verification codes.
Solve by Google’s PageRank technology: pages that are linked from “popular” pages are themselves more popular.
How to add such a notion of popularity into a p2p system?
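The link-based popularity notion the slide points to, computed by power iteration over a small constructed graph, as an added example (not code from the original slides). Read the edges as "node X vouches for node Y"; the names `pagerank` and `VOUCHES` and the graph itself are mine, and the damping factor 0.85 is the usual PageRank choice, not a value from the slides.

```python
"""Power-iteration PageRank over a constructed 'who vouches for whom' graph,
as a model of link-based popularity among peers (added illustration)."""
from typing import Dict, List


def pagerank(links: Dict[str, List[str]], damping: float = 0.85, iterations: int = 100) -> Dict[str, float]:
    """links maps a node to the nodes it links to. Rank flows from linker to linkee,
    so a node pointed at by high-rank nodes gains rank; the (1 - damping) share is the
    uniform 'random jump' that keeps the scores well defined."""
    nodes = sorted(set(links) | {t for targets in links.values() for t in targets})
    n = len(nodes)
    rank = {v: 1.0 / n for v in nodes}
    for _ in range(iterations):
        new = {v: (1 - damping) / n for v in nodes}
        for src in nodes:
            targets = links.get(src, [])
            if not targets:                       # dangling node: spread its rank evenly
                for v in nodes:
                    new[v] += damping * rank[src] / n
            else:
                share = damping * rank[src] / len(targets)
                for t in targets:
                    new[t] += share
        rank = new
    return rank


# constructed vouching graph: A vouches for B and C, B vouches for C, C vouches for A
VOUCHES = {"A": ["B", "C"], "B": ["C"], "C": ["A"]}

if __name__ == "__main__":
    for node, score in sorted(pagerank(VOUCHES).items(), key=lambda kv: -kv[1]):
        print(node, round(score, 4))
```

C ends up highest because both A and B vouch for it, and A above B because C, itself highly ranked, vouches only for A. That is the slide's "linked from popular pages" effect; what the slide leaves open, and this example does not solve, is how to collect the vouch graph in a p2p system without letting the nodes being ranked report it themselves.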
33
Punishment
Remove malicious nodes when they are detected.
Can we have a global view? Who can punish the misbehaving nodes?
Unstructured p2p: do it by yourself.
Structured p2p: should convince other nodes, or do it by yourself!
34
35
Conclusions and Discussions
What we learned: topologies
Centralized p2p system • Search cost is bounded • Single point of failure
Decentralized p2p system
• Unstructured p2p system: flexible, unbounded search
• Structured p2p system: scalability, bounded search, only supports keyword queries
• Super peer architecture
36
Conclusions and Discussions: search
Constraint of hash: dimension reduction and document retrieval
• Absolute angle • Rolling index • Locality preserving hashing • iDistance
Application: BT
• For efficient downloading • Tit for tat
Skype • Super peer architecture
Security: identification, secure nodeId assignment and routing
37
Conclusions and Discussions
Better topologies? Robustness, scalability, flexibility, bounded search, fairness, etc.
38
Conclusions and Discussions
Support general queries? The constraint of hash: similarity search, range query, content-based retrieval.
Trust without a third party? nodeId assignment, routing table management, content management.
How to decide the score?