1

Security and Trust in P2P systems

2

What is trust

When thinking about security in a system, various entities need to “trust” others to varying degrees

So… what is trustTrust is a bet about the future contingent

actions of others

Trust and Security

Direct validationI need to know whether I can “trust” another

entity within this system Authentication

Indirect validationShould I trust “Alice” because my friend, Bob,

trusts her?RecommendationReputation

3

4

Trust and Security

The “perfect” P2P systemA system with perfectly flat hierarchy, and with

each entity allowing other entities to use local resources

How can we provide security without a centralized entity?

5

Malicious node

A malicious node might give erroneous responses to a requestApplication level

Returning false data

Network levelReturning false routes

May work together, acting in concert, to attack the remainder of the nodes

6

Issues

IdentificationRouting table risk

Victim DataVictim Peer

Content verificationPunishment

7

Identification

IdentityUndesirable to know the identity of other

entitiesPrivacy (

http://www1.businessweekly.com.tw/web/webarticle_45792_p1.html)

Anonymity

However,If you wish to trust entity A, you need to be able

to identify it

8

Identification

Public key infrastructures (PKI)Should be run with somebody!For a PKI to work in this sort of situation, you

need to have a trusted third party

Recommendation systemsChains of trust

Transitive trust

9

Identification

When trust must be transitive, it creates brittleness

In most P2P system, transitive trust is a key component

How to measure “reputation”RolesTime related

10

Secure Routing in p2p systems

Security routing primitive ensures that when a non-faulty nodes sends a message to a key k, the message reaches all non-faulty members in the set of replica roots Rk with very high probability

Security routing guarantees that a replicas are initially placed on legitimate replica roots, and that a lookup message reaches a replica if one exists

11

Three problems

Securely assigning nodeIds to nodesEnsure attackers cannot choose the value of nodeIDs

Securely maintaining the routing tablesEnsure that the fraction of faulty nodes that appear in

the routing tables of correct nodes does not exceed the fraction of faulty nodes in the entire overlay

Securely forwarding messagesEnsure that at least one copy of a message sent to a

key reaches each correct replica root for the key with high probability

12

Secure nodeId assignment

A node might choose its identifier maliciouslyAllocate itself a collection of nodeIds closer to

that document’s key than any existing nodes in the system (Victim Item)Censor a specific document

Choose nodeIds to maximize its chances of appearing in a victim node’s routing tables (Victim Peer)

13

Secure nodeId assignment

Centralized authorityThe server is only consulted when new nodes join and

is otherwise uninvolved in the actions of the p2p systemSybil attacks

Coalition nodes might try to get a large number of nodeIdsEven if those nodeIds are random, a large enough

collection of them would still give the attackers disproportionate control over the network

Moderate the rate at which nodeIds are given outCharging money?By solving little problem?

14

Robust routing primitives

If an attacker controls a fraction f of the nodes in the p2p network, we would expect that each entry in every routing table would have a probability of f of pointing to a malicious node.

If a desired route consumes h hopsThe probability being free of malicious nodes is

(1-f)h

How about Chord with 2m nodes?`

15

Robust routing primitives

Attempt multiple, redundant routes from the source to the destinationCostlyHow to determine “Not found”

16

Content verification

Adversary may spoof the resultsVerification can be done if we have

verification codesSolve by Google’s PageRank technology

Pages that are linked from “popular” pages are themselves more popular

How to add such a notion of popularity into a p2p system

17

Punishment

Remove malicious nodes when they are detected

How to detect malicious nodes?Can we have a global view, who can

punish the misbehave nodes?

Sybil Attack

“Sybil” (1973) by Flora Rheta Schreiber

Attacker creates multiple identities to control a large portion of the network

Identity Validation

John R. Douceur, The Sybil Attack, in Proceedings of 1st International Workshop on Peer-to-Peer Systems (IPTPS), 2002How does an entity know that two identities

come from different entities?Four Lemmas “prove” that Sybil attacks are

always possible without centralized authorityDirect validation (lemmas 1 & 2)Indirect validation (lemmas 3 & 4)

Lemma 1

Because entities are heterogeneous in terms of capabilities, a malicious entity can create several “minimal” identities

Lower-bound on number of identities

Lemma 2

Each correct entity must simultaneously validate all the identities it is presented, otherwise, a faulty entity can counterfeit an unbounded number of identities

Simultaneous identity verification not practical

Lemma 3

If a certain number of identities must vouch for a new identity for it to be accepted, then a set of compromised identities can create any number of new fake identities

A sufficient large set of faulty entities can counterfeit an unbounded number of identities

Lemma 4

All entities in the system must perform their identity validations concurrently; otherwise, a faulty entity can counterfeit a constant number of multiple identities.

Again, simultaneous validation is difficult in real-world networks.

Overview Conclusion

Networks require centralized authority to validate network identities

Without one, Sybil attacks are always a possibility

Mission

If it is hard to avoid, can we limit it?

IdeaModerate the rate at which nodeIds are given out

Charging money?By solving little problem?

25

26

Admission control system (ACS)Property

SecurityProvide resiliency against

EfficiencyShould be simple and does not require a lot of overhead on

participating nodes Fairness

Nodes should do an equal amount of work to join the network Response to attack

Make the attack more difficult while not affecting other legitimate nodes

Scalability

27

It is important that the upper layer nodes are both static and trustworthy

A must gain admission from a sequence of nodes, starting with leaf node B and ending with root X

At each stage, A is required to solve a puzzle presented by B

Decentralized, multi-puzzle scheme

28

Join protocolGet token

A wishes to join the network, it must first discover a leaf node B

To gain admission from B by solving B’s puzzleAfter solving the puzzle, it is given a token and is used

to prove to B’s parent admission by BAt each stage, A is given a token to be used as proof of

previous puzzle solution.When reach the root, a final token format is issued by X

• A’s signature

29

Connect to the networkA must prove to its prospective neighbors that it has

been admitted by the root node XSignature verification is costThe neighboring nodes each require A to solve one

more puzzle challenges protect neighbors from a DoS attack

30

Node UpgradeA must prove its stability before inclusion in the

ACSInitially, A joins the ACS as a leaf node, and

evaluated by its parent nodeTo maintain a balanced tree

A node only upgrades nodes when its number of children has reached the degree of the tree

When it is sufficiently deep to support the join load and achieve the proper security guarantees, no node will be added in the ACS

31

Node departureNot a member of ACS A member of ACS

Leave gracefully• The oldest child is chosen to replace the departing node

Due to a failure• Children must rejoin the network by

Contact its grandparent Or, find another node in the ACS

32

SecurityThe ACS is designed to limit Sybil attacks, not

to prevent them!Attacker is a member of ACS

Easily detected by the parent of the attacker by observing the rate of the token requests

Attacker is not a member of ACSControl a significant fraction of nodesAttack is limited by ensuring only a small number of

tokens are released during a period of time

33

How about patient attackers?

If an attacker is patient enough, it can achieve the required number of IDs to launch a massive attack

Cut-off windowDefine a token expiration time, WHow to determine the value of W

Limit the number of good users that must execute the rejoin process to a small percentage

Startup

The basic protocol provides minimum protection of the network during the startup process when it has small number of nodesAn attacker can obtain a large percentage of

nodes in a shorter timeFor example, if the network has 36 nodes, an

attacker needs to obtain 4 nodes to be in control of 10% of all the nodes. If we assume that it takes 5 minutes to get an ID, the

10% target can be achieved in less than 20 minutes.

34

Startup (method1)

Make the puzzles at the starting phase very difficult, and then decrease the difficulty linearly as nodes join.For example, if the initial puzzle takes an

average of two hours to be solved, then after one node joins the puzzle difficulty is reduced to 1 hour and 50 minutes.

Network initialization time will be high!

35

Startup(method 2)Define a start up window that impacts the

joining process for a finite time. Puzzle difficulty in this scheme decay over time

As opposed to the above scheme which reduces the puzzle difficult as the number of nodes grow.

For examplenodes joining the network at its inception are given

puzzles that take two hours to solve. nodes that join five minutes after inception are given

puzzles that take 1 hour and 55 minutes to solve. This continues until we reach the puzzle difficulty targeted

for the normal join process. 36

Startup(method 2)

The number of node IDs an attacker may obtain during this start up window depends on the arrival rate of the nodeshow much more powerful the attacker is

compared to the average user

much shorter network initialization time compared above scheme

37

38

Analysis

ModelsLegitimate nodes arrive according to a Poisson

distribution with an arrival rate of g

Life time is exponentially distributed with mean of g

Assume an attacker is equal in computational power to the average user

l: Joining difficulty (measured in maximum time)

39

Analysis

Puzzles and fairnessThe distribution of the time to solve the puzzle is uniformSingle puzzle of average time l / 2

n puzzles of difficulty l/n

Example5 mins to solve with a maximum standard deviation of 30

seconds• 9 puzzles and each takes max 33.3 seconds.

40

Analysis

Steady stateThe number of nodes in the network, N

N= g * g

To control fraction f of nodes, an attacker will be required to obtain (f/(1-f))*N IDs

Assume there are n attackersArrival rate of attacker nodes will be a = n / l

The time to launch a successful attack

41

Analysis

Example If λg = 1 node/sec, and µg = 2.3 hours, the

steady state number of nodes is 8280For the attacker to control 10% of the total

nodes in the network it is required to obtain 920 IDs

If the joining process takes on average 5 minutes, a successful attack would take 76 hours which is more than 3 days.

42

Analysis

Cut-off windows (legitimate nodes)P : the percentage of legitimate nodes that will

be required to reacquire fresh tokens

43

Analysis

ExampleIf µg = 2.3 hours and W = 4 hours,

The percentage of Legitimate nodes that will be cut off the network and asked to rejoin is 17.5%.

44

Analysis

Cut-off window (attackers)The combined number of nodes of n attackers

can accumulate is n*W / lExample

If the average join time is 5 minutes and W = 4 hoursThe maximum number of nodes an attacker can

accumulate is 48 nodes

45

Conclusions and Discussions

What we learnTopologies

Centralized p2p system• Search cost is bounded• Single point of failure

Decentralized p2p system• Unstructured p2p system

Flexible Unbounded search

• Structured p2p system Scalibility, bounded search Only support keyword query

• Super peer architecture

46

Conclusions and Discussions Search

Constraint of hashDimension reduction and Document retrieval

• Absolute angle• Rolling index• Locality preserving hashing• idistance

ApplicationBT

• For efficiency downloading • Tit for tat

Skype• Super peer architecture

SecurityACS

47

Conclusions and Discussions

A better topologies?RobustnessScalibilityFlexibleBounded searchFairnessEtc.

48

Conclusions and Discussions

Support general query?The constraint of hashSimilarity searchRange queryContent-based retrieval

Trust without a third party?nodeId assignmentRouting table managementContent management

How to decide the score?