Security Michael Foukarakis ([email protected] ) – 13/12/2004 A Survey of Peer-to-Peer Security Issues Dan S. Wallach Rice University, Houston, TX 77005, USA
Jan 01, 2016
Security
Michael Foukarakis ([email protected])– 13/12/2004
A Survey of Peer-to-Peer Security Issues
Dan S. Wallach Rice University, Houston, TX 77005, USA
Security
Introduction Background, models and solution Routing in p2p systems Storage Trust in p2p overlays Conclusions
Introduction
Peer to Peer systems: Gnutella & Napster: mainly for file sharing CAN, Chord, Pastry, Tapestry: structured
p2p overlays Designed for various services such as
network storage, content distribution, web caching, searching and indexing (use of routing tables)
Introduction
These systems are scalable, fault-tolerant and provide effective load balancing
Making them secure is a challenge Several types of attack:
– Erroneous responses (false data/routes)– Abuse of resources (disk space/bandwidth)– “trust” issues (malicious code)– Other
Security
Introduction Background, models and solution Routing in p2p systems Storage Trust in p2p overlays Conclusions
Background, models and solution
Abstract routing overlay model Nodes and objects have unique identifiers
called nodeIds and keys respectively. Keys are mapped to unique live nodes called roots
Nodes have routing tables and neighbor sets Replica functions are used to map keys to
sets of replica keys
Background, models and solution
Pastry Random assignment of nodeIds from a
circular 128-bit id space nodeIds and keys are thought of as a
sequence of digits in base 2b (b is usually 4) Routing is based on prefix
Background, models and solution
Pastry routing table
Background, models and solution
Message Routing Example
Source node: 65a1fcMessage has key: d46a1c
Message arrives at nodeD467c4 after 4 hops
Background, models and solution
System model The system has N nodes Fraction of faulty nodes (f): 0 ≤ f < 1 Faulty nodes form clusters of independent
coalitions whose size is bounded by cN where 1/N ≤ c < f
Parameter c is coalition independency factor
Background, models and solution
System model All IP addresses are static Communication is over Internet connections
– Network-level: no routing through the overlay– Overlay-level: routing through the overlay using
corresponding protocol Cryptographic techniques are used to
prevent data observation and modification
Security
Introduction Background, models and solution Routing in p2p systems Storage Trust in p2p overlays Conclusions
Routing in p2p systems
The problem: a malicious overlay node can corrupt, delete, deny access to or supply stale copies of all replicas of an object
We need a secure routing technique– Successful delivery of a message even if some
nodes corrupt, drop or misroute it– Successful delivery to all legitimate replica roots
for a given key
Routing in p2p systems
Secure routing requires:– 1)Securely assigning nodeIds to nodes
Attackers can’t choose values of nodeIds assigned to nodes they control
– 2)Securely maintaining the routing tables The fraction of faulty nodes in routing tables is less than
the fraction of faulty nodes in the entire overlay
– 3)Securely forwarding messages At least one copy of a message sent to a key reaches
correct replica roots for the key with high probability
Routing in p2p systems
1)Secure nodeId assignment Nodes might choose their identifiers
maliciously so that it is easy to censor specific documents or appear on the routing table of a victim node
Random assignment of nodeIds is necessary Possible use of a server that is only
consulted when new nodes join
Routing in p2p systems
1)Secure nodeId assignment What if a hostile node or coalition of nodes
try to get a large number of nodeIds? Best solution: moderate the rate at which
nodeIds are given out Other solutions: charging money for nodeId
certificates or external authentication requirements
Routing in p2p systems
2)Robust routing primitives Attackers control a fraction f of the nodes in the p2p
network For h hops, the probability a route is free of malicious
nodes is (1 – f)h Unfortunately, adversaries take advantage from
locality and they try to appear more often in their neighbor's routing table
Constrained routing tables
Routing in p2p systems
3)Robust routing primitives To increase the odds of a message reaching its
destination, we attempt redundant routes In Pastry, source node sends to all its neighbors.
Then, each of them forwards the message to the target node
If at least one route is successful, the message is considered successfully delivered
For f ≤ 30% probability of success is 99.9%
Routing in p2p systems
Ejecting misbehaving nodes That is an open problem If a node is accused of cheating, proof needs
to be presented It’s not clear how proof can be generated at
the routing layer False positives
Security
Introduction Background, models and solution Routing in p2p systems Storage Trust in p2p overlays Conclusions
Storage
Systems should be designed to limit how much remote space one can consume without providing a suitable amount of storage for the use of others
The same applies to network bandwidth
Storage – Disk Space
A malicious node might choose to claim its storage is full, when it actually has free space
What if we use a central authority again, just like in nodeId assignment? Use of quotas
That way every request to store a document would require a query to the quota authority
Bottleneck
Storage – Disk Space
Method 1: Attach Smartcards that provide quota information to each node. – Problem: Impractical, can be hacked
Method 2: Ask your neighbors to act as quota managers. Distribute quota information just like sending messages. – Problem: No incentive for the neighbors
Storage – Disk Space
Nodes keep two logs– Local list of files that the node is storing on behalf
of remote nodes– Remote list of files that other nodes are storing on
behalf of the local node Log entries contain IP addresses of remote
nodes and file sizes The local list also contains the amount of free
disk space available
Storage – Disk Space
Of course, feeding false information to nodes is a problem
Anonymous communication prevents this This way a node does not know who is
checking on it
Storage – Disk Space
Cheating chains Example: A claims it’s storing a file for B and
B confirms that, but no files are actually stored. The same can happen with more nodes
Random audits should be performed with random keys. This way cheaters will be eventually caught, but it is costly
Storage – Network Bandwidth
Bandwidth sharing Micropayment systems Perform query→spend a token Receive a query→get a token Surplus of tokens→refuse to service queries High cost of evaluating validity of tokens Data needs to be widely replicated
Security
Introduction Background, models and solution Routing in p2p systems Storage Trust in p2p overlays Conclusions
Trust in p2p overlays
Spoofing of search results is possible Solution: implementation of something like
Google’s PageRank technology– For Google, pages linked by “popular” pages are
themselves more popular– We could add this notion of popularity in p2p
systems using the audit log– Users themselves could rank the files
Code → Architecture to safely execute it
Security
Introduction Background, models and solution Routing in p2p systems Storage Trust in p2p overlays Conclusions
Conclusions
Summary of security techniques– Cryptography– Redundant routing– Economic methods
Diversity of p2p systems → diversity of solutions