Security Michael Foukarakis – 13/12/2004 A Survey of Peer-to-Peer Security Issues Dan S. Wallach Rice University, Houston, TX 77005, USA
Security Introduction Background, models and solution Routing in p2p systems Storage Trust in p2p overlays Conclusions
Introduction Peer to Peer systems: Gnutella & Napster: mainly for file sharing CAN, Chord, Pastry, Tapestry: structured p2p overlays Designed for various services such as network storage, content distribution, web caching, searching and indexing (use of routing tables)
Introduction These systems are scalable, fault-tolerant and provide effective load balancing Making them secure is a challenge Several types of attack: – Erroneous responses (false data/routes) – Abuse of resources (disk space/bandwidth) – “trust” issues (malicious code) – Other
Security Introduction Background, models and solution Routing in p2p systems Storage Trust in p2p overlays Conclusions
Background, models and solution Abstract routing overlay model Nodes and objects have unique identifiers called nodeIds and keys respectively. Keys are mapped to unique live nodes called roots Nodes have routing tables and neighbor sets Replica functions are used to map keys to sets of replica keys
Background, models and solution Pastry Random assignment of nodeIds from a circular 128-bit id space nodeIds and keys are thought of as a sequence of digits in base 2 b (b is usually 4) Routing is based on prefix
Background, models and solution Pastry routing table
Background, models and solution Message Routing Example Source node: 65a1fc Message has key: d46a1c Message arrives at node D467c4 after 4 hops
Background, models and solution System model The system has N nodes Fraction of faulty nodes (f): 0 ≤ f < 1 Faulty nodes form clusters of independent coalitions whose size is bounded by cN where 1/N ≤ c < f Parameter c is coalition independency factor
Background, models and solution System model All IP addresses are static Communication is over Internet connections – Network-level: no routing through the overlay – Overlay-level: routing through the overlay using corresponding protocol Cryptographic techniques are used to prevent data observation and modification
Security Introduction Background, models and solution Routing in p2p systems Storage Trust in p2p overlays Conclusions
Routing in p2p systems The problem: a malicious overlay node can corrupt, delete, deny access to or supply stale copies of all replicas of an object We need a secure routing technique – Successful delivery of a message even if some nodes corrupt, drop or misroute it – Successful delivery to all legitimate replica roots for a given key
Routing in p2p systems Secure routing requires: – 1)Securely assigning nodeIds to nodes Attackers can’t choose values of nodeIds assigned to nodes they control – 2)Securely maintaining the routing tables The fraction of faulty nodes in routing tables is less than the fraction of faulty nodes in the entire overlay – 3)Securely forwarding messages At least one copy of a message sent to a key reaches correct replica roots for the key with high probability
Routing in p2p systems 1)Secure nodeId assignment Nodes might choose their identifiers maliciously so that it is easy to censor specific documents or appear on the routing table of a victim node Random assignment of nodeIds is necessary Possible use of a server that is only consulted when new nodes join
Routing in p2p systems 1)Secure nodeId assignment What if a hostile node or coalition of nodes try to get a large number of nodeIds? Best solution: moderate the rate at which nodeIds are given out Other solutions: charging money for nodeId certificates or external authentication requirements
Routing in p2p systems 2)Robust routing primitives Attackers control a fraction f of the nodes in the p2p network For h hops, the probability a route is free of malicious nodes is (1 – f) h Unfortunately, adversaries take advantage from locality and they try to appear more often in their neighbor's routing table Constrained routing tables
Routing in p2p systems 3)Robust routing primitives To increase the odds of a message reaching its destination, we attempt redundant routes In Pastry, source node sends to all its neighbors. Then, each of them forwards the message to the target node If at least one route is successful, the message is considered successfully delivered For f ≤ 30% probability of success is 99.9%
Routing in p2p systems Ejecting misbehaving nodes That is an open problem If a node is accused of cheating, proof needs to be presented It’s not clear how proof can be generated at the routing layer False positives
Security Introduction Background, models and solution Routing in p2p systems Storage Trust in p2p overlays Conclusions
Storage Systems should be designed to limit how much remote space one can consume without providing a suitable amount of storage for the use of others The same applies to network bandwidth
Storage – Disk Space A malicious node might choose to claim its storage is full, when it actually has free space What if we use a central authority again, just like in nodeId assignment? Use of quotas That way every request to store a document would require a query to the quota authority Bottleneck
Storage – Disk Space Method 1: Attach Smartcards that provide quota information to each node. – Problem: Impractical, can be hacked Method 2: Ask your neighbors to act as quota managers. Distribute quota information just like sending messages. – Problem: No incentive for the neighbors
Storage – Disk Space Nodes keep two logs – Local list of files that the node is storing on behalf of remote nodes – Remote list of files that other nodes are storing on behalf of the local node Log entries contain IP addresses of remote nodes and file sizes The local list also contains the amount of free disk space available
Storage – Disk Space Of course, feeding false information to nodes is a problem Anonymous communication prevents this This way a node does not know who is checking on it
Storage – Disk Space Cheating chains Example: A claims it’s storing a file for B and B confirms that, but no files are actually stored. The same can happen with more nodes Random audits should be performed with random keys. This way cheaters will be eventually caught, but it is costly
Storage – Network Bandwidth Bandwidth sharing Micropayment systems Perform query→spend a token Receive a query→get a token Surplus of tokens→refuse to service queries High cost of evaluating validity of tokens Data needs to be widely replicated
Security Introduction Background, models and solution Routing in p2p systems Storage Trust in p2p overlays Conclusions
Trust in p2p overlays Spoofing of search results is possible Solution: implementation of something like Google’s PageRank technology – For Google, pages linked by “popular” pages are themselves more popular – We could add this notion of popularity in p2p systems using the audit log – Users themselves could rank the files Code → Architecture to safely execute it
Security Introduction Background, models and solution Routing in p2p systems Storage Trust in p2p overlays Conclusions
Summary of security techniques – Cryptography – Redundant routing – Economic methods Diversity of p2p systems → diversity of solutions