Security in Peer-to-Peer Networks
Security Demands in P2P
Threats & Counter Measures
Authentication
Admission Control
Availability
Withstand resource exhaustion attacks
Prevent network poisoning (routing, data)
Authenticity
Prevent impersonation of peers & Sybil attacks
Discover document/data frauds
Admission control
Decentralized solutions?
Anonymity
Security Demands & Threats in P2P Systems
Resource Exhaustion: Storage & Retrieval Attacks & Defences
Peer overloading
Threat: massive data injection into one key range
Counter measure: mixing/random choice of IDs, peers must check
Service denial
Threat: node joins & cooperates correctly, but denies data access
Counter measure: individually verifiable data redundancy, not reliant on a single node of responsibility
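The countermeasure above (data redundancy that each retriever can verify on its own) is easiest to see with content addressing, where the key of an item is the hash of the item itself. The following Go program is an added example written for these notes, not code from the slides: it assumes SHA-256 content keys and models replicas as functions, one of which denies service and one of which serves forged data.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
)

// Key is a content-derived key: the DHT key of a data item is the SHA-256 of the item,
// so any replica's copy can be checked without trusting the node that served it.
type Key [32]byte

// ContentKey derives the key under which data is stored (assumption of this example:
// the overlay uses content addressing).
func ContentKey(data []byte) Key {
	return Key(sha256.Sum256(data))
}

// Replica models one node responsible for a key. It returns (copy, true) when it serves
// data and (nil, false) when it denies the request.
type Replica func(key Key) ([]byte, bool)

// RetrieveResult records what happened on the way to a verified copy, for logging
// or reputation bookkeeping.
type RetrieveResult struct {
	Data     []byte
	Denied   int // replicas that refused to serve
	Forged   int // replicas that served data not matching the key
	ServedBy int // index of the replica whose copy verified, -1 if none
}

// VerifiedRetrieve asks replicas in turn and returns the first copy whose hash matches
// the key. A single node that denies access or serves forged content cannot block
// retrieval as long as one honest replica remains.
func VerifiedRetrieve(key Key, replicas []Replica) (RetrieveResult, error) {
	res := RetrieveResult{ServedBy: -1}
	for i, r := range replicas {
		data, ok := r(key)
		if !ok {
			res.Denied++
			continue
		}
		if ContentKey(data) != key {
			res.Forged++
			continue
		}
		res.Data = data
		res.ServedBy = i
		return res, nil
	}
	return res, errors.New("no replica served a copy matching the key")
}

func main() {
	// Constructed sample data and replicas for the demo.
	original := []byte("constructed sample document")
	key := ContentKey(original)
	replicas := []Replica{
		func(Key) ([]byte, bool) { return nil, false },              // denies service
		func(Key) ([]byte, bool) { return []byte("garbage"), true }, // serves forged data
		func(Key) ([]byte, bool) { return original, true },          // honest
	}
	res, err := VerifiedRetrieve(key, replicas)
	fmt.Printf("err=%v servedBy=%d denied=%d forged=%d data=%q\n",
		err, res.ServedBy, res.Denied, res.Forged, res.Data)
}
```

The point of returning the denial and forgery counts is that the retriever learns which replicas misbehaved, which is the input a reputation mechanism needs even though the slides note that reputation is hard to build for short-lived nodes.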
Resource Exhaustion (2): Storage & Retrieval Attacks & Defences
Query flooding
Threat: denial of service by massive queries to a (group of) nodes
Counter measure: this is a standard flooding attack without amplification; avoid node IDs being grouped topologically
Rapid Joins & Leaves (3rd-party triggered)
Threat: adversary injects arrival/failure reports to trigger reorganization of remote nodes
Counter measure: Verify 3rd party reports prior to reorganization, apply time watermarks
Network Poisoning: Routing Attacks
Incorrect Lookup Routing
Threat: adversary forwards lookups to incorrect nodes
Counter measure (in DHTs): querier can check whether query response gets closer to the requested key
Incorrect Routing Updates
Threat: adversary injects incorrect routes on updates (false, or less efficient, or fellow malicious nodes)
Counter measure: Nodes should check updates for consistency, query with trusted parties
General Problem: Evaluation of reputation & trust in networks with short-term presence of nodes
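The querier-side check against incorrect lookup routing (each hop returned by a responder must be closer to the requested key than the responder itself) is shown below in Go. This is an added example, not from the slides; it assumes a Kademlia-style 160-bit ID space with the XOR distance metric, whereas the slide speaks of DHTs in general.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"math/big"
)

// NodeID is a 160-bit identifier, as in Kademlia (assumption of this example).
type NodeID [20]byte

// xorDistance is the Kademlia metric d(a, b) = a XOR b, read as an unsigned integer.
func xorDistance(a, b NodeID) *big.Int {
	var d NodeID
	for i := range a {
		d[i] = a[i] ^ b[i]
	}
	return new(big.Int).SetBytes(d[:])
}

// Closer reports whether candidate is strictly closer to key than reference.
func Closer(candidate, reference, key NodeID) bool {
	return xorDistance(candidate, key).Cmp(xorDistance(reference, key)) < 0
}

// LookupCheck is the outcome of checking one lookup response.
type LookupCheck struct {
	Accepted   []NodeID
	Rejected   []NodeID
	Suspicious bool // responder returned at least one hop that does not make progress
}

// CheckLookupResponse applies the slide's rule: every next hop a responder returns
// must be closer to the requested key than the responder itself. Hops failing the
// test are dropped and the responder is flagged so the querier can route around it.
func CheckLookupResponse(key, responder NodeID, hops []NodeID) LookupCheck {
	var c LookupCheck
	for _, h := range hops {
		if Closer(h, responder, key) {
			c.Accepted = append(c.Accepted, h)
		} else {
			c.Rejected = append(c.Rejected, h)
			c.Suspicious = true
		}
	}
	return c
}

// idWithPrefix builds a constructed NodeID whose first byte is b (rest zero), for the demo.
func idWithPrefix(b byte) NodeID {
	var id NodeID
	id[0] = b
	return id
}

func main() {
	key := idWithPrefix(0x00)
	responder := idWithPrefix(0x80)
	// Two hops make progress toward the key; 0xC0... is farther away than the responder.
	hops := []NodeID{idWithPrefix(0x40), idWithPrefix(0xC0), idWithPrefix(0x01)}
	c := CheckLookupResponse(key, responder, hops)
	fmt.Println("accepted:", len(c.Accepted), "rejected:", len(c.Rejected), "suspicious:", c.Suspicious)
	for _, r := range c.Rejected {
		fmt.Println("  rejected hop prefix", hex.EncodeToString(r[:4]))
	}
}
```

The check is local and needs no trusted party, which is why it is practical despite the short-lived presence of nodes; the slide's second countermeasure (cross-checking routing updates with trusted parties) would sit on top of it.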
Network Poisoning: Routing Attacks (2)
Sybil Attacks
Threat: adversary repeatedly joins using different IDs
Counter measures:
(a) identities certified by a 3rd party (non-autonomous authentication)
(b) add resource overheads (crypto puzzles) to join procedure
Network Partitioning
Vulnerable at bootstrap: a new node may be led into an incorrect ‘shadow overlay’
Counter measure: Out-of-band trust to the bootstrap node. Once a node has knowledge of trusted parties (from bootstrap) it can always check the consistency of routing tables
Network Poisoning: Data Attacks
Forged content flooding
Threat: adversary massively injects ‘worthless’ content (e.g., empty mp3 …)
Counter measures:
Authentication & admission for content submission
Initial content evaluation/verification
Authentication of Peers
Node must prove its identity: verifiable ID
Simple approach: Hashing of IP address
(complies with weak authentication of the Internet)
Strong approach: Cryptographic identifiers (in analogy to Cryptographically Generated Addresses, RFC 3972)
See draft-baumgart-p2psip-p2pns
Node creates public-private key pair (Ksec, Kpub)
Generate node ID from hash(Kpub)
(including crypto-puzzle to hinder Sybil attacks)
Sign packets using Ksec
Non-autonomous option: 3rd-party certificates
Cryptographically Generated Addresses (RFC 3972)
sec parameter increases CGA generation complexity exponentially
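The cryptographic-identifier scheme of the previous slide (key pair, node ID derived from hash(Kpub), a crypto-puzzle in the join procedure as Sybil countermeasure (b), packets signed with Ksec, and a difficulty parameter that raises generation cost exponentially as the CGA sec parameter does) is worked through below in Go. This is an added example for these notes, not code from the slides or from RFC 3972 / draft-baumgart-p2psip-p2pns: it assumes Ed25519 keys and SHA-256, and the hash encodings, the "p2p-node-id:" domain prefix and the puzzleBits parameter are this example's own choices.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"math/bits"
)

// NodeIdentity holds a node's key pair (Ksec, Kpub), the puzzle modifier found at join
// time, and the node ID derived from the public key.
type NodeIdentity struct {
	Pub      ed25519.PublicKey
	priv     ed25519.PrivateKey
	Modifier uint64
	ID       [32]byte
}

// SignedPacket carries everything a receiver needs to authenticate the sender.
type SignedPacket struct {
	ID       [32]byte
	Pub      ed25519.PublicKey
	Modifier uint64
	Payload  []byte
	Sig      []byte
}

func u64(v uint64) []byte {
	var b [8]byte
	binary.BigEndian.PutUint64(b[:], v)
	return b[:]
}

// leadingZeroBits counts zero bits at the front of a hash (the puzzle difficulty test).
func leadingZeroBits(h [32]byte) int {
	n := 0
	for _, b := range h {
		if b != 0 {
			return n + bits.LeadingZeros8(b)
		}
		n += 8
	}
	return n
}

// puzzleHash plays the role of CGA's Hash2: SHA-256(Kpub || modifier) must start with
// puzzleBits zero bits. Each extra bit doubles the work of minting an identity, which is
// what makes mass generation of Sybil identities costly (RFC 3972 demands 16*sec bits).
func puzzleHash(pub ed25519.PublicKey, modifier uint64) [32]byte {
	return sha256.Sum256(append(append([]byte{}, pub...), u64(modifier)...))
}

// deriveID plays the role of CGA's Hash1: the node ID is bound to Kpub and the modifier.
func deriveID(pub ed25519.PublicKey, modifier uint64) [32]byte {
	return sha256.Sum256(append(append([]byte("p2p-node-id:"), pub...), u64(modifier)...))
}

// NewNodeIdentity generates a key pair, solves the join puzzle, and derives the ID.
func NewNodeIdentity(puzzleBits int) (*NodeIdentity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	modifier := uint64(0)
	for leadingZeroBits(puzzleHash(pub, modifier)) < puzzleBits {
		modifier++
	}
	return &NodeIdentity{Pub: pub, priv: priv, Modifier: modifier, ID: deriveID(pub, modifier)}, nil
}

// packetBytes is the byte string that gets signed: ID, modifier and payload together,
// so none of them can be swapped without invalidating the signature.
func packetBytes(id [32]byte, modifier uint64, payload []byte) []byte {
	b := append([]byte{}, id[:]...)
	b = append(b, u64(modifier)...)
	return append(b, payload...)
}

// Sign produces a packet signed with Ksec.
func (n *NodeIdentity) Sign(payload []byte) SignedPacket {
	sig := ed25519.Sign(n.priv, packetBytes(n.ID, n.Modifier, payload))
	return SignedPacket{ID: n.ID, Pub: n.Pub, Modifier: n.Modifier, Payload: payload, Sig: sig}
}

// VerifyPacket is what a receiving peer runs before trusting a packet: the claimed ID
// must be derived from the presented key, the join puzzle must be solved for that key,
// and the signature must verify under it.
func VerifyPacket(p SignedPacket, puzzleBits int) error {
	if len(p.Pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if deriveID(p.Pub, p.Modifier) != p.ID {
		return errors.New("node ID is not derived from the presented public key")
	}
	if leadingZeroBits(puzzleHash(p.Pub, p.Modifier)) < puzzleBits {
		return errors.New("join puzzle not solved for this identity")
	}
	if !ed25519.Verify(p.Pub, packetBytes(p.ID, p.Modifier, p.Payload), p.Sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	const puzzleBits = 12 // small for the demo: about 2^12 hashes per identity
	me, err := NewNodeIdentity(puzzleBits)
	if err != nil {
		panic(err)
	}
	pkt := me.Sign([]byte("LOOKUP key=42"))
	fmt.Println("node ID prefix:", hex.EncodeToString(me.ID[:8]), "modifier:", me.Modifier)
	fmt.Println("genuine packet:", VerifyPacket(pkt, puzzleBits))
	forged := pkt
	forged.ID[0] ^= 0xff // a peer claiming another node's ID with its own key
	fmt.Println("forged ID:", VerifyPacket(forged, puzzleBits))
}
```

Raising puzzleBits by one doubles the expected number of hashes a joining node must compute, which is the exponential cost growth the slide attributes to the CGA sec parameter; verification stays a single hash, so honest receivers pay almost nothing.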
Authentication of Documents
Content can be verified with respect to its sender (based on cryptographic identifiers, CGIs)
Problem: Large content (streams) cannot be efficiently verified by RSA
More difficult:
How to prove that the document is the original?
Option: 3rd party certificates
Also: Approaches proving age of data
Distributed Admission Control
Problem: Controlled P2P environments need to prevent unauthorized access (e.g., to licensed software updates), but central admission control does not scale
Task: Distributed (not delegated) Single Sign-On Service
Approach:
Public key cryptography: key pair (Ksec, Kpub) for each peer
Maintain bindings between the public key Kpub and the corresponding peer, according to some policy, at (distributed, trusted) authentication servers