Re: security (Re: [Gzz-commits] gzz/Documentation/misc/hemppah-progradu mastert...)

[hemppah]

Quoting Alatalo Toni <address@hidden>:
> > +As we discussed already in chapter 4, Fenfire's Storm design
> >  uses SHA-1 \footnote{SHA-1 is considered a collision free hash function.
> Therefore, it is
> >  very unlikely that two different Storm scroll blocks would have same
> identifier.}
> 
> doesn't this also guarantee (some degree, or even absolute..?) data
> integrity? i don't know that algorithm yet (or the other, bitzi?, things)

Yes. SHA-1 is discussed in the thesis (in Storm section, in multisource
downloads and hash trees).

> 
> > +throughout the Peer-to-Peer overlay. Our task is to locate and fetch
> > +(i.e. obtain) \emph{all} Storm scroll blocks, associated to a specific
> ''virtual
> > +file'', from Peer-to-Peer overlay as efficiently as possible. In addition
> to
> > +\emph{direct} scroll block obtaining using globally unique identifier of
> Storm block,
> > +we also must support \emph{indirect} obtaining of Storm scroll block using
> pointer blocks.
> 
> are there tradeoffs between that efficiency and security?

Yes, there are. For instance with Spam attack, in which (currently) one have to
trust on majority's opinion. Clearly, this operation requires more messages to
be sent.

> 
> > +In the following sections, we don't respond to security issues. We
> assume
> > +that either system has a reliable techique for identifying invidual
> entities, or
> > +there are no hostile entities in the system.
> 
> those do sound like sane assumptions to me (i.e. there are techniques
> available for those tasks?) for this limited treatment. or? should read
> the whole text to able to see that, of course.

Currently, AFAIK, there is no working security infrastructure for P2P (e.g.
PKI-based). THe most biggest issues with PKIs are key revokation and
distribution of new keys (e.g., from the same entity). However, there is
SDSI/SPKI, but techonology it is not yet mature enough. Initial research has
been done regarding this (ConChord-project). SDSI/SPKI is hierarchical, which
*may* not be suitable for P2P enviroment. Additionally, distinction between
different entities is a major issue (Sybil attack).

Very recently, access control with RDF schemas has been proposed. However, their
current prototype works only with loosely structured systems (Gnutella 
variations).


-Hermanni



-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/