[Gzz-commits] gzz/Documentation/misc/hemppah-progradu mastert...


From: Hermanni Hyytiälä
Subject: [Gzz-commits] gzz/Documentation/misc/hemppah-progradu mastert...
Date: Mon, 24 Mar 2003 05:15:33 -0500

CVSROOT:        /cvsroot/gzz
Module name:    gzz
Changes by:     Hermanni Hyytiälä <address@hidden>      03/03/24 05:15:33

Modified files:
        Documentation/misc/hemppah-progradu: masterthesis.tex 
                                             progradu.bib 

Log message:
        Updates

CVSWeb URLs:
http://savannah.gnu.org/cgi-bin/viewcvs/gzz/gzz/Documentation/misc/hemppah-progradu/masterthesis.tex.diff?tr1=1.173&tr2=1.174&r1=text&r2=text
http://savannah.gnu.org/cgi-bin/viewcvs/gzz/gzz/Documentation/misc/hemppah-progradu/progradu.bib.diff?tr1=1.114&tr2=1.115&r1=text&r2=text

Patches:
Index: gzz/Documentation/misc/hemppah-progradu/masterthesis.tex
diff -u gzz/Documentation/misc/hemppah-progradu/masterthesis.tex:1.173 
gzz/Documentation/misc/hemppah-progradu/masterthesis.tex:1.174
--- gzz/Documentation/misc/hemppah-progradu/masterthesis.tex:1.173      Fri Mar 
21 11:23:01 2003
+++ gzz/Documentation/misc/hemppah-progradu/masterthesis.tex    Mon Mar 24 
05:15:32 2003
@@ -845,29 +845,38 @@
 
 \section{Security problems in Peer-to-Peer}
 
-In this section we discuss security problems related to Peer-to-Peer domain.
+In this section we describe security problems related to Peer-to-Peer domain. 
First, we discuss attacks 
+and lack of trust in Peer-to-Peer systems. Then, we describe anonymity, access 
control, hostile entities
+and secure query routing problems. Finally, we briefly cover external security 
threats.
 
 \subsection{Attacks}
 
+As stated in \cite{naor03simpledht}, an important aspect is that when it comes 
to different attack models in 
+any Peer-to-Peer system, there should be a clear distinction between attacks 
on the 
+algorithms assuming the construction of the overlay is correct, and attacks on 
the construction itself. Clearly, Sybil
+and Spam attacks belong to the first category, and the rest of the attacks to 
the latter category.
+
 There are five known attack models against Peer-to-Peer systems: the Sybil 
attack \cite{douceur02sybil},
 the Fail-stop attack, the Spam attack \cite{naor03simpledht}, the Byzantine 
attack \cite{357176} and \cite{296824}, and
 the Distributed Denial of Service attack. 
 
 In the Sybil attack model \cite{douceur02sybil}, a hostile entity presents 
multiple 
-entities. Therefore, one hostile entity can control a large fraction of 
Peer-to-Peer system. Possible solution against 
-the Sybil attack would be that the system could distinguish entities of the 
system reliably. Unfortunately,
-currently there are no realizable techniques for this task. Partial solutions 
for the Sybil attack is to replicate
-and fragment data items randomly among several participating peers. However, 
this suggestion assumes that two different 
-remote entities are actually different; Sybil attacks are still possible and 
therefore would need centralized 
-authority for reliable authentication. Without centralized authority, 
-Sybil attacks are always possible in a Peer-to-Peer system except under 
extreme and unrealistic assumptions of 
-resource parity and coordination among entities \cite{douceur02sybil}.
+entities, i.e., when a peer selects a subset of entities to perform a 
operation, a peer can select the same
+hostile entity multiple times. Therefore, one hostile entity can control a 
large fraction of Peer-to-Peer system thereby
+repressing the redundancy of the system. Unfortunately, currently there are no 
realizable techniques for against the Sybil
+attack: without a centralized authority, Sybil attacks are always possible in 
a Peer-to-Peer 
+system except under extreme and unrealistic assumptions of resource parity and 
coordination among entities \cite{douceur02sybil}.
+Castro et al. \cite{castro02securerouting} suggest the use of cryptographic 
content hashes in the creation process of peer identifier
+against the Sybil attack. According to authors, in this technique the IP 
address of a peer can be verified by the other peer. 
+They call this method as a one form of \emph{self-certifying data}. 
+ 
  
-In the Fail-stop attack model, cited in \cite{naor03simpledht}, a faulty peer 
is deleted from the Peer-to-Peer system.
-The reason for the faultiness of a peer can be a software failure or a hostile 
attack. 
-The Byzantine attack model \cite{357176} is closely related to Fail-stop 
model. Byzantine model can be seen as more 
-severe than Fail-stop model as there are no restrictions over the behavior of 
faulty peers. A practical 
-solution for the Byzantine failures have been proposed by Castro et al. 
\cite{296824}. 
+In the Fail-stop attack model, cited in \cite{naor03simpledht}, a faulty peer 
is deleted from the Peer-to-Peer system. Thus,
+a specific data item can be lost from the system temporaraly (or permanently). 
The reason for the faultiness of a peer can be a 
+software failure or a hostile attack. The Byzantine attack model \cite{357176} 
is closely related to Fail-stop model. The Byzantine model can 
+be seen as more severe than Fail-stop model as there are no restrictions over 
the behavior of faulty peers; for instance,
+the cooperation between multiple malicious faulty peers is possible  
\cite{357176}. A practical solution for the Byzantine failures have been 
+proposed by Castro et al. \cite{296824}. 
 
 The Spam generating attack \cite{naor03simpledht} is an another known attack 
model against Peer-to-Peer system. In the Spam
 attack, a hostile or faulty peer may produce false information of the data, or 
refuses to (or is not able to) reply to requests. 
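Review bot: The rewritten Sybil paragraph contradicts itself: "currently there are no realizable techniques for against the Sybil attack" is followed directly by the Castro et al. identifier-hashing suggestion, presented as a measure "against the Sybil attack". Say instead that no complete defence exists without a centralized authority, introduce the Castro et al. technique as a partial measure, and state what verifying a peer's IP address is meant to prevent. The moved classification paragraph ("As stated in \cite{naor03simpledht} ...") now refers to "Sybil and Spam attacks" and "the rest of the attacks" before the five attack models are enumerated; it reads better after the "There are five known attack models" paragraph. Wording in the added lines: "a operation" should be "an operation", "for against" should be "against", "temporaraly" should be "temporarily", "as a one form of" should be "one form of", and "have been proposed" should be "has been proposed".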
@@ -877,35 +886,34 @@
 the previously mentioned solution doesn't work. Naor et al. 
\cite{naor03simpledht} have proposed a partial solution against Spam attack
 in a \emph{faulty} peer environment (not hostile).
 
-Traditional overloading of targeted peers is the best known form of 
distributed Denial of Service attack (DDoS) (see, e.g., \cite{372148}). 
-For example, a hostile entity can attempt to burden targeted peers with 
garbage network packets. As an implication, peers may act
-incorrectly or stop working. The DDoS attack may be very severe, especially if 
the rate of replication and caching 
-in the Peer-to-Peer system is low. This may lead to data loss in the 
Peer-to-Peer system. Daswani et al. 
-\cite{daswani02queryflooddos} suggest efficient load balancing 
-policies for Peer-to-Peer system in order to prevent massive system failures. 
Sit et al. \cite{sit02securitycons} 
+Overloading of targeted peers is a form of Distributed Denial of Service 
attack (DDoS) (see, e.g., \cite{372148}). For instance, 
+a hostile entity can attempt to burden targeted peers with garbage network 
packets. As a consequence, peers may act incorrectly or 
+stop working. Daswani et al. \cite{daswani02queryflooddos} suggest efficient 
load balancing 
+policies for Peer-to-Peer system in order to prevent massive system failures. 
They suggest a traffic model 
+that can be used to understand the effects of DDoS attacks. Sit et al. 
\cite{sit02securitycons} 
 suggest that identifier assignment algorithm for peers would assign identifier 
with respect to network topology 
 and replicas should be located physically to different locations.
 
-As stated in \cite{naor03simpledht}, an important aspect is that when it comes 
to different attack models in 
-any Peer-to-Peer system, there should be a clear distinction between attacks 
on the 
-algorithms assuming the construction of the overlay is correct, and attacks on 
the construction itself. Clearly, Sybil
-and Spam attacks belong to the first category, and the rest of the attacks to 
the latter category.
 
-\subsection{Trust, data authenticity and integrity}
+\subsection{Trust management, data authenticity and integrity}
 
-Trust in Peer-to-Peer systems is based on \emph{reputation}. Proposed 
reputation methods focus either
-on the semantic properties or the data management properties of the trust 
model. Some research has been 
-done on reputation models in Peer-to-Peer systems, such as 
\cite{aberer01trust}, \cite{cornelli02reputableservents}. 
-One implementation include Advogato \cite{advogatourl}. None of the current 
proposals or implementations 
-based on reputation address trust in a reliable, practical way.
+According to \cite{aberer01trust}, mutual trust ''...allows agents to 
cooperate in a game-theoretic situation that corresponds 
+to the repeated prisoners dilemma and leads in the long term to an increased 
aggregated utility for the participating agents''. 
+They define \emph{trust management} as a mechanism that allows to establish 
mutual trust. Furthermore, \emph{reputation} is a measure
+that is derived from knowledge on interactions in the past 
\cite{aberer01trust} In this subsection, we discuss mechanisms to maintain
+trust in Peer-to-Peer systems.
+
+Trust in Peer-to-Peer systems is based on \emph{reputation}. Little research 
has been done on reputation models in Peer-to-Peer 
+systems, such as \cite{aberer01trust}, \cite{cornelli02reputableservents}. In 
\cite{aberer01trust}, authors present a scalable
+trust management model, which can be used in Peer-to-Peer enviroment. Authors 
in \cite{cornelli02reputableservents}
+suggest techniques to keep track and share information about the reputation of 
a peer with others peers. 
 
-Optimal solution for trust in Peer-to-Peer systems would be certificate based 
security models.
 Quite recently, widely used Public Key Infrastructure (PKI) has been deployed 
in distributed
 systems \cite{rivest96sdsi}, \cite{spkiworkinggroup}. PKI is a reliable 
technology for securing
-data in rather \emph{static} computing systems, such as the Internet. However, 
in Peer-to-Peer 
-networks, the problem of key-based security mechanism is the maintenance of 
the keys as participating
-peers constantly join and leave the system. These include the revocation of 
keys and the distribution of
-new keys in a hostile environment.
+data in computing systems, such as the Internet. However, in Peer-to-Peer 
+networks, the problem of key-based security mechanism may be the maintenance 
of keys as participating
+peers constantly join and leave the system, i.e., the revocation of keys and 
the 
+distribution of new keys in a hostile environment \cite{KohMau99}.
 
 ConChord \cite{ajmani02conchord} is the first Peer-to-Peer system which has a 
support for PKI based
 security infrastructure. Still, however, ConChord \cite{ajmani02conchord} is 
in early phase of development and lacks
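Review bot: In the new trust-management introduction, the sentence ending "interactions in the past \cite{aberer01trust}" has no full stop before "In this subsection", and the quotation opens with '' which LaTeX typesets as a closing quote; use `` to open and '' to close. "Little research has been done on reputation models ..., such as \cite{aberer01trust}, \cite{cornelli02reputableservents}" attaches "such as" to "little research"; reword so the citations are given as the existing work. With the "Optimal solution ..." sentence deleted, the PKI paragraph now opens at "Quite recently" with no link back to the reputation discussion, so a short transition sentence is needed. Spelling in the added lines: "enviroment" and "others peers".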
@@ -913,46 +921,36 @@
 (SDSI) \cite{rivest96sdsi} and Simple Public Key Infrastructure (SPKI) 
\cite{spkiworkinggroup} may be a problem for 
 Peer-to-Peer systems, in which hierarchy is intentionally missing.
 
-For data integrity, on the other hand, there are few working solutions. 
Cryptographic content hashes
+For data integrity, on the other hand, there are working techniques. 
Cryptographic content hashes
 \cite{fips-sha-1}, their variations \cite{merkle87hashtree} and implementation 
techniques \cite{mohr02thex}
-are efficient and reliable methods for identifying the integrity of data in 
Peer-to-Peer systems. One
-possible application of cryptographic content hashes may be in the creation 
process of peer identifier, in which
-the IP address of a peer can be verified by the other peer. This is one form 
of \emph{self-certifying data}. 
-
+are efficient and reliable methods for identifying the integrity of data in 
Peer-to-Peer systems.
 
 \subsection{Anonymity}
 
-According to \cite{dingledine00free}, there exist several kinds of anonymity. 
Author-anonymity is a form
-of anonymity in which no one can link the author to a specific document. In 
publisher-anonymity system,
-no one is able to link the publisher to a specific document. Reader-anonymity 
means that a specific
-document cannot be linked to the readers of a document. This form of anonymity 
protects the privacy of
-the users of the system. Furthermore, peer-anonymity means that no peer can be 
linked to a specific document, i.e.,
-no one is able to determine the peer, where the document was originally 
published. Document-anonymity
-means that a peer doesn't know which data it is currently hosting. Finally, 
query-anonymity is a form
+According to \cite{dingledine00free}, there exist several kinds of anonymity: 
author-anonymity, 
+publisher-anonymity, reader-anonymity, peer-anonymity and query-anonymity. 
Author-anonymity is a form
+of anonymity in which no one can link the author (who created the document) to 
a document. 
+In publisher-anonymity system, no one is able to determine the publisher (how 
published the document into
+the system) of a document. Reader-anonymity means that a document cannot be 
linked to its readers.
+With peer-anonymity, no one is able to determine the peer, where the document 
was originally published.
+Document-anonymity means that a peer doesn't know which data it is currently 
hosting. Query-anonymity is a form
 of document-anonymity; when other peers perform data lookups, a peer doesn't 
know which data it serves
 to the data lookup originators. As the authors cite in 
\cite{dingledine00free}, some forms of anonymity 
 may imply each other and possible issues raised by this property is one area 
of future work.
 
-With regard to anonymity in Peer-to-Peer systems, much research has been done 
both at the network 
-level layer \cite{tarzan:ccs9} and at the application level layer 
\cite{reiter98crowds}, \cite{mixminionurl}.
-Anonymity outside of Peer-to-Peer context has also been researched 
\cite{352607}, \cite{293447}.
-
 Obviously, existance of several types of anonymity often conflicts with other 
key properties of
 Peer-to-Peer systems. Let us consider anonymity and efficient data lookup. In 
efficient data lookup, we must know
 the peers responsible for given data. Of course, when we know the peers 
responsible
 for the data, the anonymity of peer is lost. Fortunately, there are partial 
solutions to these kinds of
-situations, such as pseudonymity which is a partial form of anonymity. For 
instance, pseudonymity can be used for 
-addressing peer-anonymity by providing anonymous-like identifiers to peers 
(e.g., peer identifiers of a tightly 
-structured system).
-
-Anonymity is widely used in a Peer-to-Peer system in which data publication 
and non-censorship are important properties
-of the system. These include
-Freenet \cite{clarke00freenet}, Publius \cite{pub00}, Free Haven 
\cite{dingledine00free}, Crowds \cite{reiter98crowds},
-Tangler \cite{502002} and upcoming Mnet \cite{mneturl}. Forwarding proxies are 
used in Freenet, Crowds and 
-Free Haven in order to provide various types of anonymity. Tangler and Publius 
use cryptographic
-sharing methods to split data into fragments \cite{Shamir1979a}. Mix mailer 
networks, such as
-\cite{mixminionurl}, are commonly used in distributed systems, which are able 
to provide some level
-of anonymity.
+situations, such as pseudonymity which is a partial form of anonymity 
\cite{daswani03openproblems}. 
+For instance, pseudonymity can be used for addressing peer-anonymity by 
providing anonymous-like identifiers to 
+peers (e.g., peer identifiers of a tightly structured system).
+
+Anonymity is widely used in a Peer-to-Peer system in which data publication 
and non-censorship are important. These include
+Forwarding proxies are used in Freenet \cite{clarke00freenet}, Crowds 
\cite{reiter98crowds} and Free Haven \cite{dingledine00free} 
+in order to provide various types of anonymity. Tangler \cite{502002} and 
Publius \cite{pub00} use cryptographic sharing methods 
+to split data into fragments \cite{Shamir1979a}. Mix mailer networks, such as 
\cite{mixminionurl}, are commonly used in 
+distributed systems, which are able to provide some level of anonymity.
 
 Even if many existing Peer-to-Peer systems are able to provide some of the 
types of anonymity, there is no
 such a system which is able to provide all kinds of anonymity as listed above. 
Specifically, the conflicts
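Review bot: The edit leaves a sentence fragment in the last anonymity paragraph: "These include" now runs straight into "Forwarding proxies are used in Freenet ...". Either delete "These include" or restore a list of systems after it. The new opening enumeration names five kinds of anonymity (author, publisher, reader, peer, query), but the paragraph still defines document-anonymity and describes query-anonymity as a form of it, so document-anonymity should be added to the list. "how published the document" should be "who published the document". The removed paragraph on network-level and application-level anonymity research was the only place in this hunk citing \cite{tarzan:ccs9}, \cite{352607} and \cite{293447}; confirm that dropping those references is intended.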
Index: gzz/Documentation/misc/hemppah-progradu/progradu.bib
diff -u gzz/Documentation/misc/hemppah-progradu/progradu.bib:1.114 
gzz/Documentation/misc/hemppah-progradu/progradu.bib:1.115
--- gzz/Documentation/misc/hemppah-progradu/progradu.bib:1.114  Thu Mar 20 
08:04:20 2003
+++ gzz/Documentation/misc/hemppah-progradu/progradu.bib        Mon Mar 24 
05:15:33 2003
@@ -2184,3 +2184,15 @@
 }
 
 
address@hidden,
+    author     = {Reto Kohlas and Ueli Maurer},
+    title      = {Reasoning about Public-key Certification - on Bindings 
Between Entities and Public Keys},
+    editor     = {Matthhew Franklin},
+    booktitle  = {Proceedings of Fincancial Cryptography 99 (FC99)},
+    series     = {Lecture Notes in Computer Science},
+    volume     = 1648,
+    year       = 1999,
+    month      = Feb,
+    publisher  = {Springer-Verlag}
+}
+
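Review bot: The new entry has spelling errors that will print in the bibliography: "Matthhew" in the editor field and "Fincancial" in the booktitle field should be "Matthew" and "Financial". The entry also has no pages field, which proceedings entries in a thesis bibliography normally carry.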



