[Gzz-commits] gzz/Documentation/misc/hemppah-progradu mastert...
From: Hermanni Hyytiälä
Subject: [Gzz-commits] gzz/Documentation/misc/hemppah-progradu mastert...
Date: Mon, 24 Mar 2003 05:15:33 -0500
CVSROOT: /cvsroot/gzz
Module name: gzz
Changes by: Hermanni Hyytiälä <address@hidden> 03/03/24 05:15:33
Modified files:
Documentation/misc/hemppah-progradu: masterthesis.tex
progradu.bib
Log message:
Updates
CVSWeb URLs:
http://savannah.gnu.org/cgi-bin/viewcvs/gzz/gzz/Documentation/misc/hemppah-progradu/masterthesis.tex.diff?tr1=1.173&tr2=1.174&r1=text&r2=text
http://savannah.gnu.org/cgi-bin/viewcvs/gzz/gzz/Documentation/misc/hemppah-progradu/progradu.bib.diff?tr1=1.114&tr2=1.115&r1=text&r2=text
Patches:
Index: gzz/Documentation/misc/hemppah-progradu/masterthesis.tex
diff -u gzz/Documentation/misc/hemppah-progradu/masterthesis.tex:1.173
gzz/Documentation/misc/hemppah-progradu/masterthesis.tex:1.174
--- gzz/Documentation/misc/hemppah-progradu/masterthesis.tex:1.173 Fri Mar
21 11:23:01 2003
+++ gzz/Documentation/misc/hemppah-progradu/masterthesis.tex Mon Mar 24
05:15:32 2003
@@ -845,29 +845,38 @@
\section{Security problems in Peer-to-Peer}
-In this section we discuss security problems related to Peer-to-Peer domain.
+In this section we describe security problems related to Peer-to-Peer domain.
First, we discuss attacks
+and lack of trust in Peer-to-Peer systems. Then, we describe anonymity, access
control, hostile entities
+and secure query routing problems. Finally, we briefly cover external security
threats.
\subsection{Attacks}
+As stated in \cite{naor03simpledht}, an important aspect is that when it comes
to different attack models in
+any Peer-to-Peer system, there should be a clear distinction between attacks
on the
+algorithms assuming the construction of the overlay is correct, and attacks on
the construction itself. Clearly, Sybil
+and Spam attacks belong to the first category, and the rest of the attacks to
the latter category.
+
There are five known attack models against Peer-to-Peer systems: the Sybil
attack \cite{douceur02sybil},
the Fail-stop attack, the Spam attack \cite{naor03simpledht}, the Byzantine
attack \cite{357176} and \cite{296824}, and
the Distributed Denial of Service attack.
In the Sybil attack model \cite{douceur02sybil}, a hostile entity presents
multiple
-entities. Therefore, one hostile entity can control a large fraction of
Peer-to-Peer system. Possible solution against
-the Sybil attack would be that the system could distinguish entities of the
system reliably. Unfortunately,
-currently there are no realizable techniques for this task. Partial solutions
for the Sybil attack is to replicate
-and fragment data items randomly among several participating peers. However,
this suggestion assumes that two different
-remote entities are actually different; Sybil attacks are still possible and
therefore would need centralized
-authority for reliable authentication. Without centralized authority,
-Sybil attacks are always possible in a Peer-to-Peer system except under
extreme and unrealistic assumptions of
-resource parity and coordination among entities \cite{douceur02sybil}.
+entities, i.e., when a peer selects a subset of entities to perform a
operation, a peer can select the same
+hostile entity multiple times. Therefore, one hostile entity can control a
large fraction of Peer-to-Peer system thereby
+repressing the redundancy of the system. Unfortunately, currently there are no
realizable techniques for against the Sybil
+attack: without a centralized authority, Sybil attacks are always possible in
a Peer-to-Peer
+system except under extreme and unrealistic assumptions of resource parity and
coordination among entities \cite{douceur02sybil}.
+Castro et al. \cite{castro02securerouting} suggest the use of cryptographic
content hashes in the creation process of peer identifier
+against the Sybil attack. According to authors, in this technique the IP
address of a peer can be verified by the other peer.
+They call this method as a one form of \emph{self-certifying data}.
+
-In the Fail-stop attack model, cited in \cite{naor03simpledht}, a faulty peer
is deleted from the Peer-to-Peer system.
-The reason for the faultiness of a peer can be a software failure or a hostile
attack.
-The Byzantine attack model \cite{357176} is closely related to Fail-stop
model. Byzantine model can be seen as more
-severe than Fail-stop model as there are no restrictions over the behavior of
faulty peers. A practical
-solution for the Byzantine failures have been proposed by Castro et al.
\cite{296824}.
+In the Fail-stop attack model, cited in \cite{naor03simpledht}, a faulty peer
is deleted from the Peer-to-Peer system. Thus,
+a specific data item can be lost from the system temporaraly (or permanently).
The reason for the faultiness of a peer can be a
+software failure or a hostile attack. The Byzantine attack model \cite{357176}
is closely related to Fail-stop model. The Byzantine model can
+be seen as more severe than Fail-stop model as there are no restrictions over
the behavior of faulty peers; for instance,
+the cooperation between multiple malicious faulty peers is possible
\cite{357176}. A practical solution for the Byzantine failures have been
+proposed by Castro et al. \cite{296824}.
The Spam generating attack \cite{naor03simpledht} is an another known attack
model against Peer-to-Peer system. In the Spam
attack, a hostile or faulty peer may produce false information of the data, or
refuses to (or is not able to) reply to requests.
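Review bot: In the rewritten Sybil paragraph, "currently there are no realizable techniques for against the Sybil attack" is followed directly by the Castro et al. identifier-hashing suggestion, so the text denies and then offers a countermeasure. State explicitly that the Castro et al. technique is a partial measure and what it verifies (per the added text, the IP address of a peer), and fix "for against". The classification paragraph moved to the top of the subsection now names the Sybil and Spam attacks before the five models are introduced, and "the rest of the attacks" has no referent yet; consider placing it after the enumeration. Typos in the added lines: "a operation", "temporaraly", "method as a one form", and "A practical solution ... have been proposed" (singular subject).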
@@ -877,35 +886,34 @@
the previously mentioned solution doesn't work. Naor et al.
\cite{naor03simpledht} have proposed a partial solution against Spam attack
in a \emph{faulty} peer environment (not hostile).
-Traditional overloading of targeted peers is the best known form of
distributed Denial of Service attack (DDoS) (see, e.g., \cite{372148}).
-For example, a hostile entity can attempt to burden targeted peers with
garbage network packets. As an implication, peers may act
-incorrectly or stop working. The DDoS attack may be very severe, especially if
the rate of replication and caching
-in the Peer-to-Peer system is low. This may lead to data loss in the
Peer-to-Peer system. Daswani et al.
-\cite{daswani02queryflooddos} suggest efficient load balancing
-policies for Peer-to-Peer system in order to prevent massive system failures.
Sit et al. \cite{sit02securitycons}
+Overloading of targeted peers is a form of Distributed Denial of Service
attack (DDoS) (see, e.g., \cite{372148}). For instance,
+a hostile entity can attempt to burden targeted peers with garbage network
packets. As a consequence, peers may act incorrectly or
+stop working. Daswani et al. \cite{daswani02queryflooddos} suggest efficient
load balancing
+policies for Peer-to-Peer system in order to prevent massive system failures.
They suggest a traffic model
+that can be used to understand the effects of DDoS attacks. Sit et al.
\cite{sit02securitycons}
suggest that identifier assignment algorithm for peers would assign identifier
with respect to network topology
and replicas should be located physically to different locations.
-As stated in \cite{naor03simpledht}, an important aspect is that when it comes
to different attack models in
-any Peer-to-Peer system, there should be a clear distinction between attacks
on the
-algorithms assuming the construction of the overlay is correct, and attacks on
the construction itself. Clearly, Sybil
-and Spam attacks belong to the first category, and the rest of the attacks to
the latter category.
-\subsection{Trust, data authenticity and integrity}
+\subsection{Trust management, data authenticity and integrity}
-Trust in Peer-to-Peer systems is based on \emph{reputation}. Proposed
reputation methods focus either
-on the semantic properties or the data management properties of the trust
model. Some research has been
-done on reputation models in Peer-to-Peer systems, such as
\cite{aberer01trust}, \cite{cornelli02reputableservents}.
-One implementation include Advogato \cite{advogatourl}. None of the current
proposals or implementations
-based on reputation address trust in a reliable, practical way.
+According to \cite{aberer01trust}, mutual trust ''...allows agents to
cooperate in a game-theoretic situation that corresponds
+to the repeated prisoners dilemma and leads in the long term to an increased
aggregated utility for the participating agents''.
+They define \emph{trust management} as a mechanism that allows to establish
mutual trust. Furthermore, \emph{reputation} is a measure
+that is derived from knowledge on interactions in the past
\cite{aberer01trust} In this subsection, we discuss mechanisms to maintain
+trust in Peer-to-Peer systems.
+
+Trust in Peer-to-Peer systems is based on \emph{reputation}. Little research
has been done on reputation models in Peer-to-Peer
+systems, such as \cite{aberer01trust}, \cite{cornelli02reputableservents}. In
\cite{aberer01trust}, authors present a scalable
+trust management model, which can be used in Peer-to-Peer enviroment. Authors
in \cite{cornelli02reputableservents}
+suggest techniques to keep track and share information about the reputation of
a peer with others peers.
-Optimal solution for trust in Peer-to-Peer systems would be certificate based
security models.
Quite recently, widely used Public Key Infrastructure (PKI) has been deployed
in distributed
systems \cite{rivest96sdsi}, \cite{spkiworkinggroup}. PKI is a reliable
technology for securing
-data in rather \emph{static} computing systems, such as the Internet. However,
in Peer-to-Peer
-networks, the problem of key-based security mechanism is the maintenance of
the keys as participating
-peers constantly join and leave the system. These include the revocation of
keys and the distribution of
-new keys in a hostile environment.
+data in computing systems, such as the Internet. However, in Peer-to-Peer
+networks, the problem of key-based security mechanism may be the maintenance
of keys as participating
+peers constantly join and leave the system, i.e., the revocation of keys and
the
+distribution of new keys in a hostile environment \cite{KohMau99}.
ConChord \cite{ajmani02conchord} is the first Peer-to-Peer system which has a
support for PKI based
security infrastructure. Still, however, ConChord \cite{ajmani02conchord} is
in early phase of development and lacks
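Review bot: In the PKI paragraph, dropping "rather \emph{static}" leaves "PKI is a reliable technology for securing data in computing systems, such as the Internet", after which "However, in Peer-to-Peer networks" has nothing to contrast with; the join/leave argument about key revocation and distribution depends on that qualifier, so keep it or restate the contrast. In the new trust-management paragraph, the sentence ending in \cite{aberer01trust} runs into "In this subsection" without a period, and the quotation opens with '' where LaTeX needs `` for an opening quote. "Little research has been done ..., such as" reads as if the cited papers were examples of little research; also "enviroment" and "others peers". In the DDoS paragraph, "They suggest a traffic model" would be clearer if it named Daswani et al. again or were merged into the previous sentence.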
@@ -913,46 +921,36 @@
(SDSI) \cite{rivest96sdsi} and Simple Public Key Infrastructure (SPKI)
\cite{spkiworkinggroup} may be a problem for
Peer-to-Peer systems, in which hierarchy is intentionally missing.
-For data integrity, on the other hand, there are few working solutions.
Cryptographic content hashes
+For data integrity, on the other hand, there are working techniques.
Cryptographic content hashes
\cite{fips-sha-1}, their variations \cite{merkle87hashtree} and implementation
techniques \cite{mohr02thex}
-are efficient and reliable methods for identifying the integrity of data in
Peer-to-Peer systems. One
-possible application of cryptographic content hashes may be in the creation
process of peer identifier, in which
-the IP address of a peer can be verified by the other peer. This is one form
of \emph{self-certifying data}.
-
+are efficient and reliable methods for identifying the integrity of data in
Peer-to-Peer systems.
\subsection{Anonymity}
-According to \cite{dingledine00free}, there exist several kinds of anonymity.
Author-anonymity is a form
-of anonymity in which no one can link the author to a specific document. In
publisher-anonymity system,
-no one is able to link the publisher to a specific document. Reader-anonymity
means that a specific
-document cannot be linked to the readers of a document. This form of anonymity
protects the privacy of
-the users of the system. Furthermore, peer-anonymity means that no peer can be
linked to a specific document, i.e.,
-no one is able to determine the peer, where the document was originally
published. Document-anonymity
-means that a peer doesn't know which data it is currently hosting. Finally,
query-anonymity is a form
+According to \cite{dingledine00free}, there exist several kinds of anonymity:
author-anonymity,
+publisher-anonymity, reader-anonymity, peer-anonymity and query-anonymity.
Author-anonymity is a form
+of anonymity in which no one can link the author (who created the document) to
a document.
+In publisher-anonymity system, no one is able to determine the publisher (how
published the document into
+the system) of a document. Reader-anonymity means that a document cannot be
linked to its readers.
+With peer-anonymity, no one is able to determine the peer, where the document
was originally published.
+Document-anonymity means that a peer doesn't know which data it is currently
hosting. Query-anonymity is a form
of document-anonymity; when other peers perform data lookups, a peer doesn't
know which data it serves
to the data lookup originators. As the authors cite in
\cite{dingledine00free}, some forms of anonymity
may imply each other and possible issues raised by this property is one area
of future work.
-With regard to anonymity in Peer-to-Peer systems, much research has been done
both at the network
-level layer \cite{tarzan:ccs9} and at the application level layer
\cite{reiter98crowds}, \cite{mixminionurl}.
-Anonymity outside of Peer-to-Peer context has also been researched
\cite{352607}, \cite{293447}.
-
Obviously, existance of several types of anonymity often conflicts with other
key properties of
Peer-to-Peer systems. Let us consider anonymity and efficient data lookup. In
efficient data lookup, we must know
the peers responsible for given data. Of course, when we know the peers
responsible
for the data, the anonymity of peer is lost. Fortunately, there are partial
solutions to these kinds of
-situations, such as pseudonymity which is a partial form of anonymity. For
instance, pseudonymity can be used for
-addressing peer-anonymity by providing anonymous-like identifiers to peers
(e.g., peer identifiers of a tightly
-structured system).
-
-Anonymity is widely used in a Peer-to-Peer system in which data publication
and non-censorship are important properties
-of the system. These include
-Freenet \cite{clarke00freenet}, Publius \cite{pub00}, Free Haven
\cite{dingledine00free}, Crowds \cite{reiter98crowds},
-Tangler \cite{502002} and upcoming Mnet \cite{mneturl}. Forwarding proxies are
used in Freenet, Crowds and
-Free Haven in order to provide various types of anonymity. Tangler and Publius
use cryptographic
-sharing methods to split data into fragments \cite{Shamir1979a}. Mix mailer
networks, such as
-\cite{mixminionurl}, are commonly used in distributed systems, which are able
to provide some level
-of anonymity.
+situations, such as pseudonymity which is a partial form of anonymity
\cite{daswani03openproblems}.
+For instance, pseudonymity can be used for addressing peer-anonymity by
providing anonymous-like identifiers to
+peers (e.g., peer identifiers of a tightly structured system).
+
+Anonymity is widely used in a Peer-to-Peer system in which data publication
and non-censorship are important. These include
+Forwarding proxies are used in Freenet \cite{clarke00freenet}, Crowds
\cite{reiter98crowds} and Free Haven \cite{dingledine00free}
+in order to provide various types of anonymity. Tangler \cite{502002} and
Publius \cite{pub00} use cryptographic sharing methods
+to split data into fragments \cite{Shamir1979a}. Mix mailer networks, such as
\cite{mixminionurl}, are commonly used in
+distributed systems, which are able to provide some level of anonymity.
Even if many existing Peer-to-Peer systems are able to provide some of the
types of anonymity, there is no
such a system which is able to provide all kinds of anonymity as listed above.
Specifically, the conflicts
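Review bot: The added line "Anonymity is widely used ... are important. These include" ends in a dangling "These include" and is followed by a new sentence starting "Forwarding proxies are used in Freenet", so the list it introduced is gone; delete the fragment or restore the list of systems. The new opening sentence enumerates five kinds of anonymity, but the paragraph still defines document-anonymity, which the list omits. "(how published the document" should read "(who published the document". The hunk also removes the citations to \cite{tarzan:ccs9}, \cite{352607}, \cite{293447} and \cite{mneturl} without replacement; confirm that is intended.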
Index: gzz/Documentation/misc/hemppah-progradu/progradu.bib
diff -u gzz/Documentation/misc/hemppah-progradu/progradu.bib:1.114
gzz/Documentation/misc/hemppah-progradu/progradu.bib:1.115
--- gzz/Documentation/misc/hemppah-progradu/progradu.bib:1.114 Thu Mar 20
08:04:20 2003
+++ gzz/Documentation/misc/hemppah-progradu/progradu.bib Mon Mar 24
05:15:33 2003
@@ -2184,3 +2184,15 @@
}
address@hidden,
+ author = {Reto Kohlas and Ueli Maurer},
+ title = {Reasoning about Public-key Certification - on Bindings
Between Entities and Public Keys},
+ editor = {Matthhew Franklin},
+ booktitle = {Proceedings of Fincancial Cryptography 99 (FC99)},
+ series = {Lecture Notes in Computer Science},
+ volume = 1648,
+ year = 1999,
+ month = Feb,
+ publisher = {Springer-Verlag}
+}
+
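Review bot: The editor and booktitle fields of the new entry contain typos that will appear in the printed bibliography, "Matthhew Franklin" and "Fincancial Cryptography"; correct them to "Matthew" and "Financial". The entry has no pages field, and its key is masked as "address@hidden" in this archive copy, so check in the source file that it matches the \cite{KohMau99} added in masterthesis.tex.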