Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Vivek Pathak and Liviu Iftode, Department of Computer Science, Rutgers University


DESCRIPTION

Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems. Vivek Pathak and Liviu Iftode, Department of Computer Science, Rutgers University. Outline: introduction; public key authentication; existing models; motivation for peer-to-peer authentication; other solutions. PowerPoint (PPT) presentation.

TRANSCRIPT

Page 1: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Vivek Pathak and Liviu Iftode
Department of Computer Science
Rutgers University

Page 2: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

5/9/6, slide 2 of 39

Outline
- Introduction
  - Public key authentication
  - Existing models
- Motivation for peer-to-peer authentication
  - Other solutions
- Byzantine fault tolerant authentication
  - Security model
  - Outline of correctness and performance
- Future work

Page 3: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Public Key Encryption
- Public-private key pair
- Bootstrap shared secret encryption
- Validation of digital signatures

Page 4: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Authentication of Public Keys
- Mapping identities to public keys
- Trusted third parties (TTP)
  - Certificate authority (CA)
- Web of trust
  - PGP

Page 5: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Authentication through CA
- Provide a public key certificate
- Use a secure channel for bootstrapping

Page 6: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Authentication through CA
(Diagram only; not reproduced in the transcript.)

Page 7: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Authentication through CA
- Represents a centralized aggregation of trust
- Long-lived CA keys
- Single point of failure
- Public key revocation
- Scalability with the number of certified keys

Page 8: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Web of Trust
- Informal human authentication
- PGP key rings
- Levels of trust

Page 9: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Web of Trust
- Peers take on the role of the CA
- Decentralized trust
- No single point of failure
- Key authentication depends on human connections
  - How to apply it to autonomous systems?
  - Requires sophisticated users

Page 10: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Outline
- Introduction
  - Public key authentication
  - Existing models
- Motivation for peer-to-peer authentication
  - Other solutions
- Byzantine fault tolerant authentication
  - Security model
  - Outline of correctness and performance
- Future work

Page 11: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Characteristics of Peer-to-peer Systems
- Heterogeneous peers
  - Lack of trusted third parties or hierarchical certificate authorities
- Large-scale peer-to-peer systems
  - Need a decentralized solution
  - Administrative burden on a CA
  - Scalability of key revocation

Page 12: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Characteristics of Peer-to-peer Systems
- Autonomous operation
  - Unsophisticated users
  - Sensors and devices
  - The web of trust depends on constant human feedback
- Short-lived public keys
  - Peers may be attacked and recover
  - Public key certificates require a secure channel
- Malicious peers

Page 13: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Other Solutions
- Threshold encryption systems
  - Share the secret among a set of parties
  - Defend against a few compromised parties
  - Need a secure initialization phase
- Crypto-based network IDs
  - Choose the network ID as a function of the public key
  - Depends on the routing infrastructure

Page 14: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Outline
- Introduction
  - Public key authentication
  - Existing models
- Motivation for peer-to-peer authentication
  - Other solutions
- Byzantine fault tolerant authentication
  - Security model
  - Outline of correctness and performance
- Future work

Page 15: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

System Model
- Mutually authenticating peers
  - Associate a network end-point with a public key
- Asynchronous network
  - No partitioning
  - Eventual delivery after retransmissions
  - Disjoint message transmission paths
  - Man-in-the-middle attack on a φ fraction of the peers

Page 16: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Attack Model
- Malicious peers
  - Honest majority: at most t of the n peers are faulty or malicious, with t < (1 - 6φ) n / 3
  - Passive adversaries
  - Active adversaries
- Relax the network-is-the-adversary model
  - Unlimited spoofing
  - Limited power to prevent message delivery

Page 17: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Authentication Model
- Challenge-response protocol
  - No active attacks: proof of possession of K_a
  - Man-in-the-middle attack: limited number of attacks
- Messages: {b, a, Challenge, K_a(r)}_b , {a, b, Response, r}_a
  (K_a(r) is the nonce r encrypted under the key K_a being tested; {...}_x is a message signed by x)

(Diagram: B sends K_A(N_B) to A; A returns N_B.)

Page 18: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Authentication Model: Distributed Authentication
- Challenge-response from multiple peers
- Gather proofs of possession
- Lack of consensus on authenticity
  - Malicious peers
  - Man-in-the-middle attack

(Diagram: peers A, B, C, D, E, F, shown before and after the exchange.)

Page 19: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Authentication Correctness
- Validity of proofs of possession: {e, a, Challenge, K_a(r)}_e , {a, e, Response, r}_a
- All messages are signed
  - Required for proving malicious behavior
- Recent proofs are stored by the peers

Proof vectors (columns are the proofs P_B, P_C, P_D, P_E, P_F that A obtained from each peer):

               P_B  P_C  P_D  P_E  P_F
  From peers   ...  ...  ...  ...  ...
  From A       ...  ...  ...  ...  ...
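The two-message exchange on this slide and on the Authentication Model slide, as an added example that is not part of the original deck or the authors' C++ library. Textbook RSA with tiny, constructed primes stands in for the real public key scheme (it is not secure), SHA-256 reduced modulo n stands in for the signature hash, and the peer names A, B, M and the `malicious` flag are assumptions of the example. The third scenario shows why one challenge only proves possession of whichever key the challenger was handed: an attacker on the path who substituted its own key answers the challenge correctly, which is what gathering proofs from several peers over disjoint paths is meant to expose.

```python
"""Toy model of the proof-of-possession exchange {b,a,Challenge,K_a(r)}_b,
{a,b,Response,r}_a. Added example, not the authors' library. Textbook RSA
with tiny primes is a stand-in for the real scheme and is NOT secure."""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class PubKey:
    n: int
    e: int


@dataclass(frozen=True)
class KeyPair:
    pub: PubKey
    d: int


def toy_keypair(p: int, q: int, e: int = 17) -> KeyPair:
    """Textbook RSA from two constructed small primes (illustration only)."""
    return KeyPair(PubKey(p * q, e), pow(e, -1, (p - 1) * (q - 1)))


def _digest(msg: tuple, n: int) -> int:
    return int.from_bytes(hashlib.sha256(repr(msg).encode()).digest(), "big") % n


def sign(kp: KeyPair, msg: tuple) -> int:
    return pow(_digest(msg, kp.pub.n), kp.d, kp.pub.n)


def verify(pub: PubKey, msg: tuple, sig: int) -> bool:
    return pow(sig, pub.e, pub.n) == _digest(msg, pub.n)


def encrypt(pub: PubKey, r: int) -> int:
    return pow(r, pub.e, pub.n)


def decrypt(kp: KeyPair, c: int) -> int:
    return pow(c, kp.d, kp.pub.n)


class Peer:
    def __init__(self, name: str, kp: KeyPair, malicious: bool = False):
        self.name, self.kp, self.malicious = name, kp, malicious
        self.proofs = {}  # recent accepted proofs, kept as signed evidence

    def make_challenge(self, target: str, claimed_key: PubKey):
        """{b, a, Challenge, K_a(r)}_b: nonce r encrypted under the key under test."""
        r = secrets.randbelow(claimed_key.n - 2) + 2
        msg = (self.name, target, "Challenge", encrypt(claimed_key, r))
        return msg, sign(self.kp, msg), r

    def answer_challenge(self, msg, sig, challenger_key: PubKey):
        """{a, b, Response, r}_a: only the private key holder recovers r.
        An honest peer answers only challenges addressed to it; an attacker
        on the path answers under the victim's name with its own key."""
        if not verify(challenger_key, msg, sig):
            return None
        b, a, tag, c = msg
        if tag != "Challenge" or (a != self.name and not self.malicious):
            return None
        resp = (a, b, "Response", decrypt(self.kp, c))
        return resp, sign(self.kp, resp)

    def check_response(self, claimed_key: PubKey, r: int, challenge, resp, sig) -> bool:
        """Proof of possession: the response carries r and verifies under the claimed key."""
        ok = resp[2] == "Response" and resp[3] == r and verify(claimed_key, resp, sig)
        if ok:
            self.proofs[resp[0]] = (challenge, (resp, sig))
        return ok


def authenticate(challenger: Peer, target: str, claimed_key: PubKey, on_path: Peer) -> bool:
    """One run of the protocol. on_path is whoever actually receives the
    challenge: the target itself, or an attacker sitting on the path."""
    msg, sig, r = challenger.make_challenge(target, claimed_key)
    answer = on_path.answer_challenge(msg, sig, challenger.kp.pub)
    if answer is None:
        return False
    return challenger.check_response(claimed_key, r, (msg, sig), *answer)


# Constructed peers: A and B honest, M a man in the middle between them.
A = Peer("A", toy_keypair(61, 53))
B = Peer("B", toy_keypair(67, 71))
M = Peer("M", toy_keypair(73, 79), malicious=True)


def scenarios() -> dict:
    return {
        "honest path, genuine K_A": authenticate(B, "A", A.kp.pub, A),
        "honest path, bogus key for A": authenticate(B, "A", M.kp.pub, A),
        "MITM substitutes K_M for K_A": authenticate(B, "A", M.kp.pub, M),
    }
```

Because every message is signed, B keeps the (challenge, response) pair it accepted; in the MITM case that stored evidence is signed under K_M and will conflict with the proofs other peers obtained over clean paths, which is what the agreement step on the following slides compares.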

Page 20: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Byzantine Agreement Overview
- Publicize the lack of consensus
- The authenticating peer sends its proofs of possession to the peers
- Each peer tries to authenticate A
- Each peer sends its proof-of-possession vector to every peer
- Byzantine agreement on the authenticity of K_A
  - Majority decision at every peer
  - Identify malicious peers
  - Complete authentication

Vectors received (columns as on the previous slide: P_B, P_C, P_D, P_E, P_F):

            P_B  P_C  P_D  P_E  P_F
  From B     1    1    0    1    1
  From C     1    1    1    1    1
  From D     1    1    1    1    1
  From E     1    1    0    1    1
  From F     1    1    0    1    1

Page 21: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Byzantine Agreement Correctness Overview
- Consider the proofs received at a peer P

(Diagram: the set of peers of P, of which t are malicious, φn lie on a compromised path to A, and φn lie on a compromised path to P.)

Page 22: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Byzantine Agreement Correctness Overview
- t + 2φn proofs may not arrive
  - P receives at least n - t - 2φn proofs
- t + 2φn of the received proofs may be faulty
  - P receives at least n - 2t - 4φn correct, agreeing proofs
- P decides correctly by majority if n - 2t - 4φn > t + 2φn
- Agreement is correct if t < (1 - 6φ) n / 3
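The counting on this slide, together with the vote table on the Byzantine Agreement Overview slide, as an added example that is not the authors' C++ library. `tally` applies the per-proof majority rule to the overview slide's vectors and flags reporters who disagree with the majority; `max_tolerated_faults` and `min_bootstrap_size` evaluate the bound derived above and the bootstrapping bound n > 3/(1 - 6φ) from the later Bootstrapping Trust Group slide. Two details are assumptions of this example rather than statements from the deck: K_A counts as authenticated when a majority of the proofs are accepted, and a tally that received fewer than n - t - 2φn vectors is reported as undecided because the derivation's guarantee no longer applies.

```python
"""Majority decision over proof-of-possession vectors and the honest-majority
bound t < (1 - 6 phi) n / 3. Added example, not the authors' library."""
from fractions import Fraction
import math

PHI = Fraction(1, 20)  # constructed: 5% of peers sit behind a compromised path


def max_tolerated_faults(n: int, phi) -> int:
    """Largest t with t < (1 - 6 phi) n / 3; -1 when even t = 0 is unsafe (phi >= 1/6)."""
    bound = (1 - 6 * Fraction(phi)) * n / 3
    return math.ceil(bound) - 1


def min_bootstrap_size(phi) -> int:
    """Smallest n able to tolerate one malicious bootstrapping peer: n > 3 / (1 - 6 phi)."""
    denom = 1 - 6 * Fraction(phi)
    if denom <= 0:
        raise ValueError("no honest majority is possible when phi >= 1/6")
    return math.floor(3 / denom) + 1


def worst_case_margin(n: int, t: int, phi) -> Fraction:
    """Correct minus faulty proofs at P under the slide's counting: at most
    t + 2 phi n proofs never arrive and another t + 2 phi n may be faulty.
    A positive margin means the majority decision is correct."""
    phi = Fraction(phi)
    correct = n - 2 * t - 4 * phi * n
    faulty = t + 2 * phi * n
    return correct - faulty


def tally(reports: dict, n: int, t: int, phi) -> dict:
    """reports[reporter][proof] = 1 if that reporter could verify that proof.
    Each proof is accepted by majority of the received vectors; reporters
    whose vector disagrees with the majority on any proof are flagged."""
    received = len(reports)
    if received < n - t - 2 * Fraction(phi) * n:
        return {"decided": False, "reason": "fewer vectors than the bound guarantees"}
    proofs = sorted({p for vec in reports.values() for p in vec})
    accepted = [p for p in proofs
                if 2 * sum(vec.get(p, 0) for vec in reports.values()) > received]
    suspects = sorted(r for r, vec in reports.items()
                      if any((p in accepted) != bool(vec.get(p, 0)) for p in proofs))
    return {"decided": True, "accepted": accepted,
            "authenticated": 2 * len(accepted) > len(proofs), "suspects": suspects}


# The vote table from the Byzantine Agreement Overview slide.
SLIDE_TABLE = {
    "B": {"P_B": 1, "P_C": 1, "P_D": 0, "P_E": 1, "P_F": 1},
    "C": {"P_B": 1, "P_C": 1, "P_D": 1, "P_E": 1, "P_F": 1},
    "D": {"P_B": 1, "P_C": 1, "P_D": 1, "P_E": 1, "P_F": 1},
    "E": {"P_B": 1, "P_C": 1, "P_D": 0, "P_E": 1, "P_F": 1},
    "F": {"P_B": 1, "P_C": 1, "P_D": 0, "P_E": 1, "P_F": 1},
}


def slide_decision() -> dict:
    """Five reporting peers, no compromised paths: the bound allows t = 1."""
    return tally(SLIDE_TABLE, n=5, t=max_tolerated_faults(5, 0), phi=0)


if __name__ == "__main__":
    print(slide_decision())
    print("n=100, phi=1/20 tolerates t <=", max_tolerated_faults(100, PHI))
    print("bootstrap group for phi=1/20 needs n >=", min_bootstrap_size(PHI))
```

On the slide's table the proof P_D is rejected three votes to two, A is still authenticated on the four remaining proofs, and C and D are flagged as the reporters that vouched for the rejected proof. With n = 100 and φ = 1/20 the bound allows 23 faulty peers; at t = 24 the worst-case margin turns negative.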

Page 23: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Trust Groups
- Execute authentication on smaller trust groups
  - Quadratic messaging cost
  - Peer interest
- Trusted group
  - Authenticated public keys
  - Not (overtly) malicious
- Probationary group
- Un-trusted group
  - Known to be malicious

Page 24: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Growth of Trust Groups
- Governed by communication patterns
- Discovery of new peers
- Authentication of discovered peers
- Addition to the trusted set
- Discovery of un-trusted peers

Page 25: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Evolution of Trust Groups
- Covertly malicious peers
  - May wait until the honest majority is violated
  - Lead to incorrect authentication
- Periodic pruning of the trusted group
  - Unresponsive peers
  - Remove older trusted peers from the trust group
  - Reduce messaging cost
- Randomize trusted group membership
  - Group migration event
  - Probability of violating the honest majority
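Whether a randomly repopulated trust group still has an honest majority is a sampling question. As an added example that is not from the deck: if a fixed fraction of the population is covertly malicious and group membership is drawn uniformly at random, the chance that a group of a given size contains more malicious members than the bound t < (1 - 6φ) n / 3 tolerates is an exact hypergeometric tail. The population of 50 peers with 10 malicious members, the 10% risk target, and the uniform-draw model itself are assumptions of this example.

```python
"""Risk that a randomly drawn trust group violates the honest-majority bound.
Added example, not the authors' analysis; inputs are constructed."""
from fractions import Fraction
from math import ceil, comb

RISK = Fraction(1, 10)  # constructed target: at most a 10% chance of a bad group


def max_tolerated_faults(group_size: int, phi) -> int:
    """Largest t strictly below (1 - 6 phi) n / 3; -1 if no t qualifies."""
    bound = (1 - 6 * Fraction(phi)) * group_size / 3
    return ceil(bound) - 1


def prob_majority_violated(population: int, malicious: int, group_size: int,
                           phi=Fraction(0)) -> Fraction:
    """Exact hypergeometric tail: probability that a uniformly drawn group of
    group_size peers contains at least t_max + 1 malicious members, where
    t_max is what the bound tolerates for that group size."""
    t_max = max_tolerated_faults(group_size, phi)
    honest = population - malicious
    bad = sum(comb(malicious, k) * comb(honest, group_size - k)
              for k in range(max(t_max + 1, 0), group_size + 1))
    return Fraction(bad, comb(population, group_size))


def smallest_safe_group(population: int, malicious: int, risk: Fraction,
                        phi=Fraction(0)) -> int:
    """Smallest group size whose violation probability is at most `risk`.
    The risk is not monotone in group size (t_max only grows at multiples
    of 3 when phi = 0), so every size is checked in turn."""
    for g in range(1, population + 1):
        if prob_majority_violated(population, malicious, g, phi) <= risk:
            return g
    raise ValueError("no group size meets the risk target")


if __name__ == "__main__":
    for g in range(4, 13):
        p = prob_majority_violated(50, 10, g)
        print(f"group of {g:2d}: tolerates t <= {max_tolerated_faults(g, 0)}, "
              f"P(violated) = {float(p):.3f}")
    print("smallest group under the risk target:", smallest_safe_group(50, 10, RISK))
```

With 10 of 50 peers malicious and φ = 0, a group of 9 (t ≤ 2) is riskier than a group of 7, and a group of 10 (t ≤ 3) is the first whose violation probability drops below 10%, at about 0.097. Pruning old members and migrating to a fresh random group therefore only helps if the new group is sized with this curve in mind.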

Page 26: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Bootstrapping Trust Group
- Authentication needs an honest trust group
- Initialize a bootstrapping trust group
  - Needed for cold start
  - Authenticate each bootstrapping peer
- Size of the bootstrapping trust group
  - To recover from trusting a malicious peer: n > 3 / (1 - 6φ)

Page 27: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Public Key Infection
- Optimistic trust
  - Lazy authentication
  - Reduced messaging cost
- Cache of undelivered messages
  - Use peers for epidemic propagation of messages
  - Anti-entropy sessions eventually deliver the messages
  - Infect peers with new undelivered messages

Page 28: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Public Key Infection
- Use logical and vector timestamps
  - Determine which messages to exchange for anti-entropy
  - Detect message delivery
- Double exponential drop in the number of uninfected peers with time
- Number of cached messages is O(n log n)
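The anti-entropy mechanism of these two slides, as an added example that is not the authors' code: each peer keeps a cache of undelivered messages plus a matrix of vector timestamps, a session compares timestamps to find exactly the cached messages the other side lacks, and a cached message is evicted once every row of the matrix shows every peer has it. The payload, peer count, seeded random partner choice and the matrix-clock eviction rule are constructed for this example; the slides do not spell out the original's timestamp bookkeeping.

```python
"""Epidemic delivery of cached, undelivered messages using vector timestamps.
Added example, not the authors' library; inputs are constructed."""
import random


class Peer:
    def __init__(self, pid: int, n: int):
        self.pid = pid
        # known[j][i]: highest sequence number from origin i that, as far as
        # this peer knows, peer j has received. Row known[pid] is this peer's
        # own vector timestamp; the other rows are used to detect delivery.
        self.known = [[0] * n for _ in range(n)]
        self.cache = {}  # (origin, seq) -> payload, kept until delivered to all

    @property
    def clock(self):
        return self.known[self.pid]

    def publish(self, payload):
        seq = self.clock[self.pid] + 1
        self.clock[self.pid] = seq
        self.cache[(self.pid, seq)] = payload
        return (self.pid, seq)

    def has(self, key) -> bool:
        origin, seq = key
        return self.clock[origin] >= seq

    def anti_entropy(self, other: "Peer"):
        """Push-pull session: each side's vector timestamp tells the other
        which cached messages it still lacks; then both merge everything
        they know about every peer's progress."""
        for src, dst in ((self, other), (other, self)):
            for key, payload in src.cache.items():
                if not dst.has(key):
                    dst.cache[key] = payload
        merged = [max(a, b) for a, b in zip(self.clock, other.clock)]
        self.known[self.pid] = merged[:]
        other.known[other.pid] = merged[:]
        for j in range(len(self.known)):
            row = [max(a, b) for a, b in zip(self.known[j], other.known[j])]
            self.known[j], other.known[j] = row, row[:]

    def evict_delivered(self) -> int:
        """Drop cached messages that every peer is known to have received."""
        done = [k for k in self.cache
                if all(row[k[0]] >= k[1] for row in self.known)]
        for k in done:
            del self.cache[k]
        return len(done)


def simulate(n: int = 40, max_rounds: int = 200, seed: int = 7):
    """Peer 0 publishes one message; every round each peer runs one session
    with a random partner. Returns the per-round count of uninfected peers
    and the peers themselves (caches are empty once delivery is detected)."""
    rng = random.Random(seed)
    peers = [Peer(i, n) for i in range(n)]
    key = peers[0].publish("signed authentication message (constructed payload)")
    uninfected = []
    for _ in range(max_rounds):
        for p in peers:
            q = rng.choice(peers)
            if q is not p:
                p.anti_entropy(q)
        uninfected.append(sum(1 for p in peers if not p.has(key)))
        for p in peers:
            p.evict_delivered()
        if all(not p.cache for p in peers):
            break
    return uninfected, peers


if __name__ == "__main__":
    history, _ = simulate()
    print("uninfected peers per round:", history)
```

The printed history shows the drop the slide describes: roughly doubling coverage while few peers are infected, then a much faster collapse once most peers can pull the message. Eviction lags delivery by a few more rounds because the rows for other peers spread by the same gossip.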

Page 29: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Simulation
- Implemented Byzantine fault tolerant authentication as a C++ library
- Simulation program
  - Makes library calls and keeps counters
  - Studies the effects of group size and of malicious peers

Page 30: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Effects of Group Size
- Constant cost for trusted peers
- Probationary peers process O(n^2) messages
- The trust graph does not affect the cost
  - Randomized trusted sets from bi-directional trust

Page 31: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Effects of Malicious Peers
- Rapid increase of messaging cost
  - With group size
  - With the proportion of malicious peers
- Byzantine agreement has quadratic messaging cost

Page 32: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Conclusion
- Autonomous authentication without a trusted third party
  - Incremental approach to security
  - Suited for low-value peer-to-peer systems
- Tolerates malicious peers
  - Suited for applications spanning multiple administrative domains
- Scalable to large peer-to-peer systems
- Eliminates total trust and the single point of failure
- Made feasible by using stronger network assumptions
  - The network adversary is not all-powerful

Page 33: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Outline
- Introduction
  - Public key authentication
  - Existing models
- Motivation for peer-to-peer authentication
  - Other solutions
- Byzantine fault tolerant authentication
  - Security model
  - Outline of correctness and performance
- Future work

Page 34: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Future Work: Applications
- Provide key authentication capability to OpenSSH
  - SSH daemons can authenticate their peers
  - Provide a concise authentication summary to the user: why the public key of the server is believed, or not believed, to be what is stated

Page 35: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Future Work: Applications (contd.)
- Spam identification through public key authentication
- Existing solutions
  - Filtering: machine learning to classify contents
    - Results in misspellings in spam messages
    - False positive rate independent of sender importance
  - Postage: sender pays to send email
    - End-to-end argument
  - Safe sender lists
    - Need to authenticate the sender

Page 36: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Future Work: Sender Authentication
- Piggyback the authentication protocol on email messages
  - Messages are signed
  - They can be delivered to peers indirectly
  - SMTP allows extension fields
- Authenticate senders with the existing infrastructure
  - Incremental deployment
- Use digital signatures to verify messages from authenticated senders
  - Allow messages from safe senders to pass through
  - Eliminate false positives from spam filters

Page 37: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Future Work: Enhancements to the Mechanism
- Address denial of service
  - Keep track of work done on behalf of any peer
  - Peers are authenticated
  - Agreement on work done on behalf of peers
  - Use authenticated load information to prevent denial of service
  - Need an economic model
- Avoid expensive public key cryptography

Page 38: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Future Work: Enhancements to the Model
- Authenticate public keys in ad-hoc networks
  - They lack the network IDs assumed here
- Apply to vehicular computing
  - Does the public key belong to the car on the GWB?
  - Working on geographical authentication
- Study hybrid trust models
  - Hierarchical, peer-to-peer, web of trust

Page 39: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Q&A

Page 40: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Authentication Protocol
(Additional slides beyond the 39 of the main deck follow.)

Page 41: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Objective
- Security is an increasing concern
  - Privacy
  - Authenticity
  - Fault tolerance
- Secure communication across the internet
- Distributed computation with semi-trusted principals: Smart Messages
- Cost-effective security

Page 42: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Privacy
- Encryption
  - Computational cost
  - Energy requirements
- Our approach: nearly complete privacy
  - Weakened keys, shortened key lifetime
  - Trade off key lifetime for computational cost at constant security
- Cost-effective encryption on commodity hardware

Page 43: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Trust
- Trusted third party model
  - Used in most security implementations
  - Single point of security failure
- Our model: distributed trust
  - Authentication of a public key is done by a vote of peers
  - Addition of new participants
  - Assumption: the majority cannot be corrupted

Page 44: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Performance
- Lazy authentication protocol for updating the public keys to peers
  - Uses distributed trust to authenticate the new keys
  - Allows admission of new peers
- Dynamical encryption in the Linux kernel
  - Interrupt-free processing
  - Choose key lifetime based on system limitations

Page 45: Byzantine Fault Tolerant Public Key Authentication in Peer-to-peer Systems

Status and Plan
- Implemented an encryption server on Linux
- Preliminary point-to-point performance evaluation
- Investigating the security of distributed trust with dynamic membership
- Paper in preparation
- Targeting active networks and mobile agents