P2P Taxonomy and Security Concerns
Ryan Lackey
CTO, HavenCo, Ltd.
ryan@havenco.com
RSA Conference 2002, San Jose
0900 20-02-2002
Introduction
• Variety of P2P systems
• P2P is not a new thing
Types of Systems
• “Traditional” p2p File Sharing
• Email
• Proxies
• Chat systems
• Infrastructure systems
Major File Systems
• Napster
• Gnutella
• KaZaA/Fasttrack/Morpheus
• Freenet
• Mojonation
Traditional Email
• SMTP is peer to peer
• Deployed with “supernodes” with SMTP/POP3 and inter-realm communication via supernodes
Cypherpunks-style remailers
• 35 or so nodes
• “Onion routing”
Chat Systems
• IRC isn’t really p2p
• AIM/ICQ with centralized presence
• Gale, Jabber, IMPP proposals
Infrastructure Protocols
• DNS
• NTP
• PKI Certification Authorities
Design Comparison
• Target applications
• Transport
• Interactivity
• Degree of centralization
• Design/compile-time organization or install/configuration or runtime/evolving
• Security: traffic encryption, DoS protection,
• Replication for reliability
Implementation Comparison
• “Official” vs. covert adoption
• Importance of “network effects” for minimal utility
• Legal issues (content, copyright controls)
• Administrative control – what functionality is possible, who exercises it?
Security Issues
• Users provided an incentive to violate security model
• System not designed to be compatible with non-P2P restrictions
• Modifies underlying assumptions about connectivity
Observations
• “Old” p2p systems (email, etc.) seem to be designed into security models, so newer systems can emulate
• Power ultimately wins over security
• Systems can be re-deployed internally for security
Summary
Since P2P applications have been popular, and continue to be popular, security practices must take them into account
Deployment choices are as important as implementation choices; even unsafe technologies can be wrapped in a security model
Q&A