On 6/27/06, Marcel Pierer <[EMAIL PROTECTED]> wrote:
> ... Let's assume we build a standardised and open Peer-to-Peer network
ok,
> based on Chord, implemented with a secured DHT and NAT/Firewall mechanism (Turn / Stun).
a secured Chord DHT? securing a DHT is actually a hot topic since the trade-offs made in favor of performance drastically impact the resilience against malicious / coordinated attackers. TURN/STUN are just one technique among many for NAT busting, but let's continue...
> Any application, whether IM Tools, Voice over IP, Video over IP .... could use the network / DHT and its services (NAT traversal, ...) over specified interface and protocols.
what "specified interface and protocols"? rework all existing apps to take advantage of it? this sounds simple, but really this is complicated and bound up into external factors like network popularity and protocol / API friendliness.
> First approaches were made with known filesharing tools (Gnutella, BitTorrent) or Voice over IP applications like Skype. Unfortunately these approaches aren't fully decentralised, aren't open source, and suffer from the known security issues.
hey, gnutella was fully decentralized :)
> Filesharing applications try to overcome security issues like malicious nodes and authenticity of files with various trust and reputation systems. Some research papers seek to adopt these trust and reputation systems for Peer-to-Peer networks (TrustMe, ...) but in my opinion it is the wrong way.
what's wrong with reputation / trust metrics specifically? too difficult to make workable, or inherently flawed in some manner?
> The known security issues for Chord and DHT based P2P networks are:
> - how to secure DHT entries against others (with PKI infrastructures and certificates, redundancies, peers should not be allowed to choose their place within the Chord ring)
PKI == teh suck. if it's peer to peer you're after, this is the antithesis. SPKI is better, web of trust (hey, a trust metric! ;), etc. redundancies help against intermittent failures, but as has been discussed malicious peers with directed attacks are much harder to mitigate or prevent. as for selective views of the ring, i am still fond of the achord method for constricting ring visibility via the digest of the node public IP address. there are other such techniques bound to endpoints or identities which are useful, but certainly solve only a small and less critical problem with DHT security in general.
> - how can certificates be dispensed without a central authorisation system (entry points as the bootstrap could do that, but who tells me that this peer isn't a malicious node)
let me know when you find the optimal answer to this one.. *grin*
> - how to stop man in the middle attacks (distributed routing as solution)
SPKI / WoT with mutually assured certs/signatures == no MITM. opportunistic key exchange where the initial discovery is authentic provides MITM protection for all subsequent interactions. (perhaps you trust long lived / well known peers more than new ones?) bootstrap transitive introductions with strongly authenticated peers?
> - how to identify malicious nodes / applications to punish them (what about anonymity and privacy)
constrain initial and transitive introduction? use tit for tat based resource allocation / expenditure? attach service availability or quantity to reputations?
> - how to stop sybil attacks against specific nodes, services (anonymity and virtual IDs could be a solution, maybe an open and secured DHT with some super nodes (then who is super node, ...))
sybil attacks are hard. i find the proof of work based approaches totally worthless. some people think they are somewhat practical despite "theoretical" deficiencies.
> There are still a lot of open questions
that's what makes it interesting. :)
> and I would like to know your thoughts, ideas and papers I should read how to find a suitable solution. I'm writing my diploma thesis about this topic and would like to find a solution.
have you scanned through the list archives? there have been a number of good discussions on all of the topics over the years. some key concepts that i think are relevant:
- implicit feedback for relative ranking of discovered resources
- directed iterative unicast discovery/search with early termination and local ordering of destination peers by reputation.
- self certifying identifiers for resources with nicknames / metadata ascribed to local petnames via reputable recommendation/attestation.
- user centric digital identities and authentication with support for mutually authenticated SPKI/WoT in addition to opportunistic key exchange.
- IPv4/IPv6 endpoint based connectivity into a decentralized overlay network (tun/tap devices on top of a NAT busting, resource|peer discovery infrastructure)
- sharing the bootstrap, where possible, so that a common transport (bittorrent?) or common initial/transitive introduction service can be used by many applications and services to the benefit of all, rather than a plethora of less useful, isolated silos of functionality.
again, it would be worth your time to browse the list archives as many threads on all of the subjects have been debated / discussed over the years.
_______________________________________________
p2p-hackers mailing list
[email protected]
http://lists.zooko.com/mailman/listinfo/p2p-hackers
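Two of the ideas in this thread (peers not being allowed to choose their place in the Chord ring, which the reply ties to the achord-style digest of the public IP, and self-certifying identifiers for resources) can be made concrete in a few lines. The following is an added illustration written for this page, not code from either correspondent or from any Chord or achord implementation; the 32-bit ring, the `10.0.0.x` endpoints and the `demo()` scenario are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

RING_BITS = 32  # constructed small identifier space; the Chord paper uses 160 bits


def ring_id(data: bytes) -> int:
    """Chord-style identifier: SHA-1 digest reduced to the ring size."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") % (1 << RING_BITS)


def achord_node_id(ip: str) -> int:
    """achord-style placement: the node id is the digest of its public IP,
    so the peer cannot pick where on the ring it lands."""
    return ring_id(ip.encode())


@dataclass(frozen=True)
class JoinRequest:
    ip: str          # endpoint as observed by the peer handling the join
    claimed_id: int  # id the joining node announces for itself


def verify_join(req: JoinRequest) -> bool:
    """Admit a joiner only if its claimed id matches the id derived from its endpoint."""
    return req.claimed_id == achord_node_id(req.ip)


def build_ring(requests: list) -> list:
    """Return the sorted ring of node ids, keeping only verified joiners."""
    return sorted(r.claimed_id for r in requests if verify_join(r))


def successor(ring: list, key: int) -> int:
    """Chord successor: first node id at or after key, wrapping around the ring."""
    for node in ring:
        if node >= key:
            return node
    return ring[0]


def self_certifying_id(pubkey: bytes) -> int:
    """Self-certifying identifier: id == H(pubkey), checkable by anyone holding the key."""
    return ring_id(pubkey)


def verify_self_certifying(claimed_id: int, pubkey: bytes) -> bool:
    return claimed_id == self_certifying_id(pubkey)


def demo() -> tuple:
    """Constructed scenario: three endpoint-derived joiners plus one that announces
    an id it did not derive from its endpoint; only the verified three are admitted."""
    honest = [JoinRequest(ip, achord_node_id(ip)) for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3")]
    key = ring_id(b"constructed-resource")
    unverified = JoinRequest("10.0.0.9", (key - 1) % (1 << RING_BITS))
    ring = build_ring(honest + [unverified])
    return len(ring), successor(ring, key)
```

Binding the id to the endpoint only closes the self-placement problem; as the reply notes, it does nothing against a peer that controls many endpoints, which is where the sybil discussion above takes over.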
