Abstract
Several alternative schemes have been presented in the literature to try to solve the users' admission problem in P2P systems when it is not possible to include a logically centralized authority (either online or offline) in the system. However, most of them are not suitable for on-the-fly P2P systems, and the most typical ones (IP based, shared secret and threshold cryptography) have several security and performance drawbacks. Starting from the deficiencies of the existing schemes, in this paper we present a new decentralized certification scheme for on-the-fly P2P systems which is based on the recently published Internet Attribute Certificate Profile for Authorization. Our proposal greatly improves the security and flexibility of IP based and shared secret schemes with no infrastructure cost and with a minimal performance cost. It also achieves a level of security similar to that of threshold cryptography while greatly reducing its computational and communication cost. All these facts position our certification proposal as a users' admission alternative for on-the-fly P2P systems in non very hostile environments where performance and security are key factors.
Notes
By non very hostile we mean scenarios where administrators cannot be compromised, as discussed in Section 4.1.
Unless the attacker has access to the range of addresses assigned to a university or a large company.
The continuous process of user arrival and departure.
In case administrators want to share private information by leaving it encrypted in a well-known location of the system.
In the case of the presented PKCs, and for simplicity, only the most representative fields for our proposal are described; any PKC compliant with the standard profile described in [36] is valid.
DCLs are described in Section 3.5.
It would also be possible to automate this process based on the number of users of the system, choosing the candidates from a web of trust model or a social network. However, that possibility is outside the initial scope of this paper.
Even with a single device available, like a laptop, a user may use virtualization to simulate several devices and include them in the network.
The costs required for protecting each protocol message are not taken into account because they vary with the specific secure protocol used.
Using the OpenSSL (version 0.9.8g) speed test on Ubuntu 10.04 (lucid) 64-bit with Linux kernel 2.6.32-25, running on an Intel(R) Core(TM)2 Quad CPU Q8200 @ 2.33GHz with 4GB of RAM.
References
Jennings C, Lowekamp B, Rescorla E, Baset S, Schulzrinne H (2010) Internet-draft: REsource LOcation And Discovery (RELOAD) base protocol, draft-ietf-p2psip-base-12 (work in progress)
Baset SA, Schulzrinne H (2006) An analysis of the skype peer-to-peer internet telephony protocol. In: Proceedings of the 25th IEEE international conference on computer communications. IEEE Computer Society, Washington, DC, USA, pp 1–11
Douceur JR (2002) The Sybil attack. In: Revised papers from the first international workshop on peer-to-peer systems, IPTPS ’02. Springer-Verlag, London, UK, pp 251–260
Bryan DA, Lowekamp BB, Jennings C (2005) SOSIMPLE: a serverless, standards-based, P2P SIP communication system. In: Proceedings of the first international workshop on advanced architectures and algorithms for internet delivery and applications. IEEE Computer Society, Washington, DC, USA, pp 42–49
Merkle RC (1978) Secure communications over insecure channels. Commun ACM 21:294–299
von Ahn L, Blum M, Hopper N, Langford J (2000) The official CAPTCHA site. http://www.captcha.net/
Zimmermann PR (1995) The official PGP user’s guide. MIT Press, Cambridge, MA
Desmedt Y, Frankel Y (1989) Threshold cryptosystems. In: Proceedings of the 9th annual international cryptology conference on advances in cryptology, CRYPTO’89. Springer-Verlag, London, UK, pp 307–315
Yu H, Kaminsky M, Gibbons PB, Flaxman A (2006) SybilGuard: defending against Sybil attacks via social networks. SIGCOMM Comput Commun Rev 36:267–278
Condie T, Kacholia V, Sankararaman S, Maniatis P, Hellerstein JM (2005) Maelstrom: churn as shelter. Tech. Rep. UCB/EECS-2005-11, University of California Berkeley
Shamir A (1985) Identity-based cryptosystems and signature schemes. In: Proceedings of CRYPTO 84 on advances in cryptology. Springer-Verlag New York, Inc., New York, NY, USA, pp 47–53
Farrell S, Housley R, Turner S (2010) An internet attribute certificate profile for authorization, RFC 5755 (standard). http://www.ietf.org/rfc/rfc5755.txt
Cerri D, Ghioni A, Paraboschi S, Tiraboschi S (2005) ID mapping attacks in P2P networks. In: IEEE global telecommunications conference, GLOBECOM’05, vol 3
Suárez Touceda D, Sierra JM, Izquierdo A, Schulzrinne H (2011) Survey of attacks and defenses on P2PSIP communications. IEEE Commun Surv Tutor. doi:10.1109/SURV.2011.060711.00152
Information Technology Laboratory (2008) NIST, Gaithersburg, USA, FIPS 180-3. Secure Hash Standard
Stoica I, Morris R, Karger D, Kaashoek MF, Balakrishnan H (2001) Chord: a scalable peer-to-peer lookup service for internet applications. In: Proceedings of the 2001 conference on applications, technologies, architectures, and protocols for computer communications, SIGCOMM ’01. ACM, New York, NY, USA, pp 149–160
Castro M, Druschel P, Ganesh A, Rowstron A, Wallach DS (2002) Secure routing for structured peer-to-peer overlay networks. In: Proceedings of the 5th symposium on operating systems design and implementation, OSDI ’02. ACM, New York, NY, USA, pp 299–314
Bryan D, Lowekamp B, Zangrilli M (2008) The design of a versatile, secure P2PSIP communications architecture for the public internet. In: IEEE international symposium on parallel and distributed processing, IPDPS. IEEE Computer Society, Washington, DC, USA, pp 1–8
Borisov N (2006) Computational puzzles as sybil defenses. In: Proceedings of the sixth IEEE international conference on peer-to-peer computing, P2P ’06. IEEE Computer Society, Washington, DC, USA, pp 171–176
Zhou L, Haas ZJ (1999) Securing ad hoc networks. IEEE Netw 13(6):24–30
Kong J, Zerfos P, Luo H, Lu S, Zhang L (2001) Providing robust and ubiquitous security support for mobile ad hoc networks. In: Proceedings of the ninth international conference on network protocols, ICNP ’01. IEEE Computer Society, Washington, DC, USA
Shamir A (1979) How to share a secret. Commun ACM 22(11):612–613
Pedersen TP (1991) A threshold cryptosystem without a trusted party. In: Proceedings of the 10th annual international conference on theory and application of cryptographic techniques, EUROCRYPT’91. Springer-Verlag, Berlin, Heidelberg, pp 522–526
Saxena N, Tsudik G, Yi JH (2007) Threshold cryptography in P2P and MANETs: the case of access control. Comput Networks 51(12):3632–3649
Merwe JVD, Dawoud D, McDonald S (2007) A survey on peer-to-peer key management for mobile ad hoc networks. ACM Comput Surv 39(1):1–45
Yu H, Gibbons PB, Kaminsky M, Xiao F (2008) Sybillimit: a near-optimal social network defense against sybil attacks. In: Proceedings of the 2008 IEEE symposium on security and privacy. IEEE Computer Society, Washington, DC, USA, pp 3–17
Danezis G, Mittal P (2009) SybilInfer: detecting sybil nodes using social networks. In: 16th annual network & distributed system security symposium, NDSS’09. The Internet Society
Eronen P, Tschofenig H (2005) Pre-shared key ciphersuites for transport layer security (TLS). RFC 4279 (proposed standard). http://www.ietf.org/rfc/rfc4279.txt
Taylor D, Wu T, Mavrogiannopoulos N, Perrin T (2007) Using the Secure Remote Password (SRP) protocol for TLS authentication, RFC 5054 (informational). http://www.ietf.org/rfc/rfc5054.txt
Dierks T, Rescorla E (2005) The transport layer security (TLS) protocol version 1.2. RFC 5246 (proposed standard). http://www.ietf.org/rfc/rfc5246.txt
Rescorla E, Modadugu N (2006) Datagram transport layer security. RFC 4347 (proposed standard). http://www.ietf.org/rfc/rfc4347.txt
Scheideler C (2005) How to spread adversarial nodes?: rotate! In: Proceedings of the thirty-seventh annual ACM symposium on theory of computing, STOC ’05. ACM, New York, NY, USA, pp 704–713
Butler KRB, Ryu S, Traynor P, McDaniel PD (2009) Leveraging identity-based cryptography for node ID assignment in structured P2P systems. IEEE Trans Parallel Distrib Syst 20(12):1803–1815
James N, Shi E, Song D, Perrig A (2004) The sybil attack in sensor networks: analysis & defenses. In: Proceedings of the 3rd international symposium on information processing in sensor networks, IPSN ’04. ACM, New York, NY, USA, pp 259–268
ITU (2005) ITU-T recommendation X.509: the directory: public key and attribute certificate frameworks. Tech. rep. ITU
Cooper D, Santesson S, Farrell S, Boeyen S, Housley R, Polk W (2008) Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile. RFC 5280 (proposed standard). http://www.ietf.org/rfc/rfc5280.txt
Dinger J, Waldhorst OP (2009) Decentralized bootstrapping of P2P systems: a practical view. In: Proceedings of the 8th international IFIP-TC 6 networking conference, Networking ’09. Springer-Verlag, Heidelberg, Germany, pp 703–715
Cramer C, Kutzner K, Fuhrmann T (2004) Bootstrapping locality-aware P2P networks. In: Proceedings of the 12th IEEE international conference on networks. ICON 2004, vol 1, pp 357–361
Gennaro R, Jarecki S, Krawczyk H, Rabin T (1996) Robust threshold DSS signatures. In: Proceedings of the 15th annual international conference on theory and application of cryptographic techniques, EUROCRYPT’96. Springer-Verlag, Berlin, Heidelberg, pp 354–371
Gennaro R, Jarecki S, Krawczyk H, Rabin T (2007) Secure distributed key generation for discrete-log based cryptosystems. J Cryptol 20(1):51–83. doi:10.1007/s00145-006-0347-3
Blum T, Paar C (1999) Montgomery modular exponentiation on reconfigurable hardware. In: 14th IEEE symposium on computer arithmetic, ARITH-14. IEEE Computer Society, Washington, DC, USA, pp 70–77
NIST Information Technology Laboratory (2009) FIPS 186-3: Digital Signature Standard (DSS). NIST, Gaithersburg, USA
Schoof R (2008) Four primality testing algorithms. Algorithmic Number Theory 44:101–126
Cite this article
Suárez Touceda, D., Sierra Cámara, J.M. & Soriano, M. Decentralized certification scheme for secure admission in on-the-fly peer-to-peer systems. Peer-to-Peer Netw. Appl. 5, 105–124 (2012). https://doi.org/10.1007/s12083-011-0113-7
DOI: https://doi.org/10.1007/s12083-011-0113-7