Pseudo Trust: Zero-Knowledge Based Authentication in Anonymous Peer-to-Peer Protocols
Li Lu, Lei Hu
State Key Lab of Information Security, Graduate School of Chinese Academy of Sciences
Jinsong Han, Yunhao Liu, Lionel M. Ni
Dept. of Computer Science and Engineering, Hong Kong University of Science and Technology
Jinpeng Huai
School of Computer Science, State Key Lab of Software Developing Environment, Beihang University
Authentication
To make one person trust another. Whoever is talking to whom must be as valid as he or she claims to be.
Is he/she the valid person who is searching a public database?
Is he/she the valid person who provides you a movie without a virus?
Is the collaborating company legal?
Is it a cheater who sends you an e-mail?
However…
Your machine may be accessed by a hacker.
You may receive fraudulent advertisements via e-mail.
The goal of authentication: a host will communicate with a server while being able to determine its identity.
Anonymity or Privacy
The right to be let alone: one of the rights most cherished by people. Who is talking to whom should be confidential or private on the Internet.
Who is searching a public database?
Which movie are you downloading?
Which companies are collaborating?
Who are you talking to via e-mail?
However…
Your machine’s IP uniquely identifies you across web sites.
Nothing illegal about cross-referencing.
The goal of Internet anonymity: a host can communicate with a server while nobody can determine its identity.
www.ticket-agency.com
www.insurance-advertisement.com
Previous approaches: Authentication
Authentication in P2P is used to help evaluate the reputations of peers: to know who wants to download or search from whom. Indeed, current P2P trust designs are identity-based, where one peer does not trust another before knowing its identity. They do not try to protect the anonymity of peers' identities.
Previous approaches: Anonymity
Anonymity is the state of being indistinguishable from other members of some group: nobody knows who is searching or downloading what from whom. The main goal is to hide the initiator’s and responder’s real identities, such as IP address, post address, etc. These approaches do not try to authenticate the validity of peers.
Anonymity Examples: Mix & Onion
[Figure: message M relayed through nodes A, B, C, D in layered (onion) form; labels: public keys, IP addresses IPB, IPC, IPD]
Anonymity Example: APFS
Server
Client
However, APFS is just for file delivery, without identity authentication.
Tradeoff
Authentication is identity-based: it leaks the real identity of the peer, such as IP address, post address…
Anonymity is to hide the identity: it is vulnerable to many active attacks, especially impersonation and man-in-the-middle attack.
Basic goal: A New Mutual Anonymity Authentication for P2P
Non-ID-based authentication
No need to know the real identity of a peer before authentication.
Pseudonym-based authentication.
Invulnerable to many active attacks.
Impersonation
Man-in-Middle-Attack
Replay…
Lightweight: efficient pseudonym generation and authentication.
Query and Downloading in Unstructured P2P Systems
• Flooding based query
• Reversed path based response
• Direct downloading
[Figure labels: Initiator, Query, Responder, Response, Downloading]
Pseudonym generation
We use a cryptographic hash function $h$ to generate the pseudonym $PI$:
$Seed = h(ID, p_1, p_2)$
$PI = h(Seed, n)$
where the modulus $n = p_1 p_2$, and $p_1$, $p_2$ are two big primes.
These two primes are kept as the peer’s secrets. Due to the one-way and collision-resistant properties of the hash function, a malicious peer cannot impersonate another peer’s pseudonym.
Our Design: Pseudo Trust
[Figure, query sending: Initiator I, tail node IT, Responder R; onion path; flooding; query q]
[Figure, response: Initiator I, Responder R; query q; "Response; prove your pseudonym."; TCP link; tail nodes IT and RT; onion path between I and IT; onion path between R and RT]
Mutual authentication
[Figure: Initiator I, tail node IT, Responder R, tail node RT; onion path between I and IT; onion path between R and RT; TCP link; message labels: authentication request, challenge message, request verification, proof generation, proof verification]
Responder authenticates initiator.
Similar procedure for Initiator authenticating responder
Remarks on mutual authentication
The zero-knowledge identification protocol is used to implement pseudonym-based authentication. Session key exchange is embedded in the mutual authentication. After authentication, the initiator and responder can use the session key to protect file confidentiality and integrity, for example, using symmetric-key encryption and a message authentication code.
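The pseudonym generation and the challenge / proof generation / proof verification steps described above, as an added example that is not code from the slides or the authors. Assumptions: the slides do not name the zero-knowledge protocol or the hash, so this uses a Feige-Fiat-Shamir-style round over quadratic residues modulo n with SHA-256; the primes are constructed demo values, all function names are illustrative, and the binding between the pseudonym and the public residues (the pseudonym certificate) is not shown.

```python
import hashlib
import math
import secrets

P1, P2 = 2**61 - 1, 2**89 - 1   # constructed demo primes; far too small for real use

def h(*parts: bytes) -> bytes:
    """Hash length-prefixed parts. SHA-256 is an assumption; the slides name no hash."""
    d = hashlib.sha256()
    for part in parts:
        d.update(len(part).to_bytes(4, "big") + part)
    return d.digest()

def i2b(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8, "big")

def make_pseudonym(peer_id: bytes, p1: int, p2: int):
    n = p1 * p2                              # public modulus; p1 and p2 stay secret
    seed = h(peer_id, i2b(p1), i2b(p2))      # Seed = h(ID, p1, p2)
    return h(seed, i2b(n)), n                # PI = h(Seed, n)

def keygen(n: int, k: int):
    """k secrets s_i coprime to n and public quadratic residues v_i = s_i^2 mod n."""
    s = []
    while len(s) < k:
        c = secrets.randbelow(n - 2) + 2
        if math.gcd(c, n) == 1:
            s.append(c)
    return s, [pow(c, 2, n) for c in s]

def commit(n: int):
    r = secrets.randbelow(n - 2) + 2         # fresh per round; reusing r leaks secrets
    return r, pow(r, 2, n)                   # prover keeps r, sends x = r^2 mod n

def prove(n, s, r, e):
    """Proof generation: y = r * product of s_i with challenge bit e_i = 1, mod n."""
    return r * math.prod(s_i for s_i, e_i in zip(s, e) if e_i) % n

def verify(n, v, x, e, y):
    """Proof verification: y^2 == x * product of selected v_i; reject degenerate x."""
    rhs = x * math.prod(v_i for v_i, e_i in zip(v, e) if e_i) % n
    return rhs != 0 and pow(y, 2, n) == rhs

def run_round(n, s, v):
    r, x = commit(n)
    e = [secrets.randbelow(2) for _ in v]    # verifier's random challenge bits
    return verify(n, v, x, e, prove(n, s, r, e))
```

With k residues per round, a prover who does not know the secrets passes only by guessing all k challenge bits in advance, which is why the measurements in the slides vary the number of quadratic residues.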
Several important issues
Security: anonymity degree, impersonation, man-in-the-middle attack
Overhead: traffic overhead, cryptographic overhead
Response time of queries
Security Analysis
Complete anonymity.
Resistant to impersonation and replay.
A man-in-the-middle attacker gets nothing from authentication.
Resistant to inner attacks:
Tail nodes are attackers.
Initiator or responder is an attacker.
Trace Driven Simulation
Physical network: Gnutella. Overlay network: DSS Clip2 trace. Simulated in a variety of network sizes ranging from hundreds to thousands. For each simulation, we take the average result from 1,000 runs.
[Figure: cumulative percentage vs. time (seconds); curves: Gnutella, APFS, Direct Authentication, PT]
The response time of APFS is approximately 3 times that of overt Gnutella, while PT is around 7 times that of overt Gnutella.
The time consumed in anonymous paths of PT constitutes a major part of the whole latency.
The time consumption of authentication is indeed trivial.
Response Time
[Figure: traffic stretch vs. search scope]
Traffic Overhead
The figure above plots the extra traffic cost brought about by authentication procedures.
Traffic stretch is defined as the ratio between the traffic cost of PT plus Gnutella and that of Gnutella only.
Prototype Implementation
We implemented a prototype in our labs at the Chinese Academy of Sciences, the campus of Beihang University and Hong Kong University of Science and Technology. We test:
The extra computation overhead caused by PT.
Overall latency of pseudo identity authentication procedures in the Internet environment.
Computational Overhead
[Figure, three panels (pseudonym certificate generation, proof generation, verification): time consumption (ms) vs. number of quadratic residues; curves: PIV 2.66G, PIV 1.8G, PM 1.4G, PIII 450M]
Time Consumption in Message Transmission
[Figure, three panels (CAN test, MAN test, WAN test): time consumption (ms) vs. number of quadratic residues; curves: length of moduli n = 2048 bits, length of moduli n = 1024 bits]