Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 The Sybil Attack John R. Douceur Microsoft Research Presented for Cs294-4 by Benjamin Poon.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "1 The Sybil Attack John R. Douceur Microsoft Research Presented for Cs294-4 by Benjamin Poon."— Presentation transcript:

1 1 The Sybil Attack John R. Douceur Microsoft Research Presented for Cs294-4 by Benjamin Poon

2 Cs294-4 Benjamin Poon bpoon@uclink.berkeley.edu2 Outline Background Motivation Model Lemmas Conclusion

3 Cs294-4 Benjamin Poon bpoon@uclink.berkeley.edu3 Outline Background Motivation Model Lemmas Conclusion

4 Cs294-4 Benjamin Poon bpoon@uclink.berkeley.edu4 Background P2P systems use multiple, independent entities to mitigate possible damage by other hostile entities Replication Computations Storage Fragmentation Protects against privacy violations Sybil Attack Attacker can assume multiple identities Aims to control substantial fraction of system

5 Cs294-4 Benjamin Poon bpoon@uclink.berkeley.edu5 Motivation (1/2) Must protect against Sybil Attack Using replication or fragmentation requires ability to determine if entities are really different Paper claims Sybil attacks always possible except under extreme, unrealistic assumptions Need logically centralized authority

6 Cs294-4 Benjamin Poon bpoon@uclink.berkeley.edu6 Motivation (2/2) Centralized authority possibilities VeriSign Explicit certification CFS (cooperative storage) Identities assigned using hash of IP address Problem? SFS (network file system) Identities assigned using host identifier + DNS name EMBASSY (multiparty trust system) Identities assigned using hardware-embedded cryptographic keys Issues?

7 Cs294-4 Benjamin Poon bpoon@uclink.berkeley.edu7 Outline Background Motivation Model Lemmas Conclusion

8 Cs294-4 Benjamin Poon bpoon@uclink.berkeley.edu8 Model – Overview Generic distributed computing environment Entities E Correct C union Faulty F = E Send messages Pipe Messages  cloud Messages Uninterrupted, finite-length bit string Cloud Broadcast Bounded time Guaranteed Unordered

9 Cs294-4 Benjamin Poon bpoon@uclink.berkeley.edu9 Model – Definitions Identity Abstract representation that persists across multiple communication events Entities perceive other entities through identities Present Each entity presents an identity to other entities in the system Local entity L A specific entity that results are stated with respect to Accept If an entity e successfully presents an identity i for itself to L, L accepts i

10 Cs294-4 Benjamin Poon bpoon@uclink.berkeley.edu10 Model – Characteristics General Leaves internals of cloud unspecified Includes any topology/geometry Friendly Limits obstructive power of corrupt entities DoS attacks not possible Strengthens negative results Q: Any drawbacks of the model?

11 Cs294-4 Benjamin Poon bpoon@uclink.berkeley.edu11 Model – Resources Entities can perform operations with complexity polynomial in n Allows public-key cryptography Entities can establish point-to-point communication

12 Cs294-4 Benjamin Poon bpoon@uclink.berkeley.edu12 Model – Main Idea Each entity e attempts to present one legitimate identity Each faulty entity f additionally attempts to present one or more counterfeit identities Goal: system should accept all legitimate identities, zero counterfeit

13 Cs294-4 Benjamin Poon bpoon@uclink.berkeley.edu13 Outline Background Motivation Model Lemmas Conclusion

14 Cs294-4 Benjamin Poon bpoon@uclink.berkeley.edu14 Lemmas Four lemmas Collectively show impracticality of establishing distinct identities in large-scale distributed system Proofs trivial (refer to paper) In absence of trusted authority, entities accept identities only when identity is: 1. Validated by entity itself (direct validation) Lemmas 1 and 2 2. Vouched for by other already validated identities (indirect validation) Lemmas 3 and 4

15 Cs294-4 Benjamin Poon bpoon@uclink.berkeley.edu15 Lemma 1: Resources Let min = minimally capable entity R x = resources of x ρ = R f / R min f can present floor(ρ) distinct identities to L

16 Cs294-4 Benjamin Poon bpoon@uclink.berkeley.edu16 Lemma 1: Resources Gives lower bound on damage achievable by f Achieve upper bound by exploiting limitations in resources Communication: L broadcasts request for identities and accept replies that come within given time interval Storage: L challenges identities to store large amount of unique, uncompressible data Computation: L challenges identities to solve unique computational puzzle

17 Cs294-4 Benjamin Poon bpoon@uclink.berkeley.edu17 Lemma 1: Resources Computational puzzle example Generate large random value y Challenge identity to find (in limited time) pair of values x and z such that least significant n bits of hash(x | y | z) = 0 Given y, find x, z s.t. LSB n (hash(x | y | z)) = 0 Time to solve proportional to 2 n-1 Time to verify constant

18 Cs294-4 Benjamin Poon bpoon@uclink.berkeley.edu18 Lemma 2: Concurrency If L accepts entities not validated simultaneously f presents a distinct identity to L using R f R f is freed and f repeats process Single f can present many counterfeit identities to L

19 Cs294-4 Benjamin Poon bpoon@uclink.berkeley.edu19 Lemma 2: Concurrency Works for temporal resources (computation and communication), not storage L can indefinitely extend challenge duration: periodically demand different data excerpts Challenge consumes R, so real work limited

20 Cs294-4 Benjamin Poon bpoon@uclink.berkeley.edu20 Lemma 3: Resources If L accepts any identity vouched for by q accepted identities, a group F can present many counterfeit identities to L if either: Size of group F >= q R F >= resources taken by q + |F| minimally capable entities

21 Cs294-4 Benjamin Poon bpoon@uclink.berkeley.edu21 Lemma 4: Concurrency If correct entities C do not coordinate time intervals to accept identities, and if L accepts any identity vouched for by q accepted identities Minimally capable f can present floor( |C| / q ) counterfeit identities to L

22 Cs294-4 Benjamin Poon bpoon@uclink.berkeley.edu22 Lemma 4: Concurrency Shows need for multiple entities in C to issue concurrent challenges May or may not be possible depending on resource Communication: possible because of broadcast cloud Storage: information theory says “probably not” Computation: possible by combining puzzles

23 Cs294-4 Benjamin Poon bpoon@uclink.berkeley.edu23 Lemma 4: Concurrency Simultaneous computational puzzle example Same puzzle, but has m of them to solve Given m puzzles y1, y2, …, ym, find w s.t. LSB n (hash(0 | y1 | y2 | … | ym | w)) = 0 Solution to each puzzle yk is x k = 0 | y1 | y2 | … | y k-1 and z k = y k-1 | … | ym | w If validating entity challenges m identities all made by one f, then f can use this method Validating entity can check if this happens by x1 | y1 | z1 = x2 | y2 | z2

24 Cs294-4 Benjamin Poon bpoon@uclink.berkeley.edu24 Outline Background Motivation Model Lemmas Conclusion

25 Cs294-4 Benjamin Poon bpoon@uclink.berkeley.edu25 Conclusion Without centralized authority, Sybil attacks always possible except when: All entities have nearly identical resources All presented identities are validated simultaneously When accepting identities not directly validated, required number of vouchers exceeds number of system-wide failures Not justifiable as assumptions Not practically realizable as requirements

26 Cs294-4 Benjamin Poon bpoon@uclink.berkeley.edu26 Pros/Cons Pros General model for distributed computing environments with well thought-out reasons behind design Good reminder to keep Sybil attacks in mind when designing large-scale distributed systems Cons Leaves the fact that faulty nodes can solve multiple puzzles by combining them

Download ppt "1 The Sybil Attack John R. Douceur Microsoft Research Presented for Cs294-4 by Benjamin Poon."

Similar presentations

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
The Sybil Attack By John R. Douceur Presented by Samuel Petreski March 31, 2009.

The Sybil Attack By John R. Douceur Presented by Samuel Petreski March 31, 2009.
Scalable Content-Addressable Network Lintao Liu 2001.11.19.

Scalable Content-Addressable Network Lintao Liu
Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.

Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.
A Survey of Secure Wireless Ad Hoc Routing

A Survey of Secure Wireless Ad Hoc Routing
Authors Haifeng Yu, Michael Kaminsky, Phillip B. Gibbons, Abraham Flaxman Presented by: Jonathan di Costanzo & Muhammad Atif Qureshi 1.

Authors Haifeng Yu, Michael Kaminsky, Phillip B. Gibbons, Abraham Flaxman Presented by: Jonathan di Costanzo & Muhammad Atif Qureshi 1.
© 2007 Levente Buttyán and Jean-Pierre Hubaux Security and Cooperation in Wireless Networks Chapter 4: Naming and addressing.

© 2007 Levente Buttyán and Jean-Pierre Hubaux Security and Cooperation in Wireless Networks Chapter 4: Naming and addressing.
Samsara: Honor Among Thieves in Peer-to-Peer Storage Landon P. Cox and Brian D. Noble University of Michigan.

Samsara: Honor Among Thieves in Peer-to-Peer Storage Landon P. Cox and Brian D. Noble University of Michigan.
Protecting User Data in Ubiquitous Computing: Towards Trustworthy Environments Yitao Duan and John Canny UC Berkeley.

Protecting User Data in Ubiquitous Computing: Towards Trustworthy Environments Yitao Duan and John Canny UC Berkeley.
Haifeng Yu National University of Singapore

Haifeng Yu National University of Singapore
SIA: Secure Information Aggregation in Sensor Networks Bartosz Przydatek, Dawn Song, Adrian Perrig Carnegie Mellon University Carl Hartung CSCI 7143: Secure.

SIA: Secure Information Aggregation in Sensor Networks Bartosz Przydatek, Dawn Song, Adrian Perrig Carnegie Mellon University Carl Hartung CSCI 7143: Secure.
Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.

Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.
Small-world Overlay P2P Network

Small-world Overlay P2P Network
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
FRIENDS: File Retrieval In a dEcentralized Network Distribution System Steven Huang, Kevin Li Computer Science and Engineering University of California,

FRIENDS: File Retrieval In a dEcentralized Network Distribution System Steven Huang, Kevin Li Computer Science and Engineering University of California,
Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers.

Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers.
Group Communication Phuong Hoai Ha & Yi Zhang Introduction to Lab. assignments March 24 th, 2004.

Group Communication Phuong Hoai Ha & Yi Zhang Introduction to Lab. assignments March 24 th, 2004.
The Goldreich-Levin Theorem: List-decoding the Hadamard code

The Goldreich-Levin Theorem: List-decoding the Hadamard code
Centre for Wireless Communications University of Oulu, Finland

Centre for Wireless Communications University of Oulu, Finland
Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.

Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.

Similar presentations

Ads by Google