Peer-to-Peer Information Systems Week 13: Trust Old Dominion University Department of Computer Science CS 495/595 Fall 2003 Michael L. Nelson 11/17/03.

Slides:



Advertisements
Similar presentations
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
Advertisements

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Internet Security Protocols
The Mobile Code Paradigm and Its Security Issues Anthony Chan and Michael Lyu September 27, 1999.
TrustMe: Anonymous Management of Trust Relationships in Decentralized P2P Systems Aameek Singh and Ling Liu Presented by: Korporn Panyim.
A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Web Security A how to guide on Keeping your Website Safe. By: Robert Black.
Peer-to-Peer Networking By: Peter Diggs Ken Arrant.
A. Frank 1 Internet Resources Discovery (IRD) Peer-to-Peer (P2P) Technology (1) Thanks to Carmit Valit and Olga Gamayunov.
Freenet A Distributed Anonymous Information Storage and Retrieval System I Clarke O Sandberg I Clarke O Sandberg B WileyT W Hong.
Mobile Code and Worms By Mitun Sinha Pandurang Kamat 04/16/2003.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
1 Integrating ISA Server and Exchange Server. 2 How works.
1 Enabling Secure Internet Access with ISA Server.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Course 201 – Administration, Content Inspection and SSL VPN
Chapter 5 Roles and features. objectives Performing management tasks using the Server Manager console Understanding the Windows Server 2008 roles Understanding.
Working with Applications Lesson 7. Objectives Administer Internet Explorer Secure Internet Explorer Configure Application Compatibility Configure Application.
CS 4720 Security CS 4720 – Web & Mobile Systems. CS 4720 The Traditional Security Model The Firewall Approach “Keep the good guys in and the bad guys.
© GlobalSign. A GMO Internet Inc group company. Authentication. Security. Trust. Code Signing Distributing trustworthy software over the Internet.
Security Keys, Signatures, Encryption. Slides by Jyrki Nummenmaa ‘
3-Protecting Systems Dr. John P. Abraham Professor UTPA.
Information Security Fundamentals Major Information Security Problems and Solutions Department of Computer Science Southern Illinois University Edwardsville.
CHAPTER 11 Spoofing Attack. INTRODUCTION Definition Spoofing is the act of using one machine in the network communication to impersonate another. The.
E-Safety E-safety relates to the education of using new technology responsibly and safely focusing on raising awareness of the core messages of safe content,
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
Web Security : Secure Socket Layer Secure Electronic Transaction.
Chapter 21 Distributed System Security Copyright © 2008.
CSCE 201 Web Browser Security Fall CSCE Farkas2 Web Evolution Web Evolution Past: Human usage – HTTP – Static Web pages (HTML) Current: Human.
Crowds: Anonymity for Web Transactions Michael K. Reiter Aviel D. Rubin Jan 31, 2006Presented by – Munawar Hafiz.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
Section 11: Implementing Software Restriction Policies and AppLocker What Is a Software Restriction Policy? Creating a Software Restriction Policy Using.
Freelib: A Self-sustainable Digital Library for Education Community Ashraf Amrou, Kurt Maly, Mohammad Zubair Computer Science Dept., Old Dominion University.
The TAOS Authentication System: Reasoning Formally About Security Brad Karp UCL Computer Science CS GZ03 / M th November, 2008.
Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
CS453: Introduction to Information Security for E-Commerce Prof. Tom Horton.
Traditional Security Issues Confidentiality –Prevent unauthorized access or reading of information Integrity –Insure that writing or operations are allowed.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Administering Groups Chapter Eight. Exam Objectives In this Chapter:  Plan a security group hierarchy based upon delegation requirements  Plan a security.
Understand Permissions LESSON Security Fundamentals.
CHAPTER 2 Laws of Security. Introduction Laws of security enable user make the judgment about the security of a system. Some of the “laws” are not really.
Active Directory. Computers in organizations Computers are linked together for communication and sharing of resources There is always a need to administer.
CS 347Notes081 CS 347: Parallel and Distributed Data Management Notes 08: P2P Systems.
Network Security Celia Li Computer Science and Engineering York University.
Distributed Systems Ryan Chris Van Kevin. Kinds of Systems Distributed Operating System –Offers Transparent View of Network –Controls multiprocessors.
Active X and Signed Applets Chad Bollard. Overview ActiveX  Security Features  Hidden Problems Signed Applets  Security Features  Security Problems.
Web Database Security Session 12 & 13 Matakuliah: Web Database Tahun: 2008.
SECURITY. Security Threats, Policies, and Mechanisms There are four types of security threats to consider 1. Interception 2 Interruption 3. Modification.
Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.
Heat-seeking Honeypots: Design and Experience John P. John, Fang Yu, Yinglian Xie, Arvind Krishnamurthy and Martin Abadi WWW 2011 Presented by Elias P.
Peer-to-Peer Information Systems Week 11: Trust Old Dominion University Department of Computer Science CS 495/595 Fall 2004 Michael L. Nelson 11/09/04.
Peer-to-Peer Information Systems Week 12: Naming
BUILD SECURE PRODUCTS AND SERVICES
WWW and HTTP King Fahd University of Petroleum & Minerals
Outline What does the OS protect? Authentication for operating systems
CHAPTER 3 Architectures for Distributed Systems
Outline What does the OS protect? Authentication for operating systems
CompTIA Server+ Certification (Exam SK0-004)
Using SSL – Secure Socket Layer
Web Privacy Chapter 6 – pp 125 – /12/9 Y K Choi.
Bethesda Cybersecurity Club
Chapter 7 – and 8 pp 155 – 202 of Web security by Lincoln D. Stein
Peer-to-Peer Information Systems Week 14: Assignment #6
Designing IIS Security (IIS – Internet Information Service)
Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Peer-to-Peer Information Systems Week 12: Naming
Peer-to-Peer Information Systems Assignment #6
Peer-to-Peer Information Systems Week 7: Anonymity Part 2
Presentation transcript:

Peer-to-Peer Information Systems Week 13: Trust Old Dominion University Department of Computer Science CS 495/595 Fall 2003 Michael L. Nelson 11/17/03

Trust (in Real Life) Trust in real life is increased by: –establishing positive reputations and networks for conveying these reputations –decreasing the number of people that have to be trusted –reducing risk However, in chapter 15 the focus is not on increasing trustworthiness, but rather reducing the requirement for trust –“the ideal trusted system is on that everyone has confidence in because they do not have to trust it”

Trust When Downloading Software RiskSolutionTrust Principle S/W doesn’t behave as advertised, and may even damage your system Only download s/w from companies/individuals who have established a good reputation, or those you know where to find should a problem occur Look for positive reputations S/W is modified (on server or in transit) Check for digital signature on message digest and verify signature against author’s certificate Use tools that accurately convey reputations Your downloads (and other activities) are logged by your ISP or other parties Use an anonymity tool so other parties do not get access to information that might link you to a particular download Reduce risk Table 15.1, p. 245

S/W Reputations in P2P Systems Not every P2P software package ties into an established entity with significant reputation credentials –e.g.: how would you bootstrap the distribution of the s/w we have developed in class? –similarly, where does one go to get a canonical Gnutella client? P2P and traditional notions of trust (or “branding”) are somewhat incompatible…

Detecting Tampering Assuming the organization / person you are downloading from is trustworthy, how do you know that: –the s/w was not modified on their server? –the s/w was not modified in transit? Message digest (e.g. MD5) can be used to alert to modifications –but clever attackers will modify the digest value Digital signatures can be used to “tamper-proof” the message digest –assumes integrity of the authors private key…

Sandboxing & Wrapping Many programs are in place to limit damage to the computer system, whether malicious or unintentional –for example, the OS limits your actions to your files, not the the files of others Java applets, for example, run in sandbox mode to prevent nasty things like file deletion But what of open source software? –if you install MS Office, you are trusting that it will not do anything bad –how would you convince others to trust your P2P app?

Web Server Logging anonymizer.com this portion of the transaction is visible will not reveal your IP (and thus your identity) to the remote server presumably, the anonymizing proxy can be trusted… is this a good assumption?

Web Server Logging SSL will prevent eavesdropping, but reveal your identity to the remote server

Web Server Logging …a mix network will encrypt the traffic and hide your identity from the server crowds will hide your identify and provide plausible deniability on the local side… but what if the mix network was installed by the RIAA? what if a crowd participants returned random pages?

Trust and Searching How well do you trust the query results of: –an Internet search engine? –100s s of distributed clients? Do the results really match your query? –malice, e.g.: RIAA returns MP3s that say “stealing music is bad” queries are changed to reflect the preferences of node operators –accident, e.g.: nodes are down query is damaged lack of authority files (“which version of _Louie Louie_”) content is 404

Building Trust / Reputation Into Our P2P Application What if we built a reputation metric into our system? Possible ideas: –content quality 1 = perfect transaction 0.5 = peer was confused or had errors 0.0 = peer lied about the content –duration keep track of the number of transactions

Trust: Local vs. Remote Certainly users are best suited to determine their own experience of trust… But this is simply automating what a single user experiences anyway… –this advises based on past transactions, but does not advise regarding unknown partners How do we: –bootstrap the system? –share reputations with friends? –avoid “bad” nodes? –not punish late arrivers?

Proposed Solution modify the friends list to be: cirrus.cs.edu 3923 VTRULZ <trust average=“0.95” total=“25.65” frequency=“27”>

Remote Trust further modify the friends list: cirrus.cs.odu.edu 3923 VTRULZ <trust average=“0.95” total=“25.65” frequency=“27” \> <friendsTrust average=“0.90” total=“315” frequency=“350” contributors=“11” \>

Exchanging Trust “listFriends” verb –can be issued periodically or on demand –of course, you would issue this only on the friends you trust –also would increase the list of known peers

Identifying Bad Sites Listing “bad” friends will inform others as well as maintain your own “opinion” of a host … riaa.cs.odu.edu 4000 VTRULZ <trust average=“0.125” total=“0.5” frequency=“4” \> <friendsTrust average=“0.066” total=“1” frequency=“15” contributors=“6”\>

Managing the Lists listFriends –returns a element listBadFriends –return a element borrows the same schema from

Peer Configurability Trust comes at a price -- increased semantic load for the user: –specify trust metric threshold only interact with friends I trust at >= X –specify age preference only interact with friends I trust at >=X and have N trusted transactions logged

Late Joiners So I find out about your client 6 months after everyone else… how do I join the system if everyone is only trusting peers with age and longevity? Options: –allow user specifiable “grace” period for new nodes; e.g.: trust >= 0.5; transactions <=10

Friends of My Friends is a cumulative metric… –but how much more important is it than my experiences? User parameter example: –local trust = 0.7 –remote trust = 0.3 Total trust is now a configurable weighted metric –must account for situations where either local or remote trust is not (yet) defined

Extracting Feedback From the User Don’t annoy the users… –should be able to turn the whole thing off/on –should be able to specify semantics of: “trust this user now” “always trust this user” –silently give all their transactions top marks “never trust this user” –no matter what my friends say etc. –have (configurable) default values for transaction rating

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.