1. Secure Routing for Structured Peer-to-Peer Overlay Networks M. Castro, P. Druschel, A. Ganesh, A. Rowstron and D. S. Wallach Proc. Of the 5 th Usenix Symposium on Operating Systems Design and Implementation, Boston, MA, Dec. 2002

2. Contents Background of P2P overlay network System model & Secure routing Secure nodeId assignment Secure Routing table maintenance Secure message forwarding Conclusion

3. Background of P2P Provide a powerful platform for decentralized services: network storage, content distribution, and application-level multicast. Example P2P overlay networks: CAN, Chord, Pastry and Tapestry An abstract model of P2P overlay network. Replica roots Key’s Root NodeId

4. Pastry A node’s route table has 128/2 b rows and 2 b columns. Each node maintains a neighbor set (“leaf set”) –Includes a set of l nodes with nodeIds that are numerically closes to the present node’s nodeId –l/2 larger than the current nodeId –l/2 smaller than the current nodeId –l is constant for all nodes –A typical value is 8*log 2 b N 1x1x 2x2x 3x3x 4x4x 5x5x 7x7x 8x8x 9x9x axax bxbx cxcx dxdx exex fxfx 60x60x 61x61x 62x62x 63x63x 64x64x 66x66x 67x67x 68x68x 69x69x 6ax6ax 6bx6bx 6cx6cx 6dx6dx 6ex6ex 6fx6fx 650x650x 651x651x 652x652x 653x653x 654x654x 655x655x 656x656x 657x657x 658x658x 659x659x 65bx65bx 65cx65cx 65dx65dx 65ex65ex 65fx65fx 65a0x65a0x 65a2x65a2x 65a3x65a3x 65a4x65a4x 65a5x65a5x 65a6x65a6x 65a7x65a7x 65a8x65a8x 65a9x65a9x 65aax65aax 65abx65abx 65acx65acx 65adx65adx 65aex65aex 65afx65afx 0x0x Routing table of a Pastry node with nodeId 65a1x, b=4. Digits are in base 16, x represents an arbitrary suffix

5. Message routing in Pastry Routing a message from node 65a1 f c with key d46a1c. The dots depict live nodes in Pastry’s circular namespace. 1x1x 2x2x 3x3x 4x4x 5x5x 7x7x 8x8x 9x9x axax bxbx cxcx dxdx exex fxfx 60x60x 61x61x 62x62x 63x63x 64x64x 66x66x 67x67x 68x68x 69x69x 6ax6ax 6bx6bx 6cx6cx 6dx6dx 6ex6ex 6fx6fx 650x650x 651x651x 652x652x 653x653x 654x654x 655x655x 656x656x 657x657x 658x658x 659x659x 65bx65bx 65cx65cx 65dx65dx 65ex65ex 65fx65fx 65a0x65a0x 65a2x65a2x 65a3x65a3x 65a4x65a4x 65a5x65a5x 65a6x65a6x 65a7x65a7x 65a8x65a8x 65a9x65a9x 65aax65aax 65abx65abx 65acx65acx 65adx65adx 65aex65aex 65afx65afx 0x0x

6. System model & Secure Routing System model –N: size of the overlay network –f : 0<= f < 1, fraction of faulty nodes –c: 1/N <= c <= f, size of collude nodes. (c=f) –Each node has a static IP address Secure Routing –Secure routing primitive: ensures that when a non-faulty node sends a message to a key k, the message reaches all non-faulty member in the set of replica roots R k with very high probability. –Securely assigning nodeIds to nodes –Securely maintain the routing tables –Securely forwarding messages

7. Secure nodeId assignment Goal –ensure that an attacker cannot choose the value of nodeId assigned to the nodes that the attacker controls. Attacks –By carefully choosing nodeIds, attack a victim node’s routing table –Control access to target objects by choosing closest nodeIds to all replica key. –Obtain a large number of legitimate nodeIds. Solutions –Centralized - Certified nodeId A set of trusted certification authorities (CAs) to assign nodeIds and to assign nodeId certificates. The nodeId certificate binds a random nodeId to the public key Nodes with valid certificates can join the overlay network CAs are not involved in the overlay network

8. –Decentralized Require prospective node to solve cryto puzzle to gain a nodeId. –The cost to solving a crypto puzzle must be acceptable to legitimate node but hard enough to slow down attackers --- conflict Simple approach using crypto puzzle –Each node generates a key pair: public key and private key –SHA-1(I, K) has the first p bits zero –I—initialization vector or MD5 –K – public key –The expected number of operations required to generate such a key pair is 2^p. –NodeId = SHA-1(I, K) Periodically invalidate nodeIds

9. Secure routing table maintenance Goal –Ensure that the fraction of faulty nodes that appears in the routing tables of correct nodes does not exceed f. Attacks –Attackers fake proximity to increate the fraction of bad routing table entries A correct node p sends a probe to estimate delay to a faulty node. An attacker intercepts the probe and have the faulty node closest to p reply to the probe. –Supply incorrect routing updates while nodes join the overlay network.

10. Secure routing table maintenance (con’t) Solutions – constrained routing table –One routing table that maintains network proximity information for efficient routing (as in Pastry and Tapestry) –The other routing table constraints routing entries (as in Chord).

11. Secure routing table maintenance (con’t) Constraint routing table of a Pastry node with nodeId 65a1x, b=4. Digits are in base 16, x represents an arbitrary suffix 1x1x 2x2x 3x3x 4x4x 5x5x 7x7x 8x8x 9x9x axax bxbx cxcx dxdx exex fxfx 60x60x 61x61x 62x62x 63x63x 64x64x 66x66x 67x67x 68x68x 69x69x 6ax6ax 6bx6bx 6cx6cx 6dx6dx 6ex6ex 6fx6fx 650x650x 651x651x 652x652x 653x653x 654x654x 655x655x 656x656x 657x657x 658x658x 659x659x 65bx65bx 65cx65cx 65dx65dx 65ex65ex 65fx65fx 65a0x65a0x 65a2x65a2x 65a3x65a3x 65a4x65a4x 65a5x65a5x 65a6x65a6x 65a7x65a7x 65a8x65a8x 65a9x65a9x 65aax65aax 65abx65abx 65acx65acx 65adx65adx 65aex65aex 65afx65afx 0x0x 64a1x64a1x 6501x6501x

12. Secure routing table maintenance (con’t) Initialize neighbor set –A newly joining node, n, picks a set of bootstrap nodes –Each bootstrap node obtain neighbor set to n –n picks the “closest” live nodeIds Initialize routing table –Initialize locality-aware routing table –Initialize constraint routing table Use secure forwarding to get live nodeId for each entry p for n’s constraint routing table – too expensive n request its neighbor set’s constraint routing table

13. Secure message forwarding(1) Goal: –Ensures that at lease one copy of a message sent to a key reaches each correct replica root for the key with high probability. Attacks: –Faulty nodes can drop message –route message to the wrong place –Pretend to be the key’s root. –The root node itself may be faulty –The probably of routing successfully to a correct replica node is (1-f)h (h is the average routing hops) b = 4

14. Secure message forwarding(2) Solution –Detect faults and redundant routes Routes a message to the key’s root using locality-aware routing table Collect the prospective set of replica roots from the prospective root node Apply failure test to the set of replica roots. If the test is negative, accept the prospective replica roots as the correct ones. Otherwise, message copies are sent over diverse routes toward the various replica roots

15. Secure message forwarding(3) U rn < U p *γ Routing failure test (Based on the observation: the average density of nodeIds per unit of “volume” in the id space is greater than the average density of faulty nodeIds). –Input: a key x and a set of prospective replica roots for the key x: rn = id0,…, idl+1 –Output: negative or positive –p calculate the average numerical distance U p between consecutive nodesIds in its neighbor set. –P checks All nodeIds in rn have a valid nodeId certificate, the closes nodeId to the key is the middle one, and the nodeIds satisfy the definition of a neighbor set. The average numerical distance U rn in rn satisfies U rn < U p *γ

16. Secure message forwarding(4) Other attacks –Collect old nodeId certificates –Include both nodeIds of nodes it controls and nodeId of correct nodes in a prospective root neighbor set. –nodeId suppression attack Suppress nodeId close to sender, increase β(false negative) Suppress nodeId in root neighbor set, which increaseα(false positive)

17. Redundant Routing While failure test is positive, send message to each replica root via multiple routes. In Pastry, they send message from the source node to all of its neighbors in the p2p overlay. Because nodeIds are random, the neighbors should represent a random, geographically diverse, sampling of the nodes in the p2p overlay. From there, each neighbor node forwards the message toward the target node. If at least one of the neighbors can achieve a successful route, then the message is considered successfully delivered.

18. Redundant route Neighbor set anycast: 1) p sends r messages to the destination key x with a nonce. 2) Any correct node that receives the message and has x’s root in its neighbor set returns its nodeId certificate and the nonce, signed by its private key. 3) p collects in a set N the l/2+1 nodeId certificates closet to x on the left and l/2+1 nodeId certificates closet to x on the right, marked pending. 4) After timeout or r replies are received, p sends a list of nodeIds in N to each node in N. and mark as done. 5) Any correct node that receives the list forwards p’s original message to the nodes in its neighbor set that are not in the list or returns a confirmation if no such nodes exist. 6) P receives r confirmation or step 4 was executed three times. it computes the set of replica rots for x from N.

19. Simulation results Model and simulation results for the probability of reaching all correct replica roots using redundant routing with neighbor set anycast.

20. Conclusion Presented the design and analysis of techniques for secure node joining, routing table maintenance and message forwarding in p2p overlay Based on modeling and corroborated with simulations, they have measured that this operation can be successful with a 99.9% probability, as long as f<= 30%.