Sepp - Secure P2p Framework

  • Uploaded by: Stefan Kraxberger
  • April 2020
Institute for Applied Information Processing and Communications

Secure Peer-to-Peer Framework
https://sourceforge.net/projects/securep2p
Stefan Kraxberger


Overview
• Motivation
• P2P Networking
• Requirements for Secure P2P
• Security Concept
• SePP Security Protocols
• Current Work & Open Issues


P2P Networking
Structured and unstructured P2P systems
• Structured systems are based on the idea from Plaxton [1]: "how to organize data in a distributed environment to find it efficiently and provide redundancy"
• Unstructured systems can be divided further into
  – Pure (Gnutella 0.4)
  – Centralized (Napster)
  – Hybrid (JXTA)


Other Classes
P2P systems can also be classified by other means
• performance & resources
• underlying physical network
• mobility patterns
• organization & determinism

SePP is a pure self-organizing heterogenous P2P system


Security Requirements
1. Peer ID Generation and Assignment
   – IDs must be unique and undeniable
2. Authentication and Authorization
   – How peers must join the network
3. Route Establishment and Maintenance
   – How to find routes and maintain them
4. Message Transport
   – How to authenticate messages
5. Key Protection
   – How to ensure the integrity and secrecy of the used keys
6. Protection against Attacks
   – How to detect and/or prevent attacks (insider and outsider)


Security Concept [2]
Security concept with different levels to address points 1-5
• Protection against Attacks is treated as added value
• Admission security (IDs, Authentication, Routing)
• Data security (Message Transport)
• Session key protection (Key Protection)


SePP Security Protocols
• SePP Join Protocol
• SePP Routing Protocol
• SePP Merge Protocol
• SePP Neighborhood Protocol


Peer Start
After a peer starts the following steps are performed
1. Obtain the peers specified as neighbors from the configuration
2. Start low level communication services
3. Register components for receiving and sending
4. Start join process (SePP Join Process)
5. Inform API about result


SePP Join Process
Join process consists of the following steps
1. Find and select network
2. Find peer in the selected network with direct connection (neighbor)
3. Execute join protocol
4. Return result and update network status

If no network could be found a new one will be created
– The same process is executed in every peer which has not found any existing suitable network

If more than one network has been found one is selected
– Based on the amount of members and the creation time


Network Creation
Requirements for a SMEPP network
• Peers can join in arbitrary numbers
• Peers can join any number of times
• Networks with same security status can merge
• Peers can switch between different networks
• Ordering between similar networks
• Networks with different routing schemes


Network Creation
Parameters which enforce requirements
– Network id
  • Random number obtained at network creation
– Network routing algorithm
  • Algorithm specified in the configuration
– Network routing key
  • Session key created at network creation depending on the
– Network creation time
  • Time stored at network creation
– Network members (provides indirect network size)
  • Distributed parameter which is updated periodically
– Network neighbors
  • Specified for each peer to find existing network instance


Find Network
• Broadcast a NetworkRequest to the local network and the peers specified in the configuration
• Collect NetworkResponses
• After specified amount of time select best network
  – Suitable network with most peers
  – or if equal which was created first
• Obtain peer of selected network to which we have a direct connection
• Start join protocol with selected peer


SePP Join Protocol
Needham-Schroeder-Lowe protocol
– Mutual entity authentication
– Key authentication
– Key transport (modified version)

If successful the protocol guarantees
– Peer has verified the authenticity of the SePP network
– New peer is verified and authenticated to the SePP network
– Peer has obtained the authentic current routing session key


Needham-Schroeder-Lowe [3]
Protocol steps
1. A → B : Request public key
2. A ← B : PK(B)
   A verifies certificate and identity of B
3. A → B : {Na,A}PK(B)
4. A ← B : Request public key
5. A → B : PK(A)
   B verifies certificate and identity of A
6. A ← B : {Na,Nb,B}PK(A)
   A knows about identity of B
7. A → B : {Nb}PK(B)
   B knows about identity of A
8. A ← B : {Na,Nb,KSMEPP}PK(A)

Na,b … Random number
A, B … Identity (peerId)
Ts … Timestamp (session key time)
PK(A), PK(B) … Public keys of A and B
KSMEPP … SMEPP routing session key


SePP Routing Protocols
• DSR (Dynamic Source Routing)
• Ariadne (Secure on demand routing protocol for ad hoc networks)
• SSR (Simple Secure Routing based on Security Concept)
• AODV (Ad hoc On demand Distance Vector)
• OLSR (Optimized Link State Routing)


Dynamic Source Routing [4]
• The sender of a packet specifies the complete sequence of nodes through which to forward the packet
• Dynamically determines a route based on
  – Cached information
  – The result of a route discovery
• The advantages of DSR
  – No periodic routing advertisement messages
    • bandwidth, battery power
  – Doesn't require transmissions between hosts to work bidirectionally
  – Able to adapt quickly to changes


Dynamic Source Routing
Two basic operation modes
• Route Discovery
• Route Maintenance

• The sender constructs a source route in the packet's header
• If the receiver is the destination host, it sends a route reply, else it forwards the packet
• Each host maintains a route cache
• If no route cache is found, use the route discovery
• Hosts monitor the operation of the route and use the route maintenance


Route Discovery
[Figure: route discovery on an example network of peers 1–8. Route records shown: 1 → 1,2 → 1,2,5 → 1,2,5,7 → 1,2,5,7,8 on one branch and 1 → 1,3 → 1,3,4 → 1,3,4,6 on the other.]


Route Maintenance
[Figure: route maintenance on an example network of peers 1–8. Labels shown: RERR (2,5); route entries 1,2,5,7,8 and 1,10,11,13 …]


Ariadne [6]
• Based on DSR but adds security against well known attacks
• Uses either one of the following mechanisms
  – Pairwise shared secrets
  – Digital signatures
  – TESLA [5]
• TESLA efficient for resource constrained devices
  – Symmetric cryptography
  – Asymmetry via time
    • Delayed key disclosure
    • Requires loose time synchronization
  – Requires public/private keys for synchronization and key commitment


Ariadne
• Each peer generates a hash key chain
• S0 serves as key commitment
• Messages are signed with key Si in interval ti
• Specific time after interval ti key Si is disclosed
• Messages must be buffered for verification
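The key chain, commitment, buffering and delayed disclosure listed above, as an added Python example (not code from the slides or the SePP project). SHA-256, HMAC-SHA256, the disclosure delay counted in intervals, the clock-skew bound and all names are assumptions; Si is used directly as the MAC key, as the slide states.

```python
import hashlib
import hmac

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def make_chain(seed: bytes, n: int) -> list:
    """Return [S0, S1, ..., Sn] with S(i-1) = H(Si); S0 is the commitment."""
    chain = [H(seed)]                 # Sn, generated first
    for _ in range(n):
        chain.append(H(chain[-1]))    # walk down to S0
    chain.reverse()
    return chain

def key_is_authentic(commitment: bytes, key: bytes, interval: int) -> bool:
    """A disclosed Si is authentic if hashing it i times yields S0."""
    for _ in range(interval):
        key = H(key)
    return hmac.compare_digest(key, commitment)

class Receiver:
    def __init__(self, commitment, interval_len, delay, max_skew):
        self.commitment = commitment
        self.interval_len = interval_len  # seconds per interval ti
        self.delay = delay                # Si is disclosed `delay` intervals after ti
        self.max_skew = max_skew          # loose time synchronization bound
        self.buffer = []                  # (interval, msg, tag) awaiting Si

    def receive(self, msg, tag, interval, now):
        """Buffer only if the sender cannot have disclosed Si yet."""
        latest_sender_interval = int((now + self.max_skew) // self.interval_len)
        if latest_sender_interval >= interval + self.delay:
            return False                  # key may be public: anyone could forge
        self.buffer.append((interval, msg, tag))
        return True

    def disclose(self, key, interval):
        """On key disclosure, return the buffered messages that verify."""
        if not key_is_authentic(self.commitment, key, interval):
            return []
        good = [m for i, m, t in self.buffer
                if i == interval and hmac.compare_digest(mac(key, m), t)]
        self.buffer = [e for e in self.buffer if e[0] != interval]
        return good
```

A message that arrives after its key could already be public is dropped before buffering, which is why loose time synchronization is a requirement and not an optimization.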


Ariadne Route Discovery
Sender computes MAC using the shared key KSD over
– route request, initiator, target,
– id (unique unused value), time interval

A checks if
– Id and initiator of the request isn't already cached
– Key is still not published

Broadcasts the request to his next hops
– Calculates new hash
– Calculates new MAC and adds it

Target verifies the security conditions
– Keys ti are not released yet and therefore secure
– Keys are authentic and MAC is valid

If request is verified constructs reply
– Calculate new MAC using KSD over reply plus route and MAC list
– Send it back to initiator


Ariadne Route Discovery
A checks if
– Id and initiator of the request are already cached
– Key is still not published

Broadcasts the request to his next hops
– Calculates new hash
– Calculates new MAC and adds it to the MAC list


Ariadne Route Discovery
B performs the same actions as A


Ariadne Route Discovery
C again performs the same actions as A and B


Ariadne Route Discovery
Target verifies the security conditions
– Keys ti are not released yet and therefore secure
– Keys are authentic and MAC is valid

If request is verified constructs reply
– Calculate new MAC using KSD over reply plus route and MAC list
– Send it back to initiator


Ariadne Route Discovery
C waits until the end of the time interval
– Attaches key used in request
– Forwards reply to B

Stefan Kraxberger, 12/03/2009, Fourth Review Meeting, Brussels


Ariadne Route Discovery
B performs the same actions as C


Ariadne Route Discovery
A performs the same actions as C and B
S verifies the security conditions
– Keys are valid
– MAC list is valid
– MD is valid

If everything is valid the reply is accepted


Ariadne Route Maintenance
Route Error
– Intermediate node
  • Forwards the packet and searches its route cache for all routes that use <sending address, receiving address>
  • If exists, checks validity of time interval
  • If valid, checks authentication of the Error
  • Until authentication, saves Error info in memory until a key is disclosed and uses routes in route cache
  • If authenticated, removes all such routes


Simple Secure Routing
DSR algorithm adapted for Security Concept
– Allows for 3 different security levels
  1. SL0 = plain DSR
  2. SL1 = DSR + using routing session key
  3. SL2 = SL1 + public/private keys
– Operation modes and work flow are the same as with DSR but
  • Messages adapted
  • Parameters added
  • Additional verifications at the peers introduced

L0 provides no security
L1 assumes all legitimate peers as well behaved
L2 enables detection and countermeasures against misbehaving peers


SSR Route Discovery (SL1)
[Figure: route discovery on an example network of peers 1–8. Records shown: {Ts,1}SK → {Ts,1,2}SK → {Ts,1,2,5}SK → {Ts,1,2,5,7}SK → {Ts,1,2,5,7,8}SK on one branch and {Ts,1}SK → {Ts,1,3}SK → {Ts,1,3,4}SK → {Ts,1,3,4,6}SK on the other.]

SK … Routing session key
{}x … Encrypted with key X
TS … Timestamp


SSR Route Discovery (SL1)
• Secure against unauthorized route modification
• Only peers with authentic session key can take part in the routing process
• Timestamps are used to prevent replay attacks using previously sent route requests and replies.
• Very efficient since only symmetric cryptography is used
• Small overhead to unsecured DSR
• Problem of misbehavior of legitimate peers can't be solved in this security level
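A sketch of the per-hop SL1 checks, added here as an example (not code from the slides or the SePP project). The slides do not name the symmetric primitive, so this sketch authenticates the record {Ts, route} with HMAC-SHA256 under SK as a stand-in; the JSON encoding, the 30-second freshness window and all function names are assumptions.

```python
import hashlib
import hmac
import json

MAX_AGE = 30  # seconds a timestamp stays acceptable (assumed value)

def protect(sk: bytes, ts: int, route: list) -> tuple:
    """Build {Ts, route}SK: the record plus a tag only SK holders can make."""
    body = json.dumps({"ts": ts, "route": route}).encode()
    return body, hmac.new(sk, body, hashlib.sha256).digest()

def open_record(sk: bytes, packet: tuple, now: int):
    """Return (ts, route) if the record is authentic and fresh, else None."""
    body, tag = packet
    expected = hmac.new(sk, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None                       # no SK, or route modified in transit
    rec = json.loads(body)
    if not 0 <= now - rec["ts"] <= MAX_AGE:
        return None                       # replayed or stale request
    return rec["ts"], rec["route"]

def forward(sk: bytes, peer_id: int, packet: tuple, now: int, seen: set):
    """Per-hop handling: verify, drop duplicates, append own id, re-protect."""
    opened = open_record(sk, packet, now)
    if opened is None:
        return None
    ts, route = opened
    if (route[0], ts) in seen or peer_id in route:
        return None                       # duplicate request or routing loop
    seen.add((route[0], ts))
    return protect(sk, ts, route + [peer_id])
```

Every holder of SK can produce a valid record, so these checks say nothing about whether a legitimate peer reported the route honestly; that is the limitation the last bullet above names.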


SSR Route Discovery (SL2)
[Figure: route discovery on an example network of peers 1–8. Records shown: {Ts,1}SK → {Ts,1,2}SK → {Ts,1,2,5}SK → {Ts,1,2,5,7}SK → {Ts,1,2,5,7,8, SS8(R)}SK on one branch and {Ts,1}SK → {Ts,1,3}SK → {Ts,1,3,4}SK → {Ts,1,3,4,5}SK on the other.]

SK … Routing session key
{}x … Encrypted with key X
TS … Timestamp
Sx … Signature with key x
S8 … Private key peer 8


SSR Route Discovery (SL2)
• Initiator sends signed request containing a timestamp
• Intermediate nodes check if route is available and return it to initiator or check if request isn't a duplicate and broadcasts it to its neighbors
• Destination checks the timestamp and signs the route and returns it on the same path
• Every peer checks the timestamp and verifies the signature and if the route is correct
  – The local peer must be in the route
  – The peers before and after the peer must be neighbors


SSR
Enables routing on different security levels
• Resource constrained devices can communicate with powerful devices (SL0, SL1)
• Powerful devices can communicate with maximum security (SL2)
• Powerful devices can participate in all routing activities and provide message forwarding for constrained devices


SePP Merge Protocol
Allows networks with same security status to merge
• Allows self-organization and prevents network separation
  – networks can be separated because bridging peers may not be available
• If a peer discovers another network which has priority (older and equal or bigger) it tries to join it.
• Neighbors of this peer also discover the new network through checking the status of the neighbors
• Security constraints are met since each peer performs join protocol


SePP Neighborhood Protocol
The neighborhood protocol is responsible for obtaining network status information and maintaining the network stability

Common tasks:
• Check neighbor availability periodically (detect network changes)
• Find new neighbors at the local network
• Find neighbors from the member list to reduce maximal route length and thus the network diameter

Small World Problem [7]


References
[1] C. Greg Plaxton, Rajmohan Rajaraman, and Andréa W. Richa, "Accessing nearby copies of replicated objects in a distributed environment", ACM Symposium on Parallel Algorithms and Architectures, 1997, pp. 311-320.
[2] Stefan Kraxberger, Stefan Tillich, Udo Payer, "General Security Concept for Embedded Peer-to-Peer Systems", MIMES Workshop, 2008.
[3] Gavin Lowe, "Breaking and Fixing the Needham-Schroeder Public-Key Protocol Using FDR", Proceedings of the Second International Workshop on Tools and Algorithms for Construction and Analysis of Systems, pp. 147-166, LNCS 1055, 1996.
[4] David B. Johnson, David A. Maltz, and Josh Broch, "DSR: The Dynamic Source Routing Protocol for Multi-Hop Wireless Ad Hoc Networks", in Ad Hoc Networking, edited by Charles E. Perkins, Chapter 5, pp. 139-172, Addison-Wesley, 2001.
[5] A. Perrig, R. Canetti, J. D. Tygar, and D. Song, "The TESLA Broadcast Authentication Protocol", RSA CryptoBytes, 5, 2002.
[6] Y. Hu, A. Perrig, and D. B. Johnson, "Ariadne: A secure on-demand routing protocol for ad hoc networks", in Proceedings of ACM MOBICOM'02, Atlanta, Georgia, USA, 2002.
[7] Stanley Milgram, "The Small World Problem", in Psychology Today, pp. 60–67, 1967.
