On the Power of Impersonation Attacks Michael Okun Weizmann Institute of Science [email protected]

Background. In the standard message passing models it is assumed that the identity of a sender is known to the receiver. In practice, this often is not the case, due to impersonation attacks by malicious adversaries. Various impersonation attack schemes have been extensively investigated in the context of network security or cryptography, in particular for peep-to-peer and sensor networks [4,5]. Here, we study this problem in the context of distributed computing theory. Consider a set of n processors, p1 , ..., pn , communicating by means of pointto-point message passing between every pair of processors. Assume that the message sender is identified by including its id in the message. For simplicity the communication is assumed to be synchronous. The adversary is an external entity capable of injecting messages with arbitrary content into the network (but it is incapable of preventing the processors from receiving each other’s messages). The ids of the processors are assumed to be fixed and known a priori, thus injecting messages that impersonate the real processors is the only way by which the adversary can interfere with the computation. Adversarial behavior of this kind is known as stolen identities Sybil attack [4,5]. For the purpose of formal analysis, the strength of the adversary is quantified by the number of messages it is able to send to each processor in every round. A k-adversary can generate up to k messages for every processor, so that a processor can receive up to n+k messages in a round, instead of just n correct messages. This formulation includes the particular cases of an adversary that in every round can impersonate some specific k processors, or of a system with n + k processors, k of which are Byzantine, capable of sending messages with arbitrary ids and content. When a processor receives several messages tagged by pi , it might be impossible to know which one of them is correct, in which case it is reasonable to drop these messages altogether. If all the messages having a ”fake twin” are handled this way, we end up with a synchronous mobile failures model [7] in which the number of transmission failures with respect to every receiver is bounded by k. This is known to be equivalent to the standard asynchronous crash failure model [6]. The opposite direction, however, is not true - the k-adversary model is strictly stronger than the asynchronous model with k failures, because all the messages sent in every round by the processors are received. For example, in the impersonation model each processor is able to compute (in a single round) an upper bound on the input values of all the processors, which is impossible in the asynchronous case even with a single failure. Thus the question of the relative power of the impersonation model remains. 

This research was partially supported by Sir Charles Clore fellowship and the Ministry of Defence.

A. Pelc (Ed.): DISC 2007, LNCS 4731, pp. 494–495, 2007. c Springer-Verlag Berlin Heidelberg 2007 

On the Power of Impersonation Attacks

495

Results. To answer the above question we have considered the k-set agreement problem (and consensus in particular) and the renaming problem in the impersonation model. There exists a simple bivalency proof, similar to [1], which shows that deterministic consensus is impossible even in the presence of 1-adversary. For the k-set agreement problem, there exists an algorithm in the presence of (k − 1)adversary, but no deterministic algorithm resilient against a k-adversary. The proof of the latter result uses the combinatorial topology machinery from [3]. For the renaming problem1 there exists a simple order-preserving algorithm resilient against a k-adversary, that has a target namespace of size n + k, which is optimal. In the asynchronous case, the minimum possible size of the target namespace of any order-preserving algorithm resilient to t failures is 2t (n − t + 1) − 1 [2]. Whereas for asynchronous order-preserving renaming, the large target namespace is a result of complete uncertainty about the input values of some processors, in the impersonation model this uncertainty is reduced (eventually the input of each processor is known to belong to a small set of possible values), and as a result the size of the target namespace is significantly smaller. In summary, our results show that the effects of an impersonation attack, mobile failures and the loss of synchrony are very much alike. The subtle difference in the computational power of the models is not evident for k-set agreement. On the other hand, renaming, which is the easier among the coordination problems, reveals that the models are not equivalent.

References 1. Aguilera, M.K., Toueg, S.: Simple Bivalency Proof that t-Resilient Consensus Requires t + 1 Rounds. Inf. Proc. Lett. 71(3-4), 155–158 (1999) 2. Attiya, H., Bar-Noy, A., Dolev, D., Peleg, D., Reischuk, R.: Renaming in an Asynchronous Environment. J. ACM 37(3), 524–548 (1990) 3. Chaudhuri, S., Herlihy, M., Lynch, N.A., Tuttle, M.R.: Tight Bounds for k-set Agreement. J. ACM 47(5), 912–943 (2000) 4. Douceur, J.R.: The Sybil Attack. In: Druschel, P., Kaashoek, M.F., Rowstron, A. (eds.) IPTPS 2002. LNCS, vol. 2429, pp. 251–260. Springer, Heidelberg (2002) 5. Newsome, J., Shi, E., Song, D.X., Perrig, A.: The Sybil Attack in Sensor Networks: Analysis & Defenses. In: Proc. 3rd International Symposium on Information Processing in Sensor Networks (IPSN), pp. 259–268 (2004) 6. Raynal, M., Roy, M.: A Note on a Simple Equivalence between Round-based Synchronous and Asynchronous Models. In: Proc. 11th IEEE Pacific Rim International Symposium on Dependable Computing (PRDC), pp. 387–392 (2005) 7. Santoro, N., Widmayer, P.: Time is Not a Healer. In: Cori, R., Monien, B. (eds.) STACS 89. LNCS, vol. 349, pp. 304–313. Springer, Heidelberg (1989)

1

To avoid a trivial solution, processor ids can be considered as entities that can be tested for equality but not compared, while renaming has to be performed using a unique private input provided to each processor.

LNCS 4731 - On the Power of Impersonation Attacks - Springer Link

security or cryptography, in particular for peep-to-peer and sensor networks [4,5]. ... entity capable of injecting messages with arbitrary content into the network.

73KB Sizes 3 Downloads 291 Views

Recommend Documents

LNCS 6683 - On the Neutrality of Flowshop Scheduling ... - Springer Link
Scheduling problems form one of the most important class of combinatorial op- .... Illustration of the insertion neighborhood operator for the FSP. The job located.

LNCS 6942 - On the Configuration-LP for Scheduling ... - Springer Link
insights on two key weaknesses of the configuration-LP. For the objective of maximizing the minimum machine load in the unrelated graph balancing setting ...... length. European Journal of Operational Research 156, 261–266 (2004). 19. Scheithauer,

LNCS 4261 - Image Annotations Based on Semi ... - Springer Link
MOE-Microsoft Key Laboratory of Multimedia Computing and Communication ..... of possible research include the use of captions in the World Wide Web. ... the Seventeenth International Conference on Machine Learning, 2000, 1103~1110.

LNCS 3352 - On Session Identifiers in Provably Secure ... - Springer Link
a responding server process in network service protocol architecture [23]. A ... 3. proposal of an improved 3PKD protocol with a proof of security using a.

LNCS 4261 - Image Annotations Based on Semi ... - Springer Link
Keywords: image annotation, semi-supervised clustering, soft constraints, semantic distance. 1 Introduction ..... Toronto, Canada: ACM Press, 2003. 119~126P ...

LNCS 6361 - Automatic Segmentation and ... - Springer Link
School of Eng. and Computer Science, Hebrew University of Jerusalem, Israel. 2 ... OPG boundary surface distance error of 0.73mm and mean volume over- ... components classification methods are based on learning the grey-level range.

LNCS 4191 - Registration of Microscopic Iris Image ... - Springer Link
Casey Eye Institute, Oregon Health and Science University, USA. {xubosong .... sity variance in element m, and I is the identity matrix. This is equivalent to.

LNCS 650 - Emergence of Complexity in Financial ... - Springer Link
We start with the network of boards and directors, a complex network in finance which is also a social ... from the board of Chase Manhattan Bank. Boards of ...

LNCS 2747 - A Completeness Property of Wilke's Tree ... - Springer Link
Turku Center for Computer Science. Lemminkäisenkatu 14 ... The syntactic tree algebra congruence relation of a tree language is defined in a natural way (see ...

LNCS 6621 - GP-Based Electricity Price Forecasting - Springer Link
learning set used in [14,9] at the beginning of the simulation and then we leave ..... 1 hour on a single core notebook (2 GHz), with 2GB RAM; the variable ...

LNCS 7335 - Usage Pattern-Based Prefetching: Quick ... - Springer Link
Oct 8, 2010 - The proposed scheme is implemented on both Android 2.2 and Linux kernel 2.6.29. ... solution for reducing page faults [1, 2, 3, 10]. The number ...

LNCS 6719 - Multiple People Activity Recognition ... - Springer Link
Keywords: Multiple Hypothesis Tracking, Dynamic Bayesian Network, .... shared space and doing some basic activities such as answering phone, using.

LNCS 3174 - Multi-stage Neural Networks for Channel ... - Springer Link
H.-S. Lee, D.-W. Lee, and J. Lee. In this paper, we propose a novel multi-stage algorithm to find a conflict-free frequency assignment with the minimum number of total frequencies. In the first stage, a good initial assignment is found by using a so-

LNCS 4325 - An Integrated Self-deployment and ... - Springer Link
The VFSD is run only by NR-nodes at the beginning of the iteration. Through the VFSD ..... This mutual effect leads to Ni's unpredictable migration itinerary. Node Ni stops moving ... An illustration of how the ZONER works. The execution of the ...

LNCS 4233 - Fast Learning for Statistical Face Detection - Springer Link
Department of Computer Science and Engineering, Shanghai Jiao Tong University,. 1954 Hua Shan Road, Shanghai ... SNoW (sparse network of winnows) face detection system by Yang et al. [20] is a sparse network of linear ..... International Journal of C

LNCS 3973 - Local Volatility Function Approximation ... - Springer Link
S&P 500 call option market data to illustrate a local volatility surface estimated ... One practical solution for the volatility smile is the constant implied volatility approach .... Eq. (4) into Eq. (2) makes us to rewrite ˆσRBF (w; K, T) as ˆσ

LNCS 6621 - GP-Based Electricity Price Forecasting - Springer Link
real-world dataset by means of a number of different methods, each cal- .... one, that we call GP-baseline, in which the terminal set consists of the same variables ...

LNCS 7601 - Optimal Medial Surface Generation for ... - Springer Link
parenchyma of organs, and their internal vascular system, powerful sources of ... but the ridges of the distance map have show superior power to identify medial.

LNCS 6622 - NILS: A Neutrality-Based Iterated Local ... - Springer Link
a new configuration that yields the best possible fitness value. Given that the .... The neutral degree of a given solution is the number of neutral solutions in its ...

LNCS 4258 - Privacy for Public Transportation - Springer Link
Public transportation ticketing systems must be able to handle large volumes ... achieved in which systems may be designed to permit gathering of useful business ... higher powered embedded computing devices (HPDs), such as cell phones or ... embedde

LNCS 7575 - Multi-component Models for Object ... - Springer Link
visual clusters from the data that are tight in appearance and configura- tion spaces .... Finally, a non-maximum suppression is applied to generate final detection ...