On the Power of Impersonation Attacks Michael Okun Weizmann Institute of Science
[email protected]
Background. In the standard message passing models it is assumed that the identity of a sender is known to the receiver. In practice, this often is not the case, due to impersonation attacks by malicious adversaries. Various impersonation attack schemes have been extensively investigated in the context of network security or cryptography, in particular for peep-to-peer and sensor networks [4,5]. Here, we study this problem in the context of distributed computing theory. Consider a set of n processors, p1 , ..., pn , communicating by means of pointto-point message passing between every pair of processors. Assume that the message sender is identified by including its id in the message. For simplicity the communication is assumed to be synchronous. The adversary is an external entity capable of injecting messages with arbitrary content into the network (but it is incapable of preventing the processors from receiving each other’s messages). The ids of the processors are assumed to be fixed and known a priori, thus injecting messages that impersonate the real processors is the only way by which the adversary can interfere with the computation. Adversarial behavior of this kind is known as stolen identities Sybil attack [4,5]. For the purpose of formal analysis, the strength of the adversary is quantified by the number of messages it is able to send to each processor in every round. A k-adversary can generate up to k messages for every processor, so that a processor can receive up to n+k messages in a round, instead of just n correct messages. This formulation includes the particular cases of an adversary that in every round can impersonate some specific k processors, or of a system with n + k processors, k of which are Byzantine, capable of sending messages with arbitrary ids and content. When a processor receives several messages tagged by pi , it might be impossible to know which one of them is correct, in which case it is reasonable to drop these messages altogether. If all the messages having a ”fake twin” are handled this way, we end up with a synchronous mobile failures model [7] in which the number of transmission failures with respect to every receiver is bounded by k. This is known to be equivalent to the standard asynchronous crash failure model [6]. The opposite direction, however, is not true - the k-adversary model is strictly stronger than the asynchronous model with k failures, because all the messages sent in every round by the processors are received. For example, in the impersonation model each processor is able to compute (in a single round) an upper bound on the input values of all the processors, which is impossible in the asynchronous case even with a single failure. Thus the question of the relative power of the impersonation model remains.
This research was partially supported by Sir Charles Clore fellowship and the Ministry of Defence.
A. Pelc (Ed.): DISC 2007, LNCS 4731, pp. 494–495, 2007. c Springer-Verlag Berlin Heidelberg 2007
On the Power of Impersonation Attacks
495
Results. To answer the above question we have considered the k-set agreement problem (and consensus in particular) and the renaming problem in the impersonation model. There exists a simple bivalency proof, similar to [1], which shows that deterministic consensus is impossible even in the presence of 1-adversary. For the k-set agreement problem, there exists an algorithm in the presence of (k − 1)adversary, but no deterministic algorithm resilient against a k-adversary. The proof of the latter result uses the combinatorial topology machinery from [3]. For the renaming problem1 there exists a simple order-preserving algorithm resilient against a k-adversary, that has a target namespace of size n + k, which is optimal. In the asynchronous case, the minimum possible size of the target namespace of any order-preserving algorithm resilient to t failures is 2t (n − t + 1) − 1 [2]. Whereas for asynchronous order-preserving renaming, the large target namespace is a result of complete uncertainty about the input values of some processors, in the impersonation model this uncertainty is reduced (eventually the input of each processor is known to belong to a small set of possible values), and as a result the size of the target namespace is significantly smaller. In summary, our results show that the effects of an impersonation attack, mobile failures and the loss of synchrony are very much alike. The subtle difference in the computational power of the models is not evident for k-set agreement. On the other hand, renaming, which is the easier among the coordination problems, reveals that the models are not equivalent.
References 1. Aguilera, M.K., Toueg, S.: Simple Bivalency Proof that t-Resilient Consensus Requires t + 1 Rounds. Inf. Proc. Lett. 71(3-4), 155–158 (1999) 2. Attiya, H., Bar-Noy, A., Dolev, D., Peleg, D., Reischuk, R.: Renaming in an Asynchronous Environment. J. ACM 37(3), 524–548 (1990) 3. Chaudhuri, S., Herlihy, M., Lynch, N.A., Tuttle, M.R.: Tight Bounds for k-set Agreement. J. ACM 47(5), 912–943 (2000) 4. Douceur, J.R.: The Sybil Attack. In: Druschel, P., Kaashoek, M.F., Rowstron, A. (eds.) IPTPS 2002. LNCS, vol. 2429, pp. 251–260. Springer, Heidelberg (2002) 5. Newsome, J., Shi, E., Song, D.X., Perrig, A.: The Sybil Attack in Sensor Networks: Analysis & Defenses. In: Proc. 3rd International Symposium on Information Processing in Sensor Networks (IPSN), pp. 259–268 (2004) 6. Raynal, M., Roy, M.: A Note on a Simple Equivalence between Round-based Synchronous and Asynchronous Models. In: Proc. 11th IEEE Pacific Rim International Symposium on Dependable Computing (PRDC), pp. 387–392 (2005) 7. Santoro, N., Widmayer, P.: Time is Not a Healer. In: Cori, R., Monien, B. (eds.) STACS 89. LNCS, vol. 349, pp. 304–313. Springer, Heidelberg (1989)
1
To avoid a trivial solution, processor ids can be considered as entities that can be tested for equality but not compared, while renaming has to be performed using a unique private input provided to each processor.