Securing Key Issuing in Peer-to-Peer Networks Cong Tang, Ruichuan Chen, Zhuhua Cai, Anmin Xie, Jianbin Hu ∗, Liyong Tang, Zhong Chen School of EECS, Peking University, China Key Lab of High Confidence Software Technologies, Ministry of Education, China {tangcong, chenrc, caizh, xieam, hjbin, tly, chen}@infosec.pku.edu.cn

1.

INTRODUCTION

Compared with the public key infrastructure (PKI) technique, identity based cryptography (IBC) can simplify the key management process in peer-to-peer (P2P) networks significantly. The identity of a peer (e.g., peer identifier or peer geometric coordinate) in P2P overlay networks is used to create its public key, thus avoiding the use of any certificates. These IBC-based systems are scalable, simple to administer, and each user can carry out anytime/anywhere encryption, establish secure communication channels, prove its identity to other nodes, verify protected messages and produce a form of signature with non-repudiation properties. So far, several studies have focused on introducing IBC into P2P security applications, but the proposed schemes suffered from attacks against key issuing phase. In real-world P2P networks, it is important to keep in secret whether the private key corresponding to a certain identity has been requested. Hence, it is important to have an anonymous key issuing scheme without secure channels. In our paper, we present a security scheme for P2P networks with a secure key issuing protocol.

2.

DESIGN RATIONALE

We propose our security scheme in the following three sections: peer registration, secure key issuing and system maintenance. The remainder of this section adopts the notation described in Table 1.

2.1

Terminology and assumptions

We present the entities involved and the security assumptions for the proposed scheme in this section. KGC: There is a trusted core node which acts as KGC at the center of the system, which provides peer registration and key issuing service. We assume that it has been highly fault tolerant and always available. KPA: n nodes are selected as Key Privacy Authorities (KPAs) in order to provide the key privacy service in the key issuing phase, which are not required to be as reliable as KGC. ∗

Corresponding author.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. SAC’09 March 8-12, 2009, Honolulu, Hawaii, U.S.A. Copyright 2009 ACM 978-1-60558-166-8/09/03 ...$5.00.

IDA KA N P roofA · SS(x, k) {X}KA P KA (ID)

Table 1: Notation Peer A’s identity (ID) Peer A’s private key Random nonce Peer A’s proof of the registration Concatenation Secret share of secret x in Shamir’s (k, n) threshold secret sharing scheme A string X signed by peer A Partial key of peer ID issued by A

Peer: A peer is an ordinary node in P2P networks, which is vulnerable to all kinds of attacks. There are three attacks we design the security scheme to defend against: Insider attack: In real-world P2P networks, malicious attackers can potentially compromise some of KPAs to perform insider attacks. The framework must be able to withstand these attacks, in which a minority of KPAs have been compromised by attackers. Collusion attack: An adversary can launch a collusion attack by compromising many paths between KPAs and the requesting peer, then compute peer’s ID and the proof of registration. DoS attack: Malicious peers in P2P network can simply drop the messages between KPAs and the requesting peer, which makes the requesting peer difficult to collect sufficient secret shares. This can be considered as a DoS attack.

2.2

Peer registration

Before joining the network, a peer A should get registered to the KGC at first. We adopt Shamir’s (k, n) threshold secret sharing scheme [3] to secure this process. The protocol is described as follows: Step1: A → KGC: N Step2: KGC → KP A : SS(IDA · P roofA , k), N Step3: KP A → A : SS(IDA · P roofA , k), N Request: When the peer A wishes to join the network, it must first get registered from KGC by sending a request to KGC. Distribution: After KGC receives the request, it generates IDA and P roofA for A. In particular, P roofA can be a keyed message authentication code of IDA . After that, KGC divides IDA and P roofA into n secret shares using Shamir’s (k, n) threshold secret sharing scheme. Then KGC distributes those n secret shares to n KPAs respectively. Reconstruction: After receiving the secret shares from KGC, KPAs send them to A. After A gets at least k different secret shares, IDA and P roofA can be reconstructed. If the peer does not get sufficient secret shares, it may run the peer registration protocol

end of this stage, each RG member Pi obtains a partial key from KP Ai .

again later.

2.3

Secure key issuing

We present a protocol which utilizes IBC secure key issuing schemes [2] and our scheme can easily be extended to other schemes that use one KGC and multiple KPAs. Step1: A → KGC: Request, IDA , P roofA , N Step2: KGC → A : Partial key from KGC, N Step3: A → KP A : Request, IDA , P roofA , N Step4: KP A → A : Partial key from KPA, N System setup: KGC selects its private key and specifies the system parameters. KPAs collaboratively run a key generation and distribution protocol and share a secret s such that any k KPAs can construct it with their own secret shares. Peer registration: As the system setup process is updated, in the peer registration process, IDA and P roofA are generated in a new way, but we can still utilize the protocol described in Section 2.2 to secure this process. Request: A sends a request with its proof of registration as well as a nonce N to KGC to obtain the partial private key; KGC response: On receiving A’s request, KGC checks the proof to verify whether A has been registered or not, if the result is positive, KGC responses with a partial private key; Blind KPA request: After receiving the partial private key from KGC, A randomly selects some KPAs and requests them in parallel to provide key privacy service by sending a request; KPA response: Each KPA authenticates A and issues a partial private key to it; Key retrieval: On receiving all the partial private keys, the peer combines them and then unblinds the resulting value to produce the private key;

2.4

System Maintenance

In real-world P2P networks, KPAs may also be malicious with relatively low probability and may be potentially compromised to perform insider attacks. We adopt a scalable Byzantine fault tolerant authentication scheme [1] to address this problem. KGC dynamically maintains a relay group (RG) to perform distributed challenge-response authentication. RG members are randomly selected in the setup phase, thus only a limited number of RG members can, with high probability, be compromised by manin-the-middle attacks. Our KPA authentication scheme, as described formally below, can be executed in three steps: claim announcement, distributed authentication and result generation. Step1: KGC → Pi : {IDi , P KKGC (IDi )}KKGC Step2.1: Pi → KP A : IDi , P KKGC (IDi ) Step2.2: KP A → Pi : {P KKP A (IDi )}KKP A Step3: Pi → KGC : {{P KKP A (IDi )}KKP A }KPi 1. Claim announcement: When the authentication process begins, KGC announces the claim to all its RG members and asks them to verify if KP Ai indeed possesses the secret si , which is generated in the system setup phase. KGC sends to RG member Pi a randomly selected peer’s ID IDi and its partial key from KGC. 2. Distributed authentication: According to the received peer’s ID IDi , each RG member Pi independently challenges KP Ai by sending a request that simulates the secure key issuing phase. KP Ai has the capacity of generating the corresponding partial key if and only if it holds the corresponding secret si . Afterwards, KP Ai returns the partial key to Pi . At the

3. Result generation: Each RG member Pi responds to KGCs authentication request (issued in the stage of claim announcement) with its partial key from KP Ai . Afterwards, KGC can verify these received partial keys by checking the equation described in [2]. If at least b N 3−1 c+1 partial keys can be successfully verified, KP Ai indeed possesses the secret si ; otherwise, KP Ai is not the genuine owner of si , and should be removed from the set of KPAs. Here, N denotes the total number of peers contained in KGC’s RG. After these authentication and removing operations, the number of KPAs may fall below a threshold which is minimum number of KPAs system possesses, thus we should utilize KGC’s RG to find new authenticated KPAs until the threshold is satisfied. We utilize client puzzle to verify KPA candidates. A peer wishing to be a KPA is challenged by the RG members. KPA candidates completing the puzzles of all RG members are accepted as a new KPA. The KPA addition scheme can also be executed in three steps: claim announcement, distributed authentication and result generation. Further, to guarantee the authentication correctness, we integrate a complementary relay group maintenance scheme, more details can be found in [1].

3.

ANALYSIS AND EVALUATION

We propose our scheme to address the inside attacks in Section 2.4, now we show how to adjust the threshold of the peer registration scheme to prevent the system from collusion attacks and DoS attacks. In a P2P network with n KPAs and average lookup path length L, let p denotes the fraction of malicious peers, k denotes the threshold of the peer registration scheme, to protect the scheme against the collusion attacks and DoS attacks, the value of k should satisfy the following inequality: n(1 − (1 − p)L ) < k < n(1 − p)L . We simulate a network consisting of 10000 peers organized by the Kademlia overlay. We add a number of malicious peers to the network such that malicious peers make up between 0% and 50% of all peers in the network. Considering the worst case, we assume each malicious peer can compromise all the paths between the registering peer and the KPA it is evolved into. We run experiments for each fraction of malicious peers in steps of 1%. The experimental result shows that our theoretical analysis result is quite fairly in agreement with the experimental data. We also find out that the user scale of our scheme can be very large according to our simulation results. A KGC can provide services that respond to each request in 1 second to about 106 peers if each peer request for its private key once per hour under a uniform distribution. In practice, the frequency of a peer request for its private key is much lower, so the KGC is able to support larger scale peers. Since the computation time that KGC and KPAs cost is short in a key issuing process, and a peer can communicate with KPAs in parallel, our key issuing scheme is effective and efficient.

4.

REFERENCES

[1] R. Chen, W. Guo, L. Tang, J. Hu, and Z. Chen. Scalable byzantine fault tolerant public key authentication for peer-to-peer networks. In Euro-Par, 2008. [2] A. Saxena. Threshold ski protocol for id-based cryptosystems. In IAS, pages 65–70, 2007. [3] A. Shamir. How to share a secret. Commun. ACM, 22(11):612–613, 1979.