Secure P2P Framework Overview

This document discusses a secure peer-to-peer networking framework. It describes the motivation for the framework and security requirements like peer authentication. It outlines the security concept with different levels to address these requirements. Key protocols in the framework are described like the join protocol. The process for a peer to start and join the network is also summarized, including creating a new network if no existing suitable one is found.
Institute for Applied Information Processing and Communications

Secure Peer-to-Peer Framework

https://sourceforge.net/projects/securep2p
Stefan Kraxberger

Stefan Kraxberger Secure P2P Framework



Overview

Motivation
P2P Networking
Requirements for Secure P2P
Security Concept
SePP Security Protocols
Current Work & Open Issues


P2P Networking

Structured and unstructured P2P systems

• Structured systems are based on an idea from Plaxton [1]: „how to organize data in a distributed environment to find it efficiently and provide redundancy“
• Unstructured systems can be divided further into
  • Pure (Gnutella 0.4)
  • Centralized (Napster)
  • Hybrid (JXTA)


Other Classes

P2P systems can also be classified by other means:
• performance & resources
• underlying physical network
• mobility patterns
• organization & determinism

SePP is a pure self-organizing heterogeneous P2P system


Security Requirements

1. Peer ID Generation and Assignment
  – IDs must be unique and undeniable
2. Authentication and Authorization
  – How peers must join the network
3. Route Establishment and Maintenance
  – How to find routes and maintain them
4. Message Transport
  – How to authenticate messages
5. Key Protection
  – How to ensure the integrity and secrecy of the used keys
6. Protection against Attacks
  – How to detect and/or prevent attacks (insider and outsider)

Security Concept [2]

Security concept with different levels to address points 1-5
• Protection against Attacks is treated as added value

• Admission security (IDs, Authentication, Routing)
• Data security (Message Transport)
• Session key protection (Key Protection)


SePP Security Protocols

SePP Join Protocol
SePP Routing Protocol
SePP Merge Protocol
SePP Neighborhood Protocol


Peer Start

After a peer starts, the following steps are performed:
1. Obtain the peers specified as neighbors from the configuration
2. Start low-level communication services
3. Register components for receiving and sending
4. Start join process (SePP Join Process)
5. Inform API about result


SePP Join Process

The join process consists of the following steps:
1. Find and select network
2. Find peer in the selected network with direct connection (neighbor)
3. Execute join protocol
4. Return result and update network status

If no network could be found, a new one will be created
– The same process is executed in every peer which has not found any existing suitable network

If more than one network has been found, one is selected
– Based on the amount of members and the creation time


Network Creation

Requirements for a SMEPP network
• Peers can join in arbitrary numbers
• Peers can join any number of times
• Networks with same security status can merge
• Peers can switch between different networks
• Ordering between similar networks
• Networks with different routing schemes


Network Creation

Parameters which enforce the requirements
– Network id
  • Random number obtained at network creation
– Network routing algorithm
  • Algorithm specified in the configuration
– Network routing key
  • Session key created at network creation depending on the
– Network creation time
  • Time stored at network creation
– Network members (provides indirect network size)
  • Distributed parameter which is updated periodically
– Network neighbors
  • Specified for each peer to find existing network instance


Find Network

Broadcast a NetworkRequest to the local network and the peers specified in the configuration
Collect NetworkResponses
After a specified amount of time, select the best network
– Suitable network with most peers
– or, if equal, the one which was created first
Obtain peer of selected network to which we have a direct connection
Start join protocol with selected peer


SePP Join Protocol

Needham-Schroeder-Lowe protocol
– Mutual entity authentication
– Key authentication
– Key transport (modified version)

If successful, the protocol guarantees
– Peer has verified the authenticity of the SePP network
– New peer is verified and authenticated to the SePP network
– Peer has obtained the authentic current routing session key


Needham-Schroeder-Lowe [3]

Protocol steps
1. A → B : Request public key
2. B → A : PK(B)
   A verifies certificate and identity of B
3. A → B : {Na,A}PK(B)
4. B → A : Request public key
5. A → B : PK(A)
   B verifies certificate and identity of A
6. B → A : {Na,Nb,B}PK(A)
   A knows about identity of B
7. A → B : {Nb}PK(B)
   B knows about identity of A
8. B → A : {Na,Nb,KSMEPP}PK(A)

Na, Nb … Random numbers    PK(A), PK(B) … Public keys of A and B
A, B … Identity (peerId)    KSMEPP … SMEPP routing session key
Ts … Timestamp (session key time)

SePP Routing Protocols

DSR (Dynamic Source Routing)
Ariadne (Secure on-demand routing protocol for ad hoc networks)
SSR (Simple Secure Routing based on Security Concept)
AODV (Ad hoc On-demand Distance Vector)
OLSR (Optimized Link State Routing)


Dynamic Source Routing [4]

The sender of a packet specifies the complete sequence of nodes through which to forward the packet
Dynamically determines a route based on
– Cached information
– The result of a route discovery
The advantages of DSR
– No periodic routing advertisement messages
  • bandwidth, battery power
– Doesn't require transmissions between hosts to work bidirectionally
– Able to adapt quickly to changes


Dynamic Source Routing

Two basic operation modes
• Route Discovery
• Route Maintenance
The sender constructs a source route in the packet's header
If the receiver is the destination host, it sends a route reply; otherwise it forwards the packet
Each host maintains a route cache
If no route cache entry is found, use route discovery
Hosts monitor the operation of the route and use route maintenance


Route Discovery

(Figure: DSR route discovery example. Node 1 floods a route request; each forwarding node appends itself, so the request grows 1,2 → 1,2,5 → 1,2,5,7 → 1,2,5,7,8 along one branch and 1,3 → 1,3,4 → 1,3,4,6 along the other; the reply carries the complete source route 1,2,5,7,8 back to node 1.)

Route Maintenance

(Figure: DSR route maintenance example. The link between nodes 2 and 5 on the source route 1,2,5,7,8 breaks and a route error RERR (2,5) is reported; an alternative route 1,10,11,13 is shown.)

Ariadne [6]

Based on DSR but adds security against well-known attacks
Uses either one of the following mechanisms
– Pairwise shared secrets
– Digital signatures
– TESLA [5]
TESLA is efficient for resource-constrained devices
– Symmetric cryptography
– Asymmetry via time
  • Delayed key disclosure
  • Requires loose time synchronization
– Requires public/private keys for synchronization and key commitment


Ariadne

Each peer generates a hash key chain
S0 serves as key commitment
Messages are authenticated with key Si in interval ti
A specific time after interval ti, key Si is disclosed
Messages must be buffered for verification
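The TESLA key-chain mechanics described above, as an added example in Python (not code from the slides or the SePP project): a one-way chain committed by S0, per-interval MAC keys, the receiver's buffering, and the "key not yet disclosed" condition that decides whether a message is worth buffering at all. The disclosure delay of two intervals, the chain length and HMAC-SHA256 as MAC are assumptions.

```python
import hashlib
import hmac

# Assumption (not from the slides): key S_i used in interval t_i is disclosed
# DISCLOSURE_DELAY intervals later.
DISCLOSURE_DELAY = 2


def generate_key_chain(seed, n):
    """One-way chain S_n ... S_0 with S_{i-1} = H(S_i). chain[i] is the key for
    interval t_i; chain[0] is the commitment S0 each peer distributes authentically."""
    chain = [hashlib.sha256(seed).digest()]
    for _ in range(n):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain[::-1]


def mac(key, message):
    # TESLA authenticates with MACs; HMAC-SHA256 is assumed here.
    return hmac.new(key, message, hashlib.sha256).digest()


def key_is_disclosed(key_interval, now):
    """Security condition checked on receipt: the key behind a MAC must not be public yet."""
    return now >= key_interval + DISCLOSURE_DELAY


def key_matches_commitment(commitment, key, interval):
    """Authenticate a disclosed S_i by hashing it down i steps to S0."""
    for _ in range(interval):
        key = hashlib.sha256(key).digest()
    return hmac.compare_digest(key, commitment)


class Receiver:
    def __init__(self, commitment):
        self.commitment = commitment
        self.pending = []   # (interval, message, mac) buffered until the key is disclosed
        self.verified = []

    def receive(self, interval, message, tag, now):
        """Buffer the message, or drop it if S_interval may already be public
        (then anyone could have produced the MAC)."""
        if key_is_disclosed(interval, now):
            return False
        self.pending.append((interval, message, tag))
        return True

    def disclose(self, interval, key):
        """Verify a disclosed key against the chain, then verify the buffered
        messages of that interval. Returns how many were authenticated."""
        if not key_matches_commitment(self.commitment, key, interval):
            return 0
        matching = [p for p in self.pending if p[0] == interval]
        self.pending = [p for p in self.pending if p[0] != interval]
        good = [m for (_, m, t) in matching if hmac.compare_digest(mac(key, m), t)]
        self.verified.extend(good)
        return len(good)
```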


Ariadne Route Discovery

Sender computes a MAC using the shared key KSD over
– route request, initiator, target
– id (unique unused value), time interval
and broadcasts the request.

Each intermediate node (A, then B, then C) performs the same actions:
– checks that the id and initiator of the request aren't already cached
– checks that its key is still not published
– calculates the new hash
– calculates a new MAC and adds it to the MAC list
– broadcasts the request to its next hops

Target verifies the security conditions
– Keys ti are not released yet and therefore secure
– Keys are authentic and MAC is valid
If the request is verified, the target constructs the reply
– Calculate new MAC using KSD over reply plus route and MAC list
– Send it back to initiator

On the way back, C, then B, then A each wait until the end of the time interval
– Attach the key used in the request
– Forward the reply to the previous hop

S verifies the security conditions
– Keys are valid
– MAC list is valid
– MD is valid
If everything is valid the reply is accepted

Stefan Kraxberger, Fourth Review Meeting, Brussels, 12/03/2009, Secure P2P Framework


Ariadne Route Maintenance

Route Error
– <Route Error, initiator, target, time interval, error MAC, recent TESLA key>
– Intermediate node
  • Forwards the packet and searches its route cache for all routes that use <sending address, receiving address>
  • If such routes exist, checks validity of the time interval
  • If valid, checks authentication of the Error
  • Until authenticated, saves the Error info in memory until a key is disclosed and keeps using the routes in the route cache
  • If authenticated, removes all such routes


Simple Secure Routing

DSR algorithm adapted for the Security Concept
– Allows for 3 different security levels
  1. SL0 = plain DSR
  2. SL1 = DSR + using routing session key
  3. SL2 = SL1 + public/private keys
– Operation modes and work flow are the same as with DSR but
  • Messages adapted
  • Parameters added
  • Additional verifications at the peers introduced

SL0 provides no security
SL1 assumes all legitimate peers are well behaved
SL2 enables detection and countermeasures against misbehaving peers

SSR Route Discovery (SL1)

(Figure: SSR route discovery at SL1 on the DSR example topology. Every request carries the timestamp and the accumulated route under the session key: {Ts,1}SK → {Ts,1,2}SK → {Ts,1,2,5}SK → {Ts,1,2,5,7}SK → {Ts,1,2,5,7,8}SK on one branch, {Ts,1,3}SK → {Ts,1,3,4}SK → {Ts,1,3,4,6}SK on the other; the reply {Ts,1,2,5,7,8}SK returns to node 1.)

SK … Routing session key    Ts … Timestamp
{}x … Encrypted with key x


SSR Route Discovery (SL1)

Secure against unauthorized route modification
Only peers with the authentic session key can take part in the routing process
Timestamps are used to prevent replay attacks using previously sent route requests and replies
Very efficient since only symmetric cryptography is used
Small overhead compared to unsecured DSR
The problem of misbehavior of legitimate peers can't be solved in this security level


SSR Route Discovery (SL2)

(Figure: SSR route discovery at SL2 on the same topology. Requests carry {Ts, route}SK as at SL1: {Ts,1}SK → {Ts,1,2}SK → {Ts,1,2,5}SK → {Ts,1,2,5,7}SK on one branch, {Ts,1,3}SK → {Ts,1,3,4}SK → {Ts,1,3,4,5}SK on the other; the destination 8 signs the route and the reply {Ts,1,2,5,7,8, SS8(R)}SK is returned along the same path.)

SK … Routing session key    Ts … Timestamp    S8 … Private key of peer 8
{}x … Encrypted with key x    Sx … Signature with key x


SSR Route Discovery (SL2)

Initiator sends a signed request containing a timestamp
Intermediate nodes check whether a route is available and return it to the initiator, or check that the request isn't a duplicate and broadcast it to their neighbors
Destination checks the timestamp, signs the route and returns it on the same path
Every peer checks the timestamp, verifies the signature and checks that the route is correct
– The local peer must be in the route
– The peers before and after the peer must be neighbors
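The checks a peer runs on an SSR route reply, as an added example in Python (not the SePP project's code): the SL1 session-key binding and timestamp replay check, then the SL2 destination signature and the route-consistency rule from this slide. An HMAC under SK stands in for the slides' encryption with SK, a per-peer HMAC stands in for the public/private key signature, and the replay window and peer secrets are constructed values.

```python
import hashlib
import hmac
import json

REPLAY_WINDOW = 30  # assumption: max deviation of Ts from local time, in seconds

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def protect_sl1(sk, ts, route):
    """SL1: bind {Ts, route} to the routing session key SK. The slides encrypt with
    SK; an HMAC under SK stands in, since the property checked is that nobody
    without the authentic SK modified the route."""
    body = json.dumps({"ts": ts, "route": route}).encode()
    return body, _mac(sk, body)

def verify_sl1(sk, body, tag, now, seen):
    """Reject messages altered without SK, and stale or replayed ones."""
    if not hmac.compare_digest(_mac(sk, body), tag):
        return None, "session-key MAC invalid"
    msg = json.loads(body)
    replay_key = (msg["ts"], tuple(msg["route"]))
    if abs(now - msg["ts"]) > REPLAY_WINDOW or replay_key in seen:
        return None, "stale or replayed Ts"
    seen.add(replay_key)
    return msg, "ok"

def route_is_consistent(route, local, neighbors):
    """SL2 rule every peer applies to a reply: the local peer must be in the
    route, and the peers before and after it must be its neighbors."""
    if local not in route:
        return False
    i = route.index(local)
    return all(route[j] in neighbors for j in (i - 1, i + 1) if 0 <= j < len(route))

def verify_sl2(sk, body, tag, sig, verify_sig, local, neighbors, now, seen):
    """SL2 = SL1 checks + destination signature over the route + route consistency."""
    msg, why = verify_sl1(sk, body, tag, now, seen)
    if msg is None:
        return False, why
    route = msg["route"]
    if not verify_sig(route[-1], body, sig):  # SS8(R) in the slides: destination signs
        return False, "destination signature invalid"
    if not route_is_consistent(route, local, neighbors):
        return False, "route inconsistent with local neighborhood"
    return True, "ok"

# Stand-in for each peer's public/private key pair (assumption): a constructed
# per-peer secret and an HMAC. A deployment verifies real signatures instead.
PEER_SECRETS = {p: hashlib.sha256(b"constructed-peer-%d" % p).digest() for p in range(1, 9)}

def sign(peer, data):
    return _mac(PEER_SECRETS[peer], data)

def verify_sig(peer, data, sig):
    return hmac.compare_digest(sign(peer, data), sig)
```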


SSR

Enables routing on different security levels
• Resource-constrained devices can communicate with powerful devices (SL0, SL1)
• Powerful devices can communicate with maximum security (SL2)
• Powerful devices can participate in all routing activities and provide message forwarding for constrained devices


SePP Merge Protocol

Allows networks with the same security status to merge
• Allows self-organization and prevents network separation (networks can become separated because bridging peers may not be available)
• If a peer discovers another network which has priority (older and equal or bigger), it tries to join it
• Neighbors of this peer also discover the new network by checking the status of their neighbors
• Security constraints are met since each peer performs the join protocol


SePP Neighborhood Protocol

The neighborhood protocol is responsible for obtaining network status information and maintaining network stability
Common tasks:
• Check neighbor availability periodically (detect network changes)
• Find new neighbors at the local network
• Find neighbors from the member list to reduce the maximal route length and thus the network diameter (Small World Problem [7])

References

[1] C. Greg Plaxton, Rajmohan Rajaraman and Andréa W. Richa, “Accessing nearby copies of replicated objects in a distributed environment”, ACM Symposium on Parallel Algorithms and Architectures, 1997, pp. 311-320.
[2] Stefan Kraxberger, Stefan Tillich and Udo Payer, “General Security Concept for Embedded Peer-to-Peer Systems”, MIMES Workshop, 2008.
[3] Gavin Lowe, “Breaking and Fixing the Needham-Schroeder Public-Key Protocol Using FDR”, Proceedings of the Second International Workshop on Tools and Algorithms for Construction and Analysis of Systems, LNCS 1055, pp. 147-166, 1996.
[4] David B. Johnson, David A. Maltz and Josh Broch, “DSR: The Dynamic Source Routing Protocol for Multi-Hop Wireless Ad Hoc Networks”, in Ad Hoc Networking, edited by Charles E. Perkins, Chapter 5, pp. 139-172, Addison-Wesley, 2001.
[5] A. Perrig, R. Canetti, J. D. Tygar and D. Song, “The TESLA Broadcast Authentication Protocol”, RSA CryptoBytes, 5, 2002.
[6] Y. Hu, A. Perrig and D. B. Johnson, “Ariadne: A secure on-demand routing protocol for ad hoc networks”, in Proceedings of ACM MOBICOM’02, Atlanta, Georgia, USA, 2002.
[7] Stanley Milgram, “The Small World Problem”, Psychology Today, pp. 60-67, 1967.
