Terminodes and Sybil: Public-key management in MANET Dave MacCallum (Brendon Stanton) Apr. 9, 2004

Outline

• The problem

• Terminodes project: proposed solution to public-key management problem

• Sybil attacks

• Sybil vs. Terminodes

• Thwarting Sybil?

The problem

• Wireless ad hoc networks cannot depend on many of the resources available to traditional networks for security

• Such networks do not have the fixed infrastructure that is required for classical implementations of centralized certification authorities

• One option for solving this problem is to develop a self-organized system that completely sets aside the need for a trusted authority at any stage of implementation: the Terminodes approach

Terminodes

Sybil attacks

• A Sybil attack is the forging of multiple identities for malicious intent -- having a set of faulty entities represented through a larger set of identities.

• The purpose of such an attack is to compromise a disproportionate share of a system.

• Result: any assumption of designed reliability that rests on a limited proportion of faulty entities is overthrown.

Page 20: Terminodes and Sybil: Public-key management in MANET Dave MacCallum (Brendon Stanton) Apr. 9, 2004

Sybil: key idea

• A Sybil attack undermines the assumed mapping between identities and entities, and hence any count of faulty entities

Page 21: Terminodes and Sybil: Public-key management in MANET Dave MacCallum (Brendon Stanton) Apr. 9, 2004

Model in Douceur (2002):

• Set E of entities e, with two disjoint subsets C (correct entities c) and F (faulty entities f).

• Broadcast communication cloud, pipe connecting each entity to the cloud.

• Entities communicate by broadcast messages, all messages received within bounded time, not necessarily in order.

• Assume local entity l is correct.

Page 22: Terminodes and Sybil: Public-key management in MANET Dave MacCallum (Brendon Stanton) Apr. 9, 2004

[Figure: Douceur’s model: the local entity and the remote entities, each connected by a pipe to the communication cloud]

Page 23: Terminodes and Sybil: Public-key management in MANET Dave MacCallum (Brendon Stanton) Apr. 9, 2004

• Identity i is abstract representation of entity e which persists across multiple messages.

• 3 sources of info from which a local entity can accept identity i of remote e:

– Trusted agency
– Itself
– Other entities

• Two ways to validate identities not received from a trusted agency:

– Direct validation
– Indirect validation: accept identities vouched for by already accepted identities

• Goal: accept all legitimate identities, but no counterfeits

Page 24: Terminodes and Sybil: Public-key management in MANET Dave MacCallum (Brendon Stanton) Apr. 9, 2004

• Method: for direct and indirect validation (not using a trusted agency), use computational tasks to validate distinctness:

– basically, validate the distinctness of two entities by getting them to perform some task (computational puzzle) that a single entity could not.
– cannot assume homogeneous resources, only a minimum; a faulty entity could have more than the minimum
– practical impossibility of having challenges issued simultaneously.
– Result: for direct or indirect validation, a set of faulty entities can counterfeit an unbounded number of identities. (Douceur)

Page 25: Terminodes and Sybil: Public-key management in MANET Dave MacCallum (Brendon Stanton) Apr. 9, 2004

• Validation which does not use a trusted agency can’t provably meet the identity goal:

– Identification based on local-only information is not practical
– A PGP-style web of (certification) trust is not adequate; it is indirect validation.

• Douceur’s Conclusion: A centralized authority is required to realize a reliable distributed system.

Page 26: Terminodes and Sybil: Public-key management in MANET Dave MacCallum (Brendon Stanton) Apr. 9, 2004

Douceur’s 4 Lemmas

1. If is the ratio of the resources of a faulty entity f to the resources of a minimally capable entity, then f can present g = distinct identities to local entity l.

2. If local entity l accepts entities that are not validated simultaneously, then a single faulty entity f can present an arbitrarily large number of distinct identities to entity l.

Page 27: Terminodes and Sybil: Public-key management in MANET Dave MacCallum (Brendon Stanton) Apr. 9, 2004

Douceur’s 4 Lemmas (cont)

3. If local entity l accepts any identity vouched for by q accepted identities, then a set F of faulty entities can present an arbitrarily large number of distinct identities to l if either |F| q or the collective resources available to F at least equal those of q + |F| minimally capable entities.

4. If the correct entities in set C do not coordinate time intervals during which they accept identities, and if local entity l accepts any identity vouched for by q accepted identities, then even a minimally capable faulty entity f can present g = |C| / q distinct identities to l.

Page 28: Terminodes and Sybil: Public-key management in MANET Dave MacCallum (Brendon Stanton) Apr. 9, 2004

Sybil vs. Terminodes

• Despite its claims to the contrary, the Terminodes project is not immune to Sybil attacks

• This can be seen by looking at their repository construction algorithms

Page 29: Terminodes and Sybil: Public-key management in MANET Dave MacCallum (Brendon Stanton) Apr. 9, 2004

Maximum Degree Algorithm

• Each user stores in her local repository several directed and mutually disjoint paths of certificates.

• Each path begins at the user herself.

• The certificates are added to the path as follows: a new certificate is chosen among the certificates connected to the last user on the path, such that the new certificate leads to the user that has the highest number of certificates connected to her.

Page 30: Terminodes and Sybil: Public-key management in MANET Dave MacCallum (Brendon Stanton) Apr. 9, 2004

Shortcut Hunter Algorithm

• Certificates are stored in the local repositories based on the number of shortcut certificates connected to the users

• A shortcut certificate is a certificate that, when removed from the graph, makes the shortest path between the two users previously connected by this certificate strictly larger than two
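As an added illustration of the two repository-construction slides above (example code, not from the slides or the Terminodes project): a toy certificate graph containing a constructed Sybil cluster, the Maximum Degree path construction, and the shortcut-certificate test. The graph, the user names, alphabetical tie-breaking and treating certificates as directed edges are assumptions of this example.

```python
from collections import defaultdict, deque

# Constructed toy certificate graph as (issuer, subject) pairs: honest users
# certify a few neighbours, bob has also certified s1, and the four Sybil
# identities s1..s4 (all one attacker entity) certify each other.
HONEST = [("alice", "bob"), ("bob", "alice"), ("alice", "carol"),
          ("bob", "carol"), ("carol", "bob"), ("carol", "dan"),
          ("dan", "carol"), ("dan", "erin"), ("erin", "dan")]
SYBILS = {"s1", "s2", "s3", "s4"}
CERTS = HONEST + [("bob", "s1")] + [(a, b) for a in SYBILS for b in SYBILS if a != b]

def build_graph(certs):
    """Directed certificate graph: issuer -> set of subjects she certified."""
    g = defaultdict(set)
    for issuer, subject in certs:
        g[issuer].add(subject)
        g[subject]  # ensure every subject is a node too
    return g

def degree(g):
    """Number of certificates connected to each user (issued plus received)."""
    deg = {u: len(subs) for u, subs in g.items()}
    for subs in g.values():
        for v in subs:
            deg[v] += 1
    return deg

def max_degree_path(g, start, length):
    """Maximum Degree Algorithm as the slides describe it: from the user
    herself, repeatedly follow the certificate to the not-yet-visited user
    with the most connected certificates (ties broken alphabetically here)."""
    deg, path = degree(g), [start]
    while len(path) <= length:
        candidates = sorted(v for v in g[path[-1]] if v not in path)
        if not candidates:
            break
        path.append(max(candidates, key=deg.__getitem__))
    return path

def is_shortcut(g, issuer, subject):
    """Shortcut certificate per the slide: with it removed, the issuer is more
    than two hops from the subject (certificates followed as directed edges)."""
    dist, queue = {issuer: 0}, deque([issuer])
    while queue:
        u = queue.popleft()
        for v in g[u]:
            if (u, v) != (issuer, subject) and v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist.get(subject, float("inf")) > 2
```

`max_degree_path(build_graph(CERTS), "alice", 5)` returns `['alice', 'bob', 's1', 's2', 's3', 's4']`: four of the five certificates in alice's repository lead to identities of a single attacker entity, because mutual certification makes those identities the highest-degree users in the graph. The certificates inside the Sybil cluster are not shortcuts (`is_shortcut(g, "s1", "s2")` is False), while bob's certificate on s1 is.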

Page 31: Terminodes and Sybil: Public-key management in MANET Dave MacCallum (Brendon Stanton) Apr. 9, 2004

Thwarting Sybil

• Do we believe any of this?

– Any flaws in the logic chain?
– Is there another way to bind identities to entities?
– Is there something about trust authorities that means they must (by nature) be centralized?

• Is this really a problem?

– Existing systems seem to be working fine.
– What’s wrong with a distributed system using a centralized trust authority?
– Is a CA part of the distributed system that uses it?
– Are existing practices good enough in practice?

Page 32: Terminodes and Sybil: Public-key management in MANET Dave MacCallum (Brendon Stanton) Apr. 9, 2004

The Sybil Attack in Sensor Networks: Newsome, et al.

• Malicious node and its Sybils:

– Direct vs indirect communication
– Fabricated vs stolen identities
– Simultaneous vs non-simultaneous attacks

Page 33: Terminodes and Sybil: Public-key management in MANET Dave MacCallum (Brendon Stanton) Apr. 9, 2004

Sybil attacks

• Distributed storage

• Routing

• Data aggregation

• Voting

• Resource allocation

• Misbehavior detection

Page 34: Terminodes and Sybil: Public-key management in MANET Dave MacCallum (Brendon Stanton) Apr. 9, 2004

Defenses

• Old:

– Computation
– Storage
– Communication

• New: direct attacks only

– Radio resource testing
– Random key predistribution
– Registration
– Position verification
– Code attestation