On Sat, Dec 18, 2010 at 12:36:36PM +0100, Stephane Bortzmeyer wrote:
> On Fri, Dec 17, 2010 at 04:03:06PM +0100,
> Loic Dachary <l...@dachary.org> wrote
> a message of 100 lines which said:
>
> > A user finds the answer to question Q by sending a request to the
> > DHT node responsible for Q (the question Q is hashed into a DHT
> > key). A malicious node may try to impersonate the node responsible
> > for Q and return an answer that is irrelevant.
>
> Why does it need to impersonate? It can simply join the DHT and then
> be authoritative for a subset of the keys and reply what it
> wants. That's the biggest problem with open DHTs (closed, one-shop
> DHT, like those used at Google, Skype or Facebook are a different
> matter).
I agree. I've reviewed countermeasures to the Sybil attack [1]. As of today, my current preference still goes to certificates and/or multiple trust-rings built by participants. This would somehow 'close' the participation to the DHT.

However, Seeks implements a so-called 'non routing' mode for DHT nodes to use. In this mode, nodes plug themselves into the DHT ring but are invisible to other nodes for routing and storage purposes. They do maintain their own routing table for issuing lookups though. In my opinion this mitigates the 'closeness' imposed by the certificate-based scheme. The 'non routing' mode is the default mode in the current implementation of the Seeks DHT and does not require these nodes to bear a certificate.

As of today, certificate revocation is my main concern. The work of [2] (Myrmic) has my preference for these matters. I'm interested in alternatives and similar schemes as well.

Em.

[1] G. Urdaneta, G. Pierre & M. Van Steen, "A survey of DHT security techniques", ACM Computing Surveys, 43(2), June 2011, http://www.globule.org/publi/SDST_acmcs2009.html
[2] P. Wang, I. Osipkov, N. Hopper & Y. Kim, "Myrmic: secure and robust DHT routing", TR, 2007.
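The point raised in the quoted reply, that a node in an open DHT need not impersonate anyone because joining already makes it authoritative for a slice of the key space, and the certificate-gated alternative discussed above, are illustrated by the following added example. It is not code from the thread or from Seeks: it is a toy Chord-style ring with a constructed allowlist standing in for certificate validation, and constructed node names and questions.

```python
import hashlib
from bisect import bisect_left

RING_BYTES = 4  # 32-bit identifier space, enough for a demo

def dht_hash(s: str) -> int:
    """Map a node name or a question Q to a point on the ring."""
    return int.from_bytes(hashlib.sha1(s.encode()).digest()[:RING_BYTES], "big")

class Ring:
    def __init__(self, trusted=None):
        # trusted=None models an open DHT; a set of names stands in for the
        # certificate-based scheme, where only certified nodes may join.
        self.trusted = trusted
        self.nodes = []  # sorted list of (node id, node name)

    def join(self, name):
        if self.trusted is not None and name not in self.trusted:
            return False  # no valid certificate: not admitted
        self.nodes.append((dht_hash(name), name))
        self.nodes.sort()
        return True

    def responsible(self, q):
        """Successor rule: the first node id >= hash(Q), wrapping around."""
        ids = [nid for nid, _ in self.nodes]
        i = bisect_left(ids, dht_hash(q))
        return self.nodes[i % len(self.nodes)][1]

def controlled_fraction(ring, prefix, probes=2000):
    """Share of sample questions whose responsible node name starts with prefix."""
    hits = sum(ring.responsible(f"question-{i}").startswith(prefix) for i in range(probes))
    return hits / probes

def simulate(honest=10, sybils=100):
    """Return (open-ring share, closed-ring share) of questions answered by Sybil nodes."""
    honest_names = [f"honest-{i}" for i in range(honest)]   # constructed
    sybil_names = [f"sybil-{i}" for i in range(sybils)]     # constructed
    open_ring = Ring()                                # anyone may join and store
    closed_ring = Ring(trusted=set(honest_names))     # only certified nodes
    for name in honest_names + sybil_names:
        open_ring.join(name)
        closed_ring.join(name)
    return (controlled_fraction(open_ring, "sybil-"),
            controlled_fraction(closed_ring, "sybil-"))

if __name__ == "__main__":
    open_share, closed_share = simulate()
    print(f"open DHT: Sybil identities answer {open_share:.0%} of questions")
    print(f"certificate-gated DHT: Sybil identities answer {closed_share:.0%}")
```

With many cheap identities the open ring hands most questions to the attacker's nodes, which is the Sybil problem; the allowlist check shows the cost side too, since a node without a certificate cannot store or route at all, which is the 'closeness' the 'non routing' mode is meant to soften.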