On Fri, Dec 17, 2010 at 04:08:08PM +0100, Valerio Schiavoni <valerio.schiav...@gmail.com> wrote a message of 68 lines which said:
> Simply define what a malicious user could potentially do to break your
> system.
> Sniffing packets/blocking packets/subverting routing/message-bombing the
> network/...the list can be as long as you want.

An adversary model should be much richer than that. "Sniffing packets" is a technique, which can be used by many different enemies. It is not a description of what the enemy can do.

I suggest, for the security analysis of Seeks, to start with the adversaries: who they are, what are their goals and, the most important, what are their resources (human and financial). For a search engine, typical adversaries will be governments trying to censor content by wiping it out of the search results (big adversaries, lot of money), competitors (for instance commercial search engines) trying to eliminate the free and open search engine by DoSing it or by injecting dummy results, to destroy the confidence of users (not as big as governments, but still dangerous), police or gangsters trying to learn about you by spying on your queries (the only potential adversary mentioned presently in Seeks documents), companies or other organizations who wish to improve their rank by poisoning the results (when you see what companies can spend on b...s..t like SEO, you can imagine they will be motivated to influence Seeks' results), etc.

For each adversary, find out if it can be on-site or off-site (this traditional separation, between those who are on the right side of the firewall and the others, is not very good for P2P...), or if it can be on-path or off-path.
Then, find out the techniques they have access to:

* sniffing packets (needs to be on-path, can be easily defeated by encryption),
* injecting false traffic (needs to be on-path, or else it can be easily defeated by cookie-like techniques or of course encryption+HMAC),
* posing as a legitimate peer (easy if the P2P network is open: you do not need to pose, you just enroll yourself),
* brute force attacks by many packets (a problem for every protocol),
* subtle attacks by exhaustion of a resource (the number of data slots in a DHT node, for instance),
* attacking from inside: sending deliberately wrong answers, routing to the wrong peer, storing data and not yielding it when requested, etc. While inside attackers have always been the worst thing in security, open P2P changes things because there is no longer a difference between the inside and the outside.

Then you need to find the solutions but it is more complicated :-)

I recommend reading also RFC 3552, "Guidelines for Writing RFC Text on Security Considerations". A "Security considerations" section is one of the things badly missing in Seeks. Section 3 covers the idea of an "adversary model".
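
Added example, not part of the original message: a Python sketch of the "cookie-like techniques" named in the list above, where a peer only processes a datagram once the sender has echoed a cookie that was sent to its claimed address. CookieIssuer, handle_request, the 60-second lifetime and the sample addresses are assumptions made for illustration; an on-path adversary can read the cookie, which is why the message also names encryption+HMAC.

```python
import hashlib
import hmac
import os
import struct

COOKIE_LIFETIME = 60  # seconds per time window (assumed value)


class CookieIssuer:
    """Stateless return-routability cookie for a datagram-based peer (hypothetical)."""

    def __init__(self, secret=None):
        # The secret never leaves this peer; nothing is stored per client.
        self._secret = secret or os.urandom(32)

    def _mac(self, addr, port, epoch):
        # Bind the cookie to the claimed source address, port and time window.
        msg = addr.encode() + struct.pack("!HQ", port, epoch)
        return hmac.new(self._secret, msg, hashlib.sha256).digest()[:16]

    def issue(self, addr, port, now):
        """Cookie to send back to the claimed source address."""
        return self._mac(addr, port, int(now) // COOKIE_LIFETIME)

    def verify(self, addr, port, cookie, now):
        """Accept cookies from the current or the previous time window."""
        epoch = int(now) // COOKIE_LIFETIME
        return any(
            hmac.compare_digest(cookie, self._mac(addr, port, e))
            for e in (epoch, epoch - 1)
        )


def handle_request(issuer, src, cookie, now):
    """Return 'process' only if the sender proved it receives traffic at src."""
    addr, port = src
    if cookie is not None and issuer.verify(addr, port, cookie, now):
        return "process"
    # No valid cookie: answer with issuer.issue(addr, port, now) and do no
    # other work, so a spoofed source costs one MAC and no stored state.
    return "challenge"
```

An off-path sender that spoofs a source address never receives the challenge reply, so it cannot present a valid cookie for that address.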