Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-09-05 Thread Peter Gutmann
[Apparently a pile of my mail got dropped, the following few messages are 
re-sends]

The Doctor writes:

>It might be a reasonable way of protecting PGP key information in DNS records
>so that someone doesn't try inserting their own when it's looked up.

And that's the problem with DNS, it's the only global distributed database
that we've got, so everyone wants to use it as the universal substrate for,
well, anything.  We'd just need to get draft-ietf-dnsind-kitchen-sink-02.txt
adopted and people could cram anything they liked into the DNS.

Peter.
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography


Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-28 Thread The Doctor
On 08/27/2013 09:47 PM, Jonathan Thornburg wrote:

> Assuming it were widely deployed, would
> DNSSEC-for-key-distribution be a reasonable way to store 
> email_address --> public_key mappings?

It might be a reasonable way of protecting PGP key information in DNS
records so that someone doesn't try inserting their own when it's
looked up.  Here's something I've been playing with for the first half
of this: http://www.gushi.org/make-dns-cert/HOWTO.html

-- 
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

"The enemies know the system.  The allies do not." --Jay Jacobs



Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-27 Thread Christian Huitema
> The DHT model says that millions of Raspberry Pi's and thumb drives
> together implement this immense database.  But since a DHT, by design,
> scatters the data around the network at random, *my* thumb drive is full
> of information that I will never need - all the information *I* need is
> out there, somewhere - where, based on the research we've been
> discussing, I have no secure way to get at it.  Why would I buy into such
> a design?  Doesn't it make much more sense for me to store the
> information relevant to me?

When we designed PNRP, I was pretty adamant to avoid this business of storing 
other people's data. We assumed that your data would be stored locally. The 
cost is a bit of added synchronization cost, effectively scaling as the number 
of records that have to be published. But if you are looking at a P2P name 
server type application, there are very few such records. 

Basically, the less nodes rely on strangers, the better.

-- Christian Huitema




Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-27 Thread Phillip Hallam-Baker
On Tue, Aug 27, 2013 at 10:18 PM, Perry E. Metzger wrote:

> On Tue, 27 Aug 2013 19:57:30 -0600 Peter Saint-Andre
>  wrote:
> > On 8/27/13 7:47 PM, Jonathan Thornburg wrote:
> > > On Tue, 27 Aug 2013, Perry E. Metzger wrote:
> > >> Say that you want to distribute a database table consisting of
> > >> human readable IDs, cryptographic keys and network endpoints for
> > >> some reason. Say you want it to scale to hundreds of millions of
> > >> users.
> > >
> > > This sounds remarkably like a description of DNSSEC.
> > >
> > > Assuming it were widely deployed, would
> > > DNSSEC-for-key-distribution be a reasonable way to store
> > >   email_address --> public_key
> > > mappings?
> >
> > You mean something like this (email address --> OTR key)?
> >
> > https://datatracker.ietf.org/doc/draft-wouters-dane-otrfp/
>
> My problem with the use of DNSSEC for such things is the barrier to
> entry. It requires that a systems administrator for the domain your
> email address is in cooperate with you. This has even slowed DNSSEC
> deployment itself.
>

How about the fact that the US govt de facto controls the organization
controlling the root key and it is a single rooted hierarchy of trust?

But in general, the DNS is an infrastructure for making assertions about
hosts and services. It is not a good place for assertions about users or
accounts. So it is a good place to dump DANE records for your STARTTLS
certs but not for S/MIME certs.


> It is, of course, clearly the "correct" way to do such things, but
> trying to do things architecturally correctly sometimes results in
> solutions that don't deploy.
>
> I prefer solutions that require little or no buy in from anyone other
> than yourself. One reason SSH deployed so quickly was it needed no
> infrastructure -- if you controlled a single server, you could log in
> to it with SSH and no one needed to give you permission.
>
> This is a guiding principle in the architectures I'm now considering.


 I very much agree that deployment is all.

One thing I would like to do is to separate the email client from the
crypto decision making even if this is just a temporary measure for testbed
purposes. I don't want to hack plugs into a dozen email clients for a dozen
experiments and have to re-hack them for every architectural tweak.

-- 
Website: http://hallambaker.com/

Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-27 Thread Jerry Leichter

On Aug 27, 2013, at 9:41 PM, Perry E. Metzger wrote:

> On Tue, 27 Aug 2013 21:13:59 -0400 Jerry Leichter 
> wrote:
>> I wonder if much of the work on secure DHT's and such is based on
>> bad assumptions.  A DHT is just a key/value mapping.  There are two
>> reasons to want to distribute such a thing:  To deal with high,
>> distributed load; and because it's too large to store on any one
>> node.
> 
> You've forgotten other reasons. One might want to avoid a single
> point of failure.
And yet DHT's have completely failed at doing this.

> One might also want to avoid having any central
> organization responsible for running a database so that it cannot be
> shut down by an adversary without shutting down thousands or millions
> of nodes.
Redundancy and validation of updates are issues separable from the 
implementation of the map and, in particular, from routing.  DHT's try to 
combine all four and, as we've seen, fail.

Just because it's possible to actually store the contents of a DHT in a single 
big database doesn't mean you'd actually want to do it that way.  I'm 
suggesting that you start with the idealization of a single, secure database, 
then make the modifications needed to actually attain the necessary properties 
in the face of high distributed QPS, random failures, and a variety of attacks.

>> I contend that the second has become a non-problem.
> 
> That is untrue.
> 
> Say that you want to distribute a database table consisting of human
> readable IDs, cryptographic keys and network endpoints for some
> reason. Say you want it to scale to hundreds of millions of users. A
> quick back of the envelope shows that no home user's little ARM based
> gateway machine is going to want to handle storing the entire database
> or handling the entire update traffic volume -- the latter alone
> might swamp someone even with quite reasonable connectivity.
Why in the world would you want to put the information for even a million users
on such a server?  This would be a server that exists to provide services to at
most a few 10's of people - probably fewer.  How many users will they,
personally, ever contact in their collective lifetimes?  This is an ideal
application for local caching of relevant information from the global database 
stored "somewhere else".  It might well, transparently, also contain mapping 
information that its own users received "out of band" and want to use - but 
have no reason to share globally.

> 
>> Even at the high end, what's today a fairly small, moderately
>> powered system can handle this much data with no problems.
> 
> I don't think so. Let's say you have a few hundred bytes per entry and
> a billion users. That's hundreds of gigabytes, far more than you can
> store on a thumb drive and an appreciable fraction even of today's
> hard drives. Furthermore, say that 1% of the entries update per day
> -- even at that low rate, you're going to swamp lots of people's
> internet transfer quotas.
Again, why would individuals want to store that much data?

The DHT model says that millions of Raspberry Pi's and thumb drives together 
implement this immense database.  But since a DHT, by design, scatters the data 
around the network at random, *my* thumb drive is full of information that I 
will never need - all the information *I* need is out there, somewhere - where, 
based on the research we've been discussing, I have no secure way to get at it. 
 Why would I buy into such a design?  Doesn't it make much more sense for me to 
store the information relevant to me?

It's not as if this isn't a design we have that we know works:  DNS.  Yes, DNS, 
even the "secure" versions, have security issues.  But then so do DHT's, so 
they are hardly an improvement.  And many of DNS's problems have to do with the 
assumption of a single hierarchy with, as a result, a small number of 
"extremely trusted" nodes up at the top.  That's a problem that can be attacked.

-- Jerry

> 
> Perry
> -- 
> Perry E. Metzger  pe...@piermont.com



Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-27 Thread Peter Saint-Andre
On 8/27/13 7:47 PM, Jonathan Thornburg wrote:
> On Tue, 27 Aug 2013, Perry E. Metzger wrote:
>> Say that you want to distribute a database table consisting of human
>> readable IDs, cryptographic keys and network endpoints for some
>> reason. Say you want it to scale to hundreds of millions of users.
> 
> This sounds remarkably like a description of DNSSEC.
> 
> Assuming it were widely deployed, would DNSSEC-for-key-distribution
> be a reasonable way to store
>   email_address --> public_key  
> mappings?

You mean something like this (email address --> OTR key)?

https://datatracker.ietf.org/doc/draft-wouters-dane-otrfp/

Peter

-- 
Peter Saint-Andre
https://stpeter.im/




Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-27 Thread Perry E. Metzger
On Tue, 27 Aug 2013 19:57:30 -0600 Peter Saint-Andre
 wrote:
> On 8/27/13 7:47 PM, Jonathan Thornburg wrote:
> > On Tue, 27 Aug 2013, Perry E. Metzger wrote:
> >> Say that you want to distribute a database table consisting of
> >> human readable IDs, cryptographic keys and network endpoints for
> >> some reason. Say you want it to scale to hundreds of millions of
> >> users.
> > 
> > This sounds remarkably like a description of DNSSEC.
> > 
> > Assuming it were widely deployed, would
> > DNSSEC-for-key-distribution be a reasonable way to store
> >   email_address --> public_key  
> > mappings?
> 
> You mean something like this (email address --> OTR key)?
> 
> https://datatracker.ietf.org/doc/draft-wouters-dane-otrfp/

My problem with the use of DNSSEC for such things is the barrier to
entry. It requires that a systems administrator for the domain your
email address is in cooperate with you. This has even slowed DNSSEC
deployment itself.

It is, of course, clearly the "correct" way to do such things, but
trying to do things architecturally correctly sometimes results in
solutions that don't deploy.

I prefer solutions that require little or no buy in from anyone other
than yourself. One reason SSH deployed so quickly was it needed no
infrastructure -- if you controlled a single server, you could log in
to it with SSH and no one needed to give you permission.

This is a guiding principle in the architectures I'm now considering.

-- 
Perry E. Metzger  pe...@piermont.com


Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-27 Thread Jonathan Thornburg
On Tue, 27 Aug 2013, Perry E. Metzger wrote:
> Say that you want to distribute a database table consisting of human
> readable IDs, cryptographic keys and network endpoints for some
> reason. Say you want it to scale to hundreds of millions of users.

This sounds remarkably like a description of DNSSEC.

Assuming it were widely deployed, would DNSSEC-for-key-distribution
be a reasonable way to store
  email_address --> public_key  
mappings?

-- 
-- "Jonathan Thornburg 
   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"


Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-27 Thread Perry E. Metzger
On Tue, 27 Aug 2013 21:13:59 -0400 Jerry Leichter 
wrote:
> I wonder if much of the work on secure DHT's and such is based on
> bad assumptions.  A DHT is just a key/value mapping.  There are two
> reasons to want to distribute such a thing:  To deal with high,
> distributed load; and because it's too large to store on any one
> node.

You've forgotten other reasons. One might want to avoid a single
point of failure. One might also want to avoid having any central
organization responsible for running a database so that it cannot be
shut down by an adversary without shutting down thousands or millions
of nodes.

> I contend that the second has become a non-problem.

That is untrue.

Say that you want to distribute a database table consisting of human
readable IDs, cryptographic keys and network endpoints for some
reason. Say you want it to scale to hundreds of millions of users. A
quick back of the envelope shows that no home user's little ARM based
gateway machine is going to want to handle storing the entire database
or handling the entire update traffic volume -- the latter alone
might swamp someone even with quite reasonable connectivity.

> Even at the high end, what's today a fairly small, moderately
> powered system can handle this much data with no problems.

I don't think so. Let's say you have a few hundred bytes per entry and
a billion users. That's hundreds of gigabytes, far more than you can
store on a thumb drive and an appreciable fraction even of today's
hard drives. Furthermore, say that 1% of the entries update per day
-- even at that low rate, you're going to swamp lots of people's
internet transfer quotas.

Perry
-- 
Perry E. Metzger  pe...@piermont.com


Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-27 Thread Jerry Leichter
I wonder if much of the work on secure DHT's and such is based on bad 
assumptions.  A DHT is just a key/value mapping.  There are two reasons to want 
to distribute such a thing:  To deal with high, distributed load; and because 
it's too large to store on any one node.  I contend that the second has become 
a non-problem.  The DHT uses I've seen involve at most a couple of billion 
small key/value pairs; most involve a few million at most.  Even at the high 
end, what's today a fairly small, moderately powered system can handle this 
much data with no problems.  The limitations are on QPS.  However, there are 
plenty of mundane techniques to deal with that, including replication, 
deterministic sharding, and caching.  They are all much simpler than DHT's and 
are hence less likely to have the subtle security problems that DHT's do.

Fundamentally, we're asking DHT's to solve three problems at once:  Distribute 
a map; be robust in the face of node failure; do it all securely.  Better to 
use good solutions to the individual problems and combine them than to try to 
find a way to do all at once.

I worked on data structures somewhat like DHT's back in the late 1970's (to 
implement the Linda distributed programming language on LAN's and hypercubes 
and similar networks).  Neat idea at the time, and it was fun to see it come 
back as a neat idea on a much larger scale years later; but perhaps its time is 
(again) passing.
-- Jerry



Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-27 Thread Ralph Holz
Hi,

>> There is a host of older literature, too - P2P research, however, has become
>> a cold topic. Although I expect that it will see a revival in the face of
>> surveillance.
> 
> For people who are interested, the list I have (for a year or two back) is:

[list]

I would like to add the following:

R5n: Randomized recursive routing for restricted-route networks
NS Evans, C Grothoff
Network and System Security (NSS) 2011

Routing in the dark: Pitch black
NS Evans, C GauthierDickey, C Grothoff
Computer Security Applications Conference, 2007. ACSAC 2007

Exploiting KAD: possible uses and misuses
M Steiner, T En-Najjary, EW Biersack
ACM SIGCOMM Computer Communication Review 37 (5), 65-70

A global view of kad
M Steiner, T En-Najjary, EW Biersack
Proceedings of the 7th ACM SIGCOMM IMC, 2007

Measurements and mitigation of peer-to-peer-based botnets: a case study
on storm worm
T Holz, M Steiner, F Dahl, E Biersack, F Freiling
Proceedings of 1st Usenix Workshop LEET

Ralph


Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-26 Thread Peter Gutmann
Ralph Holz writes:

>There is a host of older literature, too - P2P research, however, has become
>a cold topic. Although I expect that it will see a revival in the face of
>surveillance.

For people who are interested, the list I have (for a year or two back) is:

"Security Considerations for Peer-to-Peer Distributed Hash Tables", Emil Sit
and Robert Morris, Proceedings of the 1st International Workshop on Peer-to-
Peer Systems (IPTPS'01), Springer-Verlag LNCS No.2429, March 2002, p.261.

"A Survey of Peer-to-Peer Security Issues", Dan Wallach, Proceedings of the
2002 International Symposium on Software Security (ISSS'02), Springer-Verlag
LNCS No.2609, November 2002, p.42.

"Eclipse Attacks on Overlay Networks: Threats and Defenses", Atul Singh,
Tsuen-Wan Ngan, Peter Druschel and Dan Wallach, Proceedings of the 25th
International Conference on Computer Communications (INFOCOM'06), April 2006,

"The Index Poisoning Attack in P2P File Sharing Systems", Jian Liang, Naoum
Naoumov and Keith Ross, Proceedings of the 25th Conference on Computer
Communications (INFOCOM'06), April 2006,

"Conducting and Optimizing Eclipse Attacks in the Kad Peer-to-Peer Network",
Michael Kohnen, Mike Leske and Erwin Rathgeb, Proceedings of the 8th IFIP-TC 6
Networking Conference (Networking'09), Springer-Verlag LNCS No.5550, May 2009,
p.104.

"Combating Index Poisoning in P2P File Sharing", Lingli Deng, Yeping He and
Ziyao Xu, Proceedings of the 3rd Conference and Workshops on Advances in
Information Security and Assurance (ISA'09), Springer-Verlag LNCS No.5576,
June 2009, p.358.

"Hashing it out in public: Common failure modes of DHT-based anonymity
schemes", Andrew Tran, Nicholas Hopper and Yongdae Kim, Proceedings of the 8th
Workshop on Privacy in the Electronic Society (WPES'09), November 2009, p.71.

"Poisoning the Kad Network", Thomas Locher, David Mysicka, Stefan Schmid and
Roger Wattenhofer, Proceedings of the 11th International Conference on
Distributed Computing and Networking (ICDCN'10), Springer-Verlag LNCS No.5935,
January 2010, p.195.

If there's anything significant I've missed, feel free to fill in the gaps.

Peter.


Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-26 Thread The Doctor
On 08/25/2013 09:04 PM, Christian Huitema wrote:

> If we want something robust, we have to forgo the mathematical
> elegance of the DHT, and adopt a network structure in which nodes
> only connect to peers that they trust. You could call that
> "networks of friends." That removes the

It sounds like you're describing the F2F structure underlying the
Retroshare network (though it does piggyback atop the BitTorrent DHT
as a shortcut for peer finding).  However, Retroshare has evidenced
some significant problems on Windows as a platform, and UPnP for
automatic port forwarding is dodgy at the best because not every home
router out there supports it correctly (or at all).

-- 
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

Who are you?



Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-26 Thread Tony Arcieri
On Sun, Aug 25, 2013 at 12:12 PM, Perry E. Metzger wrote:

> Anyone care to shed some light? Pointers to literature are especially
> welcome


Check out this paper: Security Considerations for Peer-to-Peer Distributed
Hash Tables

http://and.they.can.be.quite.long.3.4.0.f.0.6.a.0.1.0.0.2.ip6.arpa/~bauerm/names/DHTsec.pdf


-- 
Tony Arcieri

Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-26 Thread Phillip Hallam-Baker
On Sun, Aug 25, 2013 at 7:42 PM, Christian Huitema wrote:

> > My knowledge of the field is pretty spotty in general as I've never paid
> > much attention up until now -- mostly I know about how people have built
> > DHTs in non-hostile environments. I'm close enough to starting from
> > scratch that I don't know yet what I don't know.
>
> I studied such systems intensely, and designed some
> (http://en.wikipedia.org/wiki/Peer_Name_Resolution_Protocol). Using a
> distributed hash table securely is really hard. The basic idea of DHT is
> that information is spread on the network based on matches between the hash
> of a resource identifier and the hash of a node identifier. All nodes are
> effectively relying on every other node. In an open network, that is pretty
> much equivalent to "relying on the goodness of strangers." You can be sure
> that if our buddies at the NSA set up to watch the content of a DHT, they
> will succeed.
>

I am doing a history of the Web. I came to the conclusion that the clever
part is the problems it decides not to solve. Ted Nelson was absolutely
right on what was desirable, but what he considered 'essential' turned out
to be easily added as layers (search for example).

A confidentiality solution that tells the user 'you can't send mail right
now because you may be subject to an intercept' is more than acceptable.


-- 
Website: http://hallambaker.com/

Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-26 Thread Ralph Holz
Hi,

>> Can you rephrase whether you want info about DHT systems that are
>> related to some kind of mix system (e.g. GNUnet), or whether you
>> simply want to know about common DHT systems. If the latter, what
>> kind of attacks are you after? Eclipse?
> 
> My knowledge of the field is pretty spotty in general as I've never
> paid much attention up until now -- mostly I know about how people
> have built DHTs in non-hostile environments. I'm close enough to
> starting from scratch that I don't know yet what I don't know.

OK, so I'll just add to what's been written so far.

* Most DHTs are indeed intended for a non-hostile environment and allow
users to freely place information in the DHT. This means that data items
can be easily eclipsed from the network by abusing the DHT's principle
of storing an item on the node with the ID that is closest to the item's
own ID. Most concepts support replica.

* The only DHT type that really has seen wide deployment seems to be
Kademlia, most notably in aMule/eMule and some bot networks. Steiner et
al. showed by example that Eclipse attacks against data items are easy
("Conducting and optimizing Eclipse attacks in the Kad P2P network").

* The aMule developers reacted to that attack by restricting routing
tables. Kohnen/Leske et al. showed that this can be easily circumvented
by introducing chains of attackers that cooperate in a particular
fashion to redirect queries and let Kad run into a timeout.

* We have been active in Kad research for a little while, too. We found
that while Eclipse attacks against data items are easy, they are much
much harder against active nodes. I.e. Kad is designed to keep
long-running nodes as long in the routing tables as possible, and to
spread this knowledge widely in the network. This makes it very hard for
an attacker to reroute traffic intended for a victim. However, given a
very strong attacker (1000s of nodes), this should become possible
again. It is one of the disruptive DoS methods.

* The most interesting work that I know of is GNUnet: www.gnunet.org.
They employ a DHT called R5N that combines recursive Kad-style routing
with an initial random walk to evade the above attacker. GNUnet's
problem is that there are not enough developers to get the network to a
reasonable size, but the underlying technology is interesting. GNUnet
also has a SDSI/SPKI-style DNS replacement called GADS. Christian
Grothoff is the main developer and also at TUM (that's how I know him) -
he recently gave a talk on PRISM and GNUnet:

https://www.gnunet.org/internetistschuld

There is a host of older literature, too - P2P research, however, has
become a cold topic. Although I expect that it will see a revival in the
face of surveillance.

Ralph

-- 
Ralph Holz
I8 - Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
Phone +49.89.289.18043
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF


Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-26 Thread Perry E. Metzger
On Sun, 25 Aug 2013 18:04:13 -0700 "Christian Huitema"
 wrote:
> Bottom line, anonymous DHT are fragile.

Though it appears that Tor uses them for its hidden service
directory. How does it do that robustly (or does it do it robustly)?
How do other users of DHTs handle attacks in practice (or is it just
that no one has tried attacking them enough?)

My back of the envelope says that there's little enough data needed
in the distributed data store I want that 1000x replication would not
be a serious problem. I presume that is not sufficient to make Sybil
attacks moot, given the size of modern botnets?

Perry
-- 
Perry E. Metzger  pe...@piermont.com


Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-25 Thread James A. Donald

On 2013-08-26 11:04 AM, Christian Huitema wrote:

Of course the data can be signed, encrypted, etc. But the rule of the game
is that the adversary can manufacture as many peers as they want --
something known as the Sybil attack. They can then perform various forms of
denial.


We need, and have not designed, a good distributed reputation system, 
resting on Zooko's triangle and a large global hash tree that provides 
an unfalsifiable past history of the past conduct of key holders.


Such a global hash tree requires, like bitcoin, a solution to the 
Byzantine Generals Problem - a known hard problem that is nonetheless 
soluble.


A distributed reputation system can also provide things like debt based 
money that provides an incentive for seeding - for providing storage of 
interesting content as well as an incentive for upload bandwidth of 
interesting content.  Bittorrent provides an upload bandwidth incentive, 
but no storage incentive.



Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-25 Thread Christian Huitema
> That is not my worry. Signing the data posted to the DHT can prevent
> spoofing, querying it over a mix network or using a PIR protocol can prevent
> eavesdropping. I'm more worried about various sorts of denial of service
> attacks, or service being shut down by inadvertent behavior.

Of course the data can be signed, encrypted, etc. But the rule of the game
is that the adversary can manufacture as many peers as they want --
something known as the Sybil attack. They can then perform various forms of
denial. 

For example, the connectivity of the DHT generally relies on connectivity
between nodes of similar indices. The attackers can research hashes that
fall very near the hash of the target node, add the corresponding nodes in
the DHT, and effectively place themselves in the path of DHT traffic meant
for the target node. This enables passive traffic analysis, and active
denial of service.

Another potential attack is to get node indices close to that of a popular
resource, effectively becoming the repository of record for that resource.
Again, that enables passive traffic analysis, e.g. finding who accesses a
specific resource, and also active denial of service attacks.

If the attackers can manufacture enough virtual nodes, they obtain control
of the network. They can use that passively for global traffic analysis.
They can also engineer selective disruption, inject traffic to DOS specific
nodes, and other fun games.

Bottom line, anonymous DHT are fragile.

If we want something robust, we have to forgo the mathematical elegance of
the DHT, and adopt a network structure in which nodes only connect to peers
that they trust. You could call that "networks of friends." That removes the
nice O(log N) properties of the DHT, and it becomes hard to guarantee that
all queries will converge. But the network becomes much harder to penetrate.
The old Freenet had a structure like that.

-- Christian Huitema
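
[Added example, not part of the original message.] The pattern described above, node indices placed very near a target hash, can be tested for on the lookup side. The Python below assumes 160-bit SHA-1 identifiers, XOR closeness as in Kademlia-style DHTs, and an independent estimate of network size; every name and all sample data are constructed for illustration.

```python
import hashlib
import math

ID_BITS = 160  # assumption: SHA-1 sized IDs and XOR closeness (Kademlia-style)

def node_id(label: bytes) -> int:
    return int.from_bytes(hashlib.sha1(label).digest(), "big")

def common_prefix_len(a: int, b: int) -> int:
    """Leading bits shared by two IDs; a longer prefix means a closer node."""
    return ID_BITS - (a ^ b).bit_length()

def poisson_tail(lam: float, m: int) -> float:
    """P(X >= m) for X ~ Poisson(lam), m >= 1."""
    term = cdf = math.exp(-lam)
    for i in range(1, m):
        term *= lam / i
        cdf += term
    return max(0.0, 1.0 - cdf)

def sybil_suspicion(key, closest, est_network_size, alpha=1e-6):
    """Flag a lookup result whose IDs crowd the key more than chance allows.
    With N honest uniformly random IDs, the count sharing >= d leading bits
    with the key is roughly Poisson(N / 2**d). Returns (flagged, depth, count, p).
    """
    cpls = sorted((common_prefix_len(key, n) for n in closest), reverse=True)
    best = (1.0, 0, 0)
    for m, depth in enumerate(cpls, start=1):  # m nodes share >= depth bits
        p = poisson_tail(est_network_size / 2 ** depth, m)
        if p < best[0]:
            best = (p, depth, m)
    p, depth, m = best
    return p < alpha, depth, m, p

def k_closest(key, nodes, k=8):
    return sorted(nodes, key=lambda n: n ^ key)[:k]

def demo():
    # Constructed sample data: 5000 honest nodes with hash-derived IDs, then
    # 8 injected IDs that copy the key's top 40 bits.
    key = node_id(b"popular-resource")
    honest = [node_id(b"honest-%d" % i) for i in range(5000)]
    low = (1 << 120) - 1
    injected = [(key & ~low) | (node_id(b"injected-%d" % i) & low) for i in range(8)]
    clean = sybil_suspicion(key, k_closest(key, honest), len(honest))
    crowded = sybil_suspicion(key, k_closest(key, honest + injected), len(honest))
    return clean, crowded

if __name__ == "__main__":
    print(demo())
```

The verdict is only as good as est_network_size: an underestimate makes honest neighbours look improbably close, so the estimate should come from a source the nodes under test cannot influence.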






Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-25 Thread Perry E. Metzger
On Sun, 25 Aug 2013 16:42:57 -0700 "Christian Huitema"
 wrote:
> I studied such systems intensely, and designed some
> (http://en.wikipedia.org/wiki/Peer_Name_Resolution_Protocol). Using
> a distributed hash table securely is really hard. The basic idea of
> DHT is that information is spread on the network based on matches
> between the hash of a resource identifier and the hash of a node
> identifier. All nodes are effectively relying on every other node.
> In an open network, that is pretty much equivalent to "relying on
> the goodness of strangers." You can be sure that if our buddies at
> the NSA set up to watch the content of a DHT, they will succeed.

That is not my worry. Signing the data posted to the DHT can prevent
spoofing, querying it over a mix network or using a PIR protocol can
prevent eavesdropping. I'm more worried about various sorts of denial
of service attacks, or service being shut down by inadvertent
behavior.

Perry
-- 
Perry E. Metzger		pe...@piermont.com


Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-25 Thread Christian Huitema
> My knowledge of the field is pretty spotty in general as I've never paid much
> attention up until now -- mostly I know about how people have built DHTs in
> non-hostile environments. I'm close enough to starting from scratch that I don't
> know yet what I don't know.

I studied such systems intensely, and designed some
(http://en.wikipedia.org/wiki/Peer_Name_Resolution_Protocol). Using a
distributed hash table securely is really hard. The basic idea of DHT is
that information is spread on the network based on matches between the hash
of a resource identifier and the hash of a node identifier. All nodes are
effectively relying on every other node. In an open network, that is pretty
much equivalent to "relying on the goodness of strangers." You can be sure
that if our buddies at the NSA set up to watch the content of a DHT, they
will succeed.

-- Christian Huitema






Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-25 Thread Perry E. Metzger
On Sun, 25 Aug 2013 21:33:42 +0200 Ralph Holz
 wrote:
> On 08/25/2013 09:12 PM, Perry E. Metzger wrote:
> > For some research on communications privacy I'm doing at the
> > moment, I'm interested in learning about the state of the art of
> > DHT systems and mix network systems. I'd like to know both which
> > systems are
> 
> Can you rephrase whether you want info about DHT systems that are
> related to some kind of mix system (e.g. GNUnet), or whether you
> simply want to know about common DHT systems. If the latter, what
> kind of attacks are you after? Eclipse?

My knowledge of the field is pretty spotty in general as I've never
paid much attention up until now -- mostly I know about how people
have built DHTs in non-hostile environments. I'm close enough to
starting from scratch that I don't know yet what I don't know.

Perry
-- 
Perry E. Metzger		pe...@piermont.com


Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-25 Thread Ralph Holz
On 08/25/2013 09:12 PM, Perry E. Metzger wrote:
> For some research on communications privacy I'm doing at the moment,
> I'm interested in learning about the state of the art of DHT systems
> and mix network systems. I'd like to know both which systems are

Can you rephrase whether you want info about DHT systems that are
related to some kind of mix system (e.g. GNUnet), or whether you simply
want to know about common DHT systems. If the latter, what kind of
attacks are you after? Eclipse?

Ralph

-- 
Ralph Holz
I8 - Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
Phone +49.89.289.18043
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF


[Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-25 Thread Perry E. Metzger
For some research on communications privacy I'm doing at the moment,
I'm interested in learning about the state of the art of DHT systems
and mix network systems. I'd like to know both which systems are
currently considered "state of the art" and what the state of the art
is on attacks against such systems.

Anyone care to shed some light? Pointers to literature are especially
welcome, but anything that is just "in the folklore" is also clearly
of use...

Perry
-- 
Perry E. Metzger		pe...@piermont.com