Who are you? Secure identities in ad hoc networks

Seth Gilbert (National University of Singapore)
Calvin Newport (Georgetown University)
Chaodong Zheng (National University of Singapore)

Identity establishment in wireless networks

The Sybil Attack
• [Definition] Sybil attack: refers to the behavior where malicious users dishonestly generate a large number of fake identities (also called sybil identities, or sybils) to obtain unfair advantage or conduct other hostile activity.

What we offer
• Algorithms that solve identity establishment
• With good sybil bound
  • Asymptotically optimal
• With correctness guarantee
  • Every correct node accepts all other correct nodes

The basic idea for sybil-resistance…
Radio resource testing!
[Figure: channel one and channel two carrying "msg" and "Ack for msg", marked "!ALERT!"]
Honest users: always pass the test!
Malicious users: lose (fake) identity with 50% chance!
[1] N. James, E. Shi, D. Song, and A. Perrig. The sybil attack in sensor networks: Analysis & defenses.
[2] D. Mónica, J. Leitão, L. Rodrigues, and C. Ribeiro. On the use of radio resource tests in wireless ad-hoc networks.
Challenges
• Decentralized (i.e., ad hoc) environment
  • No central base station
• Efficiency of radio resource tests
  • Test on per-pair basis is too slow
• Colluding when multiple malicious clients exist
  • Insufficient to divide nodes into just two channels

Overview of this (short) talk
• Background and Motivation
• Approach and Results
• Model and Problem
• The SimpleSybilSieve Algorithm
• The SybilSieve2 Algorithm

Model: multi-channel wireless network
• Network: consists of c channels
  • Single-hop, synchronous
• Users: n nodes in total
  • Nodes don’t know n, don’t have pre-assigned identities
  • Can use crypto tools
• Communication: each node has one transceiver
  • Each transceiver can access all channels
  • Each transceiver can send/receive on one channel at any time
[Figure: channel one …… channel c]

Model: adversary
• t (of the n nodes) are Byzantine
  • 𝑡 ≤ 𝑛/α, and 𝑡 ≤ 𝑐/α, for some constant 𝛼 ≥ 1
• Faulty nodes can: create sybils, jam, etc…
• Faulty nodes can also collude
  • Model them as one adversary called Eve
[Figure: channel one …… channel c]

Problem: sybil-resistant identity establishment
• Nodes are activated simultaneously
• Each node randomly generates an asymmetric key pair
  • Use public key as the identity
  • Sign messages to prevent spoofing
• Goal: provide each node with a set of identities
  • Contains all honest nodes
  • Contains limited number of sybil identities
[Figure: channel one …… channel c]

SimpleSybilSieve: Intuition
Assume we know the value of n
Assume we have n/2 channels (i.e., c=n/2)
Imagine: each node randomly chooses a channel, then broadcasts or listens each with probability ½
After 𝑛 lg(𝑛) time slots, each node will:
  Hear approximately 1/e fraction of silent rounds
  Hear each other honest node Θ(lg(𝑛)) times (criteria for accepting identities)
  Accept at most 𝑂(𝑡) sybil identities (when using the above criteria)

SimpleSybilSieve: Handle unknown n
Assume we know the value of n
Assume we have n/2 channels (i.e., c=n/2)
Estimate n via
doubling: n=1? n=2? n=4? n=8? n=16? …
When estimate n̂ = 𝑛, use n̂/2 channels
Use fraction of silent rounds heard to verify correctness
  n̂ is small: Eve can do nothing due to contention
  n̂ is large: Eve can do nothing due to large number of channels

SimpleSybilSieve: Handle small c
Assume we know the value of n
Assume we have n/2 channels (i.e., c=n/2)
When the number of channels needed is larger than c, simulate it!
However, this allows Eve to create more sybils!
[Figure: channels 1 to 8 mapped onto channels 1 to 4 over time slot 1 and time slot 2, which together form one round]

The SimpleSybilSieve Protocol
• Proceeds in epochs, each of which contains multiple rounds
• In epoch i, nodes assume n = 2^i, use 2^(i−1) channels
• In each round, each node randomly chooses a channel
  • Then, broadcast or listen each with probability ½
• Use fraction of silent rounds heard to check if estimation is correct
[Figure: timeline of epochs]
  Epoch 1: 𝑛 = 2? (1 channel)
  Epoch 2: 𝑛 = 4? (2 channels)
  ……
  Epoch lg(𝑛) − 1: 𝑛 = 2^(lg(𝑛) − 1)? (2^(lg(𝑛) − 2) channels)
  Epoch lg(𝑛): 𝑛 = 2^lg(𝑛)? (2^(lg(𝑛) − 1) channels)
  ……
  Epoch lg(𝑛) + 2: 𝑛 = 2^(lg(𝑛) + 2)? (2^(lg(𝑛) + 1) channels)

The SimpleSybilSieve Protocol (Continued…)
• Once fraction of silent rounds reaches some constant 𝛾1
  • Nodes start accepting identities
• Once fraction of silent rounds reaches some constant 𝛾2 > 𝛾1
  • Nodes terminate
• Criteria for accepting an identity
  • Heard that identity “sufficiently” often in current epoch
[Figure: timeline of Epoch 1, Epoch 2, ……, Epoch lg(𝑛) − 1, Epoch lg(𝑛), ……, Epoch lg(𝑛) + 2]

SimpleSybilSieve’s guarantees
• [Theorem] For any 𝑡 ≤ min{𝑛, 𝑐}/α where 𝛼 ≥ 6, SimpleSybilSieve finishes within 𝑂(𝑛 lg² 𝑛 ∙ max{1, 𝑛/𝑐}) slots, and guarantees the following, with high probability: (a) there are at most 𝑂(𝑡 · max{1, 𝑛/𝑐}) sybil identities accepted by the honest nodes, collectively; and (b) every honest node accepts all other honest nodes.
• When 𝑐 ≥ 𝑛, running time is 𝑂(𝑛 lg² 𝑛) and sybil bound is 𝑂(𝑡)
  • Asymptotically optimal sybil bound
• When 𝑐 < 𝑛, running time is 𝑂(𝑛² lg² 𝑛) and sybil bound is 𝑂(𝑛)
  • Hum… Not so good…

Can we do better?
• SybilCast: a protocol for centralized wireless networks
• SybilCast: guarantees 𝑂(𝑡) sybil bound even if 𝑐 < 𝑛
• Imagine such a protocol:
  • First run SimpleSybilSieve
  • Then run SybilCast many times, each time one identity is base station
  • An identity is accepted only if it is not sybil in most of these SybilCast instances
[Figure: timeline of SimpleSybilSieve, then SybilCast: Alice is BS, SybilCast: Bob is BS, SybilCast: Charlie is BS, ……, SybilCast: Zula is BS]
[1] Seth Gilbert and Chaodong Zheng. SybilCast: Broadcast on the open airwaves.

But, wait…
• For SimpleSybilSieve:
  • Nodes may terminate at different times…
  • Nodes may accept different sets of identities…
• Need synchronization and consensus mechanism!
• We build a sybil-resistant consensus primitive: SybilSensus
  • Based on existing Byzantine consensus protocol
[Figure: timeline of SimpleSybilSieve???, then SybilCast: Alice is BS, SybilCast: Bob is BS, SybilCast: Charlie is BS, ……, SybilCast: Zula is BS]
[1] T. Srikanth and S. Toueg. Simulating authenticated broadcasts to derive simple fault-tolerant algorithms.
SybilSieve and SybilSieve2
• SimpleSybilSieve to SybilSieve: add SybilSensus to end of each epoch
  • Nodes terminate simultaneously
  • Nodes have same estimation on network size
• Use SybilSensus again to agree on set of accepted identities
• Run repeated instances of (variant of) SybilCast
  • Accept an identity if it is not sybil in most repetitions
[Figure: timeline. SybilSieve: Epoch 1, SybilSensus, Epoch 2, SybilSensus, ……, Epoch i, SybilSensus. SybilSieve2: SybilSieve, SybilSensus, then SybilCast: Alice is BS, SybilCast: Bob is BS, SybilCast: Charlie is BS, ……, SybilCast: Zula is BS]

SybilSieve2 guarantees
• [Theorem] For any 𝑡 ≤ min{𝑛, 𝑐}/α where 𝛼 ≥ 256, SybilSieve2 finishes within 𝑂(𝑛² lg² 𝑛 ∙ max{1, 𝑛/𝑐}) slots, and guarantees the following, with high probability:
  • (a) there are at most 𝑂(𝑡) sybil identities accepted by the honest nodes, collectively;
  • (b) every honest node accepts all other honest nodes;
  • (c) all honest nodes terminate simultaneously and have same estimation on network size which is either 2^lg(𝑛) or 2^(lg(𝑛) + 1).

Comparison of variants
Variant | Running Time | Correctness | Sybil Bound | Synchronous Termination
SimpleSybilSieve | 𝑂(𝑛 lg² 𝑛 ∙ max{1, 𝑛/𝑐}) | YES | 𝑂(𝑡 · max{1, 𝑛/𝑐}) | NO
SybilSieve | 𝑂(𝑛² lg² 𝑛 ∙ max{1, 𝑛/𝑐}) | YES | 𝑂(𝑡 · max{1, 𝑛/𝑐}) | YES
SybilSieve2 | 𝑂(𝑛² lg² 𝑛 ∙ max{1, 𝑛/𝑐}) | YES | 𝑂(𝑡) | YES

To sum up…
• New algorithms for sybil-resistant identity establishment
  • SimpleSybilSieve, SybilSieve, and SybilSieve2
• They provide trade-offs between runtime and sybil bound
  • Pick the one that is most appropriate
• Useful subroutines that can be used elsewhere
  • Sybil-resistant Byzantine consensus, network size estimation
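An added simulation of the epoch structure from the SimpleSybilSieve intuition, unknown-n and protocol slides (not code from the talk or its authors): one honest observer doubles its estimate each epoch and stops once the fraction of silent rounds it hears reaches a threshold. It models honest nodes only; the threshold `gamma`, the constant `rounds_factor`, the seed and the 64-node network are assumptions chosen here, since the slides only say the thresholds are constants.

```python
import random

def expected_silent(n, n_hat):
    """Chance a listener hears silence when n nodes use n_hat/2 channels:
    each of the other n-1 nodes broadcasts on its channel w.p. 1/n_hat."""
    return (1 - 1 / n_hat) ** (n - 1)

def run_epoch(n, i, rng, rounds_factor):
    """Epoch i as seen by node 0: assume n_hat = 2**i, use 2**(i-1) channels.
    Returns (fraction of listening rounds that were silent, hear counts)."""
    n_hat, channels = 2 ** i, 2 ** (i - 1)
    listens = silent = 0
    heard = {}
    for _ in range(rounds_factor * n_hat * i):    # about n_hat * lg(n_hat) rounds
        my_channel = rng.randrange(channels)
        if rng.random() < 0.5:                    # node 0 broadcasts this round
            continue
        listens += 1
        # Honest nodes that picked node 0's channel and chose to broadcast.
        senders = [v for v in range(1, n)
                   if rng.randrange(channels) == my_channel and rng.random() < 0.5]
        if not senders:
            silent += 1
        elif len(senders) == 1:                   # two or more senders collide
            heard[senders[0]] = heard.get(senders[0], 0) + 1
    return (silent / listens if listens else 0.0), heard

def estimate_n(n, gamma=0.25, rounds_factor=16, seed=1):
    """Double the estimate each epoch until the silent fraction reaches gamma.
    gamma, rounds_factor and seed are assumed values, not from the slides."""
    rng = random.Random(seed)
    i = 1
    while True:
        frac, heard = run_epoch(n, i, rng, rounds_factor)
        if frac >= gamma:
            return 2 ** i, frac, heard
        i += 1

if __name__ == "__main__":
    n_hat, frac, heard = estimate_n(64)           # constructed network of 64 honest nodes
    print(n_hat, round(frac, 3), len(heard), min(heard.values()))
```

While the estimate is too small the silent fraction stays near e^(−n/n̂), far below the threshold, which is why the observer cannot stop early; in the stopping epoch it is close to 1/e and every other honest identity has been heard repeatedly.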