Date post: | 20-Dec-2014 |
Category: |
Technology |
Upload: | diogo-monica |
View: | 49 times |
Download: | 1 times |
Observable Non-Sybil Quorums
Construction in One-Hop
Wireless Ad Hoc Networks
D. Mónica, J. Leitão, C. Ribeiro, L. RodriguesINESC-ID / IST
The Sybil Attack
The Sybil Attack
The Sybil Attack happens when a malicious node participates with multiple identities in a system
The Sybil Attack
The Sybil Attack happens when a malicious node participates with multiple identities in a system
The Sybil Attack
The Sybil Attack happens when a malicious node participates with multiple identities in a system
The Sybil Attack
The Sybil Attack happens when a malicious node participates with multiple identities in a system
Doomsday
Existing Techniques
Trusted Certification
Social Graphs
Resource Testing
Radio resource tests (RRT)
Computational resource tests (CRT)
Domain Specific
Mobility patterns detection
Objectives
Efficient techniques to mitigate the Sybil attack in Wireless Ad Hoc Networks:
Ensuring:
No node pre-configuration
Byzantine-node tolerance
Scalability
Our Solution
Create a quorum of identities, not affected by the Sybil attack, in which all other correct nodes trust.
Problem Statement
Non-Sybil Quorum
Construction Provides each correct node i with a quorum
NSQi with the following properties: Q-Size. Each delivered quorum has size q. Probabilistic Sybil-free. With a probability
arbitrarily close to 1, in any quorum NSQi the number of identities that have been proposed by the f malicious nodes is no larger than f.
Probabilistic Partial Consistency. With a probability arbitrarily close to 1, the intersection of the quorums delivered to all correct nodes has, at least, q-f identities from correct nodes .
Nodes VS Identities
One correct node proposes to the system one identity.
To an identity proposed by a correct node, we call correct identity.
Nodes VS Identities
One malicious node may propose to the system multiple identities.
Malicious nodes may collude to defend their malicious identities.
Non-Sybil Quorum Construction -
Example
In this network, f = 1, and q = 3f + 1 .
Non-Sybil Quorum Construction -
Example
In this network, f = 1, and q = 3f + 1 .
Non-Sybil Quorum Construction -
Example
Node
Quorum
Non-Sybil Quorum Construction -
Example
Node
Quorum
Non-Sybil Quorum Construction -
Example
Node
Quorum
Node
Quorum
Non-Sybil Quorum Construction -
Example
Node
Quorum
Non-Sybil Quorum Construction -
Example
All Quorums have size q.
NSQ Guarantees
Non-Sybil Quorum Construction -
Example
Node
Quorum
All Quorums have size q.
NSQ Guarantees
Non-Sybil Quorum Construction -
Example
Node
Quorum
All Quorums have size q.
No malicious node was able to propose more than one identity in any correct node’s quorum.
Malicious nodes can propose different identities to different correct node’s quorum.
NSQ Guarantees
Non-Sybil Quorum Construction -
Example
Node
Quorum
All Quorums have size q.
No malicious node was able to propose more than one identity in any correct node’s quorum.
Malicious nodes can propose different identities to different correct node’s quorum.
NSQ Guarantees
Non-Sybil Quorum Construction -
Example
Node
Quorum
All Quorums have size q.
No malicious node was able to propose more than one identity in any correct node’s quorum.
Malicious nodes can propose different identities to different correct node’s quorum.
At the end of the algorithm, there is a majority of q-f correct identities, in every node’s quorum.
NSQ Guarantees
Non-Sybil Quorum Construction -
Example
Node
Quorum
All Quorums have size q.
No malicious node was able to propose more than one identity in any correct node’s quorum.
Malicious nodes can propose different identities to different correct node’s quorum.
At the end of the algorithm, there is a majority of q-f correct nodes, in every node’s quorum.
NSQ Guarantees
Non-Sybil Quorum Construction -
Example
Node
Quorum
All Quorums have size q.
No malicious node was able to propose more than one identity in any correct node’s quorum.
Malicious nodes can propose different identities to different correct node’s quorum.
At the end of the algorithm, there is a majority of q-f correct nodes, in every node’s quorum.
NSQ Guarantees
Non-Sybil Quorum Construction -
Example
Node
Quorum
Solution
Model
One-hop radio neighborhood.
Reliable communication channels (no omissions).
Synchronous communication.
Limit to the maximum number of transmissions a node is able to do, in a given time-period.
Collision detection mechanism.
Approach
Verify if a group of identities possesses the expected aggregated amount of resources that they would, if they belonged to different nodes.
Radio Resource Tests (RRT)
Computational Resource Tests (CRT)
…
Resource Tests:
Solution Overview
Solution Overview
Cooperative Nonce Generation
We propose a new algorithm for cooperative nonce generation.
A nonce has the following properties: Randomness Freshness
Every node should agree on the same nonce, one that malicious nodes cannot deterministically influence.
Correct Nonce
Nonce generation
STEP - 0
Nonce generation
STEP - 1
Nonce generation
STEP - 2
Nonce generation
STEP - 3
Nonce generation
STEP - 3
Collision
Nonce generation
STEP - 3
NULL
Nonce generation
STEP - 4
NULL
Nonce generation
STEP - 5
NULL
Nonce generation
STEP - 6
NULL
Nonce generation
NONCE = HASH ( )
One contribution from a correct node is enough to guarantee the correctness of the nonce.
NULL
Solution Overview
Solution Overview
Computational Resource Test
Use the computational constraints of the nodes, to hinder the proposal of more than one malicious identity (using crypto-puzzles).
Intuition:
We developed a modified version of Hashcash (Back 2004), the Trusted Hashcash.
Premise:
Each node has a limited computational resources
Trusted Hashcash
It is based on the assumption that exists a fresh and random nonce.
Answer
Computational Resource Tests
Tests with a probabilistic resolution time are unable to eliminate every additional malicious identity.
Solution Overview
Solution Overview
Radio Resource Tests
Premise: Each node possesses a single radio device.
Nodes with more than one radio device, are treated as multiple colluding nodes.
Use the limitations of radio devices to assess if distinct identities belong to different radio devices (nodes).
Intuition:
Sender Test (SST)
It is based on the assumption that radio devices are unable to transmit in more than one channel simultaneously.
Sender Test (SST)
It is based on the assumption that radio devices are unable to transmit in more than one channel simultaneously.
Sender Test (SST)
The challenger nodes is unable to listen simultaneously on more than one channel:
The test is repeated r times.
Radio Resource Tests
Weak scalability, but able to detect additional malicious identities w.h.p.
Summary
Non-Sybil Quorum
Observations:
Radio Resource Tests are able to eliminate additional malicious identities. However, they do not scale with the increase in the number of identities.
Computational Resource Tests, while scalable, are not capable of eliminating every additional malicious identity.
Use the advantages of each of the resource tests, to create a quorum without additional malicious identities, in an efficient and scalable fashion.
Intuition:
Non-Sybil Quorum
Nonce Generation
Non-Sybil Quorum
CRT
Nonce Generation
Non-Sybil Quorum
Nonce Generation
RRT
CRT
Non-Sybil Quorum
RRT
CRT
Nonce Generation
Non-Sybil Quorum
Final Remarks
We proposed an algorithm that allows the creation of a Non-Sybil quorum in an one-hop wireless network.
The algorithm is based on two distinct resource tests, in order to be scalable.
In the paper we also present: Proof sketches of all the quorum properties. Details on how we handle colluding malicious
nodes.
As future work, we plan on extending the NSQ algorithm to multi-hop wireless networks