Safe and Private Peer to Peer Data Sharing
Bogdan C. Popescu, Bruno Crispo, Andrew S. Tanenbaum

Overview
• Peer to peer file sharing
• Threat model & defenses
• Our solution
• Conclusion

Peer to peer file sharing
• Started around 1999 with Napster
  – mostly exchange of music & video
  – highly popular from very beginning
  – very controversial
• Third generation P2P systems: Kazaa, LimeWire
• Sparked interest in P2P paradigm

Should we work on this?
• Non-commercial file sharing - not a crime in EU
  – protect EU citizens against legal harassment abroad
• In P2P networks information cannot be censored
  – safe & private data sharing would aid free speech
• P2P keeps in check de-facto monopolies!
  – perceived as major threat by entertainment industry
  – subject to various types of attacks

Types of Attacks on P2P
• Attack the company offering the service
  – move to de-centralized solutions - 100% success
• Attack the software provider
  – move off-shore or underground - 100% success
• Attack the content
  – content tracing and rating - partial success
• Attack individual users
  – BIG PROBLEM!!

Attacking Users
• Most content is provided by small fraction of users
• RIAA’s “Crush the Connectors” strategy
  – Identify users sharing large number of files
  – Retrieve incriminating content
  – Take them to court
• Exchanging content with strangers becomes dangerous

Threat Model
• Fraction of all P2P nodes controlled by enemy
• Need to prevent
  – exposing good nodes exchanging data w. enemy nodes
  – passive logging attacks
• Less concerned about
  – traffic analysis
  – anonymity

Anonymous File Sharing (1)
• Such systems currently being designed (Freenet)
  – make it impossible to identify source & destination
  – based on earlier work - mix nets, Crowds and Onion Routing
• In theory RIAA has nobody to sue
• In practice endpoints are always exposed

Anonymous File Sharing (2)
[Figure: numbered steps 1 to 6 between a Source and other nodes, with an RIAA node and the label "Exposed!!"]
• Endpoints are always exposed!

Solution - Turtle
• Create the P2P overlay based on social links
• Communication between links is encrypted
• “Friend” nodes agree on keys out-of-band
• Both queries and results go hop-by-hop
• Data exchanged only between trusted parties!

Turtle
[Figure: overlay of nodes marked "?" and "!"]

Query/Hit Protocol
[Figure: nodes A, B and C connected by numbered channels]
• Query packets: Q: XYZ, QID = 764, TTL = 10; Q: XYZ, QID = 764, TTL = 9
• Hit packets: HID: 444, QID = 764, Metadata, Dist = 0, BW: 25KB/s; HID: 444, QID = 764, Metadata, Dist = 1, BW: 10KB/s
• Query table entries: QID: 764, Channel: 4; QID: 764, Channel: 3; QID: 764, Channel: -
• Hit table entries: HID: 444, Channel: 2, Dist: 1, BW: 10; HID: 444, Channel: -; HID: 444, Channel: 2

Anonymous query/hit protocol
• Query/hit protocol is not anonymous
  – TTL in query packet can reveal identity of initiator
  – Dist. Count in hit packet reveals identity of responder
  – identities only disclosed to small group of friends!
• Anonymous protocol also possible:
  – replace TTL with probability of forwarding
  – no more Dist. Count in query hit
  – drawbacks: less flexible result selection

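Added example (a Python sketch, not code from the talk or from Turtle): it floods one query over a constructed friend graph and shows what a single relay can infer from TTL and Dist, then repeats the run with the anonymous variant. The graph, the names `FRIENDS`, `run_query` and `relay_inference`, and the treatment of the figure's TTL = 10 as a known starting value are assumptions.

```python
import random

# Constructed friend graph (assumption): every edge is an encrypted friend link.
FRIENDS = {"A": ["B"], "B": ["A", "C", "D"], "C": ["B"], "D": ["B"]}
INITIAL_TTL = 10  # value from the slide's figure; assumed to be a known default


def run_query(initiator, holder, forward_prob=None, seed=0):
    """Flood a query hop-by-hop, then route the hit back along the reverse path.

    forward_prob=None selects the TTL/Dist variant; a float selects the
    anonymous variant (no TTL in queries, no Dist in hits).
    Returns (query_views, hit_views): the packet fields each node received.
    """
    rng = random.Random(seed)
    anonymous = forward_prob is not None
    upstream = {initiator: None}  # per-node query table: friend the query came from
    query_views, frontier = {}, [(initiator, INITIAL_TTL)]
    while frontier:
        node, ttl = frontier.pop(0)
        if anonymous and node != initiator and rng.random() >= forward_prob:
            continue  # probabilistic stop replaces the TTL check
        if not anonymous and ttl == 0:
            continue  # TTL exhausted, do not forward
        for friend in FRIENDS[node]:
            if friend in upstream:
                continue  # query already seen at that node
            upstream[friend] = node
            query_views[friend] = {"from": node, "ttl": None if anonymous else ttl}
            frontier.append((friend, ttl - 1))
    hit_views = {}
    if holder in upstream:  # holder was reached: send the hit back hop-by-hop
        node, dist = holder, 0
        while upstream[node] is not None:
            relay = upstream[node]
            hit_views[relay] = {"from": node, "dist": None if anonymous else dist}
            node, dist = relay, dist + 1
    return query_views, hit_views


def relay_inference(query_view, hit_view):
    """What one relay can conclude about the friends on either side of it."""
    return {"upstream_is_initiator": query_view["ttl"] == INITIAL_TTL,
            "downstream_is_responder": hit_view["dist"] == 0}
```

With `run_query("A", "C")`, relay B learns that friend A started the query and friend C answered it; with `forward_prob` set, B receives neither field and can conclude neither.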
Security properties
• Node compromise causes localized damage
• Immune to Sybil and Eclipse attack
• Good protection against attacks on content
• Good protection against DoS attacks

How will this work?
• How connected is the friendship graph?
  – Social networking - Orkut, Friendster
  – In 3 months Orkut has grown to 200000 members
  – Through 14 friends I reach 90% of Orkut members
• Are people on-line long enough?
  – ADSL & cable modem becoming widespread
  – Turtle adds extra motivation
• Can connectors cope with relaying demands?
  – ????

Conclusion
• Turtle is the first P2P architecture that can guarantee private and safe data sharing
• Currently being implemented
• Feedback, please!