Sybil attack

Terminodes and Sybil:
Public-key management in
MANET
Dave MacCallum
(Brendon Stanton)
Apr. 9, 2004
Outline
• The problem
• Terminodes project: proposed solution to
public-key management problem
• Sybil attacks
• Sybil vs. Terminodes
• Thwarting Sybil?
The problem
• Wireless ad hoc networks cannot depend on many
of the resources available to traditional networks
for security
• Such networks do not have the fixed infrastructure
that is required for classical implementations of
centralized certification authorities
• One option for solving this problem is to develop
a self-organized system that completely sets aside
the need for a trusted authority at any stage of
implementation: Terminodes approach
Terminodes
Sybil attacks
• A Sybil attack is the forging of multiple identities
for malicious intent -- having a set of faulty
entities represented through a larger set of
identities.
• The purpose of such an attack is to compromise a
disproportionate share of a system.
• Result is overthrowing of any assumption of
designed reliability based on a limited proportion
of faulty entities.
Sybil: key idea
• A Sybil attack undermines the assumed mapping
between identities and entities, and hence the
assumed number of faulty entities
Model in Douceur (2002):
• Set E of entities e; two disjoint subsets C (c is
correct) and F (f is faulty).
• Broadcast communication cloud, pipe connecting
each entity to the cloud.
• Entities communicate by broadcast messages, all
messages received within bounded time, not
necessarily in order.
• Assume local entity l is correct.
[Figure: remote entities and the local entity, each connected by a pipe to the communication cloud]
• Identity i is abstract representation of entity e which
persists across multiple messages.
• 3 sources of info for which a local entity can accept
identity i of remote e :
– Trusted agency
– Itself
– Other entities
• Two ways to validate entities not received from trusted
agency:
– Direct validation
– Indirect validation; accept identities vouched for by already
accepted identities
• Goal: accept all legitimate identities, but no counterfeits
• Method: for direct and indirect validation (not
using trusted agency), utilize computational tasks
to validate distinctness;
– basically, validate distinctness of two entities by getting
them to perform some task (computational puzzle) that
a single entity could not.
– cannot assume homogeneous resources, only minimum;
faulty entity could have more than minimum
– practical impossibility of having challenges issued
simultaneously.
– Result: for direct or indirect validation, a set
of faulty entities can counterfeit an
unbounded number of identities. (Douceur)
• Validation which does not use a trust agency can’t
provably meet the identity goal;
– Identification based on local-only information not
practical
– PGP-style web of (certification) trust not adequate; is
indirect-validation.
• Douceur’s Conclusion: A centralized
authority is required to realize a reliable
distributed system.
Douceur’s 4 Lemmas
1. If  is the ratio of the resources of a faulty entity
ƒ to the resources of a minimally capable entity,
then ƒ can present g =  distinct identities to
local entity l.
2. If local entity l accepts entities that are not
validated simultaneously, then a single faulty
entity ƒ can present an arbitrarily large number
of distinct identities to entity l.
Douceur’s 4 Lemmas (cont)
3. If local entity l accepts any identity vouched for
by q accepted identities, then a set F of faulty
entities can present an arbitrarily large number
of distinct identities to l if either |F|  q or the
collective resources available to F at least equal
those of q + |F| minimally capable entities.
4. If the correct entities in set C do not coordinate
time intervals during which they accept
identities, and if local entity l accepts any
identity vouched for by q accepted identities,
then even a minimally capable faulty entity f can
present g = |C| / q distinct identities to l.
Sybil vs. Terminodes
• Despite their promises to the contrary, the
Terminodes project is not immune to Sybil
attacks
• This can be seen by looking at their
repository construction algorithms
Maximum Degree Algorithm
• Each user stores in her local repository several
directed and mutually disjoint paths of certificates.
• Each path begins at the user herself
• The certificates are added to the path as follows: a
new certificate is chosen among the certificates
connected to the last user on the path, such that the
new certificate leads to the user that has the
highest number of certificates connected to her
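An added example (not the Terminodes project's code) of the greedy path construction described above, run on a constructed certificate graph in which one entity holds four mutually certifying identities. The degree definition (certificates issued plus received), the tie-break by name, the user names and the `sybil_share` metric are assumptions.

```python
from collections import defaultdict

def max_degree_paths(certs, user, n_paths, max_len):
    """Greedy repository construction as described on the slide.

    certs: (issuer, subject) pairs. Degree is taken as certificates issued
    plus received, an assumed reading of "certificates connected to her".
    """
    out, deg = defaultdict(list), defaultdict(int)
    for issuer, subject in certs:
        out[issuer].append(subject)
        deg[issuer] += 1
        deg[subject] += 1
    used, paths = {user}, []          # `used` keeps the paths mutually disjoint
    for _ in range(n_paths):
        path, last = [], user
        while len(path) < max_len:
            candidates = [s for s in out[last] if s not in used]
            if not candidates:
                break
            nxt = max(candidates, key=lambda s: (deg[s], s))  # highest degree wins
            path.append((last, nxt))
            used.add(nxt)
            last = nxt
        if path:
            paths.append(path)
    return paths

def sybil_share(paths, sybils):
    """Fraction of stored certificates that certify a Sybil identity."""
    subjects = [subject for path in paths for _, subject in path]
    return sum(s in sybils for s in subjects) / len(subjects) if subjects else 0.0

# Constructed graph: four honest users, plus four identities of one entity
# that certify each other; bob has certified one of them (s1) by mistake.
HONEST = [("alice", "bob"), ("alice", "carol"), ("bob", "carol"),
          ("carol", "dave"), ("dave", "bob")]
SYBILS = {"s1", "s2", "s3", "s4"}
CLUSTER = [(a, b) for a in sorted(SYBILS) for b in sorted(SYBILS) if a != b]
GRAPH = HONEST + CLUSTER + [("bob", "s1")]

if __name__ == "__main__":
    repo = max_degree_paths(GRAPH, "alice", n_paths=2, max_len=4)
    print(repo, sybil_share(repo, SYBILS))
```

In this graph a single mistaken certificate from bob is enough for Sybil identities to make up half of the certificates alice stores, because the cluster inflates its own degree at no cost.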
Shortcut Hunter Algorithm
• Certificates are stored into the local
repositories based on the number of the
shortcut certificates connected to the users
• A shortcut certificate is a certificate that,
when removed from the graph makes the
shortest path between two users previously
connected by this certificate strictly larger
than two
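An added example (not the Terminodes project's code) that applies the shortcut definition above to a constructed certificate graph. It assumes paths follow certificate direction (issuer to subject) and that an unreachable subject counts as a distance larger than two; the function names and the graph are illustrative.

```python
from collections import defaultdict, deque

def distance(certs, src, dst):
    """Length of the shortest directed certificate path from src to dst."""
    adj = defaultdict(list)
    for issuer, subject in certs:
        adj[issuer].append(subject)
    dist, queue = {src: 0}, deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            return dist[u]
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return float("inf")               # assumption: unreachable counts as > 2

def is_shortcut(certs, cert):
    """True if removing `cert` leaves its two users more than two hops apart."""
    remaining = [c for c in certs if c != cert]
    return distance(remaining, cert[0], cert[1]) > 2

def shortcut_counts(certs):
    """Number of shortcut certificates connected to each user."""
    counts = defaultdict(int)
    for cert in certs:
        if is_shortcut(certs, cert):
            counts[cert[0]] += 1
            counts[cert[1]] += 1
    return dict(counts)

# Constructed graph: a->c is backed by the two-hop path a->b->c, while
# a->e is backed only by the three-hop path a->c->d->e.
CERTS = [("a", "b"), ("b", "c"), ("a", "c"), ("c", "d"), ("d", "e"), ("a", "e")]

if __name__ == "__main__":
    for cert in CERTS:
        print(cert, is_shortcut(CERTS, cert))
    print(shortcut_counts(CERTS))
```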
Thwarting Sybil
• Do we believe any of this?
– Any flaws in the logic chain?
– Is there another way to bind identities to entities?
– Is there something about trust authorities that means
they must (by nature) be centralized?
• Is this really a problem?
– Existing systems seem to be working fine.
– What’s wrong with a distributed system using a
centralized trust authority?
– Is a CA part of the distributed system that uses it?
– Are existing practices good enough in practice?
The Sybil Attack in Sensor
Networks: Newsome, et al.
• Malicious node and its Sybils:
– Direct vs indirect communication
– Fabricated vs stolen identities
– Simultaneous vs non-simultaneous attacks
Sybil attacks
• Distributed storage
• Routing
• Data aggregation
• Voting
• Resource allocation
• Misbehavior detection
Defenses
• Old:
– Computation
– Storage
– Communication
• New: direct attacks only
– Radio resource testing
– Random key predistribution
– Registration
– Position verification
– Code attestation