Peer-to-Peer Information Systems Week 11: TrustTrust (in Real Life)Trust When Downloading SoftwareS/W Reputations in P2P SystemsDetecting TamperingDigital Certificates & Certificate AuthoritiesSandboxing & WrappingWeb Server LoggingSlide 9PowerPoint PresentationTrust and SearchingTrust in Censorship Resistant SystemsBuilding Trust / Reputation Into Our P2P ApplicationTrust: Local vs. RemoteProposed SolutionRemote TrustExchanging TrustIdentifying Bad SitesManaging the ListsPeer ConfigurabilityLate JoinersFriends of My FriendsExtracting Feedback From the UserPeer-to-Peer Information SystemsWeek 11: TrustOld Dominion UniversityDepartment of Computer ScienceCS 495/595 Fall 2004Michael L. Nelson <[email protected]>11/09/04Trust (in Real Life)•Trust in real life is increased by:–establishing positive reputations and networks for conveying these reputations–decreasing the number of people that have to be trusted–reducing risk•However, in chapter 15 the focus is not on increasing trustworthiness, but rather reducing the requirement for trust–“the ideal trusted system is on that everyone has confidence in because they do not have to trust it”Trust When Downloading SoftwareRisk Solution Trust PrincipleS/W doesn’t behave as advertised, and may even damage your systemOnly download s/w from companies/individuals who have established a good reputation, or those you know where to find should a problem occurLook for positive reputationsS/W is modified (on server or in transit)Check for digital signature on message digest and verify signature against author’s certificateUse tools that accurately convey reputationsYour downloads (and other activities) are logged by your ISP or other partiesUse an anonymity tool so other parties do not get access to information that might link you to a particular downloadReduce riskTable 15.1, p. 245S/W Reputations in P2P Systems•Not every P2P software package ties into an established entity with significant reputation credentials–e.g.: how would you bootstrap the distribution of the s/w we have developed in class?–similarly, where does one go to get a canonical Gnutella client?•P2P and traditional notions of trust (or “branding”) are somewhat incompatible…Detecting Tampering•Assuming the organization / person you are downloading from is trustworthy, how do you know that:–the s/w was not modified on their server?–the s/w was not modified in transit?•Message digest (e.g. MD5) can be used to alert to modifications–but clever attackers will modify the digest value•Digital signatures can be used to “tamper-proof” the message digest–assumes integrity of the author’s private key…–…and access to the author’s public keyDigital Certificates & Certificate Authorities1. Alice writes software package P2. Alice gets a certificate from CA3. Alice’s signature A=Sign(PubAlice,Digest(P))4. Alice uploads P, A1. Bob downloads P, A2. Bob gets Alice’s public key from the CA3. Bob computes B=Sign(PubAlice, Digest(P))4. if A==B, then P is ok Alice’s webpage Certificate Authoritycf. Figure 15-1, p. 247Sandboxing & Wrapping•Many programs are in place to limit damage to the computer system, whether malicious or unintentional–for example, the OS limits your actions to your files, not the the files of others•Java applets, for example, run in sandbox mode to prevent nasty things like file deletion•But what of open source software? –if you install MS Office, you are trusting that it will not do anything bad–how would you convince others to trust your P2P app?Web Server Logginganonymizer.comthis portion of the transactionis visiblewill not reveal your IP(and thus your identity) tothe remote serverpresumably, the anonymizing proxycan be trusted… is this a good assumption?Web Server LoggingSSL will prevent eavesdropping, butreveal your identity to the remote serverWeb Server Logging…a mix network will encrypt the trafficand hide your identity from the servercrowds will hide your identity and provide plausible deniability on the local side…but what if the mix network was installed by the RIAA?what if a crowd participants returned random pages?Trust and Searching•How well do you trust the query results of:–an Internet search engine?–100s - 1000s of distributed clients?•Do the results really match your query?–malice, e.g.:•RIAA returns MP3s that say “stealing music is bad”–cf. C. Lynch’s “When Documents Deceive : Trust and Provenance as New Factors for Information Retrieval in a Tangled Web”, JASIS 52(1), 12-17.•queries are changed to reflect the preferences of node operators–accident, e.g.:•nodes are down•query is damaged•lack of authority files (“which version of “Louie Louie””)•content is 404Trust in Censorship Resistant SystemsRisk Solution Trust PrincipleServers, proxies, ISPs, etc. may log your requestsUse a secure channel and/or anonymity tool to disassociate you and your actionsreduce risk; reduce # of people to be trustedProxies & search engines may alter content Run your own proxy; try several proxies / search engines and compare resultsreduce risk; reduce # of people to be trustedMultiple parties may conspire to censor your documentPublish your document in a way that requires many parties to conspire for censorshipreduce # of people to be trustedParties may censor your document through false updatesPublish in an update-free system reduce # of people to be trustedCensors may flood system with content in a DoS attackImpose limits/quotas; require fungible or non-fungible quid-pro-quo; use a reputation systemreduce # of reduce risk; look for good reputationsCensors may use legal tactics Publish your document in a way that requires many parties to conspire for censorshipreduce # of people to be trustedCensors may threaten you to delete you own documentsPublish in systems that do not allow deletionsreduce risk; reduce # of people to be trustedcondensed Table 15.2, p. 269Building Trust / Reputation Into Our P2P Application•What if we built a reputation metric into our system?•Possible ideas:–content quality•1 = perfect transaction•0.5 = peer was confused or had errors•0.0 = peer lied about the content–duration•keep track of the number of transactionsTrust: Local vs. Remote•Certainly users are best suited to determine their own experience of trust…•But this is simply automating what a single user experiences anyway…–this advises based on