2.4 Distributed Security Mechanisms
2.4.9 Conclusion Security Mechanisms for Distributed Systems
The discussion of security mechanisms for distributed systems presented the basic concepts of secret sharing, distributed key generation, threshold cryptography, and proactive secret sharing.
As a basic requirement, it can be concluded that for autonomous distributed systems with a dynamic number of participants, it must be possible to generate additional shares even after the initialisation phase. Thus, additive secret sharing cannot be applied, and any applied scheme should be based on Shamir’s polynomial secret sharing.
Further, since it must be taken into account that an adversary may try over time to gain knowledge of the shared private key, proactive secret sharing should be applied. Three different kinds of proactive secret sharing schemes exist:
RSA-based proactive threshold schemes are the most discussed in the literature. However, for large systems only the URSA scheme can be applied. URSA has a security hole that requires generating a new key pair after a specific number of update rounds. Its distributed key generation is very traffic intensive, because the prime numbers have to be generated in a distributed way. Its advantage is the efficient signature protocol, which requires only a linear number of messages with growing threshold t.
DSA-based schemes do not have these disadvantages. Their distributed key generation is much more efficient than distributed RSA key generation, as no prime numbers need to be generated. However, their disadvantage is that the signature protocol requires several broadcasting phases. Further, 2t participants are required for signing a message.
The most efficient scheme appears to be the BLS threshold scheme. The key pair can be initialised using (GJKR99, GJKR07). Furthermore, the signature protocol requires a linear number of messages with growing threshold t. Also, its security has been proven without significant faults.
Verification of shares and partial signatures is an important feature of proactive secret sharing. For distributed generation of a key pair, each participant has to broadcast individual verification values for every other participant to all participants. URSA does not provide this mechanism; threshold DSA and threshold BLS do. An evaluation of the BLS threshold scheme in terms of produced traffic and computational requirements is presented in (STY03). It shows that the computational complexity of the BLS scheme is higher than that of the other schemes.
When applying proactive secret sharing to autonomous distributed systems, bootstrapping a single server for generating a system-wide key pair should be avoided. Therefore, proactive threshold schemes that allow distributed key generation are required. For RSA-based threshold systems, the distributed key generation presented in (BF01) and optimised for efficiency in (FMY98) can be applied; this was discussed in Section 2.4.6.2. For discrete-log based schemes like DSA and BLS, the method presented in (GJKR99, GJKR07) should be applied, as it represents the most recent findings; this was discussed in Section 2.4.6.1.
In conclusion, for applying a proactive secret sharing scheme to autonomous distributed systems, the BLS scheme is the best suited, as it offers all characteristics desired for an application in p2p systems: it scales to an unlimited number of peers, it provides verifiable secret sharing, and it allows efficient distributed key generation. However, should proactive secret sharing be applied on devices with low computational power, the URSA-based scheme can be more appropriate. In that case, close attention must be paid to the constraint that a new key must be generated after a specific number of update rounds.
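The two properties this section relies on, namely that Shamir's polynomial sharing (unlike additive sharing) allows a share to be issued to a peer that joins after the initialisation phase, and that a proactive refresh re-randomises all shares without changing the shared secret, are easiest to see in code. The following is an added illustration written for this summary; it is not code from the dissertation or from any of the cited schemes, and the prime field, threshold, peer indices and secret value are constructed choices. It works on a plain integer secret rather than a real signing key, and the refresh round omits the verification values (commitments) that threshold DSA and BLS broadcast alongside the shares.

```python
"""Added example: Shamir polynomial secret sharing over a prime field.
Shows (1) t-of-n dealing and reconstruction, (2) issuing a share to a peer that
joins after initialisation, computed by t existing holders without exposing
their own shares, (3) one proactive refresh round that leaves the secret
unchanged, and (4) additive sharing for contrast. All values are constructed."""
import secrets

P = (1 << 127) - 1  # constructed field modulus (a Mersenne prime)


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... (mod P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def _lagrange_coeff(i, xs, x0):
    """Lagrange basis coefficient of index i among xs, evaluated at x0 (mod P)."""
    num, den = 1, 1
    for j in xs:
        if j != i:
            num = num * ((x0 - j) % P) % P
            den = den * ((i - j) % P) % P
    return num * pow(den, P - 2, P) % P


def deal(secret, t, n):
    """Dealer step: random degree-(t-1) polynomial with the secret as constant
    term; the share of peer x is its evaluation at x. Returns {x: share}."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return {x: _eval_poly(coeffs, x) for x in range(1, n + 1)}


def reconstruct(shares):
    """Interpolate the shared polynomial at 0 from (at least) t shares."""
    xs = list(shares)
    return sum(_lagrange_coeff(i, xs, 0) * shares[i] for i in xs) % P


def issue_new_share(helper_shares, new_x):
    """t existing holders jointly compute the share for new index new_x.
    Helper i contributes lambda_i(new_x) * y_i; because lambda_i is public that
    alone would reveal y_i to the joiner, so the helpers first agree on a random
    additive sharing of zero and add their blinding term. The joiner sums the
    blinded contributions and the blinding cancels out."""
    xs = list(helper_shares)
    # r[i][j] is the random mask helper i sends to helper j
    r = {i: {j: secrets.randbelow(P) for j in xs if j != i} for i in xs}
    total = 0
    for i in xs:
        blind = (sum(r[j][i] for j in xs if j != i)
                 - sum(r[i][j] for j in xs if j != i)) % P
        total += (_lagrange_coeff(i, xs, new_x) * helper_shares[i] + blind) % P
    return total % P


def proactive_refresh(shares, t):
    """One refresh round: every holder picks a random degree-(t-1) polynomial
    with zero constant term and sends its value at x to holder x; each holder
    adds everything it received to its share. The sum of zero-constant
    polynomials has zero constant term, so the secret is unchanged, while old
    and new shares no longer combine to the secret."""
    updates = {i: [0] + [secrets.randbelow(P) for _ in range(t - 1)] for i in shares}
    return {x: (y + sum(_eval_poly(updates[i], x) for i in shares)) % P
            for x, y in shares.items()}


def additive_deal(secret, n):
    """Additive (n-of-n) sharing for contrast: all n shares are fixed at creation
    and every one is needed to recover the secret, so a late joiner cannot be
    given a share without re-dealing the whole secret."""
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((secret - sum(shares)) % P)
    return shares


if __name__ == "__main__":
    s = 123456789
    sh = deal(s, 3, 5)
    sh[6] = issue_new_share({k: sh[k] for k in (1, 3, 5)}, 6)
    print(reconstruct({k: sh[k] for k in (4, 5, 6)}) == s)   # True: joiner's share works
    fresh = proactive_refresh(sh, 3)
    print(reconstruct({k: fresh[k] for k in (1, 2, 6)}) == s)  # True: secret unchanged
```

In the refresh round every participant acts as a dealer of a zero-constant polynomial, which is why the secret survives while any t shares taken from different rounds fail to interpolate to it; this is exactly the property that forces an adversary to compromise t peers within a single update period.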
2.5 Summary
To fulfil the goal of demonstrating the feasibility of a fully distributed accounting scheme for p2p systems with intrinsic automatic cooperation control, this chapter has reviewed the related work.
The first section gives the relevant definitions in the context of this dissertation. An overview of the different definitions of p2p systems is given, and the definition of Steinmetz and Wehrle (SW05a) is selected as the most relevant for this dissertation. Accounting in information systems is defined as the process of tracing relevant IS activities to a responsible source. Cooperation control is understood as a three-part process consisting of the definition of rules, the control of rules, and the enforcement of rules. Finally, security and trustworthiness are circumscribed. A trustworthy system is designed with good intentions, has the ability to perform the functionality it was designed for, and is secure. Secure refers to information security and data protection.
The second section reviews accounting functionality in computer networks other than p2p systems. All solutions for accounting in centralised systems, decentralised systems and the Grid, as well as micropayment schemes, rely on a central trusted entity. Therefore, these solutions cannot be applied to p2p systems.
The third section reviews mechanisms that have been presented in the context of p2p systems and could be applied to them. First, a classification for accounting in p2p systems is given. It structures the solution space according to the type of information collection, the information storage location, and, for systems that use an issuing process, the type of issuer. All relevant works are classified and discussed in detail. It was concluded that the most efficient solution for trusted accounting in p2p systems uses local information storage, because this allows a message complexity of O(1) during transactions. However, no existing trustworthy solution applying this design decision was found. Karma (VCS03) is closest to the goal of this dissertation. However, it relies completely on the availability of bank sets and the correctness of the information the bank sets store. No analysis is presented that determines the bank set size required to guarantee availability and trustworthiness of information.
The final section reviews the related work in the field of security mechanisms that can be applied in decentralised autonomous systems. Threshold cryptography is an especially well-suited mechanism that allows delegating the signing of a document with a private key to a group of peers. Each peer possesses a share of the private key, and no peer knows the complete key. Using proactive secret sharing, the secrecy of the shared key can be maintained over time. However, the intensive study of threshold cryptography mechanisms revealed that most schemes cannot be applied to p2p systems due to various limitations. With additive sharing, all key shares have to be created when the key is created, and no additional key shares can be created afterwards. With Shamir’s secret sharing this limitation does not exist; however, most solutions cannot be applied in large systems. Finally, two threshold schemes could be identified that fulfil these requirements. Threshold BLS, presented in (Bol03), is a short signature scheme, but it has high computational requirements. It is not yet suited for application in systems with low computational capabilities. Therefore, the URSA threshold scheme (LKZ+04) was selected as a second choice. However, it has a security weakness and requires the generation of new shares after 160 update phases. Furthermore, it does not yet support verifiable secret sharing.
After giving the relevant definitions in the context of this dissertation, reviewing the related work, and laying the technical foundations for establishing a distributed basis of trust in p2p systems using threshold cryptography, all of the basics for designing a fully decentralised and trusted accounting mechanism with intrinsic cooperation control for p2p systems are worked out. The following chapter presents the framework, system architecture, and basic protocols of such a system, the novel token-based accounting scheme.
3 Token-Based Accounting Principles and Architecture
This dissertation presents the token-based accounting scheme that enables accounting with intrinsic cooperation control in autonomous distributed systems. The requirements for accounting and cooperation control have been stated in Chapter 1. In this chapter the basic framework and system architecture of the token-based accounting scheme are derived from the identified requirements. All fundamental design decisions are explained. The result is a framework that allows efficient collection of accounting information and effective control of cooperation using the accounting information. The token-based accounting scheme consists of four closely interlinked building blocks. Removing one block would compromise the provided functionalities or characteristics of the other blocks.
After the framework is derived, the token-based accounting scheme’s architecture is described by elaborating each of the four building blocks: token structure, transaction protocols, token aggregation, and detection of double spending. Token aggregation implements fully decentralised token creation and administration. Tokens are used to control cooperation; therefore an efficient decentralised control of double spending is provided by the system. Finally, a trustworthy transaction is offered to peers, which removes the incentive to defraud the partner in a transaction.
3.1 Assumption
For designing the token-based accounting scheme, the following assumptions have been taken into consideration:
User Identification
The token-based accounting scheme requires that actions can be clearly attributed to users. For the accounting system presented here, it is assumed that each user can clearly be authenticated using its private/public key pair.
Certification Authority
In order to authenticate a user with its key pair, functionalities like those offered by a public-key infrastructure (PKI) must be available in the system. This will clearly attribute a key pair to a user. There is no restriction requiring all users to use the same PKI; each peer can use the PKI of its choice. The architecture of the PKI is beyond the scope of the dissertation, as it does not further affect the accounting system’s design.
Peer Identification
The token-based accounting scheme assumes that users can clearly be identified through a permanent identification (ID) in the overlay network. A permanent ID can be obtained as the hash value of a user’s public key, as in (Wal02, JXT04).
Permanent peer identification in combination with user identification issued by a certification authority eliminates potential Sybil attacks (Dou02) or whitewashing attacks in the p2p system.
Reputation Mechanism
The token-based accounting scheme does not rely on a central trusted entity. Therefore, in order to detect dishonest behaviour, all system participants must observe other peers’ behaviour. That is, if peers interacting with other peers detect dishonest behaviour, there must be a mechanism to report and to punish such behaviour.
It is assumed that there exists a decentralised reputation system, where peers can report dishonest, fraudulent behaviour, which cannot be detected and prevented by other technical means. It is assumed that each peer has a reputation value that reflects the honesty of its past actions in the system.
Several possible solutions for such a decentralised reputation mechanism have been proposed. See, e.g., (YS00, KSGM03, XL04, DA06). The design of the applied decentralised reputation mechanism is beyond the scope of this dissertation.
These assumptions do not restrict the design of the accounting system. Rather, they form the basis on which the accounting system is built and are required in order to focus the research clearly on the design and the evaluation of an accounting system for autonomous distributed systems.