Peer-to-peer Frameworks

The last type of frameworks covered are ones based on decentralised P2P techniques [46, 126]. They can be built based on two approaches. First, there are unstructured networks, where no index information is maintained, messages with search information (such as, TTL, message identifier or list of already contacted peers) flood the network. Their performance is roughly [45]: search latency; storage and update costs low; good resilience to failures; and high messages bandwidth. Secondly, there are structured networks, where index information is distributed and maintained among the peers according to different solutions (for example, based on a distributed hash table or a binary search tree). Their performance is roughly [45]: a logarithmic search but higher storage and update costs (for example, due to routing tables or replication). From a privacy point of view, the second approach is likely to imply that trust evidence of a user would be maintained by other users, who cannot be chosen by the user. When the network consists of a social network (as in the frameworks of the previous section), a variant of the first approach can be used. Thanks to the assumed small-world properties of the social network, the search may be optimised by directing the search according to properties of the target of the search and properties of the direct peers [77]. For example, if an email about movies has been sent by a previously unknown sender, the search for information about the sender would start with the contacts that are known to have an interest in movies. In this section, three peer-to-peer frameworks with adjunct computational trust are reviewed.

According to Ziegler and Lausen’s trust metric classification [194] (explained above), the trust metric used in the Eigentrust [96] framework is a global distributed group metric. The trust values based on the number of positive and negative outcomes are normalised according to the following formula (trust value c of virtual identity i in virtual identity j):

( )

( )

, sij =NumberOfPositiveObservations−NumberOfNegativeObservations

They depend on one (or several) structured P2P networks for the trust value computation. They use the global trust value to increase the quality of P2P file sharing systems (based on an unstructured P2P network). They evaluate their work on a simulated network constructed according to power law and have a threat analysis, where different strategies are used by a number of malicious peers.

Damiani et al. [41, 42] (the Damiani framework) add a computational trust metric on top of a P2P unstructured network. The searching follows Gnutella’s flooding technique [60], which consists of sending an identified search request message to a number of direct contacts with a TTL. Their first application domain is file sharing. The trust metric is used to choose the most trustworthy peer among the peers who claim to have the sought-after file. In order to minimise the risk of Sybil attack, recommendations coming from a clique of IP addresses are discarded. Similarly, a number of recommenders are re-contacted to check that they really meant the recommendation and it is supposed to increase the cost of running faked virtual identities by the same real-world identity. It is also an example of weak authentication (detailed in Section 4.2.3) and related to the schemes developed in this thesis. They evaluate their work by a discussion on the communication overhead (as we do) introduced by the collaboration for computational trust on top of the file sharing system (since “usually, the limiting resource in P2P networks is network bandwidth rather storage” [41]). The second application [42] reuses their Gnutella-based computational trust to fight spam in email settings. In order to protect the privacy of the users of a mail server, only the mail servers are considered to be peer in the unstructured network. The mail server aggregates direct observations of its email users about spam emails. Since it is common that spam emails are slightly modified, a fuzzy hash mechanism is used to give the same hash for slightly different spam emails. The peers send updated collection of hashes of spam emails, without reference to the involved email users, to another type of peers, called super-peers. The super-peers maintain a distributed collection of spam hashes and peers can query information about

unknown emails. The result of the query is a number of recommendations that are used to compute the final trust value based on the recommenders trustworthiness and a trust metric, whose choice is left to the future users.

Sierra is the implementation of the OpenPrivacy computational trust management framework [26, 133]. Sierra is composed of: the “Nym Manager”, which creates, manages and authenticates the pseudonymous certificates; the “Reputation”, which is signed by the current local virtual identity and used as recommendation or observation; the “Reputation Calculation Engine (RCE)”, which implements the trust metric, computes and maintains Reputations; the “Query” package to query and index data; the “Communication” interface for transparent communication with peers (the type of P2P network can be plugged with this interface); and the “Storage Manager”. Any trust metric could be used as long as there is an RCE implementation of the trust metric. Noticeably, there is no risk component in their framework. The “Nym Manager” has many interesting features although it is limited to public keys for authentication. According to the trust context, different virtual identities can be used. It is possible that a parent virtual identity generates different child virtual identities [108]. It is not clear how they would implement the automatic selection of the appropriate virtual identity according to the current context. Generally, the specifics of their framework are left undefined. They underline that long-lived virtual identities are preferable in order to be granted interactions requiring a great trust value. In this thesis, we introduce how to combine trust values of different virtual identities once a link has been proven between them. The final contribution of their framework is in the use of certificates of recommendations, called “gifts” [26], carried by the trustee. It is useful in scenarios where the recommender might become unreachable. It is supposed to work in a fully decentralised manner (but this will depend on the communication type chosen and the trust metrics).