4.3 Detection of Misbehavior at the Routing Layer (DTR1)
4.3.2 Proposed System
This section introduces protocols that promise to satisfy the NA property. The main idea is to rely on a trusted party to issue certificates to peers during churn events, and the certificates are linked to the latest counter values at the peers’ TPMs in order to guarantee their freshness. The formal proof that the system does indeed satisfy the NA (and consequently RA) property is left until Chapter 6.
4.3.2.1 Assumptions.
First, peers are equipped with running TPMs. Furthermore, counter cid at each TPM is used exclusively for the P2P application. This assumption could be used to establish a simple ID scheme for peers in which the public part of the AIK is assigned as the peer ID. This scheme is simpler than the one proposed by Balfe et al. [9], but it still guarantees uniqueness even though multiple AIKs can be generated for the TPM. This is because cid is unique per TPM: if multiple IDs are used, updating cid using one ID will invalidate the states of the others.
Second, for the churn model, it is assumed that peers leave the network gracefully, meaning that they notify their neighbors (and other relevant entities) before exiting.
4.3.2.2 Certificate Authority.
There exists a certificate authority (CA) that is trusted to issue neighbor certificates as peers join and leave the network. The CA does not need to run on trusted hardware. It is a single point of trust, but as discussed later, is unlikely to be a performance bottleneck.
The CA has an asymmetric key pair $\langle K^{Priv}_{CA}, K^{Pub}_{CA} \rangle$. At the end of a joining process, for example, a new peer pn contacts the CA to get a neighbor certificate, which is of the form:
$$\langle cid, v, p_n, p_l, p_r \rangle_{K^{Priv}_{CA}}$$
where v is the current value of the counter cid of pn’s TPM, and pl, pr are the immediate left and right neighbors of pn at the moment the certificate is issued. They also receive new neighbor certificates from the CA. It is important that the CA knows the correct immediate left and right neighbors of pn in order to issue such certificates. There are several ways for the CA to acquire this knowledge. For simplicity, it is assumed that the CA maintains a list of peers currently in the network. When pn joins, the CA checks that pn is not already in the list, then issues the relevant certificates and adds pn to the list. It performs the opposite when pn leaves the network.
4.3.2.3 Joining/Leaving Protocol.
Protocol 4.3.1 illustrates the protocol between the CA and other nodes when pn joins the network. The CA knows that pl, pr are the immediate left and right neighbors of pn in the current network. First, it asks pn, pl and pr to increment their counters. Upon receiving the signatures on the new counter values, the CA adds pn to its list of existing peers, then issues new certificates for pn, pl and pr containing information about their new neighbors. When a node leaves the network, the protocol is similar, except that the CA only issues certificates for the current neighbors of the leaving node.
4.3.2.4 Routing Protocol.
Suppose that pv searches for the root node of a key k. The normal P2P routing protocol
is executed first, which returns a peer pd. As shown in Figure 4.3.1, before accepting pd
as the destination of k, pv performs the verification protocol with pd, which is depicted in
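  CA → pn: $cid, n_n$
  pn → CA: $\langle inc, cid, c_n, n_n \rangle_{K^{Priv}_{p_n}}$
  CA → pl: $cid, n_l$
  pl → CA: $\langle inc, cid, c_l, n_l \rangle_{K^{Priv}_{p_l}}$
  CA → pr: $cid, n_r$
  pr → CA: $\langle inc, cid, c_r, n_r \rangle_{K^{Priv}_{p_r}}$
  CA → pn: $\langle cid, c_n, p_n, p_l, p_r \rangle_{K^{Priv}_{CA}}$
  CA → pl: $\langle cid, c_l, p_l, -, p_n \rangle_{K^{Priv}_{CA}}$
  CA → pr: $\langle cid, c_r, p_r, p_n, - \rangle_{K^{Priv}_{CA}}$
Protocol 4.3.1: Peer pn joins in between pl and pr in the network. ’-’ indicates that the value of the field is not important.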
  pv → pd: $cid, n_d$
  pd → pv: $\langle read, cid, c_d, n_d \rangle_{K^{Priv}_{p_d}}$
  pd → pv: $\langle cid, c_d, p_d, p_l, - \rangle_{K^{Priv}_{CA}}$
  pv → pl: $cid, n_l$
  pl → pv: $\langle read, cid, c_l, n_l \rangle_{K^{Priv}_{p_l}}$
  pl → pv: $\langle cid, c_l, p_l, -, p_d \rangle_{K^{Priv}_{CA}}$
Protocol 4.3.2: Peer pv verifies if pl is the current left neighbor of peer pd. ’-’ indicates that the value of the field is not important. This protocol essentially implements the pv.neighborVerification(pl, pd) operation.
the certificate of Certpd that contains cpd. pv can be confident that Certpd is the latest
certificate issued by the CA to pd.
Certpd contains information of pd’s left neighbor, namely pl. pv then asks pl for its
latest certificate, namely Certpl. The verification returns true if Certpd and Certpl match,
i.e. in Certpd, pd is the right neighbor of pl and in Certpl, pl is the left neighbor of pd.
Certificates from both pd and pl are required in order to avoid the following scenario. Assume that only the certificate from pd is asked for during verification, i.e. pv.neighborVerification(pl, pd) always returns true regardless of pl. Suppose that pd is the adversary that executed the joining protocol properly and has already left the network (gracefully), but it is still online. The routing protocol returns pd. Since it is still online, pd provides its out-of-date certificate during verification, which is accepted by pv. Consequently, pv.destVerification(k, pd) could return true, violating the RA property that requires the destination node to be a node currently in the network.
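The scenario above can be traced with a small simulation, added here as an illustration and not taken from the original text. It models only the certificate and counter logic: the CA signature and the nonces are omitted, the peers a to d are constructed, the names fresh_cert and single_cert_check are hypothetical, and it assumes the departed peer's counter is not changed after it leaves.

```python
from collections import namedtuple

# Models <cid, v, p, left, right>; the CA signature and nonces are omitted here.
Cert = namedtuple("Cert", "v peer left right")

class Peer:
    def __init__(self, name):
        self.name, self.counter, self.cert = name, 0, None  # counter models TPM counter cid

class CA:
    def __init__(self):
        self.ring = []               # peers currently in the network, in ring order
    def _neighbors(self, peer):
        i = self.ring.index(peer)
        return self.ring[i - 1], self.ring[(i + 1) % len(self.ring)]
    def _issue(self, peer):          # increment the counter, then bind the certificate to it
        peer.counter += 1
        left, right = self._neighbors(peer)
        peer.cert = Cert(peer.counter, peer.name, left.name, right.name)
    def join(self, peer, pos):
        if peer in self.ring:
            raise ValueError("peer already in the network")
        self.ring.insert(pos, peer)
        for p in {peer, *self._neighbors(peer)}:
            self._issue(p)
    def leave(self, peer):
        remaining = set(self._neighbors(peer)) - {peer}
        self.ring.remove(peer)
        for p in remaining:          # only the remaining neighbors get new certificates
            self._issue(p)

def fresh_cert(peer):                # a certificate counts only if v equals the current counter
    c = peer.cert
    return c if c and c.v == peer.counter and c.peer == peer.name else None

def single_cert_check(pd):           # weak variant from the scenario: only pd is asked
    return fresh_cert(pd) is not None

def neighbor_verification(pl, pd):   # both certificates must be fresh and must match
    cd, cl = fresh_cert(pd), fresh_cert(pl)
    return bool(cd and cl and cd.left == pl.name and cl.right == pd.name)

def demo():
    ca, (a, b, c, d) = CA(), [Peer(n) for n in "abcd"]   # constructed peers
    for i, p in enumerate((a, b, c)):
        ca.join(p, i)
    ca.join(d, 2)                    # d joins between b and c
    before = neighbor_verification(b, d)
    ca.leave(d)                      # d leaves gracefully but stays online with its old certificate
    return before, single_cert_check(d), neighbor_verification(b, d)
```

After d leaves, its old certificate still passes the single-certificate check, but the two-certificate check fails because b's new certificate names c as its right neighbor.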