Secure Peer-to-Peer Overlay Networks


Peer-to-peer systems have recently become extremely popular for a variety of reasons. For example, the fact that peer-to-peer systems do not need a central server means that individuals can cooperate without fees or an investment in additional high-performance hardware. Also, peer-to-peer systems allow to make use of the tremendous amount of resources (such as computation and storage) that otherwise sit idle on individual computers when they are not in use. Furthermore, the decentralized and distributed nature of peer-to-peer systems makes them robust against faults.

Many peer-to-peer systems (e.g., CAN, Chord, Pastry, Tapestry, I3, etc.) have recently been suggested. Unfortunately, the architecture of many of these systems assumes that the nodes involved can be trusted. While this may be possible to achieve with the help of a central certification authority, in many situations it is not desirable to constrain the membership of a peer-to-peer system. Consequently, it must be able to withstand a variety of security attacks, including malicious behavior by a relatively large fraction of its members. Surprisingly, essentially all of the existing systems do not qualify even for the lowest level of security, that we call unlucky-input security. There is no need to do anything malicious to execute a major denial of service. Even if all processors follow the protocol to the letter, it is possible for the system to run into a situation with extremely poor connectivity (and therefore performance) or a memory overflow at some sites. Furthermore, if users leave the network at inopportune times, they may permanently remove data or disconnect some sites. Although these bad luck events may rarely happen, an adversary can significantly reduce the time required for such events without doing anything illegal such as altering the protocol or sniffing at communication between other peers. These anomalies are just an exploitation of "minor theoretical glitches" in the consistent hashing approach, and they can serve as a platform for major DOS attacks.

We consequently pursue a different approach, with the following new ideas:

Faculty members:

PhD students:



Christian Scheideler
Last modified: Tue May 20 2003