Byzantine Fault Tolerant Authentication

Vivek Pathak, Department of Computer Science, Rutgers University, Piscataway, NJ 08854
Liviu Iftode, Department of Computer Science, University of Maryland, College Park, MD 20742
vpathak@cs.rutgers.edu, iftode@cs.umd.edu

Abstract

A Byzantine fault tolerant public key infrastructure is presented. It aims to fulfill the authentication requirements of large distributed systems consisting of semi-trusted parties. The distributed trust model does not demand the existence of predefined trusted parties and provides authentication if more than a threshold of the participants are honest. A voting based protocol implements distributed trust and supports dynamic membership without fail-safe multicast or synchrony. This paper describes the system design and discusses its applicability to mobile networks and peer-to-peer systems on the Internet. It also demonstrates the Byzantine fault tolerance of distributed authentication.

1 Introduction

As the usage of the Internet is evolving from web browsing to electronic business transactions, the need for securing networked systems and data is becoming increasingly important. Privacy of data and authenticity of its sources are the primary concerns. Although the cryptographic tools capable of providing privacy and authenticity have existed for a while [17, 7, 20], their successful application to securing networked systems has lagged behind, as evidenced by the continuing incidence of network security failures [6]. Although a large number of security failures may be attributed to avoidable causes like poor implementation, a significant number are the consequence of limitations and weaknesses of the underlying security models. Among the limitations of prevalent security models is the problem of determining authentic public keys: given a principal and its public key, how to determine (with very high probability) that the corresponding private key is not known to any other party? Authentication of keys is commonly done by a trusted third party that issues digitally signed public key certificates and thus takes on the role of a certificate authority. A compromise of certificate authorities allows the creation of fake certificates that could endanger the privacy of trusters. In this manner, the dependence on a certificate authority limits the safety of secured networks and makes the trusted third party a single point of failure. Another problem with public key infrastructures is the efficiency of certificate revocation. This functionality is required to prevent misuse of a compromised private key [16, 9]. The off-line advantage of certificate authorities is reduced by the overhead of maintaining fresh revocation information.

As an alternative model addressing these limitations, we propose a mechanism for distributed authentication that does not demand absolute trust in any party. It involves a distributed system of mutually authenticating semi-trusted parties and works correctly if there is an honest majority. The protocols allow addition and deletion of parties while maintaining the honest majority with very high probability. The protocols tolerate Byzantine faults and optimally provide authentication if less than a threshold of the participants are malicious or faulty.

The autonomous nature of our peer-to-peer authentication protocols allows mutual authentication of participants that do not share a common trusted party. This property enables secure communication in highly heterogeneous groups and allows the light-weight creation of short-lived trust bindings between peers that communicate infrequently. As a consequence, distributed authentication is well suited for the requirements of mobile networks and other peer-to-peer applications. The area of mobile network security is becoming a focal point of active research. Current approaches to authentication in mobile and sensor networks have focused more on bandwidth limitation and energy conservation than on the implications of trust models [19, 23]. We take a different approach and begin with a trust model suitable for authentication in mobile networks. The resulting system is then optimized to make it practicable in the mobile setting.

Alternative approaches to provide fault tolerant authentication are known. There is a class of protocols relying on threshold cryptography that uses key shares with the following property: without a quorum of participants, it is impossible to create a digitally signed public key certificate [10]. As a consequence, unless the number of malicious parties is as large as the quorum, a false authentication is impossible. Threshold cryptography demands the existence of a dealer that initializes the system of parties with key shares. In this way, it unconditionally depends on the honesty of the dealer. On the contrary, distributed authentication does not require trusted cryptographic initialization and provides for a safe and efficient recovery after the compromise of public keys (unless the number of dishonest parties exceeds the given threshold). Threshold cryptography has been used in COCA, a fault tolerant public key authentication service [24], and as the basis of a number of other secure services [2, 21, 23]. Proactive recovery is possible through a dynamic version of threshold cryptography. To compromise such a system, the adversary is required to compromise the quorum in less than a given timeout interval or lose any previous progress due to a re-randomization of key shares [3]. Although better than static key shares, the scheme cannot recover from the compromise of a quorum because the same long term shared secret is recycled among the trusted parties. In contrast, distributed authentication is proactively secure in the stronger sense that it holds no long term secrets.

The remainder of this paper is organized as follows: Section 2 presents the system model, which includes the trust model and its impact on system security. It outlines authentication as well as trusted group management. Section 3 specifies the protocols implementing distributed authentication and managing group membership. An informal discussion of the protocols is given to clarify their operation and security. The formal analysis of these protocols is done in Section 4. It is shown that distributed authentication provides Byzantine fault tolerant authentication if more than a threshold of the participants are honest.

2 Model

A distributed system of mutually semi-trusting parties is considered. The parties are interconnected by an asynchronous network and are identified by their network identifiers. The network does not guarantee message ordering or delivery. It is further assumed that no part of the network becomes permanently disconnected. Assuming retransmissions, every message is delivered eventually. Each party has a self-generated public-private key pair. The parties are interested in secure communication, which requires the knowledge of authentic public keys of the peers. Authentication of public keys is effected through a voting based distributed authentication protocol. The system consists of honest and dishonest parties. An honest party protects the privacy of its private keys and executes the distributed authentication protocols correctly. Informally, it always tells the truth about its identity and public key. The remaining parties may behave in an arbitrary fashion, either as a result of being under the control of malicious adversaries or because of system errors. The network is accessible to active and passive adversaries who cannot invert cryptographic transformations, i.e. digital signatures are unforgeable and encryption transformations are non-invertible. As a departure from the classical active adversary model, our active adversaries are allowed to send arbitrary messages but cannot indefinitely delay the messages of honest parties. The weakened adversary model is appropriate in wireless networks because of the physical difficulties in silencing radio transmissions. In Internet applications, the weakened adversary model is justified by assuming that the Internet backbone is secure in the following way: once a packet enters the backbone, it is impossible to prevent delivery under retransmissions except by corrupting either the sender or the receiver. This assumption is realistic in the contemporary Internet because secretly disrupting the backbone is an expensive and difficult proposition. This difficulty is partly due to the large heterogeneous traffic volume and partly due to its protection as secure infrastructure by a number of independent service providers. In practice, a disrupted backbone would soon become common knowledge and initiate recovery.

2.1 Voting based authentication

Public keys are authenticated by a voting based protocol which involves a set of semi-trusted peers. The system allows expirable public keys that are authenticated by a coordinated challenge-response protocol depicted graphically in Figure 1. On receipt of an unauthenticated public key, the key ownership claim is challenged by the peers. The response results in a majority vote on the authenticity of the key. Because of the honest majority, the vote results in key authentication or detection of a malicious claim. Distributed authentication has the side effect of detecting malicious activity. This property is of fundamental importance for supporting dynamic groups. Malicious participants can be tagged as dishonest and expelled from trusted groups. Monitoring the actions of participants allows the expansion of trusted groups to securely accommodate newcomers without any human intervention. Distributed authentication has a significant messaging cost as it requires vote responses from a number of peers. This motivates optimization of the common case when all the trusted parties are indeed honest. A policy dependent optimistic authentication would hide the vote latency by proceeding before a public key is authenticated. The voters on their part could hand in the votes in a lazy manner. The public keys and their authentication proofs are propagated efficiently by an epidemic algorithm.

Figure 1: Authentication of A on request of B. (Steps shown in the figure: public key of A expired; message encrypted with expired public key; cannot decrypt; send fresh public key; peers initiate vote of authenticity; continue optimistically; co-ordinated challenge response with A; cast vote on authenticity; collect vote result.)

2.2 Membership control

The system is organized into groups of mutually trusting parties. By design, the potentially overlapping trusted groups cover the set of honest parties, i.e. each live honest participant belongs to one or more trusted groups. The groups allow on-line addition and deletion of parties through a membership control protocol. New parties may request admission into a group and will be admitted if their public keys are successfully authenticated. Admission of malicious parties is acceptable because each party knows the voting pattern of other parties as a result of distributed authentication. This information is used by the membership control protocol to ensure expulsion of malicious parties from an honest majority group. Groups are formed by executions of the membership control protocol as necessitated by the secure communication needs of the parties. The frequently communicating parties will share a trusted group in the common case. The system consists of honest and dishonest parties. The number of dishonest parties is assumed to be bounded in terms of the total number of parties in the system. A group of parties is called an honest majority group if no more than the tolerated number of its members are dishonest. In the common operating case there are groups with and without honest majority. Because the honest parties periodically exit their trusted groups, a large proportion of trusted groups have an honest majority. Thus there are few honest parties in dishonest groups, and the system provides an eventual guarantee on the correctness of authenticated keys. The resilience to dishonest parties is asymptotically optimal. The reliability of authentication increases rapidly with an increasing rate of migration, larger group size, and the separation of the number of dishonest parties from its bound. The sets of mutually authenticating parties form trusted groups. Corresponding to each trusted group is a probationary group and an untrusted group, as shown in Figure 2. The probationary group contains the parties that have requested, but have not been granted, admission into the trusted group. Public keys of probationary members are in the process of being authenticated. The set of untrusted parties consists of the parties that are known to be malicious. The untrusted set keeps growing because distributed authentication detects malicious voting and membership control expels the malicious members. In order to prevent indefinite growth, the members forget malicious actions of the distant past.

Figure 2: Group structure. (Sets shown in the figure: trusted members, probationary members, untrusted members, honest members; transitions: admission request, admission, deletion.)

The set of trusted parties must agree on the composition of the trusted group for correct execution of the distributed authentication protocol. Agreement in asynchronous systems is known to be impossible [8]. Practical systems overcome the impossibility by using randomness [24, 2, 21] or failure detection [4, 11, 14]. Distributed authentication uses the latter approach and simulates synchrony by moving the (non-failed) live participants through a sequence of view changes. The motivation for making this choice is as follows: in most operating conditions, the network would be fast and failures would be rare. Thus the view based algorithm, performing better with fewer failures, would outperform randomized agreement that depends only on the random choices. The design based on virtual synchrony is particularly suited for small trusted groups of up to a few hundred members. Small groups are expected to be the common operating case as a result of locality of communication end-points and the continual migration from trusted groups. A suitable migration rate would prevent the creation of very large trusted groups that may impair authentication performance due to excessive network traffic.

3 Architecture

This section describes the system architecture and the protocols. The participants implement the authentication protocol and the membership control protocol. A bootstrapping procedure is implemented for system initialization. The authentication protocol propagates authenticated public keys in the system; membership control maintains the honest majority of a trusted group and allows mutually untrusting honest participants to join a common trusted group to authenticate each other's public keys.

Table 1: Notation. (The symbol column did not survive extraction; the descriptions are listed in order.)
- Public key of the principal.
- Private key of the principal. This is known only to the principal if it is honest.
- A string encrypted with the public key of a principal.
- A message containing three strings.
- A message signed by a principal.
- The universal set of all parties.
- A trusted group of a party.
- A probationary group of a party.
- A pseudo-random number generated by a party.

3.1 Bootstrapping

The bootstrapping procedure is provided to cold-start the system. This is in contrast with the situation when the trusted groups already exist and a party joins some of them to get authenticated public keys of peers. Bootstrapping is required when there are no pre-existing trusted groups. It initializes the distributed authentication system by creating a common trusted group consisting of the bootstrapped parties. This phase is necessary to overcome the limitation that a system with less than three trusted parties cannot safely introduce a new (potentially malicious) member.1 The following scenario illustrates the limitations: an honest party initializes a trusted set and executes the membership control protocol. A malicious party requests admission with an authentic public key. When the honest party grants it admission and expands the trusted set, the malicious party can act maliciously and threaten the security of the trusted group because the honest parties are no longer in the majority. In particular, the membership control protocol requires that in a group of parties, no more than the tolerated number of parties be dishonest. Therefore, the initial trusted set should have at least 5 members to safely recover from the entry of a malicious party. The following bootstrapping actions are done by each principal 6 in the initial trusted set:

1. 6 initializes a set of trusted peers with at least 5 members.

2. 6 stores an unauthenticated public key for each peer in its trusted set. The public keys are in a semi-trusted unauthenticated state; it is required that less than the tolerated number of participants are malicious or faulty.

1 Also, with two participants, the authentication becomes vulnerable to a man-in-the-middle attack. Hence the bootstrapped trusted set must have at least three members.

3.2 Authentication protocol

The distributed authentication protocol operates on a set of parties and authenticates their public keys. The steps in the protocol are described as follows. The protocol is initiated by party 6 in the trusted set, on detection of an unauthenticated public key. The integer index in the message listing covers the electorate of trusted parties, i.e. the trusted peers of 6.

All protocol messages are assumed to have source and destination identifiers and are digitally signed by any feasible digital signature mechanism [20, 15]. It is also assumed that honest recipients ignore messages with an invalid signature or incorrect source or destination identifiers. Messages contain random nonces and timestamps that are guaranteed to increase. The participants maintain a most-recent-received timestamp vector and ignore stale messages from any participant. This guards against replay attacks.

(The message listing of the authentication protocol, including the AUTH message, did not survive extraction.)

At the beginning, the claimant sends 6 its fresh public key and establishes its ownership of the last authenticated public key known to 6 by encrypting the new public key with the older private key. Only the claimant can produce the message because it is the owner of the last key pair known to 6. Thus 6 can conclude that either the new key is the authentic key of the claimant or there is an active adversary in the middle that has inverted the older public key. In response to the declaration of the new public key, 6 accepts the key in a tentative state and asks the peers to verify it. This step is optimistic in the sense that communications may continue even though the key is not yet authenticated. Each peer challenges the claimant by sending a random number encrypted with the claimant's supposed public key. The claimant can decrypt the message to recover the random number only if it holds the corresponding private key. It can be observed that this step is insecure in a two-party situation. However, under the assumptions of distributed trust, a majority of peers will indeed contact the claimant and not an adversary in the middle posing as the claimant. The claimant will respond to the peer's challenge by returning the random number. The peer will check the response and cast its vote supporting or rejecting the authenticity of the public key.2 At the end of this protocol, 6 gets a set of votes from its peers. If the group has an honest majority, i.e. the number of dishonest parties is at most the tolerated bound, then 6 correctly decides the authenticity of the key by waiting for a sufficient number of identical votes.

2 Because the knowledge of vote results allows deduction of the trusted set, the vote results are encrypted to protect the identity of the trusted group from passive adversaries. The encryption of vote results does not modify the outcome of the protocol.

3.3 Membership control protocol

The membership control protocol allows admission of new members into trusted groups. Admission can be divided into two phases. First, an untrusted party gets unprivileged probationary access by requesting admission. Admission is granted after authentication of the new party's public key. The membership control protocol requires the deletion of parties that act maliciously by voting against the group majority.3 The deletion policy is a group property and depends on the recent count of wrong and right authentication votes, which are updated as a side effect of voting based authentication. This information is maintained in data structures that count the recent correct and incorrect authentication votes as seen from each trusted peer. Each party also maintains a boolean trust vector to indicate membership of parties in the trusted set.

3 In a group without honest majority, honest parties may be deleted and should react by trying to join other groups, an overwhelming majority of which have an honest majority.

Probationary access

The protocol allows an unknown party 6 to be granted probationary access by requesting any member of the trusted group. If 6 is known to be dishonest (by virtue of its membership in the untrusted set), then the admission request is ignored; else the member includes 6 in its set of peers and sets the trust vector entry of 6 to indicate that 6 is untrusted. It then communicates the addition of the untrusted party 6 to the other parties. The following set of messages defines the protocol to grant probationary access. Here the message index takes all values over the set of trusted parties.

(The message listing for probationary access, including the ADD message, did not survive extraction.)

The relevance of each step is described as follows: the party 6 requests admission by sending its untrusted public key to a member of the trusted set. If 6 is not known to be dishonest, the member forwards the public key to its set of trusted peers in a lazy manner. Each key forwarding message is signed and contains a random nonce encrypted with the public key of the recipient. The peer includes the new entrant in its probationary set and notifies the member by returning the signed nonce, which can be recovered only by the peer. If the member receives valid messages from all the peers, it will conclude that 6 has been included in the probationary set of each of its trusted peers. On the other hand, if it receives invalid messages, it can conclude that the corresponding peer is either corrupt or its public key has been inverted. It would delete the offending peer from its trusted set by the deletion mechanism described under admission and deletion below. If an insufficient number of messages are received, it can assume some of its trusted peers are disconnected or broken, and prune its trusted set as described in the following subsection.

Group consistency

The bootstrapping process statically creates a trusted group of at least three mutually trusting parties. Runtime changes to the trusted group require the group members to agree on the group composition. The group consistency requirement, that each member of the trusted set has an identical view of the trusted, untrusted and probationary sets, is a precondition for correct operation of the authentication protocol discussed earlier. The members also agree on group-wide parameters like membership expiry time, deletion policy and view change timeouts. The impossibility of asynchronous agreement [8] prevents agreement on these parameters. This limitation is overcome by continuously moving the group members through a sequence of views that provide weak synchrony and allow the system to make progress in the presence of failures. The view based scheme assumes that the delay in delivery of a message sent at a given time is sub-exponential in that time. The assumption is reasonable for contemporary networks because failed links and processors are eventually repaired. It has been used for other IP based asynchronous systems [5]. At any instant of time, the group is in a unique view identified by the view number. The view number increments with successive view changes. On instantiation of a new view, there are new agreed sets of trusted parties, untrusted parties and probationary parties. The agreement is aided by a view coordinator. The coordinator is determined as a function of the trusted group size and the current view number. Each view has a view change timeout that is set at the time of view creation. If a previous coordinator had set the view timeout, then the view coordinator sends a signed PREPARE message to all trusted members within a time window after the instantiation of the previous view. This phase of the admission protocol announces the intention of creating a new trusted group by moving the system to the new view. The receipt of the PREPARE message prompts the honest parties to accept the view change if it has an authentic signature and is received within the valid time window. In response to the proposed view change, the honest parties broadcast their respective signed local trust vectors to each member of the group. Each trusted participant waits for a sufficient number of trust vectors. On receiving a sufficient number of messages, it updates the trust vector to contain the parties that have at least the required number of trust recommendations from the peers and have responded to the protocol messages to prove their liveness. The current view is changed and the (live) group moves to a new view with a new agreed trusted set. This group consistency protocol is described below; the integer indices cover the trusted set, the view number corresponds to the current view, and one symbol represents a newly admitted trusted party.

(The message listing of the group consistency protocol, consisting of the PREPARE message, the signed trust vector reply and the ADMIT message, did not survive extraction.)

If the timeout expires before the recommendations are received, the view is abandoned. This is done by the coordinator of the next view initiating the new view with the trusted parties agreed at the current view. The view timeout is doubled. If this view is also abandoned, the process must end within a bounded number of further views because, by assumption, there are no more than the tolerated number of faulty parties. If sufficient recommendations arrive before the timeout expires, the new view is initiated with a linear speedup to allow recovery from transient network delays.

Admission and deletion of parties

View changes cause agreement on the trusted set by a majority of trust votes. The trust votes are cast on the basis of successful authentication of public keys. Parties that have authenticated their public keys to a given trusted member shall get a positive vote from that member. The trusted parties execute the authentication protocol for members of the probationary group in a lazy manner. Thus, each honest probationary party eventually becomes authenticated for each trusted party. Once this stage is reached, the trust recommendations for the probationary party would be in the majority and it would be admitted into the trusted group. All the honest parties eventually agree on the authenticity of other honest parties' public keys. The remaining parties behave arbitrarily. To justify the value of the threshold as necessary and sufficient, it can be observed that agreement on each bit of the trust vector corresponds exactly to a Byzantine generals problem [12]. A general's recommendation to attack corresponds to a true bit in the local trust vector at a party. By assumption, no more than the tolerated number of parties are malicious or faulty, so finding more concurring votes than that number is sufficient to categorize a party as honest. Deletion is caused by lack of liveness or malicious actions of participants. If a participant votes maliciously in the authentication protocol or during view changes, it is marked untrusted and enters the untrusted set. The agreement on the local untrusted sets is achieved during each view change, and its correctness follows by an argument similar to the one for admission.

4 Analysis

This section presents the security analysis of the authentication system. It is shown that distributed authentication of honest parties is correct if the trusted group has a sufficient number of honest parties. Similarly, membership control is shown to delete malicious parties in honest groups. The group dynamics resulting from the effects of membership control and group migration are shown to create honest majority groups with very high probability. The eventual correctness of Byzantine fault tolerant authentication is shown to be asymptotically optimal with respect to the number of malicious parties in the system.

4.1 Authentication protocol

Consider the authentication protocol initiated by a party 6 on receipt of an unauthenticated public key of another party. If that party is malicious, it can either keep sending incorrect key change messages or may respond to the challenges from peers of 6 in a malicious Byzantine way. In the first option, a policy dependent minimum key life would prevent the potential denial of service attack. Key expiry at a greater frequency would tag the party as untrusted and thus exclude it from participating in any communication with 6. The second case of responding maliciously to challenge messages could cause the honest participants to vote against each other. This happens because the malicious party could respond correctly to some challenges and intentionally fail the others. Although this poses a problem to trusted group management, it does not affect authentication. The protocol does not offer authentication to the party because it is dishonest. Similarly, if 6 is malicious, it can only request the authentication of arbitrary public keys. This does not affect the system because, as before, a bound on the number of requests shall be implemented in a real system to prevent a denial of service attack. If 6 requests authentication of incorrect public keys, it fails because the peers cannot authenticate the bogus key. The protocol does not provide service to dishonest participants, hence the conclusion of 6 about the authenticity of the key is irrelevant. If both parties are honest, the following claim holds:

CLAIM 1 In a system of parties of which some are dishonest, if the number of dishonest parties satisfies the assumed bound, then each honest party is authenticated correctly.

a minority and cannot change the decision on admission. Thus the trust vector is correct. If the coordinator is dishonest, it can only delay agreement without changing the agreed values. In this case, the view will be abandoned because of lack of agreement. In the worst t|{ case, a correct view will be effective after a delay of q r { with an   honest party as the coordinator.

PROOF: Consider an honest participant . It either has a previously authenticated public key or not. Thus, there   are two cases for authenticating a new public key of :  CASE 1: If the previous authenticated public key F"GI of has not been inverted, then only has    knowledge of public key to another party F"GI  . When updates its '  "(  !  a%O. F"GI  . By assumption 6 , it sends a message of non inverted public  key, the message can be generated  only if the owner of was the owner of the previous au thenticated public key F"GI . Therefore, if the previous key   was authentic and not inverted, is authentic.  CASE 2: If the previous public key FHGI has been inverted or is unauthenticated (as in the bootstrap or '  ‚(  !  adx%K. GI  mission), the construction of the message " F   does not guarantee authenticity of because the message could be constructed by an adversary claiming to be . in the In the authentication protocol, each '  "peer ! 4 %K.  trusted group of 6 sends a challenge to and  votes affirmatively only if successfully responds to the 4 challenge by recovering , a random number chosen by   . By assumption, at most  ofQ the participants are dishonest. Because 6 waits for ?W concurring votes, at least  one of them is from an honest party. Thus knows  , ƒ i.e. the public key is authentic.

[Figure 3: Dynamics of authenticated communication. Labels in the figure: A, B, Trusted group of A, Trusted group of B, New communication path, Request membership of groups, Authenticated communication path]

4.2 Membership control

The membership control protocol admits participants from the probationary group to the trusted group. It also transfers misbehaving trusted participants to the untrusted group. The correctness of the view changes is assured by requiring honest parties to reject malicious view change messages. The PREPARE message will be accepted only if it meets the following criteria:

- It is signed by an authenticated public key, and the sender is entitled to initiate the current view.

- It is initiated at the correct time, i.e. no earlier than the lower bound and no later than the upper bound of the timeout after the creation time of the preceding view.

The first condition ensures that view changes are initiated only by trusted parties, and among them only by the ones entitled to coordinate the new view. The second condition allows changes in the timeout to adapt to network delays. To argue correctness, if the view coordinator is honest, the malicious parties cannot prevent agreement because there are too few of them. The trusted group is calculated after getting enough recommendations of the trusted parties. In a set of this size, the malicious parties are in

4.3 Group dynamics

The correctness of authentication and membership control depends on the honest majority of trusted groups. As the assumption on the number of faulty parties is system wide, the creation of honest majority groups is critical to the correct functioning of the system. This section discusses policies governing the voluntary entry and exit of honest parties and analyzes their impact on the expected proportion of honest majority groups. This in turn leads to probabilistically correct authentication in dynamic groups.

The admission request policy determines the trusted groups for seeking admission. In the common case, admission requests follow the needs for secure communication, which requires authenticated public keys. If two parties A and B intend to communicate securely, they will check if they already share a trusted group. In this case, the problem is trivially solved because both have already authenticated the other's public key through distributed authentication. On the other hand, if A and B do not share a trusted group, then A will request admission to a trusted group of B and B will request admission to a trusted group of A. As will be shown in the following part of this section, the probability of finding a group with more than the threshold of malicious parties is close to zero. Therefore if both A and B are honest, the admission requests will succeed in the common operating case as shown in Figure 3. In the improbable case that both admission requests fail, A and B will randomly select another party and request admission into a trusted group of that party. The probability of the selected party being dishonest is at most the fraction of dishonest parties, thus in a small number of trials A and B should find an honest party and join its trusted group.

The exit policy determines a suitable exit strategy for honest members so that dishonest members cannot be in the majority for more than a small number of groups. This is determined by the group attrition parameter, denoting the number of parties admitted to or deleted from the group as observed by a trusted member. Consider a global exit value; an honest party will exit the group after observing that many admissions or deletions. This parameter affects the probability of finding dishonest groups on random selection. A lower value corresponds to short lived trust bindings and disallows the creation of dishonest coalitions for durations longer than the attrition parameter.

Consider the system of parties with some dishonest members. Assume that the remaining honest members form trust groups by following the membership control protocols correctly. They also request admission to or exit from groups as per the prescribed policies above. As a simplifying assumption, consider a number of groups of equal size each (see footnote 4). The group membership is at worst the same as random selection, if the malicious parties successfully masquerade as honest. In that case the probability of randomly picking an honest majority group is defined as follows.

This function rapidly approaches one as the group size increases in value. Although it has been difficult to analytically summarize the series given above, a computational simulation has given evidence of its properties. The actual expectation of dishonest majority groups is lower than this binomial probability, because it is based purely on random group selections by honest parties and ignores the fact that untrusted sets preserve information about past malicious activities. This impedes the free assimilation of dishonest parties into trusted sets. A detailed analysis of this issue is planned for the future.

5 Conclusion and future work

Byzantine fault tolerant distributed authentication provides a new approach to tackle the authentication problems of distributed and peer to peer systems. The salient features are the lack of single points of failure and the capability to dynamically select a trusted group based on honest or malicious behavior of the parties. Our approach allows a natural growth of trust without requiring hierarchies of delegating and recommending parties as done in other trust management systems [1, 22]. Our approach is made feasible by adversary assumptions that are weaker than the classical "the network is the adversary" model. In our model, active attacks are limited to the creation of arbitrary messages. Silencing more than the threshold of honest parties is impossible. The advent of wireless communication and the difficulty of suppressing transmissions in an open medium are the prime motivations behind this change of the underlying model. Although weaker than the traditional model in terms of adversary power, it is stronger in terms of fault tolerance. The system we envision is completely proactive and functions without having any long term secrets. This makes it robust in terms of recovery.

The current exposition is incomplete in terms of performance optimization and implementation. These would be the next steps. Although the protocols are written as broadcast protocols, it is possible to implement them efficiently by an epidemic algorithm in a Byzantine environment [13]. This depends on two facts: first, the trust vector received by any intermediate party can be forwarded to another party in the system only if it is authentic; secondly, the assumption that digital signatures are unforgeable prevents construction of such a message by anyone other than the sender. A future version would outline the epidemic algorithm for authenticated key propagation in detail. Another aspect of optimization is the replacement of computationally expensive public key cryptography with an efficient substitute. Symmetric encryption methods have been used to efficiently authenticate messages between mutually trusting parties [18]. A generalization to multi-party trusted groups could be considered. This would allow the use of distributed authentication on energy or computation limited devices, sensors and clients.

The distributed authentication mechanism is intended to be prototyped in a heterogeneous system of mobile devices connected through a wireless network. We intend to explore applications in that setting to evaluate the effectiveness of this design. Another candidate application is the elimination of spam electronic mail messages by having a set of mail clients that authenticate each other by an underlying distributed trust mechanism.

Footnote 4: This is reasonable because performance considerations are the basis of group size limitation. Therefore, the group size limit would be a performance dependent constant.

References

[1] Blaze, M., Ioannidis, J., and Keromytis, A. D. Trust Management and Network Layer Security Protocols. In Cambridge Security Protocols International Workshop (1999), pp. 103–118.

[2] Cachin, C. Distributing trust on the Internet. In International Conference on Dependable Systems and Networks (DSN 2001), Göteborg, Sweden (June 2001), IEEE.

[3] Canetti, R., Gennaro, R., Herzberg, A., and Naor, D. Proactive Security: Long-term protection against break-ins. RSA CryptoBytes 3, 1 (1997), 1–8.

[4] Castro, M., and Liskov, B. Practical Byzantine Fault Tolerance. In OSDI: Symposium on Operating Systems Design and Implementation (1999), USENIX Association, co-sponsored by IEEE TCOS and ACM SIGOPS.

[5] Castro, M., and Liskov, B. Authenticated Byzantine Fault Tolerance Without Public-Key Cryptography. Tech. Rep. MIT/LCS/TM-595, 1999.

[6] Computer Security Institute and Federal Bureau of Investigation. CSI/FBI Computer Crime and Security Survey. Abridged version at http://www.gocsi.com, April 2002.

[7] Diffie, W., and Hellman, M. New Directions in Cryptography. IEEE Trans. Info. Theory 22 (1976), 644–654.

[8] Fischer, M. J., Lynch, N. A., and Paterson, M. S. Impossibility of distributed consensus with one faulty process. Journal of the ACM (JACM) 32, 2 (1985), 374–382.

[9] Fox, B., and LaMacchia, B. Certificate Revocation: Mechanics and Meaning. In FC'98: International Conference on Financial Cryptography, R. Hirschfeld, Ed., vol. 1465 of Lecture Notes in Computer Science. Springer-Verlag, 1998, pp. 158–164.

[10] Goldwasser, S., Micali, S., and Rivest, R. L. A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks. SIAM J. Comput. 17, 2 (1988), 281–308.

[11] Kihlstrom, K. P., Moser, L. E., and Melliar-Smith, P. M. The SecureRing protocols for securing group communication. In 31st Hawaii International Conference on System Sciences (January 1998), IEEE, pp. 317–326.

[12] Lamport, L., Shostak, R., and Pease, M. The Byzantine generals problem. ACM Transactions on Programming Languages and Systems (TOPLAS) 4, 3 (1982), 382–401.

[13] Malkhi, D., Reiter, M. K., Rodeh, O., and Sella, Y. Efficient update diffusion in Byzantine environments. In 20th Symposium on Reliable Distributed Systems (SRDS 2001) (October 2001).

[14] Maniatis, P., Giuli, T., and Baker, M. Building Trusted Distributed Services Across Administrative Domains. Tech. Rep. cs.DC/0106058, June 2001.

[15] Merkle, R. C. A digital signature based on a conventional encryption function. In Advances in Cryptology — Proceedings Crypto '88, Santa Barbara, California, U.S.A., vol. 293 of Lecture Notes in Computer Science. Springer-Verlag, 1988, pp. 369–378.

[16] Naor, M., and Nissim, K. Certificate Revocation and Certificate Update. In Proceedings of the 7th USENIX Security Symposium (San Antonio, Texas) (January 1998).

[17] National Institute of Standards and Technology. Data Encryption Standard. FIPS PUB 46-2, at http://www.itl.nist.gov/div897/pubs/fip462.htm, December 1993.

[18] Perrig, A., Canetti, R., Song, D., and Tygar, D. Efficient and secure source authentication for multicast. In Network and Distributed System Security Symposium (February 2001).

[19] Perrig, A., Szewczyk, R., Wen, V., Culler, D., and Tygar, J. SPINS: Security protocols for sensor networks. In MOBICOM (2001).

[20] Rivest, R., Shamir, A., and Adleman, L. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21, 2 (1978), 120–126.

[21] Reiter, M. K. The Rampart Toolkit for Building High-Integrity Services. In Dagstuhl Seminar on Distributed Systems (1994), pp. 99–110.

[22] Yahalom, R., Klein, B., and Beth, T. Trust relationships in secure systems: a distributed authentication perspective. In Proceedings of the 1993 IEEE Symposium on Research in Security and Privacy (May 1993), pp. 150–164.

[23] Zhou, L., and Haas, Z. Securing Ad Hoc Networks. IEEE Network Magazine 13, 6 (1999).

[24] Zhou, L., Schneider, F. B., and van Renesse, R. COCA: A Secure Distributed On-line Certification Authority. Tech. Rep. 2000-1828, Department of Computer Science, Cornell University, Ithaca, NY, USA, December 2000.