practical cryptography for a peer-to-peer web browsing system project present… · difﬁe-hellman...

Introduction Cryptography in P2P Systems A P2P Web Browsing System Comparison of Implementations in C Summary

Practical Cryptography for a Peer-to-PeerWeb Browsing System

A. Pokluda

Cheriton School of Computer ScienceUniversity of Waterloo

CS758 Cryptography and Network Security Project


Outline

1 Introduction

2 Cryptography in P2P SystemsCryptography in Real-World Peer-to-Peer SystemsMessage Stream Encryption

3 A P2P Web Browsing SystemIdentify Security RequirementsSatisfy Security Requirements

A Brief Introduction to Elliptic Curve Cryptography

4 Comparison of Implementations in C


Overview of Project Objectives

1 Perform a brief survey of the protocols and schemes usedin real-world peer-to-peer systems

2 1 Identify the general security related requirements for a newpeer-to-peer web browsing system and identify thecryptographic protocols that meet those securityrequirements.

2 Identify one or two schemes to solve each problem thatmeet the security requirements. These may be the sameschemes that are used in current peer-to-peer systems orare new schemes obtained from the literature.

3 Compare production-level implementations in C andevaluate them on a number of criteria: level of security;CPU time and memory requirements; and performanceover limited bandwidth network connection.


Cryptography in Real-World Peer-to-Peer Systems

Skype

Key Agreement RSA with 1536- to 2048-bit key lengthsBlock Cipher 256-bit AESPublic-Key Infrastructure The Skype “login server” performs

the role of TA and certifies user public keys

Skype is proprietary, closed-source software and all networktraffic is encrypted. There have been some efforts to documentthe Skype peer-to-peer architecture, but not much is knownabout the inner-workings of Skype software.


Cryptography in Real-World Peer-to-Peer Systems

BitTorrent

Most current BitTorrent clients use a custom encryption schemeknown as “Message Stream Encryption” (MSE)Key Agreement Diffie-Hellman with 768-bit key lengthsBlock Cipher RC4Public-Key Infrastructure None; New public keys are generated

for each sessionHash Functions Content is located using .torrent metainfo

files containing an index of data chucks needed toreconstruct a file or set of files and their SHA-1hash values; A metainfo file itself is identified bythe SHA-1 hash of the index (known as an infohash)


Message Stream Encryption

Context

Diffie-Hellman Parametersp is a published, 768-bit safe prime, 0xFF...63Generator G is 2rA and rB are random ints between 128- and 180-bits longPublic key of A is YA = GrA mod pPublic key of B is YB = GrB mod pThe shared secret is S = Y rB

A mod p = Y rAB mod p

Constants/VariablesPadA and PadB are random data with length 0-512 bytesTinfo hash is the info hash of the torrentVC is a verification constant defined to be 8 bytes set to 0


Message Stream Encryption

Operation

Alice BobYA = GrA mod p

YB = GrB mod p

S = Y rAB mod p

KA = H(‘keyA’,S,Tinfo hash)KB = H(‘keyB’,S,Tinfo hash)

S = Y rBA mod p

KA = H(‘keyA’,S,Tinfo hash)KB = H(‘keyB’,S,Tinfo hash)

YA,PadA

YB,PadB

H(‘req1’,S),H(‘req2’,Tinfo hash)⊕ H(‘req3’,S),eKA(VC)

eKB(VC)


Basic Architecture

At the outer levelusers will use their webbrowsers tocommunicate with thepeer-to-peer Websoftware

At the inner levelinstances of thepeer-to-peer Websoftware willcommunicate with eachother using apeer-to-peer networkoverlay

S

SS

S

S S

c

c

c

c

cc

c

c c


Identify Security Requirements

New Challenges

We are designing a new system from scratchWe can learn from existing systems, such as BitTorrentHowever, there are several fundamental differencesbetween a web browsing system and BitTorrent from asecurity perspective:

BitTorrent provides no way to verify the identity of thesource of a contentBitTorrent provides no way to update content once it hasbeen released


Identify Security Requirements

What Protocols Are Needed?

Like BitTorrent,We can secure peer to peer communications fromeavesdropping by using a key agreement scheme andblock cipherWe can locate content using a hash function

Unlike BitTorrent,We can bind the identity of an author to content using asignature schemeWe need a public key infrastructure to support theverification of signatures

Side NoteIn a distributed system such as this, a Web of Trust ispreferable to a TA.


Satisfy Security Requirements

Schemes Implementing the Protocols

Key Agreement Diffie-HellmanBlock Cipher AESHash Function SHA-256, MD6Signature Scheme ElGamal, DSAPublic Key Infrastructure custom based on DHT

The Diffie-Hellman, ElGamal, and DSA schemes can beimplemented in a Finite Multiplicative Group or on an EllipticCurve over a Finite Field.




DefinitionAn Elliptic Curve is the set E ofsolutions (x , y) ∈ R2 to theequation y2 = x3 + ax + btogether with a special pointcalled the point at infinity.

An Elliptic Curve Over R2




Point ArithmeticWe define a binary operation over E which makes E into anabelian group, denoted by +. The point at infinity O is theidentity element, thus O+ P = P + O = P for all P ∈ E .

If x1 6= x2 then P + Q = (x1, y1) + (x2, y2) = (x3, y3), where

x3 = λ2 − x1 − x2

y3 = λ(x1 − x3)− y1

λ =y2 − y1

x2 − x1



Elliptic Curve vs Finite Multiplicative Group

The primary benefit of elliptic curve cryptography is smallerkey size for level of security comparable to an RSA-basedsystem with large modulus and large key size. Forexample, a 256-bit ECC public key should providecomparable security to a 3072-bit RSA public key.The reduced key size also results in reduced storage,transmission and computational requirements. Thesefeatures will likely be beneficial to our Peer-to-Peer WebBrowsing System.


Work in Progress

I am currently evaluating implementations in the Cprogramming language of the schemes mentioned previously.

Criteria: level of security; computation, storage andtransmission requirements

Implementation Sources:Diffie-Hellman, ElGamal, DSA: I am coding these myself inFMG and ECAES: OpenSSL’s implementation that uses hardwareaccelerationSHA-256: Crypto++ library; MD6: Rivest et al. havepublished C source for a reference implementation


Summary

We briefly looked at the protocols and schemes used byreal-world peer-to-peer systemsWe identified the general security requirements for a newpeer-to-peer system and the cryptographic protocols thatmeet those security requirementsWe identified several schemes to implement the protocolsProduction-level implementation of the schemes in C arebeing evaluated on a number of criteria

Appendix

Discussion Questions

1 What other considerations may have influenced the designof the BitTorrent encryption scheme?

2 Are there other schemes that would be more suitable for apeer-to-peer system?

practical cryptography for a peer-to-peer web browsing system project present… · difﬁe-hellman...

Documents