Adam J. P. Wood
2005-10-10 12:40:19 UTC
In the little free time I've had recently I've been thinking about the
security of the OTAS software. The e-mail is a bit long but I hope that makes
it easier to follow step by step.
I think we have 2 different needs within the system.
1) There are the control protocols which nodes can use to communicate with
each other. These protocols handle things such as passing public certificates
around securely, registering a node's functions and the messages it can
handle. Perhaps even so far as allow inter node "chat" (not in an instant
message with emoticons type of way, more like secure communications) and log
file checking. There are more here but I'm not finished thinking about them
by a long way and I'll need everyone else's input on these.
This type of communication is unique between individual peers and not shared,
it also will often be sensitive information. I propose we use an
authenticated and encrypted channel for this. This allows us to securely and
accurately identify nodes joining the group, assign them a unique identifier,
check the certificate and perhaps most importantly, notify a new node of any
certificates we have to revoke from now untrustworthy members.
This communication must be direct node-to-node!
2) Only a few nodes will be communicating as described above, the rest will
happily sit on the network and relay earthquake data. Each node would
therefore have open channels and send signed messages to other interested and
connected nodes.
This type of message passing could be between any nodes. Some nodes might not
even generate or use messages, just passing them along to others. A message
from point A that is of interest to point B might pass through C, D, and E
before reaching an interested node but as long as the message is signed
properly it can still be trusted.
Here's an example using names from the list as reference points:
------------------EXAMPLE-------------------------------
a) Jose runs a node calculating the hypocentre of an earthquake, either by
using raw data or scraping the information from the USGS site.
b) Brian runs a node which takes the hypocentre and calculates the origin of a
tsunami.
c) Ben runs a node which takes the origin of a tsunami and calculates the
impact that will be seen in Indonesia.
d) Adam runs a nod that warns the inhabitants of Aceh if OTAS thinks there
will be a tsunami.
All of these nodes are interconnected (probably with many others too). On
start up only Jose has a certificate that we ALL trust. Jose also trusts
everyone listed above. Each node becomes part of the network and identifies
itself with Jose since we trust him.
Brian uses a secure channel to tell Jose that he would like any hypocentral
data that Jose can supply. Jose acknowledges that he can supply this.
Ben contacts as many peers as possible and asks for tsunami origin info. One
of those contacted will be Jose, since Jose can't supply this he passes back
to Ben the public key certificate for Brian who can fulfil this request. Ben
then repeats with Brian's node and can start receiving tsunami origin data in
the clear. One of the other peers contacted might have tsunami origin info
but until we receive a key from a trusted source or enter it manually we
can't be sure of the accuracy.
Ben's trust of Brian is assumed because Jose is trusted, we need to decide how
much trust can be passed along in such a way.
Brian contacts Ben and delivers a message signed by himself and by Jose. Ben
knows to trust this message since he can confirm where it has come from and
the whole trail back to where it started. If Ben receives another message
signed only by Brian and an unknown node he should either ignore it or try to
contact other peers to confirm authenticity.
When the Internet suffers a technical problem and Ben is unable to "see"
Brian, other nodes in the p2p group will pass the message along by other
channels. Since the message has been signed by Brian and by Jose the actual
node that delivers the message is unimportant. We know the message contents
are still accurate.
Things will get more complicated the more "hops" we are away from our most
trusted node. For example when Adam is told to send a warning by Ben, the
message will be signed by Jose, Brian and Ben. Since Adam has never had
contact with Brian we should get his public key before trusting the message
(at least before we trust it completely). So Adam contacts all his trusted
nodes over a secure channel asking for Brian's key. Not to hard to get and
then we have a full chain of trust back to the source. Obviously these keys
only need to be passed around the first time.
The trust relationships might be quite complex but shouldn't be too hard to
figure out. Using a system like this keeps the need for encrypted messages
down to a minimum and without time constraints, while allowing fast message
passing in the clear and still being able to authenticate those message
despite coming from any number of sources.
----------------------------------END OF EXAMPLE-----------------------------
I've got some ideas on message structure and node architecture too but I'll
wait for a few people to shoot holes in the ideas above first so we can
refine or throw that out before thinking about too many aspects of the
system.
Adam
security of the OTAS software. The e-mail is a bit long but I hope that makes
it easier to follow step by step.
I think we have 2 different needs within the system.
1) There are the control protocols which nodes can use to communicate with
each other. These protocols handle things such as passing public certificates
around securely, registering a node's functions and the messages it can
handle. Perhaps even so far as allow inter node "chat" (not in an instant
message with emoticons type of way, more like secure communications) and log
file checking. There are more here but I'm not finished thinking about them
by a long way and I'll need everyone else's input on these.
This type of communication is unique between individual peers and not shared,
it also will often be sensitive information. I propose we use an
authenticated and encrypted channel for this. This allows us to securely and
accurately identify nodes joining the group, assign them a unique identifier,
check the certificate and perhaps most importantly, notify a new node of any
certificates we have to revoke from now untrustworthy members.
This communication must be direct node-to-node!
2) Only a few nodes will be communicating as described above, the rest will
happily sit on the network and relay earthquake data. Each node would
therefore have open channels and send signed messages to other interested and
connected nodes.
This type of message passing could be between any nodes. Some nodes might not
even generate or use messages, just passing them along to others. A message
from point A that is of interest to point B might pass through C, D, and E
before reaching an interested node but as long as the message is signed
properly it can still be trusted.
Here's an example using names from the list as reference points:
------------------EXAMPLE-------------------------------
a) Jose runs a node calculating the hypocentre of an earthquake, either by
using raw data or scraping the information from the USGS site.
b) Brian runs a node which takes the hypocentre and calculates the origin of a
tsunami.
c) Ben runs a node which takes the origin of a tsunami and calculates the
impact that will be seen in Indonesia.
d) Adam runs a nod that warns the inhabitants of Aceh if OTAS thinks there
will be a tsunami.
All of these nodes are interconnected (probably with many others too). On
start up only Jose has a certificate that we ALL trust. Jose also trusts
everyone listed above. Each node becomes part of the network and identifies
itself with Jose since we trust him.
Brian uses a secure channel to tell Jose that he would like any hypocentral
data that Jose can supply. Jose acknowledges that he can supply this.
Ben contacts as many peers as possible and asks for tsunami origin info. One
of those contacted will be Jose, since Jose can't supply this he passes back
to Ben the public key certificate for Brian who can fulfil this request. Ben
then repeats with Brian's node and can start receiving tsunami origin data in
the clear. One of the other peers contacted might have tsunami origin info
but until we receive a key from a trusted source or enter it manually we
can't be sure of the accuracy.
Ben's trust of Brian is assumed because Jose is trusted, we need to decide how
much trust can be passed along in such a way.
Brian contacts Ben and delivers a message signed by himself and by Jose. Ben
knows to trust this message since he can confirm where it has come from and
the whole trail back to where it started. If Ben receives another message
signed only by Brian and an unknown node he should either ignore it or try to
contact other peers to confirm authenticity.
When the Internet suffers a technical problem and Ben is unable to "see"
Brian, other nodes in the p2p group will pass the message along by other
channels. Since the message has been signed by Brian and by Jose the actual
node that delivers the message is unimportant. We know the message contents
are still accurate.
Things will get more complicated the more "hops" we are away from our most
trusted node. For example when Adam is told to send a warning by Ben, the
message will be signed by Jose, Brian and Ben. Since Adam has never had
contact with Brian we should get his public key before trusting the message
(at least before we trust it completely). So Adam contacts all his trusted
nodes over a secure channel asking for Brian's key. Not to hard to get and
then we have a full chain of trust back to the source. Obviously these keys
only need to be passed around the first time.
The trust relationships might be quite complex but shouldn't be too hard to
figure out. Using a system like this keeps the need for encrypted messages
down to a minimum and without time constraints, while allowing fast message
passing in the clear and still being able to authenticate those message
despite coming from any number of sources.
----------------------------------END OF EXAMPLE-----------------------------
I've got some ideas on message structure and node architecture too but I'll
wait for a few people to shoot holes in the ideas above first so we can
refine or throw that out before thinking about too many aspects of the
system.
Adam