Dealing with Curious Players in Secure Networks

1
Dealing with Curious Players in Secure Networks

• By
• Liam Wagner
• Department of Mathematics and
• St Johns College within

Email LDW_at_maths.uq.edu.au Web
http//www.maths.uq.edu.au/ldw
2
Abstract

• In secure communications networks there are a
  great number of user behavioural problems which
  need to be dealt with. Curious players pose a
  very real and serious threat to the integrity of
  such a network. By traversing a network a Curious
  player could uncover secret information which
  that user has no need to know, by simply posing
  as a loyalty check. Loyalty checks are done
  simply to gauge the integrity of the network with
  respect to players who act in a Malicious manner.
  We wish to propose a method which can deal with
  Curious players trying to obtain "Need to Know"
  information using a combined Fault-tolerant,
  Cryptographic and Game Theoretic Approach.

3
Outline of Seminar

• Background to this problem.
• The Byzantine generals problem and its use in
  network signaling.
• Secure communication using Byzantine Agreements.
• Getting rid of Curious players in a network.
• Protocol.
• Further work and conclusion.

4
Introduction

• How do you uncover a traitor in a network of
  agents when you can only use their messages as a
  measure of their loyalty?
• A reliable communications system must be able to
  cope with failure of one or more of its
  components.
• Users must also be included in the scheme and
  classified as components of this system.

5
Curious Huh?

• The concept of a Curious Player in networks was
  first used to describe a method of information
  extraction.
• Why Curious?
• Players can traverse the network to extract
  information from other players
• This information may or may not be normally
  accessible to all players
• An appropriate level of clearance may be required
• Information could also require the Need-to-Know

6
The man who knew too much!

• Curious players use trust/reputation to obtain
  information out of a network.
• Curious players arent likely to present a threat
  to the integrity of the information flowing
  through the network.
• Their main motivation is extraction
• Malicious players however use there position to
  undermine the network.

7
The man who knew too little!

• The main danger in not seeking out curiosity is
  the possibility of attack by some third party who
  has been dealt information from the curious
  player.
• In a conventional network the grand designer may
  be unaware of the amount of information flowing
  to all the other players.
• Current methods to uncover traitors usually focus
  on malicious players whose intent is to destroy
  the integrity of the network.
• Without questioning all players on what they have
  distributed across the network the grand designer
  is helpless.
• Furthermore how can the grand designer know if
  the players know to much?

8
Games and Cryptography

• The current literature uses game theory to model
  the behaviour of networks of this type to try and
  find and eliminate errors.
• We will need to introduce the use of games and
  fault tolerance to build the structure for our
  own work.

9
The Byzantine Generals Problem

• Lamport describes the way to conceptualise the
  BGP is to use the example of the Byzantine army
  poised for attack.
• A collective decision based on all the available
  facts and played out by each division in unison.
• However in some cases there may be a traitor.

10
Byzantine Agreements

• The possibility of reaching agreement in the
  presence of faults was first introduced by Pease,
  Shostak and Lamport PSL
• The standard formulation of this problem is as
  follows
• We design a protocol that allows the uncorrupted
  parties to agree on a common value.
• This agreed value is the input for an uncorrupted
  party
• This is a very limited specific case of secure
  multiparty computation Cannetti

11
BA in Secure Communication I

• Given a set of n players and an additional
  trusted party which may be referred to as a grand
  designer.
• There are various goals that can be achieved in
  terms of correct, reliable and leak-free
  communication.
• In fact, all they need to do is relay their input
  values to the party who can compute any functions
  of these inputs and communicate to every player
  any data desired.
• In broad terms, our mission is to provide a
  protocol for the n parties to achieve all the
  tasks in the absence of a trusted party.

12
Cdr
x
z
y
z
y
Lieut 1
Lieut 2
Lieut 3
x
y
x
z
13
Prevention is better than Cure!

• The possibility of having players inside a
  network becoming curious is too great.
• What the current literature doesnt provide for
  are measures which could actively deter
  curiosity.
• Some however search for users who try to
  recombine access structures which they may not be
  permitted to do.

14
Mechanism Design

• To institute a scheme to outwit this type of
  behaviour we must place certain rules on each
  player.
• By standardizing the way in which each player
  receives and deals with packets of information we
  can place restrictions on each players set of
  possible moves.

15
Mechanism Design II

• Each player keeps 2 information sets.
• Information gathered or created
• Information transferred by other players
• Partioned to allow for both digital signatures
  applied to documents and full documents.
• Maintenance of 2 information sets which are all
  transferred in unison to the grand designer.
• Grand designer searches each set of values to
  determine who has been curious and not disclosed
  there entire second information set.

16
Loyalty without disclosure

• Within the current literature loyalty checks may
  be performed over secure channels.
• The information however still needs to be
  presented to each player in comprehensible form.
• Secure channels dont necessarily provide for
  varying levels of clearance and the need-to-know.
• We propose the use of digital signatures as a
  one-way function to be assigned to different
  levels of clearance.
• We can still make everyone privy to a loyalty
  check by exchanging the signed documents to
  players outside the need to know.

17
Grand Designer
Confidential
Protected
Highly Protected
18
Protocol for inter-clearance levels

• Apply Digital signature (Blinding Phase)
• Encrypt using a public key system
• Transmission Phase (Sender)
• register information and pretext of transfer with
  grand designer
• Decrypt and Comparison Phase (Receiver)
• register receipt of information

19
Further Work.

• Creating a stricter need to know principle.
• Eliminating uncontrolled access.
• No grand designer.
• Use of strategic information release of false
  information to exceed bounded rationality.
• Destroy integrity of the network to hunt out
  curious players.

20
Results and Conclusion.

• Systems like this have been implemented before.
• However they dont allow for the pro-active
  search for curious players.
• These restrictions and game design will allow us
  to present a cryptographic and game theoretic
  methodology to uncover and eliminate curious
  players within secure networks.

21
References

• Canetti, R., Security and Composition of
  Multiparty Cryptographic Protocols. Journal of
  Cryptology, vol. 13 pp.143-202, 2000
• Dasgupta, P., Agreement under Faulty Interfaces
  Information Processing Letters, vol.65, (1998)
  pp.125-129.
• Feigenbaum, J., Shenker, S., Distributed
  Algorithmic Mechanism Design Recent Results and
  Future Directions. Dial-M02, 2002
• Wagner, L.D., Curious Players in Secure Networks
  (Submitted to MILCOM 2004)