[p2p-hackers] P2P Authentication
Davide Carboni
dcarboni at gmail.com
Tue Oct 25 14:23:08 UTC 2005
On 10/25/05, Frank Moore <francis.moore at rawflow.com> wrote:
> Hi,
>
> I have the following problem:
>
> I'm working on a hybrid p2p network where there is a central server and
> lots of clients (peers). I need a way for clients to authenticate
> themselves when they join the network. I've looked at doing a challenge
> response type thing using Challenge Handshake Authentication Protocol
> (CHAP) but that means putting a shared secret key in each client and
> the server.
>
> It seems entirely possible that someone could reverse engineer the
> client executable to get hold of the shared secret key and then write a
> 'rogue' client (or server) to subvert the network?
>
> Is there a standard (or any) way of authenticating peers in p2p
> networks that doesn't require secret shared keys?
>
I have a similar problem. Currently I'm thinking of using sockets over
SSL to establish a connection between peers. So my idea is:
(1) a unique certification authority CA for the community issues
certificates to participants who are entitled to join
(2) once p1 connects to p2, SSL authentication via certificate is
requested both for the 'client' and for the 'server'. If both
certificates are issued by the CA, the connection is up; otherwise the
connection fails.
This way, there is no need to connect to a central DB and there are
no shared secrets, but each node must keep its private key secret.
I'm just concerned about performance.
D.
--
I lose control 'cause I'm a creature of the night (Bruce and Bongo)
--
http://people.crs4.it/dcarboni
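Steps (1) and (2) of the scheme above, as an added example that is not part of this thread: a community CA issues certificates to p1 and p2, every node uses one SSL context in either role, and a peer whose certificate comes from any other CA is refused whether it dials or listens. Ruby with its standard openssl binding; the helper names `issue`, `peer_context` and `handshake`, the loopback setup and the "Rogue CA" are assumptions of this example.

```ruby
require 'openssl'
require 'socket'

# Issue an RSA key and an X.509 certificate for name, signed by issuer (self-signed when
# issuer is nil, which is how the community CA itself is created).
def issue(name, ca: false, issuer: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.issuer = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new('SHA256'))
  { cert: cert, key: key }
end

# The context every node uses in either role: present our own certificate, and refuse the
# connection unless the other side presents one that chains to the community CA.
def peer_context(ca, me)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca[:cert])
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key, ctx.cert_store = me[:cert], me[:key], store
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  ctx
end

# One loopback connection with server_ctx listening and client_ctx dialing; true only if
# both sides completed the mutual TLS handshake (step (2) above).
def handshake(server_ctx, client_ctx)
  tcp = TCPServer.new('127.0.0.1', 0)
  server = Thread.new do
    begin
      OpenSSL::SSL::SSLServer.new(tcp, server_ctx).accept.close # accept runs the server side
      true
    rescue OpenSSL::SSL::SSLError, SystemCallError, IOError
      false
    end
  end
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', tcp.addr[1]), client_ctx)
  ssl.connect # client side; raises if the listener's certificate does not chain to the CA
  server.value
rescue OpenSSL::SSL::SSLError, SystemCallError, IOError
  false
ensure
  [ssl, ssl&.io, tcp].each { |s| s&.close } # SSL session, its TCP socket, the listener
end
```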