At the time of this writing, the authors were staff members at Intel Labs. Copyright (c) 2009 Intel Corporation. All rights reserved.
The development of wireless technologies, mesh networks, ubiquitous computing, and ad hoc networking enables new applications to enhance the user experience, provide more flexibility, and give the user more choice. Network technologies, recently deployed, have increased user connectivity options, allowing users to connect from virtually anywhere. These changes create challenges for network security. Traditional centralized authority-based mechanisms do not work, or work at less than optimum, for emerging networking patterns. Novel network topologies, such as peer-to-peer (P2P) networking, void many of the assumptions made by established approaches to security, and these new topologies, therefore, require us to rethink the entire security architecture.
One example of this kind of network is the mobile ad hoc network (MANET), which provides wireless network services without relying on any centralized infrastructure. A MANET treats each node in the network equally, and each node acts as both a client and a server. The network topology is emergent, based on collaborative routing. Because of this emergent connectivity, a single centralized authentication server may not be reachable at all times.
Another example is P2P networks, widely used to share data and resources. As of 2006, over 80 percent of all Internet traffic consisted of P2P network traffic, and this percentage appears to be steadily growing. The structure of a P2P network is also self-organizing: it is typically unmanaged and unplanned, is unsupported by any dedicated support staff or servers, and is used by potentially very large numbers of users. The operation of these networks is distributed and autonomous. Interjecting a traditional centralized authentication scheme into these sorts of networks would therefore impose a centralized control structure and require permanent on-line servers and support staff to manage them, undermining the emergent, unmanaged character that makes these networks so attractive to their users. Instead, what is needed is a trust management system that matches the emergent nature of these networks, one that is based on collaborative individual decisions.
In this article, we examine centralized authentication systems and analyze the reasons why these systems fall short for new classes of networks. We argue that a centralized authority that creates and manages all of the identities for a domain is too inflexible to support self-organizing networks, where relationships are emerging through individual interactions. We call for a new approach wherein identities are created to signify the relationships, and entities collaboratively manage and evolve trust, based on these relationships.
We propose a decentralized trust management framework that manages identities to support authentication in self-organizing networks. This framework contains several key functions: evidence collection and distribution, identity generation and auditing, and trust calculation. Within this framework, every node collects trust evidence locally and shares information with peers. Trust decisions are made locally, based on collected information. The global consensus of trusting identities is reached by peer interactions and trust calculation. We emphasize the need to bootstrap trust relationships in order to build practical trust-management systems. For managing and propagating trust, we propose a novel trust model to calculate trust, based on both first-hand observations and on second-hand opinions from peers. This trust calculus model has two unique features: (1) support for both positive and negative trust values; and (2) whenever possible, pre-existing relationships, such as those between devices and their users from other contexts and communities, are transformed into new relationships between devices in new communities.
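The two features named above, signed (positive and negative) trust values and a local blend of first-hand observations with peers' second-hand opinions, in a small illustrative model. This is added example code, not the paper's trust calculus: the tally-based trust score, the weighting of each recommender's opinion by the evaluating node's own direct trust in that recommender, and the blending weight alpha are all assumptions, and the scenario in demo() is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Evidence:
    positive: int = 0  # first-hand interactions that went well
    negative: int = 0  # first-hand interactions that went badly

@dataclass
class Node:
    name: str
    evidence: dict = field(default_factory=dict)  # peer name -> Evidence

    def observe(self, peer, good, count=1):
        """Record first-hand observations of `peer`; a pre-existing
        relationship (e.g. same owner) can be seeded the same way."""
        ev = self.evidence.setdefault(peer, Evidence())
        if good:
            ev.positive += count
        else:
            ev.negative += count

    def direct_trust(self, peer):
        """First-hand trust in [-1, 1]; 0.0 when there is no evidence."""
        ev = self.evidence.get(peer)
        if ev is None or ev.positive + ev.negative == 0:
            return 0.0
        return (ev.positive - ev.negative) / (ev.positive + ev.negative)

    def trust(self, peer, recommenders, alpha=0.6):
        """Blend first-hand trust (weight alpha) with second-hand opinions.
        A recommender's opinion counts in proportion to this node's direct
        trust in it; recommenders with direct trust <= 0 are ignored."""
        own = self.direct_trust(peer)
        weighted = total = 0.0
        for rec in recommenders:
            w = self.direct_trust(rec.name)
            if rec is self or rec.name == peer or w <= 0:
                continue
            weighted += w * rec.direct_trust(peer)
            total += w
        return own if total == 0 else alpha * own + (1 - alpha) * weighted / total

def demo():
    """Constructed scenario: alice trusts bob, distrusts carol, and has no
    first-hand evidence about dave or eve."""
    alice, bob, carol = Node("alice"), Node("bob"), Node("carol")
    alice.observe("bob", True, 4)                                   # direct trust 1.0
    alice.observe("carol", True); alice.observe("carol", False, 3)  # direct trust -0.5
    bob.observe("dave", True, 3); bob.observe("dave", False)        # bob's opinion 0.5
    bob.observe("eve", False, 4)                                    # bob's opinion -1.0
    carol.observe("dave", True, 5); carol.observe("eve", True, 5)   # ignored: distrusted
    return {p: alice.trust(p, [bob, carol]) for p in ("dave", "eve", "bob")}
```

Because carol's direct trust is negative her glowing opinion of eve never reaches alice, while bob's negative evidence propagates as a negative value rather than being clamped to "unknown".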
We further analyze some threats, such as identity attacks, to the decentralized trust model, and we propose using device profiling to build consensus on binding a device identifier with its profiling attributes. We further discuss candidate attributes that can be used to thwart certain identity attacks.
Decentralized Trust-Management Problems
Traditional Trust Models and Problems
The current practice of managing trust and authentication is designed to efficiently address the needs of enterprise access control. A centralized server is deployed to perform all authentication procedures, such as an X.509v3 certification authority, revocation servers, on-line certificate status protocol (OCSP) servers, or RADIUS servers. Having a single central server simplifies credential management and makes it easier for the organization to enforce its access-control policies. However, it has become evident that the dominant centralized security models fail to meet the following challenges presented by the P2P communication patterns in self-organizing networks:
A centralized authority has to be available all the time. Given the dynamic nature of new networking forms, it is impossible to guarantee that this centralized authority can be reached from everywhere in the network.
A single point of control makes it harder for users to communicate with the domain. The centralized authority generates and manages all the identities and credentials for the domain. This design forces users to contact the centralized authority for every enrollment and authentication activity. In self-organizing networks, communications may happen only in a local context, where contacting the centralized authority is impossible or, at best, very inconvenient.
Centralized trust models demand long-lived trust evidence. IT administrators often hold the view that computing devices belong to a single administrative domain, so that credentialing happens only once during the lifetime of a device, at most. The resulting identity credentials have to fit all usage cases. This increases the cost of gathering and maintaining evidence, increases the possible damage if credentials become compromised, and makes it difficult to re-evaluate trust evidence. In self-organizing networks, an entity's relationship with a particular domain may be dynamic and transient. Such relationships require frequent and on-line trust evidence re-evaluation.
A centralized authority imposes a single trust metric for the entire domain. This means that a name is bound to a key. However, in self-organizing networks, the trust evidence is not uniform. Evidence may be in the form of keys, names, hardware attributes, and even social relationships. Hence, evidence evaluation cannot be uniform either.
Traditional centralized security models require the domain to be established at a central place by some authority. In unmanaged networks, however, the trust relationships are formed at the grassroots level and from P2P interactions. A corresponding trust model needs to be built to match this pattern.
The centralized model enforces a uniform relationship between the individual named entities and the organization running the central server, not between different devices within the organization. This is at variance with the needs of devices in new usage models such as P2P networks, where each device needs some means to directly manage its relationships with other devices in the community.
Prior research on security models has proposed decentralized trust models that remove the dependency on the centralized authority and servers [3, 4, 5, 6, 7, 8, 9]. However, most of the existing literature focuses only on the trust calculation models, which evolve and propagate trust on entities based on a transitive property of trust. Decentralized trust calculations address only part of the problem. A complete and practical decentralized trust management system demands solutions to the following three additional problems: (1) trust evidence gathering; (2) trust evidence evaluation for initial trust computation; and (3) the creation of trusted communities.