How to get credibility of a message's author in a local p2p network without the use of accounts stored on external servers?

StackOverflow https://stackoverflow.com/questions/8632120

Question

Hello, I am developing an application that will exchange unique groups and messages belonging to them between peers within a local network without any servers. Each of the peers should be able to create a new message and associate it with an existing or new group. Since messages and groups should be unique, I have implemented a hash algorithm creating the ID of those messages from static values like content, date of creation, author, title (messages are not editable). The ID I am using is helping me check the integrity and possible duplicates when the message/group is sent to another device. But since there is no server to store accounts and check for credibility of each of the peers, I can't think of a way to implement a mechanism that will check whether a given message is genuine from a specific author. At the moment anyone can publish messages adding a false author name, which is something I want to resolve. How can I do that?

PS. My application might be similar to how Twitter works but it has no accounts and no main servers to store them. It is developed on Android and it cannot use the internet simply because it is using wifi to connect to LAN only routers and I wouldn't want the users to have to use 3G/edge.

Possible solutions:

  1. Use the phone's special ID (IMEI), but also how do I get that programmatically and is it really unique?

  2. Use MAC Address of the phone (actually hashed concatenation of Bluetooth and WiFi MAC Address), is that unique per phone? The problem with this and the above is that the genuine author might change his phone over time.

  3. If the genuine author has logged on with his Google Account previously, is it stored in the phone's memory and can I programmatically get this information in offline mode?

Solution

The use of Digital Certificates to sign messages could also be a solution. Although its use may raise some more questions like "Who's the issuer?". Well, it could be an "entity" created by you if the authenticity of the messages is only important inside your own application.

Just something to consider if you haven't already.

OTHER TIPS

I don't think you can do anything about a false name, but in most cases fake names are okay - what you want to protect against is one user posing as another. Digital signatures would be the way to go - ensure that everyone has a randomly-generated secret they can use to sign all their communications.

For mobile-based comms, you could go one step further and get people to certify they know another person, using short-range communications. For example your app could do a Bluetooth exchange with another phone, and that would modify each profile to say "trusted person X certifies they have met untrusted person Y". Since it would require the consent of both parties, if one party is trusted, the other one likely can be too. The short-range comms would ensure that the parties have met (and perhaps are certifying that a person is like their profile picture).

You could also do a similar thing to Gravatar - use a hash of the name and the secret to choose from a wide range of avatars (or, generate a random image using a very long hash). This way, two people posting under the same handle will have very different avatars, and they can easily be told apart by the user community.
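
The signing approach suggested in the answers above, as an added example (not code from the original posts): each peer generates a key pair on the device, the encoded public key replaces the free-text author field in the hashed message ID the question describes, and the author signs that ID. The class and method names are hypothetical, and ECDSA over P-256 through the standard `java.security` API is an assumed choice of algorithm.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;

public class SignedMessageDemo {
    // Message ID: SHA-256 over length-prefixed fields, so field boundaries are unambiguous.
    static byte[] messageId(byte[] authorKey, String title, String content, long created) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        for (byte[] f : new byte[][] { authorKey, title.getBytes(StandardCharsets.UTF_8),
                content.getBytes(StandardCharsets.UTF_8), ByteBuffer.allocate(8).putLong(created).array() }) {
            md.update(ByteBuffer.allocate(4).putInt(f.length).array());
            md.update(f);
        }
        return md.digest();
    }

    // Author side: sign the ID with the private key that never leaves the device.
    static byte[] sign(PrivateKey key, byte[] id) throws Exception {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(key);
        s.update(id);
        return s.sign();
    }

    // Receiver side: recompute the ID from the received fields, then check the
    // signature against the public key that travels with the message.
    static boolean verify(byte[] authorKey, String title, String content, long created,
                          byte[] claimedId, byte[] sig) throws Exception {
        if (!MessageDigest.isEqual(messageId(authorKey, title, content, created), claimedId)) return false;
        PublicKey pub = KeyFactory.getInstance("EC").generatePublic(new X509EncodedKeySpec(authorKey));
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initVerify(pub);
        s.update(claimedId);
        try { return s.verify(sig); } catch (SignatureException e) { return false; }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
        g.initialize(256);
        KeyPair alice = g.generateKeyPair(), mallory = g.generateKeyPair(); // constructed peers
        byte[] aliceKey = alice.getPublic().getEncoded();
        long t = 1324857600000L; // constructed timestamp
        byte[] id = messageId(aliceKey, "Hello", "First post", t);
        byte[] sig = sign(alice.getPrivate(), id);
        System.out.println("genuine:  " + verify(aliceKey, "Hello", "First post", t, id, sig));
        System.out.println("tampered: " + verify(aliceKey, "Hello", "Edited post", t, id, sig));
        byte[] forged = sign(mallory.getPrivate(), id); // Mallory claims Alice's key as author
        System.out.println("forged:   " + verify(aliceKey, "Hello", "First post", t, id, forged));
    }
}
```

A display name can still be attached as a free-form label; peers tell authors apart by the public key, so two people using the same handle remain distinguishable.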

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow