Components for Building Secure Decentralized Networks

Transcription

1 Components for Building Secure Decentralized Networks Christian Grothoff Technische Universität München Never doubt your ability to change the world. Glenn Greenwald

2 Where We Are

3 Where We Are

4 My Research and Development Agenda Make decentralized systems: by: Faster, more scalable Easier to develop, deploy and use Easier to evolve and extend Secure (privacy-preserving, censorship-resistant, available,...) designing secure network protocols implementing secure software following and evolving best practices creating tools to support developers

5 Our Vision Internet Google/Facebook DNS/X.509 TCP/UDP IP/BGP Ethernet Phys. Layer

6 Our Vision Internet Google/Facebook DNS/X.509 TCP/UDP IP/BGP Ethernet Phys. Layer HTTPS/TCP/WLAN/...

7 Our Vision Internet Google/Facebook DNS/X.509 TCP/UDP IP/BGP Ethernet Phys. Layer CORE (ECDHE+AES) HTTPS/TCP/WLAN/...

8 Our Vision Internet Google/Facebook DNS/X.509 TCP/UDP IP/BGP Ethernet Phys. Layer R 5 N DHT CORE (ECDHE+AES) HTTPS/TCP/WLAN/...

9 Our Vision Internet Google/Facebook DNS/X.509 TCP/UDP IP/BGP Ethernet Phys. Layer Mesh (ECDHE+AES) R 5 N DHT CORE (ECDHE+AES) HTTPS/TCP/WLAN/...

10 Our Vision Internet Google/Facebook DNS/X.509 TCP/UDP IP/BGP Ethernet Phys. Layer GNU Name System Mesh (ECDHE+AES) R 5 N DHT CORE (ECDHE+AES) HTTPS/TCP/WLAN/...

11 Our Vision Internet Google/Facebook DNS/X.509 TCP/UDP IP/BGP Ethernet Phys. Layer RegEx/PSYC GNU Name System Mesh (ECDHE+AES) R 5 N DHT CORE (ECDHE+AES) HTTPS/TCP/WLAN/...

12 Our Vision Internet Google/Facebook DNS/X.509 TCP/UDP IP/BGP Ethernet Phys. Layer GNUnet RegEx/PSYC GNU Name System Mesh (ECDHE+AES) R 5 N DHT CORE (ECDHE+AES) HTTPS/TCP/WLAN/...

13 The GNU Name System 1 Properties of GNS Decentralized name system with secure memorable names Delegation used to achieve transitivity Also supports globally unique, secure identifiers Achieves query and response privacy Provides alternative public key infrastructure Interoperable with DNS Uses for GNS in GNUnet Identify IP services hosted in the P2P network Identities in social networking applications 1 Joint work with Martin Schanzenbach and Matthias Wachs

14 Zone Management: like in DNS

15 Name resolution in GNS Local Zone: K Bob pub www A Bob Bob's webserver K Bob priv Bob can locally reach his webserver via

16 Secure introduction Bob Builder, Ph.D. Address: Country, Street Name 23 Phone: Mobile: Mail: Bob gives his public key to his friends, possibly via QR code

17 Delegation Alice learns Bob s public key Alice creates delegation to zone bob Alice can reach Bob s webserver via

18 Name Resolution DHT Bob Alice Bob 8FS7. www A Alice A47G. bob PKEY 8FS7.

19 Name Resolution 0 PUT 8FS7-www: DHT Bob Alice Bob 8FS7. www A Alice A47G. bob PKEY 8FS7.

20 Name Resolution 0 PUT 8FS7-www: DHT 1 Bob Alice Bob Alice 8FS7. A47G. www A bob PKEY 8FS7.

21 Name Resolution 0 PUT 8FS7-www: DHT 1 Bob Alice 2 'bob'? Bob 8FS7. www A Alice A47G. bob PKEY 8FS7.

22 Name Resolution 0 PUT 8FS7-www: DHT 1 Bob Alice 3 PKEY 8FS7! 2 'bob'? Bob 8FS7. www A Alice A47G. bob PKEY 8FS7.

23 Name Resolution 0 PUT 8FS7-www: DHT 4 8FS7-www? 1 Bob Alice 3 PKEY 8FS7! 2 'bob'? Bob 8FS7. www A Alice A47G. bob PKEY 8FS7.

24 Name Resolution 0 PUT 8FS7-www: DHT 4 8FS7-www? 1 Bob 5 A ! Alice 3 PKEY 8FS7! 2 'bob'? Bob 8FS7. www A Alice A47G. bob PKEY 8FS7.

25 GNS as PKI (via DANE/TLSA)

26 Query Privacy: Terminology G generator in ECC curve, a point n size of ECC group, n := G, n prime x private ECC key of zone ( Z n ) P public key of zone, a point P := xg l label for record in a zone ( Z n ) R P,l q P,l B P,l set of records for label l in zone P query hash (hash code for DHT lookup) block with information for label l in zone P published in the DHT under q P,l

27 Query Privacy: Cryptography Publishing B under q P,l := H(dG) h : = H(l, P) (1) d : = h x mod n (2) B P,l : = S d (E HKDF (l,p) (R P,l )), dg (3)

28 Query Privacy: Cryptography Publishing B under q P,l := H(dG) h : = H(l, P) (1) d : = h x mod n (2) B P,l : = S d (E HKDF (l,p) (R P,l )), dg (3) Searching for l in zone P h = H(l, P) (4) q P,l = H(dG) = H(hxG) = H(hP) obtain B P,l (5) R P,l = D HKDF (l,p) (B P,l ) (6)

29 Our Vision Internet Google/Facebook DNS/X.509 TCP/UDP IP/BGP Ethernet Phys. Layer GNUnet RegEx/PSYC GNS Mesh (ECDHE+AES) R 5 N DHT CORE (ECDHE+AES) HTTPS/TCP/WLAN/...

30 PSYC2 for GNUnet Properties of PSYC2 Extensible syntax and semantics: try-and-slice pattern Supports stateful multicast Uses for PSYC2 in GNUnet P2P social networking foundation Push social profiles (state) to all recipients Replay from local database used as primary access method My data is stored on my machine

31 The Evolution Challenge 2 Features are frequently added to social applications Some require changes ( extensions ) to data formats and messages Centralized, browser-based networks can easily update to new version Decentralized systems must transition gracefully 2 Joint work with Carlo v. Loesch and Gabor Toth

32 Related Work: XML Extensible Markup Language Syntax is extensible Extensions have no semantics

33 PSYC We are working on PSYC2, the successor to PSYC: More compact, mostly human-readable, faster-to-parse relative of XML/JSON/XMPP PSYC messages consist of a state update and a method invocation PSYC includes interesting ideas for social networking: Stateful multicast History Difference-based updates PSYC addresses extensibility problem using try-and-slice pattern

34 PSYC State: Example The PSYC state is a set of key-value pairs where the names of keys use underscores to create an inheritance relationship: name name first name first chinese address address street address country The data format for each state is fixed for each top-level label.

35 PSYC Methods: Example A PSYC method has a name which follows the same structure as keys: message message private message public message public whisper message announcement message announcement anonymous Methods have access to the current state and a per-message bytestream.

36 The Try-and-Slice Pattern int msg (string method) { while (1) { switch (method) { case "_notice_update_news": // handle news update return 1; case "_notice": // handle generic notice return 1; case "_message": // handle generic message return 1; //... } int glyph = strrpos (method, _ ); if (glyph <= 1) break; truncate (method, glyph); } }

37 Advantages of Try-and-Slice Extensible, can support many applications Can be applied to state and methods Defines what backwards-compatible extensibility means: Can incrementally expand implementations by deepening coverage Incompatible updates = introduce new top-level methods

38 Our Vision Internet Google/Facebook DNS/X.509 TCP/UDP IP/BGP Ethernet Phys. Layer GNUnet RegEx/PSYC GNS Mesh (ECDHE+AES) R 5 N DHT CORE (ECDHE+AES) HTTPS/TCP/WLAN/...

39 RegEx Search for GNUnet Properties of RegEx Search Capability discovery in DHT-based P2P networks using regular expressions Linear latency in the length of the search string Suitable for applications that can tolerate moderate latency Uses for RegEx in GNUnet Discovery of matching services, such as VPN exit nodes Topic-based subscriptions in messaging (decentralized MQTT)

40 Distributed Search via Regular Expressions: Idea 3 1. Offerer creates regular expression describing service 2. Regular expression is compiled to a DFA 3. DFA is stored in the DHT 4. Patron matches using a string Offerer Patron DFA Search string PUT GET DHT NFA 3 Joint work with Max Szengel, Ralph Holz, Bart Polot and Heiko Niedermayer

41 Problem: Mapping of States to Keys Regular expression (ab cd)e f and corresponding DFA e q0 a a b (ab cd)e* f (ab cd)e*f c c d h("(ab cd)e*") h("c") DHT h("a") h("(ab cd)e*f")

42 Problem: Merging of DFAs Regular expressions (ab cd)e f and (ab cd)e fg with corresponding DFAs e q0 a c a c b d (ab cd)e* f (ab cd)e*f e g q0 a c a c b d (ab cd)e* f (ab cd)e*fg*

43 Problem: Merging of DFAs Merged NFA for regular expressions (ab cd)e fg and (ab cd)e f e q0 a c a c b d (ab cd)e* f f (ab cd)e*f g (ab cd)e*fg*

44 Problem: Decentralizing the Start State Regular expression: abc defg h and k = 4. abcd ef g abcc c def c def abc*defg* h abc*defg*h q0 ab abc* abde f

45 Evaluation Implementation in GNUnet Profiling of Internet-scale routing using regular expressions to describe AS address ranges CAIDA AS data set: Real AS data

46 Evaluation AS / / / / / / / / /24 AS / / / / / /22 AS / / / /24 AS / / / / / / / / / / / /21 AS / / / / / / / / / /21 AS / / / / /22 AS / / / / /20 AS /24 AS / /24 AS / / / /24 AS / / /20 Distributed Hash Table

47 Evaluation: Results of Simulation (1) Number of transitions and states in the merged NFA # of transitions / states no compr Maximum path compression length transitions states Dataset: All 40, 696 ASes

48 Evaluation: Results of Simulation Degree of non-determinism at states in the merged NFA 1e+07 1e # states max path length 1 max path length degree of non-determinism max path length 4 max path length 6 3 max path length 8 max path length 16 Dataset: All 40, 696 ASes

49 Evaluation: Results of Simulation (3) % of states e-05 1e >= k out degree max. path compression length 6 max. path compression length 8 max. path compression length 16 Dataset: All 40, 696 ASes

50 Evaluation: Results of Emulation Search duration averaged over five runs with randomly connected peers % of matched strings ,000 peers 10 2,000 peers 4,000 peers Search duration in seconds

51 Our Vision Internet Google/Facebook DNS/X.509 TCP/UDP IP/BGP Ethernet Phys. Layer GNUnet News/Timeline Scalarproduct Mesh (ECDHE+AES) R 5 N DHT CORE (ECDHE+AES) HTTPS/TCP/WLAN/...

52 Scalarproduct for GNUnet Properties of SMC Scalarproduct Scalarproduct over map on intersecting sets, not just vectors Privacy-preserving (but need to limit number of interactions) Relatively efficient in bandwidth and CPU usage Uses for Scalarproduct in GNUnet Collaborative filtering Maybe: collaborative attack detection

53 Background: Paillier We use the Paillier cryptosystem: E K (m) : = g m r n mod n 2, (7) D K (c) : = (cλ mod n 2 ) 1 n µ mod n (8) where the public key K = (n, g), m is the plaintext, c the ciphertext, n the product of p, q P of equal length, and g Z n 2. The private key is (λ, µ), which is computed from p and q as follows: λ : = lcm(p 1, q 1), (9) ( (g λ mod n 2 ) 1 ) 1 µ : = n mod n. (10)

54 Paillier offers additive homomorphism Paillier offers additive homomorphic public-key encryption, that is: for some public key K. E K (a) E K (b) E K (a + b) (11)

55 Background: Secure Multiparty Computation Alice and Bob have private inputs a i and b i. Alice and Bob run a protocol to jointly calculate f (a i, b i ). One of them learns the result. Adversary model: honest but curious

56 Secure Scalar Product Original idea by Ioannids et al. in 2002 (use: (a b) 2 = a 2 2ab + b 2 ) Refined by Amirbekyan et al. in 2007 (corrected math) Implemented with practical extensions in GNUnet (negative numbers, small numbers, concrete protocol, set intersection, implementation).

57 Preliminaries Alice has public key A and input map m A : M A Z. Bob has public key B and input map m B : M B Z. We want to calculate m A (i)m B (i) (12) i M A M B We first calculate M = M A M B. Define a i := m A (i) and b i := m B (i) for i M. Let s denote a shared static offset.

58 Network Protocol Alice transmits E A (s + a i ) for i M to Bob. Bob creates two random permutations π and π over the elements in M, and a random vector r i for i M and sends R : = E A (s + a π(i) ) E A (s r π(i) b π(i) ) (13) = E A (2 s + a π(i) r π(i) b π(i) ), (14) R : = E A (s + a π (i)) E A (s r π (i)) (15) = E A (2 s + a π (i) r π (i)), (16) S : = (r i + b i ) 2, (17) S : = r 2 i (18)

59 Decryption (1/3) Alice decrypts R and R and computes for i M: a π(i) b π(i) r π(i) = D A (R) 2 s, (19) ( a π (i) r π (i) = D A R ) 2 s, (20) which is used to calculate T : = ai 2 (21) i M U : = i M(a π(i) b π(i) r π(i) ) 2 (22) U : = i M(a π (i) r π (i)) 2 (23)

60 Decryption (2/3) She then computes P : = S + T + U ( = (b i + r i ) 2 + ai 2 + i M i M ) (a i b i r i ) 2 i M = ( (bi + r i ) 2 + ai 2 (a i b i r i ) 2) i M = 2 a i (b i + r i ). i M P : = S + T + U = ri 2 + ( ai 2 + ) (a i r i ) 2 i M i M i M = ( r 2 i + ai 2 (a i r i ) 2) = 2 a i r i. i M i M

61 Decryption (3/3) Finally, Alice computes the scalar product using: P P 2 = i M a i (b i + r i ) i M a i r i = i M a i b i. (24)

62 Our Vision Internet Google/Facebook DNS/X.509 TCP/UDP IP/BGP Ethernet Phys. Layer GNUnet News/Timeline Scalarproduct Mesh (ECDHE+AES) R 5 N DHT CORE (ECDHE+AES) HTTPS/TCP/WLAN/...

63 Future Work: Privacy-enhanced Gossple 1. Alice selects peers Bob 2. Alice and Bob compute scalar product similarity 3. Bob forwards news to Alice with ranking based on similarity 4. Alice constructs timeline, ranks news, and 5. adapts her forwarding (2) and peer selection (1)

64 Dimensions for ranking news quality Agreement (on opinion, highly subjective)

65 Dimensions for ranking news quality Agreement (on opinion, highly subjective) Presentation (use of language, formatting, graphics)

66 Dimensions for ranking news quality Agreement (on opinion, highly subjective) Presentation (use of language, formatting, graphics) Accuracy (use of scientific method, well-sourced)

67 Dimensions for ranking news quality Agreement (on opinion, highly subjective) Presentation (use of language, formatting, graphics) Accuracy (use of scientific method, well-sourced) Relevance (by topic need tags)

68 Components for Future Work Efficient set intersection (current design: O(n log n) with O(log n) rounds) Secure decentralized random peer selection Tagging system Reputation system for authors

69 More Open Issues Information leakage over time! Evaluation scenarios? Usability Social effects

70 Conclusion Decentralization is necessary Security and scalability are hard issues We need to build systems that address both!

71 Do you have any questions? References: Glenn Greenwald and Ewen MacAskill. NSA Prism program taps in to user data of Apple, Google and others. In The Guardian, June Nathan Evans and Christian Grothoff. R5N. Randomized Recursive Routing for Restricted-Route Networks. 5th International Conference on Network and System Security, M. Schanzenbach Design and Implementation of a Censorship Resistant and Fully Decentralized Name System. Master s Thesis (TUM), M. Szengel. Decentralized Evaluation of Regular Expressions for Capability Discovery in Peer-to-Peer Networks. Master s Thesis (TUM), 2012.

72 GNUnet: Framework Architecture dv consensus pt gns fs set exit vpn dns namestore datastore mesh tun regex dht topology nse datacache hostlist block core transport ats nat fragmentation peerinfo hello

73 GNUnet: Envisioned Applications secushare gns fs reuters psyc vpn exit voting messaging dotproduct core multicast consensus dht regex set mesh ats

74 Research Agenda Secure, scaleable multicast Practical secure multiparty computation Tool support for building distributed systems Secure routing, censorship circumvention