The GNU Name System: A Public Key Infrastructure for Social Movements in the Age of Universal Surveillance

Size: px

Start display at page:

Download "The GNU Name System: A Public Key Infrastructure for Social Movements in the Age of Universal Surveillance"

Bertina Gaines
5 years ago
Views:

1 The GNU Name System: A Public Key Infrastructure for Social Movements in the Age of Universal Surveillance Christian Grothoff The GNUnet Project Never doubt your ability to change the world. Glenn Greenwald

2 The Internet Virtually all Internet protocols are broken: Ethernet MAC spoofing, cleartext IP IP spoofing, cleartext BGP AS hijacking, cleartext DNS cache poisoning, cleartext DNSSEC cleartext, often no end-to-end authentication TLS 100 CAs can certify anybody for anything HTTP too chatty, complex, slow... 2 / 51

3 The Internet Virtually all Internet protocols are broken: Ethernet MAC spoofing, cleartext IP IP spoofing, cleartext BGP AS hijacking, cleartext DNS cache poisoning, cleartext DNSSEC cleartext, often no end-to-end authentication TLS 100 CAs can certify anybody for anything HTTP too chatty, complex, slow... Rule 1 for the GNUnet: Encrypt everything. 2 / 51

4 Encryption to the Rescue? Existing Internet PKIs are easily controlled: DNSSEC root certificate X.509 CAs (HTTPS certificates) Major browser vendors (CA root stores!) 3 / 51

5 Encryption to the Rescue? Existing Internet PKIs are easily controlled: DNSSEC root certificate X.509 CAs (HTTPS certificates) Major browser vendors (CA root stores!) Encryption does not help if PKI is compromised! 3 / 51

6 Encryption to the Rescue? Existing Internet PKIs are easily controlled: DNSSEC root certificate X.509 CAs (HTTPS certificates) Major browser vendors (CA root stores!) Encryption does not help if PKI is compromised! PGP Web-of-Trust leaks social graph 3 / 51

7 How bad is it? 4 / 51

8 A DNS Lookup in What would a simple DNS lookup do? Say for taler.net? NS of net is a.gtld-servers.net 5 / 51

9 A DNS Lookup in What would a simple DNS lookup do? Say for taler.net? NS of net is a.gtld-servers.net NS of taler.net is dns1.name-services.com 5 / 51

10 A DNS Lookup in What would a simple DNS lookup do? Say for taler.net? NS of net is a.gtld-servers.net NS of taler.net is dns1.name-services.com NS of com is a.gtld-servers.net 5 / 51

11 A DNS Lookup in What would a simple DNS lookup do? Say for taler.net? NS of net is a.gtld-servers.net NS of taler.net is dns1.name-services.com NS of com is a.gtld-servers.net CNAME of taler.net is pixel.net.in.tum.de 5 / 51

12 A DNS Lookup in What would a simple DNS lookup do? Say for taler.net? NS of net is a.gtld-servers.net NS of taler.net is dns1.name-services.com NS of com is a.gtld-servers.net CNAME of taler.net is pixel.net.in.tum.de NS of de is n.de.net 5 / 51

13 A DNS Lookup in What would a simple DNS lookup do? Say for taler.net? NS of net is a.gtld-servers.net NS of taler.net is dns1.name-services.com NS of com is a.gtld-servers.net CNAME of taler.net is pixel.net.in.tum.de NS of de is n.de.net NS of net was a.gtld-servers.net 5 / 51

14 A DNS Lookup in What would a simple DNS lookup do? Say for taler.net? NS of net is a.gtld-servers.net NS of taler.net is dns1.name-services.com NS of com is a.gtld-servers.net CNAME of taler.net is pixel.net.in.tum.de NS of de is n.de.net NS of net was a.gtld-servers.net NS of de.net is ns1.denic.de 5 / 51

15 A DNS Lookup in What would a simple DNS lookup do? Say for taler.net? NS of net is a.gtld-servers.net NS of taler.net is dns1.name-services.com NS of com is a.gtld-servers.net CNAME of taler.net is pixel.net.in.tum.de NS of de is n.de.net NS of net was a.gtld-servers.net NS of de.net is ns1.denic.de NS of tum.de is dns1.lrz.de 5 / 51

16 A DNS Lookup in What would a simple DNS lookup do? Say for taler.net? NS of net is a.gtld-servers.net NS of taler.net is dns1.name-services.com NS of com is a.gtld-servers.net CNAME of taler.net is pixel.net.in.tum.de NS of de is n.de.net NS of net was a.gtld-servers.net NS of de.net is ns1.denic.de NS of tum.de is dns1.lrz.de NS of lrz.de is dns1.lrz.de 5 / 51

17 A DNS Lookup in What would a simple DNS lookup do? Say for taler.net? NS of net is a.gtld-servers.net NS of taler.net is dns1.name-services.com NS of com is a.gtld-servers.net CNAME of taler.net is pixel.net.in.tum.de NS of de is n.de.net NS of net was a.gtld-servers.net NS of de.net is ns1.denic.de NS of tum.de is dns1.lrz.de NS of lrz.de is dns1.lrz.de NS of in.tum.de is tuminfo1.informatik.tu-muenchen.de 5 / 51

18 A DNS Lookup in What would a simple DNS lookup do? Say for taler.net? NS of net is a.gtld-servers.net NS of taler.net is dns1.name-services.com NS of com is a.gtld-servers.net CNAME of taler.net is pixel.net.in.tum.de NS of de is n.de.net NS of net was a.gtld-servers.net NS of de.net is ns1.denic.de NS of tum.de is dns1.lrz.de NS of lrz.de is dns1.lrz.de NS of in.tum.de is tuminfo1.informatik.tu-muenchen.de NS of tu-muenchen.de is ws-han1.wip-ip.dfn.de 5 / 51

19 A DNS Lookup in What would a simple DNS lookup do? Say for taler.net? NS of net is a.gtld-servers.net NS of taler.net is dns1.name-services.com NS of com is a.gtld-servers.net CNAME of taler.net is pixel.net.in.tum.de NS of de is n.de.net NS of net was a.gtld-servers.net NS of de.net is ns1.denic.de NS of tum.de is dns1.lrz.de NS of lrz.de is dns1.lrz.de NS of in.tum.de is tuminfo1.informatik.tu-muenchen.de NS of tu-muenchen.de is ws-han1.wip-ip.dfn.de NS of dfn.de is ws-han1.wip-ip.dfn.de 5 / 51

20 A DNS Lookup in What would a simple DNS lookup do? Say for taler.net? NS of net is a.gtld-servers.net NS of taler.net is dns1.name-services.com NS of com is a.gtld-servers.net CNAME of taler.net is pixel.net.in.tum.de NS of de is n.de.net NS of net was a.gtld-servers.net NS of de.net is ns1.denic.de NS of tum.de is dns1.lrz.de NS of lrz.de is dns1.lrz.de NS of in.tum.de is tuminfo1.informatik.tu-muenchen.de NS of tu-muenchen.de is ws-han1.wip-ip.dfn.de NS of dfn.de is ws-han1.wip-ip.dfn.de NS of net.in.tum.de is dns1.lrz.de 5 / 51

21 A DNS Lookup in What would a simple DNS lookup do? Say for taler.net? NS of net is a.gtld-servers.net NS of taler.net is dns1.name-services.com NS of com is a.gtld-servers.net CNAME of taler.net is pixel.net.in.tum.de NS of de is n.de.net NS of net was a.gtld-servers.net NS of de.net is ns1.denic.de NS of tum.de is dns1.lrz.de NS of lrz.de is dns1.lrz.de NS of in.tum.de is tuminfo1.informatik.tu-muenchen.de NS of tu-muenchen.de is ws-han1.wip-ip.dfn.de NS of dfn.de is ws-han1.wip-ip.dfn.de NS of net.in.tum.de is dns1.lrz.de A of pixel.net.in.tum.de is / 51

22 Exemplary Attacks: MORECOWBELL 6 / 51

23 Exemplary Attacks: QUANTUMDNS 7 / 51

24 DNSSEC DNS Server Root Zone a.root-servers.net. Stub Resolver A RRSIG example.com. K0rp9n... AD DNSSEC Trust Anchor 49AAC1... Recursive Name Server NS a.gtld-servers.net.test DS E2D3C9... RRSIG. S4LXnQiBS... NS a.gtld-servers.net.test DS 3490A6... RRSIG com. U/ZW6P3c... DNS Server.com a.gtld-servers.net. A RRSIG example.com. K0rp9n... DNS Server example.com a.iana-servers.net. 8 / 51

25 Query Name Minimization Stub Resolver A Recursive Name Server NS com? NS a.gtld-servers.net. NS example.com? NS a.iana-servers.net. DNS Server Root Zone a.root-servers.net. DNS Server.com a.gtld-servers.net A DNS Server example.com a.iana-servers.net 9 / 51

26 DNS over TLS Stub Resolver A Recursive Name Server NS a.gtld-servers.net. NS a.iana-servers.net. DNS Server Root Zone a.root-servers.net. DNS Server.com a.gtld-servers.net. A DNS Server example.com a.iana-servers.net. 10 / 51

27 The Textbook Version of the Internet Layering, 1990 HTTPS DNS TLS UDP TCP IPv4 Ethernet Phys. Layer 11 / 51

28 The Textbook Version of the Internet Layering, 1990 Layering, 2020 HTTPS DNS TLS UDP TCP IPv4 Ethernet Phys. Layer HTTPS TLS-with-DANE DNS-over-TLS TLS TCP IPv6 Ethernet Phys. Layer libmicrohttpd libgnutls libunbound libnss Linux Linux = castrated version without RFC 6125 or RFC 6394, possibly NULL cipher, see TLS profiles draft. 11 / 51

29 DNSCurve DNSCurve Cache Public Key P c Private Key S c NS a.gtld-servers.net. NS uz5...hyw.iana-servers.net. DNS Server Root Zone a.root-servers.net. DNS Server.com a.gtld-servers.net. Pc, N, E ( N, E (A ) DNSCurve Server example.com uz5...hyw.iana-servers.net. 12 / 51

30 Namecoin Append registration to block chain Namecoin Client Local Copy of Block Chain Get copy of block chain P2P Network Block Chain 13 / 51

31 Zooko s Triangle Secure Global Memorable A name system can only fulfill two! 14 / 51

32 Zooko s Triangle Secure Cryptographic Identifiers Petname Systems Global Hierarchical Registration Memorable DNS,.onion IDs and /etc/hosts/ are representative designs. 15 / 51

33 Zooko s Triangle Secure mnemonic URLs Cryptographic Identifiers SDSI Petname Systems Global certificates Hierarchical Registration Memorable DNSSEC security is broken by design (adversary model!) 16 / 51

34 Namecoin 17 / 51

35 Namecoin Memorable: 17 / 51

36 Namecoin Memorable: Check Global: 17 / 51

37 Namecoin Memorable: Check Global: Check Secure: 17 / 51

38 Namecoin Memorable: Check Global: Check Secure: different adversary model! 17 / 51

39 Namecoin Memorable: Check Global: Check Secure: different adversary model! Availability of names (registration rate) is restricted 17 / 51

40 Namecoin Memorable: Check Global: Check Secure: different adversary model! Availability of names (registration rate) is restricted Adversary must not have 51% compute power 17 / 51

41 The GNU Name System 1 Properties of GNS Decentralized name system with secure memorable names Delegation used to achieve transitivity Achieves query and response privacy Provides alternative public key infrastructure Interoperable with DNS 1 Joint work with Martin Schanzenbach and Matthias Wachs 18 / 51

42 Zone Management: like in DNS 19 / 51

43 Name resolution in GNS Local Zone: K Bob pub www A Bob Bob's webserver K Bob priv Bob can locally reach his webserver via 20 / 51

44 Secure introduction Bob Builder, Ph.D. Address: Country, Street Name 23 Phone: Mobile: Mail: Bob gives his public key to his friends, possibly via QR code 21 / 51

45 Delegation Alice learns Bob s public key Alice creates delegation to zone Kpub Bob under label bob Alice can reach Bob s webserver via 22 / 51

46 Name Resolution DHT Bob Alice Bob 8FS7. www A Alice A47G. bob PKEY 8FS7. 23 / 51

47 Name Resolution 0 PUT 8FS7-www: DHT Bob Alice Bob 8FS7. www A Alice A47G. bob PKEY 8FS7. 24 / 51

48 Name Resolution 0 PUT 8FS7-www: DHT 1 Bob Alice Bob Alice 8FS7. A47G. www A bob PKEY 8FS7. 25 / 51

49 Name Resolution 0 PUT 8FS7-www: DHT 1 Bob Alice 2 'bob'? Bob 8FS7. www A Alice A47G. bob PKEY 8FS7. 26 / 51

50 Name Resolution 0 PUT 8FS7-www: DHT 1 Bob Alice 3 PKEY 8FS7! 2 'bob'? Bob 8FS7. www A Alice A47G. bob PKEY 8FS7. 27 / 51

51 Name Resolution 0 PUT 8FS7-www: DHT 4 8FS7-www? 1 Bob Alice 3 PKEY 8FS7! 2 'bob'? Bob 8FS7. www A Alice A47G. bob PKEY 8FS7. 28 / 51

52 Name Resolution 0 PUT 8FS7-www: DHT 4 8FS7-www? 1 Bob 5 A ! Alice 3 PKEY 8FS7! 2 'bob'? Bob 8FS7. www A Alice A47G. bob PKEY 8FS7. 29 / 51

53 GNS as PKI (via DANE/TLSA) 30 / 51

54 Privacy Issue: DHT 0 PUT 8FS7-www: DHT 4 8FS7-www? 1 Bob 5 A ! Alice 3 PKEY 8FS7! 2 'bob'? Bob 8FS7. www A Alice A47G. bob PKEY 8FS7. 31 / 51

55 Query Privacy: Terminology G generator in ECC curve, a point n size of ECC group, n := G, n prime x private ECC key of zone (x Z n ) P public key of zone, a point P := xg l label for record in a zone (l Z n ) R P,l q P,l B P,l set of records for label l in zone P query hash (hash code for DHT lookup) block with encrypted information for label l in zone P published in the DHT under q P,l 32 / 51

56 Query Privacy: Cryptography Publishing records R P,l as B P,l under key q P,l h : = H(l, P) (1) d : = h x mod n (2) B P,l : = S d (E HKDF (l,p) (R P,l )), dg (3) q P,l : = H(dG) (4) 33 / 51

57 Query Privacy: Cryptography Publishing records R P,l as B P,l under key q P,l h : = H(l, P) (1) d : = h x mod n (2) B P,l : = S d (E HKDF (l,p) (R P,l )), dg (3) q P,l : = H(dG) (4) Searching for records under label l in zone P h : = H(l, P) (5) q P,l : = H(hP) = H(hxG) = H(dG) obtain B P,l (6) R P,l = D HKDF (l,p) (B P,l ) (7) 33 / 51

58 The GNU Name System (GNS) Bob s NSS.gnu = Pbob A Bob s GNS Service Pbob zone database carol PKEY Pcarol www A PUT (H(carol, Pbob), E(PKEY Pcarol)) PUT (H(www, Pbob), E(A )) Carols s GNS Service Pcarol zone database www A PUT (H(www, Pcarol), E(A )) GET (H(carol, Pbob)) DHT E (PKEY Pcarol) GET (H(www, Pcarol)) E (A ) P2P Network Alice s NSS.gnu = Palice A Alice s GNS Service A Palice zone database bob PKEY Pbob www A / 51

59 Revocation Revocation Basics Revocation certificate (RC): message signed with private key Peer receives new valid RC, floods to all neighbours All peers store all valid RCs forever Expensive operation proof-of-work 35 / 51

60 Revocation Revocation Basics Revocation certificate (RC): message signed with private key Peer receives new valid RC, floods to all neighbours All peers store all valid RCs forever Expensive operation proof-of-work Revocation Magic Peers maybe offline during initial flood Network might be temporarily partitioned Need to reconsile revocation sets on connect Whenever two peers establish a P2P connection, they must compute the set union of their RC sets! 35 / 51

61 The.zkey ptld LABELS.PKEY.zkey format PKEY is the public key of the zone Works a bit like.onion Globally unique identifiers! Bob Builder, Ph.D. Address: Country, Street Name 23 Phone: Mobile: Mail: bob@h2r84l4jil3g5c.zkey 36 / 51

62 NICKnames alice.bob.carol.dave.gnu is a bit long for Edward (.gnu ) Also, we need to trust Bob, Carol and Dave (for each lookup) Finally, Alice would have liked to be called Krista (just Bob calls her Alice) 37 / 51

63 NICKnames alice.bob.carol.dave.gnu is a bit long for Edward (.gnu ) Also, we need to trust Bob, Carol and Dave (for each lookup) Finally, Alice would have liked to be called Krista (just Bob calls her Alice) NICK records allow Krista to specify her preferred NICKname GNS adds a NICK record to each record set automatically Eve learns the NICK, and GNS creates krista.short.gnu 37 / 51

64 NICKnames alice.bob.carol.dave.gnu is a bit long for Edward (.gnu ) Also, we need to trust Bob, Carol and Dave (for each lookup) Finally, Alice would have liked to be called Krista (just Bob calls her Alice) NICK records allow Krista to specify her preferred NICKname GNS adds a NICK record to each record set automatically Eve learns the NICK, and GNS creates krista.short.gnu Memorable, short trust path in the future! TOFU! Krista better pick a reasonably unique NICK. 37 / 51

65 Shadow Records Records change Expiration time controls validity, like in DNS DHT propagation has higher delays, compared to DNS 38 / 51

66 Shadow Records Records change Expiration time controls validity, like in DNS DHT propagation has higher delays, compared to DNS SHADOW is a flag in a record Shadow records are only valid if no other, non-expired record of the same type exists 38 / 51

67 Practical Concerns Name registration Support for browsing New record types Integration with applications State of the implementation 39 / 51

68 Registering a name in GNS Bob gives his PKEY to his friends via QR code or registers it at the GNUnet fcfs authority pin.gnu as bob Bob s friends can resolve his records via *.petname.gnu or *.bob.pin.gnu 40 / 51

69 From DNS to GNS Names are not globally unique, but we need support for Virtual Hosting!... we need support for SSL! 41 / 51

70 From DNS to GNS Names are not globally unique, but we need support for Virtual Hosting!... we need support for SSL! Solution: Client Side SOCKS Proxy 41 / 51

71 Legacy Hostname (LEHO) Records LEHO records give a hint about the DNS name the server expects. Dave HTTP GET HTTP GET Host: Local Proxy Host: <a href= " <a href= " 42 / 51

72 Legacy Hostname (LEHO) Records LEHO records give a hint about the DNS name the server expects. Dave HTTP GET HTTP GET Host: Local Proxy Host: <a href= " <a href= " HTTP GET Host: Local Proxy HTTP GET Host: Alice Server 42 / 51

73 Long-Term Vision Integration with browser and HTTP server HTTP server receives GNS-Zone: PKEY instead of Hostname HTTP client uses TLSA record of GNS, instead of LEHO 43 / 51

74 Relative Names GNS records can contain.+ CNAME: server1.+ MX: mail.+.+ stands for relative to current zone Supporting this for links in browsers would be nice, too. 44 / 51

75 New Record Types PKEY: delegate to another GNS zone NICK: preferred names for shortening LEHO: legacy hostname 45 / 51

76 New Record Types PKEY: delegate to another GNS zone NICK: preferred names for shortening LEHO: legacy hostname GNS2DNS: delegate to DNS VPN: peers hosting TCP/IP services PHONE: call users using gnunet-conversation 45 / 51

77 DNS Delegation Delegate to DNS using GNS2DNS records GNS2DNS record specifies: Name of DNS resolver (i.e. ns1.example.com or piratedns.+ ) DNS domain to continue resolution in (i.e. example.com or piratebay.org ) GNS will first resolve DNS resolver name to A/AAAA record GNS will then resolve left.of.gns2dns.example.com using DNS 46 / 51

78 VPN Delegation Delegates to GNUnet VPN VPN record specifies: Identity of hosting peer (no anonymity!) Service identifier (hash code) GNS can map VPN record to A/AAAA record of gnunet-vpn tunnel 47 / 51

79 PHONE service PHONE record specifies: Identity of hosting peer (no anonymity yet!) Line number (to support multiple phones per peer) 48 / 51

80 Application Integration SOCKS proxy (gnunet-gns-proxy) NSS plugin DNS packet interception (gnunet-dns-service) GNS (C) API GNS (IPC) protocol GNS command-line tool 49 / 51

81 Current State GNS part of GNUnet since Crypto changed to Curve25519 in Internationalized Domain Names are supported 50 / 51

82 Current State GNS part of GNUnet since Crypto changed to Curve25519 in Internationalized Domain Names are supported Installation is non-trivial (for your parents) Needs more work on reverse lookup 50 / 51

83 Privacy summary Method Defense against MiTM Zone privacy Privacy vs. network Privacy vs. operator DNS DNSSEC DNSCurve DNS-over-TLS n/a Namecoin GNS Traffic amplification resistance Censorship resistance Ease of migration EDNS0 51 / 51

84 Key management summary Suitable for personal use Memorable Decentralised Modern cryptography Understandable Exposes metadata Transitive DNS DNSSEC DNSCurve DNS-over-TLS TLS-X.509 Web of Trust TOFU SMP/PANDA Namecoin GNS 52 / 51

85 Conclusion We have decentralized the PKI Privacy and security are preserved 53 / 51

86 Conclusion We have decentralized the PKI Privacy and security are preserved 53 / 51

87 Do you have any questions? References: Nathan Evans and Christian Grothoff. R 5 N. Randomized Recursive Routing for Restricted-Route Networks. 5th International Conference on Network and System Security, Matthias Wachs, Martin Schanzenbach and Christian Grothoff. On the Feasibility of a Censorship Resistant Decentralized Name System. 6th International Symposium on Foundations & Practice of Security, M. Schanzenbach Design and Implementation of a Censorship Resistant and Fully Decentralized Name System. Master s Thesis (TUM), / 51

Towards Secure Name Resolution on the Internet

Towards Secure Name Resolution on the Internet C. Grothoff M. Wachs M. Ermert J. Appelbaum 26.2.2017 The Domain Name System is the Achilles heel of the Web. Tim Berners-Lee Security Goals for Name Systems