The Architecture of the GNUnet: 45 Subsystems in 45 Minutes

Transcription

1 The Architecture of the GNUnet: 45 Subsystems in 45 Minutes Christian Grothoff Inria Rennes Bretagne Atlantique Never doubt your ability to change the world. Glenn Greenwald

2 The Internet is Broken Network generally learns too much Insecure defaults and high system complexity Centralized Internet infrastructure requires administation: Number resources (IANA) Domain Name System (Root zone) X.509 CAs (HTTPS certificates) Administrators have power, and power attracts attackers Self-organizing systems aka P2P systems offer a way forward!

3 Our Vision (Simplified) Internet Google DNS/X.509 TCP/UDP IP/BGP Ethernet Phys. Layer

4 Our Vision (Simplified) Internet Google DNS/X.509 TCP/UDP IP/BGP Ethernet Phys. Layer HTTPS/TCP/WLAN/...

5 Our Vision (Simplified) Internet Google DNS/X.509 TCP/UDP IP/BGP Ethernet Phys. Layer CORE (OTR) HTTPS/TCP/WLAN/...

6 Our Vision (Simplified) Internet Google DNS/X.509 TCP/UDP IP/BGP Ethernet Phys. Layer R 5 N DHT CORE (OTR) HTTPS/TCP/WLAN/...

7 Our Vision (Simplified) Internet Google DNS/X.509 TCP/UDP IP/BGP Ethernet Phys. Layer CADET (Axolotl+SCTP) R 5 N DHT CORE (OTR) HTTPS/TCP/WLAN/...

8 Our Vision (Simplified) Internet Google DNS/X.509 TCP/UDP IP/BGP Ethernet Phys. Layer GNU Name System CADET (Axolotl+SCTP) R 5 N DHT CORE (OTR) HTTPS/TCP/WLAN/...

9 Our Vision (Simplified) Internet Google DNS/X.509 TCP/UDP IP/BGP Ethernet Phys. Layer Applications GNU Name System CADET (Axolotl+SCTP) R 5 N DHT CORE (OTR) HTTPS/TCP/WLAN/...

10 Our Vision (Simplified) Internet Google DNS/X.509 TCP/UDP IP/BGP Ethernet Phys. Layer GNUnet Applications GNU Name System CADET (Axolotl+SCTP) R 5 N DHT CORE (OTR) HTTPS/TCP/WLAN/...

11 Today: 45 things to do with GNUnet A fast tour-de-force through GNUnet s features Features for users, developers and researchers What you can do, not how it is done

12 C library Safer C: GNUNET malloc(), GNUNET asprintf(),... Containers: multi hash map, Bloom filter, heap,... Networking: event loop, socket abstraction (client, server) Initialization: find paths, parse configuration, parse options Disk: buffered and unbuffered IO, endianess conversion, logging

13 Cryptographic primitives RNG, permutation AES, Twofish SHA-512, SHA-256, SCRYPT, HKDF, CRC32, CRC16 Curve25519 point addition, Curve25519 point multiplication, small-scalar Curve25519-DLOG EdDSA, ECDHE Paillier (homomorphic addition) RSA blind signatures

14 The Automated Restart Manager (ARM) Starts services on-demand (like systemd) Automatically restarts crashed services (like ARM on OS/360) Can provide performance data per service gnunet-arm -e only terminates after peer is fully down Simple API: GNUNET ARM request service start(), GNUNET ARM request service stop(), etc.

15 Transport Unreliable, out-of-order packet delivery semantics Over TCP, UDP, IPv4/IPv6, HTTP/HTTPS, WLAN or BT (pluggable) Enforces bandwidth quotas Enforces connection restrictions (F2F) Supports NAT traversal Supports bootstrap via broadcast/multicast Measures network latency UDP/WLAN/BT: Fragments large messages (including ACKs and selective retransmission)

16 Distance-Vector Routing (WiP) Transport plugin Bounded (i.e. 3 hops) distance-vector routing Provides illusion of direct connections

17 Automated Transport Selection (ATS) Decides which connections to establish Selects best transport plugin to use Allocates bandwidth to peers by network technology (LO, LAN, WAN, WLAN) Allows other subsystems to specify preferences: Which peers? Minimize latency? Maximize bandwidth?

18 CORE Off-the-record link encryption between peers Multiplexes inbound messages by type to higher-level subsystems Hides connections from/to peers that do not speak same higher-level protocol

19 HOSTLIST Allows download of known peer addresses for bootstrapping HTTP client and HTTP server provided URLs from configuration or learned via gossip among peers

20 The Network Size Estimate (NSE) Gives estimate of log n where n is number of active peers (with reasonable lifetime) All peers converge to the same network size estimate Extremely cheap (bandwidth, storage & amortized CPU cost) Byzantine fault-tolerant Malicious attacker can only slightly increase size estimate Trivial API: GNUNET NSE connect()

21 Distributed Hash Table (DHT) Store key-value pairs in overlay network Replication in the network Multiple values per key possible Duplicate/known replies not transmitted repeatedly Tolerates small-world underlay topology Can optionally track path key-values took in the network O( n log n) lookup complexity, O(log n) hops Plugins provide custom logic to verify integrity of key-value pairs in DHT Simple API: GNUNET DHT get(), GNUNET DHT put(), GNUNET DHT monitor start()

22 Confidential Ad-Hoc Decentralised End-to-End Transport AXOLOTL-encrypted end-to-end communication Reliable or unreliable In-order or out-of-order Low-latency or buffered Multiple streams duplexed over one authenticated encrypted channel Encrypted channel multiplexed over multiple, redundant paths Easy API: GNUNET CADET connect(), GNUNET CADET channel create(), GNUNET CADET notify transmit ready()

23 Identity (management) Public key pairs as egos to identify users Each user can have many alter-egos (or pseudonyms) Separate from peer identities (network addresses)

24 The GNU Name System (GNS) Decentralized name system with secure memorable names Delegation used to achieve transitivity Also supports globally unique, secure identifiers Achieves query and response privacy Provides alternative public key infrastructure Interoperable with DNS Trivial API: GNUNET GNS connect(), GNUNET GNS lookup()

25 (Key) revocation Instant revocation at all peers that the network allowed to receive it Highly efficient protocol Revocation messages can be prepared and stored off-line if desired Trivial API: GNUNET REVOCATION revoke(), GNUNET REVOCATION query()

26 Set Compute set union or set intersection Surprisingly low bandwidth required Few round trips, but non-deterministic

27 Scalarproduct (SMC) Given private maps a : A Z and b : B Z, calculates scalar product a(e)b(e) (1) e A B Bandwidth-efficient at 100 bytes/element CPU-efficient with runtime in milliseconds/element Only leaks information derivable from final result and prior knowledge Result only disclosed to one party Assumes honest-but-curious adversary model Trivial API: GNUNET SCALARPRODUCT start computation(), GNUNET SCALARPRODUCT accept computation()

28 Random Peer Sampling (WiP) Selects a random peer, or sequence of random peers Fully decentralised Byzantine fault-tolerant

29 Multicast (WiP) Source controls membership in multicast group End-to-end encrypted Source does not have to KX with each group member Members that left really can no longer read messages

30 PSYC2 Extensible messaging format: syntax and semantics Stateful protocol with state updates using deltas Efficient encoding and decoding (in bandwidth and CPU) Runs on top of Multicast

31 Social (Network Applications) Combines PSYC2 and GNS to build social networking applications Key concepts: nym pseudonym of another user in the network place where social interactions happen host owner of a place guest visitor of a place API then offers vocabulary: enter, leave, host eject, host entry decision, host announce, guest talk, place history replay, place look at

32 SecuShare (WiP) Social networking application using SOCIAL API GUI written with Qt

33 Statistics Collects numeric run-time information from a peer Used for primarily for diagnostic monitoring and performance evaluation Trivial API: GNUNET STATISTICS set(), GNUNET STATISTICS update(), GNUNET STATISTICS get()

34 The Testbed Run controlled experiments Detect available ports, generate configurations Share services across peers for higher efficiency (i.e. DNS resolver) Connect peers into custom network topologies Run peers with non-uniform configurations Run multiple peers on one host Run testbed across multiple hosts Control large-scale execution with hierarchy of testbed controllers Launch thousands of peers per second

35 Conversation GNU Name System PKI: Address book GNS zone make calls to phone.alice.bob.gnu OPUS-encoded voice streams CADET end-to-end encryption Clean API, command-line and GTK user interfaces put calls on hold, etc. still lacks ringtones!

36 File- Sharing Anonymous, pseudonymous and non-anonymous publishing Files broken up into blocks (Merkle tree) Peers caching blocks cannot view contents (encrypted queries and replies) Multi-source download Contributing peers rewarded with better performance Keyword search File meta-data available as part of search result Can share directories, can mount shared directories via FUSE API, command-line and GTK GUIs

37 Search by REgular EXpression Service publisher advertises regular expression (!) Client searches using string Services where the RegEx matches string are returned Fully decentralised, uses R 5 N DHT Trivial API: GNUNET REGEX announce(), GNUNET REGEX search() Warning: non-trivial theory. Read up about RegEx prefixes before using.

38 DNS Integration Intercept DNS queries using iptables to: Observe DNS activity Drop DNS queries Supply alternative DNS replies Can be used to support GNS instead of NSS, proxies or GNS-specific resolution APIs

39 IP-over-GNUnet Open TUN interface to receive inbound IP traffic ( VPN ) Open TUN interface to forward IP traffic to Internet ( EXIT ) Translate between IPv4 and IPv6 as needed and implement NAT-PT for DNS ( PT ) Also allows routing IP traffic to a particular GNUnet peer Integrates with the GNU Name System

40 Byzantine Fault-tolerant Consensus Given a set of n peers with at most k malicious participants And a deadline (synchronous protocol!) and enough bandwidth for honest participants Compute the global union over a set of initial elements distributed across the n k honest participants Malicious participants may add additional (well-formed) elements All honest participants end up with exactl the same set Final set is super-set of union of initial elements at honest peers

41 Electronic Voting (SMC) 1 Implements Cramer 97-style electronic voting: correctness votes are counted correctly, one vote per voter secrecy voter s votes remain secret indi. verif. each voter can verify univ. verfi. third parties can verify fairness will not leak partial outcomes robustness a threshold faction of officials may be corrupt coercion res. Not offered! Adversary could verify that voter complied with his demands Three types of participants: supervisor affirms list of eligible voters, selects authorities authorities collect & verify ballots, tally results, provide audit data voter registers to vote, votes, submits ballot 1 Implemented in gnunet-java

42 RESTful APIs (WiP) Access GNUnet services via HTTP Plugin architecture Data encoded using JSON Used to buile Web service with JS for identity management

43 Taxable Anonymous Libre Electronic Reserves Payment system, not a new currency Client-server architecture, not peer-to-peer HTTP RESTful protocol (JSON over HTTP/HTTPS) Supposed to be used initially over Tor for anonymity Payer remains anonymous Payee easily identifiable by the government ( taxable ) Affero GPL server, GPL wallet, LGPL merchant logic Cheap transactions, can give change, supports refunds

44 secushare social voting conversation psyc secretsharing gns fs dv consensus revocation scalarproduct pt identity multicast exit set dns vpn rps cadet regex dht nse testbed hostlist topology core transport ats arm statistics rest taler util

45 GNUnet dependencies (generated by GNU Guix) Compile time: gnunet pkg-config-0.28 python glpk-4.56 gnurl gnutls libextractor-1.3 libgcrypt libidn-1.32 libmicrohttpd libltdl libunistring openssl-1.0.2d opus-1.1 pulseaudio-6.0 sqlite zlib bzip gdbm-1.11 libffi-3.1 readline-6.3 tcl tk gmp-6.0.0a perl groff texinfo-6.0 which-2.21 guile libtasn1-4.5 nettle libtiff libjpeg-9a exiv flac ffmpeg-2.8 file-5.22 glib gstreamer gst-plugins-base libogg libvorbis libgpg-error-1.19 curl m speex-1.2rc1 dbus libcap-2.24 eudev alsa-lib json-c-0.12 libsndfile libsamplerate intltool fftwf avahi check ncurses-6.0 libxft fontconfig libx libxext xproto libxrender freetype-2.6 gs-fonts-8.11 expat inputproto xextproto xtrans kbproto libxcb-1.11 libxau util-macros renderproto python-wrapper xcb-proto-1.11 libxslt libpthread-stubs-0.3 libxdmcp python-minimal libxml bison psutils-17 ghostscript netpbm flex procps xz python-wrapper lcms-2.6 libjpeg-8d libpng libpaper bison indent python bash libgc libatomic-ops bc-1.06 yasm ladspa-1.13 lame libass libbluray libcaca-0.99.beta19 libcdio-paranoia libquvi libtheora libvpx libx openal soxr twolame xvid gettext coreutils-8.24 tzdata-2015c gobject-introspection pango libxv cdparanoia-10.2 orc xmlto fribidi harfbuzz enca-1.16 doxygen texlive-2015 freeglut ftgl rc5 mesa libcdio-0.93 cyrus-sasl libquvi-scripts lua util-linux-2.27 net-base-5.3 tar-1.28 cairo graphite icu4c-55.1 recode libspectre poppler pixman python2-fonttools-2.5 acl attr openjpeg cairo python2-setuptools graphviz texlive-bin-2015 texlive-texmf-2015 gts gd libxaw libxmu libxpm libxt libice libsm fontforge b mpfr potrace-1.11 ruby tcsh teckit zziplib lua giflib libxi libspiro libuninameslist autoconf-2.69 automake-1.15 libtool zip-3.0 libxfixes fixesproto-5.0 autoconf-wrapper-2.69 autoconf-wrapper-2.69 libxrandr libxxf86vm xinput glu dri2proto-2.8 dri3proto-1.0 presentproto-1.0 libva-without-mesa libxvmc makedepend s2tc-1.0 glproto libdrm libxdamage libxshmfence-1.1 randrproto xf86vidmodeproto libxinerama gperf kmod-17 mesa-headers libpciaccess damageproto videoproto xineramaproto help2man libcddb gss libssh openldap mit-krb shishi bdb linux-pam libgcrypt fftw perl-xml-parser-2.44 libdaemon-0.14 Runtime: gnunet libltdl libidn-1.32 bash nettle libmicrohttpd zlib libgcrypt gnutls gnurl libunistring glpk-4.56 glibc-2.22 python gmp-6.0.0a libgpg-error-1.19 libtasn1-4.5 sqlite libextractor-1.3 gcc lib ncurses-6.0 readline-6.3 guile libgc libatomic-ops libffi-3.1 bash-static readline-6.3 ncurses-6.0 libxdmcp libxau xproto tk kbproto libxcb-1.11 xz coreutils-8.24 libx tcl gdbm-1.11 libpthread-stubs-0.3 xextproto util-macros libxext openssl-1.0.2d expat exiv libvorbis libtiff gst-plugins-base flac libjpeg-9a libogg glib orc file-5.22 ffmpeg-2.8 gstreamer pkg-config-0.28 fontconfig libxft acl libcap-2.24 gmp-6.0.0a gs-fonts-8.11 freetype-2.6 libxrender attr libxv pixman pango cairo libpng alsa-lib graphite libtheora cdparanoia-10.2 harfbuzz bash pulseaudio-6.0 libcdio-0.93 libcaca-0.99.beta19 lame openal libx libcdio-paranoia libbluray xvid twolame speex-1.2rc1 opus-1.1 soxr libass libvpx libquvi icu4c-55.1 avahi dbus libcap-2.24 json-c-0.12 libsndfile fftwf eudev libcddb libxxf86vm ftgl rc5 libxfixes libdrm glu libxshmfence-1.1 mesa libxdamage freeglut libxml enca-1.16 fribidi gss shishi libquvi-scripts curl libssh lua cyrus-sasl openldap libgcrypt libdaemon-0.14 attr kmod-17 libpciaccess libxvmc s2tc-1.0 libxi libxrandr recode curl doc mit-krb bdb Close inspection shows: Guix didn t build all of it.

46 Future Work Improve all of the above, in particular the WiPs Onion routing Asynchronous messaging Secure auctions News distribution / timeline construction Collaborative editing Multiparty linear programming

47 Conclusion GNUnet provides foundations for an alternative network stack More work needs to be done: SMTP 2.0, Web 3.0, Tor 2.0,... If what you need is not there, help us add it!

48 Do you have any questions? References: Nathan Evans and Christian Grothoff. R 5 N. Randomized Recursive Routing for Restricted-Route Networks. 5th International Conference on Network and System Security, M. Schanzenbach Design and Implementation of a Censorship Resistant and Fully Decentralized Name System. Master s Thesis (TUM), Christian Grothoff, Bart Polot and Carlo von Loesch. The Internet is broken: Idealistic Ideas for Building a GNU Network. W3C/IAB Workshop on Strengthening the Internet Against Pervasive Monitoring (STRINT), Matthias Wachs, Martin Schanzenbach and Christian Grothoff. A Censorship-Resistant, Privacy-Enhancing and Fully Decentralized Name System. 13th International Conference on Cryptology and Network Security, 2014.