2
0

keyconcepts.texi 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325
  1. @cindex Key Concepts
  2. @node Key Concepts
  3. @chapter Key Concepts
  4. In this section, the fundamental concepts of GNUnet are explained.
  5. @c FIXME: Use @uref{https://docs.gnunet.org/bib/, research papers}
  6. @c once we have the new bibliography + subdomain setup.
  7. Most of them are also described in our research papers.
  8. First, some of the concepts used in the GNUnet framework are detailed.
  9. The second part describes concepts specific to anonymous file-sharing.
  10. @menu
  11. * Authentication::
  12. * Accounting to Encourage Resource Sharing::
  13. * Confidentiality::
  14. * Anonymity::
  15. * Deniability::
  16. * Peer Identities::
  17. * Zones in the GNU Name System (GNS Zones)::
  18. * Egos::
  19. @end menu
  20. @cindex Authentication
  21. @node Authentication
  22. @section Authentication
  23. Almost all peer-to-peer communications in GNUnet are between mutually
  24. authenticated peers. The authentication works by using ECDHE, that is a
  25. DH (Diffie---Hellman) key exchange using ephemeral elliptic curve
  26. cryptography. The ephemeral ECC (Elliptic Curve Cryptography) keys are
  27. signed using ECDSA (@uref{http://en.wikipedia.org/wiki/ECDSA, ECDSA}).
  28. The shared secret from ECDHE is used to create a pair of session keys
  29. @c FIXME: Long word for HKDF. More FIXMEs: Explain MITM etc.
  30. (using HKDF) which are then used to encrypt the communication between the
  31. two peers using both 256-bit AES (Advanced Encryption Standard)
  32. and 256-bit Twofish (with independently derived secret keys).
  33. As only the two participating hosts know the shared secret, this
  34. authenticates each packet
  35. without requiring signatures each time. GNUnet uses SHA-512
  36. (Secure Hash Algorithm) hash codes to verify the integrity of messages.
  37. @c FIXME: A while back I got the feedback that I should try and integrate
  38. @c explanation boxes in the long-run. So we could explain
  39. @c "man-in-the-middle" and "man-in-the-middle attacks" and other words
  40. @c which are not common knowledge. MITM is not common knowledge. To be
  41. @c selfcontained, we should be able to explain words and concepts used in
  42. @c a chapter or paragraph without hinting at Wikipedia and other online
  43. @c sources which might not be available or accessible to everyone.
  44. @c On the other hand we could write an introductionary chapter or book
  45. @c that we could then reference in each chapter, which sound like it
  46. @c could be more reusable.
  47. In GNUnet, the identity of a host is its public key. For that reason,
  48. man-in-the-middle attacks will not break the authentication or accounting
  49. goals. Essentially, for GNUnet, the IP of the host has nothing to do with
  50. the identity of the host. As the public key is the only thing that truly
  51. matters, faking an IP, a port or any other property of the underlying
  52. transport protocol is irrelevant. In fact, GNUnet peers can use
  53. multiple IPs (IPv4 and IPv6) on multiple ports --- or even not use the
  54. IP protocol at all (by running directly on layer 2).
  55. @c FIXME: "IP protocol" feels wrong, but could be what people expect, as
  56. @c IP is "the number" and "IP protocol" the protocol itself in general
  57. @c knowledge?
  58. @c NOTE: For consistency we will use @code{HELLO}s throughout this Manual.
  59. GNUnet uses a special type of message to communicate a binding between
  60. public (ECC) keys to their current network address. These messages are
  61. commonly called @code{HELLO}s or @code{peer advertisements}.
  62. They contain the public key of the peer and its current network
  63. addresses for various transport services.
  64. A transport service is a special kind of shared library that
  65. provides (possibly unreliable, out-of-order) message delivery between
  66. peers.
  67. For the UDP and TCP transport services, a network address is an IP and a
  68. port.
  69. GNUnet can also use other transports (HTTP, HTTPS, WLAN, etc.) which use
  70. various other forms of addresses. Note that any node can have many
  71. different active transport services at the same time,
  72. and each of these can have a different addresses.
  73. Binding messages expire after at most a week (the timeout can be
  74. shorter if the user configures the node appropriately).
  75. This expiration ensures that the network will eventually get rid of
  76. outdated advertisements.
  77. For more information, refer to the following paper:
  78. Ronaldo A. Ferreira, Christian Grothoff, and Paul Ruth.
  79. A Transport Layer Abstraction for Peer-to-Peer Networks
  80. Proceedings of the 3rd International Symposium on Cluster Computing
  81. and the Grid (GRID 2003), 2003.
  82. (@uref{https://git.gnunet.org/bibliography.git/plain/docs/transport.pdf, https://git.gnunet.org/bibliography.git/plain/docs/transport.pdf})
  83. @cindex Accounting to Encourage Resource Sharing
  84. @node Accounting to Encourage Resource Sharing
  85. @section Accounting to Encourage Resource Sharing
  86. Most distributed P2P networks suffer from a lack of defenses or
  87. precautions against attacks in the form of freeloading.
  88. While the intentions of an attacker and a freeloader are different, their
  89. effect on the network is the same; they both render it useless.
  90. Most simple attacks on networks such as @command{Gnutella}
  91. involve flooding the network with traffic, particularly
  92. with queries that are, in the worst case, multiplied by the network.
  93. In order to ensure that freeloaders or attackers have a minimal impact
  94. on the network, GNUnet's file-sharing implementation (@code{FS}) tries
  95. to distinguish good (contributing) nodes from malicious (freeloading)
  96. nodes. In GNUnet, every file-sharing node keeps track of the behavior
  97. of every other node it has been in contact with. Many requests
  98. (depending on the application) are transmitted with a priority (or
  99. importance) level. That priority is used to establish how important
  100. the sender believes this request is. If a peer responds to an
  101. important request, the recipient will increase its trust in the
  102. responder: the responder contributed resources. If a peer is too busy
  103. to answer all requests, it needs to prioritize. For that, peers do
  104. not take the priorities of the requests received at face value.
  105. First, they check how much they trust the sender, and depending on
  106. that amount of trust they assign the request a (possibly lower)
  107. effective priority. Then, they drop the requests with the lowest
  108. effective priority to satisfy their resource constraints. This way,
  109. GNUnet's economic model ensures that nodes that are not currently
  110. considered to have a surplus in contributions will not be served if
  111. the network load is high.
  112. For more information, refer to the following paper:
  113. Christian Grothoff. An Excess-Based Economic Model for Resource
  114. Allocation in Peer-to-Peer Networks. Wirtschaftsinformatik, June 2003.
  115. (@uref{https://git.gnunet.org/bibliography.git/plain/docs/ebe.pdf, https://git.gnunet.org/bibliography.git/plain/docs/ebe.pdf})
  116. @cindex Confidentiality
  117. @node Confidentiality
  118. @section Confidentiality
  119. Adversaries (malicious, bad actors) outside of GNUnet are not supposed
  120. to know what kind of actions a peer is involved in. Only the specific
  121. neighbor of a peer that is the corresponding sender or recipient of a
  122. message may know its contents, and even then application protocols may
  123. place further restrictions on that knowledge. In order to ensure
  124. confidentiality, GNUnet uses link encryption, that is each message
  125. exchanged between two peers is encrypted using a pair of keys only
  126. known to these two peers. Encrypting traffic like this makes any kind
  127. of traffic analysis much harder. Naturally, for some applications, it
  128. may still be desirable if even neighbors cannot determine the concrete
  129. contents of a message. In GNUnet, this problem is addressed by the
  130. specific application-level protocols. See for example the following
  131. sections @pxref{Anonymity}, @pxref{How file-sharing achieves Anonymity},
  132. and @pxref{Deniability}.
  133. @cindex Anonymity
  134. @node Anonymity
  135. @section Anonymity
  136. @menu
  137. * How file-sharing achieves Anonymity::
  138. @end menu
  139. Providing anonymity for users is the central goal for the anonymous
  140. file-sharing application. Many other design decisions follow in the
  141. footsteps of this requirement.
  142. Anonymity is never absolute. While there are various
  143. scientific metrics
  144. (Claudia Díaz, Stefaan Seys, Joris Claessens,
  145. and Bart Preneel. Towards measuring anonymity.
  146. 2002.
  147. (@uref{https://git.gnunet.org/bibliography.git/plain/docs/article-89.pdf, https://git.gnunet.org/bibliography.git/plain/docs/article-89.pdf}))
  148. that can help quantify the level of anonymity that a given mechanism
  149. provides, there is no such thing as "complete anonymity".
  150. GNUnet's file-sharing implementation allows users to select for each
  151. operation (publish, search, download) the desired level of anonymity.
  152. The metric used is based on the amount of cover traffic needed to hide
  153. the request.
  154. While there is no clear way to relate the amount of available cover
  155. traffic to traditional scientific metrics such as the anonymity set or
  156. information leakage, it is probably the best metric available to a
  157. peer with a purely local view of the world, in that it does not rely
  158. on unreliable external information or a particular adversary model.
  159. The default anonymity level is @code{1}, which uses anonymous routing
  160. but imposes no minimal requirements on cover traffic. It is possible
  161. to forego anonymity when this is not required. The anonymity level of
  162. @code{0} allows GNUnet to use more efficient, non-anonymous routing.
  163. @cindex How file-sharing achieves Anonymity
  164. @node How file-sharing achieves Anonymity
  165. @subsection How file-sharing achieves Anonymity
  166. Contrary to other designs, we do not believe that users achieve strong
  167. anonymity just because their requests are obfuscated by a couple of
  168. indirections. This is not sufficient if the adversary uses traffic
  169. analysis.
  170. The threat model used for anonymous file sharing in GNUnet assumes that
  171. the adversary is quite powerful.
  172. In particular, we assume that the adversary can see all the traffic on
  173. the Internet. And while we assume that the adversary
  174. can not break our encryption, we assume that the adversary has many
  175. participating nodes in the network and that it can thus see many of the
  176. node-to-node interactions since it controls some of the nodes.
  177. The system tries to achieve anonymity based on the idea that users can be
  178. anonymous if they can hide their actions in the traffic created by other
  179. users.
  180. Hiding actions in the traffic of other users requires participating in the
  181. traffic, bringing back the traditional technique of using indirection and
  182. source rewriting. Source rewriting is required to gain anonymity since
  183. otherwise an adversary could tell if a message originated from a host by
  184. looking at the source address. If all packets look like they originate
  185. from one node, the adversary can not tell which ones originate from that
  186. node and which ones were routed.
  187. Note that in this mindset, any node can decide to break the
  188. source-rewriting paradigm without violating the protocol, as this
  189. only reduces the amount of traffic that a node can hide its own traffic
  190. in.
  191. If we want to hide our actions in the traffic of other nodes, we must make
  192. our traffic indistinguishable from the traffic that we route for others.
  193. As our queries must have us as the receiver of the reply
  194. (otherwise they would be useless), we must put ourselves as the receiver
  195. of replies that actually go to other hosts; in other words, we must
  196. indirect replies.
  197. Unlike other systems, in anonymous file-sharing as implemented on top of
  198. GNUnet we do not have to indirect the replies if we don't think we need
  199. more traffic to hide our own actions.
  200. This increases the efficiency of the network as we can indirect less under
  201. higher load.
  202. Refer to the following paper for more:
  203. Krista Bennett and Christian Grothoff.
  204. GAP --- practical anonymous networking. In Proceedings of
  205. Designing Privacy Enhancing Technologies, 2003.
  206. (@uref{https://git.gnunet.org/bibliography.git/plain/docs/aff.pdf, https://git.gnunet.org/bibliography.git/plain/docs/aff.pdf})
  207. @cindex Deniability
  208. @node Deniability
  209. @section Deniability
  210. Even if the user that downloads data and the server that provides data are
  211. anonymous, the intermediaries may still be targets. In particular, if the
  212. intermediaries can find out which queries or which content they are
  213. processing, a strong adversary could try to force them to censor
  214. certain materials.
  215. With the file-encoding used by GNUnet's anonymous file-sharing, this
  216. problem does not arise.
  217. The reason is that queries and replies are transmitted in
  218. an encrypted format such that intermediaries cannot tell what the query
  219. is for or what the content is about. Mind that this is not the same
  220. encryption as the link-encryption between the nodes. GNUnet has
  221. encryption on the network layer (link encryption, confidentiality,
  222. authentication) and again on the application layer (provided
  223. by @command{gnunet-publish}, @command{gnunet-download},
  224. @command{gnunet-search} and @command{gnunet-fs-gtk}).
  225. Refer to the following paper for more:
  226. Christian Grothoff, Krista Grothoff, Tzvetan Horozov,
  227. and Jussi T. Lindgren.
  228. An Encoding for Censorship-Resistant Sharing.
  229. 2009.
  230. (@uref{https://git.gnunet.org/bibliography.git/plain/docs/ecrs.pdf, https://git.gnunet.org/bibliography.git/plain/docs/ecrs.pdf})
  231. @cindex Peer Identities
  232. @node Peer Identities
  233. @section Peer Identities
  234. Peer identities are used to identify peers in the network and are unique
  235. for each peer. The identity for a peer is simply its public key, which is
  236. generated along with a private key the peer is started for the first time.
  237. While the identity is binary data, it is often expressed as ASCII string.
  238. For example, the following is a peer identity as you might see it in
  239. various places:
  240. @example
  241. UAT1S6PMPITLBKSJ2DGV341JI6KF7B66AC4JVCN9811NNEGQLUN0
  242. @end example
  243. @noindent
  244. You can find your peer identity by running @command{gnunet-peerinfo -s}.
  245. @cindex Zones in the GNU Name System (GNS Zones)
  246. @node Zones in the GNU Name System (GNS Zones)
  247. @section Zones in the GNU Name System (GNS Zones)
  248. @c FIXME: Explain or link to an explanation of the concept of public keys
  249. @c and private keys.
  250. @c FIXME: Rewrite for the latest GNS changes.
  251. GNS zones are similar to those of DNS zones, but instead of a hierarchy of
  252. authorities to governing their use, GNS zones are controlled by a private
  253. key.
  254. When you create a record in a DNS zone, that information is stored in your
  255. nameserver. Anyone trying to resolve your domain then gets pointed
  256. (hopefully) by the centralised authority to your nameserver.
  257. Whereas GNS, being fully decentralized by design, stores that information
  258. in DHT. The validity of the records is assured cryptographically, by
  259. signing them with the private key of the respective zone.
  260. Anyone trying to resolve records in a zone of your domain can then verify
  261. the signature of the records they get from the DHT and be assured that
  262. they are indeed from the respective zone.
  263. To make this work, there is a 1:1 correspondence between zones and
  264. their public-private key pairs.
  265. So when we talk about the owner of a GNS zone, that's really the owner of
  266. the private key.
  267. And a user accessing a zone needs to somehow specify the corresponding
  268. public key first.
  269. For more information, refer to the following paper:
  270. Matthias Wachs, Martin Schanzenbach, and Christian Grothoff.
  271. A Censorship-Resistant, Privacy-Enhancing and Fully Decentralized Name
  272. System. In proceedings of 13th International Conference on Cryptology and
  273. Network Security (CANS 2014). 2014.
  274. @uref{https://git.gnunet.org/bibliography.git/plain/docs/gns2014wachs.pdf, https://git.gnunet.org/bibliography.git/plain/docs/gns2014wachs.pdf}
  275. @cindex Egos
  276. @node Egos
  277. @section Egos
  278. @c what is the difference between peer identity and egos? It seems
  279. @c like both are linked to public-private key pair.
  280. Egos are your "identities" in GNUnet. Any user can assume multiple
  281. identities, for example to separate their activities online. Egos can
  282. correspond to "pseudonyms" or "real-world identities". Technically an
  283. ego is first of all a key pair of a public- and private-key.