diff options
Diffstat (limited to 'doc/chapters/philosophy.texi')
-rw-r--r-- | doc/chapters/philosophy.texi | 335 |
1 files changed, 335 insertions, 0 deletions
diff --git a/doc/chapters/philosophy.texi b/doc/chapters/philosophy.texi new file mode 100644 index 000000000..56c9bb552 --- /dev/null +++ b/doc/chapters/philosophy.texi | |||
@@ -0,0 +1,335 @@ | |||
1 | @c *************************************************************************** | ||
2 | @node Philosophy | ||
3 | @chapter Philosophy | ||
4 | |||
5 | The foremost goal of the GNUnet project is to become a widely used, | ||
6 | reliable, open, non-discriminating, egalitarian, unfettered and | ||
7 | censorship-resistant system of free information exchange. | ||
8 | We value free speech above state secrets, law-enforcement or | ||
9 | intellectual property. GNUnet is supposed to be an anarchistic network, | ||
10 | where the only limitation for peers is that they must contribute enough | ||
11 | back to the network such that their resource consumption does not have | ||
12 | a significant impact on other users. GNUnet should be more than just | ||
13 | another file-sharing network. The plan is to offer many other services | ||
14 | and in particular to serve as a development platform for the next | ||
15 | generation of decentralized Internet protocols. | ||
16 | |||
17 | @menu | ||
18 | * Design Goals:: | ||
19 | * Security & Privacy:: | ||
20 | * Versatility:: | ||
21 | * Practicality:: | ||
22 | * Key Concepts:: | ||
23 | @end menu | ||
24 | |||
25 | |||
26 | @c *************************************************************************** | ||
27 | @node Design Goals | ||
28 | @section Design Goals | ||
29 | |||
30 | These are the core GNUnet design goals, in order of relative importance: | ||
31 | |||
32 | @itemize | ||
33 | @item GNUnet must be implemented as free software. | ||
34 | @item The GNUnet must only disclose the minimal amount of information | ||
35 | necessary. | ||
36 | @item The GNUnet must be decentralised and survive Byzantine failures | ||
37 | in any position in the network. | ||
38 | @item The GNUnet must make it explicit to the user which entities must be | ||
39 | trustworthy when establishing secured communications. | ||
40 | @item The GNUnet must use compartmentalization to protect sensitive | ||
41 | information. | ||
42 | @item The GNUnet must be open and permit new peers to join. | ||
43 | @item The GNUnet must be self-organizing and not depend on administrators. | ||
44 | @item The GNUnet must support a diverse range of applications and devices. | ||
45 | @item The GNUnet architecture must be cost effective. | ||
46 | @item The GNUnet must provide incentives for peers to contribute more | ||
47 | resources than they consume. | ||
48 | @end itemize | ||
49 | |||
50 | |||
51 | @node Security & Privacy | ||
52 | @section Security & Privacy | ||
53 | |||
54 | GNUnet's primary design goals are to protect the privacy of its users and to | ||
55 | guard itself against attacks or abuse. GNUnet does not have any mechanisms | ||
56 | to control, track or censor users. Instead, the GNUnet protocols aim to make | ||
57 | it as hard as possible to find out what is happening on the network or to | ||
58 | disrupt operations. | ||
59 | |||
60 | @node Versatility | ||
61 | @section Versatility | ||
62 | |||
63 | We call GNUnet a peer-to-peer framework because we want to support many | ||
64 | different forms of peer-to-peer applications. GNUnet uses a plugin | ||
65 | architecture to make the system extensible and to encourage code reuse. | ||
66 | While the first versions of the system only supported anonymous file-sharing, | ||
67 | other applications are being worked on and more will hopefully follow in the | ||
68 | future. A powerful synergy regarding anonymity services is created by a large | ||
69 | community utilizing many diverse applications over the same software | ||
70 | infrastructure. The reason is that link encryption hides the specifics | ||
71 | of the traffic for non-participating observers. This way, anonymity can | ||
72 | get stronger with additional (GNUnet) traffic, even if the additional | ||
73 | traffic is not related to anonymous communication. Increasing anonymity is | ||
74 | the primary reason why GNUnet is developed to become a peer-to-peer | ||
75 | framework where many applications share the lower layers of an increasingly | ||
76 | complex protocol stack. If merging traffic to hinder traffic analysis was | ||
77 | not important, we could have just developed a dozen stand-alone applications | ||
78 | and a few shared libraries. | ||
79 | |||
80 | @node Practicality | ||
81 | @section Practicality | ||
82 | |||
83 | GNUnet allows participants to trade various amounts of security in exchange | ||
84 | for increased efficiency. However, it is not possible for any user's security | ||
85 | and efficiency requirements to compromise the security and efficiency of | ||
86 | any other user. | ||
87 | |||
88 | For GNUnet, efficiency is not paramount. If there is a more secure and still | ||
89 | practical approach, we would choose to take the more secure alternative. | ||
90 | @command{telnet} is more efficient than @command{ssh}, yet it is obsolete. | ||
91 | Hardware gets faster, and code can be optimized. Fixing security issues as | ||
92 | an afterthought is much harder. | ||
93 | |||
94 | While security is paramount, practicability is still a requirement. The most | ||
95 | secure system is always the one that nobody can use. Similarly, any | ||
96 | anonymous system that is extremely inefficient will only find few users. | ||
97 | However, good anonymity requires a large and diverse user base. Since | ||
98 | individual security requirements may vary, the only good solution here is to | ||
99 | allow individuals to trade-off security and efficiency. The primary challenge | ||
100 | in allowing this is to ensure that the economic incentives work properly. | ||
101 | In particular, this means that it must be impossible for a user to gain | ||
102 | security at the expense of other users. Many designs (e.g. anonymity via | ||
103 | broadcast) fail to give users an incentive to choose a less secure but more | ||
104 | efficient mode of operation. GNUnet should avoid where ever possible to | ||
105 | rely on protocols that will only work if the participants are benevolent. | ||
106 | While some designs have had widespread success while relying on parties | ||
107 | to observe a protocol that may be sub-optimal for the individuals (e.g. | ||
108 | TCP Nagle), a protocol that ensures that individual goals never conflict | ||
109 | with the goals of the group is always preferable. | ||
110 | |||
111 | @node Key Concepts | ||
112 | @section Key Concepts | ||
113 | |||
114 | In this section, the fundamental concepts of GNUnet are explained. Most of | ||
115 | them are also described in our research papers. First, some of the concepts | ||
116 | used in the GNUnet framework are detailed. The second part describes concepts | ||
117 | specific to anonymous file-sharing. | ||
118 | |||
119 | @menu | ||
120 | * Authentication:: | ||
121 | * Accounting to Encourage Resource Sharing:: | ||
122 | * Confidentiality:: | ||
123 | * Anonymity:: | ||
124 | * Deniability:: | ||
125 | * Peer Identities:: | ||
126 | * Zones in the GNU Name System (GNS Zones):: | ||
127 | * Egos:: | ||
128 | @end menu | ||
129 | |||
130 | @node Authentication | ||
131 | @subsection Authentication | ||
132 | |||
133 | Almost all peer-to-peer communications in GNUnet are between mutually | ||
134 | authenticated peers. The authentication works by using ECDHE, that is a | ||
135 | DH key exchange using ephemeral eliptic curve cryptography. The ephemeral | ||
136 | ECC keys are signed using ECDSA. The shared secret from ECDHE is used to | ||
137 | create a pair of session keys (using HKDF) which are then used to encrypt | ||
138 | the communication between the two peers using both 256-bit AES and 256-bit | ||
139 | Twofish (with independently derived secret keys). As only the two | ||
140 | participating hosts know the shared secret, this authenticates each packet | ||
141 | without requiring signatures each time. GNUnet uses SHA-512 hash codes to | ||
142 | verify the integrity of messages. | ||
143 | |||
144 | In GNUnet, the identity of a host is its public key. For that reason, | ||
145 | man-in-the-middle attacks will not break the authentication or accounting | ||
146 | goals. Essentially, for GNUnet, the IP of the host has nothing to do with | ||
147 | the identity of the host. As the public key is the only thing that truly | ||
148 | matters, faking an IP, a port or any other property of the underlying | ||
149 | transport protocol is irrelevant. In fact, GNUnet peers can use | ||
150 | multiple IPs (IPv4 and IPv6) on multiple ports --- or even not use the | ||
151 | IP protocol at all (by running directly on layer 2). | ||
152 | |||
153 | GNUnet uses a special type of message to communicate a binding between | ||
154 | public (ECC) keys to their current network address. These messages are | ||
155 | commonly called HELLOs or peer advertisements. They contain the public key | ||
156 | of the peer and its current network addresses for various transport services. | ||
157 | A transport service is a special kind of shared library that | ||
158 | provides (possibly unreliable, out-of-order) message delivery between peers. | ||
159 | For the UDP and TCP transport services, a network address is an IP and a port. | ||
160 | GNUnet can also use other transports (HTTP, HTTPS, WLAN, etc.) which use | ||
161 | various other forms of addresses. Note that any node can have many different | ||
162 | active transport services at the same time, and each of these can have a | ||
163 | different addresses. Binding messages expire after at most a week (the | ||
164 | timeout can be shorter if the user configures the node appropriately). This | ||
165 | expiration ensures that the network will eventually get rid of outdated | ||
166 | advertisements.@ | ||
167 | More details can be found in this paper. | ||
168 | |||
169 | @node Accounting to Encourage Resource Sharing | ||
170 | @subsection Accounting to Encourage Resource Sharing | ||
171 | |||
172 | Most distributed P2P networks suffer from a lack of defenses or precautions | ||
173 | against attacks in the form of freeloading. While the intentions of an | ||
174 | attacker and a freeloader are different, their effect on the network is the | ||
175 | same; they both render it useless. Most simple attacks on networks such as | ||
176 | Gnutella involve flooding the network with traffic, particularly with | ||
177 | queries that are, in the worst case, multiplied by the network. | ||
178 | |||
179 | In order to ensure that freeloaders or attackers have a minimal impact on the | ||
180 | network, GNUnet's file-sharing implementation tries to distinguish | ||
181 | good (contributing) nodes from malicious (freeloading) nodes. In GNUnet, | ||
182 | every file-sharing node keeps track of the behavior of every other node it | ||
183 | has been in contact with. Many requests (depending on the application) are | ||
184 | transmitted with a priority (or importance) level. That priority is used to | ||
185 | establish how important the sender believes this request is. If a peer | ||
186 | responds to an important request, the recipient will increase its trust in the | ||
187 | responder: the responder contributed resources. If a peer is too busy to | ||
188 | answer all requests, it needs to prioritize. For that, peers to not take the | ||
189 | priorities of the requests received at face value. First, they check how much | ||
190 | they trust the sender, and depending on that amount of trust they assign the | ||
191 | request a (possibly lower) effective priority. Then, they drop the requests | ||
192 | with the lowest effective priority to satisfy their resource constraints. This | ||
193 | way, GNUnet's economic model ensures that nodes that are not currently | ||
194 | considered to have a surplus in contributions will not be served if the | ||
195 | network load is high. More details can be found in this paper. | ||
196 | |||
197 | @node Confidentiality | ||
198 | @subsection Confidentiality | ||
199 | |||
200 | Adversaries outside of GNUnet are not supposed to know what kind of actions a | ||
201 | peer is involved in. Only the specific neighbor of a peer that is the | ||
202 | corresponding sender or recipient of a message may know its contents, and even | ||
203 | then application protocols may place further restrictions on that knowledge. | ||
204 | In order to ensure confidentiality, GNUnet uses link encryption, that is each | ||
205 | message exchanged between two peers is encrypted using a pair of keys only | ||
206 | known to these two peers. Encrypting traffic like this makes any kind of | ||
207 | traffic analysis much harder. Naturally, for some applications, it may still | ||
208 | be desirable if even neighbors cannot determine the concrete contents of a | ||
209 | message. In GNUnet, this problem is addressed by the specific | ||
210 | application-level protocols (see for example, deniability and anonymity in | ||
211 | anonymous file sharing). | ||
212 | |||
213 | @node Anonymity | ||
214 | @subsection Anonymity | ||
215 | |||
216 | Providing anonymity for users is the central goal for the anonymous | ||
217 | file-sharing application. Many other design decisions follow in the footsteps | ||
218 | of this requirement. Anonymity is never absolute. While there are various | ||
219 | scientific metrics that can help quantify the level of anonymity that a | ||
220 | given mechanism provides, there is no such thing as complete anonymity. | ||
221 | GNUnet's file-sharing implementation allows users to select for each | ||
222 | operation (publish, search, download) the desired level of anonymity. | ||
223 | The metric used is the amount of cover traffic available to hide the request. | ||
224 | While this metric is not as good as, for example, the theoretical metric | ||
225 | given in scientific metrics, it is probably the best metric available to | ||
226 | a peer with a purely local view of the world that does not rely on unreliable | ||
227 | external information. The default anonymity level is 1, which uses anonymous | ||
228 | routing but imposes no minimal requirements on cover traffic. It is possible | ||
229 | to forego anonymity when this is not required. The anonymity level of 0 | ||
230 | allows GNUnet to use more efficient, non-anonymous routing. | ||
231 | |||
232 | @menu | ||
233 | * How file-sharing achieves Anonymity: | ||
234 | @end menu | ||
235 | |||
236 | @node How file-sharing achieves Anonymity | ||
237 | @subsubsection How file-sharing achieves Anonymity | ||
238 | |||
239 | Contrary to other designs, we do not believe that users achieve strong | ||
240 | anonymity just because their requests are obfuscated by a couple of | ||
241 | indirections. This is not sufficient if the adversary uses traffic analysis. | ||
242 | The threat model used for anonymous file sharing in GNUnet assumes that the | ||
243 | adversary is quite powerful. In particular, we assume that the adversary can | ||
244 | see all the traffic on the Internet. And while we assume that the adversary | ||
245 | can not break our encryption, we assume that the adversary has many | ||
246 | participating nodes in the network and that it can thus see many of the | ||
247 | node-to-node interactions since it controls some of the nodes. | ||
248 | |||
249 | The system tries to achieve anonymity based on the idea that users can be | ||
250 | anonymous if they can hide their actions in the traffic created by other users. | ||
251 | Hiding actions in the traffic of other users requires participating in the | ||
252 | traffic, bringing back the traditional technique of using indirection and | ||
253 | source rewriting. Source rewriting is required to gain anonymity since | ||
254 | otherwise an adversary could tell if a message originated from a host by | ||
255 | looking at the source address. If all packets look like they originate from | ||
256 | a node, the adversary can not tell which ones originate from that node and | ||
257 | which ones were routed. Note that in this mindset, any node can decide to | ||
258 | break the source-rewriting paradigm without violating the protocol, as this | ||
259 | only reduces the amount of traffic that a node can hide its own traffic in. | ||
260 | |||
261 | If we want to hide our actions in the traffic of other nodes, we must make | ||
262 | our traffic indistinguishable from the traffic that we route for others. As | ||
263 | our queries must have us as the receiver of the reply (otherwise they would | ||
264 | be useless), we must put ourselves as the receiver of replies that actually | ||
265 | go to other hosts; in other words, we must indirect replies. Unlike other | ||
266 | systems, in anonymous file-sharing as implemented on top of GNUnet we do not | ||
267 | have to indirect the replies if we don't think we need more traffic to hide | ||
268 | our own actions.@ | ||
269 | |||
270 | This increases the efficiency of the network as we can indirect less under | ||
271 | higher load. More details can be found in this paper. | ||
272 | |||
273 | @node Deniability | ||
274 | @subsection Deniability | ||
275 | |||
276 | Even if the user that downloads data and the server that provides data are | ||
277 | anonymous, the intermediaries may still be targets. In particular, if the | ||
278 | intermediaries can find out which queries or which content they are | ||
279 | processing, a strong adversary could try to force them to censor | ||
280 | certain materials. | ||
281 | |||
282 | With the file-encoding used by GNUnet's anonymous file-sharing, this problem | ||
283 | does not arise. The reason is that queries and replies are transmitted in | ||
284 | an encrypted format such that intermediaries cannot tell what the query | ||
285 | is for or what the content is about. Mind that this is not the same | ||
286 | encryption as the link-encryption between the nodes. GNUnet has | ||
287 | encryption on the network layer (link encryption, confidentiality, | ||
288 | authentication) and again on the application layer (provided | ||
289 | by @command{gnunet-publish}, @command{gnunet-download}, @command{gnunet-search} | ||
290 | and @command{gnunet-gtk}). More details can be found here. | ||
291 | |||
292 | @node Peer Identities | ||
293 | @subsection Peer Identities | ||
294 | |||
295 | Peer identities are used to identify peers in the network and are unique for | ||
296 | each peer. The identity for a peer is simply its public key, which is | ||
297 | generated along with a private key the peer is started for the first time. | ||
298 | While the identity is binary data, it is often expressed as ASCII string. | ||
299 | For example, the following is a peer identity as you might see it in | ||
300 | various places:@ | ||
301 | @code{@ | ||
302 | UAT1S6PMPITLBKSJ2DGV341JI6KF7B66AC4JVCN9811NNEGQLUN0@ | ||
303 | } | ||
304 | |||
305 | You can find your peer identity by running@ | ||
306 | @command{gnunet-peerinfo -s} | ||
307 | |||
308 | @node Zones in the GNU Name System (GNS Zones) | ||
309 | @subsection Zones in the GNU Name System (GNS Zones) | ||
310 | |||
311 | GNS zones are similar to those of DNS zones, but instead of a hierarchy of | ||
312 | authorities to governing their use, GNS zones are controlled by a private key. | ||
313 | When you create a record in a DNS zone, that information stored in your | ||
314 | nameserver. Anyone trying to resolve your domain then gets pointed (hopefully) | ||
315 | by the centralised authority to your nameserver. Whereas GNS, being | ||
316 | decentralised by design, stores that information in DHT. The validity of the | ||
317 | records is assured cryptographically, by signing them with the private key of | ||
318 | the respective zone. | ||
319 | |||
320 | Anyone trying to resolve records in a zone your domain can then verify the | ||
321 | signature on the records they get from the DHT and be assured that they are | ||
322 | indeed from the respective zone. To make this work, there is a 1:1 | ||
323 | correspondence between zones and their public-private key pairs. So when we | ||
324 | talk about the owner of a GNS zone, that's really the owner of the private | ||
325 | key. And a user accessing a zone needs to somehow specify the corresponding | ||
326 | public key first. | ||
327 | |||
328 | @node Egos | ||
329 | @subsection Egos | ||
330 | |||
331 | Egos are your "identities" in GNUnet. Any user can assume multiple | ||
332 | identities, for example to separate his activities online. Egos can | ||
333 | correspond to pseudonyms or real-world identities. Technically, an | ||
334 | ego is first of all a public-private key pair. | ||
335 | |||