diff options
Diffstat (limited to 'doc/documentation/chapters/philosophy.texi')
-rw-r--r-- | doc/documentation/chapters/philosophy.texi | 378 |
1 files changed, 378 insertions, 0 deletions
diff --git a/doc/documentation/chapters/philosophy.texi b/doc/documentation/chapters/philosophy.texi new file mode 100644 index 000000000..10006ebe1 --- /dev/null +++ b/doc/documentation/chapters/philosophy.texi | |||
@@ -0,0 +1,378 @@ | |||
1 | @cindex Philosopy | ||
2 | @node Philosophy | ||
3 | @chapter Philosophy | ||
4 | |||
5 | The foremost goal of the GNUnet project is to become a widely used, | ||
6 | reliable, open, non-discriminating, egalitarian, unfettered and | ||
7 | censorship-resistant system of free information exchange. | ||
8 | We value free speech above state secrets, law-enforcement or | ||
9 | intellectual property. GNUnet is supposed to be an anarchistic network, | ||
10 | where the only limitation for peers is that they must contribute enough | ||
11 | back to the network such that their resource consumption does not have | ||
12 | a significant impact on other users. GNUnet should be more than just | ||
13 | another file-sharing network. The plan is to offer many other services | ||
14 | and in particular to serve as a development platform for the next | ||
15 | generation of decentralized Internet protocols. | ||
16 | |||
17 | @menu | ||
18 | * Design Goals:: | ||
19 | * Security & Privacy:: | ||
20 | * Versatility:: | ||
21 | * Practicality:: | ||
22 | * Key Concepts:: | ||
23 | @end menu | ||
24 | |||
25 | @cindex Design Goals | ||
26 | @cindex Design Goals | ||
27 | @node Design Goals | ||
28 | @section Design Goals | ||
29 | |||
30 | These are the core GNUnet design goals, in order of relative importance: | ||
31 | |||
32 | @itemize | ||
33 | @item GNUnet must be implemented as free software. | ||
34 | @item GNUnet must only disclose the minimal amount of information | ||
35 | necessary. | ||
36 | @item GNUnet must be decentralised and survive Byzantine failures in any | ||
37 | position in the network. | ||
38 | @item GNUnet must make it explicit to the user which entities must be | ||
39 | trustworthy when establishing secured communications. | ||
40 | @item GNUnet must use compartmentalization to protect sensitive | ||
41 | information. | ||
42 | @item GNUnet must be open and permit new peers to join. | ||
43 | @item GNUnet must be self-organizing and not depend on administrators. | ||
44 | @item GNUnet must support a diverse range of applications and devices. | ||
45 | @item The GNUnet architecture must be cost effective. | ||
46 | @item GNUnet must provide incentives for peers to contribute more | ||
47 | resources than they consume. | ||
48 | @end itemize | ||
49 | |||
50 | |||
51 | @cindex Security and Privacy | ||
52 | @node Security & Privacy | ||
53 | @section Security & Privacy | ||
54 | |||
55 | GNUnet's primary design goals are to protect the privacy of its users and | ||
56 | to guard itself against attacks or abuse. | ||
57 | GNUnet does not have any mechanisms to control, track or censor users. | ||
58 | Instead, the GNUnet protocols aim to make it as hard as possible to | ||
59 | find out what is happening on the network or to disrupt operations. | ||
60 | |||
61 | @cindex Versatility | ||
62 | @node Versatility | ||
63 | @section Versatility | ||
64 | |||
65 | We call GNUnet a peer-to-peer framework because we want to support many | ||
66 | different forms of peer-to-peer applications. GNUnet uses a plugin | ||
67 | architecture to make the system extensible and to encourage code reuse. | ||
68 | While the first versions of the system only supported anonymous | ||
69 | file-sharing, other applications are being worked on and more will | ||
70 | hopefully follow in the future. | ||
71 | A powerful synergy regarding anonymity services is created by a large | ||
72 | community utilizing many diverse applications over the same software | ||
73 | infrastructure. The reason is that link encryption hides the specifics | ||
74 | of the traffic for non-participating observers. This way, anonymity can | ||
75 | get stronger with additional (GNUnet) traffic, even if the additional | ||
76 | traffic is not related to anonymous communication. Increasing anonymity is | ||
77 | the primary reason why GNUnet is developed to become a peer-to-peer | ||
78 | framework where many applications share the lower layers of an | ||
79 | increasingly complex protocol stack. | ||
80 | If merging traffic to hinder traffic analysis was not important, | ||
81 | we could have just developed a dozen stand-alone applications | ||
82 | and a few shared libraries. | ||
83 | |||
84 | @cindex Practicality | ||
85 | @node Practicality | ||
86 | @section Practicality | ||
87 | |||
88 | GNUnet allows participants to trade various amounts of security in | ||
89 | exchange for increased efficiency. However, it is not possible for any | ||
90 | user's security and efficiency requirements to compromise the security | ||
91 | and efficiency of any other user. | ||
92 | |||
93 | For GNUnet, efficiency is not paramount. If there is a more secure and | ||
94 | still practical approach, we would choose to take the more secure | ||
95 | alternative. @command{telnet} is more efficient than @command{ssh}, yet | ||
96 | it is obsolete. | ||
97 | Hardware gets faster, and code can be optimized. Fixing security issues as | ||
98 | an afterthought is much harder. | ||
99 | |||
100 | While security is paramount, practicability is still a requirement. | ||
101 | The most secure system is always the one that nobody can use. | ||
102 | Similarly, any anonymous system that is extremely inefficient will only | ||
103 | find few users. | ||
104 | However, good anonymity requires a large and diverse user base. Since | ||
105 | individual security requirements may vary, the only good solution here is | ||
106 | to allow individuals to trade-off security and efficiency. | ||
107 | The primary challenge in allowing this is to ensure that the economic | ||
108 | incentives work properly. | ||
109 | In particular, this means that it must be impossible for a user to gain | ||
110 | security at the expense of other users. Many designs (e.g. anonymity via | ||
111 | broadcast) fail to give users an incentive to choose a less secure but | ||
112 | more efficient mode of operation. | ||
113 | GNUnet should avoid where ever possible to rely on protocols that will | ||
114 | only work if the participants are benevolent. | ||
115 | While some designs have had widespread success while relying on parties | ||
116 | to observe a protocol that may be sub-optimal for the individuals (e.g. | ||
117 | TCP Nagle), a protocol that ensures that individual goals never conflict | ||
118 | with the goals of the group is always preferable. | ||
119 | |||
120 | @cindex Key Concepts | ||
121 | @node Key Concepts | ||
122 | @section Key Concepts | ||
123 | |||
124 | In this section, the fundamental concepts of GNUnet are explained. | ||
125 | Most of them are also described in our research papers. | ||
126 | First, some of the concepts used in the GNUnet framework are detailed. | ||
127 | The second part describes concepts specific to anonymous file-sharing. | ||
128 | |||
129 | @menu | ||
130 | * Authentication:: | ||
131 | * Accounting to Encourage Resource Sharing:: | ||
132 | * Confidentiality:: | ||
133 | * Anonymity:: | ||
134 | * Deniability:: | ||
135 | * Peer Identities:: | ||
136 | * Zones in the GNU Name System (GNS Zones):: | ||
137 | * Egos:: | ||
138 | @end menu | ||
139 | |||
140 | @cindex Authentication | ||
141 | @node Authentication | ||
142 | @subsection Authentication | ||
143 | |||
144 | Almost all peer-to-peer communications in GNUnet are between mutually | ||
145 | authenticated peers. The authentication works by using ECDHE, that is a | ||
146 | DH key exchange using ephemeral eliptic curve cryptography. The ephemeral | ||
147 | ECC keys are signed using ECDSA. The shared secret from ECDHE is used to | ||
148 | create a pair of session keys (using HKDF) which are then used to encrypt | ||
149 | the communication between the two peers using both 256-bit AES and 256-bit | ||
150 | Twofish (with independently derived secret keys). As only the two | ||
151 | participating hosts know the shared secret, this authenticates each packet | ||
152 | without requiring signatures each time. GNUnet uses SHA-512 hash codes to | ||
153 | verify the integrity of messages. | ||
154 | |||
155 | In GNUnet, the identity of a host is its public key. For that reason, | ||
156 | man-in-the-middle attacks will not break the authentication or accounting | ||
157 | goals. Essentially, for GNUnet, the IP of the host has nothing to do with | ||
158 | the identity of the host. As the public key is the only thing that truly | ||
159 | matters, faking an IP, a port or any other property of the underlying | ||
160 | transport protocol is irrelevant. In fact, GNUnet peers can use | ||
161 | multiple IPs (IPv4 and IPv6) on multiple ports --- or even not use the | ||
162 | IP protocol at all (by running directly on layer 2). | ||
163 | |||
164 | GNUnet uses a special type of message to communicate a binding between | ||
165 | public (ECC) keys to their current network address. These messages are | ||
166 | commonly called HELLOs or peer advertisements. They contain the public key | ||
167 | of the peer and its current network addresses for various transport | ||
168 | services. | ||
169 | A transport service is a special kind of shared library that | ||
170 | provides (possibly unreliable, out-of-order) message delivery between | ||
171 | peers. | ||
172 | For the UDP and TCP transport services, a network address is an IP and a | ||
173 | port. | ||
174 | GNUnet can also use other transports (HTTP, HTTPS, WLAN, etc.) which use | ||
175 | various other forms of addresses. Note that any node can have many | ||
176 | different | ||
177 | active transport services at the same time, and each of these can have a | ||
178 | different addresses. Binding messages expire after at most a week (the | ||
179 | timeout can be shorter if the user configures the node appropriately). | ||
180 | This expiration ensures that the network will eventually get rid of | ||
181 | outdated advertisements.@footnote{More details can be found in | ||
182 | @uref{https://gnunet.org/transports, A Transport Layer Abstraction for Peer-to-Peer Networks}} | ||
183 | |||
184 | @cindex Resource Sharing | ||
185 | @node Accounting to Encourage Resource Sharing | ||
186 | @subsection Accounting to Encourage Resource Sharing | ||
187 | |||
188 | Most distributed P2P networks suffer from a lack of defenses or | ||
189 | precautions against attacks in the form of freeloading. | ||
190 | While the intentions of an attacker and a freeloader are different, their | ||
191 | effect on the network is the same; they both render it useless. | ||
192 | Most simple attacks on networks such as Gnutella involve flooding the | ||
193 | network with traffic, particularly with queries that are, in the worst | ||
194 | case, multiplied by the network. | ||
195 | |||
196 | In order to ensure that freeloaders or attackers have a minimal impact on | ||
197 | the network, GNUnet's file-sharing implementation tries to distinguish | ||
198 | good (contributing) nodes from malicious (freeloading) nodes. In GNUnet, | ||
199 | every file-sharing node keeps track of the behavior of every other node it | ||
200 | has been in contact with. Many requests (depending on the application) are | ||
201 | transmitted with a priority (or importance) level. That priority is used | ||
202 | to establish how important the sender believes this request is. If a peer | ||
203 | responds to an important request, the recipient will increase its trust in | ||
204 | the responder: the responder contributed resources. If a peer is too busy | ||
205 | to answer all requests, it needs to prioritize. For that, peers to not | ||
206 | take the priorities of the requests received at face value. | ||
207 | First, they check how much they trust the sender, and depending on that | ||
208 | amount of trust they assign the request a (possibly lower) effective | ||
209 | priority. Then, they drop the requests with the lowest effective priority | ||
210 | to satisfy their resource constraints. This way, GNUnet's economic model | ||
211 | ensures that nodes that are not currently considered to have a surplus in | ||
212 | contributions will not be served if the network load is high.@footnote{Mor | ||
213 | e details can be found in @uref{https://gnunet.org/ebe, this paper}} | ||
214 | |||
215 | @cindex Confidentiality | ||
216 | @node Confidentiality | ||
217 | @subsection Confidentiality | ||
218 | |||
219 | Adversaries outside of GNUnet are not supposed to know what kind of | ||
220 | actions a peer is involved in. Only the specific neighbor of a peer that | ||
221 | is the corresponding sender or recipient of a message may know its | ||
222 | contents, and even then application protocols may place further | ||
223 | restrictions on that knowledge. | ||
224 | In order to ensure confidentiality, GNUnet uses link encryption, that is | ||
225 | each message exchanged between two peers is encrypted using a pair of | ||
226 | keys only known to these two peers. | ||
227 | Encrypting traffic like this makes any kind of traffic analysis much | ||
228 | harder. Naturally, for some applications, it may still be desirable if | ||
229 | even neighbors cannot determine the concrete contents of a message. | ||
230 | In GNUnet, this problem is addressed by the specific application-level | ||
231 | protocols (see for example, deniability and anonymity in anonymous file | ||
232 | sharing). | ||
233 | |||
234 | @cindex Anonymity | ||
235 | @node Anonymity | ||
236 | @subsection Anonymity | ||
237 | |||
238 | @menu | ||
239 | * How file-sharing achieves Anonymity:: | ||
240 | @end menu | ||
241 | |||
242 | Providing anonymity for users is the central goal for the anonymous | ||
243 | file-sharing application. Many other design decisions follow in the | ||
244 | footsteps of this requirement. | ||
245 | Anonymity is never absolute. While there are various | ||
246 | @uref{https://gnunet.org/anonymity_metric, scientific metrics} that can | ||
247 | help quantify the level of anonymity that a given mechanism provides, | ||
248 | there is no such thing as complete anonymity. | ||
249 | GNUnet's file-sharing implementation allows users to select for each | ||
250 | operation (publish, search, download) the desired level of anonymity. | ||
251 | The metric used is the amount of cover traffic available to hide the | ||
252 | request. | ||
253 | While this metric is not as good as, for example, the theoretical metric | ||
254 | given in @uref{https://gnunet.org/anonymity_metric, scientific metrics}, | ||
255 | it is probably the best metric available to a peer with a purely local | ||
256 | view of the world that does not rely on unreliable external information. | ||
257 | The default anonymity level is 1, which uses anonymous routing but | ||
258 | imposes no minimal requirements on cover traffic. It is possible | ||
259 | to forego anonymity when this is not required. The anonymity level of 0 | ||
260 | allows GNUnet to use more efficient, non-anonymous routing. | ||
261 | |||
262 | @cindex How file-sharing achieves Anonymity | ||
263 | @node How file-sharing achieves Anonymity | ||
264 | @subsubsection How file-sharing achieves Anonymity | ||
265 | |||
266 | Contrary to other designs, we do not believe that users achieve strong | ||
267 | anonymity just because their requests are obfuscated by a couple of | ||
268 | indirections. This is not sufficient if the adversary uses traffic | ||
269 | analysis. | ||
270 | The threat model used for anonymous file sharing in GNUnet assumes that | ||
271 | the adversary is quite powerful. | ||
272 | In particular, we assume that the adversary can see all the traffic on | ||
273 | the Internet. And while we assume that the adversary | ||
274 | can not break our encryption, we assume that the adversary has many | ||
275 | participating nodes in the network and that it can thus see many of the | ||
276 | node-to-node interactions since it controls some of the nodes. | ||
277 | |||
278 | The system tries to achieve anonymity based on the idea that users can be | ||
279 | anonymous if they can hide their actions in the traffic created by other | ||
280 | users. | ||
281 | Hiding actions in the traffic of other users requires participating in the | ||
282 | traffic, bringing back the traditional technique of using indirection and | ||
283 | source rewriting. Source rewriting is required to gain anonymity since | ||
284 | otherwise an adversary could tell if a message originated from a host by | ||
285 | looking at the source address. If all packets look like they originate | ||
286 | from a node, the adversary can not tell which ones originate from that | ||
287 | node and which ones were routed. | ||
288 | Note that in this mindset, any node can decide to break the | ||
289 | source-rewriting paradigm without violating the protocol, as this | ||
290 | only reduces the amount of traffic that a node can hide its own traffic | ||
291 | in. | ||
292 | |||
293 | If we want to hide our actions in the traffic of other nodes, we must make | ||
294 | our traffic indistinguishable from the traffic that we route for others. | ||
295 | As our queries must have us as the receiver of the reply | ||
296 | (otherwise they would be useless), we must put ourselves as the receiver | ||
297 | of replies that actually go to other hosts; in other words, we must | ||
298 | indirect replies. | ||
299 | Unlike other systems, in anonymous file-sharing as implemented on top of | ||
300 | GNUnet we do not have to indirect the replies if we don't think we need | ||
301 | more traffic to hide our own actions. | ||
302 | |||
303 | This increases the efficiency of the network as we can indirect less under | ||
304 | higher load.@footnote{More details can be found in | ||
305 | @uref{https://gnunet.org/gap, this paper}} | ||
306 | |||
307 | @cindex Deniability | ||
308 | @node Deniability | ||
309 | @subsection Deniability | ||
310 | |||
311 | Even if the user that downloads data and the server that provides data are | ||
312 | anonymous, the intermediaries may still be targets. In particular, if the | ||
313 | intermediaries can find out which queries or which content they are | ||
314 | processing, a strong adversary could try to force them to censor | ||
315 | certain materials. | ||
316 | |||
317 | With the file-encoding used by GNUnet's anonymous file-sharing, this | ||
318 | problem does not arise. | ||
319 | The reason is that queries and replies are transmitted in | ||
320 | an encrypted format such that intermediaries cannot tell what the query | ||
321 | is for or what the content is about. Mind that this is not the same | ||
322 | encryption as the link-encryption between the nodes. GNUnet has | ||
323 | encryption on the network layer (link encryption, confidentiality, | ||
324 | authentication) and again on the application layer (provided | ||
325 | by @command{gnunet-publish}, @command{gnunet-download}, | ||
326 | @command{gnunet-search} and @command{gnunet-gtk}).@footnote{More details | ||
327 | can be found @uref{https://gnunet.org/encoding, here}} | ||
328 | |||
329 | @cindex Peer Identities | ||
330 | @node Peer Identities | ||
331 | @subsection Peer Identities | ||
332 | |||
333 | Peer identities are used to identify peers in the network and are unique | ||
334 | for each peer. The identity for a peer is simply its public key, which is | ||
335 | generated along with a private key the peer is started for the first time. | ||
336 | While the identity is binary data, it is often expressed as ASCII string. | ||
337 | For example, the following is a peer identity as you might see it in | ||
338 | various places: | ||
339 | |||
340 | @example | ||
341 | UAT1S6PMPITLBKSJ2DGV341JI6KF7B66AC4JVCN9811NNEGQLUN0 | ||
342 | @end example | ||
343 | |||
344 | @noindent | ||
345 | You can find your peer identity by running @command{gnunet-peerinfo -s}. | ||
346 | |||
347 | @cindex GNS Zones | ||
348 | @node Zones in the GNU Name System (GNS Zones) | ||
349 | @subsection Zones in the GNU Name System (GNS Zones) | ||
350 | |||
351 | GNS zones are similar to those of DNS zones, but instead of a hierarchy of | ||
352 | authorities to governing their use, GNS zones are controlled by a private | ||
353 | key. | ||
354 | When you create a record in a DNS zone, that information stored in your | ||
355 | nameserver. Anyone trying to resolve your domain then gets pointed | ||
356 | (hopefully) by the centralised authority to your nameserver. | ||
357 | Whereas GNS, being decentralised by design, stores that information in | ||
358 | DHT. The validity of the records is assured cryptographically, by | ||
359 | signing them with the private key of the respective zone. | ||
360 | |||
361 | Anyone trying to resolve records in a zone your domain can then verify the | ||
362 | signature on the records they get from the DHT and be assured that they | ||
363 | are indeed from the respective zone. To make this work, there is a 1:1 | ||
364 | correspondence between zones and their public-private key pairs. | ||
365 | So when we talk about the owner of a GNS zone, that's really the owner of | ||
366 | the private key. | ||
367 | And a user accessing a zone needs to somehow specify the corresponding | ||
368 | public key first. | ||
369 | |||
370 | @cindex Egos | ||
371 | @node Egos | ||
372 | @subsection Egos | ||
373 | |||
374 | Egos are your "identities" in GNUnet. Any user can assume multiple | ||
375 | identities, for example to separate teir activities online. Egos can | ||
376 | correspond to pseudonyms or real-world identities. Technically, an | ||
377 | ego is first of all a public-private key pair. | ||
378 | |||