commit 900656486fbf2f9bab861aba19ca220f77313abb
parent 4db4a112e2976e18b48498a4146009461e270f07
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Sat, 24 Feb 2024 11:33:28 +0100
Update about
Diffstat:
| M | about.rst | | | 128 | +++++++++++++++++++++++++++++++++++++++---------------------------------------- |
1 file changed, 63 insertions(+), 65 deletions(-)
diff --git a/about.rst b/about.rst
@@ -165,52 +165,6 @@ of them are also described in our research papers. First, some of the
concepts used in the GNUnet framework are detailed. The second part
describes concepts specific to anonymous file-sharing.
-Authentication
---------------
-
-Almost all peer-to-peer communications in GNUnet are between mutually
-authenticated peers. The authentication works by using ECDHE, that is a
-DH (Diffie—Hellman) key exchange using ephemeral elliptic curve
-cryptography. The ephemeral ECC (Elliptic Curve Cryptography) keys are
-signed using ECDSA. The shared secret from ECDHE is used to create a
-pair of session keys (using HKDF) which are then used to encrypt the
-communication between the two peers using both 256-bit AES (Advanced
-Encryption Standard) and 256-bit Twofish (with independently derived
-secret keys). As only the two participating hosts know the shared
-secret, this authenticates each packet without requiring signatures each
-time. GNUnet uses SHA-512 (Secure Hash Algorithm) hash codes to verify
-the integrity of messages.
-
-In GNUnet, the identity of a host is its public key. For that reason,
-man-in-the-middle attacks will not break the authentication or
-accounting goals. Essentially, for GNUnet, the IP of the host has
-nothing to do with the identity of the host. As the public key is the
-only thing that truly matters, faking an IP, a port or any other
-property of the underlying transport protocol is irrelevant. In fact,
-GNUnet peers can use multiple IPs (IPv4 and IPv6) on multiple ports — or
-even not use the IP protocol at all (by running directly on layer 2).
-
-GNUnet uses a special type of message to communicate a binding between
-public (ECC) keys to their current network address. These messages are
-commonly called HELLOs or peer advertisements. They contain the public
-key of the peer and its current network addresses for various transport
-services. A transport service is a special kind of shared library that
-provides (possibly unreliable, out-of-order) message delivery between
-peers. For the UDP and TCP transport services, a network address is an
-IP and a port. GNUnet can also use other transports (HTTP, HTTPS, WLAN,
-etc.) which use various other forms of addresses. Note that any node can
-have many different active transport services at the same time, and each
-of these can have a different addresses. Binding messages expire after
-at most a week (the timeout can be shorter if the user configures the
-node appropriately). This expiration ensures that the network will
-eventually get rid of outdated advertisements.
-
-For more information, refer to the following paper:
-
-Ronaldo A. Ferreira, Christian Grothoff, and Paul Ruth. A Transport
-Layer Abstraction for Peer-to-Peer Networks Proceedings of the 3rd
-International Symposium on Cluster Computing and the Grid (GRID 2003),
-2003. (https://git.gnunet.org/bibliography.git/plain/docs/transport.pdf)
Accounting to Encourage Resource Sharing
----------------------------------------
@@ -383,8 +337,20 @@ Grothoff, Tzvetan Horozov, and Jussi T. Lindgren. An Encoding for
Censorship-Resistant Sharing. 2009.
(https://git.gnunet.org/bibliography.git/plain/docs/ecrs.pdf)
+Cryptography
+------------
+
Peer Identities
----------------
+~~~~~~~~~~~~~~~
+
+In GNUnet, the identity of a host is its public key called **Peer Identity**.
+For that reason, man-in-the-middle attacks will not break the authentication or
+accounting goals. Essentially, for GNUnet, the IP of the host has
+nothing to do with the identity of the host. As the public key is the
+only thing that truly matters, faking an IP, a port or any other
+property of the underlying transport protocol is irrelevant. In fact,
+GNUnet peers can use multiple IPs (IPv4 and IPv6) on multiple ports — or
+even not use the IP protocol at all (by running directly on layer 2).
Peer identities are used to identify peers in the network and are unique
for each peer. The identity for a peer is simply its public key, which
@@ -397,10 +363,56 @@ might see it in various places:
UAT1S6PMPITLBKSJ2DGV341JI6KF7B66AC4JVCN9811NNEGQLUN0
-You can find your peer identity by running ``gnunet-peerinfo -s``.
+You can find your peer identity by running ``gnunet-core``.
-Zones in the GNU Name System (GNS Zones)
-----------------------------------------
+Almost all peer-to-peer communications in GNUnet are between mutually
+authenticated peers. The authentication works by using ECDHE, that is a
+DH (Diffie—Hellman) key exchange using ephemeral elliptic curve
+cryptography. The ephemeral ECC (Elliptic Curve Cryptography) keys are
+signed using **EdDSA**. The shared secret from ECDHE is used to create a
+pair of session keys (using HKDF) which are then used to encrypt the
+communication between the two peers using both **256-bit AES**
+and **256-bit Twofish** (with independently derived
+secret keys). As only the two participating hosts know the shared
+secret, this authenticates each packet without requiring signatures each
+time. GNUnet mostly uses the **SHA-512** hash algorithm.
+
+GNUnet uses a special type of message to communicate a binding between
+public (ECC) keys to their current network address. These messages are
+commonly called **HELLOs** or peer advertisements. They contain the public
+key of the peer and its current network addresses for various transport
+services. A transport service is a special kind of shared library that
+provides (possibly unreliable, out-of-order) message delivery between
+peers. For the UDP and TCP transport services, a network address is an
+IP and a port. GNUnet can also use other transports (HTTP, HTTPS, WLAN,
+etc.) which use various other forms of addresses. Note that any node can
+have many different active transport services at the same time, and each
+of these can have a different addresses. Binding messages expire after
+at most a week (the timeout can be shorter if the user configures the
+node appropriately). This expiration ensures that the network will
+eventually get rid of outdated advertisements.
+
+For more information, refer to the following paper:
+
+Ronaldo A. Ferreira, Christian Grothoff, and Paul Ruth. A Transport
+Layer Abstraction for Peer-to-Peer Networks Proceedings of the 3rd
+International Symposium on Cluster Computing and the Grid (GRID 2003),
+2003. (https://git.gnunet.org/bibliography.git/plain/docs/transport.pdf)
+
+
+Egos
+~~~~
+
+**Egos** are your “identities” in GNUnet. Any user can assume multiple
+identities, for example to separate their activities online. Egos can
+correspond to “pseudonyms” or “real-world identities”. Technically an
+ego is first of all a key pair of a public- and private-key.
+The current primary use for Egos are in the GNU Name System as zone keys.
+
+Zones in the GNU Name System
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Egos are used as **GNS zones**.
GNS zones are similar to those of DNS zones, but instead of a hierarchy
of authorities to governing their use, GNS zones are controlled by a
@@ -420,18 +432,4 @@ pairs. So when we talk about the owner of a GNS zone, that’s really the
owner of the private key. And a user accessing a zone needs to somehow
specify the corresponding public key first.
-For more information, refer to the following paper:
-
-Matthias Wachs, Martin Schanzenbach, and Christian Grothoff. A
-Censorship-Resistant, Privacy-Enhancing and Fully Decentralized Name
-System. In proceedings of 13th International Conference on Cryptology
-and Network Security (CANS 2014). 2014.
-https://git.gnunet.org/bibliography.git/plain/docs/gns2014wachs.pdf
-
-Egos
-----
-
-Egos are your “identities” in GNUnet. Any user can assume multiple
-identities, for example to separate their activities online. Egos can
-correspond to “pseudonyms” or “real-world identities”. Technically an
-ego is first of all a key pair of a public- and private-key.
+For more information, refer to RFC 9498.
