Diffstat (limited to 'icann66/gns.tex')
-rw-r--r-- | icann66/gns.tex | 195 |
1 files changed, 195 insertions, 0 deletions
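--- /dev/null
+++ b/icann66/gns.tex
@@ -0,0 +1,195 @@
+\documentclass[aspectratio=169]{beamer}
+\usepackage{appendixnumberbeamer}
+\usetheme{metropolis} % Use metropolis theme
+\definecolor{fhggreen}{RGB}{23,156,125}
+\let\oldemph\textbf
+\renewcommand{\textbf}[1]{{\color{mLightBrown}\oldemph{#1}}}
+
+\usepackage{blkarray}
+\usepackage{amsmath}
+\usepackage{multirow}
+\title{The GNU Name System\\\small{ICANN66}}
+\date{11/5/2019}
+\author{Martin Schanzenbach}
+\institute{\hfill\large{GNUnet} \includegraphics[trim={0cm 1.5cm 0cm 0cm},clip,width=4em]{gnunet}}
+\begin{document}
+\metroset{block=fill,sectionpage=progressbar,numbering=counter}
+\maketitle
+
+\section{The GNU Name System In a Nutshell}
+\begin{frame}{Motivation}
+\begin{itemize}
+\item DNS remains a source of traffic amplification DDoS.
+\item DNS censorship (i.e. by China) causes collateral damage in other countries.
+\item DNS is part of the mass surveillance apparatus (MCB).
+\item DNS is abused for offensive cyber war (QUANTUMDNS).
+\item DoT/DoH, DNSSEC, DPRIVE unfortunately do \textbf{NOT} fix this.
+\end{itemize}
+\end{frame}
+
+\begin{frame}{What is the GNU Name System?\footnote{Joint work with Christian Grothoff and Matthias Wachs}}
+\begin{itemize}
+\item Fully decentralized name system $\Rightarrow$ Names are not global.
+\item Supports globally unique and secure identification.
+\item Features query and response privacy.
+\item Provides a public key infrastructure
+\begin{itemize}
+\item Each zone is associated with a cryptographic key pair.
+\item Delegation between zones establishes trust relationship.
+\end{itemize}
+\item Interoperable with DNS.
+\item Usable.\footnote{User studies conducted in ``Decentralized Authentication for Self-Sovereign Identities using Name Systems'' (DASEIN) project.}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Applications}
+\begin{itemize}
+\item Identity management: \textbf{re:claimID} (\url{https://reclaim-identity.io})
+\item Social Networks: \textbf{SecuShare} (\url{https://secushare.org})
+\item Healthcare: \textbf{Accident insurance and private health data}.\footnote{Joint work with FH Bern, ``Decentralized Authentication for Self-Sovereign Identities using Name Systems'' (DASEIN)}
+\item Others: \textbf{Chat}, \textbf{Host addressing}, \ldots
+\end{itemize}
+\end{frame}
+
+\section{Technical Overview}
+\begin{frame}{Record Storage / Retrieval}
+\begin{itemize}
+\item GNS stores records in a \textbf{Distributed Hash Table} (DHT).
+\item DHTs allow us to map keys to values.
+\item Naive approach: Map domain names to records.\\e.g.: example.com $\Rightarrow$ A: 1.2.3.4
+\end{itemize}
+\begin{center}
+\includegraphics[width=0.5\textwidth]{DHT.pdf}
+\end{center}
+\end{frame}
+
+%\begin{frame}{Record Storage / Retrieval}
+% \begin{itemize}
+% \item GNS implements a \textbf{Private Information Retrieval} (PIR) scheme.
+% \item DHT values (records) are signed and encrypted.
+% \item DHT keys are derived from queried name and zone.
+% \end{itemize}
+% \begin{center}
+% \includegraphics[width=0.5\textwidth]{DHT.pdf}
+% \end{center}
+%\end{frame}
+
+\begin{frame}{Secure Storage / Retrieval}
+\begin{itemize}
+\item \textbf{Query privacy}
+\begin{itemize}
+\item GNS implements a \textbf{Private Information Retrieval} (PIR) scheme:\\
+``a protocol that allows a user to retrieve an item from a server in possession of a database without revealing which item is retrieved.''\footnote{\url{https://en.wikipedia.org/wiki/Private_information_retrieval}}
+
+\item Queries do not reveal domain name.
+%item DHT keys are ``blinded'' record labels and zone identity.
+\end{itemize}
+\item \textbf{Record confidentiality}: Values in DHT are signed and encrypted by zone owner.
+\item \textbf{Zone privacy}: Zones cannot be enumerated.
+\item \textbf{Censorship and DDoS resistance}: Decentralized, resilient directory.
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Zone Delegation}
+\begin{itemize}
+\item The ``NS'' equivalent in GNS is called ``PKEY''.
+\item A ``PKEY'' record contains public zone keys.
+\item The combination of a ``PKEY'' record value and a name allows users to
+query records in a delegated zone.
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\includegraphics[height=0.9\textheight]{deleg0.pdf}
+\end{frame}
+
+
+\begin{frame}
+\includegraphics[height=0.9\textheight]{deleg1.pdf}
+\end{frame}
+
+
+\begin{frame}
+\includegraphics[height=0.9\textheight]{deleg2.pdf}
+\end{frame}
+
+\section{How do we bootstrap the top-level zones?}
+\begin{frame}
+\includegraphics[height=0.9\textheight]{deleg3.pdf}
+\end{frame}
+
+
+\begin{frame}{The GNU Name System Root}
+``Hyper-hyper local root'' concept:
+\begin{itemize}
+\item Resolver ships with initial root zone configuration.
+\item Root zone configurable \emph{locally} at \emph{each} endpoint.
+\item User override/extension of root at top-level or subdomain-level for:
+\begin{itemize}
+\item Circumvent censorship if necessary.
+\item Private networks.
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Envisioned Governance Model}
+\begin{itemize}
+\item Non-profit organization.
+\item Multi-stakeholder model: Board, supporting organizations, \ldots
+\item Examples for possible stakeholders:
+\begin{itemize}
+\item Software and OS Distributors
+\item Browser vendors
+\item Governments
+\end{itemize}
+\item Funding options:
+\begin{itemize}
+\item Applications for new top-level domains.
+\item Registrations of new top-level domains.
+\item \ldots
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+
+\section{Quo Vadis?}
+\begin{frame}{Roadmap}
+\begin{itemize}
+\item In progress:
+\begin{itemize}
+\item 2019-2020: Technical specification of GNS protocol, packaging and alternative implementations.\footnote{Funded by NLnet under EU Next Generation Internet program (\url{https://nlnet.nl/project/GNS/}).}
+\item Continuous development and integration into applications.
+\end{itemize}
+\item 2020--: Establishment of governing body.
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\begin{center}
+The GNU Name System\\
+\vspace{2cm}
+\url{https://gnunet.org}\\
+\vspace{1em}
+{\tiny
+\texttt{schanzen@gnunet.org}\\
+\texttt{3D11~063C~10F9~8D14~BD24~D147~0B09~98EF~86F5~9B6A}\\
+}
+\end{center}
+\end{frame}
+
+\appendix
+
+\begin{frame}{References}
+\centering
+{\small
+\begin{enumerate}
+\item {Matthias Wachs, Martin Schanzenbach and Christian Grothoff. {\em A Censorship-Resistant, Privacy-Enhancing and Fully Decentralized Name System}. {\bf 13th Intern
+ational Conference on Cryptology and Network Security}, 2014.}
+\item {Martin Schanzenbach, Georg Bramm, Julian Schütte. {\em reclaimID: Secure, Self-Sovereign Identities Using Name Systems and Attribute-Based Encryption}. {\bf 17th
+IEEE International Conference On Trust, Security And Privacy In Computing And Communications (TrustCom)}, 2018}
+\item {Christian Grothoff, Martin Schanzenbach, Annett Laube, Emmanuel Benoist, Pascal Mainini. {\em Decentralized Authentication for Self-Sovereign Identities using Name Systems (DASEIN)}. {\bf https://git.gnunet.org/bibliography.git/plain/docs/dasein10.pdf}, 2018.}
+\end{enumerate}
+}
+\end{frame}
+
+\end{document}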
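Review bot: The "Secure Storage / Retrieval" frame (file lines 77-91) says GNS implements a PIR scheme and that `Queries do not reveal domain name` without saying against whom. The commented-out frame above it states that DHT keys are derived from the queried name and zone, so presumably a party that already knows or can guess the label and the zone key can recompute the DHT key and recognise the query. That is a weaker guarantee than the PIR definition quoted on the slide, and the same caveat would seem to apply to `Zones cannot be enumerated`. I would qualify both items, e.g. `\item Queries do not reveal the domain name to parties that do not already know the label and zone key.` and `\item \textbf{Zone privacy}: Zones cannot be enumerated; guessable labels can still be confirmed.` A smaller style point: file line 5 saves `\textbf` under the name `\oldemph`, which reads as if `\emph` were being patched; `\let\oldtextbf\textbf` would be clearer.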