Diffstat (limited to 'news/2019-02.inc')
-rw-r--r-- | news/2019-02.inc | 61 |
1 files changed, 49 insertions, 12 deletions
diff --git a/news/2019-02.inc b/news/2019-02.inc index d41f22e8..73cd2ce1 100644 --- a/news/2019-02.inc +++ b/news/2019-02.inc | |||
@@ -44,26 +44,63 @@ Mentor: Christian Grothoff | |||
44 | </section> | 44 | </section> |
45 | 45 | ||
46 | <section> | 46 | <section> |
47 | <h4>reclaimID alternative GNS-based encryption</h4> | 47 | <h4>re:claimID OpenID Connect performance improvements</h4> |
48 | <p> | 48 | <p> |
49 | reclaimID is a decentralized identity system build on top of the GNU | 49 | reclaimID is a decentralized identity system build on top of the GNU |
50 | Name System. | 50 | Name System. |
51 | Currently, it uses an encryption scheme called attribute-based encryption. | 51 | Upon authorization, the user provides a requesting party (RP) such as a website |
52 | However, through the clever use of GNS's built in record encryption, | 52 | with an authorization ticket (e.g. piggybacked in an OpenID authorization code). |
53 | it is possible to... | 53 | The RP uses information contained in this ticket to |
54 | <ol> | ||
55 | <li> Retrieve the decryption key from GNS</li> | ||
56 | <li> Retrieve the user attributes from GNS</li> | ||
57 | </ol> | ||
58 | The GNS lookups ensure that the RP receives up-to-date attributes and functional | ||
59 | decryption keys. However, in particular the RP-specific encryption key | ||
60 | resolution can be slow and even fail depending on the network topology. | ||
61 | We propose that in an initial exchange, in particular OpenID authorization code | ||
62 | flows, we try to incorporate key and maybe even an attribute set in the ticket | ||
63 | exchange. | ||
64 | |||
65 | In order to mitigate this issue, this project is meant to investigate and implement how... | ||
66 | <ol> | ||
67 | <li> ... decryption keys can be added to an initial exchange in OpenID.</li> | ||
68 | <li> ... initial set(s) of attributes can be piggybacked in OpenID.</li> | ||
69 | </ol> | ||
70 | <br/> | ||
71 | Mentor: Martin Schanzenbach | ||
72 | </p> | ||
73 | </section> | ||
74 | |||
75 | <section> | ||
76 | <h4>re:claimID alternative GNS-based encryption</h4> | ||
77 | <p> | ||
78 | re:claimID is a decentralized identity system build on top of the GNU | ||
79 | Name System. | ||
80 | The initial design and implementation of re:claimID includes an attribute-based | ||
81 | encryption module in order to prevent unauthorized access to attributes in the | ||
82 | name system. | ||
83 | Our motivation for re:claimID was for it to be name system agnostic, which | ||
84 | means the design theoretically also works for other name systems such as | ||
85 | namecoin. | ||
86 | Other name systems often do not have built-in mechanisms in order to do this. | ||
87 | Hence, we implemented an ABE access control layer. Our ABE implementation | ||
88 | requires two third party libraries: libpbc and libgabe. While we could merge | ||
89 | libgabe into the gnunet service implementation of re:claimID, libpbc is a | ||
90 | rather large, third party library which lacks packaging in distributions and | ||
91 | for platforms. | ||
92 | On the other hand, GNS supports record data encryption using symmetric keys as | ||
93 | labels. | ||
94 | If we make the access control layer of re:claimID more generic in order to | ||
95 | support both ABE and GNS encryption, we could reduce the required depenencies. | ||
96 | This would result in gnunet packages to include re:claimID by default. | ||
97 | |||
98 | In short, the goals are to... | ||
54 | <ol> | 99 | <ol> |
55 | <li> ... improve performance by reducing encryption overhead.</li> | 100 | <li> ... improve performance by reducing encryption overhead.</li> |
56 | <li> ... reduce dependencies.</li> | 101 | <li> ... reduce dependencies.</li> |
57 | </ol> | 102 | </ol> |
58 | <br/> | 103 | <br/> |
59 | This project also includes two separate, smaller tasks: | ||
60 | <ul> | ||
61 | <li> Performance improvements to the out-of-band authorization flow (OpenID Connect)</li> | ||
62 | <li> A webextension which allows reclaimID to be used without the need of a GNS proxy. | ||
63 | </ul> | ||
64 | The two smaller tasks are optional and may be dropped in case the student | ||
65 | encounters any unforseen complications when implementing the main task. | ||
66 | <br> | ||
67 | Mentor: Martin Schanzenbach | 104 | Mentor: Martin Schanzenbach |
68 | </p> | 105 | </p> |
69 | </section> | 106 | </section> |
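Review bot: In the new "re:claimID OpenID Connect performance improvements" section, the proposal to carry the decryption key and an initial attribute set inside the authorization ticket sits right after the sentence stating that the GNS lookups are what ensure the RP receives up-to-date attributes and functional decryption keys; the text should say how freshness and revocation are preserved when the RP no longer resolves these from GNS (for example, whether piggybacked values are only a bootstrap that a later GNS resolution supersedes), otherwise the performance goal reads as trading away the property the previous sentence relies on. Smaller points in the same hunk: both sections say "build on top of" where "built on top of" is meant; "depenencies" should be "dependencies"; "This would result in gnunet packages to include re:claimID by default" would read better as "This would allow gnunet packages to include re:claimID by default"; and the first section still spells the project "reclaimID" while its heading and the second section use "re:claimID".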