GNU Name System: 2019 Edition Christian Grothoff IETF 104 - - PowerPoint PPT Presentation

SLIDE 1

GNU Name System: 2019 Edition

Christian Grothoff, IETF 104

“Developers of new name resolution systems that must work in existing contexts actually have no choice: they must use a Special-Use Domain Name to segregate a portion of the namespace for use with their system.” – RFC 8244

SLIDE 2

Context

GNU Name System: 2019 Edition 1/1

SLIDE 3

Applications in GNUnet (under development)

◮ Anonymous and non-anonymous publishing
◮ IPv6–IPv4 protocol translation and tunnelling
◮ GNU Name System: censorship-resistant replacement for DNS
◮ Conversation: secure, decentralized voice communication
◮ SecuShare: social networking
◮ GNU Taler: privacy-friendly payments
◮ ...

SLIDE 4

DNS troubles

◮ DNS remains a source of traffic amplification for DDoS
◮ DNS censorship (e.g. by China) causes collateral damage in other countries
◮ DNS is part of the mass surveillance apparatus (MCB)
◮ DNS is abused for offensive cyber war (QUANTUMDNS)

Band-aid solutions¹ will not fix this.

¹ DNS-over-TLS, DoH, DNSSEC, DPRIVE, ...

SLIDE 5

The GNU name system²

◮ Decentralized name system ⇒ names are not global
◮ Supports globally unique (& secure) identification
◮ Achieves query and response privacy
◮ Provides public key infrastructure
◮ Interoperable with DNS

² Joint work with Martin Schanzenbach, Matthias Wachs and Patrick Gerber

SLIDES 6–15

Zone management

SLIDE 16

Name resolution in GNS

Bob's local zone: www A 5.6.7.8 (Bob's webserver)
Bob's zone key pair: K_Bob_pub / K_Bob_priv

◮ Bob can now reach his Web server under www.bob

SLIDE 17

Secure Introduction

Bob's business card:
Bob Builder, Ph.D.
Address: Country, Street Name 23
Phone: 555-12345
Mobile: 666-54321
Mail: bob@H2R84L4JIL3G5C

◮ Bob provides his public key to his friends, e.g. via QR code

SLIDE 18

Delegation

Alice's local zone: bob PKEY 8FS7 ...
Alice's zone key pair: K_Alice_priv / K_Alice_pub

Bob's business card: Bob Builder, Ph.D.; Address: Country, Street Name 23; Phone: 555-12345; Mobile: 666-54321

◮ Alice learns Bob's “public” key
◮ Alice creates a delegation to zone K_Bob_pub under the label bob
◮ Alice can then reach Bob's Web server under www.bob.alice

SLIDES 19–25

Name resolution

Diagram, built up step by step over slides 19–25. Bob's zone (public key 8FS7) holds the record “www A 5.6.7.8”; Alice's zone (public key A47G) holds the delegation “bob PKEY 8FS7”; both peers are connected to the DHT.

◮ Bob: PUT 8FS7-www: 5.6.7.8 (Bob publishes his record in the DHT)
◮ 1. www.bob.alice ? (the query arrives at Alice)
◮ 2. 'bob' ? (Alice looks up the label in her own zone)
◮ 3. PKEY 8FS7 ! (the delegation to Bob's zone)
◮ 4. 8FS7-www ? (Alice queries the DHT for label www in zone 8FS7)
◮ 5. A 5.6.7.8 ! (the DHT returns Bob's record)

SLIDES 26–30

Browser Configuration

SLIDE 31

Browser Usage

SLIDE 32

Privacy issue: DHT

(Same resolution diagram as slides 19–25, steps 1–5: Bob's PUT 8FS7-www: 5.6.7.8 and Alice's query 4, 8FS7-www ?, both pass through the DHT.)

SLIDE 33

Query privacy: terminology

◮ $G$: generator of the ECC curve, a point
◮ $n$: size of the ECC group, $n := |G|$, $n$ prime
◮ $x$: private ECC key of the zone ($x \in \mathbb{Z}_n$)
◮ $P$: public key of the zone, a point, $P := xG$
◮ $l$: label for a record in a zone ($l \in \mathbb{Z}_n$)
◮ $R_{P,l}$: set of records for label $l$ in zone $P$
◮ $q_{P,l}$: query hash (hash code for the DHT lookup)
◮ $B_{P,l}$: block with encrypted information for label $l$ in zone $P$, published in the DHT under $q_{P,l}$

SLIDES 34–35

Query privacy: cryptography

Publishing records $R_{P,l}$ as $B_{P,l}$ under key $q_{P,l}$:

$h := H(l, P)$ (1)
$d := h \cdot x \bmod n$ (2)
$B_{P,l} := S_d\big(E_{\mathrm{HKDF}(l,P)}(R_{P,l})\big), dG$ (3)
$q_{P,l} := H(dG)$ (4)

Searching for records under label $l$ in zone $P$:

$h := H(l, P)$ (5)
$q_{P,l} := H(hP) = H(hxG) = H(dG) \Rightarrow$ obtain $B_{P,l}$ (6)
$R_{P,l} = D_{\mathrm{HKDF}(l,P)}(B_{P,l})$ (7)
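Slides 19–25 show the resolution steps and slides 34–35 the equations behind the DHT keys. The Python program below is an added example, not part of the slides or of the GNUnet code base: it implements both ends of equations (1)–(7) and then walks steps 1–5 for www.bob.alice. Every concrete primitive is an assumption made for the example rather than GNS's actual choice: secp256k1 stands in for the group $(G, n)$, SHA-512 for $H$, RFC 5869 HKDF-SHA256 for $\mathrm{HKDF}(l,P)$, an HMAC counter keystream for the symmetric cipher $E$/$D$, and ECDSA for the signature $S_d$. The function names publish, lookup, resolve and demo are likewise the example's own.

```python
import hashlib, hmac, secrets
# secp256k1 parameters: a real curve, standing in for the group (G, n) of the terminology slide.
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):
    """Affine addition on y^2 = x^3 + 7 over F_p; None is the point at infinity."""
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, A):
    """Double-and-add scalar multiplication k*A (k in Z_n)."""
    R = None
    while k:
        R, A, k = (ec_add(R, A) if k & 1 else R), ec_add(A, A), k >> 1
    return R

def enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def H(label, P):
    """h := H(l, P), reduced to a scalar in Z_n (eqs. 1 and 5)."""
    return int.from_bytes(hashlib.sha512(label.encode() + enc(P)).digest(), "big") % N

def hkdf(label, P):
    """RFC 5869 HKDF-SHA256, one output block: the record key HKDF(l, P) of eqs. 3 and 7."""
    prk = hmac.new(b"gns-demo-salt", label.encode() + enc(P), hashlib.sha256).digest()
    return hmac.new(prk, b"gns-demo-records\x01", hashlib.sha256).digest()

def stream_xor(key, data):
    """Stand-in symmetric cipher for E and D: XOR with an HMAC counter keystream."""
    ks = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def ecdsa_sign(priv, msg):
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s:
            return (r, s)

def ecdsa_verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    w = pow(s, -1, N)
    R = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    return R is not None and R[0] % N == r

def publish(x, label, record):
    """Zone owner, eqs. 1-4: d = H(l,P)*x, block = S_d(E(R)), dG, DHT key q = H(dG)."""
    P = ec_mul(x, G)
    d = H(label, P) * x % N
    dG = ec_mul(d, G)
    ct = stream_xor(hkdf(label, P), record)
    return hashlib.sha512(enc(dG)).digest(), (ct, ecdsa_sign(d, ct), dG)

def lookup(dht, P, label):
    """Resolver, eqs. 5-7: from P and l alone, hP = hxG = dG yields q and the verification key."""
    hP = ec_mul(H(label, P), P)
    block = dht.get(hashlib.sha512(enc(hP)).digest())
    if block is None:
        return None
    ct, sig, dG = block
    if dG != hP or not ecdsa_verify(hP, ct, sig):
        raise ValueError("block not signed by the zone owner")
    return stream_xor(hkdf(label, P), ct)

def resolve(name, local_zone, local_tld, dht):
    # Steps 1-5 of the slides: www.bob.alice -> local PKEY for 'bob' -> DHT query for 'www'.
    labels = name.split(".")
    if labels.pop() != local_tld:
        return None
    zone = None  # None: answer from our own zone; otherwise the public key of a delegated zone
    while labels:
        label = labels.pop()
        if zone is None:                  # steps 2/3: 'bob' -> PKEY 8FS7
            rec = local_zone.get(label)
        else:                             # steps 4/5: 8FS7-www -> A 5.6.7.8
            raw = lookup(dht, zone, label)
            rec = tuple(raw.decode().split(" ", 1)) if raw else None
        if rec is None or rec[0] != "PKEY":
            return rec                    # terminal record, or no such name
        zone = rec[1]                     # delegation (local PKEY records hold the point itself)

def demo():
    # Bob publishes 'www A 5.6.7.8'; Alice delegates 'bob' to Bob's zone and resolves the name.
    x_bob = secrets.randbelow(N - 1) + 1
    P_bob = ec_mul(x_bob, G)
    dht = dict([publish(x_bob, "www", b"A 5.6.7.8")])  # Bob: PUT 8FS7-www: 5.6.7.8
    alice_zone = {"bob": ("PKEY", P_bob)}             # Alice: bob PKEY 8FS7
    return resolve("www.bob.alice", alice_zone, "alice", dht)  # -> ("A", "5.6.7.8")
```

What the example makes visible: the DHT only ever stores $q = H(dG)$ and an encrypted, signed block, so a node storing or answering the query learns neither the label nor the zone key. The resolver, knowing only $P$ and $l$, reaches the same $q$ via $hP = hxG = dG$, can verify the block's signature under $dG$, and decrypts with $\mathrm{HKDF}(l,P)$; a block whose ciphertext was altered in the DHT fails that signature check and is rejected before decryption.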

SLIDE 36

Globally unique identifiers

◮ Public keys are globally unique
◮ Users can use any public key (in a base32 encoding) as a TLD
◮ “alice.bob.KEY” is a valid, globally unique identifier

SLIDE 37

Key revocation

◮ Revocation message signed with the private key (ECDSA)
◮ Flooded on all links in the P2P overlay, stored forever
◮ Efficient set reconciliation used when peers connect
◮ Expensive proof-of-work used to limit DoS potential
◮ Proof-of-work can be calculated ahead of time
◮ Revocation messages can be stored off-line if desired

SLIDE 38

Latest political developments

Originally, GNS used the pTLD “.gnu” as protocol switch. draft-grothoff-iesg-special-use-p2p-names tried to make this official following RFC 6761.

◮ IETF's dnsop refused to follow RFC 6761 for us; only Apple and Facebook have the political power to get “free” TLDs (“.local”, “.onion”)
◮ But RFC 8244 (quote from slide 1) is wrong: our latest release allows users to override any domain name
◮ Can override “ietf.org”, or “.fr”, or “.bob” by simply specifying a GNS public key for that domain in the configuration:
  ◮ Usability greatly improved (thank you, IETF)
  ◮ Transparency reduced for users: a usability study showed users cannot tell DNS vs. GNS
◮ gnunet-dns2gns is a DNS proxy speaking DNS that resolves some names via GNS

SLIDE 39

Latest technical developments

◮ Demonstrated scaling of the DHT implementation to deal with millions of records
◮ Implemented gnunet-zoneimport to import DNS records by single query (given a list of names)
◮ Implemented Ascension to import DNS records via AXFR
◮ Imported “.fr” into a GNS zone based on a public name list and brute-force zone transfer
◮ Imported “.se” and “bfh.ch” using AXFR

SLIDE 40

Conclusion and outlook

◮ The DNS monopoly is over.
◮ GNS is simpler than DNS: no glue, no NSEC3, no RRSIG
◮ GNS provides private name resolution and censorship resistance
◮ GNS does not require ICANN, a root zone, or IANA special-use TLDs
◮ Operators should no longer be advised about “.gnu”, but about name resolution protocol diversity without any signalling
◮ GNUnet will include a domain → public key map in the default configuration

⇒ Donate just 130,000 EUR to GNUnet e.V. today to get yours!³

³ This is a special discount for dnsop members.

SLIDE 41

Questions? More information on the Web:

◮ https://gnunet.org/gns
◮ Slides will be published at https://grothoff.org/christian/.

“When governments fear the people, there is liberty. When the people fear the government, there is tyranny. The strongest reason for the people to retain the right to keep and bear arms is, as a last resort, to protect themselves against tyranny in government.” —Thomas Jefferson