I recently sent out draft zero of my thesis description to Allen. Figured I’d CC it here (with minor updates) for comment. My apologies, it’s pretty thick with jargon–I’ll have to work on that. Like it? Think it’s full of holes? Care to help me start a business?
OpenTrustNet is a model for low-latency, high-throughput trusted networks; it is intended to address the small worlds problem, and to a lesser extent the Sybil attack, for dark networks. The idea is intimately tied with both my AHS capstone (a study in the things new-school geeks value and how to promulgate them) and a business concept I’m interested in developing post-graduation—that of extensible commercial trust nets.
Properly marketed (as application-optimized ISPs rather than data havens) and properly built, I wonder if these couldn’t drastically accelerate the spread of safer networking, tipping the industry away from its current position where it is vulnerable to (and evidently subject to) massive surveillance and traffic analysis.
A commercial trusted network has the following properties:
It is built on an infrastructure of dedicated fiber joined by dedicated gateway/routers at carrier hotels in multiple states (with no peering links in the core network, so AT&T can’t snoop on us). It may also use symmetric crypto and random padding to further assure no one can eavesdrop and get meaningful results. Some fixed integer number of lambdas and cables is entirely consumed on any given day for any given link.
The dedicated routers cache frequently requested things wherever possible (using application-layer protocols like BitTorrent and FTP). In order for this to work, the core network routers are trusted with important information, such as request headers. This trust comes in part from the reputation of the network maintainers, but my intent is to reinforce it with cryptographic coprocessing (a la Trusted Computing) and protect it from hostile third parties by any means necessary.
Only subscribers, with some amount of dedicated bandwidth, are allowed to talk to the core network gateways. Subscribers are expected to maintain a constant rate of traffic by adding garbage (to disguise the actual data rate). For their own protection and that of the users, subscriber traffic rates are audited. Where possible, the spare bandwidth will be spent on useful work (such as cache prefetches using some intelligent algorithm).
Remote attestation and public key infrastructure checks will be used at the startup of each gateway or intranet link prior to obtaining access to routing and caching information. Subscriber machines are not globally trusted, so their knowledge is limited.
Instead, subscriber machines are locally trusted to forward requests from child-nodes anonymously or pseudonymously (at the discretion of the client application) and to maintain TLS sessions with child-nodes. This, in combination with proper caching architecture, makes protecting seeds and hidden services easy. Note that parent and child do not have to share a network or subnet, although that makes things run a lot faster and enhances privacy.
The source code and checksums of trusted gateway and subscriber software are prominently displayed on the web, along with public keys to current servers and source code for the recommended client. Clients should demand an attestation from the local subscriber at the beginning of a TLS session.
With some slight modifications, this model can be extended to allow secondary and tertiary subscription. Subscription still requires Trusted Computing (and is permitted or denied at the discretion of the next higher link in the tree). Nodes with ample dependent connections can run hidden servers safely; alternatively, people can pay to have hidden services hosted on the core network for better secrecy and availability.
Advantages:
Traffic on the core network mesh does not have to perform extraneous hops, eliminating a major source of bandwidth drain.
Persistent direct links (router-router and to a lesser extent router-subscriber) minimize the load from TLS initialization, while the lightweight server minimizes trusted platform hardware load associated with paging sensitive data to the disk.
Tiered infrastructure provides the needed mid- and long-range linkages for small-world networks, while keeping local traffic local and putting the biggest financial and computational burden on big-pocket customers (those with tier-one subscriptions).
Problems:
I was initially a bit confused regarding the cheapness of dark fibers. In terms of one-time purchase cost and even maintenance, they’re pretty cheap per kilometer-gigabit; it’s the fiber-optics and telecom-grade router hardware that are obnoxiously expensive.
More definitively a problem is the current state of Trusted Computing hardware. Despite its steadily increasing ubiquity even (and perhaps especially) in consumer equipment, the current specification is clumsy and dependent on a strongly access-controlled OS (properly configured, Fedora Core counts). Worse, it does not guard against hardware-bus-measuring attacks. The latter imposes severe limits on what can be done with complete confidentiality, since data evicted from cache travels naked on the memory bus.
Assuming the eventual development of a fully trusted server architecture (such as XOM) capable of running at telecom speeds, these are not absolute problems. Whether the service is capable of paying its own operating costs is a bigger question mark. The fact that it can be bundled with fast general-purpose internet services will help, but it’s still going to look like highway robbery in terms of the cost per megabit. Adding second and third tiers will help the first tier pay for itself—but there must be no pyramid-scheme-like illusions about system throughput. Some theoretical cost & performance analysis is needed.
At this point I haven’t proved to myself whether public gateways into the system can ever really be trusted. You might trust the head of IEEE or ACM at your school to properly run a subscribed server, maybe, but can you trust freeproxy.example.com to do the same? Bear in mind that just by routing your packets they can begin to know things about you. Unless your client is sending them a constant stream of garbage as well, Sybil attacks can still happen at the local level.
Other things to look at:
As a more constrained and testable example, I’ve considered playing with small-scale trusted peering as a way of expanding small-world nets (think wired mesh as opposed to wireless mesh), as in the proposal for GAIM buddylist-linked filesharing. This and does not address the important problem of establishing long-and-fast connections, but it does drastically expand the library available to the average person with decent security over existing connections–if the feature shipped with the standard client and was enabled by default, it would join a significant fraction of the user base into one massive media library, albeit with lousy latency and iffy bandwidth.
I’ve considered extending the simple tree model of the trust network in a number of ways. In particular, I draw inspiration from essays by Allen Downey and Ian Clarke (which are influenced by a 1998 Watts & Strogatz paper, which in turn springs directly from Milgram’s famous “6 degrees” experiment). They point out that the most efficiently structured darknets in terms of the requisite number of “blind jumps” are those with (I think?) Zipf’s Law distribution of link distances. In most cases, a regular, locally connected structure (for instance a grid) will suffice to keep the scaling logarithmic, provided there is a random sprinkling of long pathways. How to establish those pathways for best efficiency, and what the security consequences of doing so may be, are things I haven’t fully explored yet. What I do know is that the current link structure relies on a handful of definitely-not-random long links, the scaling properties of which are not great.
2 Comments so far
Leave a comment
I wonder how you protect minors and crazies from using this type of site for illegal and unethical purposes. I think I understand the idea of increased privacy. But, wouldn’t this be a way that for example child porn sites could protect themselves? Just a thought… maybe I do not undestand your safeguards.
Comment by Karen 10.18.06 @ 5:41 amYou understand perfectly. Ian Clarke, the leader of a related project called Freenet, put it succinctly when he said: “You cannot guarantee freedom of speech *and* enforce copyright.” For the same reason it would be impossible to trace child pornographers, terrorists, cybercriminals and the like.
As many have pointed out, it’s already damned near impossible to trace child pornographers, terrorists and cybercriminals, because they hack the internet protocol and use it to find nooks to bury themselves in. It’s the rest of us that pay the price for the neverending hunt for “subversives” when the government decides it’s okay for NSA to spy on us without a court order. It is we who pay the price when the RIAA and MPAA organize a legal dragnet to extort money from filesharers.
There is another way. As Lawrence Lessig put it, on the internet “code is law”. Stuff that you’re able to do, you’re able to do. If e-commerce is going to run smoothly without massive government intervention (i.e., even more censorship and spying), there needs to be a line drawn somewhere that marks the boundary between spaces where ordinary law is observed and those where the net can handle itself and live by its own terms, moderated only by the users. Some call it cyber-secession; others call it common sense. Either way, this kind of freedom can’t spring into existence entirely by itself. Someone has to help build it.
Hope that answers your question.
Comment by daniel.j.gallagher 10.18.06 @ 12:54 pmLeave a comment