Release of the GNUnet P2P platform 0.13. Promoting GNS as an Internet Standard

The IETF (Internet Engineering Task Force), the committee that develops the protocols and architecture of the Internet, has begun the process of standardizing GNS (GNU Name System), a domain name system developed by the GNUnet project as a fully decentralized and uncensorable replacement for DNS. The first draft of the standard has been published; once it stabilizes, an RFC with the status of Proposed Standard will be produced.

GNS can be used side by side with DNS and in traditional applications such as web browsers. The integrity and immutability of records is ensured through cryptographic mechanisms. Unlike DNS, GNS uses a directed graph instead of a tree-like hierarchy of servers. Name resolution is similar to DNS, but requests and responses are kept confidential: the node processing a request does not know to whom the answer is given, and transit nodes and third-party observers cannot decrypt requests and responses.

A DNS zone in GNS is identified by an ECDSA public/private key pair based on the Curve25519 elliptic curve. Some regard the use of Curve25519 as a very strange step, since ECDSA is normally used with other types of elliptic curves, while Curve25519 is usually paired with the Ed25519 digital signature algorithm, which is more modern, more secure and faster than ECDSA. From the point of view of cryptographic strength, the choice of key size is also questionable (32 bytes instead of the 64 bytes usually used for Ed25519), as is the use of cascaded symmetric encryption with the AES and Twofish algorithms in CFB mode.

This approach is explained by the need to implement hierarchical keys, which make it possible to derive a child public key from the root public key using the linearity property of Curve25519. This feature allows child public keys to be obtained without knowing the root private key. The same technique is also used in Bitcoin. The 32-byte key size was chosen so that the key fits in a single DNS record.
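The linearity property described above, shown as an added example that is not GNUnet code and not the derivation defined in the GNS draft: a public scalar h computed from the zone public key Q and a label yields the child public key h·Q, while only the holder of the private scalar d can compute the matching private key h·d. The SHA-512 based `blinding_factor`, the function names and the demo key are assumptions made for illustration.

```python
import hashlib

# Edwards25519 parameters (the curve underlying Ed25519).
P = 2**255 - 19                                            # field prime
L = 2**252 + 27742317777372353535851937790883648493        # base point order
D = -121665 * pow(121666, -1, P) % P                       # curve constant d
G = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     4 * pow(5, -1, P) % P)                                # base point
IDENTITY = (0, 1)

def add(a, b):
    """Complete addition law for -x^2 + y^2 = 1 + d*x^2*y^2 (affine)."""
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + x2 * y1) * pow((1 + t) % P, -1, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow((1 - t) % P, -1, P) % P
    return (x3, y3)

def mul(k, pt):
    """Double-and-add scalar multiplication (demo only, not constant time)."""
    acc = IDENTITY
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def blinding_factor(zone_pub, label):
    """Hypothetical KDF: public scalar h from the zone public key and label."""
    data = b"".join(c.to_bytes(32, "little") for c in zone_pub) + label.encode()
    return int.from_bytes(hashlib.sha512(data).digest(), "little") % L

def derive_child_public(zone_pub, label):
    """Anyone can compute h*Q from the public key Q alone."""
    return mul(blinding_factor(zone_pub, label), zone_pub)

def derive_child_private(zone_priv, label):
    """Only the zone owner can compute the matching scalar h*d mod L."""
    return blinding_factor(mul(zone_priv, G), label) * zone_priv % L

# Constructed demo key, not a real zone key.
ZONE_PRIV = int.from_bytes(hashlib.sha512(b"constructed demo zone").digest(), "little") % L
ZONE_PUB = mul(ZONE_PRIV, G)
```

The two derivation paths agree because h·(d·G) = (h·d)·G, which is the linearity the article refers to.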

Also of note is the new release of the GNUnet 0.13 framework, designed for building secure decentralized P2P networks. Networks created using GNUnet have no single point of failure and are able to guarantee the inviolability of users' private information, including eliminating possible abuse by intelligence agencies and administrators who have access to network nodes. The release is marked as containing significant protocol changes that break backward compatibility with versions 0.12.x.

GNUnet supports the creation of P2P networks over TCP, UDP, HTTP/HTTPS, Bluetooth and WLAN, and can work in F2F (friend-to-friend) mode. NAT traversal is supported, including via UPnP and ICMP. A distributed hash table (DHT) can be used to address data placement. Tools are provided for deploying mesh networks. To selectively grant and revoke access rights, the decentralized identity attribute exchange service re:claimID is used, which relies on GNS (GNU Name System) and attribute-based encryption.

The system features low resource consumption and uses a multi-process architecture to provide isolation between components. It provides flexible tools for logging and collecting statistics. For developing end applications, GNUnet provides an API for the C language and bindings for other programming languages. To simplify development, event loops and processes are used instead of threads. A test library is included for automatically deploying experimental networks covering tens of thousands of peers.

In addition to GNS, several off-the-shelf applications are also being developed based on GNUnet technologies:

  • An anonymous file-sharing service that prevents analysis of information by transmitting data only in encrypted form and, through the GAP protocol, prevents tracking of who posted, searched for and downloaded files.
  • VPN system for creating hidden services in the ".gnu" domain and forwarding IPv4 and IPv6 tunnels over a P2P network. Additionally, IPv4-to-IPv6 and IPv6-to-IPv4 translation schemes are supported, as well as IPv4-over-IPv6 and IPv6-over-IPv4 tunneling.
  • GNUnet Conversation, a service for making voice calls over GNUnet. GNS is used to identify users, and the content of voice traffic is transmitted in encrypted form. Anonymity is not yet provided: other peers can track the connection between two users and determine their IP addresses.
  • Secushare, a platform for building decentralized social networks that uses the PSYC protocol and supports multicast distribution of notifications with end-to-end encryption, so that only authorized users can access messages, files, chats and discussions (those to whom messages are not addressed, including site administrators, will not be able to read them).
  • pretty Easy privacy, a system for organizing encrypted e-mail that uses GNUnet to protect metadata and supports various cryptographic protocols for key verification.
  • GNU Taler, a payment system that provides anonymity for buyers but tracks seller transactions for transparency and tax reporting. Work with various existing currencies and electronic money is supported, including dollars, euros and bitcoins.

Main new features of GNUnet 0.13:

  • The GANA (GNUnet Assigned Numbers Authority) registry, responsible for assigning names and addresses for GNUnet, has been put into operation.
  • The implementation of the decentralized GNS domain name system has been brought into line with the specification proposed to the IETF. The work of the NSS plugin "block" has been adjusted. Added new SUPPLEMENTAL flags for entries that are not explicitly published under the given label but are returned by the resolver. Added a warning to the gnunet-namestore utility when adding TLSA or SRV entries outside of a BOX entry.
  • In the key revocation mechanism (GNS/REVOCATION), the proof-of-work function has been switched to the Argon2 hashing algorithm.
  • In the decentralized identity attribute exchange (RECLAIM) service, the ticket size has been increased to 256 bits.
  • The transport plugin that uses the UDP protocol for data transfer has been moved to the experimental category due to stability issues.
  • The key file format and the ECDSA private key serialization method have been unified with other libraries (old keys will no longer work).
  • The libsodium library is used as the implementation of encryption algorithms based on elliptic curves.
  • Added the ability to build utilities with a cURL library that is not linked with gnutls.
  • The Buildbot continuous integration server is back.
  • The build dependencies include the libmicrohttpd, libjansson, and libsodium libraries.

Source: opennet.ru
