GNUnet: Big Brother can’t watch you anymore

Roger Johan, published in Spider R&D, Feb 1, 2023


The internet as we know it today is based on a client-server architecture and relies heavily on the TCP/IP protocol stack, which in turn depends on centralized services such as ICANN and ISPs. These centralized services provide no security guarantees, yet they function as the backbone of the internet. Their insecurity enabled the United States National Security Agency (NSA) to collect internet communications from various US internet companies under the code name PRISM. Even though we have authenticated encryption for communicating over the internet, and services such as Tor, these still leak metadata such as the time, frequency, and volume of communication. That metadata can be reverse-engineered through traffic analysis to reveal which pages were visited.

Michael Hayden, the former head of both the NSA and the CIA, explained that the US government “kills based on metadata”.

To tackle these shortcomings of the current internet infrastructure, we need an infrastructure that offers:

  • metadata protection
  • decentralization
  • encryption

GNUnet is the solution. It is a free software framework for secure peer-to-peer networking that aims to protect users’ privacy, freedom, and autonomy. It provides a secure and decentralized platform for communication, file sharing, and other applications. It usually runs as an overlay network on top of the existing internet, but it can also serve as an underlay: an ad-hoc wireless mesh network over which TCP/IP can run.

high-level similarities between the internet and GNUnet

There are some high-level similarities between the internet and GNUnet. At the bottom is an underlying communication mechanism (“TRANSPORT”) with very weak capabilities, semantics, and assurances; above it sits a link-level mechanism that provides a basic level of service (“CORE”), followed by routing (“DHT”), reliable end-to-end communication (“CADET”), a system for reliably naming objects on the network (“GNS”), a messaging protocol (“PSYC”), and finally the applications.

Transport underlay abstraction:

GNUnet was the first P2P network to support more than two methods of communication between peers. It does this to bypass firewalls, NAT, and censorship, and each method is handled by a transport plugin. A transport plugin determines the address format used for sending and receiving messages. A peer can support many mechanisms at once, and each transport mechanism can have zero or more addresses associated with it, so the transport subsystem decides which plugin and which addresses should be used to communicate with a given peer. One recurring problem in P2P networks is NAT traversal; having multiple ways of communicating between peers helps solve it in some cases. For example, suppose node B is behind a NAT box and cannot be reached directly via UDP or TCP. In a system with multiple transport protocols, A could initiate contact by sending B an email (SMTP) and have B connect back to A via TCP, after which A and B continue on a bidirectional TCP connection.
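The selection logic described above, as an added example that is not GNUnet's own transport code: a peer advertises one or more addresses per transport plugin, and the local side picks a direct bidirectional address if one is reachable, otherwise falls back to a one-way channel (the SMTP case in the text) that asks the remote peer to connect back over a plugin the local side can accept on. Plugin names, the Address and Plan types, and the two sample peers are constructed for this illustration.

```python
"""Toy model of GNUnet-style transport selection with a NAT-traversal fallback.
Added example; the data model and the selection rule are assumptions made for
illustration, not the real TRANSPORT subsystem."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Address:
    plugin: str              # transport plugin that understands this address
    addr: str                # plugin-specific address format
    bidirectional: bool      # can both sides send once a session exists?
    reachable_inbound: bool  # can a remote peer deliver to this address unaided?


@dataclass
class Peer:
    name: str
    plugins: Set[str]        # plugins this peer has loaded
    addresses: List[Address]  # addresses it advertises (zero or more per plugin)


@dataclass
class Plan:
    mode: str                 # "direct" or "reverse"
    first_hop: Address        # address the local peer sends to first
    callback: Optional[Address] = None  # where the remote should connect back


def select_transport(local: Peer, remote: Peer) -> Optional[Plan]:
    """Pick how `local` should open a session to `remote`.

    1. Prefer a remote address that is bidirectional, inbound-reachable, and
       served by a plugin the local peer also has (plain direct connection).
    2. Otherwise use any inbound-reachable remote address as a one-way channel
       to request a connect-back to a local bidirectional address that the
       remote peer's plugins can reach (the SMTP-then-TCP case in the text).
    3. If neither exists, no session is possible without a third party.
    """
    for a in remote.addresses:
        if a.plugin in local.plugins and a.bidirectional and a.reachable_inbound:
            return Plan("direct", a)

    callback = next(
        (a for a in local.addresses
         if a.bidirectional and a.reachable_inbound and a.plugin in remote.plugins),
        None,
    )
    one_way = next(
        (a for a in remote.addresses
         if a.plugin in local.plugins and a.reachable_inbound),
        None,
    )
    if callback is not None and one_way is not None:
        return Plan("reverse", one_way, callback)
    return None


# Constructed sample peers: A is publicly reachable, B sits behind a NAT box.
PEER_A = Peer("A", {"tcp", "smtp"}, [
    Address("tcp", "203.0.113.10:2086", bidirectional=True, reachable_inbound=True),
])
PEER_B = Peer("B", {"tcp", "smtp"}, [
    # private address: B's own TCP listener cannot be reached from outside
    Address("tcp", "192.168.1.20:2086", bidirectional=True, reachable_inbound=False),
    # mail is delivered to B even behind NAT, but it is one-way and slow
    Address("smtp", "b@example.invalid", bidirectional=False, reachable_inbound=True),
])

if __name__ == "__main__":
    print("A -> B:", select_transport(PEER_A, PEER_B))
    print("B -> A:", select_transport(PEER_B, PEER_A))
```

Running the block shows the asymmetry the text describes: A reaching B needs the reverse plan (SMTP first, then B dials A's TCP address), while B reaching A is a direct TCP connection.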

R5N Distributed Hash Table (DHT):

A distributed hash table is used in P2P systems to provide a lookup service for key-value pairs: any node can retrieve the value associated with a given key. R5N is an acronym for “randomized recursive routing for restricted-route networks”. A primary goal of R5N is to provide an open network that users can join or leave at any time without approval by a certificate authority or other trusted entity.

CADET (Confidential Ad-hoc Decentralized End-to-end Transport):

The CADET subsystem uses the R5N DHT to find multiple paths to a peer and establishes an end-to-end encrypted connection over them. It tries to find a direct connection between peers where possible, but it also establishes multiple paths to the destination and uses them in parallel. CADET performs better after a network has been running for a while, because peers learn the network topology and optimize their paths, resulting in shorter paths and more connections. Together, CADET and the R5N DHT fulfil the roles of both IP and TCP/UDP. In particular, CADET takes care of the connectivity needs of peers that cannot establish direct connections: it uses the DHT to discover routes and performs authentication, encryption, and traffic control between any two peers in the network, as long as they are in the same connected graph. It also adapts quickly to changes in the network.

GNU Naming System (GNS):

The GNU Naming System plays the role in GNUnet that DNS plays in the internet infrastructure. A key feature of GNS is that all public records are stored in the R5N DHT rather than on centralized, authoritative servers as with DNS. Unlike DNS, GNS does not leak metadata such as a user’s name-resolution activity to the network. The subsystem can be used for telephony applications too: GNUnet conversation uses GNS as its public key infrastructure, with a GNS zone serving as a phone book, and then uses CADET to establish the communication channel.
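The two preceding ideas, a DHT from which any node can fetch the value for a key, and a name system whose records live in that DHT without exposing what is being looked up, as one added example that is not GNUnet's own code. It stores a phone-book zone's records under a key derived from the zone identity and the label, encrypted with a key only someone who knows both can derive, so a DHT node sees an opaque hash and ciphertext rather than the name being resolved. The flat ToyDHT class, the HMAC-based key derivation, and the SHA-256 keystream "cipher" are simplifications assumed for illustration; the sample zone and records are constructed.

```python
"""Toy model of GNS-style record publication and lookup over a DHT.
Added example, not GNUnet code: the key derivation and the keystream cipher
are deliberately simple stand-ins used only to show what a DHT node observes."""
import hashlib
import hmac
import json
from typing import Any, Dict, List, Optional


class ToyDHT:
    """Stand-in for R5N: a flat key-value store that any node can query."""

    def __init__(self) -> None:
        self.store: Dict[bytes, bytes] = {}

    def put(self, key: bytes, value: bytes) -> None:
        self.store[key] = value

    def get(self, key: bytes) -> Optional[bytes]:
        return self.store.get(key)


def query_key(zone_id: bytes, label: str) -> bytes:
    """DHT key for (zone, label): a hash, so the DHT never sees the label."""
    return hmac.new(zone_id, b"query:" + label.encode(), hashlib.sha256).digest()


def record_key(zone_id: bytes, label: str) -> bytes:
    """Separate symmetric key for the record block, derived the same way."""
    return hmac.new(zone_id, b"record:" + label.encode(), hashlib.sha256).digest()


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter keystream). Illustration only."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def publish(dht: ToyDHT, zone_id: bytes, label: str, records: List[Any]) -> None:
    """Zone owner stores an encrypted record block under the derived key."""
    blob = json.dumps(records, sort_keys=True).encode()
    dht.put(query_key(zone_id, label), xor_keystream(record_key(zone_id, label), blob))


def resolve(dht: ToyDHT, zone_id: bytes, label: str) -> Optional[List[Any]]:
    """Anyone who knows the zone and label can derive the key and decrypt."""
    blob = dht.get(query_key(zone_id, label))
    if blob is None:
        return None
    return json.loads(xor_keystream(record_key(zone_id, label), blob))


def dht_sees_label(dht: ToyDHT, label: str) -> bool:
    """What a curious DHT operator can learn: does the label appear anywhere
    in the keys or values it stores?"""
    needle = label.encode()
    return any(needle in k or needle in v for k, v in dht.store.items())


# Constructed sample: a phone-book zone as used by GNUnet conversation.
ALICE_ZONE = hashlib.sha256(b"constructed zone identity for alice").digest()
PHONE_BOOK = {
    "bob-phone": [{"type": "PHONE", "value": "constructed-peer-identity-of-bob"}],
}

if __name__ == "__main__":
    dht = ToyDHT()
    for label, recs in PHONE_BOOK.items():
        publish(dht, ALICE_ZONE, label, recs)
    print("resolved:", resolve(dht, ALICE_ZONE, "bob-phone"))
    print("label visible to DHT nodes:", dht_sees_label(dht, "bob-phone"))
```

The point of `dht_sees_label` is the metadata argument from the text: a DNS resolver learns every name you ask for, whereas a node in this DHT only ever handles a derived hash and an encrypted block.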

GNUnet subsystems(simplified)

Conclusion:

The current internet infrastructure, based on the TCP/IP protocol stack, was not designed with security in mind. We can protect ourselves from corporations spying on us by using GNUnet, which is decentralized, peer-to-peer, and encrypted.

Resources:

  1. GNUnet System, Christian Grothoff
  2. GNUnet.org
  3. GNUnet talk
