
[freehaven-dev] Re: free haven project, notes

On Sat, Feb 26, 2000 at 03:29:05PM -0500, Kevin Fu wrote:
> Can you brush up my notes below?  I don't want to repeat much from
> your thesis proposal.  The Q/A needs to be correct though.
> --------
> Kevin E. Fu (fubob@mit.edu)
> PGP key: https://snafu.fooworld.org/~fubob/pgp.html
> The Free Haven Project aka "A distributed secure RAID 5"

I'm uncomfortable with the 'aka' here for several reasons. First,
we aren't a raid 5. We don't work that way. We do provide (as my thesis
title goes) an 'anonymous secure data haven', but the mechanism for
maintaining coherency has little to do with raid5 (for example, there
is no automatic reconstruction of lost shares). My second reason for
being uncomfortable with this is because I considered the parallel to
raid5 only after a company working on a similar project mentioned they
were doing wide-area raid5... so it would look pretty weird.

> February 22, 2000
> Speaker: Roger Dingledine
> Scribe: Kevin Fu
> Motivation:
> There does not exist a system to anonymously retrieve documents when
> the location of the document is also anonymous.  Without this
> anonymity, opposition can easily remove publications.  For instance,
> the Church of Scientology bullies governments into preventing
> distribution of their religious documents.
> The Free Haven Project consists of a number of entities:
> * Servnet
> The Servnet consists of a set of independent servnet nodes.  Each
> node accepts opaque data for publication.  A Servnet node publishes
> the data.
> * Mixnet
> A collection of machines which anonymize email.
It doesn't have to be email. I would say 'communications' here to be
more general. Many mixnets these days work at the packet level over IP.
> The Free Haven Project uses an information dispersal algorithm
> One ASRG member asked whether the Tornado algorithm would help with an
> O(n) reconstruction time.
> Accountability:
> Shares of a publication will check each other for validity.
> Related Work:
> The Freenet Project at sourceforge.net
> Rewebber
> Most anonymous storage systems perform the same functions as the Free
> Haven Project, but there is a significant difference in anonymity.
> Most projects define anonymity as "persons requesting a document
> cannot identify the publisher."  The Free Haven Project uses a
> different tack.  It defines anonymity as "the publisher does not know
> the identity of the reader."
No, we provide three levels of anonymity. Quoting from my proposal:

The Free Haven Project intends to deploy a system that provides a good
infrastructure for stronger anonymity. Specifically, this means that the
publisher of a given document should not be known; that clients requesting
the document should not have to identify themselves to anyone; and that the
current location of the document should not be known. Additionally, it would be
preferable to limit the number of opportunities where an outsider can show
that a given document passed through a given computer.

> ASRG participants raised several questions:
> Q: How does a person locate a document?
> A: Documents are named by a file handle which consists of a
> cryptographic hash of a public key.  Providing a directory service is
> not the goal of the Free Haven Project.  There is no native provision
> for directory lookups.  Users are expected to do this out of band.
> Q: It seems that searching for information will be difficult.  Why?
> A: A directory allows censorship.  A government could search for
> the file handle in a directory, then censor the file lookup.
> Q: So isn't it hard to trust directory contents that are built
> out of band?
> A: The Free Haven Project does not want to solve the directory problem
> within the main system.  Directories would require frequent updates.
> The Free Haven project has latencies in hours or days.  You wouldn't
> want a directory service like this.  Free Haven is a base
> infrastructure for anonymous publication.  It's not a web server.
> It's not a directory.  It neither allows nor prevents others from adding
> this functionality at a higher layer.
> Q: How many public keys are there per file fragment?
> A: Each file is associated with one public key.  The corresponding
> shares/fragments share the same key.
> Q: What are the potential bottlenecks?  
> A: Periodically each servnet node broadcasts to every other servnet
> node it knows about.  Each message is individually encrypted and
> signed to each other node.  This can be expensive.
> Q: Describe the GUI.  How easy is it to use compared to PGP or
> the LCS anonymous remailer?
> A: Point and click.  Users need only have the file handle (hash of the
> public key) of a document to locate the document content.
> Client code is underway to hide the cryptography from the user.
> Q: What's the first thing you'll do with the Free Haven?
> A: The first thing going into the system is the client code because it
> may contain potentially patented algorithms.

Er, you should put a smiley or something at the end of this one. :)

Looks good overall. Thanks!
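Added example, not code from this thread or from the Free Haven project: a k-of-n information dispersal in the style of Rabin's IDA over GF(2^8), with the document named by a hash of its public key as the Q/A above describes. Assumptions not stated in the thread: SHA-256 as the handle hash, share indices 1..n as the field points, a 4-byte length prefix to strip padding, and a constructed stand-in for the public-key bytes (the real system would hash the document's actual signing key). It also shows where the ASRG question about reconstruction cost comes from: rebuilding from k shares here means one O(k^3) matrix inversion plus O(k) field multiplications per recovered byte, which is what a linear-time code such as Tornado would improve on.

```python
import hashlib

# --- GF(2^8) arithmetic, reducing polynomial x^8+x^4+x^3+x^2+1 (0x11d) ---
EXP = [0] * 512
LOG = [0] * 256
_v = 1
for _i in range(255):
    EXP[_i] = _v
    LOG[_v] = _i
    _v <<= 1
    if _v & 0x100:
        _v ^= 0x11D
for _i in range(255, 512):
    EXP[_i] = EXP[_i - 255]


def gf_mul(a, b):
    if a == 0 or b == 0:
        return 0
    return EXP[LOG[a] + LOG[b]]


def gf_inv(a):
    # a must be nonzero; only called on pivots below
    return EXP[255 - LOG[a]]


def vander_row(x, k):
    """[1, x, x^2, ..., x^(k-1)] over GF(2^8)."""
    row = [1]
    for _ in range(k - 1):
        row.append(gf_mul(row[-1], x))
    return row


def file_handle(public_key: bytes) -> str:
    """Name a document by a hash of its public key (SHA-256 is assumed here)."""
    return hashlib.sha256(public_key).hexdigest()


def disperse(data: bytes, k: int, n: int) -> list[tuple[int, bytes]]:
    """Split data into n shares of about len(data)/k bytes; any k shares rebuild it."""
    assert 1 <= k <= n <= 255, "share index must be a nonzero field element"
    # Prefix the length so padding can be stripped, then pad to a multiple of k.
    payload = len(data).to_bytes(4, "big") + data
    payload += b"\0" * (-len(payload) % k)
    shares = []
    for x in range(1, n + 1):
        row = vander_row(x, k)
        out = bytearray()
        for off in range(0, len(payload), k):
            acc = 0
            for j in range(k):
                acc ^= gf_mul(row[j], payload[off + j])
            out.append(acc)
        shares.append((x, bytes(out)))
    return shares


def reconstruct(shares: list[tuple[int, bytes]], k: int) -> bytes:
    """Rebuild the document from any k distinct shares."""
    shares = shares[:k]
    assert len(shares) == k and len({x for x, _ in shares}) == k, "need k distinct shares"
    # Gauss-Jordan inversion of the k x k Vandermonde submatrix: O(k^3), done once.
    aug = [vander_row(x, k) + [int(c == i) for c in range(k)]
           for i, (x, _) in enumerate(shares)]
    for col in range(k):
        piv = next(r for r in range(col, k) if aug[r][col] != 0)
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = gf_inv(aug[col][col])
        aug[col] = [gf_mul(v, inv) for v in aug[col]]
        for r in range(k):
            if r != col and aug[r][col] != 0:
                f = aug[r][col]
                aug[r] = [a ^ gf_mul(f, b) for a, b in zip(aug[r], aug[col])]
    inv_m = [row[k:] for row in aug]
    # Apply the inverse to every byte column: O(k^2) per column, O(k) per output byte.
    payload = bytearray()
    for pos in range(len(shares[0][1])):
        column = [s[pos] for _, s in shares]
        for j in range(k):
            acc = 0
            for i in range(k):
                acc ^= gf_mul(inv_m[j][i], column[i])
            payload.append(acc)
    size = int.from_bytes(payload[:4], "big")
    return bytes(payload[4:4 + size])


if __name__ == "__main__":
    # Constructed stand-in for a document public key (not a real key).
    pubkey = b"-----BEGIN CONSTRUCTED PUBLIC KEY-----\nnot a real key\n"
    handle = file_handle(pubkey)
    doc = b"Free Haven meeting notes, 22 Feb 2000"
    shares = disperse(doc, k=3, n=5)
    # Every fragment of one document carries the same handle.
    tagged = [{"handle": handle, "index": x, "data": s} for x, s in shares]
    survivors = [(t["index"], t["data"]) for t in tagged if t["index"] in (1, 3, 5)]
    assert reconstruct(survivors, k=3) == doc
    print(handle, "rebuilt from shares", [x for x, _ in survivors])
```

Unlike secret sharing, plain dispersal gives no confidentiality: each share leaks a linear combination of document bytes, so in this model the document's secrecy, if wanted, has to come from encrypting it before dispersal, and the shares' integrity from the signature the thread mentions.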