File Sharing Without Consequences

Transcription

1

2 File Sharing Without Consequences Eijah v1.02 May 16 th, 2015

3 Who Am I? Eijah Voodoo Vision AA856A1BA814AB99FFDEBA6AEFBE1C04 demonsaw 3

4 The State of File Sharing "Know thy self, know thy enemy. A thousand battles, a thousand victories. Sun Tzu, general and author of The Art of War 4

5 A History of File Sharing Internet founded on core principles of file sharing Endpoint connectivity Message/data exchange Abstract underlying protocols (TCP/IP Stack) Protocols FTP, HTTP NTFS, Samba, NFS, DLNA, TOR Applications IRC, IM, Rsync, Chromecast, XBMC (Kodi) Cloud Computing, Dropbox, Streaming Services, YouTube, Usenet, Mega, RapidShare, Pastebin, Demonsaw, Napster, BitTorrent, UV 5

6 File Sharing Under Siege Technology enables people to do amazing things Standard model for doing business has changed It s human nature to fear what we do not understand Over time companies become afraid Fear leads to panic, misjudgment, and mistakes The file sharing wars We ve suffered many casualties Napster, Aaron Swartz, Julian Assange Rapidshare, Grooveshark, Mega(share), Demonoid TPB, torrent trackers Led by MPAA, RIAA, and other evil groups :) 6

7 A Difficult Journey Secure data/message exchange More important now than ever before Illegal eavesdropping programs Governments are denouncing encryption The ignorance of cryptography The voice of the people One of the few remaining technologies that doesn't require a middle-man Corporation-free and threatening to their business models Fair Use is pro-privacy Technology will set us free The file sharing singularity 7

8 The Insecurity of Security Encryption is the defense against the dark arts. Edward Snowden 8

9 The Modern Internet Four States Trust Convenience Control Change The Truth What they don t want us to know Convenience doesn t require trust No need to give up control There s a safer way Convenience Why is it so difficult to make file sharing secure? Trust Change Control 9

10 The Problem with Security Security is like water We need it to survive It should be free Governments regulate it Companies bottle it up and sell it back to us at a premium We can do better ourselves for free Standard models of security require trust Trust is for those who cannot self regulate Trust is not an option for file sharing Standard methods of security are complex Asymmetric crypto is unnecessary Revocation lists are tedious to maintain 10

11 The Problem with File Sharing Historically insecure No need for security Hosted sites means we rely on 3rd parties Direct P2P means our identity is revealed Neither are good Founded on antiquated and dated technology Historically insecure because design/architecture trade offs For security to work, it cannot be a feature. It must be core. Not much has changed in 10+ years Evolution or Complacency? Inadequacy Breeds Innovation VPN s, proxies, Darknet, PeerBlock, Tor 11

12 The Solution How do we make file sharing secure? We need Secure message/data exchange Anonymity without trust Access to private/public content Leverage our personal Internet access Scalability and customization No P2P, no centralization We need to reinvent file sharing A modern approach for a modern generation The future of file sharing 12

13 demonsaw 1.5 Sometimes it takes a revolutionary idea to start a revolution. I believe that information should be free. I believe in the Right to Share. 13

14 Overview Secure, Anonymous, Free, Everywhere Designed to protect our identity and hide our actions Terminology Client Router Server (deprecated in v1.5) Versions (DefCon 23) 14

15 Demo v1.50 v1.12 v

16 File Sharing Networks Client-Server P2P demonsaw C 0 C 5 C 0 C 5 C 0 C 3 C 1 S 1 C 4 C 1 C 4 R 0 R 1 R 2 C 2 C 3 C 2 C 3 C 1 C 2 16

17 Architecture Tenants of Secure File Sharing Authoritative Source Stateless Authentication Layered & Modular Security Distributed Endpoints Standard Protocols Protocols HTTP, JSON, XML Application messages 2 required 11 optional 17

18 Architecture Tenants of Secure File Sharing Authoritative Source Stateless Authentication Layered & Modular Security Distributed Endpoints Standard Protocols Protocols HTTP, JSON, XML Application messages 2 required 11 optional C 0 0x0FF C 2 C 1 0xEFF 18

19 Architecture Tenants of Secure File Sharing Authoritative Source Stateless Authentication Layered & Modular Security Distributed Endpoints Standard Protocols Protocols HTTP, JSON, XML Application messages 2 required 11 optional C 0 R 0 R C 1 19

20 Architecture Tenants of Secure File Sharing Authoritative Source Stateless Authentication Layered & Modular Security Distributed Endpoints Standard Protocols Protocols HTTP, JSON, XML Application messages 2 required 11 optional HTTP XML TCP/IP JSON 20

21 Architecture Tenants of Secure File Sharing Authoritative Source Stateless Authentication Layered & Modular Security Distributed Endpoints Standard Protocols Protocols HTTP, JSON, XML Application messages 2 required 11 optional HTTP XML TCP/IP JSON 21

22 Architecture Tenants of Secure File Sharing Authoritative Source Stateless Authentication Layered & Modular Security Distributed Endpoints Standard Protocols Protocols HTTP, JSON, XML Application messages 2 required 11 optional 22

23 Basic Messages Handshake Everything starts with a handshake Diffie-Hellman shared key Session Id Join Group clients Encrypted token Tunnel Socket connection Real-time callback mechanism Quit Ungroup clients C 0 R 0 C 3 C 1 C 2 23

24 Advanced Messages Search Keywords, filters Group, Browse File/Folder hierarchy navigation Transfer Request file(s) Download, Upload Send/receive raw data Ping, Info Keep alive, router info Chat New in v2.0 C 2 C 0 R 1 R 0 R 2 C 3 C 1 24

25 Network 0xEFF 0x0FF C 0 C 1 C 6 C 7 R 2 R 9 Session Propagation R 6 R 3 R 0 R 1 R 7 R 4 R 8 R 5 C 2 C 3 C 4 C 5 0xEFF 25

26 Security Algorithms AES Diffie-Hellman (key derivation) SHA-384 PBKDF 1/2 Multiple layers of encryption Passphrase Key (c2r, r2r) Session Key (c2r, r2r) Group Key (c2c) Transfer Key (c2r) Social Encryption New security model 26

27 Content Isolation HTTP Session Method ( POST ) Version ( HTTP/1.1 ) Resource ( / ) Header Parameters Message Security Passphrase/Session Key JSON Header Message Data JSON Header Version Nonce Session JSON Message Id Type Action Delay JSON Data Encrypted Blob (Group Key) Security Group Key JSON Objects Raw Data e.g. Search Keyword Filter(s) Data e.g. Transfer Request Id Size Chunk 27

28 Search Request 28

29 Search Response 29

30 demonsaw 2.0 Throughout the course of history technology has been the deciding factor between survival and extinction. Technology will save file sharing too. 30

31 Version 2.0 Everywhere Windows, Linux, OSX, Raspberry Pi, Android GUI, command-line, web server Faster 100% C++11 re-write Stream-lined API Compression Increased Security New crypto algorithms User-defined file/folder HMAC salts Choice of algorithms, key sizes 31

32 Version 2.0 New Features Streaming Session Propagation Auto-sync files/folders Instantaneous downloads, multi-threaded transfers Chat Simplification Single interface (client & router co-exist) No more servers Social Encryption The art of hiding our secrets within the fabric of social interaction Leverage the entropy of the Internet to secure our transmissions 32

33 Summary Digital Self Expression is the process of exercising of our Right to Share. It's evidence of freedom in the Modern Age. 33

34 Next Steps The best is yet to come I need your continued support Suggestions, bug fixes, beta testing One person can make a difference , Twitter demonsaw 2.0 DefCon 23 34

35 Thank you Eijah 35

36