Private authentication and identity management with the GNU Name System

DASEIN solves problems of secure addressing and identification of devices or individuals, with the help of the free and privacy-friendly GNU Name System.

Factsheet

  • Lead school(s) School of Engineering and Computer Science
  • Institute Research Institute for the Security in the Information Society RISIS
  • Duration (planned) 01.01.2018 - 31.08.2018
  • Project management Christian Grothoff
  • Head of project Christian Grothoff
  • Project staff Annett Laube, Pascal Manini, Emmanuel Benoist
  • Partner Pretty Easy Privacy AG, Martin Schanzenbach, GNUnet, Fraunhofer AISEC
  • Keywords PIK, DNS, FIDO, X.509, GNS, GDPR, e-health, IoT

Initial situation

How do we communicate securely with each other and with our devices? Communication needs addresses, and secure encryption needs cryptographic keys. But keeping both of these secure and privacy-friendly is not so easy.

Today’s landscape for identifying network services and subscribers is fragmented and not conducive to data protection. The ageing Domain Name System (DNS) is expensive, subject to total surveillance, overburdened by complexity, and not suitable for addressing humans. X.509 can hardly be used by individuals, and network services are often issued false certificates by inadequately secured certification authorities. Even OpenPGP is still only deployed by a minority due to usability problems. The use of Google, Twitter or Facebook accounts as a stopgap only worsens the surveillance issue and so is not permitted for sensitive areas of application.

Goals

Our goal is to establish a usable, secure, privacy-friendly and provider-independent infrastructure for name resolution. Name resolution is the process by which addresses and key material can be inferred from names. This infrastructure then lets us solve a number of problems, from exchanging health data between patients, doctors, researchers, industry and insurance companies to identifying IoT devices. Classic applications such as DNS and X.509 can also be replaced by our more secure and privacy-friendly technology. Backward compatibility with DNS allows users to adopt the new methods without retraining.

Procedure

The GNU Name System stores domain data in a Distributed Hash Table (DHT) in an encrypted and signed form. Each user and each device controls a private zone with domain data (see illustration). For read access to the unencrypted data, the reader needs the public zone key and a label (e.g. a password). Since the data is encrypted, the DHT itself does not learn the stored content. The DHT is not even able to correlate entries with specific zones. Data can thus be exchanged asynchronously, even where the very existence of the entries must remain private, as is often desirable, for example in cases of illness.
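To make the publish-and-resolve flow described above concrete, here is a small Go model of it. This is an added example, not code from the DASEIN project or from GNUnet, and it uses only Go's standard library. The key derivation (an HMAC of the label keyed with the zone's public key), AES-GCM for the record encryption and an in-memory map standing in for the DHT are assumptions of this model, not the constructions GNS itself specifies. One further simplification: the block is signed directly with the zone key, so only a reader who already knows the zone can verify it, whereas GNS derives a per-label signing key so that DHT peers can verify blocks without learning which zone they belong to.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Block is all the DHT stores: nonce, ciphertext and signature. It carries
// no zone identifier and no plaintext label.
type Block struct{ Nonce, Ciphertext, Sig []byte }

type DHT map[string]Block // stand-in for the distributed hash table: hex query key -> block

// derive maps (zone public key, label, purpose) to 32 bytes. Hypothetical
// HMAC construction, not the derivation GNS specifies: anyone holding the
// zone key and the label can recompute it, the DHT cannot invert it.
func derive(zonePub ed25519.PublicKey, label, purpose string) []byte {
	h := hmac.New(sha256.New, zonePub)
	h.Write([]byte(purpose + "|" + label))
	return h.Sum(nil)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	c, err := aes.NewCipher(key) // 32-byte key -> AES-256-GCM
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(c)
}

// signedBytes is the message the zone owner signs: nonce || ciphertext.
func signedBytes(nonce, ct []byte) []byte {
	return append(append(make([]byte, 0, len(nonce)+len(ct)), nonce...), ct...)
}

// Publish encrypts one record under (zone, label), signs it with the zone
// key and stores it in the DHT under the derived query key.
func Publish(dht DHT, zone ed25519.PrivateKey, label string, record []byte) error {
	zonePub := zone.Public().(ed25519.PublicKey)
	query := derive(zonePub, label, "query")
	aead, err := newAEAD(derive(zonePub, label, "content"))
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// The query key is associated data, so a block copied to another slot fails.
	ct := aead.Seal(nil, nonce, record, query)
	sig := ed25519.Sign(zone, signedBytes(nonce, ct))
	dht[hex.EncodeToString(query)] = Block{nonce, ct, sig}
	return nil
}

// Resolve is the reader's side: it needs only the zone's public key and the label.
func Resolve(dht DHT, zonePub ed25519.PublicKey, label string) ([]byte, error) {
	query := derive(zonePub, label, "query")
	blk, ok := dht[hex.EncodeToString(query)]
	if !ok {
		return nil, errors.New("no block under this query key")
	}
	if !ed25519.Verify(zonePub, signedBytes(blk.Nonce, blk.Ciphertext), blk.Sig) {
		return nil, errors.New("signature does not verify for this zone")
	}
	aead, err := newAEAD(derive(zonePub, label, "content"))
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, blk.Nonce, blk.Ciphertext, query)
}

func main() {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	dht := DHT{}
	// Constructed sample record; 203.0.113.0/24 is a documentation address range.
	_ = Publish(dht, alicePriv, "doctor", []byte("A 203.0.113.5"))
	for q, b := range dht { // the DHT operator's view: opaque key, opaque blob
		fmt.Printf("slot %s... holds %d opaque bytes\n", q[:16], len(b.Ciphertext))
	}
	rec, err := Resolve(dht, alicePub, "doctor")
	fmt.Printf("zone key + label: %q (err=%v)\n", rec, err)
	_, err = Resolve(dht, alicePub, "nurse")
	fmt.Println("wrong label:", err)
	for q, b := range dht { // flip one ciphertext byte: the signature check rejects it
		b.Ciphertext[0] ^= 0xff
		dht[q] = b
	}
	_, err = Resolve(dht, alicePub, "doctor")
	fmt.Println("tampered block:", err)
}
```

Running it with `go run` shows the three properties the paragraph claims: the map holds only a 32-byte hash and a ciphertext, so the DHT learns neither the content nor the zone; a reader with the zone key and the label recovers the record; and a reader with the right zone key but a different label lands on an empty slot, which is why the DHT cannot even tell whether a given zone has entries at all.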

[Illustration: reclaim]

Solution

DASEIN has developed various applications based on the GNU Name System (GNS) and tested them for performance and usability. We have developed prototypes of applications in the area of eHealth (see diagrams) and the Internet of Things (IoT), and have also demonstrated that the GNS is compatible with existing protocols such as OpenID Connect and DNS and is thus a more privacy-friendly alternative for applications that use these protocols. Our solution is scalable to millions of users with costs per user per year in the cent range. We advise industry partners seeking privacy-friendly solutions for identity management and IoT in matters of systems architecture and implementation.