Thursday, September 22, 2016

An Internet We Can Agree On: Secured DNS through Bitcoin


The Internet is peculiar place. People will tell you that it is the first thing of value truly owned by everybody and nobody collectively. This could not be farther from the truth. We do not own the Internet because we do not own the means of coordination. 

While the internet is ostensibly a swarm of nameless CPUs with network interfaces, playing IP address roulette is outside the scope of anybody's time. We rely on DNS, which means that we rely on the goodwill of the government of the United States to continue to run ICANN in a non-hostile manner. This trust has been violated numerous times; website domain names have been seized and the sites redirected to this image:



Furthermore, the security of server public key distribution has become a joke that stopped being funny a long time ago. When you visit a website, you're given a chain of certificates. Each certificate proves that an entity trusts the site, and the end of the chain is somebody that you trust absolutely. The problem with this absolute trust is that it is violated quite regularly. Legal pressures and financial incentives have made these authorities give out duplicate certificates in the past such that impersonation becomes practical. We can only expect more and more such demands. [ https://www.schneier.com/academic/archives/2000/01/ten_risks_of_pki_wha.html ] 

If the bedrock of the HTTP-driven Internet is not safe from bad actors, then the entire system is compromised. Most of the major sites you visit have had attacks attempted on them at one time or another in this vein. It's only a matter of time before warrantless SSL-wiretaps become a thing, potentially with malware on the other side of that transmission. 

Namecoin wants to put the DNS and CA system into the hands of the Internet itself by storing the state on an alternate blockchain that manages to borrow the work of Bitcoin mining without sacrificing security.

Threat Model


The threat model of Namecoin is very much like the threat model of Bitcoin, with a few specific differences. The network will be eventually consistent with a linear ordering, where state changes become cryptographically intractable to alter after their blocks have become farther back in the blockchain. Due to the use of Namecoin for identity manipulation, there are extra attacks to worry about. 

If an attacker sees you trying to put a block into the network that registers "myMillionDollarName," then they could decide that they want this name instead. They might want to sell it back to you at a high price. Namecoin solves this by separating the registration process into two steps. At first, the user inserts a block into the network that contains only the hash of the name that you want. After this hash is in a block at least 12 blocks away from the newest mined block, namecoin will allow you to submit a "first update" transaction that exposes the actual name and information. Future updates can be made to change where the address points, and to renew it before it expires. 

What if an attacker wants to register all alphanumeric names, and become the new ICANN by selling them to you at a steep premium and under a strict contract. This becomes very difficult. An attacker must spend money on the registration transaction fee, but must also spend money on a registration fee when they send their first "block registration" block. This registration fee is destroyed, it cannot be somehow revived and reused by anybody. There are no registration fees for renewals or updates, but a transaction fee does apply. You have to renew or update a name every 35,999 blocks at the latest (between 200 and 250 days), otherwise it expires. This makes holding on to a lot of domains expensive.

On the other hand, Namecoin offers no protection against squatting. A squatter can register "google" and demand a ransom when Google decides to get a namecoin address. There's not much one can do here without requiring out-of-bound validation, which some would consider an attack on the network itself.

Architecture


Namecoin is currently a naming system with two namespaces. One of them is for the identities of people, while the other is for the identities of software systems. 

Identities for people consist of a mapping between usernames and contact information for that identity. The GPG fingerprint can be included in this chain to act as a key registry for email transmission, though the actual keys are not stored to conserve space. 

Domain names are really a key-value store between a string key and a set of attributes that allows someone to interact with the computer behind the domain. This is exactly how Namecoin works. The value is a lot more rich than DNS currently allows. It can register a user, an ip address, an ipv6 address, a Tor hidden service address, an i2p address, a Freenet address, an owner email address, geographic locations for the hosting, a DNS nameserver to forward the lookup to, a key-value store for the locations of subdomains, a fingerprint of a TLS certificate, and a set of round-robin IP addresses to route to for load balancing. These are not disjoint choices, most of these can be placed in the same Namecoin value body and the user can choose how to use the information. 

Actual interaction works currently by having the local Namecoin client act as a DNS server and as a CA authority. It will expose these to the machine, while pulling the necessary data from the blockchain.

TLS works fairly simply, where the name points to a TLS certificate fingerprint. The website on the other end of the network socket will serve up the certificate as part of the handshake, and it can be validated against the blockchain rather than against your government's database. 


Merged Mining


The strength of any blockchain-based technology depends entirely on the number of users the network has. When a blockchain has too few good users, it becomes cheap for an attacker to coordinate enough resources to rewrite history by altering previous blocks and outracing the rest of the network. If Namecoin had used a separate mining population for it's separate blockchain, it would have ran up against these problems. 

The solution is called merged mining. The size of a block and the difficulty of mining the block are a heuristic tradeoff between history immutability and throughput. Let's say that currently a powerful attacker can rewrite history quickly enough to change the last 3 blocks. If it tried the last four, it wouldn't be able to catch up before the network started making more blocks and made it intractable for the attacker. If the block size got larger or the work got easier, then an attacker could reverse more transactions. 

However, merged mining allows Namecoin to securely get the Bitcoin mining population to mine two blocks at once by making them heterogeneous. Rewriting one bitcoin block allows an attacker to rewrite one Namecoin block. Since the difficulty rates for information are similar as before, Namecoin can trust blocks that are old enough in the Bitcoin blockchain.

Whenever Namecoin has enough transactions to mine a block, it will insert the hash into a field of a bitcoin transaction that does not invalidate the transaction, and will have this transaction mined for a standard transaction fee. When this block is mined, the Bitcoin blockchain contains proof-of-work for the Namecoin block. The Namecoin blockchain will now insert this Bitcoin block into the Namecoin blockchain, dropping everything in the Merkle tree not necessary to validate the single mined transaction (to keep the Namecoin blockchain small). This serves as a proof-of-work for Namecoin.


Applicability of the Namecoin Blockchain for Other Applications


Namecoin offers features that may be attractive for other applications. Management of server and person identities is paramount in many computer systems. The promise of a simple, global, shared, auditable user identity system is attractive for many reasons. Namecoin requires a minor fee to register an account, making spamming or denial of service financially unreasonable for an attacker. In fact, we see nameID (openID provider) and bitMessage (chat) use Namecoin for just these purposes.

When thinking of storing more complex information in the blockchain, one must be weary. Namecoin has some performance problems which arise from the nature of blockchain consistency. Each record is limited to 520 bytes, which may not be enough for systems which want to store complex information. Likewise, it is neither low-latency nor free. A block is mined every 10 minutes, and requires a Namecoin transaction fee to be paid to miners. It isn't reasonable to use it as a distributed file system, and will not become a global SQL database any time soon. 

But there really isn't a problem with this. If you're trying to store all of the state of your application in the blockchain, you're doing something wrong. Namecoin is an example of a more general usage of blockchains which offers a lot of promise. Consider an RSS feed of weather monitor updates. Every time it wants to update the reading, it places this data in a data structure that is replicated via a DHT or over the Bittorrent network. Now you can store torrent hashes in Namecoin, or you can place torrent hashes in a data structure in the network, and you can put that hash in the network. 

Like most things in Computer Science, many problems with using blockchains as a component of a larger system can be solved with another level of indirection. 


Resources


https://nameid.org/
https://bitmessage.org/wiki/Main_Page
https://github.com/namecoin/namecoin-legacy/blob/namecoinq/DESIGN-namecoin.md
https://wiki.namecoin.org/index.php?title=Identity
https://wiki.namecoin.org/index.php?title=Domain_Name_Specification

No comments:

Post a Comment