File Sharing
Without Consequences
Eijah
Who Am I?
• Eijah
• Voodoo Vision
• AA856A1BA814AB99FFDEBA6AEFBE1C04
• demonsaw
“Know thy self, know thy enemy. A thousand battles, a thousand victories.”
–Sun Tzu, general and author of The Art of War
The State of File Sharing
A History of File Sharing
• Internet founded on core principles of file sharing
• Endpoint connectivity
• Message/data exchange
• Abstract underlying protocols (TCP/IP Stack)
• Protocols
• FTP, HTTP
• NTFS, Samba, NFS, DLNA, TOR
• Applications
• IRC, IM, Rsync, Chromecast, XBMC (Kodi)
• Cloud Computing, Dropbox, Streaming Services, YouTube, Usenet, Mega, RapidShare, Pastebin, Demonsaw, Napster, BitTorrent, UV
File Sharing Under Siege
• Technology enables people to do amazing things
• Standard model for doing business has changed
• It’s human nature to fear what we do not understand
• Over time companies become afraid
• Fear leads to panic, misjudgment, and mistakes
• The file sharing wars
• We’ve suffered many casualties
• Napster, Aaron Swartz, Julian Assange
• Rapidshare, Grooveshark, Mega(share), Demonoid
• TPB, torrent trackers
• Led by MPAA, RIAA, and other evil groups :)
A Difficult Journey
• Secure data/message exchange
• More important now than ever before
• Illegal eavesdropping programs
• Governments are denouncing encryption
• The ignorance of cryptography
• The voice of the people
• One of the few remaining technologies that doesn't require a middle-man
• Corporation-free and threatening to their business models
• Fair Use is pro-privacy
• Technology will set us free
• The file sharing singularity
“Encryption is the defense against the dark arts.”
–Edward Snowden
The Insecurity of Security
The Modern Internet
• Four States
• Trust
• Convenience
• Control
• Change
• The Truth
• What they don’t want us to know
• Convenience doesn’t require trust
• No need to give up control
• There’s a safer way
• Why is it so difficult to make file sharing secure?
The Problem with Security
• Security is like water…
• We need it to survive
• It should be free
• Governments regulate it
• Companies bottle it up and sell it back to us at a premium
• We can do better ourselves for free
• Standard models of security require trust
• Trust is for those who cannot self regulate
• Trust is not an option for file sharing
• Standard methods of security are complex
• Asymmetric crypto is unnecessary
• Revocation lists are tedious to maintain
The Problem with File Sharing
• Historically insecure
• No need for security
• Hosted sites mean we rely on 3rd parties
• Direct P2P means our identity is revealed
• Neither is good
• Founded on antiquated and dated technology
• Historically insecure because of design/architecture trade-offs
• For security to work, it cannot be a feature. It must be core.
• Not much has changed in 10+ years
• Evolution or Complacency?
• Inadequacy Breeds Innovation
• VPNs, proxies, Darknet, PeerBlock, Tor
The Solution
• How do we make file sharing secure?
• We need…
• Secure message/data exchange
• Anonymity without trust
• Access to private/public content
• Leverage our personal Internet access
• Scalability and customization
• No P2P, no centralization
• We need to reinvent file sharing
• A modern approach for a modern generation
• The future of file sharing
“Sometimes it takes a revolutionary idea to start a revolution. I believe that information should be free. I believe in the Right to Share.”
demonsaw 1.5
Overview
• Secure, Anonymous, Free, Everywhere
• Designed to protect our identity and hide our actions
• Terminology
• Client
• Router
• Server (deprecated in v1.5)
• Versions
• 1.12
• 1.5
• 2.0 (DefCon 23)
Demo
v1.12
v1.50
File Sharing Networks
• Topologies compared (diagram): Client-Server, P2P, demonsaw
Architecture
• Tenets of Secure File Sharing
• Authoritative Source
• Stateless Authentication
• Layered & Modular Security
• Distributed Endpoints
• Standard Protocols
• Protocols
• HTTP, JSON, XML
• Application messages
• 2 required
• 11 optional
Basic Messages
• Handshake
• Everything starts with a handshake
• Diffie-Hellman shared key
• Session Id
• Join
• Group clients
• Encrypted token
• Tunnel
• Socket connection
• Real-time callback mechanism
• Quit
• Ungroup clients
Advanced Messages
• Search
• Keywords, filters
• Group, Browse
• File/Folder hierarchy navigation
• Transfer
• Request file(s)
• Download, Upload
• Send/receive raw data
• Ping, Info
• Keep alive, router info
• Chat
• New in v2.0
Network
Session Propagation
Security
• Algorithms
• AES
• Diffie-Hellman (key derivation)
• SHA-384
• PBKDF 1/2
• Multiple layers of encryption
• Passphrase Key (c2r, r2r)
• Session Key (c2r, r2r)
• Group Key (c2c)
• Transfer Key (c2r)
• Social Encryption
• New security model
Content Isolation
HTTP
Message
Data
· Session
· Method (‘POST’)
· Version (‘HTTP/1.1’)
· Resource (‘/’)
· Header Parameters
Security
· Passphrase/Session Key
JSON
· Header
· Message
· Data
JSON Header
· Version
· Nonce
· Session
JSON Message
· Id
· Type
· Action
· Delay
JSON Data
· Encrypted Blob (Group Key)
Security
· Group Key
JSON
· Objects
· Raw Data
e.g. Search
· Keyword
· Filter(s)
· Keyword
· Filter(s)
e.g. Transfer Request
· Id
· Size
· Chunk
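Added example, not code from the talk or from demonsaw: a sketch of the content isolation layering above, where the router removes the session-key layer and reads the message fields while the data blob stays sealed under the group key. Assumptions: the function and field names, the SHA-384 counter-mode stand-in cipher used in place of AES so the block runs on the standard library, the HMAC tag, and the way both keys are produced.

```python
import hashlib, hmac, json, os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (SHA-384 in counter mode) so this runs on the stdlib; not AES.
    out = bytearray()
    for off in range(0, len(data), 48):
        pad = hashlib.sha384(key + nonce + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 48], pad))
    return bytes(out)

def _subkeys(key: bytes):
    # Derive separate encryption and MAC keys from one layer key.
    return (hmac.new(key, b"enc", hashlib.sha384).digest(),
            hmac.new(key, b"mac", hashlib.sha384).digest())

def seal(key: bytes, obj) -> dict:
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    blob = _xor_stream(enc, nonce, json.dumps(obj).encode())
    tag = hmac.new(mac, nonce + blob, hashlib.sha384).hexdigest()
    return {"nonce": nonce.hex(), "blob": blob.hex(), "tag": tag}

def unseal(key: bytes, box: dict):
    enc, mac = _subkeys(key)
    nonce, blob = bytes.fromhex(box["nonce"]), bytes.fromhex(box["blob"])
    want = hmac.new(mac, nonce + blob, hashlib.sha384).hexdigest()
    if not hmac.compare_digest(want, box["tag"]):
        raise ValueError("wrong key or modified blob")
    return json.loads(_xor_stream(enc, nonce, blob))

def client_send(session_key: bytes, group_key: bytes, msg_id: str, search: dict) -> dict:
    body = {
        "header": {"version": 1},
        "message": {"id": msg_id, "type": "search", "action": "request"},
        "data": seal(group_key, search),   # inner layer: group key (c2c)
    }
    return seal(session_key, body)         # outer layer: session key (c2r)

def router_receive(session_key: bytes, wire: dict) -> dict:
    # The router removes only the outer layer; body["data"] stays sealed.
    return unseal(session_key, wire)

# Constructed sample keys (assumptions, not demonsaw's real parameters).
SESSION_KEY = os.urandom(32)  # stands in for the Diffie-Hellman handshake result
GROUP_KEY = hashlib.pbkdf2_hmac("sha384", b"constructed group secret",
                                b"constructed-salt", 100_000, 32)

if __name__ == "__main__":
    wire = client_send(SESSION_KEY, GROUP_KEY, "1", {"keyword": "example", "filters": ["audio"]})
    routed = router_receive(SESSION_KEY, wire)
    print("router sees:", routed["message"], "| data fields:", sorted(routed["data"]))
    print("group peer sees:", unseal(GROUP_KEY, routed["data"]))
```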
Search Request
Search Response
“Throughout the course of history technology has been the deciding factor between survival and extinction. Technology will save file sharing too.”
demonsaw 2.0
Version 2.0
• Everywhere
• Windows, Linux, OSX, Raspberry Pi, Android
• GUI, command-line, web server
• Faster
• 100% C++11 re-write
• Streamlined API
• Compression
• Increased Security
• New crypto algorithms
• User-defined file/folder HMAC salts
• Choice of algorithms, key sizes
Version 2.0
• New Features
• Streaming
• Session Propagation
• Auto-sync files/folders
• Instantaneous downloads, multi-threaded transfers
• Chat
• Simplification
• Single interface (client & router co-exist)
• No more servers
• Social Encryption
• The art of hiding our secrets within the fabric of social interaction
• Leverage the entropy of the Internet to secure our transmissions
“Digital Self Expression is the process of exercising our Right to Share. It's evidence of freedom in the Modern Age.”
Summary
Next Steps
• The best is yet to come
• I need your continued support
• Suggestions, bug fixes, beta testing
• One person can make a difference
• Email, Twitter
• demonsaw 2.0
• DefCon 23