Expression of Interest in development of a new style forum

[da2ce7]

I'm looking for interest in developing the security and crypto model for a new breed of forum.  Using new security research into group signatures as forum membership. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.68.816&rep=rep1&type=pdf

Something like this is how a post will work in the forum concept. (part of a larger picture)


Comments are welcome. Message me on freenode.

Goal: Secure and Forkable Forums for TOR hidden services.  The forum is based upon pgp keys.

Works on the sign (personal) – encrypt (symmetric) – sign (group) concept.

Objectives:
•   New forum system that uses group signatures to verify that a poster is a member without needing to identify the individual poster.  Posters may use a personal private key to sign their posts.  Or not.
•   The system is adaptive so that members can be registered into the group, and revoked.  Upon revoking, the symmetric key will be reset.
•   Different groups have differing privileges.
•   A ‘forum owner’ is the only fixed public key in the system, this is used to set the governing rules,  it is also used to issue out the administrators public group key.
•   Each user of a server gets to have a ‘key folder’ where they can keep an encrypted copy of their forum keys.
•   Key management is completely automated; client side software will automate the key management and verification.  The client only needs to supply her own personal pgp key.
•   Natural web-of-trust development is made through merkle trees; one verifies others messages by posting a message.

Problems:
•   Server is backed up publicly.  Data may be secure initially, but eventually the (shared) secrets will be leaked to the adversary.
•   Many server functions are no longer applicable, as the server has no access to the decrypted post tree.
•   Timing attacks.

notes:
If the server were captured by an adversary, it would contain no data that would require the forum to shut down.  Secondly, the server is blind to its posts.  It has no idea what is being posted.  Hashes of the forum database can be regularly saved by third parties, on a fork; the hashes can be used to check that nobody has tampered with the database.

[Anonymous]

*expresses his interest in using such a forum.

[Nefario]

This would require a client, you couldn't do this with a web based interface directly to the server. If the main issue is to keep the content a secret from the server then all the clients can just use the same AES key to encrypt/decrypt. Actually you could do this with a browser plugin that uses ssl or something(the one build into the broswer would be easiest, although I'm not sure that kind of thing is accessible when writing plugins.
Once the key is nolonger secret all the content will have to be re-encrypted using the new key. Or, you could have constantly changing keys. Say every 12 hours the key is changed, this also encrypts the old key, which would be used to de-crypt the older messages. It removes the problem of a single key being used long term, but once a key is known or becomes publicly available then all the posts made using that key become readable.

We can reduce the danger of too much content becoming available by changing the key every few hours, only only the posts in those few hours are available to decrypt with that key. Every post would be associated with a key so the client would know which key to pick out to de-crypt the post.

The problem then becomes protecting keys instead of a single key. Once an adversary learns the latest key, and say they were a member of the forum then they could get all the keys previously used and de-crypt all past messages. So were back at square one.

We could set it up so that not everyone has all the keys, that they are distributed among the users, and to read a particular message a request gets sent to the user who has that key, and they get the post and decrypt it and send the unencrpted post to the requester. This would ensure that if some keys are compromised only some of the posts would become available.

This would require a custom client and is kind of p2p in nature. So the only reason the server is there is to host the content and nothing else, this would make the server very easy to implement and the client would be more difficult.   

[da2ce7]

This would require a client, you couldn't do this with a web based interface directly to the server. If the main issue is to keep the content a secret from the server then all the clients can just use the same AES key to encrypt/decrypt.

The main reason of th the AES keys is only to keep the content hidden from the server.  For large forums it would be safe to assume that the key would be leaked very quickly.  However I image that there will be many forums, for small forums (say 10 members), it quite feasible that the ASE key will be kept secret for an extended period of time.

The latest AES key will encrypt an archive of the previous key.  Having the latest key will gain one access to the entire history of post within that forum.  When the key is changed, only the new posts are no longer available.

This would require a custom client and is kind of p2p in nature. So the only reason the server is there is to host the content and nothing else, this would make the server very easy to implement and the client would be more difficult.   

The server's role is to check that a member posting is doing what the 'forum owner' declares a member enrolled in that group can do.  For example, a member of a 'user' level group can add new content, however cannot remove other users posts.  A member of the 'moderators' group can remove 'users' posts. A member of a 'admin' group can do virtualy anything to the database.

A plugin to Firefox would be the most natural way to implement this sort of forum, the client software should ask for a private pgp key, that key will be used generate all the other private keys used within the forum.  The server can contain an file that contains a encrypted archive of all the private information generated by each user's client.  This archive is used so that when the user clears her computer history (other than her private pgp key), she can still recover all her forum memberships.

[comboy]

Isn't some plugin like FirePGP enough? (I don't know if there's something like this but actively developed) Standard forum script can be used then.

[Nefario]

Isn't some plugin like FirePGP enough? (I don't know if there's something like this but actively developed) Standard forum script can be used then.

FireGPG is not being developed anymore, it has some of this fuctionality and could be made to do this, it's a good choice to start with at least.

There is no other plugin that can do this.

da2ce7, if your just looking to protect future posting for a period of time then the firefox plugin on a regular forum application would work fine.

[da2ce7]

da2ce7, if your just looking to protect future posting for a period of time then the firefox plugin on a regular forum application would work fine.

I'm trying to do a few things at the same time:

• Forum that uses pgp signatures to verify the author's identity
• Forum where the server can not understand the posts or know who it's users are
• Forum where the server can easily be backed up and forked
• Forum where the server can check you are a member of the forum, without knowing who you are.

The entire system hinges upon the group membership system.  Group membership allows the server to stop spam from non-resisted members, without needing to keep a list of public keys.  When a member misbehaves, the group membership opener can reveal who owns that membership, and expel that user.

The server remains completely indifferent to the content or the members of the forum's it hosts.

Protecting future posting for a period of time is a side effect of the system I'm intending to build.  It may be useful for small groups, however in larger groups it is largely irrelevant. (somebody is going to leak the key one way or another).

[Nefario]

da2ce7, if your just looking to protect future posting for a period of time then the firefox plugin on a regular forum application would work fine.

I'm trying to do a few things at the same time:

• Forum that uses pgp signatures to verify the author's identity
• Forum where the server can not understand the posts or know who it's users are
• Forum where the server can easily be backed up and forked
• Forum where the server can check you are a member of the forum, without knowing who you are.

The entire system hinges upon the group membership system.  Group membership allows the server to stop spam from non-resisted members, without needing to keep a list of public keys.  When a member misbehaves, the group membership opener can reveal who owns that membership, and expel that user.

The server remains completely indifferent to the content or the members of the forum's it hosts.

Protecting future posting for a period of time is a side effect of the system I'm intending to build.  It may be useful for small groups, however in larger groups it is largely irrelevant. (somebody is going to leak the key one way or another).

Yes you can probably do most of this with a forked version of gpgfire and any decent forum server application.

[Anonymous]

http://osiris.kodeware.net/

Something like that?

[da2ce7]

http://osiris.kodeware.net/

Something like that?

I was having a look at that, looks 'ok' project.  However a fully distributed system (such as freenet), involves lots of protocol issues that I'm wanting to avoid.  I'm trying to design a forum system that will work on the normal internet, TOR, or even on top of freenet.  However just getting it to work on the normal internet is a big enough challenge.

A centralised system can be much faster than and distributed system, (avoids all the distribution issues).  In the long run, there isn't any real reason why the system I have designed cannot be placed on a distributed layer.  Just at this point I want to get it working in the first place.

Read up on group certificates.   This system is the only system that allows you to use your real pgp for signing on the forum level, however the server has no idea who made the each post (other the poster is a valid member of the forum) and is resistant to spam and malicious users. 

[Anonymous]

It sounds vaguely familiar .......