Publius (publishing system)

Publius is a web protocol developed by Lorrie Cranor, Avi Rubin and Marc Waldman that gives individuals the ability to publish information on the web anonymously and with a high guarantee that their publications will not be censored or modified by a third party.

Design goals

The nine design goals of the Publius development team are:

Overview

The Publius web system consists of the following agents:

The Publius system relies on a static list of m web servers. When a publisher wishes to add a contents M to the web, it first encrypts M using some random symmetric key K. Then K is split into n shares (parts) where at least k<n shares are required for the reconstruction of K (see also Secret sharing). A subset of the m servers receives another share of K and the encryption result of M using the key K, E(M,K).
When a retriever wishes to obtain the original contents M, it follows a generated URL which corresponds to the contents M combined with the portion of K as it appears on a subset of servers from the list. Gathering k different shares and a copy of E(M,K) allows the retriever to reconstruct the key K out of the shares and decrypt E(M,K) back into M. Modification or removal of the server hosted contents can be issued only by the original publishers using a combination of password and the hosting server domain name.

At present, Publius supports the hosting of HTML pages, images and other file formats such as PDFs and PostScripts.

Operations

The Publius protocol allows the following operations:

When a publisher wishes to add a web contents in the Publius web, its Publius client software (Publius Client Proxy) executes the following steps:

  1. Random symmetric key K is generated.
  2. The original content M is encrypted under Symmetric-key algorithm with the key K. Resulting with the encryption E(M,K).
  3. K is split into n shares using Shamir's Secret Sharing method in such that at least k<n shares are required for the reconstruction of K under the method of interpolation.
  4. For each of the n shares, the following computation takes place: where is the concatenation result of the original contents M with the key share ; H is the MD5 cryptographic hash function and wrap is the bitwise xor result of the two halves of the string which returned by H.
  5. The hosting servers are chosen out of the servers list; the chosen locations in the servers list are determined by in order to obtain n values in the range [1,m]. If less than k unique locations were found, this step is repeated till unique locations are found.
  6. In each server which appears in the servers list at a directory named is created containing the encrypted contents , the chosen server's share of key K (namely, ) and additional information(a password file containing the MD5 hash value of the chosen server domain name concatenated with a user chosen password used for authentication when a publisher wishes to update or remove its contents from the server).
  7. A unique Publius URL is constructed by concatenation of the d different identifiers of the servers containing the encrypted contents M and a key share of K.


Diagram describing the selection of servers out of the servers list to hold encrypted contents under hashed directory names.

After the publish operation is done, each chosen server at location at the servers list holds the following files under a directory named :

When a retriever wishes to browse for a web contents in the Publius web, its Publius client software (Publius Client Proxy)executes the following steps:

  1. The URL is parsed back into 8 bytes units (which are the units which were concatenated during the publish process).
  2. For each unit parsed out of the Publius URL, the hosting server is located from the servers list by computing which indicates on the server's location in the list.
  3. k servers are chosen arbitrarily out of the located servers in order to reconstruct the key K using an interpolation over the retrieved k shares, one from each chosen server.
  4. Among those k chosen servers, one is chosen for retrieving the encrypted contents E(M,K). This is issued using an HTTP GET request to the server for a file named file stored in the server directory named .
  5. The k shares of the key K are fetched in a similar way, known to be located in a server file named share under the directory.
  6. The original message is decrypted from E(M,K) using the reconstructed key K.
  7. The retriever then verifies that the contents M wasn't modified nor did the key share by recomputing and comparing it with the corresponding chunk which was parsed from the Publius URL.
    1. If a mismatch was found, another set of k servers can be tried, or maybe the contents should have been downloaded from another server.
    2. If verified successfully, the original contents M can be viewed by the web browser.

The delete operation is implemented by invoking a CGI script running over the servers. To each server the hash result of (namely, the MD5 hash result for the concatenation of the server domain name with the publisher's password) is sent along with the corresponding string and compared with the one already stored in the password file under the directory ; if there is a match, the file file is removed from that directory.

The update operation similarly uses the hashed concatenation of the server domain name with publisher's password in order to authenticate the original ownership of the hosted contents. Under this operation, the update itself is done by adding additional update file under the which contains the new Publius URL matching for the updated contents (recall that the Publius URL is tied with the published contents and the share of the encryption key and is verified against the contents when retrieved). In fact, the update operation is equivalent to the publish operation with the addition of adding the update file to the old directory for redirecting future retrieve request to the new URL. When a retrieve operation will be issued for the old URL, the Publius proxy client will be redirected to fetch the new URL, the same will be done with the rest of the k-1 chosen servers; if the k resulting URLs do not match, then another set of k servers will be chosen for retrieval.

Publius URLs

Encrypted web contents in the Publius protocol are traceable by their Publius URLs. Those have the following format:

Where is the concatenation of the hash results of the original contents combined with some key share, as were described for the publish operation in the previous section. The options section of the URL is 16 bits represented by a two characters ASCII string, containing:

Security analysis

This article is issued from Wikipedia - version of the 10/3/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.