Embed Size (px)
Citation preview
Privacy by Default.White Paper
p≡p foundation council2016–07–18 (v1.0.5)
Contact: mailto:[email protected]: https://pep.foundation2
1OpenPGP fingerprint: EC55 39C8 FECF 7C4F 324B F027 A9DE 30FC 56BB B5552Or using CAcert certificate cf. URL https://cacert.pep.foundation
Document versions
• v1.0.5 (2016-07-18): Update modules graphics (pEp for iOS; no Inboxcube patch)
• v1.0.4 (2016-07-02): Change OpenPGP fingerprint in the title page
• v1.0.3 (2016-03-03): Rename “Conceptual White Paper” in “White Paper”
• v1.0.2 (2016-03-02): One typographical fix
• v1.0.1 (2016-02-29): Stylistic changes and typographical fixes
• v1.0 (2016-02-29): First public version
• v0.6 (2016-02-29): Draft version
• v0.5 (2016-02-28): Second revised early draft
• v0.4 (2016-02-21): First early draft
1
Contents
1 Introduction and Motivation 3
2 p≡p at a glance: privacy without compromise 5
3 Design principles 73.1 Ease of use: hassle-free installation, automatic configuration and integration 73.2 Understandability: traffic lights semantics / Privacy Status . . . . . . . . . . 73.3 Interoperability: convergence of messaging systems . . . . . . . . . . . . . 83.4 Cross-platform support: free choice of platforms . . . . . . . . . . . . . . . 83.5 100% peer-to-peer: no central providers . . . . . . . . . . . . . . . . . . . . 9
4 Cryptography being used and communication strategy 10
5 Architectural aspects: p≡p engine and adapters 11
2
1 Introduction and Motivation
The Right to Privacy and the Rightto Freedom of Information are partof the inalienable Human Rights.
These rights are listed in Article 12 andArticle 19 of the Universal Declarationof Human Rights based on Resolution217 A (III) of the UN General Assem-bly as Objects of Legal Protection.
In a time when Chartered Rights arebeing more and more threatened, mea-sures have to be taken into our ownhands in order to protect and preservethem. Especially because of the Inter-net the circumstances for a majorityof people have changed completely,and unfortunately not for the better.
Taking a deep breath, we must real-ize that the entrance of humanity intodigital age is accompanied by all of uscontinuously losing more and more ofour privacy rights, which we believeare paramount for citizens, families,enterprises, public offices, lawyers,NGOs, journalists and political activistsfor being able not just to feel, but alsoto act and interact freely – withoutany fears of becoming discriminatedor suppressed based on past behav-iors, opinions expressed or the socialcommunication network an actor is in.
Today, any individual or collective ac-tor engaged in any digital activity, mustassume not only to be just constantlymonitored, but having its behavior auto-matically analyzed by text and data min-ing or other technologies of machinelearning3 – leading for literally everyonebeing scored and categorized. This gen-erally happens without the actors’ con-sent and without a clear consciousness
of the whereabouts of all the personal,collective or corporate data involved.
In the future, mass deployment ofInternet of Things (IoT) technologies isexpected, meaning that many of theobjects we know today – may that beimplants in our bodies, (parts of) ourclothes, all kind of sensor systems inour homes, streets or organizations– will get “on-line” and “talk” to eachother. Such developments have thepotential to completely eradicate thenotion of privacy. This puts in dan-ger an open and democratic society.
All that said, it’s vital to act now andin the most effective way possible:p≡p stands for pretty Easy privacy(abbreviated as p≡p) – the “E” or“≡” to be emphasized, but withoutcompromise in privacy. We want theInternet to become a secure place,where people and organizations gainback their constitutional rights tocommunicate in private by default.
We start our mission by radically easingthe use of well-known and establishedend-to-end cryptographic tools for al-ready existing and widely used writtendigital communication channels (likee-mail, SMS or chat), without forcingusers to adhere to new communica-tions channels and by providing thenecessary tools for gluing alreadyexisting – but not easy to use – compo-nents together and helping businessesto spread p≡p and the technologiesit employs as industry standards.
However, considering the differentuse cases the Internet has today (e. g.it’s also used for voice calls or to carry
3Sometimes also just called “big data” technologies involving (complex) algorithmic methods.
3
out payments), we don’t want p≡p tobe seen as forever bound and endingin “just” securing written digital com-
munciations: at least, we let that bethe beginning of our efforts to help tosecure the Internet and its users.
4
2 p≡p at a glance: privacy without compromise
What is p≡p?
p≡p motivates a new standard tosecurely encrypt and verify writtencommunications, without reinvent-ing the wheel. p≡p, by design, easessecure communications relying onwell-established end-to-end cryp-tographic methods (following stan-dards like OpenPGP or OTR) by in-tegrating into existing systems forwritten digital communications andautomating key management tasks.
Ultimately, p≡p wants to changethe default in written digital com-munications: from unencrypted,unverified and unanonymized to en-crypted, verifiable and anonymized.4
p≡p restores security and privacywithout requiring user interaction forits basic operation and never puttingcommunications’ security over theability to communicate: thus, if nosecure communication channel be-tween two peers can be established,the text message is sent unencrypted(cf. 4 for some more details) ratherthan hassling the users involved.
Whenever two p≡p peers establisheda technically secure communicationchannel, they can add human trust to itby verifying each other’s digital identityby comparing Trustwords (cf. 3.2 forsome more details): like that two peerscan increase confidence they are reallycommunicating with each other andno Man-In-The-Middle (MITM) attackis taking place. No trust will be putinto key servers or centralized trustinfrastructures (like commercial cer-
tificate authorities) by default, eventhough p≡p (for compatibility reasonsand integration purposes) supportsS/MIME (e. g. used in organizationsfor e-mail encryption). However, de-fault p≡p installations shall not beexpected to support non-end-to-endapproaches of cryptography: for p≡pcentralized cryptographic approachesprovide weak cryptography only andare considered an unreliable communi-cation type in terms of our approachof privacy without compromise.
To achieve the goal of spread, froman organizational point of view, the p≡pproject founders set up two differenttypes of entities, distinguished by sep-arated legal entities in two differentEuropean countries:
• p≡p foundation, a non-profit organiza-tion established as foundation underSwiss law holding the trademarks onp≡p and the copyrights of the p≡pengine and the p≡p adapters for dif-ferent programming languages anddevelopment environments. It is sup-porting Free and Open Source Soft-ware Projects (FOSS) to integratep≡p.
• p≡p security, a enterprise incorpo-rated in Switzerland and Luxem-bourg and licensed by p≡p founda-tion to spread p≡p software to bothBusiness-to-Business (B2B) andBusiness-To-Consumer (B2C) mar-kets by creating, distributing and pro-viding support for add-ons, plug-insand apps enabling users and organiza-tions to use p≡p technology.5
4For anonymization, GNUnet message transport is considered, cf. https://www.gnunet.org.5Cf. https://www.prettyeasyprivacy.com/
5
All software published by p≡p foun-dation will be and forever remainfreely available for the general pub-lic under the GNU General Public Li-cense version 3 (GPLv3) or any laterversion. All software will be subjectto an independent code review forany release, disclosing the full tech-nical report. As part of its its modelof security by design providing themost trust possible, p≡p foundationwill make sure that all licensed p≡psoftware gets code-reviewed by in-
dependent entities for each publicrelease. By all of these measures wedo our best effort to make sure p≡psoftware is and stays backdoor-freeeven if it’s distributed by third party.
p≡p software will be cryptographicallysigned and provided with detailed buildinstructions and a fully documentedbuild chain for each platform involved,to make transparent how deterministicbuilds6 can be created from source.
6Cf. https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise
6
3 Design principles
Above all, p≡p – contrary to existingcryptographic solutions – shall beeasy to install, use and understand.
In our opinion, not just powerusers, but all users have the rightto use end-to-end cryptography.
Furthermore, for their communicationsp≡p users don’t depend on any specific(web or operating system) platform,message transport system (SMS, E-Mail, XMPP etc.) or centrally providedclient–server or “cloud” infrastructures:p≡p is 100% peer-to-peer by design.
3.1 Ease of use: hassle-free installation, automatic configuration and inte-gration
p≡p software shall integrate into ex-isting systems for written digital com-munications like e-mail clients (e. g.Thunderbird, Apple Mail or Outlook)and messaging clients, or be providedas apps for smartphones (e. g. for An-droid or iOS) in a hassle-free way: incase of e-mail this means that uponinstallation existing OpenPGP keyswill be used by p≡p automatically forany further communication; shouldno OpenPGP keys be available, p≡pautomatically creates a private andpublic key for the e-mail address con-cerned. Even though it’s discouraged
for regular users, of course powerusers will remain free to configure theirinstallation by themselves and turnoff the automation proposed by p≡p.
From the beginning, the p≡p conceptbears in mind to be installed not juston end user devices, but also in or-ganizations with thousands of users:important features for such settings,like distribution lists, BCC mailingsand unencrypted archiving of e-mails,which were sent or received encrypted,is possible.
3.2 Understandability: traffic lights semantics / Privacy Status
To indicate the security level in placefor a given communication situation,p≡p uses traffic lights semantics7 toeasily indicate the Privacy Status to theuser:
• red: An attack was detected or theuser explicitly expressed mistrust forthe given communication channel, sothat this channel must be consideredspecifically insecure.
• yellow: The communication chan-nel is perfectly encrypted by state-of-the-art technology known beingcorrect, using well-implemented cryp-tographic methods only and sufficientkey lengths, but sender (inbound) orrecipient (outbound) are not (yet) veri-fied.
• green: Two peers have used a side-channel (e. g. by making a phone call)
7Changes to the colors’ meanings might still occur.8Trustwords are unique representations of a peer’s public key fingerprint, but not in form of hexadeci-
mal blocks as usual when verifying OpenPGP fingerprints, but in form of words in users’ mother native lan-
7
to check their Trustwords,8 so thecommunication can be shown as fullytrusted by all reasonable means.9
• No color: That’s the default situa-tion of today without p≡p or anyother (known) cryptographic so-lution under management of p≡psoftware from an inbound or to anoutbound peer. In case of e-mailthe communication channel usuallymust be considered as insecure
like sending a post card. Any impor-tant actor transporting the messagecan read about the sender, the re-cipients, the subject and read themessage’s full contents and attach-ments. Also in cases where theencryption employed is undefinedor unreliable (e. g. S/MIME withcommercial CAs) or a key couldn’tbe found the Privacy Status has nocolor.
3.3 Interoperability: convergence of messaging systems
Instead of forcing whole user basesto use new (post e-mail) messagingsystems, the p≡p concept is aboutsecuring what’s insecure today.
Not at last taking into accountthat e-mail is one of the mostwidespread message transport sys-tems used10 for written digital com-munication, sided by SMS, XMPPand proprietary message formats.
p≡p pursues the philosophy not to takesides, respecting users’ choices andproviding solutions for their preferredmessaging systems and the ability tocommunicate with all peers on theirpreferred communications channels.Even though p≡p will provide its ownmessaging format for cases whereboth communication end points havep≡p software installed, and no otherformat delivers the needed properties.
3.4 Cross-platform support: free choice of platforms
From the very beginning (cf. 5 forsome more details) portability andcross-platform support is an importantdesign aspect of p≡p. p≡p will supportdesktop, apps and web-based systems.For the latter, add-ons and plug-ins willbe made available supporting popu-lar web-based e-mail providers, whichpeople are being used to access withtheir different devices by a browser.
p≡p is starting with securing e-mailcommunications for Mail User Agents(MUAs) like Thunderbird, Apple Mailand Outlook providing add-ons, plug-insand apps for smartphone operating sys-tems like Android and iOS. p≡p shallalso be integrated and shipped withalready popular messaging systemswherever possible.
guage or any of the languages in the realm of ISO 639-1 code; cf. URL https://cacert.pep.foundation/trac/wiki/Trustwords.
9This, of course, is assuming no malware of any kind is present at one or both end points and no back-door is present at any end point in the system.
10That is including the fact each active Internet user might have at least one e-mail address and the useof most (web) services require an active e-mail address to be used. Also in business situations, e-mail ispersisting being prevalent.
8
3.5 100% peer-to-peer: no central providers
By default, communications be-tween p≡p peers always work end-to-end encrypted – no eavesdrop-ping in between shall be possibleby design. p≡p users are neverforced to use a proprietary platform.
Concerning communication by e-mail using OpenPGP cryptography,this means every user or organiza-tion can decide by themselves if theywant to run an own e-mail server orto use third party services to com-municate with other peers via e-mail.
In any case, p≡p will do its best tohide as much as possible of thecommunicated information fromattackers – including metadata –increasing attackers’ costs to themaximum (cf. 4 for more details).
p≡p delivers a synchronization proto-col11 allowing a user to own differentdevices (e. g. a laptop and a smart-phone) sharing a common DeviceGroup key pair, such that messagescan be sent and read across differentdevices.
11Cf. URL https://cacert.pep.foundation/trac/wiki/p%E2%89%A1p%20sync%20protocol for asketch.
9
4 Cryptography being used and communication strategy
Following the principle of privacy with-out compromise p≡p is making surethe p≡p engine always chooses thecheapest available and most secureway of communicating possible, thatis choosing the most feasible commu-nication route, which at the same timeis the most expensive for attackers.
The current communication strategylooks like the following:
1. When two p≡p users are communi-cating:
a. if on-line communication avail-able: OTR (or Axolotl) throughGNUnet
b. if on-line communication notavailable:
i. if anonymizing platformavailable, p≡p static encryp-tion based on OpenPGPthrough anonymizing plat-form (e.g. Qabel12)
ii. if anonymizing platform notavailable, fallback to p≡pstatic encryption based onOpenPGP
2. when a p≡p user is communicatingwith a non-p≡p user then dependingon the capabilities of the non-p≡puser:
a. if anonymizing and forward se-crecy is possible, use that (i. e.OTR over GNUnet)
b. if anonymizing but no forwardsecrecy is possible, use that (i.e. OpenPGP over Qabel)
c. if forward secrecy is possible,use that (i. e. OTR)
d. if hard cryptography but no for-ward secrecy is possible, usethat (i. e. OpenPGP)
e. if only weak cryptography ispossible, use that (i. e. S/MIMEwith commercial CAs)
f. send unencrypted
12Cf. URL https://qabel.de/ or any similar solution.
10
5 Architectural aspects: p≡p engine and adapters
p≡p consists13 of three components:
• p≡p engine
• p≡p adapters
• p≡p plug-ins, add-ons and apps
For portability reasons14, the p≡pengine is written in C99 program-ming language. p≡p engine is im-plementing formats, applying cryp-tography, managing keys and trustand driving message transports.
Part of the p≡p engine distribution isa replacement for GnuPG, NetPGP-et15, a PGP implementation for plat-forms where GnuPG is not available.
Any developer of add-ons, plug-ins,apps or desktop applications doesnot need to deal with cryptographicfunctionalities accessible by the p≡p
engine; instead p≡p adapters are pro-viding an easy API in the languageand the development environmentof the application programmer.
Examples of adapters, which are al-ready available under the GNU GPL v3license by the p≡p foundation include:
• p≡p Qt Adapter for graphical environ-ments based on Qt (e. g. KDE desk-top systems)16
• p≡p Java Native Interface (JNI)adapter (e. g. for Android plat-forms)17
• p≡p iOS adapter for iOS-based sys-tems (iPhones and iPads)18
• p≡p COM server adapter for Mi-crosoft Windows, supporting a .NETAPI (e. g. needed for Outlook)19
More p≡p adapters to follow.
13For the most detailed, complete and up-to-date (work-in-progress) resource in this regard, the publiclyavailable trac site of the p≡p foundation should be consulted: cf. URL https://cacert.pep.foundation/trac/.
14p≡p can also be made available for microcontrollers (on IoT components) with only minimalistic hard-ware.
15Cf. https://cacert.pep-project.org/trac/browser/netpgp-et/16Cf. URL https://cacert.pep.foundation/trac/browser/pepqtadapter17Cf. URL https://cacert.pep.foundation/trac/browser/pepjniadapter18Cf. URL https://cacert.pep.foundation/trac/browser/pepiosadapter19Cf. URL https://cacert.pep.foundation/trac/browser/pepcomserveradapter
11
