wpharris92/panorama
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
Panorama
Multi-Path SSL Authentication using Peer Network Perspectives
===============================================================================
WHAT
Panorama aims to provide authenticity for SSL connections without Certificate
Authorities. It is based on the Perspectives and Convergence projects:
Perspectives: http://perspectives-project.org/
Convergence: http://convergence.io/
Panorama aims to provide a wider view than either of the projects by utilizing
peer network perspectives.
----------------
General Concepts
----------------
Authenticity - Essentially, knowing that you're talking to who you intend to
talk to.
Certificate - A binding of a public key to an identity. Alice's certificate
contains her identity and public key. She would present this certificate
to Bob, so that Bob can encrypt data to Alice.
Man-In-The-Middle (MITM) Attack - An attack that is possible when a
connection lacks authenticity. As an example, Alice asks for Bob's
certificate, but Eve intercepts her connection and provides a certificate
with Bob's identity and Eve's public key. Eve then would connect to Bob,
pretending to be Alice, and could then see the traffic between Bob and
Alice.
Certificate Authority (CA) - The first attempt at providing authenticity to
connections on the web. In theory, a CA will verify (out of band) that the
private key for a certificate's public key is owned by the entity
identified on the certificate.
Perspectives (project) - An alternative to the CA system, that instead uses
multiple network perspectives to verify the identity of a server. It is
based on the idea that, though it would be easy to play MITM with a single
entity, doing so with many distributed connections is very hard. A client
will get the server's certificate, and verify with semi-authoritive
'notaries' that they also see the same certificate.
Panorama is based on the same idea as Perspectives, but instead uses other peers
to provide distributed network vantage points.
Clients will connect to a server and can make requests for domains, which will
be routed to other connected clients. Those clients will grab the certificate
for the requested domain and reply to the server, which will route the request
back to the original client. The client can then decide whether to trust the
connection based on what other peers have seen.
In addition, the server may create a cache of recently accessed domains and
return them without asking clients.
===============================================================================
WHY
Most browsers come preloaded with a list of CAs to trust. Browsers then check
that a certificate is signed by one of the trusted CA's and that the identity
matches that of the website they are connecting to. This is secure as long as
we assume that certificate authorities correctly verify each certificate they
sign.
Certificate Authorities have delegated their certificate signing to over 600
organizations, according to the EFF.
https://www.eff.org/observatory
Many of the organizations aren't tracked or audited by browser companies, but
browsers will trust their certificates by default.
There have been a number of cases where false certificates were created, which
would allow an attacker to play MITM with every browser, since the certificate
would be trusted by all browsers.
===============================================================================
HOW
------------
Dependencies
------------
Panorama is written in Python.
Get Python:
https://www.python.org/downloads/
MySQL is used by the server to store client views.
Get MySQL:
http://www.mysql.com/downloads/
pyMySQL is needed for Python to be able to talk to MySQL.
Get pyMySQL:
https://github.com/PyMySQL/PyMySQL/
peewee is used as a layer above MySQL, to simplify communication with the
database.
Get peewee:
http://docs.peewee-orm.com/en/1.0.0/peewee/installation.html
ZeroMQ is used to communicate between client and server. The Python bindings are
in PyZMQ.
Get PyZMQ:
https://github.com/zeromq/pyzmq
----------------
Before you begin
----------------
### Server Database
The server holds a database of previous client 'views'. This is now a MySql
database, and must be created before running the server.
The database name and user must be specified within PanoramaServer.py. Sorry.
### Certificates
To make sure you're connecting to the server (and not someone pretending to be
the server), you must get the server's certificate.
For now, this is generated when you start the server. 'server.key' is the name
of the server key. Woop.
In addition, each client must use this certificate. An example of passing the
server certificate to the PanoramaClient is seen easily in
PanoramaClientGroup.py.
----------------------
Starting up the Server
----------------------
To start the server, simply run:
python PanoramaServer.py
This will start up the server, which will generate its own key, 'server.key' (if
it doesn't already exist). It will also bind to 'tcp://127.0.0.1:12345',
since this is just an example.
But that's it! Assuming your database is set up already, you're now ready for
connections. Every 5 seconds, the server will report how many clients are
connected, and will ping inactive clients.
As of now, the server exists as a single entity and not something modularized.
Sorry.
--------------------
Example Usage / Demo
--------------------
After starting up a server, and in another terminal window, run:
python PanoramaClientGroup.py
This will start up 10 clients and connect them to the server. Nice! They will
be used to respond to our requests for domains.
In a third window, run:
python InteractivePanoramaClient.py
In this window, you can make requests for certificates, and watch the responses
from the other clients.
Let's try making a request for www.google.com:
>> request www.google.com
You should see the server tell you about where the replies are coming from,
either responses from the database or as requests to other connected clients.
In the window where you started up the client group, you should see a bunch of
attempts at writing 'Got request for url: www.google.com'. They might be a
bit jumbled, that's okay. We're working with threads!
Back to the window we made the request from, you should see a printout of what
your client saw, and a map of what other clients saw, followed by a final
decision of whether or not to trust the connection. At this point, you should
be trusting whatever certificate 'www.google.com' returns, since you're
making the request from the same perspective.
Cool! Nice work. But this isn't a very fun example, since everyone agrees.
Let's throw some comprimised folks in with the mix! In yet another window, run:
python EvilPanoramaClients.py
These 10 guys will respond to any request with 'BAD_CERTIFICATE_INFO'
So again, let's go to our interactive client:
>> request www.amazon.com
You will see that we got responses of certificate hashes and the bad certificate
info. But... there's only 5 responses. You'd like to do more.
Another argument after the domain in the request will change the number of
replies the server will try to return to you:
>> request www.amazon.com 20
This will request from all 20 other connected clients. You should get something
like:
{'<an actual hashcode>': 10, 'BAD_CERTIFICATE_INFO': 10}
I WOULD trust this connection.
By default, this will trust a connection if 50% or more peers agree with what
you saw. To change this, add another argument (in the range 0 to 1):
>> request www.amazon.com 20 .7
...
I would NOT trust this connection
Congratulations! That's my whole project.
-----------------------
Using a Panorama Client
-----------------------
Add this import line:
from panorama import PanoramaClient
Now create a PanoramaClient:
client = PanoramaClient(server_address, server_key, client_key_prefix)
where:
server_address is the zmq-style address of the server
server_key is the key loaded from the server's certificate file
client_key_prefix is the prefix (without '.key') of the client's key file
if the file doesn't exist, it is created
Now you can go ahead and make requests!
client.request('www.google.com')
This will return a map of (cert hash) -> (# of peers with this opinion), and
the decision to trust the connection is left to the caller.
===============================================================================
FUTURE WORK
- Make things more configurable (server key, database, endpoint)
- Modularize the server
- Add into a browser extension
- Also handle global request configuration (I always want to request 20 replies,
and I will trust the connection if at least 60% agree with me)
-Present a call that, given a domain, will return True or False as a trust
decision
- Within the server, identify clients by their private key/certificate
- Currently, the zmq-generated id is used, which could cause multiple
views for the same client who's connected multiple times to be returned.
===============================================================================
WHERE
Perspectives is available on GitHub at:
https://github.com/wpharris92/panorama
===============================================================================
WHO
Will Harris
wpharris92@gmail.com
About
Multi-path SSL Authentication using Peer Network Perspectives
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published