current Web is obsolete • The Web has been designed to be decentralized BUT… • It’s more and more centralized: Google, Apple, Amazon, Microsoft, … • That makes the spying easier • A lot of DdoS attacks succeed • A single server is not enough even to serve a single popular Youtube video • Hosting changes → URLs are broken
password marketplace? • A common task for security auditors: assess the strength of password hashes • A test on a single CPU/GPU for a few hours is usually not enough compared to motivated attackers • So the idea is to build a collaborative marketplace with incentives to help: – people submit their password hashes with given rewards – the one who solves a hash is given the corresponding reward
fully decentralized application? (1/2) • We need a fully decentralized application to avoid cheating, censorship, DDoS, downtime… • Several parts should be decentralized: – web back-end (core logic/app) – web front-end (storage of HTML/JS/CSS) – domain name (storage and resolver)
fully decentralized application? (2/2) • I have chosen Ethereum technology with some beta components: – web back-end: Ethereum smart contract – web front-end: Ethereum Swarm – domain name: Ethereum Name Service (ENS)
tricks • For the submitter: – You pay the reward in advance and it is locked (no insolvency) • For the solver: – You have to pay a small fee to submit an answer (no bruteforce) – Answer is verified by thousands of nodes (no corrupted server) • For all users: – Decentralized application (no DoS/DDoS, downtime)
Ethereum blockchain • https://www.ethereum.org/ • More than 22,000 online nodes!: https://www.ethernodes.org most secured/trustable blockchain nowadays • Average block/transaction time: 15 seconds • Allows safe execution of logic through smart contracts • Allow payments with its digital currency, ether (ETH): https://coinmarketcap.com/currencies/ethereum/ • “Ethereum: the World Computer”: https://www.youtube.com/watch?v=j23HnORQXvs
name service: Ethereum Name Service (ENS) • An ENS entry can map a .eth name to: – an individual Ethereum account – a content hash for decentralized storage (Swarm or IPFS) • ENS official web site: https://ens.domains/ • Booking an entry: https://registrar.ens.domains/ • ENS stats: https://ens.codetract.io/
storage: Ethereum Swarm • Peer-to-peer storage and serving solution • DDOS-resistant, zero-downtime, fault-tolerant, censorship-resistant and self-sustaining with incentives (soon) • Swarm protocol: bzz:// • Swarm official web site is stored using… Swarm and is also a Swarm gateway: – http://swarm-gateways.net/ redirects to http://swarm-gateways.net/bzz:/theswarm.eth/ – theswarm.eth resolves to 0x9b34db0158bad197cb28b374c79cd4090d5d75e197d0f118a8fc23835f3a22e0 – http://swarm-gateways.net/bzz:/9b34db0158bad197cb28b374c79cd4090d5d75e197d0f118a8fc23835f3a22e0/ • Other examples: – Photo album: http://swarm-gateways.net/bzz:/photoalbum.eth/
apps: smart contracts • A smart contract is an application core • Once deployed: – No one can modify the code or stop its execution – The code runs simultaneously on all the nodes • Smart contract + web front-end = “dApp” • Ethereum smart contracts main programming language: Solidity
basics • High-level language, syntax similar to JavaScript • Compiled to bytecode then deployed on the blockchain • Designed to target the Ethereum Virtual Machine (EVM) • Statically typed, supports inheritance, libraries, complex user- defined types... • Ability to create contracts for voting, crowdfunding, blind auctions, multi-signature wallets and more! • Official documentation: https://solidity.readthedocs.io/en/develop/
& deploying the smart contract • Contract can be written using Browser Solidity: https://ethereum.github.io/browser-solidity/ • Contract can be tested using Truffle framework: http://truffleframework.com/ or Ethereum testnet (currently “Ropsten”) • Contract can be deployed & used using: – Parity: https://parity.io/ – Mist: https://github.com/ethereum/mist/releases
you may need (1/2) • A node/gateway: – IPFS (or a public one: https://ipfs.infura.io ) – Swarm (or a public one: http://swarm-gateways.net/bzz:/passwords.eth/ ) – Ethereum (or a public one: https://mainnet.infura.io/ )
you may need (2/2) • For dApps: – An Ethereum wallet with a small balance (typically 0.005 ETH) – A dApps compatible browser: • Desktop: – Chrome plugins: “ENS Gateway” & “Metamask” – or Ethereum Mist or Parity • Mobile: Cipher, Status or Trust – An entry point: URL or https://www.stateofthedapps.com/ (~ 1200 projects listed!)
few words... • Nice and usable proof-of-concept but: – Limited to SHA256 hashes for the moment: lack of other interesting hash functions in the EVM, and high transaction fees to develop new ones a solution would be to use a trusted oracle – Code is quite ugly, need some fixes before being published • Use it, share it, and audit your passwords!
of interest • One of my previous presentation about blockchains & security: https://tinyurl.com/blockchain-security • A French article&interview about my password market: https://tinyurl.com/passwords-eth • Security of light wallets (French MISC magazine, March 2018)
rlifchitz
osx
s_uryu
diracdiego
butsugiri
umepon
kitachan_black
emmiartbook
tossy
shutakahama
tsurubee
kei18
ken57
morganepeng
samanthasiow
ufuk
geoffreycrofte
holman
notwaldorf
malarkey
62gerente
kastner
tanoku
dougneiner
samlambert
