current Web is obsolete • The Web has been designed to be decentralized BUT… • It’s more and more centralized: Google, Apple, Amazon, Microsoft, … • That makes the spying easier • A lot of DdoS attacks succeed • A single server is not enough even to serve a single popular Youtube video • Hosting changes → URLs are broken
password marketplace? • A common task for security auditors: assess the strength of password hashes • A test on a single CPU/GPU for a few hours is usually not enough compared to motivated attackers • So the idea is to build a collaborative marketplace with incentives to help: – people submit their password hashes with given rewards – the one who solves a hash is given the corresponding reward
fully decentralized application? (1/2) • We need a fully decentralized application to avoid cheating, censorship, DDoS, downtime… • Several parts should be decentralized: – web back-end (core logic/app) – web front-end (storage of HTML/JS/CSS) – domain name (storage and resolver)
fully decentralized application? (2/2) • I have chosen Ethereum technology with some beta components: – web back-end: Ethereum smart contract – web front-end: Ethereum Swarm – domain name: Ethereum Name Service (ENS)
tricks • For the submitter: – You pay the reward in advance and it is locked (no insolvency) • For the solver: – You have to pay a small fee to submit an answer (no bruteforce) – Answer is verified by thousands of nodes (no corrupted server) • For all users: – Decentralized application (no DoS/DDoS, downtime)
Ethereum blockchain • https://www.ethereum.org/ • More than 22,000 online nodes!: https://www.ethernodes.org most secured/trustable blockchain nowadays • Average block/transaction time: 15 seconds • Allows safe execution of logic through smart contracts • Allow payments with its digital currency, ether (ETH): https://coinmarketcap.com/currencies/ethereum/ • “Ethereum: the World Computer”: https://www.youtube.com/watch?v=j23HnORQXvs
name service: Ethereum Name Service (ENS) • An ENS entry can map a .eth name to: – an individual Ethereum account – a content hash for decentralized storage (Swarm or IPFS) • ENS official web site: https://ens.domains/ • Booking an entry: https://registrar.ens.domains/ • ENS stats: https://ens.codetract.io/
storage: Ethereum Swarm • Peer-to-peer storage and serving solution • DDOS-resistant, zero-downtime, fault-tolerant, censorship-resistant and self-sustaining with incentives (soon) • Swarm protocol: bzz:// • Swarm official web site is stored using… Swarm and is also a Swarm gateway: – http://swarm-gateways.net/ redirects to http://swarm-gateways.net/bzz:/theswarm.eth/ – theswarm.eth resolves to 0x9b34db0158bad197cb28b374c79cd4090d5d75e197d0f118a8fc23835f3a22e0 – http://swarm-gateways.net/bzz:/9b34db0158bad197cb28b374c79cd4090d5d75e197d0f118a8fc23835f3a22e0/ • Other examples: – Photo album: http://swarm-gateways.net/bzz:/photoalbum.eth/
apps: smart contracts • A smart contract is an application core • Once deployed: – No one can modify the code or stop its execution – The code runs simultaneously on all the nodes • Smart contract + web front-end = “dApp” • Ethereum smart contracts main programming language: Solidity
basics • High-level language, syntax similar to JavaScript • Compiled to bytecode then deployed on the blockchain • Designed to target the Ethereum Virtual Machine (EVM) • Statically typed, supports inheritance, libraries, complex user- defined types... • Ability to create contracts for voting, crowdfunding, blind auctions, multi-signature wallets and more! • Official documentation: https://solidity.readthedocs.io/en/develop/
& deploying the smart contract • Contract can be written using Browser Solidity: https://ethereum.github.io/browser-solidity/ • Contract can be tested using Truffle framework: http://truffleframework.com/ or Ethereum testnet (currently “Ropsten”) • Contract can be deployed & used using: – Parity: https://parity.io/ – Mist: https://github.com/ethereum/mist/releases
you may need (1/2) • A node/gateway: – IPFS (or a public one: https://ipfs.infura.io ) – Swarm (or a public one: http://swarm-gateways.net/bzz:/passwords.eth/ ) – Ethereum (or a public one: https://mainnet.infura.io/ )
you may need (2/2) • For dApps: – An Ethereum wallet with a small balance (typically 0.005 ETH) – A dApps compatible browser: • Desktop: – Chrome plugins: “ENS Gateway” & “Metamask” – or Ethereum Mist or Parity • Mobile: Cipher, Status or Trust – An entry point: URL or https://www.stateofthedapps.com/ (~ 1200 projects listed!)
few words... • Nice and usable proof-of-concept but: – Limited to SHA256 hashes for the moment: lack of other interesting hash functions in the EVM, and high transaction fees to develop new ones a solution would be to use a trusted oracle – Code is quite ugly, need some fixes before being published • Use it, share it, and audit your passwords!
of interest • One of my previous presentation about blockchains & security: https://tinyurl.com/blockchain-security • A French article&interview about my password market: https://tinyurl.com/passwords-eth • Security of light wallets (French MISC magazine, March 2018)
rlifchitz
bo0om
scatterlab
monochromegane
flekschas
tathi
sei88888
yuukit
highlow
diracdiego
moore
bkeepers
nonsquared
iamctodd
colly
jasonvnalue
mthomps
smashingmag
jmmastey
paulrobertlloyd
samlambert
aarron
