
Decentralized DNS & PKI


CITP Luncheon Speaker Series:
Muneeb Ali – Experiences with Building a Global PKI with Blockchains

Cryptocurrency blockchains like Bitcoin and Namecoin, and their respective P2P networks, have seen significant adoption in the past few years and show promise as naming systems with no trusted parties. Users can register human-readable names and securely associate data with them; only the owner of a particular private key can write or update the name/value pair. In theory, many decentralized systems can be built using these cryptocurrency networks, such as new, decentralized versions of DNS or PKI. As the technology is relatively new and evolving rapidly, however, little production data or experience is available to guide design tradeoffs.

In this talk, we describe our experience operating a large, real-world deployment of a decentralized PKI service built on top of the Namecoin blockchain. We present various challenges (network reliability, throughput, security issues) that we needed to overcome while registering/updating over 33,000 entries on the blockchain, which involved over 200,000 transactions on the Namecoin network. Further, we discuss how our experience informed the design of a new blockchain-based naming system, Blockstack. We detail why we changed from Namecoin to the Bitcoin network for the new system, as well as operational lessons from this migration. Blockstack is released as open source and currently powers a production PKI system for 46,000 users.

Ryan Shea

March 08, 2016

Transcript

  1. Step 1: How do I talk to facebook.com? Step 2: Is this the correct facebook.com?
     - DNS gives route to facebook.com
     - PKI verifies authenticity of facebook.com
  2. Step 3: How do I login to facebook.com?
     - Facebook does account management
     - Facebook gives usernames/passwords
  3. Problems with DNS + PKI:
     - Internet censorship
     - Central points of trust and failure
     - Ease of use and deployment
  4. Problems with DNS + PKI:
     - Internet censorship
     - Central points of trust and failure
     - Ease of use and deployment

     Goals for a decentralized DNS + PKI:
     - Extremely hard to censor
     - No central points of trust or failure
     - Low cost, keypair ownership by default
  5. How Blockchains Work:
     - It’s a file!
     - Append-only global log
     - Every node on the network has a consistent copy
     - Writes are slow, reads are fast
  6. Production system on Namecoin:
     - Used u/ namespace
     - Live between March 2014 and August 2015
     - 33,000 registrations
     - Over 200,000 transactions
  7. Lessons from Namecoin:
     - Storage limitations (blockchain bloat)
     - Introducing new features (hard fork)
     - Failure of merged-mining
     - Security / throughput of blockchain
     - Other engineering challenges
  8. General Challenges with Blockchains:
     - Storage limitations (blockchain bloat)
     - Introducing new features (hard fork)
     - Slow writes
     - Endless ledger problem
  9. [Diagram: four-layer architecture. Layer-1: cryptocurrency blockchain carrying (name_op, hash) records; Layer-2: virtual blockchain; Layer-3: routing, a DHT holding routing info; Layer-4: data, held in Storage System A and Storage System B. Arrows: lookup route, lookup data.]
  10. Unlimited Data Storage: [Diagram: control plane made of the Bitcoin blockchain carrying (name_op, hash) records and the virtual blockchain; data plane made of storage drivers: S3, Dropbox, Linux.]
  11. Fast Bootstrapping: (1) Records are organized into a Merkle tree (2) whose root is fed into the consensus hash, (3) along with a geometric series of prior consensus hashes
  12. General Challenges with Blockchains:
      - Storage limitations (blockchain bloat) -> Unlimited data
      - Introducing new features (hard fork) -> Virtualchain
      - Slow writes -> Get updates off blockchain path
      - Endless ledger problem -> Fast bootstrapping

      Goals for a decentralized DNS + PKI:
      - Extremely hard to censor -> state level actor
      - No central points of trust or failure -> check
      - Low cost, keypair ownership by default -> check
  13. Blockstack CLI: Blockstack gives you fast, secure, and easy-to-use DNS, PKI, identity management, and custom namespaces on the blockchain
  14. In the pipeline:
      - Securing DHTs with Blockstack
      - Unbound (DNS server) integration
      - Bootstrapping trust for cloud infrastructure (OpenCloud)
      - Identity and authentication services (Blockstack Auth)
      - Stateless servers (blogging, email, etc)
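
The fast-bootstrapping construction on slide 11, as an added example that is not Blockstack's own code: each block's records are hashed into a Merkle root, the root is hashed together with prior consensus hashes at geometric distances, and a node holding one trusted consensus hash can then authenticate a much older one in a few hops. SHA-256, the leaf/node prefixes, the 1, 2, 4, 8, ... spacing, the byte encoding and all function names are assumptions made for illustration.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()  # assumption: SHA-256

def merkle_root(records):
    """Merkle root of one block's records; an odd node is paired with itself."""
    level = [h(b"\x00" + r) for r in records] or [h(b"")]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [h(b"\x01" + level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def prior_heights(height):
    """Heights 1, 2, 4, 8, ... blocks back (assumed series), never below 0."""
    out, step = [], 1
    while height - step >= 0:
        out.append(height - step)
        step *= 2
    return out

def build(blocks):
    """Return per-height (merkle_root, prior_hashes) and the consensus hashes."""
    parts, chash = [], []
    for height, records in enumerate(blocks):
        root = merkle_root(records)
        priors = [chash[p] for p in prior_heights(height)]
        parts.append((root, priors))
        chash.append(h(root + b"".join(priors)))
    return parts, chash

def verify_back(trusted_height, trusted_hash, target_height, parts):
    """Authenticate the consensus hash at target_height from one trusted hash.
    `parts` comes from an untrusted peer; returns (hash, hops)."""
    height, current, hops = trusted_height, trusted_hash, 0
    while height > target_height:
        root, priors = parts[height]
        ok = [len(p) for p in priors] == [32] * len(prior_heights(height))
        if not ok or h(root + b"".join(priors)) != current:
            raise ValueError(f"consensus hash mismatch at height {height}")
        k = (height - target_height).bit_length() - 1  # largest 2**k <= distance
        height, current, hops = height - 2 ** k, priors[k], hops + 1
    return current, hops

if __name__ == "__main__":
    # Constructed sample data: 1001 blocks of three placeholder name operations.
    blocks = [[f"name_op:{i}:{j}".encode() for j in range(3)] for i in range(1001)]
    parts, chash = build(blocks)
    print(verify_back(1000, chash[1000], 0, parts)[1], "hops instead of 1000")
```

The hop count equals the number of set bits in the height difference, so verification cost grows logarithmically with chain length, and any altered root or prior hash along the path fails the recomputation.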