Publius is a web protocol developed by Lorrie Cranor, Avi Rubin and Marc Waldman that gives individuals the ability to publish information on the web anonymously and with a high guarantee that their publications will not be censored or modified by a third party.
Design goals
The nine design goals of the Publius development team are:
Overview
The Publius web system consists of the following agents:
The Publius system relies on a static list of m web servers. When a publisher wishes to add content M to the web, it first encrypts M using a random symmetric key K. K is then split into n shares (parts) such that at least k<n shares are required to reconstruct K (see also Secret sharing). Each server in a subset of the m servers receives a different share of K together with the encryption of M under the key K, E(M,K).
When a retriever wishes to obtain the original contents M, it follows a generated URL which corresponds to the contents M combined with the portion of K as it appears on a subset of servers from the list. Gathering k different shares and a copy of E(M,K) allows the retriever to reconstruct the key K from the shares and decrypt E(M,K) back into M. Modification or removal of the server-hosted contents can be issued only by the original publishers, using a combination of a password and the hosting server's domain name.
At present, Publius supports the hosting of HTML pages, images and other file formats such as PDFs and PostScripts.
Operations
The Publius protocol allows the following operations:
When a publisher wishes to add web content to the Publius web, its Publius client software (Publius Client Proxy) executes the following steps:
- A random symmetric key K is generated.
- The original content M is encrypted with a symmetric-key algorithm under the key K, resulting in the encryption E(M,K).
- K is split into n shares using Shamir's Secret Sharing method such that at least k<n shares are required to reconstruct K by interpolation.
- For each of the n shares, the following computation takes place:
  $name_i = wrap(H(M * share_i))$ where $M * share_i$ $share_i$
- The hosting servers are chosen out of the servers list; the chosen locations in the servers list are determined by $location_i = (name_i \bmod m) + 1$ in order to obtain n values in the range [1,m]. If less than k unique locations were found, this step is repeated till d >= k unique locations are found.
- In each server which appears in the servers list at $location_i$ $name_i$ $E(M,K)$, the chosen server's share of key K (namely, $share_i$
- A unique Publius URL is constructed by concatenation of the d different $name_i$
Diagram describing the selection of servers out of the servers list to hold encrypted contents under hashed directory names.
After the publish operation is done, each chosen server at location
When a retriever wishes to browse for web content in the Publius web, its Publius client software (Publius Client Proxy) executes the following steps:
- The URL is parsed back into 8-byte units (which are the $name_i$
- For each $name_i$ $location_i = (name_i \bmod m) + 1$ which indicates the server's location in the list.
- k servers are chosen arbitrarily out of the located servers in order to reconstruct the key K using an interpolation over the retrieved k shares, one from each chosen server.
- Among those k chosen servers, one is chosen for retrieving the encrypted contents E(M,K). This is issued using an HTTP GET request to the server for a file named file stored in the server directory named $name_i$
- The k shares of the key K are fetched in a similar way, known to be located in a server file named share under the $name_i$
- The original message is decrypted from E(M,K) using the reconstructed key K.
- The retriever then verifies that the contents M wasn't modified nor did the key share $share_i$ $wrap(H(M * share_i))$ and comparing it with the corresponding $name_i$
- If a mismatch was found, another set of k servers can be tried, or maybe the contents should have been downloaded from another server.
- If verified successfully, the original contents M can be viewed by the web browser.
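The naming, server selection and tamper check from the publish and retrieve steps above, as an added example that is not part of the original page or the Publius code. It assumes H is MD5, wrap XORs the two halves of the digest (giving the 8-byte names the retrieve step mentions), `*` is concatenation and names are read as big-endian integers; the shares are constructed stand-ins, not real Shamir shares.

```python
import hashlib
import hmac


def wrap(digest: bytes) -> bytes:
    """Assumed wrap(): XOR the two halves of the digest (16 -> 8 bytes)."""
    half = len(digest) // 2
    return bytes(a ^ b for a, b in zip(digest[:half], digest[half:]))


def name_for(content: bytes, share: bytes) -> bytes:
    """name_i = wrap(H(M * share_i)); H = MD5 and * = concatenation are assumed."""
    return wrap(hashlib.md5(content + share).digest())


def location_for(name: bytes, m: int) -> int:
    """location_i = (name_i mod m) + 1, a 1-based index into the server list."""
    return int.from_bytes(name, "big") % m + 1  # big-endian is an assumption


def publish_plan(content: bytes, shares: list, m: int, k: int):
    """Map each unique location to (name_i, share_i); None if d < k."""
    plan = {}
    for share in shares:
        name = name_for(content, share)
        plan.setdefault(location_for(name, m), (name, share))
    return plan if len(plan) >= k else None  # caller repeats the step


def verify(content: bytes, share: bytes, name: bytes) -> bool:
    """Retriever check: recompute wrap(H(M * share_i)) and compare to name_i."""
    return hmac.compare_digest(name_for(content, share), name)


if __name__ == "__main__":
    # Constructed sample data: stand-ins for M and for n = 5 shares of K.
    M = b"<html>constructed sample page</html>"
    shares = [bytes([i]) * 16 for i in range(1, 6)]
    plan = publish_plan(M, shares, m=40, k=3)
    for loc, (name, share) in sorted((plan or {}).items()):
        ok = verify(M, share, name)
        tampered = verify(M + b"!", share, name)
        print(loc, name.hex(), "intact:", ok, "tampered accepted:", tampered)
```

Because each name binds both M and the share stored beside it, a server that alters either one fails `verify`, which is what sends the retriever to another set of k servers.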
The delete operation is implemented by invoking a CGI script running over the servers. To each server the hash result of
The update operation similarly uses the hashed concatenation of the server domain name with publisher's password in order to authenticate the original ownership of the hosted contents. Under this operation, the update itself is done by adding additional update file under the
Publius URLs
Encrypted web contents in the Publius protocol are traceable by their Publius URLs. Those have the following format:
Where