Jurisdictionless Distributed Data Havens
With all of the debate on offshore data havens, I've been thinking of a
way to implement a distributed data haven that would not be subject to
(hopefully) any local jurisdiction and therefore, would not need to be
located in the place of cypherpunks' wet dreams ;). If this idea has been
mentioned by someone else, I am not aware of it. By distributing the
data over several servers (using RAID-like striping), compromise of a
single or multiple servers (depending on implementation specifics) would
not cause a collapse of the data haven.
Here is a way such a data haven could be set up:
The data is split into multiple parts. Each site is responsible for
maintaining only its part. For a client to access a piece of data, he
will have to contact a certain number of sites to reconstruct the data.
The client could also use some sort of anonymizer service to do the data
collection and then do the combining on his local machine.
If one site gets shut down by Big Brother, denial of service attack,
etc., the other sites either find a new site to replicate the missing
part to, or they need to reconstruct the data and re-stripe it for the
remaining servers. (Read any networking book with a section on RAID to
see what all this means.)
Another idea is that the data can be encrypted, and the client pays the
key-holder for the key. The key holder would preferably be the content
provider and not one of the servers. i.e.: Client finds Bombs R Us and
wants to buy pipe bomb instructions. Bombs R Us gets anonymous payment
from client for the instructions. Bombs R Us says to client: "collect"
page 5 "parts" and use this key to decrypt. In this scheme, using
anonymous digital cash, Bombs R Us can remain anonymous with his data
publicly available but encrypted. He can pay each of the server
maintainers in anonymous digital cash as his expense. Each server cannot
(or should not) be held responsible for disseminating bomb making
instructions because each server does not *have* the instructions in a
complete form (encrypted or otherwise). It would be like someone calling
the cops and saying, I placed a box with XXXXX in it at the airport.
This in itself is not a threat. XXXXX could be anything, including OJ
Simpson's bloody clothes. And if another guy called in and said "pipe
bomb" and hung up, this is meaningless also.
The reason data striping is better than a simple mirroring network is
that no single site contains anything useful in itself for the
authorities to use against the server maintainer. (Similar to a remailer
network perhaps)
An extra feature could be if some major attack was initiated against the
data haven, there could be a dead-man button of some sort to make the
data vanish altogether by sending distress signals to the other servers
(or to at least one server, which could then cascade the signal).
The system could either use RAID Level 5 data striping, or some hybrid
scheme like this:
Site 1 has bits 1 and 5 of data
Site 2 has bits 2 and 6 of data
Site 3 has bits 3 and 7 of data
Site 4 has bits 4 and 8 of data
Site 5 has 2 parity bits (1 parity bit per nibble)
Site 6 has bits 1, 2, 3, and 4
Site 7 has bits 5, 6, 7, and 8
etc.
In this particular scheme, it would take the downing of at least 3 of
the 7 servers to prevent data collection. It would also take at least 2
sites' worth of data to reconstruct the data into a usable form. As much
or as little redundancy as needed can be built into the system.
The only time the data is in its whole is prior to being striped
across the servers, during data recreation and re-striping, and when in
the hands of the client.
Benefits:
* No single site contains any incriminating evidence
* Allows for a true "virtual company" to exist, with just a mail-box to
receive its anonymous digital cash payments
Problems:
* Requires a re-striping of data when the data source is changed
* Requires a data regeneration and re-striping when a site goes down and
a replacement site can not be found (could possibly use an idle standby
server to circumvent this problem)
Attacks:
* Government sabotages site 1, then watches site 2 for data regeneration
before re-striping (Can be thwarted by having data regeneration
happening on a randomly picked server)
Clarifications:
When I say digital cash, I am not referring to Chaum's DigiCash.
DigiCash will never work in my book because it requires an account,
amongst other reasons. YMMV.
Comments welcome.
Kevin Stephenson
-Silence is Security
WWIIish Poster
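
Added example, not part of the original post: a Python model of the seven-site hybrid layout listed above, which brute-forces all 256 byte values to check the post's two figures (how many sites a reader needs, and how many outages lose data). Bit 1 as the least significant bit and even (XOR) parity are assumptions; all function names are illustrative.

```python
from itertools import combinations

# Layout from the post: site -> the bit positions (1..8) it stores.
# Site 5 stores one parity bit per nibble instead of data bits.
DATA_SITES = {1: (1, 5), 2: (2, 6), 3: (3, 7), 4: (4, 8),
              6: (1, 2, 3, 4), 7: (5, 6, 7, 8)}
PARITY_SITE = 5
NIBBLES = ((1, 2, 3, 4), (5, 6, 7, 8))
ALL_SITES = tuple(range(1, 8))

def bit(byte, pos):  # assumption: bit 1 is the least significant bit
    return (byte >> (pos - 1)) & 1

def stripe(byte):
    """Split one byte into the seven per-site shares."""
    shares = {s: tuple(bit(byte, p) for p in ps) for s, ps in DATA_SITES.items()}
    # Assumption: even (XOR) parity over each nibble.
    shares[PARITY_SITE] = tuple(sum(bit(byte, p) for p in n) % 2 for n in NIBBLES)
    return shares

def reconstruct(shares):
    """Rebuild the byte from the surviving shares, or return None."""
    known = {}
    for site, ps in DATA_SITES.items():
        if site in shares:
            known.update(zip(ps, shares[site]))
    if PARITY_SITE in shares:
        for nib, par in zip(NIBBLES, shares[PARITY_SITE]):
            missing = [p for p in nib if p not in known]
            if len(missing) == 1:  # parity repairs exactly one lost bit
                known[missing[0]] = (par + sum(known[p] for p in nib if p in known)) % 2
    return sum(known[p] << (p - 1) for p in range(1, 9)) if len(known) == 8 else None

def recoverable(up_sites):
    """True if every possible byte survives with only `up_sites` reachable."""
    return all(reconstruct({s: v for s, v in stripe(b).items() if s in up_sites}) == b
               for b in range(256))

def min_sites_to_read():
    """Smallest number of sites from which the data can be rebuilt."""
    return next(k for k in range(1, 8) for c in combinations(ALL_SITES, k)
                if recoverable(c))

def min_outages_to_break():
    """Smallest number of downed sites that makes the data unrecoverable."""
    return next(k for k in range(1, 8) for c in combinations(ALL_SITES, k)
                if not recoverable(set(ALL_SITES) - set(c)))

if __name__ == "__main__":
    print(min_sites_to_read(), min_outages_to_break())
```

With sites 1 and 6 both down, bit 1 is still repaired from site 5's parity; taking site 5 down as well is what makes it unrecoverable.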