All right, so my name is Magnus. I'm a Swedish security researcher, which also means English isn't my native tongue, so please bear with me.

So this is about an anonymity protocol, or an anonymity project, that I've been looking at, and a little bit of background first: why is this interesting? The last few years we've seen a big upswing in anti-online-privacy measures of different kinds. A big force behind it is of course a huge pressure from media companies (and other things, of course), which has resulted in, for example, private organizations tracking users and sites by miscellaneous illegal means; ISPs tracking and throttling arbitrary traffic, both for these media company reasons and, as a by-effect, for commercial reasons; data retention laws in Europe and other parts of the world; wiretapping laws in Sweden and in the US, for example the recent FISA law proposal. Or what about other draconian laws for tracking and punishing peer-to-peer users, like the ACTA trade agreement proposal, and a French law proposal proposing to start banning peer-to-peer users: if caught sharing files three times, they will be banned for one year or three years or something from the internet. ISPs are starting to be forced to police the traffic of the users and have to take responsibility for what the users are doing, which is of course hard and quite impossible. Blacklists of different kinds: they often use child porn as some kind of excuse, but these blacklists have already been abused for other kinds of things. One quite funny example is that there was this Finnish EFF activist who exposed and criticized these blacklists
they had in Finland. They have the excuse that it's, as it's said, a child porn blacklist, so the ISPs nationwide just blocked some IP addresses. So he put up a website with criticism against this, and his website was put into this blacklist, which was of course quite ironic. And also the US ISPs have recently started to block or stop their users from getting any access to newsgroups at all, with the excuse that there could be child porn on them, so let's block them all. But of course there are other forces behind that, other ideas behind that. And then of course dictatorships and other regimes oppressing their people: blocking them, tracking them, punishing them for viewing the wrong websites. Also, there's even a recent European law proposal that you should not be able to have your own blog unless you're registered by name and address, so that everyone can track the opinions of everyone writing anything on the internet and make sure that they're not writing anything wrong. So there are a lot of things, anti-online-privacy-wise.

So because of this I'm quite surprised that there hasn't been any bigger adoption of anonymity protocols, anonymity solutions used by everyone. We have Tor, and it's a great protocol, but it's not like everyone's using it. For file sharing we have de facto standards like BitTorrent, so if you're going to download a big file or share a big file: BitTorrent. But anonymity, not so many people know about this or use it, in spite of all these anti-online-privacy measures. And also these existing solutions, in some ways, or in quite a few ways, are not well suited for some of today's and the future's demand for anonymization and the circumstances surrounding it, while at the same time they are of course really good in many ways. So I thought, well, if no one else is doing it, why not sit down and think about this for a while: the
new anonymization standard, a de facto standard that everyone can use for most things, which will hopefully solve some of the shortcomings, or, yeah, let's say shortcomings, of the current solutions in view of current circumstances. And that's how this project started.

So what are the goals of the project, then? I want it to be some kind of good reference for future work within the field of anonymization, so that others can build upon it. I want to start this kind of work for this idea, and then hopefully it'll grow and be some kind of inspiration for further discussion about what are the optimal requirements for a protocol like this, a future anonymization solution like this. And of course also to be some kind of starting point and inspiration for the actual design and development of a project like this, a global de facto standard for decentralized generic anonymization.

What it is not at this point, in a way, is a complete detailed specification ready to be implemented.
It's rather some ideas, some designs, to be built upon, discussed and refined into something of these sorts.

So some technical limitations, or one central technical limitation of this, is that the protocol, like most other anonymization protocols, really doesn't work, or isn't designed to work, if there's an attacker controlling, or rather eavesdropping, all network traffic from all nodes in the network that you are trying to anonymize yourself in. It should be noted, though, that such an attacker will of course never be able to see what the different nodes are talking about, only, perhaps, under these extreme conditions, who they are communicating with. And of course the protocol contains countermeasures in order to counter, or decrease the probability, that any attacker should be able to eavesdrop on many nodes.

Some other assumptions and directives are that arbitrary peers in the network are of course assumed to be compromised and/or adverse, because this is a decentralized network. Everyone else is just, no one is more central or more known to the project than you yourself if you're joining, so of course they could be bad and try to break things. And also one important directive during the development of this is that CPU power, network bandwidth, working memory, secondary storage resources, practically all computer resources, are relatively cheap and will of course be available in ever-increasing quantity now and even more during coming years. So wherever there has been a choice of stronger anonymity, stronger security, or more throughput or lower resource consumption, the security has always been put in first place.

So some limitations of this presentation: it's only an overview, something to get you the starting details about what this is, so that you should be interested more in the white paper and also to discuss things with me or on the project website, which you will see later. But
the white paper can be downloaded immediately if you want to take a closer look.

So let's start with some of the design goals set for this project. What I wanted to do when I started this, I thought, I'm going to sit down and think really well from the start, from the very, yeah, the design goal level: what are the requirements of this protocol to make it good in today's world, yes, today and in the future? So I came up with eight primary design goals, which are in the list here, but I'm going to go through them one by one in the following slides.

So the first design goal is complete decentralization. No central or weak points can exist in a network like this, because there will be people who don't want such a solution as this to exist. So people will work against it both legally and technically. They will try to sue the people running it at some point, just like most similar solutions have ended or been attacked so far, and if that won't work there will be technical attacks of different kinds, practically DoS attacks or takedowns of servers and things like that. So it's very important that there are no central servers, no central point that you can attack in order to bring down the whole solution or the whole network. So both ownership, to protect from legal attacks, and the technical design, to protect from technical attacks, must be decentralized, which means open source, open design, a community-owned project and a technically decentralized solution.

Design goal number two: maximum DoS resistance. As mentioned in the last slide, if you decentralize it like this, practically the only way to stop it will be to DoS the network, find technical flaws in it and exploit them in order to mess it up, bring down the network and make it unusable. And as usual it only takes one weakness at some point of the protocol to bring it down.
So defensive thinking throughout the design process is very important, and the implementation process.

Design goal number three: theoretically secure anonymization, which practically means no security by obscurity, no leaving anything to chance, thinking, oh, they wouldn't do that, that would take too much resources or time. So rather, all the anonymization aspects, I think, should be able to be expressed either as a risk or probability based on known probabilities, like how many nodes are in the network (if 90% of the nodes in the network are controlled by an attacker, then the probability to be exposed is this and that, and such things), and also cryptographic proofs, like, if the RSA algorithm is broken, this will fail too, but if it's not broken, this part should be secure.

Design goal number four: secure, and theoretically secure, end-to-end encryption. Quite an elementary thing in today's internet, but still very important, because confidentiality is not only important in itself but also important for anonymity, because if a connection is eavesdropped for enough time,
it's highly likely that some sort of identifying information will be sent over it, so confidentiality is directly important to anonymity too. Which means that even if someone would monitor and correlate all traffic in the network, with the current design they will not be able to extract any of the communicated information in it. It will only be viewable to the exact communicating endpoints, just like with SSL or something like this, but this is bounced around a bit first.

So another, more interesting one is isolation from the normal internet. By normal internet I mean the normal IP space. With Tor, for example, you can say, I want to contact this and that IP address and that port, and I want to be anonymous. This will of course result in the final node, the exit node or the out-proxy: connections can be traced back to this one, and he can get in trouble if someone hacked a government computer with him as the last node, going through Tor for example, which would of course make people less likely to want to use such a solution. So I rather wanted to make it an isolated network, where only the people who join can decide that we want to be anonymous towards each other, but for that sake no one should be able to use this network to go out to any other node on the internet, any IP address on the internet, who has not agreed to be part of the anonymity solution. So it actually has quite a lot of advantages like this, but not so many disadvantages when you come to think about it. And of course out-proxies or exit nodes towards the normal internet could still easily be implemented at the application level, for example a SOCKS proxy connected to this or something like that. So no big deal at all.
It's just not in the protocol, like in Tor.

Design goal number six: protection against protocol identification. There will, as I mentioned before, probably be a lot of powerful interests of different kinds who want to see such a solution stopped, and this can result in laws that force ISPs to block it or disable it or throttle it or something like that, which they are already doing today with some other protocols that are not very liked by certain organizations. So the harder you make it to positively identify that you're using it at all, the harder it will of course be to track, throttle and block it. So that's one of the major design goals.

Design goal number seven: high volume and throughput capacity. With existing solutions like Tor this is a big problem. You are practically not allowed to send larger amounts of data through it, and in today's internet world even larger volumes are required for normal internet use each day. Just viewing YouTube movies for a few minutes could consume hundreds of megabytes, which would be a problem through Tor. You can even be kicked from Tor by it, because you're breaking the rules. So, yeah, more or less, high speed and throughput is necessary for many internet applications today, and the popularity of a protocol like this will of course be proportionally related to the transfer speed and the throughput capacity of it. Otherwise the people who need more capacity, more speed, won't be interested, and they won't join it or use it at all. And since the anonymity of the protocol, as with most other anonymity protocols, is directly related to the popularity of it, or rather to the number of people connected to the solution that data can be routed through, this is directly important to the anonymity of it, too.

Design goal number eight, the last one, a bit more loose: generic, well abstracted and backward compatible. A generic system, which means that generic network
traffic could be anonymized through it. It's not constrained to an anonymized IRC client or anonymous FTP client or something like this; it could anonymize generic network data. A well-abstracted system and design will of course allow for a more efficient and distributed design and implementation in general, just common software development. And also the backward compatible thing is quite important, because a system compatible with all previously existing network applications will of course get a much quicker takeoff and community penetration, because everyone can just activate it for the programs they use every day, and they won't notice any difference except the relative slowdown, which we will of course try to minimize. But if, as for some other of these solutions, you have to compile special programs to be able to use it at all, or use SOCKS proxies, like in the case of Tor many times, there will be a much bigger threshold for people to start using it at all, which is again of course critical to the security of the protocol.

So a small bird's-eye view to start with, the technology or the general ideas. Can you see this?
Yeah. So on the internet today, you have two nodes out of many who want to communicate with each other. They normally do like this: create a direct connection to each other. This, though, does not only mean that they can send and receive data to and from each other, but they also automatically know the identity of each other, which in most cases isn't necessary at all for the reasons that you are doing this communication. So that's a bad idea if you want to be anonymous.

So the natural thing to do, with any or most anonymization protocols, is to bounce the data through a set of different nodes. So the data will still reach the nodes in the end, but they will no longer know each other's identity automatically, implicitly. And in this case, as with so many other good anonymization protocols, you do this by having paths which the different nodes will route their data through. In this particular case each node will be responsible for creating its own paths. So alpha will create its path and make ready for communication, beta will create its path and make ready for communication, and if they want to speak to each other, the paths will be interconnected and the data can then flow between alpha and beta like any other connection, just with a few computers in between instead of just a few routers.

So these routing paths: in order to make it more secure and more customizable, each of the nodes can, as mentioned before, build their own nodes, build their own routing path, sorry.
So if alpha is really paranoid it could build a really long path, and if beta is less paranoid he can build a shorter path, and they will still be able to just interconnect them to be able to speak. Very basic stuff.

So a little more of the high-level design of this protocol. You have these routing paths, which consist of the anonymized node, an intermediate node, and arbitrarily many more intermediate nodes, where the number is chosen by the anonymized node itself, and then in the end a terminating intermediate node. That's the exit node or entry node, the last intermediate node in that routing path.

So then, something I call routing tunnels. Well, all the anonymized nodes create a handful of these routing paths when just connecting to the network, when they're starting their computer or whatever. It could take 10 seconds, 30 seconds, two minutes. It's a one-time thing, or at least a very rare thing, so it doesn't really matter that it takes a bit of time. But once those routing paths are up and they want to make a connection to someone, that's when they create a routing tunnel inside the routing path. And like I said, it will just be a virtual connection, practically, inside this routing path. And the important thing is that it will be set up relatively quickly over existing hops and existing TCP connections (not exclusively, but anyway, as we will see), which will then be connected to a routing tunnel in the receiving routing path, the routing path of the receiving node, which will form a complete anonymized connection. As you see there, the connection goes out from the last terminating intermediate node and will be connected to the incoming routing tunnel of beta, and now we have a full anonymized connection.

So then the concept of AP addresses. Because this protocol is separate from the normal internet, we have our own
address space. It is very similar to the address space of the internet, though, for a reason, even the name: AP address, IP address. These are called anonymous protocol addresses, contrary to internet protocol addresses. They are equivalent to IP addresses in their format. They are equivalent to IP addresses in their functionality, except for one important thing, the main important thing of course, that they do not expose the identity of the peers just because they can talk to each other. So the reason that they are so similar is of course to make it easier to make the protocol backward compatible with all IP applications. The IP applications will just think that they are using normal IP addresses, but in reality they will be using AP addresses, and they won't be the wiser.

So to make something like this work, a completely decentralized solution, you would think that you would need some kind of central directory or central entity to let the nodes be able to find each other and interact. So enter the network database. You can compare it to the routing tables of the normal internet. Someone would state an AP address, or you will have an AP address that they want to use, and the network database will contain the information that will be needed to send the information to the endpoint that they would like to reach. On the normal internet that would be bouncing through different routers; in this protocol it will be bouncing between different computers or nodes, very much similar to Tor, for example. This database will be distributed and decentralized, and suggestively it would be based on distributed hash table technology. This is proven technology. It's used in several large-scale implementations, like for example the Kad network, which is a Kademlia-based distributed hash table network used in eMule.
The main thing is that there are no central servers, no central anything, only the nodes, but together they form the equivalent of a centralized database which people could execute queries against, just like a database. Most of these distributed hash table technologies have automatic resilience to constantly disappearing and newly joining nodes, because people should be able to just connect to the network and then disconnect when they're finished, and the integrity of the database should still be kept. And many of them also have automatic and built-in resilience, to some degree, to malicious nodes, and that's of course good. But as I mentioned, the network nodes are the database: the network nodes joining the network, that is your computer, my computer. You're part of the network as soon as you connect.

So a few more design details. This is the most detailed part of the presentation. I'm not sure if you'll be able to grasp everything right here now, but it's just to be able to provide some kind of understanding of what's going on.

So when you want to establish the first, the initial routing paths: we have here alpha. He wants a routing path which he wants to be able to use to make outgoing and incoming anonymous connections. So the first thing he does is he chooses at random, he actually uses the network database to get a few samples of IP addresses which are also in the network, and this is IP addresses, like the IP addresses of your computer, my computer, who have also joined this network. This information in the database is of course completely decoupled from the AP address information about nodes, which would otherwise compromise the entire meaning of this protocol. So he chooses at random, at his own will; he can pick these however he wants to. So if he gets a sample of a thousand IP addresses from the network database, he can look, like, okay:
Are these in the same C-net? Are these in the same B-net, A-net? Are they at the same ISP? Are they in the same country? And by that he can select them in a way which is to make it as little probable, as improbable, as possible that they would be controlled by the same attacker.

Next he chooses a bunch more nodes in the exact same way, which will be helper nodes, only contributing to the setup process of the path but not later, not in the actual path. The X nodes will constitute the actual path. So he then orders these nodes in a sequence according to certain rules, which we will see in just a few seconds, like this: one, two, three, four, five, up to eight. So the rules are that no two X nodes can be adjacent to each other. The X nodes are the ones who will be in the final routing path. There should be one Y node located at the one end of the sequence. There should be a number of Y nodes located at the other end of the sequence equal to the total number of X nodes minus one. And then when you have selected this sequence you should pick one end of it at random to be the starting point, that is the one where you start numbering it from one. Let's just rearrange this for the further explanation.

After this the node alpha prepares what we can call a goodie box for each of the nodes. So he gets a big box and he puts some small boxes in it, one for each of the nodes, and he could also, as you see with the gray box there, put in fake nodes, which we could talk about later or maybe in the Q&A. So he sends this packet off to the first node in the sequence, which will extract its package from the big box. How he is able to see which one is his is because, in the process of selecting these IP addresses, alpha also retrieved certain public keys for these nodes from the database, so he will be able to encrypt data to them individually, and they will just try to decrypt all the
packages in the big box, and when they get a good checksum at one of them, they know it's their own. And as you saw there, there's also the possibility for the nodes in this path to inject fake packets into the box, all according to exact instructions found in their own packets, which are of course originating from alpha. And one thing that's also in the packet is the IP address of the next node, that is the one that the modified packet should be sent along to, and also individual keys to authenticate between the next node and himself. So the next node will take his packet and maybe inject one fake packet, no fake packets or many fake packets, and then this procedure will just continue until the box has traversed the entire path and all the nodes have received their own package, which means their own instructions and data, which they will extract and save.

The connections, as you see, will also remain open, and the important thing is that the last node will send the box back to alpha, which means that if anyone had tried to mess with this packet, they would not be able to, since each of the nodes authenticate each other. No one can rip the packet out of this path and route it through someone else, because no one can see the authentication keys of someone else, and they could also not inject any data, because the checksums are checked at each point. And just by receiving the packet again at alpha, he knows that everyone is playing along and everything went well.

So then for the second round alpha will create another goodie box for each of the nodes and send it along the same connections. This time the data will be signed too, because this time it's no longer a proof, just because the box returns, that nothing was tampered with. In the
last step, the information about where to send it would be compromised, so it would never return if someone was trying to mess with it. But in this case the connections are already set up, so the data will be signed by a key, or certificate, verifiable by a certificate found in the first round in each of the boxes.

As you see, the connection to the Y node is now disappearing for each step that the packet is sent, and this is because this is the last step of their participation in this process. As soon as they send that packet and close that connection, they can forget all about it. And the reason for having these Y nodes at all is that an attacker would of course be very interested in having another node controlled by the same attacker adjacent to him in the final routing path. So in the first step, where everyone agrees to be a part of the node, no one should have the information of who will be the next node in the routing path and be able to fake that that node timed out in order to get a new suggestion of a node like that. So that's the entire reason for the Y nodes.

At this point the Y node is disconnected, and at this point, when we get to two X nodes, the X5 node will have received instructions in his new packet: you will get an incoming connection from X3 at this IP and this port and with this key and everything like that. So he will wait for that; there will be secure authentication. And after this point, in the special case of node X3, he will also, if this is an inbound routing path, register the routing path to the network database with a specially signed routing table entry which could only be created by alpha. After doing that the packet will just continue. All the X nodes will be connected in the same way, disconnecting the Y nodes, which will leave us with the complete routing path, which you will recognize from the previous figures, like this, and
now alpha knows that the process is complete, and if it is an inbound routing path, that is, another routing path that could receive connections to alpha, it will also be registered in the global network database routing table.

So just a little bit about what's in the goodie box. I will have mentioned many of these things. The routing path construction certificate: it's the certificate that will be used to sign the data in the second round. The IP and port of the next and previous nodes: that's to make it possible for each individual node to authenticate to each other. Random IDs: that's the keys that they identify against each other with, in addition to the IP and port, if someone could have stolen someone's IP address in between. Communication certificates of the next and previous nodes: it should be mentioned that all connections in the entire protocol are wrapped by SSL, so everything that an external attacker will see is only SSL communication, suggestively to port 4432, to make it even harder to identify what's actually going on and separate it from web traffic, which is of course very possible with further traffic analysis. Some seeds and params for dummy package creation. Some seeds and params for stream encryption keys, and these keys are the only things in this package which have not been used at this point.
They will be used in the next process of creating routing tunnels. Some flags saying: you're an X node, you're a Y node, this is the first round, this is the second round and things like that. A secure hash of the entire encrypted setup package array, the entire outside box containing the other boxes, in order to make it impossible for any node to piggyback information in this box, because then any node would be able to piggyback encrypted information to any other possible non-adjacent node later in the path which might be controlled by the same attacker, and then they can start an outer channel communication and combine their knowledge to compromise the anonymity. And finally the cryptographic hash, which makes it possible for nodes to know which package, which box, is their own. And in the second round we also have this signed routing table entry for that last node.

So the routing tunnels, the next step. Once you have these routing paths you would like to communicate with someone, and then we have a process for creating routing paths. And the main goal with all these things is, of course, why do we make this so messy?
Why can't you just have alpha communicate with each node, say, you're in the path here, connect to him? And why do you have this circular thing? Yes, because otherwise the IP address of alpha could possibly be connected to the AP address of it, which is the main goal to stop with this protocol. That's why we had this whole circular thing with the routing path creation, because alpha should never be connecting directly to the endpoint node, because the endpoint node would possibly know the AP address of this path, and that should never be connected to the IP address.

So alpha now has this path, and we want to create an outbound connection to a certain AP address. This AP address, just like with IP addresses, you have received from someone saying: this is the IP address to my server; this is the AP address to my server. So no different from normal internet communication. So alpha begins by sending a notification package through the routing path, and he also remembers it. The next node reads this package and at this point it chooses one of those stream encryption keys I mentioned in the goodie box, which were the only thing not being used at that point. So here, let's say he got 100 stream encryption keys, so at random, completely random, he chooses one of these, then encrypts the packet with it and remembers: okay, this is what the packet looked like when I sent it away, when it was encrypted, and this is the key I used. So the next node just does the exact same thing: it receives a packet, it chooses a key, it encrypts the packet and it sends it forward to the next node. So the last node, he gets this, and he also chooses a key, which he remembers, and then he makes a bigger package containing both the package that he received and another package, which we will talk about in a moment. He then creates a completely new TCP connection to the previous node. The other one is not disconnected.
It's just grayed out to show that it will not be used for this connection anymore. The node notices both the packets. He says: ah, this is that yellow packet that I sent before, so that must mean it will be connected to this key, so I'll remember this key and bind it to these two connections, the incoming and the outgoing connection. Then I'll decrypt both the packets with that key, and then of course the yellow packet will be decrypted to its original form, which was the green packet, and the other one will be decrypted to a new form which we haven't seen before, that is red. So the next node receives the green. He says: ah, this is the green packet, I recognize that, it's that key. So I'll create a connection and I'll bind that key to it and I'll decrypt both packets, and then the black packet of course reappears, and a new packet, now being decrypted with the keys of every node, the turquoise or whatever packet at the bottom, and alpha reads both. Now the special package at the bottom, which the end node sent, is actually, yeah, it's put together in a special way, practically just repeating the same sequence. The meaning with it is to be able to make it extremely easy to do a brute force success test on it. So alpha will be able to brute force and just do a very simple test to see: was the brute force key guess successful? And since alpha knows all the stream encryption keys of the nodes, let's say hundred, hundred, hundred, so one million keys, a combination of a million keys.
He can start brute forcing over those keys. Everyone else in the entire internet or world, including these nodes, they won't know any of these stream encryption keys. So if they want to brute force this packet, they will need to brute force the entire, let's say, 128-bit space, which is quite intractable. But alpha will only have to brute force, let's say, a million keys, and the good thing is that since alpha is the node who initially selected these keys, he also can choose the number of keys to make the brute force time exactly 0.1 seconds, 0.5 seconds on his specific system, so that this operation will never take any unnecessarily long time or annoyingly long time. So let's say 0.1 seconds later, he finds that, okay, these are the keys that were randomly selected by each of these nodes. Okay, now that I know this, alpha can decrypt or encrypt messages to the last node which no one else in between will be able to read, of course, because they only have their own keys. So one layer of encryption is removed for each step, just like in Tor. And now the anonymous node informs the exit node of the AP address it wants to connect to by creating such an encrypted message. So here he encrypts it once, or actually he encrypts it with all the keys, of course in the correct order, and each node decrypts the packet with their key, which unwraps a layer of encryption, which results, after the last encryption by the last node, in a message that he can read. So at this point he knows that, okay, this is an outbound connection, I'm going to try to connect to that other AP address.
So he looks up the AP address in the network database. That's everything necessary for that. Then he sends just a packet containing random data back to the other nodes, so that the anonymous node will know that everything went okay. Now at that point the connection is fully established at both ends and the application layer can now start communicating over it, just like a TCP connection. And of course this is four rounds, so it will be some delay, latency, compared to normal TCP connections. Well, actually quite a bit, but it shouldn't be really much, like sending a few packets forth and back over TCP connections and creating a few new TCP connections. It shouldn't be completely bad. So the inbound brute process for creating these nodes, it is done very similarly, which is quite important in this aspect. To the intermediate nodes, all nodes except the terminating node and the anonymized node, it will be completely impossible to know if this is a routing path, a routing tunnel, created in an incoming tunnel due to an incoming connection, or in an outgoing tunnel due to an outgoing connection being initiated. So if we can just quickly scroll through this. As you can see, the black packet, it comes in a box again, just like the other case, just from the other side. And it's also important, this is why that sequence that was chosen while initially creating the routing path, why the ends of it, like, you have a sequence and then you chose this to be the starting end of the process. That is because the intermediate nodes should not be able to conclude if it's an outgoing or an incoming routing path at that point either. So at this point they will not know where they are in the chain, in the path.
They will not know in which direction the anonymized node is, and they will not know if they are adjacent to the anonymized node or not. So the beta node can immediately use the same brute force method as was used in the initial step, and he then knows the keys. He can decrypt all data and encrypt all data through the path. So the normal connections are created, sends packets. It's completely symmetrical to the last process of creating outbound nodes. It's very much not equivalent in the anonymized node and in the terminating intermediate node, but for all the other intermediate nodes it is completely symmetric and impossible to separate the two processes from each other. So now at this point the incoming connection can be confirmed to the external peer, that is, the outbound routing path of alpha. So it is, well, and then it's just confirmed back to the anonymous node that, okay, everything is up and running, you can start sending data, and tell the application layer that an incoming connection has occurred. So the connection is now fully established at both ends, and we have a fully anonymized, complete connection between alpha and beta which they can start communicating over. But in order to achieve this very important symmetry that we mentioned previously, you may have noticed that we have only done three passes, three rounds, in this process, but four in the other one.
So we will have to just send a fake packet down the route before the terminating node will start routing any data through the connections. This way the process is completely symmetrical. So now on to some other things. Let's leave that process. That was the boring, dry part of the presentation, just showing what happens at the protocol level, to give some kind of idea that this could be done in a completely distributed manner, which is actually the entire goal of this project: not to deliver a ready protocol, but just to show that yes, you can establish connections, and you can do it quickly, to see that it's possible to do this in a decentralized way like this. The end-to-end encryption: once you have this end-to-end anonymized connection, you can just perform, for example, double authenticated SSL over it, which will be not a responsibility of the application, but still within the protocol, so that end-to-end encryption will be, oh, sorry, will be enforced. Yeah, and which also means secure authentication will be included with it. A PKI structure will actually be implied by this design, which is quite useful. And the used certificates for this SSL will of course be stored in the network database, in this case, contrary to the other information or certificates which were stored together with the IP addresses, it will be stored together with the AP addresses. So you say "I want to speak to this AP address" and you will get some certificates, with which you can then verify that you're speaking to the right person. So a little bit more about the IP backward compatibility. As I mentioned before, the format and functionality is equivalent, like address format, port semantics, connection semantics, for the very apparent reason of being able to use previous applications without them knowing about it.
So what you do is you create binary hooks for all common network APIs at the application API level, like the connect, the close, the bind, all of the APIs that are used for TCP connections. And I saw this previous talk from Roger of the Tor guys, who said that this was very hard on Windows, and there might be some problems that I have not noticed, but as far as I know it's quite easy actually to do it, at least at that level, in a quite stable way. So this means you won't need any assistance from the author of the application, you won't need any source code, and the application won't even know that it's anonymized. It would just think "oh, I'm connecting to this IP address" while in reality it is connecting to that AP address. Under some conditions this means that the common internet DNS system could even be used, in the cases where the clients don't want to anonymize themselves, but only the server wants to anonymize themselves. Otherwise you can do the DNS side attack, where the server has its own DNS server that will identify the users. And also it'll be very simple to start supporting things like IPv6 with this design too, because it's not actually bound to the format of the addresses. Once you're inside the network database, they will just be treated as strings or similar. So a little bit more about the network database. It contains mainly two separate tables: one containing information about the IP addresses, the IP address table, which will have associated information, certificates and similar, to all the IP addresses in this network, and then the AP address table, which will contain associated info for all AP addresses in the table. And these will of course be completely decoupled, and if they were to be connected, that would be a catastrophe. This database can be accessed through a very specific, strict API. As far
as can be enforced, which means that no unnecessary database queries will be able to be performed, "give me all the IP addresses in the net" or "give me all the IP addresses in the net" and things that won't be necessary for the functionality of the protocol. And on top of the DHT, distributed hash table, implementation you could add things like voting algorithms, digital signatures and even enforced entry expiry dates to make it even more secure and be able to enforce permissions and protect from certain kinds of malicious manipulation of this database and the query results. And the network database should also be resilient to net splits, which is practically when you have a big cloud of nodes which have a common thing. It's an expression quite well known to IRC people, because then you have several servers which create one net, and if you cut them off you could accomplish funny effects by isolating certain parts of the network, which is true here too. So you shouldn't be able to do that, and the distributed hash table technology actually will make that quite hard, and you can make it even harder if you just think about it. Another nice feature to have in a protocol like this would be manual override command support, which would be quite a powerful emergency measure to enable protection against these DoS attacks, which are to be somewhat expected. You can use it to protect from them, you can use it to restore after some possibly more or less successful DoS attacks, and you could also use it to protect against malicious nodes that are trying to DoS other nodes or DoS the network. So the way it's used is that you can send signed commands to some kind of central authority, like persons known by the maintainers of the open source project. Or certain people trusted by the maintainers could have these keys. No one would have, no one
would be able to, would have to know who has these keys. They just have them, and it will work anyway. So these trusted people would be able to sign commands and flood them all over the network through this distributed hash table implementation. Most distributed hash table implementations actually natively support such a functionality, to efficiently flood certain commands to all the nodes in the network without any duplicate traffic. And the verification certificate, that is, the public key used to verify these commands, will of course be hard-coded into the source code of the clients. So if you send a non-signed command, it will not be flooded any further than the exact node you send it to, which will prevent DoS attacks, flooding DoS attacks of this kind, and also of course sending arbitrary commands to destroy the network. These commands will of course not be commands for executing commands on the computers of the clients, only commands for operating on the anonymous network, like banning certain IP addresses who are trying to do bad things, or manually editing that network database if someone has inserted malicious contents into it, but never anything affecting client computers. And there's also no real worry even if the signing keys would leak, because you can just release version 1.01 and then it will have new signing keys. And perhaps the persons who were able to crack the keys could, yeah, they could ban some people from the network for the limited hours before the new client came out, but it could be easily restored, so no worry. And this is just a schematic of an example of a high availability routing path design, because some people who see these routing paths, they would say: but if only one node in this path would disconnect, which is of course quite possible and quite common in a completely decentralized protocol, then
the entire connection would break. But there are ways to create high availability routing paths while still keeping all these important properties of the routing paths and the routing tunnels that we have discussed. It's actually not as easy as could be thought at first sight, as could probably be seen in this picture, but it could be done, and we have thought about a design for it, and this is a schematic of one of these designs. As you can see, it's symmetric with two ends, and that's because of one of these problems of keeping the property of no intermediate node being able to tell if it's adjacent to the anonymized node, or at all where it is. And the nodes that actually are adjacent to the anonymous node, it will be very hard to make a design that would make them not able to derive anything of such sorts if you don't make it split, symmetric, like this. There are possibly other ways too, but there's quite a problem to do so, in a way, we found. So a little bit of the aftermath, of the implications of such a protocol. Legal aspects and implications: we have one example where private organizations go after users very aggressively today, so it's a good example of anyone who would try to bring down the system legally. It's the file sharing example, of course. So today lawsuits are being brought against people just on the basis of them connecting to a certain torrent, for example, because that torrent contains something that they don't want people to share and think it's illegal to share. So that's the state today. But if you use this protocol, they will probably want to come to this level that you can sue people for only using a file sharing protocol, because they think it could only be used for illegal means anyway, which is of course not true. But using a protocol like this will of course prevent that, because you will never
be able to see that a certain person is using whatever protocol they are using inside the anonymization protocol, because it's all tunneled inside. So then they will probably try to bring lawsuits against the endpoints in the anonymization networks, like if they connect to one of these torrents. Yeah, the method used today is that if you want to find out who's using a torrent, you can connect to it, and then you will get a list of IP addresses of the nodes being a member of that torrent, and then you can start suing them. But in this case these IP addresses that would be seen would only be the exit nodes of the random routing paths created, and these exit nodes would of course have nothing to do with the concept of file sharing, this particular case of file sharing, and they won't even have any access at all to the contents of the shared data. So that would make it quite a lot harder, at least, to be able to successfully sue them. And you could also compare it somehow to the routers of the internet. Routers on the internet who route encrypted data are very much similar to nodes in a network like this. They are just there to help people communicate generically, and they could happen to send illegal data through them, while at the same time not being able to access it if it's encrypted. So that shows a little bit that it probably would be a bit harder to sue these nodes. So then the next step that these organizations would probably like to do is to sue people just on the basis of them using a certain anonymization protocol, because this anonymization protocol in turn could be used to use other protocols, which in turn could be used to do illegal stuff. So as you can hear, it will be a bit hard, but with enough lobbying,
I guess you can do anything. And that's why you would like to hide the fact that, to prevent protocol identification, which as previously mentioned was one of the design goals of this protocol. So it should make it hard to do that too. Then I guess the only thing that you could resort to is laws to be able to sue people who use cryptography, because cryptography can be used to use protocols which can be used to use protocols which could be used to do bad things. And yeah, it could be done. I think France once had a ban on cryptography, I'm not sure if it's still like that, cryptography where the government didn't have some secret keys that they could decrypt it with. But it could happen, will happen, but I think it's increasingly harder today to say something like that, to create a ban on cryptography. I don't think it'll be hard. And the next step, the final step if that won't work, is of course to want to ban people, sue people for using the internet, I guess, but that probably will be quite hard too. So on top of these technical things, which are made to prevent all these forces who would want to shut down a protocol like this, and sue the users of it,
I also thought some about some license trickery that could possibly be done with a protocol like this. And my idea, which I'm not sure would be viable or efficient in any way, but I have some indications that it could have some of the intended effects: you have a license on the main specification saying that a certain end-user license agreement, a EULA, must accompany all implementations of the protocol. So that's the license you put on the main specification or the reference implementation of it or whatever. In addition to the normal open source license you add this little clause. So this will make it illegal to compile, create or base any implementation of this protocol without including this end-user license agreement with each implementation. This end-user license agreement in turn would say that through using the implementation in question, the user would understand and agree that no node in the anonymous network can or should be held responsible for any data being run through it, due to the simple fact that the user neither has control over what it may contain, nor any possibility whatsoever to access the data itself. And this is not like "I agree", it's not as much as them promising that they cannot sue them, it's accepting that they have been informed of this fact, so that it could not be stated later that anything else. But the second part, which could be phrased in different manners, different ways, would say that the user of this implementation will agree to not use the implementation to gather data that could be used in filing a lawsuit, or actually a better formulation would be to use it to extract and in any way save, store IP address information of the clients using this protocol. Period. So this would have a little interesting effect, that if some of these organizations wanting to sue
people would like to harvest IP addresses of, let's say the file sharing example again, with a torrent, they would have to use some kind of implementation of this protocol in the first place to be able to just connect to this torrent, because it's a completely separate network from the internet. And next they would start harvesting the IP addresses of the adjacent, of the last nodes of the routing paths. But if they do that, they will have broken the end-user license agreement. And normally the main goal of this kind of organizations is to go after people who break end-user license agreements or break intellectual property rights, so it would become quite an ironic situation, which would be quite annoying to them at least. And okay, so if then they say "okay, we make our own implementation of this protocol and make our client", well, if you don't include the end-user license agreement in this implementation, you will have broken the license of the protocol, and again you have broken intellectual property rights, and you're there at this ironic situation again. So it could be quite funny and somewhat efficient. But of course you would probably not be able to go all the way to court and prevent some of its users to be, if someone tries to sue them, they could probably sue them anyway, but this will probably make it harder at least for them to not look like hypocrites. And this could affect the lawsuits, not to mention their interest in doing such a thing. So we're starting to come near the end. Not quite yet though, but let's review the design goals that we set up at the start and see if this implementation that I've been speaking about for a while now, how well it fits these design goals. So design goal number one, the complete decentralization part: the protocol has no central points
or even nodes that are individually more valuable to the collective function of the anonymous network than any other. So if you attack one node, you bring down that node, and it's the same thing as if that node would just disconnect his computer and go to bed, which will be quite common, I guess, so no worries there. And there are no single points of the network to attack, no server, no anything, and no one to sue who runs a server or anything, because there are no central servers. So I guess we could say that this design goal is pretty much accomplished. Design goal number two, maximum DoS resistance: well, DoS resistance has at least been a concern during the entire design process, and it should continue to be a concern when this protocol is further developed and implemented in the end, hopefully, and that should limit the attack vectors substantially. It could of course always be improved. So that's the entire reason for having a project like this. It will need many knowledgeable people who will be able to give input, and it must continue to be a constant area of concern and improvement. But I guess you could say that this far.
It's sort of, as far as we know, covered. So review of the third design goal, theoretically secure anonymization: well, all involved risk probabilities can be expressed in terms of known probabilities with the current design. All security is based on cryptography and randomness, and it could thus be defined with cryptographic proofs. No obscurity parts, nothing is based on obscurity, and hopefully no gaping holes have been left to chance, or, that some of you will be able to tell me right after this presentation. But review and improvements are of course always needed, and the good thing is that with the similarities with, for example, the Tor protocol, we will be able to make use of many of the valuable experiences that they have lived through the years, like for example those that Roger mentioned in his previous talk in this room. So I guess we can say that that one's covered so far. Then design goal number four, theoretically secure end-to-end encryption: well, all data is encrypted in multiple layers using well-known and trusted algorithms. It should provide end-to-end encryption, and since all connections are wrapped by SSL, which is very well known and well used, the protection from external eavesdroppers should under all circumstances be at least equivalent to that of SSL, which is quite okay. So we can consider that one accomplished too. Design goal number five, isolation from the normal internet: well, it is impossible to contact and communicate with any regular IP address. You can't just say, I want to
You can't just say I want to Speak to this IP address because there's no way to Tell the protocol that tell the client that you you won't reach it It only understands AP addresses So so that's impossible and therefore the network it can't be used to to anonymously commit illegal acts against any Computer that has not itself joined the network and exposed certain services to it and accepted the risks of allowing anonymous communication with these services So we can consider that one comes to I guess Just I go number six protection against protocol identification Yeah, well SSL connections are used as an external shell for all connections used by the protocol and Suggestably, they would also all use the standard port default standard port of the standard webs server SSL port TCP 443 which would not at least not make it make it Really simple to just filter on the oh SSL on this on that port Because it would be this SSL and it would be the same SSL port as normal web connections But of course that you could you could practically always with enough advanced traffic analysis methods identify Certain kinds of traffic or at least distinguish certain kinds of traffic from from other certain kinds of traffic Which in this case would be normal SSL web connections But the goal is to make it hard enough So because if it's hard enough it will take up too much resources and most of all Produce too many false positives to be to be practically or commercially viable because if you have just let's say a few percent of false positives in a blocking SSL connections From an ISP that the users of that ISP would not be very happy that every Every one or two connections in a hundred are blocked right away from from the when they are surfing to their bank That's good. 
So I guess we could say that we're well on the way with that one too. Design goal number seven, high volume and throughput capacity, and this is quite an interesting one, because due to the previously mentioned fact that there's no practical way for a node to know if it's communicating directly with a certain node or if it's talking with the terminating intermediate node of a routing path owned by an anonymized node, it actually means that alpha could talk directly to beta and still have a reasonable doubt about who they are actually talking to. So in many cases you can use extremely short or no routing paths at all, so direct peer-to-peer communication. And yes, the IP address would be exposed, and under certain conditions this would not be good at all, but under other certain conditions this would not really matter, since reasonable doubt would be the goal in some way. So that would of course result in very high transfer speeds in those locations that you could connect directly between nodes, because except for the multiple layers of encryption, which will be handled just fine by the hundreds of processor cores that will be in everyone's computer during the coming years, there will be really fast communication. Yeah, so we can see that one accomplished too, in some way. Then the last one, whether the protocol supports arbitrary network communication, so it's generic: the protocol design has been abstracted in a way that each individual level of the protocol can be exchanged and redesigned without the other parts being affected. Well, just abstracted. And finally, the backward compatible: yeah, the protocol does emulate and hook all TCP network APIs and can thus be externally applied to any application that uses normal TCP communication, and it could be anonymized without it itself even knowing. So we can
consider that one done too. Now finally, now even closer to the end, a little comparison with other anonymization solutions, just to see some certain differences. And of course this first one is a bit provoked even. Yeah, and Tor is a very, very good protocol, but as mentioned it lacks some of the design goals that this one has, and these design goals are much important to many anonymization applications that people would use this protocol for. So this one is designed from the ground up with a kind of future practical anonymization needs and demand in mind. It is compatible with all existing and future network-enabled software without any need for adaptions or upgrades. And yes, there are, as Roger mentioned, some tools to do that for Tor, but as he also mentioned, no good such tools for Windows, and also it's a kind of ad hoc thing that was not in the real protocol specification. We have higher throughput. Throughput is a big problem. Through the things I just mentioned with the short routing paths. With long routing paths, of course, you don't have the high throughput, but yeah, we have the possibility for it with reasonable doubt. No traffic volume limits, which is quite very important. In Tor it's said you shouldn't transfer large volumes, you will be kicked, you will be breaking the rules. So people can't watch their YouTube and whatever they would like to use high traffic volume for. It's isolated from the normal internet, the Phantom protocol, which is also one of the very important points, because no one would like to run a distributed protocol where they are automatically an exit node, out proxy, if they feel like "my door could be kicked in by the FBI any day because NASA was hacked from my computer". That's not a good thing.
And so, with Phantom that can happen, with Tor that can happen.

You have end-to-end encryption, enforced end-to-end encryption. So even if, sure, users should know themselves that Tor's not safe to use unencrypted, and application developers, yeah, they should always use encrypted protocols. But what it really means is that if I'm not completely sure of the details of all the applications I'm using, are they using cryptography, are they using secure cryptography, then I won't dare using them over Tor anyway. But in this case it is built into the protocol, secure end-to-end encryption, so you will never have to worry, just run your applications as usual and it'll be fine. Hopefully.

Yeah, and also DNS leak is a vulnerability that has been argued against Tor previously. Roger mentioned it too, that some applications can be provoked to do DNS lookups, and then you can sit there and catch them and connect. But in this case, since we are already hooking all network APIs, the application can't do anything, however much it wants to. And so we've blocked that.

And the last point I'm not sure of at all, so perhaps not: it better prevents positive protocol identification. But I know Tor has put some work into that, so the last point could be completely false.

So, just another relatively well-known anonymization protocol, not at all as known as Tor, but within the world of Internet anonymization it is at least a little known. It's called I2P and it's actually quite good in many ways, and in many ways very similar to Phantom, but still some differences. Phantom is compatible with all these existing products, while in I2P you have to practically recompile and redesign every product that should be used with it, which reduces its usability to nothing for normal users.
They have one, I think it's a client for blogging, one quite limited product for using BitTorrent, and yeah, that will hold adoption beyond any useful levels, which in turn will keep speed and security down, which will be very bad for the protocol. They also don't have end-to-end encryption after a certain version. They had it at first, but then they removed it. I'm not sure at all why they did that, but that's the way it is. And the last item, just as with Tor, I'm not sure about that one, because I haven't been able to dig up enough technical information about their low-level communication protocols, but it might be the case, might not be.

And finally, a comparison with other anonymization solutions is the comparison with specific programs, for example anonymized P2P. You have a client that does a certain thing, like IRC, file sharing and use, and then you build an anonymization into this one. And I can't say anything specific about the technical points of that one, of course, because there's no specific application here, but it could very well have the weaknesses of the other things that I mentioned in the previous slides here with Tor and I2P. But I can't say anything because we're not talking about a specific application. But there would probably be less work and less interest in such a product than a generic anonymization product, which would mean less resources put into making it safe. So that's for the technical part. But Phantom would also be less likely for a general ban, like if certain organizations would lobby for: now this product, this protocol, should be illegal because it could only be used to share files illegally. Why would a file sharing application want to be anonymous?
It's only to break the law. So then it may be that you can make it illegal completely. But with a generic anonymization protocol you can't say that, because it can be used for lots of good stuff and it will be used for lots of good legal things. So that's one advantage. And also the generic nature of a generic protocol opens it up, of course, to infinitely much more potential than just binding the anonymization to a certain activity.

Now we're really closing in to the end, and I'm just going to list a few known weaknesses, just for everyone to know and think about.

So, if all the nodes in a routing path are being controlled by the same attacker, this attacker can connect the anonymized node to the entry or exit node. And that would of course connect the IP address with the AP address, which would compromise the anonymity. And that's not good, that compromises the entire meaning of the protocol. But again, no data can still be eavesdropped, no matter if you control every node and every network link in the entire system. Yeah, so you can only conclude which AP addresses that route is talking to, not what IP addresses in the other end, because this is only a single routing path. And again, it's very important to note that an attacker who controls, say, three nodes in a routing path, he will never be able to know that, okay, these three nodes, do they constitute the entire routing path, or
is the last node that the last compromised node is speaking to actually yet another intermediate routing node, which makes it very hard to use. Even if you would control the entire path, you wouldn't know if you are controlling the entire path, which would make you unable to act on that information in many ways. And again, the algorithms for the node selection of the routing paths are, first, controlled by the nodes themselves, the nodes that are protected by that actual routing path, so they can select the trade-off between efficiency and security by themselves. And also, you can optimize the algorithm for that too, like, which Roger also mentioned, never use any nodes in the same C-net, B-net, A-net, ISP, country, whatever.

To the second weakness: if an attacker monitors the traffic of all nodes in the network, that attacker will be able to conclude the same thing as in the previous weakness, the first one, without even having to doubt where the routing path ends, because in that case he would be able to correlate that, okay, the traffic enters here, goes out there, enters there, goes out there, and there, there isn't any traffic going out. So then you can at a much higher probability conclude that the routing path ends there. But this was, as you know, what I stated as a limitation of the protocol from the start, and this situation isn't, at least at this point, very likely. Sure, there are some countries with data retention and everything today, and big three-letter organizations doing lots of wiretapping, but there are also a lot of countries who would not want to cooperate with those agencies at this point.
So if you just bounce it between a few countries, or just have one node in such a country, then it would be more secure. And some anonymization protocols try to counter even this kind of attack by delaying data that each node receives and by sending out junk data, but since this goes against the high throughput design goal of Phantom, we won't do that, and really, for most applications, we won't need that kind of security either. So yeah.

The third and last weakness: individual intermediate nodes in a routing path could try to, what they would want is to find another compromised intermediate node further down the routing path, even though it is not adjacent to that one. But with the current design, what our goal is, is that if two compromised nodes in a path are not adjacent, they should not be able to conclude in any way that they are in the same routing path, and thus be able to correlate their knowledge. But so what could they do about that?
Yeah, they could try to use some kind of covert channels to communicate this information, and probably they would like to communicate the 32 bits that constitute their IP address, because after that has been communicated they could of course create separate channels and communicate whatever information they want to. So what could such covert channels be? Yeah, it could be timing of the data that is routed through the path, that make small delays and encode information into these delays, or even more likely and more efficient, encode information into the chunk size of the communicated data, like they receive 20 bytes, then they send three, then two, then one, and with very small delay, and only until they have communicated this data. So this is quite a possible attack actually, which could be countered to some degree in some ways with splitting up and merging data, but it's quite hard to do it in any really good way without compromising the high volume, high transfer rate design goal. So that's probably the biggest problem that should be thought about more. But again, if they managed to cooperate to communicate, they will not be able to know if they are at the end of the routing path, adjacent to the anonymized node, which would luckily heavily reduce the usefulness of such an attack.

So just to sum some things up. What is the current state of the project? Well, there's a white paper which contains this information and quite a lot more details. So what I've been describing, and what the paper contains, is an initial suggestion, an example for requirements and design of such a next-generation anonymization protocol. But again, it's not a complete specification ready for immediate implementation, although it is quite detailed and comprehensive. So it is more or less a full example of how you could do it, just to prove that it could be done. It should be worked on more. This presentation, if you
want to see all the fancy animations, which would perhaps help to get a faster overview of the communication process, you could download it too. And there's also, I created a Google Code project which contains a code trunk without any code yet, a discussion group where you can discuss some stuff, and a wiki where you could store and publish the results of these discussions, I guess, and also a blog where interested people could follow the progress of the project.

So, the final summary. The internet and its users are in increasingly bigger need of a good anonymization solution which meets the requirements of today and beyond, not just the low-volume communications and other limitations of the current protocols, at least in order for this protocol or such a protocol to become some kind of de facto standard for easy, secure anonymization that many people would use. So far the Phantom protocol has had the main goals of exploring the optimal requirements for such an anonymization solution, providing examples of solutions for all the problems that would reasonably possibly be related to this kind of project, and also has the goal of inspiring discussions of the design of such a system, which we will probably hear more about this conference. You are very welcome to contact me for more questions, discussions, anything, and I would really like to speak more to the maintainers and developers of the current projects like Tor and I2P, because I'm sure there are lots and lots of things that could be done collaboratively and much to be won there. So please contact me, any Tor or I2P people here. And yeah, the final goal is to be somehow the starting point and central point for the emergence of such an open de facto standard for free, secure and ubiquitous internet anonymization.

So the next phase, what would that be?
Yeah, it will be to probably discuss the problems and in the end stipulate a final 1.0 protocol specification, and start to implement it. That phase, both with implementation and the design, we will need the help and collaboration of many knowledgeable and dedicated people. So again, if you feel like this is interesting, please contact me or please join on the project's site, which is at this URL.

So now we can have the Q&A, and I guess we will be moving to another room for that, I think. So that's all for now, and you have my email address here.
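
The third weakness in the talk says a covert channel built on chunk sizes could be countered to some degree by splitting up and merging data. The Python sketch below is an added illustration of that countermeasure, not code from the talk, the white paper or the Phantom project; the 512-byte cell size and all names are assumptions.

```python
from itertools import cycle

CELL = 512  # assumed fixed cell size in bytes; not a value from the talk


class Rechunker:
    """Relay-side buffer that merges and splits data into fixed-size cells."""

    def __init__(self, cell=CELL):
        self.cell = cell
        self.buf = bytearray()

    def feed(self, chunk):
        """Take one received chunk, return the full cells ready to forward."""
        self.buf += chunk
        cells = []
        while len(self.buf) >= self.cell:
            cells.append(bytes(self.buf[:self.cell]))
            del self.buf[:self.cell]
        return cells

    def flush(self):
        """End of stream: forward whatever is left as one short final chunk."""
        rest, self.buf = bytes(self.buf), bytearray()
        return [rest] if rest else []


def relay(chunks, cell=CELL):
    """Pass received chunks through a Rechunker; return the chunks sent on."""
    r = Rechunker(cell)
    return [c for chunk in chunks for c in r.feed(chunk)] + r.flush()


def split_by_sizes(data, sizes):
    """Cut data into chunks following a repeating size pattern."""
    out, pos = [], 0
    for n in cycle(sizes):
        if pos >= len(data):
            break
        out.append(data[pos:pos + n])
        pos += n
    return out


if __name__ == "__main__":
    payload = bytes(range(256)) * 8  # constructed 2048-byte sample stream
    patterned = split_by_sizes(payload, [20, 3, 2, 1])  # sizes from the talk
    plain = split_by_sizes(payload, [700, 700, 648])    # constructed pattern
    print([len(c) for c in relay(patterned)], [len(c) for c in relay(plain)])
```

Both upstream patterns leave the relay as the same sequence of cell sizes, so the size pattern no longer carries information downstream. When each cell is sent still depends on arrival timing, and the buffering adds latency, which is the cost against the high-throughput goal that the talk points out.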