The Free Haven Project
February 22, 2000
Speaker: Roger Dingledine
Scribe: Kevin Fu
Motivation
No existing system lets users retrieve documents anonymously when the
location of the document is also anonymous. Without this anonymity, an
opponent can easily have publications removed. For instance, the
Church of Scientology bullies governments into preventing
distribution of its religious documents.
The Free Haven Project consists of:
- Servnet: The Servnet consists of a set of independent servnet nodes.
Each node accepts opaque data for publication. A Servnet node
publishes the data.
- Mixnet: A collection of machines which anonymize communications.
Specific implementations could work over email, IP, or any
communications medium.
The Free Haven Project uses an information dispersal algorithm.
One ASRG member asked whether the Tornado algorithm would help with an
O(n) reconstruction time.
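The notes do not say which information dispersal algorithm Free Haven uses. As an added example (not code from the talk or from the Free Haven Project), the Python below assumes a Rabin-style scheme over GF(257), with hypothetical function names disperse and reconstruct, in which any k of the n shares held by servnet nodes rebuild the document:

```python
P = 257  # smallest prime above 255, so every byte value is a field element

def disperse(data, k, n):
    """Split data into n shares (keyed by x = 1..n); any k rebuild it."""
    padded = data + bytes(-len(data) % k)  # zero-pad to a multiple of k
    shares = {x: [] for x in range(1, n + 1)}
    for i in range(0, len(padded), k):
        block = padded[i:i + k]
        for x in shares:
            # Treat the k block bytes as polynomial coefficients, evaluate at x.
            shares[x].append(sum(b * pow(x, j, P) for j, b in enumerate(block)) % P)
    return shares

def _invert(matrix):
    """Invert a square matrix mod P by Gauss-Jordan elimination."""
    k = len(matrix)
    aug = [row[:] + [int(r == c) for c in range(k)] for r, row in enumerate(matrix)]
    for col in range(k):
        pivot = next(r for r in range(col, k) if aug[r][col])
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, P)
        aug[col] = [v * inv % P for v in aug[col]]
        for r in range(k):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(a - f * b) % P for a, b in zip(aug[r], aug[col])]
    return [row[k:] for row in aug]

def reconstruct(shares, k, length):
    """Rebuild the original bytes from any k surviving shares."""
    if len(shares) < k:
        raise ValueError("need at least k shares")
    xs = sorted(shares)[:k]
    # Invert the Vandermonde matrix for the evaluation points we still have.
    inv = _invert([[pow(x, j, P) for j in range(k)] for x in xs])
    out = bytearray()
    for col in range(len(shares[xs[0]])):
        ys = [shares[x][col] for x in xs]
        out.extend(sum(c * y for c, y in zip(row, ys)) % P for row in inv)
    return bytes(out[:length])

if __name__ == "__main__":
    doc = b"constructed sample document"       # constructed input
    shares = disperse(doc, k=3, n=5)
    survivors = {x: shares[x] for x in (2, 4, 5)}  # two shares lost
    print(reconstruct(survivors, 3, len(doc)))
```

Dispersal of this kind provides availability, not confidentiality: each share is a linear function of the plaintext, so the data must already be opaque before it is split.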
Accountability
Shares of a publication will check each other for validity.
Related Work
Most anonymous storage systems perform the same functions as the
Free Haven Project, but there is a significant difference in
anonymity. Most projects define anonymity as "persons requesting a
document cannot identify the publisher." The Free Haven Project takes
a different tack.
The Free Haven Project intends to deploy a system that provides a
good infrastructure for stronger anonymity. Specifically, this means
that the publisher of a given document should not be known; that
clients requesting the document should not have to identify themselves
to anyone; and that the current location of the document should not be
known. Additionally, it would be preferable to limit the number of
opportunities where an outsider can show that a given document passed
through a given computer.
Question/Answer
ASRG participants raised several questions:
- Q: How does a person locate a document?
- A: Documents are named by a file handle which consists of a
cryptographic hash of a public key. Providing a directory service is
not the goal of the Free Haven Project. There is no native provision
for directory lookups. Users are expected to do this out of band.
- Q: It seems that searching for information will be difficult. Why?
- A: A directory allows censorship. A government could search for
the file handle in a directory, then censor the file lookup.
- Q: So isn't it hard to trust directory contents that are built
out of band?
- A: The Free Haven Project does not want to solve the directory problem
within the main system. Directories would require frequent updates.
The Free Haven Project has latencies in hours or days. You wouldn't
want a directory service like this. Free Haven is a base
infrastructure for anonymous publication. It's not a web server.
It's not a directory. It neither allows nor prevents others from
adding this functionality at a higher layer.
- Q: How many public keys are there per file fragment?
- A: Each file is associated with one public key. The corresponding
shares/fragments share the same key.
- Q: What are the potential bottlenecks?
- A: Periodically each servnet node broadcasts to every other servnet
node it knows about. Each message is individually encrypted and
signed to each other node. This can be expensive.
- Q: Describe the GUI. How easy is it to use compared to PGP or
the LCS anonymous remailer?
- A: Point and click. Users need only have the file handle (hash of the
public key) of a document to locate the document content.
Client code is underway to hide the cryptography from the user.
- Q: What's the first thing you'll do with the Free Haven?
- A: The first thing going into the system is the client code because it
may contain potentially patented algorithms. :-)
Brought to you by the MIT LCS Applied Security Reading Group