From a conceptual point of view, privacy and security are today treated as separate, or even antagonistic, properties, although they rely on similar or even identical technologies.
Privacy is often a by-product of security technologies (typically VPN services, or even Tor). Snowpack starts from the idea that in order to attack content, one must first be able to identify it. Its concept is therefore based on the mutual reinforcement of these two properties.
In practice, Snowpack brings a radically different approach to the threat model of network security and privacy technologies, which are essentially based on encryption techniques (E2EE, VPN). Today, end-to-end data flows contain all the information. In theory, the current symmetric flow-encryption mechanisms (e.g. AES-128 or AES-256) guarantee a very high level of information security, because brute-force attacks are impossible in practice. However, the public-key exchange mechanism offers fewer guarantees. Moreover, history has shown that attacks can still be conducted: man-in-the-middle, vulnerabilities in pseudo-random number generators, attacks on certificates, or attacks directly on keys. In general, encryption relies on trust in the PKI infrastructure and/or in the technology providers.
An alternative approach to preventing this type of attack is to circulate complementary information over separate routes using secret sharing. Accessing the information then requires identifying all of the complementary fragments (our snowflakes), since retrieving the original information by intercepting a single fragment (or n-1 of them) is impossible. This idea has been explored since the early 2000s and has been the subject of a large number of publications and even a few patents. However, since these fragments are transferred directly via classical protocols, or more advanced ones such as MPTCP (Multipath TCP), an external observer can easily detect the complementary fragment(s), especially by observing traffic concentration areas (backbone, submarine cables, etc.). Snowpack introduces a new approach by making these fragments anonymous and circulating them over anonymously created circuits.
Thus, an attacker using classical “industrial” probes on the backbone will certainly have a high probability of “seeing” the complementary fragments, but since they are anonymous and look alike (same size, no intelligible content), he will have to try recombining each of them with all the others in order to identify which ones are complementary. Since the number of candidate combinations grows factorially with the traffic, far faster than computing capacity, a brute-force attack becomes unrealistic. In practice, Snowpack will also implement 3 additional encryption levels (between nodes, at the fragment level and at the packet level) to natively provide, on each circuit, privacy equivalent to that of the Tor platform.
The first level is already implemented, and we are pursuing research activities to define the best approaches for the additional levels. The only realistic way to conduct an attack is for the attacker to get close to the targeted user, i.e. to control the edge of the Internet. However, such an attack is not industrializable, even for attackers with almost unlimited resources such as states, especially foreign ones.
Overall, our architecture makes it possible to introduce the notion of “Beyond Trust” or “No Trust” to the ICT sector. Indeed, the Snowpack architecture guarantees by construction that none of the system's nodes is able to hold the complete information. Thus, provided that the infrastructure is sufficiently heterogeneous, an attack by compromising the infrastructure becomes impossible. As a result, thanks to Snowpack, users do not need to trust the hardware and software infrastructure, including the security and Snowpack layers.
Similar to VPNs or anonymization networks, Snowpack is fully transparent for applications.
Network heterogeneity is an important element that reinforces security. As such, the Snowpack network is made up of nodes fully operated by Snowpack, nodes deployed at customers' premises (for customers requiring the highest level of security), and finally nodes hosted by independent operators.
Two different node types can be distinguished: the S-node, which can be considered a relay, and the Holonode, which is used for the Privacy/Browsing mode. A customer establishes a “route” consisting of at least two “ways” by choosing a subset of nodes. These circuits are built anonymously via an auto-discovery mechanism. All the IP packets exchanged between the client and its interlocutor are then “separated” by secret sharing into complementary fragments that circulate along the circuits. Since these fragments are anonymous, a node can neither identify the end-points nor access the content in any way.
Privacy / Browsing Mode
In the privacy mode, Snowpack allows users to create their own hologram to contact Internet services. This hologram is then considered the correspondent of the service, which guarantees anonymous browsing for our user.
The user selects the S-nodes he wants to use to create his routes, as well as the holonode that will serve as his hologram to communicate with the service.
- He then creates his circuits with the entry nodes of the network.
- Then he anonymously creates circuits between the subsequent nodes.
- The user designates a “master” node (S-node3 in the video), which will be responsible for recombining the message. To do so, it must find the complementary route, which is achieved thanks to a self-discovery mechanism based on secret-sharing messages exchanged on the complementary routes.
- Each of the exit S-nodes receives the identity of the holonode to be used and creates a circuit with it to recover the return messages.
During a communication, the user splits each message into complementary fragments, which he sends over separate routes. Each node relays to the next node, and when S-node3 has received the two fragments, it recombines them and sends the message to the service by spoofing the holonode's address. The service then believes it is communicating with the holonode and sends its response back to the holonode. From there, the holonode fragments the response and sends one fragment to each of the S-nodes to which it is connected. The S-nodes then route the fragments to the user, who only has to recompose the message.
Communication privacy is guaranteed even if a network node is compromised, thanks to an architecture built to prevent any network element from having access to all the elements of the communication: {Sender, Recipient, Message content}, as shown at the end of the video.
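As an added illustration (example code, not Snowpack's own) of the fragmentation described above and of the recombination step at S-node3, the simplest n-of-n secret sharing is XOR-based: every fragment has the payload's size, and any n-1 of them, alone or combined, are consistent with every possible payload. The XOR scheme and the function names are this example's assumptions, since the text only says "secret sharing".

```python
"""Added example, not Snowpack's own code: n-of-n XOR secret sharing of a
packet payload into equal-size, individually meaningless fragments, plus
the recombination step the master node performs. The XOR scheme and the
function names are assumptions; the text only says "secret sharing"."""
import secrets
from functools import reduce


def _xor_all(chunks: list[bytes]) -> bytes:
    """Byte-wise XOR of equally sized byte strings."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*chunks))


def split_packet(payload: bytes, n_routes: int) -> list[bytes]:
    """Split payload into n_routes complementary fragments.
    The first n_routes-1 fragments are fresh random bytes; the last one is
    payload XOR all of them. Every fragment has the payload's size, and
    any n_routes-1 of them are statistically independent of the payload."""
    if n_routes < 2:
        raise ValueError("a route needs at least two ways")
    masks = [secrets.token_bytes(len(payload)) for _ in range(n_routes - 1)]
    return masks + [_xor_all([payload] + masks)]


def recombine(fragments: list[bytes]) -> bytes:
    """What the master node (S-node3 in the text) does once it holds every
    complementary fragment; raises if sizes differ (fragments mis-paired)."""
    if len({len(f) for f in fragments}) != 1:
        raise ValueError("fragments are not complementary: sizes differ")
    return _xor_all(fragments)


def missing_fragment_for(partial: list[bytes], candidate: bytes) -> bytes:
    """Given n-1 intercepted fragments, return the single fragment that
    would make `candidate` the recombined payload. Every candidate of the
    right size has exactly one such fragment, so an observer holding n-1
    fragments cannot tell which plaintext was actually sent."""
    return _xor_all(partial + [candidate])
```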
Security / Peer-to-peer mode
In the peer-to-peer mode, both parties aim to connect anonymously and securely. First, they independently establish circuits up to the middle of the Snowpack network.
Then, thanks to a self-discovery mechanism based on a defined secret exchanged through a secure channel, the two halves connect to each other. Once established, the connection is fully bi-directional.