pi-lar - Neuropil-DHT

DHT based overlay network

Network infrastructure, P2P and VPN

Can you introduce yourself and your project?

pi-lar GmbH was founded in 2014 as a SME in Cologne. It then continued to rise after that. Enterprise Integration and Architecture is its primary area of expertise, with a focus on privacy-preserving and information security solutions.

Since it's foundation, pi-lar has started the open-source project "neuropil". Initially the project was started as a secure replacement for the mqtt protocol, but over the years we have recognized that our implementation embraces various modern concepts like named-data networking, zero-trust architectures, attribute access control and data souvereignty. Within our NGI Assure project "Neuropil-DHT", we establish secured data channels on top of our cybersecurity mesh without compromising privacy. Compared to other zero knowledge access network solutions, our solution is a very light-weight application, and focuses on the protection of data objects, and not primarily on network connections (although we also use mTLS connections).

What are the key issues you see with the state of the internet today?

Data protection is in our opinion the world's current concern. On the internet, data can be easily shared between various receivers, and big data algorithms can extract behaviour of groups and private persons. Without being noticable to each individual, our data and behaviour can be analyzed. On one side (big) tech companies to sell advertisements and make profits, without really giving back to society and their problems (sometimes rather igniting than calming). On the other side totalitarian governments using the extracted data to "educate" their population. Does it really matter? The bottom line is: without protecting privacy of everybody, there is no information security. If we do not protect privacy, e.g. phishing mails can be targeted at exactly one single person. And one single person is exactly enough to start cyber attacks on companies or governments.

Many protocols of the internet secure communication lines without considering extra privacy criteria. E.g. the initially mentioned MQTT protocol requires a broker, which unfortunately also adds the privacy risk of operator sided data leakage. TLS and DNS do not hide your IP adress, each DNS server acts as a broker again. Many activities are out there and try to fix the shortcomings of the internet as it has developed until today. But each adresses only parts of the problem, and some even introduce involuntarily new security and privacy issues.

How does your project contribute to correcting some of those issues?

Neuropil-DHT is an opinionated solution how security and privacy by design networks should be build. It is structured with three layers, and it doesn't depend on external solutions like DNS or NTP (both are built-in into the protocol). The first layer acts as a privacy-preserving abstraction layer and builds unique hash table based on random digital identities (R-ID). It is responsible to establish mTLS connections with peers that are mathematically (hash-distance) and physically (latency) near to each other. The second layer adds personal digital identities (P-ID) for each participating person, application or device. The third layer uses a combination of R-ID and P-ID to derive disposable, temporary digital identities (T-ID) to establish mutual authenticated data channels between groups of P-ID. Each of the three diffferent identities can be identified by their fingerprint: the hash value of their signature. Even data channels are identified by their hash values to obfuscate the setup.

The approach introduces several new security parameters to protect data and their users during communication:

• Scanning the full DHT is not possible, each participant will only receive a limited set of peers
• The connectivity between R-ID doesn't leak the IP addresses to other participants. Only hash values are visible, each node acts as a privacy relay for others
• Each participant will enter the network at a different random location each time he uses it (in fact we can rotate the R-ID's frequently to further obfuscate the address space)
• Data channels can use attributes to narrow down the list of participants
• The data object is always end-to-end encrypted, on top of multiple mTLS connections
• The granularity of data access via data channels can range from network to application or if need be: even down to single data objects
• Suddenly we can differentiate between private, protected, public or virtual data channels!
• Each participant will make the network stronger and more resistant against DDoS and privacy attacks
• The network acts as distributed PKI or federated identity space solution and we can use virtual data channels to derive new cryptographic material from the environment (no passwords anymore)

The bottom line is: Any adversary will find it challenging to grep or decipher any message, unless he really knows what to search for ...

What do you like most about (working on) your project?

The unique features of Neuropil-DHT make it a solution that can be applied to many different sectors and industries. After our initial project phase, we start to see the benefits of embracing a security and privacy by design approach. We believe that we are only at the start of the development of a new kind of application and a new kind of the internet, and that there will be a lot more things to discover. We are curious what we are going to learn next ...

Our NGI Search&Discovery project is a good example for this. In this project we evaluated the setup of a distributed search engine, where each participant can contribute to the storage and the discovery of privacy preserving search records. To our own surprise it is possible to use the neuropil cybersecurity mesh as distributed search engine (the example code is in our repository), reducing the need for centralized data broker solutions.

In addition, the implemented algorithms can also be used to develop a distributed malware detection into our solution, which is one of our next goals. There are of course some caveats to the distributed search solution, but it is a good example how it is possible to re-build our current internet with new technologies without loosing any of the benefits, but adding privacy as a core component.

Where will you take your project next?

Our project brings together the Neuropil Protocol and IoT technology to make these innovations more widely used and accepted. The Neuropil protocol helps keep communication secure and private, which is, in our opinion, crucial for everybody on the internet. By making this technology easier to use, we hope to build a strong community where companies and individuals can work together, to come up with new ideas and implement the neuropil protocol in different environments and for different use cases.

Our main project repository is located at https://gitlab.com/pi-lar/neuropil, and we see it as a reference implementation for others to use or extend it.

There are currently three additional projects that aim to enhance our solution: In one of our projects in co-operation with the FluidOS project we will establish end-to-end encrypted communication channels between different Kubernetes clusters and pods (https://gitlab.com/pi-lar/neuropil-k8s ). In our "Democratic Access Control" project we are looking at some core principles how group attestation should work, and with STEPS we have defined the foundation to implement distributed time measurement and alignment throughout our cybersecruity mesh.

How did NGI Assure help you reach your goals for your project?

NGI Assure helped us to reach our project goals by providing technical and financial assistance. With their help, we can transition from development to full release production. The easy application process and the definition of goals helps especially smaller companies to receive funding from the European Union. In addition, we often get valuable feedback and encouragement from the organizers, especially from the NLnet team. Sometimes you just need another person to bring you back on track.

Do you have advice for people who are considering to apply for NGI funding?

Those that are thinking of applying for NGI funding, in our opinion, should have a clear project vision how they can improve the internet. They require convincing justifications that demonstrate how their accomplishments benefit society, people, and technology—such as Neuropil, which is capable of fighting off attacks and transport data securely. Our advice would be to be realistic about the goals that can be accomplished in the given timeframe. Usually (the/our) tendency is to promise too many features, and during the project phase difficulties cannot be compensated.

Do you have any recommendations to improve future NGI programmes or the wider NGI initiative?

In our opinion during the whole NGI program many solutions have been developed, but the adoption of these new technologies does not happen in Europe. Someone once gave us the expression of the "cemetery of NGI solutions". Though it may sound hard, it surely means that the uptake of new technologies can be improved. We know that there are many events and activities out there which try to help, especially smaller companies, out of this misery. For ourselves, traveling and participating on all those events is unfortunatley in most cases not possible. Nevertheless these kinds of events ought to be held more frequently, and maybe more targeted at specific audiences.

Anything else you'd like to add?

We hope that the initial information provides a better understanding. However, if you need more details, please visit our official website at https://www.neuropil.org for comprehensive information. In case of questions please do not hesitate to open an issue or to contact us directly.

Acknowledgements

Published on September 18, 2024

Neuropil-DHT received funding through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073.