Calls:

Send in your ideas. Deadline October 1st, 2020.

 

Internet Hardening Fund

NLnet has an open call as well as thematic funds. This page contains an overview of the projects that fall within the topic Internet Hardening Fund. If you cannot find the project you are looking for, please check the alphabetic index.

ARPA2 Steamworks

ARPA2 SteamWorks is a set of tools that co-operate to transmit more-or-less centrally controlled configuration settings over any network, and make these settings available to individual programs. Updates are passed around instantaneously when network connections are good, but the last version of the information can be used when the network temporarily degrades. The project is part of the ARPA2 project, which is engineering towards an overall architecture scalable to run a future internet that is secure by design.

>> Read more about ARPA2 Steamworks

ARPA2 Steamworks

Computer systems nowadays are entangled with networks, and a simple server may in fact depend on other systems to be online to be able to fulfill its services. This constitutes a degree of fragility that is not always desirable; for instance, where security policies or system access is concerned. To make things worse, there is a growing tendency to combine information sources from various parties, and crossing the technical and political boundaries of organisations can introduce many new issues that complicate normal system management.

So what we need is a system that can share (configuration) information across such parties, and reduce their cross-dependency. This is where SteamWorks steps in; it enables a central site to configure settings for a large conglomeration or a distributed enterprise, and each of the sites can clone this information and spread it internally. Updates are automatically spread out as soon as possible, but in case of network failure the old information is retained and used until the downtime is resolved.

>> Read more about ARPA2 Steamworks

DIME

The DIME project has three distinct goals: to make end-to-end email encryption transparent and automatic, to minimize the leakage of metadata, and to enshrine the standards which make automation resistant to manipulation by advanced persistent threats. This has led to the development of a set of protocols and data formats which combine the best of current technologies into an integrated system that gives adequate protection, yet remains flexible. It allows for people to improve their security without sacrificing functionality.

>> Read more about DIME

Faster and configurable datapath/Linux xfrm

The project entails rewriting nftables (which is a subsystem of the Linux kernel responsible for packet filtering and classification) to make it easier to combine with xfrm (which is the common framework to work with IPSec in Linux). IPsec was originally developed in conjunction with IPv6 but is just as often used with IPv4 as well. IPSEC encrypts traffic, providing key features absent in the regular IP layer - like data integrity, data origin authentication and confidentiality. The project is expected to make an important contribution to improving the IPSEC capabilities, usability, speed and robustness in many systems.

>> Read more about Faster and configurable datapath/Linux xfrm

GetDNS

Encrypted communication between two random end points on the internet cannot happen without additional infrastructure through which security parameters are exchanged. The getdns library is an modern asynchronous DNS library for application developers, with an API vetted by application developers. getdns has especially good stub-resolving capabilities, and has been developed alongside and in close co-operation with recent standards for stub resolving; such as DNS over TLS (RFC7858), and acquiring DNSSEC at stub resolving level (DNSSEC roadblock avoidance - RFC8027).

>> Read more about GetDNS

GnuTLS

The project summary for this project is not yet available. Please come back soon!

>> Read more about GnuTLS

GUN P2P Encryption

Gun is a realtime, decentralized, offline-first, graph database engine. GUN works peer-to-peer by design, meaning you have no centralized database server to maintain or that could crash. It allows to build decentralized, federated, or centralized apps. The SEA (Security, Encryption, Authorization) framework allows to use the latest native Web Crypto API for cryptographic functions like ECDSA, PBKDF2, AES, and more. With GUN developers can build fully decentralized end-to-end encrypted applications, using a "web of trust" mechanism.

>> Read more about GUN P2P Encryption

Improving Matrix E2E encryption UX

When using end-to-end encryption without a centralized oracle, the mechanisms to distribute and verify keys are critical. Matrix.org is an non-profit open source project dedicated to creating and maintaining an open and secure global network for decentralised real-time communication. Its mission is to make encrypted decentralised open communication a basic human right: empowering users to choose which services they use to communicate without being fragmented and held hostage within proprietary communication silos. Matrix currently has over 1.8M addressable users, 2,800 deployments, and the Matrix.org server receives over 1.1M messages a day. One can consider Matrix an open real-time data fabric for the web, providing somewhere for users and devices to publish and persist arbitrary data that can be subscribed to as desired.

This project tries to fix the biggest blockers of E2E encryption, which partly lie with technology but partly also are due to overall UX issues. It solves various issues such as key sharing completion, making sure that E2E VoIP calls work. At the same time it will address user driven features such as the ability to request history from before the point you're invited to a room and have that safely decrypted for reading. Finally, the project will deal with better UX for displaying keyshare requests rather than modal popup, and delivering configurable paranoia levels per room.

>> Read more about Improving Matrix E2E encryption UX

Key Management

The life cycle of cryptographic credentials which can be used for servers to serve up services with TLS typically contains a lot of manual steps. This administrative burden is a significant cost factor and built-in delay that needs to be overcome if we want to harden the internet at scale. Especially rollovers are cumbersome and error-prone. Automation is needed to make strong encryption the default on the internet, and this project aims to create a set of integrated open source tools to manage cryptographic keys in a provably correct way. The project stems from the ARPA2 project, and builds on/integrates with the NCSC/NLnet funded TLS Pool from the SecureHub project.

>> Read more about Key Management

Magic Wormhole/SPAKE2

SPAKE2 is a modern academic password-authenticated key exchange mechanism, originally designed by two security researchers from Ecole Normale Superieure. It allows to set up an ad hoc encrypted channel between two users that share a combination of words in real-time. Magic Wormhole is an open source implementation of SPAKE2 (both client and server) by Brian Warner, one of the founders of the TAHOE-LAFS.

The server part of Magic Wormhole can creating a rendez-vous/relay, so it can be used in a LAN, behind firewalls, NATs, etc. There are many cases in which a person wants to quickly exchange a file in an untrustworthy environment (say a presentation deck) without running either the risk of an Evil Maid attack or uploading to a trusted server and then giving someone access to that. Most people do not even have such a trusted infrastructure, which forces them to trust their data to third parties. This solution allows for very user-friendly exchange of files with modern encryption, without the need for anything else. Secure exchange of files is a critical problem of all ages, this solution has potentially disruptive qualities.

This project will try to make SPAKE2 primitves available to mobile app developers and will support standardisation of SPAKE2 inside the IETF.

>> Read more about Magic Wormhole/SPAKE2

Modular CA

The Redwax Project provides a number of small and modular security tools to make it easy to build security services on the web. These can be combined to form various types of certificate authorities, issuing certificates with SPKAC and SCEP, servicing certificate revocation with CRLs and OCSP, and creating timestamps. The aim of the project is keep the security footprint and the number of dependencies as low as possible.

>> Read more about Modular CA

Namecoin

Namecoin is a blockchain project that provides a decentralized naming system and trust anchor. Its flagship use-case is a decentralized top-level domain (TLD) which is the cornerstone of a domain name system that is resistant to hijacking and censorship. Among other things, this provides a decentralized trust anchor for Public Key Infrastructure that does not require third party trust. It operates independent from the DNSSEC root trust chain, and can thus offer additional security under some circumstances.

>> Read more about Namecoin

Nixcloud

This project aims to make NixOS the first computer operating system to package TLS Pool as a service component, and will allow to combine the power of declarative packaging with the unique security characteristics of TLS Pool to create a solid and versatile delivery channel for decentralised internet applications.

>> Read more about Nixcloud

P2Pcollab

The SecuShare project implements a social messaging service based on the GNUnet peer-to-peer framework offering scalability, extensibility, and end-to-end encrypted communication. The scalability property is achieved through multicast message delivery, while extensibility is made possible by using PSYC (Protocol for SYnchronous Communication), which provides an extensible RPC (Remote Procedure Call) syntax that can evolve over time without having to upgrade the software on all nodes in the network. Another key feature provided by the PSYC layer are stateful multicast channels, which are used to store e.g. user profiles. End-to-end encrypted communication is provided by the mesh service of GNUnet, upon which the multicast channels are built. Pseudonymous users and social places in the system have cryptographical identities &emdash; identified by their public key &emdash; these are mapped to human memorable names using GNS (GNU Name System), where each pseudonym has a zone pointing to its places.

>> Read more about P2Pcollab

Pitchfork

The PITCHFORK is a free/libre hardware device for compartmentalizing key material and cryptographic operations in a small and durable USB device. It uses a Cortex-M3 processor and stores all keys in the CPUs flash. The PITCHFORK has an embedded radio interface over which it can do secure key exchanges with other devices, including "post-quantum"cryptography. Over USB it can send and receive messages using various modern low-level crypto protocols providing different aspects of overall security.

>> Read more about Pitchfork

Pitchfork PKCS#11

PKCS

The PITCHFORK is a free/libre hardware device for compartmentalizing key material and cryptographic operations in a small and durable USB device. It uses a Cortex-M3 processor and stores all keys in the CPUs flash. The PITCHFORK has an embedded radio interface over which it can do secure key exchanges with other devices, including "post-quantum" cryptography. Over USB it can send and receive messages using various modern low-level crypto protocols providing different aspects of overall security. Stef Marsiske from the Pitchfork project team joined the OASIS PKCS

>> Read more about Pitchfork PKCS#11

PKCS#11 v3 -- PKCS#11 standardisation

PKCS #11 is the de facto standard for cryptographic tokens controlling authentication information (personal identity, cryptographic keys, certificates, digital signatures, biometric data). Due to the age of the standard, it was lacking a number of modern, so called 'quantum-resistant' algorithms. This small project enables open source developers from the Pitchfork project to contribute a number of important algorithms to the OASIS PKCS #11 standards committee in time for the pending new version of PKCS #11.

>> Read more about PKCS#11 v3

Pretty Easy Privacy

The “Emulation over GNUnet for large user numbers and diferent realistic user behavior scenarios plus tuning“ serves as a preparation and prerequisite for the integration of GNUnet into p≡p‘s encryption app-solutions to obfuscate not only content but also metadata of written digital communications. p≡p wants to protect not just the contents of communications, but also its metadata (who communicates with whom, from who etc.) to allow for anonymous communications. p≡p has the goal, to have GNUnet (one of the official GNU projects) integrated in its core technology as the “holy grail” to fully restore privacy by technical means and to bridge people from classical means of communications (email, existing chat protocols) towards the fully decentralized GNUnet peer-to-peer network. With the simulation of GNUnet's behavior for large user numbers and different realistic user behavior scenarios we want to test and improve its stability and scalability.

GNUnet protects metadata by tunneling text messages on identity- as well as account-level. GNUnet is a framework for secure peer-to-peer (P2P) networking, which is censorship-resistant, provides end-to-end encryption and is able to not just protect contents, but also metadata, thus anonymizing who’s communicating with whom and finally restoring full privacy. GNUnet's functioning doesn’t rely on any central infrastructure. It allows to bypass classic communication channels like email, if both peers have GNUnet.

So far there is no information if GNUnet is reliable for large numbers of users. The integration into p≡p will be the first real-world mass-deployment of GNUnet. In order to facilitate a scalable configuration or adaption of GNUnet in p≡p, we thus want to build a simulation of user behavior for p≡p over GNUnet. We will model which shares of written digital communication can be expected on which devices and how GNUnet behaves for these data traffics. The simulation will be done for different user numbers (e.g. 1k, 10k, 100k, 1mio) as well as for various user behavior scenarios and net structures (e.g. preconditions for net neutrality/censorship by governments etc.). Scientific groundwork and expertise (e.g. “Large Scale Distributed Evaluation of Peer-To-Peer Protocols”, Sree Harsha Totakura, 2013) as well as close contact with the GNUnet team is at hand. This simulation will gain crucial insights for GNUnet deployments in real world situations being of major importance for related FOSS projects far beyond the integration into p≡p, so secure communication over a free Internet can be achieved.

>> Read more about Pretty Easy Privacy

Remote PKCS#11

Setting up an encrypted connection across the internet requires establishing trust between the two endpoints. There are multiple ways, one of which is the use of asymetric keys. However, in many cases there will not be a suitable hardware crypto device available - and storing crypto credentials in userspace on lots of insecure devices (such as mobile phones) is quite risky. Managing and auditing usage of those credentials in such a case is a problem. The project entails two innovative ideas to isolate and organise credentials: "Hosted PKCS#11" which allow users to use a trusted remote crypto store instead of a local store (which is of course much easier to audit, assuming that the back end system on which the keys are stored is professionally managed by someone trustworthy), and "Layered PKCS

>> Read more about Remote PKCS#11

Secushare Box

An operating system extension for hardware devices that turns them into automatable nodes in a distributed social mesh network, independent of central control. The objective is to offer an alternative to cloud-controlled IoT, empowering the owner of a device instead of its manufacturer. IoT devices are cryptographically linked to their owner's smartphones, PCs or other interfaces, using an initial vicinity rendez-vous procedure, akin to how bluetooth devices "pair". This integrates the new IoT device into the owner's social graph as a resource that can potentially be shared with others without the hassle of exchanging unsafe passwords.

>> Read more about Secushare Box

Stubby

Stubby is an open source project to develop a DNS stub resolver for use on client devices which will provide DNS Privacy for end users by implementing DNS-over-TLS (RFC7858). This service will provide encrypted first-hop access to DNS services protecting users’ DNS queries from eavesdropping at any point along the path between their device and a privacy-enabling DNS server.

>> Read more about Stubby

TLS-KDH

This project develops a number of additions to the open source TLS library GnuTLS. Based on the prototype for TLS-KDH (http://tls-kdh.arpa2.net/) that was developed as a branch of GnuTLS, we now need to do a full implementation that incorporate the features from this development branch into GnuTLS’ main branch. By doing so our TLS-KDH mechanism becomes automatically available for the general public worldwide. However, additional work needs to be done for these two branches to be merged. Compatibility issues need to be checked and resolved and test cases need to be written to ensure proper functioning of the library, now and in the future.

Additionally, TLS-KDH relies on RFC7250 (https://tools.ietf.org/html/rfc7250). The functionality described in this RFC is not yet implemented in any TLS library and concerns Raw public keys. As part of our TLS-KDH implementation we have implemented RFC7250 partially (what was needed for TLS-KDH). However, we have noticed the interest of the GnuTLS community in the complete RFC7250 functionality. Therefore, in order to deliver a complete ‘product’ we also want to implement the rest of RFC7250 and incorporate it into GnuTLS. Thereby creating the first TLS library that support Raw public keys.

This enables a more light-weight mechanism for transmitting public key material between peers. Finally, to ease adoption of the TLS-KDH mechanism and to provide in a default Kerberos binding for TLS, we want to implement a gnutls - krb5 library (similar to the already existing gnutls-dane library).

The current TLS-KDH implementation separates the TLS and Kerberos layers by design. While this is good design practice and offers the user great flexibility for choosing its own Kerberos implementation, it also requires (a lot) more work to be done in order to get the TLS-KDH mechanism going. By introducing a gnutls - krb5 library ( choosing MIT Krb5 ) users can benefit from a default TLS Kerberos binding thereby relieving themselves from having to implement such a binding. It therefore eases adoption and use of the TLS-KDH mechanism. At the same time, keeping the TLS and Kerberos layers separated stil l enables different Kerberos libraries to be used when desired. Also a layered architecture works in favor of code acceptance.

>> Read more about TLS-KDH

Vita

VPN technology is a key enabler for end user security in insecure environments. Vita aims to achieve high performance (beyond 10G speeds) on commodity server hardware. Vita is intended to be both simple in terms of code, as well as in terms of deployment, and non-invasive to deploy in existing networks. Vita also strives to be affordable, in terms of both energy footprint and cost of maintenance: its goal is to make the best possible use of commodity hardware while remaining easy to deploy safely.

>> Read more about Vita

WireGuard

In hostile environments such as the open internet, Virtual Private Network technology play a major role in protecting users both from snooping and malicious traffic injection. WireGuard is a general purpose VPN - the new kd on the block that is fast, simple and lean. It can run on embedded interfaces and super computers alike, fit for many different circumstances. Its goal is to be the most secure, easiest to use, and simplest VPN solution in the industry.

>> Read more about WireGuard

WPIA CA Infrastructure

World Privacy and Identity Association is an effort to create and setup a Trusted Service Provider to deploy digital certificates to the public for free. One part of this project (and the association behind it) is the development of software to setup and operate a Certificate Authority. The software is developed from scratch, and is released under an AGPL license. The repository resides on code.wpia.club.

The primary goal of the publication of the software is to grant check and control to the public. Trust is the basis of all. If someone wants to use the software for his own business he may do so. The real target of the project is to provide individuals and organisations with reliable and accountable digital certificates using PKI technique. Certificates should always match the CA/Browser Forum Baseline Requirements and be compatible with ETSI. Individuals will get their certificates for free (free as in free beer). Digital certificates help all people to keep fundamental rights as e.g. privacy and identity. As such, WPIA intends to provide an alternative to Let’s Encrypt.

>> Read more about WPIA CA Infrastructure