LEAP Encryption Access Project

Architecture comparison

A comparison of the trade-offs made by different communication architectures

You can't have it all

Every messaging architecture makes certain design choices that privilege one property of information security over another. Although there is no intrinsically necessary trade-off among different information security properties, when we examine the technical limitations of actual implementations we see clearly that existing architectures are structurally biased toward certain properties and against others.

A fancy table

This table provides a rough comparison of the choices made by common messaging architectures. See below for details regarding the column and row headings.

Table 1. Information security of common messaging architectures

                     Silo        Federated   Silo        Federated   Peer to Peer
                     Plaintext   Plaintext   Encrypted   Encrypted   Encrypted
Message Security
  Confidentiality    None        None        High        High        High
  Integrity          None        None        High        High        High
  Availability       High        Medium      High        Medium      Low
Identity Security
  Authenticity       None        None        None        Low         Low
  Anonymity          None        None        Low         Low         Medium
  Unmappability      None        None        None        None        Medium
User Freedom
  Control            None        Medium      None        Medium      High
  Compatibility      None        High        None        Medium      None
  Usability          High        Medium      High        Low         Low

Reasonable people may disagree: this table represents one defensible assessment of the various architecture categories. Many people would adjust one or two cells, but on the whole we believe this table is a fair and accurate comparison. Some squares get low marks because of user error. For example, peer-to-peer systems have a hard time with user friendly keys, leading to high user error and low effective authenticity.

Table 2 gives a simplified view that highlights the relative differences among the encrypted architectures:

Table 2. Relative trade-offs of encrypted messaging architectures

               Peer to Peer  Silo          Federated
               Encrypted     Encrypted     Encrypted
Availability   Lower         Higher        Lower
Usability      Lower         Higher        Lower
Compatibility  Lower         Lower         Higher
Authenticity   Higher        Lower         Higher
Control        Higher        Lower         Higher
Anonymity      Higher        Lower         Lower

Relatively better is not necessarily good. For example, federated and peer-to-peer models have better authenticity than silo models, but still in practice have many authenticity problems.

The LEAP strategy

In a nutshell, the LEAP strategy is this: take a federated architecture and improve the authenticity, unmappability, and usability. In table form, that looks like this:

Table 3. The LEAP strategy for improving federated architectures

                     Federated   Federated   LEAP
                     Plaintext   Encrypted   Encrypted
Message Security
  Confidentiality    None        High        High
  Integrity          None        High        High
  Availability       Medium      Medium      Medium
Identity Security
  Authenticity       None        Low         High
  Anonymity          None        Low         Low
  Unmappability      None        None        High
User Freedom
  Control            Medium      Medium      Medium
  Compatibility      High        Medium      Low
  Usability          Medium      Low         High

Why this focus on authenticity, unmappability, and usability?

First, there is a lot of room for improvement. We believe that there is actually no particular structural reason why these properties are so low in existing federated encrypted architectures.

Second, these properties are extremely important and yet are typically given low priority or are ignored completely.

  • Authenticity: Message security rests entirely on a foundation of authenticity. Without proper validation of encryption keys, you cannot be assured of confidentiality or integrity. Unfortunately, current systems for establishing message authenticity are so difficult to use that most users simply ignore this step. LEAP will address these problems with a system of strong and automatic identity validation.
  • Usability: There are plenty of high security tools that are nearly impossible for the common user to use correctly. If the tool is too difficult, it will not be widely adopted and will likely be used incorrectly by those who do adopt it. LEAP will address these problems with a LEAP client that is tightly coupled with the server-side software and is autoconfiguring.
  • Unmappability: Recent advances in social network analysis and the greatly expanded ability of state and corporate actors to gather social graph information have made unmappability an urgent requirement for any architecture that seeks to address the surveillance situation we face today. LEAP will address these problems with our proposal for graph resistant routing.
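The authenticity point above, that encryption is only as good as the validation of the key you encrypt to, can be made concrete with a small client-side check. The following is an added illustration written for this page, not LEAP project code and not LEAP's identity validation design: it models a key directory whose answers are unauthenticated and a client that pins the recipient's key fingerprint (out of band, or on first use) and refuses to encrypt when the served key no longer matches. The directory class, the addresses and the key bytes are constructed placeholders.

```python
"""Added example (not LEAP project code): why confidentiality rests on key
authenticity, demonstrated with fingerprint pinning on the recipient's key.

The key directory, the key bytes and the addresses below are constructed
placeholders for illustration; no real keys or services are involved.
"""
import hashlib
import hmac
from typing import Dict, Tuple


def fingerprint(public_key: bytes) -> str:
    """Hex SHA-256 of the key material: the compact form a user would
    compare out of band (e.g. read over the phone)."""
    return hashlib.sha256(public_key).hexdigest()


class KeyDirectory:
    """Hypothetical lookup service. Nothing it returns is authenticated, so
    a client that trusts it blindly cannot know whose key it is encrypting to."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def publish(self, address: str, public_key: bytes) -> None:
        # Whoever can write here can replace a key; the directory itself
        # gives the client no way to notice.
        self._keys[address] = public_key

    def lookup(self, address: str) -> bytes:
        return self._keys[address]


class PinningClient:
    """Client that validates a looked-up key before encrypting to it.

    A fingerprint is trusted either because the user pinned it out of band
    or, failing that, on first use (TOFU). Any later key that does not
    match the pin is an authenticity failure and the send is refused."""

    def __init__(self, directory: KeyDirectory) -> None:
        self._directory = directory
        self._pins: Dict[str, str] = {}

    def pin(self, address: str, trusted_fingerprint: str) -> None:
        """Record a fingerprint obtained through a trusted channel."""
        self._pins[address] = trusted_fingerprint

    def validate_key(self, address: str) -> Tuple[bool, str]:
        """Return (ok, reason) for the key the directory currently serves."""
        fp = fingerprint(self._directory.lookup(address))
        known = self._pins.get(address)
        if known is None:
            self._pins[address] = fp          # first contact: pin it
            return True, "tofu"
        if hmac.compare_digest(known, fp):    # constant-time comparison
            return True, "pinned"
        return False, "mismatch"

    def send(self, address: str, message: str) -> str:
        """Encrypt-and-send stand-in: only the validation outcome matters here."""
        ok, reason = self.validate_key(address)
        if not ok:
            return f"refused ({reason}): key for {address} changed"
        return f"sent to {address} ({reason})"


def demo() -> Tuple[str, str, str]:
    """Walk through first contact, a repeat contact, and a swapped key."""
    directory = KeyDirectory()
    directory.publish("alice@example.org", b"constructed alice public key")
    client = PinningClient(directory)

    first = client.send("alice@example.org", "hello")    # pinned on first use
    second = client.send("alice@example.org", "again")   # matches the pin
    # The directory now serves a different key under Alice's address.
    directory.publish("alice@example.org", b"constructed substituted key")
    third = client.send("alice@example.org", "secret")   # refused
    return first, second, third


def demo_out_of_band_pin() -> Tuple[bool, str]:
    """A fingerprint pinned out of band beats TOFU: a directory key that
    does not match it is rejected even on first contact."""
    directory = KeyDirectory()
    directory.publish("bob@example.org", b"constructed key served by directory")
    client = PinningClient(directory)
    client.pin("bob@example.org", fingerprint(b"constructed key bob actually owns"))
    return client.validate_key("bob@example.org")


if __name__ == "__main__":
    for line in demo():
        print(line)
    print(demo_out_of_band_pin())
```

The trust-on-first-use path is the weaker of the two: it only catches a key that changes after the first contact, which is exactly why the page treats usable, automatic validation of the initial key as the problem worth solving.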

Improvement in these areas will come at a price. Although LEAP communication tools will be backward compatible with existing federated standards, a user of the LEAP platform will not have the same degree of choice in client software and provider as does a user of a traditional federated system. Our goal is to actively help providers adopt the LEAP platform, in order to give users more options in the long run.

Decoding the table

Communication architectures (columns)

(to be written)

Aspects of information security (rows)

Classical information security consists of a trio of properties: confidentiality, integrity, availability. To this list, others have added authenticity, control, and anonymity (among many others).

For our purposes here, we also add usability, compatibility, and unmappability. What do all these mean? Let's use the example of a single message, and group these nine properties in three categories:

Message Security

Confidentiality: A message has high confidentiality if only the intended recipients are able to read the message.
Integrity: A message has high integrity if the recipient is assured the message has not been altered.
Availability: A message has high availability if the user is able to get to the message when they so desire.

Identity Security

Authenticity: A message has high authenticity if the recipient is certain who sent the message and the sender is certain who received it.
Anonymity: A message has high anonymity if the identity of the sender cannot be established by examining the message or the pattern of message delivery.
Unmappability: A message has high unmappability if the social network that you communicate with cannot be easily discovered. Unmappability is often collapsed under anonymity. This is unfortunate. It is true that anonymity is one of the issues at stake with social network mapping, but it is just one of many. Because of recent advances in social network analysis and the ability to gather social graph information, we feel that unmappability deserves to be highlighted on its own.

User Freedom

Control: If a user is in possession of their own data and can do with it exactly what they want (and others cannot use the data in ways contrary to the wishes of the user), then we say that they have high control.
Usability: For a communication system to have high usability, the common user must be able to operate the system in a way that does not compromise their security.
Compatibility: For a system to have high compatibility, the user must not be locked into a particular provider or technology, but should have competing and compatible options available to them. In other words, a user's data should be portable and they should have a choice of clients.