The Mathematical Mesh
PHB sets out the challenges that the Mathematical Mesh is designed to meet. In particular the three core challenges that make up the 'minimum viable product': managing private keys, exchanging public keys and securing data at rest.
Changing the Internet with 5 billion users and 50 billion connected hosts is hard. In this video, PHB describes the Mesh strategy to overcome that inertia, a strategy he learned working with Sir Tim Berners-Lee, who developed the deployment strategy for the World Wide Web.
PHB describes the features the Mesh provides and gives a high-level overview of the three principal technologies used to build it. These are described in detail in the following presentations.
PHB describes the key splitting approach used in the Mesh and how it is used to create true end-to-end secure cloud services that can control the decryption of data but cannot decrypt any of it. [Note: advanced content]
PHB describes the use of meta-cryptography to combine keys, a technique used in device provisioning and to enable separation of administrative duties in the Mesh.
PHB describes how UDF fingerprints improve upon traditional OpenPGP fingerprints and expand their scope to support encoding of nonces, private keys and key shares. Consistent use of UDF identifiers as the only means of identifying keys in the Mesh allows for 'cryptography on rails'.
PHB shows how UDFs are used to create QR codes that can retrieve and decrypt an encrypted document and Strong Internet Names that bind a security policy to any Internet address with a DNS name.
PHB describes the Data At Rest Envelope (DARE), the cryptographic syntax used as a container for signed and encrypted data in the Mesh. DARE builds on a profile of JSON Signature and Encryption to provide the same efficiency and capabilities as traditional PKCS#7/CMS encoding, and provides support for the DARE Sequence capabilities described in the next video.
PHB describes DARE Sequence, an append-only log that provides incremental encryption and incremental authentication capabilities. DARE Sequence is used to encode the Catalog and Spool persistence stores used in the Mesh.
PHB describes the use of DARE Sequence to support a ZIP-archive-style capability. Although this is not a feature required by the Mesh itself, it is useful to have an archive format in which the encryption and authentication capabilities are implemented using a state-of-the-art approach.
PHB describes the role and implementation of the Mesh Service: how services are discovered, how communication between the client and the service is secured, and the features services provide.
PHB continues his description of Mesh Services with a look at the additional features future Mesh services might support. These include trusted time, trusted DNS and a timestamp service.
PHB describes the mechanism used to connect devices to a personal Mesh with strong mutual authentication.
PHB describes the use of the Mesh to store and exchange contact information. These mechanisms enable even A-list celebrities to make their contact information public without being spammed off the net.
PHB describes the Mesh confirmation protocol, which provides an improved form of 'second-factor authentication'. All second-factor authentication systems are in fact a combination of authentication and authorization. The user is not merely authenticating themselves; they are authenticating in order to authorize a specific action (e.g. access to a VPN). But this authorization is only weakly bound to the action itself, and so a second-factor token used for multiple purposes is subject to a downgrade attack.
Traditional public key encryption allows data to be shared between a fixed group of recipients. Granting access to existing encrypted files to additional users requires every file to be updated. Removing access is not typically possible.
In this video, PHB shows the use of meta-cryptography to enable files to be shared between groups of users whose membership can be changed at any time.
PHB begins by describing the application of the Mesh bookmark and credentials catalogs to provide a seamless and secure user experience across multiple different browsers on multiple devices.
Traditional Web security only secures the connection between the user's client and the Web server holding the content. While this is called 'end-to-end' secure, the true end points of the communication are the user and the original content creator. The meta-cryptography supported by the Mesh enables this true end-to-end secure communication for both static (Web 1.0) and dynamic (Web 2.0) content.
PHB describes the use of the Mesh to manage SSH keys for clients and servers.
PHB describes the application of the Mesh to SMTP email. The Mesh provides a secure means of provisioning OpenPGP and S/MIME keys and managing them across devices. The Mesh Contact exchange protocol and contact catalog provide a secure means of acquiring contact information for other users and making it available to the devices used to send and receive email.