Briar: Technical Overview
1. What is Briar?Briar is a secure news and discussion system designed to be used by journalists, activists and civil society groups in authoritarian countries. Briar differs from existing circumvention tools and mesh networks in three significant ways:
- Briar doesn't rely on external infrastructure such as proxy servers or satellite uplinks. A group of non-specialists can build a Briar network using nothing but their personal computers and smartphones.
- Briar can operate over any mixture of available media, including internet connections, Bluetooth, WiFi, dialup modems and even USB sticks. A network can be set up using a convenient medium, such as the internet, and can then fall back to other media if connectivity is lost.
- Briar builds on the social relationships between its users. The software is designed to be distributed person-to-person between trusted friends, making networks difficult to monitor, infiltrate or block.
2. The Structure of a Briar NetworkAt an abstract level, a Briar network consists of nodes and edges. Each node represents an individual person, and each edge represents a social relationship between two people, who are referred to as contacts. At a concrete level, nodes are implemented by software running on personal computers and smartphones, and edges are implemented by nodes communicating across various media.
Each network grows through personal invitation: anyone can start their own network simply by installing the software, and any member of a network can invite someone to join by giving them a copy of the software and exchanging encrypted invitations with them. Existing users (of the same network or of different networks) can likewise become contacts by exchanging invitations.
Once two users have exchanged invitations, their nodes can communicate securely. All communication between nodes is encrypted and authenticated, regardless of the medium over which it occurs.
3. Private MessagesThe simplest way for users to communicate is through private messages, which function like email. Users can only send private messages to their contacts.
4. GroupsMessages can also be sent to groups. Anyone may create a group and make it visible to any subset of their contacts, and anyone who can see a group may subscribe to it and make it visible to any subset of their own contacts. Conversations within each group are organised into threads.
Messages can be posted to groups anonymously or pseudonymously. Pseudonyms allow people who may not know one another's real identities to build up trust in one another's virtual identities. A pseudonym consists of a nickname and a public key; messages are signed with the corresponding private key.
Each group's creator may decide whether the group will be restricted or unrestricted. A restricted group has a public key which is given to all subscribers; messages posted to the group must be signed with the corresponding private key, and subscribers can use the public key to check that every message is authorised. By controlling access to the private key, the group's creator can decide who may post messages to the group. An unrestricted group has no public key - any subscriber can post messages to the group.
A restricted group therefore functions like a blog, enabling an anonymous or pseudonymous author to broadcast messages to an unknown audience of subscribers, whereas an unrestricted group functions more like a newsgroup or listserv, enabling open, multilateral discussions between people who may not know each other's real identities.
When a message is posted to a group, each subscriber forwards the message to any contacts who are known to subscribe to the group. This simple flood-fill approach ensures that every message reaches every subscriber as quickly as possible, even if some of the media used by the network have much higher latency than others. Users only receive messages posted to groups to which they subscribe.
Unrestricted groups may be vulnerable to spam, so Briar uses a mechanism called peer moderation to control how far messages are forwarded in unrestricted groups.
5. ExpiryLike Usenet, Briar uses a store-and-forward architecture in which messages are stored for a limited time by each node that receives them. This ensures reliable message distribution over networks where the underlying media may have very different latencies, from milliseconds to days.
Each node stores messages in an encrypted database. If the database reaches its maximum size, the oldest messages are deleted to make room for new messages. Each node therefore has a retention period that depends on the size of its database and the volume of messages in the groups to which its owner subscribes.
6. Privacy GoalsBriar attempts to achieve the following privacy properties with respect to an imaginary user called Alice.
- Nobody should be able to discover:
- Which messages were written by Alice (unless the content reveals Alice's identity)
- How many contacts Alice has
- Alice's contacts should not be able to discover:
- Whether Alice has a contact who isn't also a contact of theirs
- Whether Alice subscribes to a group she hasn't made visible to them
- What ratings Alice has created in a group she hasn't made visible to them
- Only Alice's contacts should be able to discover:
- Which contacts Alice has in common with them
- Whether Alice subscribes to a group she has made visible to them
- What ratings Alice has created in a group she has made visible to them
7. Threat ModelBriar is designed to resist surveillance and censorship by an adversary with the following capabilities.
- All long-range communication infrastructure (internet, phone network, etc) is comprehensively monitored by the adversary.
- The adversary can block, delay, replay and modify traffic on long-range media.
- The adversary has a limited ability to monitor short-range media (Bluetooth, WiFi, etc).
- The adversary has a limited ability to block, delay, replay and modify traffic on short-range media.
- The adversary can create an unlimited number of nodes.
- There are some users who can keep their nodes secure - those who can't are considered, for the purposes of the threat model, to be controlled by the adversary.
- The adversary has a limited ability to persuade users to trust the adversary's agents - thus the number of social connections between the adversary's nodes and the rest of the network is limited.
- The adversary can't break standard cryptographic primitives.