Subject: New project for Summer of Code: bpg
To: None <tech-security@netbsd.org>
From: Manuel Freire <droggo@gmail.com>
List: tech-security
Date: 06/29/2005 04:16:03

Hello,

I'm Manuel Freire and I've been selected by NetBSD to develop a
BSD-licensed privacy guard. My proposal, which I named bpg (BSD Privacy
Guard), includes writing a modular OpenPGP-compatible program.

My mentors in this adventure will be Alistair Crooks and Curt Sampson.
Also, I will need much help from this list and I thank you in advance
for your help.

I attach my proposal for your consideration. It has been revised since
the one I sent to Google (minor changes, like the name of the program
and some errata).

Once I receive initial impressions from my mentors, I'll begin working
on the initial design. I will share the whole development with this
list, so I encourage you to express pros and cons of my proposals,
ideas, design or code, since my main goal this summer is learning.

Finally, I want to say that it's an honor for me to be here. Thanks.


Manuel Freire


**********************************************************************

Name: Manuel Freire

Email: droggo@gmail.com

Project Title: bpg (BSD Privacy Guard)

**********************************************************************

Synopsis
========

The "BSD Privacy Guard" is my proposal for developing a PGP-like tool for NetBSD. It would provide confidentiality, authentication and integrity in a hybrid (both symmetric and asymmetric) key system.

"BSD Privacy Guard" aims to follow the OpenPGP standard (RFC 2440). This is because it's crucial that it be compatible with PGP and GnuPG, for obvious usability reasons.

This project would be licensed under a BSD license, in order to be able to be included in the NetBSD OS. In the same way that almost all Unixes nowadays include an SSH client and server, I would like to see people having a privacy guard installed by default in their OS's and getting used to utilizing it, both with email communications and with regular files in the system.

The license problem would be deep enough to justify writing a new application. But this is also a pretty good chance to fix some of the problems that PGP and GnuPG have:

* They are monolithic. You have one big application for two problems of different nature: key management and message privatization.

* They are interactive (i.e. not typical Unix filters). This is ugly when you are a Unix freak and want to type `elegant' things like:

    bpg --sign < message > signed_message

* Their design doesn't allow creating new user interfaces. I would like the "BSD Privacy Guard" design to allow different user interfaces (command-line, ncurses interface, X-Window GUI...). This can be done by storing the application kernel functions in a library ("libbpg").


Project Description
===================

As I expressed in the synopsis, I would bet on a modularized design, with each module built from:

* a library with the functionality and,
* a user interface (if the module constitutes an application by itself).

For instance, the module "bpgkey" would have a library ("libbpgkey") with all the functions (create_pair, read_key...) and a user interface that uses the library, allowing the user to interact with it.

Modules
-------

* bpg: is the main module. It manages all the operations with files (encryption, decryption, signing...). It's the kernel of the application.

* bpgkey: the key management module. It's an independent program, and my idea is that it stores keys in the keyrings in the ".keyrings" directory in each user's home directory. The independence of this module would permit some pretty fancy features, like allowing it to be run as a daemon in the future and automatically become a key server.

* bpgalgo: this module stores the algorithms. It hasn't a user interface, since it is only a library that contains all the algorithms that the privacy guard will use. The algorithms' code will be obtained from OpenSSL or other BSD-licensed code suggested by NetBSD mentors.

* more modules: there can be more modules to get a thinner granularity if suggested by NetBSD mentors.

Security
--------

Since the "BSD Privacy Guard" will be a cryptographic application it is crucial to design and code with security in mind.

For this, as much code as possible will be reused from other projects if it showed robustness and security. Also, the design of the application and the code I write will be continuously peer-reviewed with users and security experts (I know some, NetBSD surely has many and I also have experience in this area).

Standardization
---------------

The functionality of the program will be extracted from the OpenPGP standard, as I mentioned in the synopsis. My goal is to make it 90% OpenPGP compatible by the end of the summer, and then keep on working to make it 100% compatible and quite stable in a couple of months.


Project Schedule
================

Project start (June 25th): Contacting my mentors and creating the project infrastructure: CVS, web site...

Analysis (June 25th - 28th): Reading the OpenPGP standard and making a list of the features that will be included in the first version (the Summer-of-Code version).

Design (June 29th - July 5th): Here I will discuss the design with my mentors and start writing the skeleton of the modules and tests.

Codification (July 5th - August 15th): Coding, coding and more coding. Intense peer-reviews.

Preliminary release (August 15th - 29th): The CVS snapshot will become the preliminary version. Receiving users' feedback for bugs. No more features added. All tests must pass since the preliminary version is released.

Stable release (August 30th): The CVS snapshot on August 30th will be the first stable version.

**********************************************************************

Bio
===

My name is Manuel Freire. I was born on October 5th, 1983 in Marin (Pontevedra), in the northwest of Spain. I'm nowadays studying and living in Madrid.

I have loved computers since I was a child (actually, I learned the alphabet when I was 3 with my brother's Amstrad CPC128). Four years ago I began studying Computer Engineering at Antonio de Nebrija University here in Madrid.

My favourite areas in computing are programming, security, cryptography, OS's (Unix) and videogames.

I wrote a PGP-like open-source application some months ago named "myPGP" (http://www.sourceforge.net/mypgp). Although it's not finished and the code was written ad hoc, I learned many things about PGP and Unix programming. I'm sure this experience will be very useful in order to write the "BSD Privacy Guard".

I am currently working in a biometrics research lab at the Universidad Autonoma de Madrid.
