On Friday 16 November 2007 19:16, Michael Rogers wrote:
> Matthew Toseland wrote:
> > Invites with a temporary keypair (invite = H(pubkey_temp), IP:port;
> > obfuscation key = H(pubkey_temp))
>
> Minor point: obfuscation key = H(nonce + H(pubkey_temp)).

So when the pubkey is exchanged, we also send the nonce? What is the point?

> Or if you accept the argument in my other message that we need mutual
> authentication, obfuscation key = H(nonce + H(pubkey_temp_R) +
> H(pubkey_temp_I)).

I don't see what the problem is with one-time invites. Obviously if we have an MITM during out-of-band exchange of invites, we're screwed, but that's the case with anything we set up.

> > Short noderefs (ref = H(real_pubkey), IP:port; obfuscation key = H(pubkey_R +
> > H(pubkey_I)) )
>
> Again, H(nonce + H(pubkey_R) + H(pubkey_I)). But if we're doing a
> two-way exchange anyway, is there any advantage to using refs instead of
> invites? Should we get rid of refs altogether and just use invites?

Maybe we should. A creates an invite, gives it to B; A's node notices that it's NATed so requests IP:port from B. That's still basically one-way. How would two-way invites work and why do we need them?

> > And possibly SRP.
> > PRO: We can use easy-to-remember/communicate (low entropy) passphrases, rather
> > than 32 bytes (64 hex chars, 43 base64).
> > PRO: And it's still secure, provided that we have a limited number of attempts
> > per password (so for SRP-based invites we will need IP:port, invite counter,
> > passphrase).
>
> Tempting, but not secure - anyone who sees the invite can MITM the
> handshake.

If they see the password, yes. However, the advantage is that the password can be easily and safely exchanged out of band, i.e. on a piece of paper, over the phone, etc.

> I think we need to be realistic about user behaviour: most
> people don't exchange keys face to face, the most they're likely to do
> is use a real-time medium that's easy to eavesdrop but hard to MITM.

It depends. We need to design it so that the Correct Behaviour is easy. In terms of true darknet, maybe half of the folk a typical user would connect to would be either known in person or by telephone.

What we do not want to do is make #freenet-refs, which is the Worst Possible Behaviour, any easier. If making true darknet easier causes #freenet-refs to also be easier, then that's collateral damage, but it's certainly not my intention!

> The furthest I've ever known someone to go is emailing a public key and
> phoning to confirm a few digits of the fingerprint, and that's someone
> who makes their living from network security. Most users will just cross
> their fingers and email the password if we give them that option.

Lots and lots of geeks exchange GPG signatures at conferences. Lots and lots of geeks know other geeks at work, at university, at LUGs/2600's/whatever.

If it's going to be emailed, they may as well just email a full noderef. It will be unpacked at the other end and it should be a few clicks to add the ref. We're not talking about email here. Maybe instant messaging, but again, a file is easy to send with most IM clients.

And above all it depends on just how hostile the environment is. Right now it's not very hostile most places; we need to build a true darknet so that the network will work when it becomes more hostile. That depends on making it easy.

> Cheers,
> Michael
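As an added illustration of the derivations and the per-invite attempt limit discussed in this exchange (this is not code from the thread or from Freenet; SHA-256 as H, the stand-in key bytes, and the hash-based passphrase check in place of a real SRP verifier are all assumptions):

```python
import hashlib
from dataclasses import dataclass, field

def H(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of parts (the '+' in the thread's notation; assumed)."""
    return hashlib.sha256(b"".join(parts)).digest()

# Constructed stand-ins for the temporary public keys of responder (R) and initiator (I).
PUBKEY_TEMP_R = b"constructed responder temporary public key"
PUBKEY_TEMP_I = b"constructed initiator temporary public key"

def make_invite(pubkey_temp: bytes, ip_port: str) -> tuple[bytes, str]:
    """One-time invite as proposed: (H(pubkey_temp), IP:port)."""
    return H(pubkey_temp), ip_port

def obf_key_one_way(nonce: bytes, pubkey_temp: bytes) -> bytes:
    """Michael's variant: H(nonce + H(pubkey_temp)); the nonce must travel with the pubkey."""
    return H(nonce, H(pubkey_temp))

def obf_key_mutual(nonce: bytes, pubkey_temp_r: bytes, pubkey_temp_i: bytes) -> bytes:
    """Mutual-authentication variant: H(nonce + H(pubkey_temp_R) + H(pubkey_temp_I)).
    Both sides must agree on the R/I order, since concatenation is not commutative."""
    return H(nonce, H(pubkey_temp_r), H(pubkey_temp_i))

@dataclass
class InviteTable:
    """Responder-side bookkeeping for passphrase-based invites: each invite carries
    an attempt counter so a low-entropy passphrase can only be guessed a bounded
    number of times, which is the condition under which the thread calls it secure."""
    max_attempts: int = 5
    invites: dict = field(default_factory=dict)

    def register(self, invite_id: bytes, passphrase: str) -> None:
        # Hypothetical stand-in for an SRP verifier; a real deployment would store an
        # SRP verifier and run the SRP exchange instead of this hash comparison.
        self.invites[invite_id] = {"check": H(invite_id, passphrase.encode()), "attempts": 0}

    def try_redeem(self, invite_id: bytes, passphrase: str) -> bool:
        entry = self.invites.get(invite_id)
        if entry is None or entry["attempts"] >= self.max_attempts:
            return False  # unknown invite, or already burned by too many attempts
        entry["attempts"] += 1
        if H(invite_id, passphrase.encode()) == entry["check"]:
            del self.invites[invite_id]  # one-time: consumed on first success
            return True
        return False
```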
_______________________________________________
Devl mailing list
Devl@freenetproject.org
http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl