On 2010/11/09 (Nov), at 4:06 PM, Matthew Toseland wrote:


Yes, the padding is encrypted.

btw, do resends have "new" random padding each time? If that is the case
it would also not matter, b/c even a weak attacker could drop your
packets and correlate them to find the precise length (and ignore the
padding).

No, they can't. On the current FNP, the hash (which includes the padding, as well as the 12 bytes of junk data i.e. hard randomness) goes first, and influences the encryption for the whole packet (as an IV). Plus the sequence number is encrypted. On the new packet format, the crypto is determined by the IV which is generated from the packet number, but we never reuse packet numbers even on resends.

Then it sounds like the source of the padding is not important. I'd optimize for performance in this case.

Weak-random is already a security improvement over just zeros (which might still be "acceptable" in this case).

--
Robert Hailey

_______________________________________________
Devl mailing list
[email protected]
http://freenetproject.org/cgi-bin/mailman/listinfo/devl
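
The reasoning in the message above, as an added example that is not part of the original thread or Freenet's code: it compares an original packet with its resend and measures how many leading ciphertext bytes match, with and without a fresh per-packet IV. The HMAC-SHA256 counter-mode keystream, the IV taken directly from the packet number, and the names `seal`, `leaked_length`, `KEY`, `PACKET_SIZE` and `PAYLOAD` are assumptions made for illustration.

```python
import hashlib
import hmac
import os

KEY = bytes(range(32))               # constructed session key
PACKET_SIZE = 64                     # constructed fixed on-wire size
PAYLOAD = b"constructed 23-byte msg"  # constructed sample payload


def keystream(key, iv, n):
    # Stand-in stream cipher (assumption): HMAC-SHA256 in counter mode.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(packet_number, payload, random_padding=True):
    # Pad to a fixed size, then encrypt payload and padding together.
    pad_len = PACKET_SIZE - len(payload)
    padding = os.urandom(pad_len) if random_padding else bytes(pad_len)
    iv = packet_number.to_bytes(8, "big")  # IV derived from the packet number
    ks = keystream(KEY, iv, PACKET_SIZE)
    return bytes(a ^ b for a, b in zip(payload + padding, ks))


def common_prefix(a, b):
    n = 0
    while n < len(a) and a[n] == b[n]:
        n += 1
    return n


def leaked_length(first_number, resend_number, payload, random_padding):
    # Matching leading bytes between a packet and its resend, as seen on the wire.
    first = seal(first_number, payload, random_padding)
    resend = seal(resend_number, payload, random_padding)
    return common_prefix(first, resend)


if __name__ == "__main__":
    print("reused number, fresh random padding:", leaked_length(7, 7, PAYLOAD, True))
    print("new number, fresh random padding:   ", leaked_length(7, 8, PAYLOAD, True))
    print("new number, zero padding:           ", leaked_length(7, 8, PAYLOAD, False))
```

Only the reused-number case exposes the payload/padding boundary; once every resend gets a new packet number, zero padding and random padding are equally opaque on the wire.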
