> > This would allow us to change the nodes now to respond to that
> > DHKeyExchange command with some kind of error message. The client could
> > then fall back to a non-encrypted exchange. This is what I had in mind
> > earlier when I asked about backwards compatibility.

Yes, but it makes identifying freenet connections easy, and thus makes them easier to attack/block/ban/filter.

> I don't think it is all that helpful to hide the choice of which cipher
> is used. In practice there are only a few options so it doesn't add
> much security.

No, but again, this is only to mask the fact that it is a particular type of transaction taking place.

> The benchmark protocol for secure communications is SSL. Generally I
> try to follow its principles in terms of what attacks it guards against.
> SSL does not try to hide which symmetric cipher is used. And of course
> it can't hide what kind of asymmetric ciphering is done since that has
> to be the first step.

I don't care if we bellow at the top of our lungs what cipher we use. The idea isn't to try and implement security by obscurity.

> However one thing SSL does avoid is using the DH key exchange value
> directly as you suggest. It always gets hashed before being used.
> This is because there could theoretically be some structure in that
> value due to the highly mathematical way it is designed. So I would
> suggest hashing the value to set up the cipher keys.

I like this idea.

> SSL also uses two different cipher keys for the two directions of
> communications. I think this is mostly a defense against certain active
> attacks, but it does give a cryptanalyst somewhat less data encrypted
> with each key.

That's simple enough, since the key exchange is going to give us more bits than we really need.

> Leaving aside the question of whether this exchange needs to be encrypted,
> note that Bob has enough information once he receives Alice's message
> to know which cipher will be chosen. Therefore the usual response for
> Bob is to simply pick one of Alice's ciphers and return that (or return
> a refusal if none of them are acceptable).

Also true.

> One final point: this kind of protocol is very secure against passive
> attacks, where an eavesdropper wants to know what is being said.
> But it does not defend against active attacks, where the adversary can
> intervene in the message stream, altering, removing or adding messages.
> To prevent those it is necessary to share information ahead of time,
> such as long term public keys used for signatures. This is something
> that can be added later as it requires a much larger infrastructure.

Yes. Once again, this is just the initial system. When we fully develop the entire structure, it will likely use pervasive pkk.

_______________________________________________
Freenet-dev mailing list
Freenet-dev at lists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/freenet-dev
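The three points the thread agrees on (Bob picks one of Alice's offered ciphers or refuses; the DH value is hashed rather than used directly as a key; each direction gets its own key) as an added example in Python. This is not Freenet code: the cipher names, the HKDF-with-SHA-256 derivation, the direction labels and the DH value are all constructed for illustration, and binding the derived keys to the negotiation transcript is an addition beyond what the message describes.

```python
import hashlib
import hmac
from typing import Dict, Optional, Sequence

# Hypothetical cipher names; the thread does not name any concrete ciphers.
BOB_ACCEPTABLE = ("TWOFISH-256-CBC", "AES-256-CBC")


def choose_cipher(alice_offers: Sequence[str],
                  bob_acceptable: Sequence[str] = BOB_ACCEPTABLE) -> Optional[str]:
    """Bob's usual response: the first of Alice's ciphers he accepts, or a refusal (None)."""
    for name in alice_offers:
        if name in bob_acceptable:
            return name
    return None


def _hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) over SHA-256: extract a PRK from the raw DH value, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_session_keys(dh_shared: int, alice_offers: Sequence[str],
                        chosen: str, key_len: int = 32) -> Dict[str, bytes]:
    """Hash the DH value instead of keying the cipher with it directly, and split the
    result into one key per direction. The salt ties both keys to the negotiation
    (Alice's offer list plus Bob's choice), so a tampered offer list yields different keys."""
    ikm = dh_shared.to_bytes((dh_shared.bit_length() + 7) // 8, "big")
    transcript = (",".join(alice_offers) + "|" + chosen).encode()
    return {
        "alice_to_bob": _hkdf(ikm, transcript, b"alice->bob", key_len),
        "bob_to_alice": _hkdf(ikm, transcript, b"bob->alice", key_len),
    }


if __name__ == "__main__":
    # Constructed stand-in for the shared DH group element; not from a real exchange.
    shared = 0x2F7A9C1E4B8D6035E1A7C9B3D5F02468ACE13579BDF02468
    offers = ["RIJNDAEL-128-CBC", "TWOFISH-256-CBC", "AES-256-CBC"]
    cipher = choose_cipher(offers)
    if cipher is None:
        print("refused: no acceptable cipher")
    else:
        keys = derive_session_keys(shared, offers, cipher)
        print(cipher, {d: k.hex() for d, k in keys.items()})
```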
