On Monday 22 October 2007 12:22, nextgens at freenetproject.org wrote:
> Author: nextgens
> Date: 2007-10-22 11:22:47 +0000 (Mon, 22 Oct 2007)
> New Revision: 15471
> 
> Modified:
>    trunk/freenet/src/freenet/node/FNPPacketMangler.java
> Log:
> JFK:
>       Re-queue DH exponents so that we don't end up serving always the same
> even if we are under attack.

I'm not convinced that this is necessary... the only case where it helps is if 
the attacker doesn't see the responses to his packets, so it's a matter of IP 
spoofing. It shouldn't hurt if it's well-implemented. In any case, as I said 
in the previous mail, the only reasons to change DH exponents are:
1) If there's an undiscovered weak DH key, it would be best if we didn't use 
it for all our connections!
2) Limiting exposure (decryptability of old traffic) if the node is 
compromised i.e. forward secrecy (see Perfect Forward Secrecy). The thing is, 
all open connections can be decrypted from the period they last connected or 
rekeyed *anyway*.
3) Possibly leaking information about the exponents on each new connection 
with some new undiscovered attack. Hopefully this will be very slow.

JFK is built around the principle that you don't have to change the exponents 
on every new connection: the nonces will ensure that each connection gets a 
different key.

You might want to make it more deterministic though: have a vector, rotate 
through it, and every 30 seconds remove the beginning and add a new context 
at the end. Then contexts have a limited lifespan.
> 
> Modified: trunk/freenet/src/freenet/node/FNPPacketMangler.java
> ===================================================================
> --- trunk/freenet/src/freenet/node/FNPPacketMangler.java      2007-10-22 
> 10:48:27 
UTC (rev 15470)
> +++ trunk/freenet/src/freenet/node/FNPPacketMangler.java      2007-10-22 
> 11:22:47 
UTC (rev 15471)
> @@ -2460,60 +2460,64 @@
>       }
>  
>       private DiffieHellmanLightContext _genLightDiffieHellmanContext() {
> -             DiffieHellmanLightContext ctx = 
> DiffieHellman.generateLightContext();
> +             final DiffieHellmanLightContext ctx = 
DiffieHellman.generateLightContext();
>               
ctx.setSignature(crypto.sign(SHA256.digest(assembleDHParams(ctx.myExponential, 
crypto.getCryptoGroup()))));
>               
>               return ctx;
>       }
>       
> +     private final void _fillJFKDHFIFO() {
> +             // Use the ticket to do it off-thread
> +             node.getTicker().queueTimedJob(new Runnable() {
> +                     public void run() {
> +                             synchronized (dhContextFIFO) {
> +                                     
> dhContextFIFO.addLast(_genLightDiffieHellmanContext());
> +                             }
> +                     }
> +             }, 0);
> +     }
> +     
>       /**
>        * Change the DH Exponents on a regular basis but at most once every 
> 30sec
>        * 
>        * @return {@link DiffieHellmanLightContext}
> +      * 
> +      * FIXME: is it acceptable that some elements will stay around for a 
*long* time ?
> +      * They will eventually be replaced but noone know when.
>        */
>       private DiffieHellmanLightContext getLightDiffieHellmanContext() {
>               final long now = System.currentTimeMillis();
>               
> -             boolean changeDHExponents = false;
> -             boolean generateOnThread = false;
> -             int dhContextBufferSize = 0;
> +             int dhContextFIFOSize = 0;
> +             boolean requeueElement = true;
>               
> +             DiffieHellmanLightContext result = null;
> +             
>               synchronized (dhContextFIFO) {
> -                     dhContextBufferSize = dhContextFIFO.size();
> +                     dhContextFIFOSize = dhContextFIFO.size();
>                       
> -                     if(dhContextBufferSize < 1) {
> +                     if(dhContextFIFOSize < 1) {
>                               // We need one exponent, generate it at all 
> cost! (startup)
> -                             changeDHExponents = true;
> -                             generateOnThread = true;
> -                     } else if((dhContextBufferSize < 
> DH_CONTEXT_BUFFER_SIZE) && 
(jfkDHLastGenerationTimestamp + 30000 /*30sec*/) < now) {
> -                             changeDHExponents = true;
> -                             jfkDHLastGenerationTimestamp = now;
> -                     }
> -             }
> -             
> -             if(changeDHExponents) {
> -                     if(generateOnThread) {
>                               Logger.minor(this, "No DH exponent have been 
> created; generate the 
context on-thread!");
> -                             // No need to synchronize here as we are 
> on-thread
> -                             
> dhContextFIFO.add(_genLightDiffieHellmanContext());
> +                             for(int i=dhContextFIFOSize; 
> i<DH_CONTEXT_BUFFER_SIZE-1; i++)
> +                                     _fillJFKDHFIFO();
> +                             
> +                             result = _genLightDiffieHellmanContext();
>                       } else {
> -                             // Use the ticket to do it off-thread
> -                             node.getTicker().queueTimedJob(new Runnable() {
> -                                     public void run() {
> -                                             synchronized (dhContextFIFO) {
> -                                                     
> dhContextFIFO.addLast(_genLightDiffieHellmanContext());
> -                                             }
> -                                     }
> -                             }, 0);
> -                             Logger.minor(this, "The DH exponents will been 
> renewed soonish");
> +                             result = (DiffieHellmanLightContext) 
> dhContextFIFO.removeFirst();
> +                             
> +                             // Shall we replace one element of the queue ?
> +                             if((jfkDHLastGenerationTimestamp + 30000 
> /*30sec*/) < now) {
> +                                     jfkDHLastGenerationTimestamp = now;
> +                                     requeueElement = false;
> +                                     _fillJFKDHFIFO();
> +                             }
>                       }
> +                     
> +                     if(requeueElement)
> +                             dhContextFIFO.addLast(result);
>               }
> -
> -             DiffieHellmanLightContext result;
> -             synchronized (dhContextFIFO) {
> -                     // Don't remove the exponent from the list if it's the 
> only remaining 
one.
> -                     result = (DiffieHellmanLightContext) 
> (dhContextBufferSize < 2 ? 
dhContextFIFO.getFirst() : dhContextFIFO.removeFirst());
> -             }
> +             
>               return result;
>       }
>  
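Review bot: _fillJFKDHFIFO() appends to dhContextFIFO without checking its size, and the dhContextFIFOSize < 1 branch of getLightDiffieHellmanContext() queues DH_CONTEXT_BUFFER_SIZE-1 fill jobs every time it is entered, so the queue can grow past DH_CONTEXT_BUFFER_SIZE. The path is visible in the hunk: that branch does not update jfkDHLastGenerationTimestamp, so a following call can take the else branch, removeFirst() the only element and, if the 30-second test passes, set requeueElement = false, leaving the FIFO empty until the ticker job runs; the next call then re-enters the startup branch and queues another batch. Suggest checking dhContextFIFO.size() < DH_CONTEXT_BUFFER_SIZE inside the synchronized block in run() before addLast(), and setting jfkDHLastGenerationTimestamp = now in the startup branch. Separately, the FIXME text sits after @return in the Javadoc, so it becomes part of the @return description; move it above the tag or into a plain comment.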
> 
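The deterministic rotation suggested in the reply above (a fixed vector served round-robin, with the oldest context replaced every 30 seconds) can be written as follows. This is an added example, not Freenet's code: the class name `RotatingDHPool`, the pool size of 4 and the use of the JDK's `KeyPairGenerator` in place of `DiffieHellmanLightContext` are assumptions, and contexts are generated on the calling thread rather than through the node's ticker.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.ArrayList;
import java.util.List;
import java.util.function.Supplier;

/** Added example: fixed-size pool of DH contexts with a bounded lifespan. */
public class RotatingDHPool<T> {
    private final List<T> pool = new ArrayList<>(); // index 0 is the oldest entry
    private final Supplier<T> generator;
    private final int size;
    private final long intervalMs;
    private long lastRotation;
    private int cursor = 0;                         // next entry to hand out

    public RotatingDHPool(Supplier<T> generator, int size, long intervalMs, long now) {
        this.generator = generator;
        this.size = size;
        this.intervalMs = intervalMs;
        this.lastRotation = now;
        for (int i = 0; i < size; i++) pool.add(generator.get());
    }

    /** Round-robin over the pool; retire one oldest entry per elapsed interval. */
    public synchronized T next(long now) {
        long elapsed = (now - lastRotation) / intervalMs;
        // After a long idle period, replacing the whole pool once is enough.
        for (long i = 0; i < Math.min(elapsed, size); i++) {
            pool.remove(0);              // drop the oldest context
            pool.add(generator.get());   // append a fresh one at the end
            if (cursor > 0) cursor--;    // entries shifted left by one
        }
        lastRotation += elapsed * intervalMs;
        T ctx = pool.get(cursor);
        cursor = (cursor + 1) % size;
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH"); // stand-in context type
        kpg.initialize(2048);
        RotatingDHPool<KeyPair> p = new RotatingDHPool<>(kpg::generateKeyPair, 4, 30_000, 0);
        KeyPair first = p.next(0);
        // Upper bound on lifespan is size * interval = 120 s (constructed timestamps).
        boolean retired = true;
        for (int i = 0; i < 4; i++) retired &= (p.next(120_000 + i) != first);
        System.out.println("first context retired after 120s: " + retired);
    }
}
```

With this layout no context outlives `size * intervalMs`, which answers the FIXME in the patch about elements staying around for an unknown time.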