On 1/3/20 3:23 PM, carlo von lynX wrote:
> On Fri, Jan 03, 2020 at 10:28:02PM +0900, Schanzenbach, Martin wrote:
>> That sounds like it allows anyone to hijack any (established) channel
>> after a successful kx.
>
> Oh, transport does not guarantee the identity of nodes so CADET
> has to handle authentication itself... great. Still, an attacker
> would not be able to hijack a conversation, just break it.. right?
Transport guarantees it for hop-by-hop, but CADET is end-to-end. So
Transport may assure Anna that she's talking to xrs, and to xrs that
he's talking with Betty, but that doesn't help us for Anna-Betty.
A concern here is an attacker replaying an ancient initiation message to
break an ongoing session.
Given that we have 3DH, this should only be about availability, not
confidentiality/integrity.
> dvn has suggested a different approach, to make the
> CADET_CONNECTION_CREATE ensure that both sides have the same
> state, so we are looking into adding extra info there (which
> I understand would be a breaking protocol change, since gnunet
> does not have PSYC's extensibility).
Breaking compatibility to fix these types of bugs is OK.
> btw, figuring out how CADET tunnels get stuck and stop working
> was the amazing work of
> __
> _|_ > __ __ __ _ _ | _ _|_
> | -{ (_ (_ /__) |/ / | |< |
> |_ __> __) __) \___ | \_|_| \ |_
Thanks, t3sserakt!