[freenet-dev] What we are really after was Re: Short refs was Re: alternative to #freenet-refs
Matthew Toseland
toad at amphibian.dyndns.org
Fri Nov 16 20:28:26 UTC 2007
On Friday 16 November 2007 19:16, Michael Rogers wrote:
> Matthew Toseland wrote:
> > Invites with a temporary keypair (invite = H(pubkey_temp), IP:port;
> > obfuscation key = H(pubkey_temp))
>
> Minor point: obfuscation key = H(nonce + H(pubkey_temp)).
So when the pubkey is exchanged, we also send the nonce? What is the point?
> Or if you
> accept the argument in my other message that we need mutual
> authentication, obfuscation key = H(nonce + H(pubkey_temp_R) +
> H(pubkey_temp_I)).
I don't see what the problem is with one-time invites. Obviously if we have an
MITM during out-of-band exchange of invites, we're screwed, but that's the
case with anything we set up.
>
> > Short noderefs (ref = H(real_pubkey), IP:port; obfuscation key = H(pubkey_R +
> > H(pubkey_I)) )
>
> Again, H(nonce + H(pubkey_R) + H(pubkey_I)). But if we're doing a
> two-way exchange anyway, is there any advantage to using refs instead of
> invites? Should we get rid of refs altogether and just use invites?
Maybe we should. A creates an invite, gives it to B; A's node notices that
it's NATed so requests IP:port from B. That's still basically one-way. How
would two-way invites work and why do we need them?
>
> > And possibly SRP.
> > PRO: We can use easy-to-remember/communicate (low entropy) passphrases, rather
> > than 32 bytes (64 hex chars, 43 base64).
> > PRO: And it's still secure, provided that we have a limited number of attempts
> > per password (so for SRP-based invites we will need IP:port, invite counter,
> > passphrase).
>
> Tempting, but not secure - anyone who sees the invite can MITM the
> handshake.
If they see the password, yes. However the advantage is that the password can
be easily and safely exchanged out of band, i.e. on a piece of paper, over the
phone etc.
> I think we need to be realistic about user behaviour: most
> people don't exchange keys face to face, the most they're likely to do
> is use a real-time medium that's easy to eavesdrop but hard to MITM.
It depends. We need to design it so that the Correct Behaviour is easy. In
terms of true darknet, maybe half of the folk a typical user would connect to
would be either known in person or by telephone. What we do not want to do is
make #freenet-refs, which is the Worst Possible Behaviour, any easier. If
making true darknet easier causes #freenet-refs to also be easier then that's
collateral damage, but it's certainly not my intention!
>
> The furthest I've ever known someone to go is emailing a public key and
> phoning to confirm a few digits of the fingerprint, and that's someone
> who makes their living from network security. Most users will just cross
> their fingers and email the password if we give them that option.
Lots and lots of geeks exchange GPG signatures at conferences. Lots and lots
of geeks know other geeks at work, at university, at LUGs/2600's/whatever.
If it's going to be emailed, they may as well just email a full noderef. It
will be unpacked at the other end and it should be a few clicks to add the
ref. We're not talking about email here. Maybe instant messaging, but again,
a file is easy to send with most IM clients.
And above all it depends on just how hostile the environment is. Right now
it's not very hostile most places; we need to build a true darknet so that
the network will work when it becomes more hostile. That depends on making it
easy.
>
> Cheers,
> Michael
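The obfuscation-key derivations argued over in this thread, written out as an added Python example (not code from the thread, from Freenet, or from either author). The hash is instantiated as SHA-256, the per-invite attempt budget of the `InviteAttemptLimiter` class is a constructed stand-in for the "limited number of attempts per password" Matthew mentions for SRP-based invites, and the key bytes are constructed sample values; all three are assumptions of this example. The checks in `demo()` make the differences concrete: with `H(pubkey_temp)` the obfuscation key is byte-for-byte the identifier already inside the invite, with Michael's nonce variant a fresh nonce yields a fresh key, and in the mutual variant the two parties must agree on the order of the hashed public keys because the input is a plain concatenation.

```python
# Added example (not from the thread): the obfuscation-key derivations
# under discussion, written out so the differences can be checked.
import hashlib
import secrets
from typing import Dict


def H(*parts: bytes) -> bytes:
    """H(a + b + ...) from the thread, instantiated here as SHA-256 over
    the concatenation (an assumption; the thread does not fix the hash)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part)
    return h.digest()


def invite_identifier(pubkey_temp: bytes) -> bytes:
    """The public part of the invite: invite = H(pubkey_temp), IP:port."""
    return H(pubkey_temp)


def obfuscation_key_simple(pubkey_temp: bytes) -> bytes:
    """Toseland's form: obfuscation key = H(pubkey_temp). This is
    byte-for-byte the invite identifier, so whoever sees the invite has the key."""
    return H(pubkey_temp)


def obfuscation_key_nonce(nonce: bytes, pubkey_temp: bytes) -> bytes:
    """Rogers' form: obfuscation key = H(nonce + H(pubkey_temp)). A fresh
    nonce per handshake gives a key that equals nothing carried in the invite."""
    return H(nonce, H(pubkey_temp))


def obfuscation_key_mutual(nonce: bytes, pubkey_R: bytes, pubkey_I: bytes) -> bytes:
    """Mutual form: H(nonce + H(pubkey_R) + H(pubkey_I)). Binds both parties'
    keys; since the input is a plain concatenation, responder and initiator
    must agree on the order or they derive different keys."""
    return H(nonce, H(pubkey_R), H(pubkey_I))


class InviteAttemptLimiter:
    """Per-invite attempt budget, standing in for the 'limited number of
    attempts per password' the thread says SRP-based invites would need.
    Budget size and keying by invite identifier are assumptions of this example."""

    def __init__(self, max_attempts: int = 3):
        self.max_attempts = max_attempts
        self._attempts: Dict[bytes, int] = {}

    def allow(self, invite_id: bytes) -> bool:
        """Consume one attempt for this invite; False once the budget is spent."""
        used = self._attempts.get(invite_id, 0)
        if used >= self.max_attempts:
            return False
        self._attempts[invite_id] = used + 1
        return True


# Constructed sample values; real nodes would use their actual public keys.
PUBKEY_TEMP = b"constructed-temporary-pubkey-A"
PUBKEY_R = b"constructed-pubkey-responder"
PUBKEY_I = b"constructed-pubkey-initiator"


def demo() -> dict:
    """Return the three properties discussed in the thread as booleans."""
    nonce_1 = secrets.token_bytes(16)
    nonce_2 = secrets.token_bytes(16)
    return {
        "simple_equals_invite_id":
            obfuscation_key_simple(PUBKEY_TEMP) == invite_identifier(PUBKEY_TEMP),
        "nonce_keys_differ":
            obfuscation_key_nonce(nonce_1, PUBKEY_TEMP)
            != obfuscation_key_nonce(nonce_2, PUBKEY_TEMP),
        "mutual_order_matters":
            obfuscation_key_mutual(nonce_1, PUBKEY_R, PUBKEY_I)
            != obfuscation_key_mutual(nonce_1, PUBKEY_I, PUBKEY_R),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
    limiter = InviteAttemptLimiter(max_attempts=3)
    invite_id = invite_identifier(PUBKEY_TEMP)
    print("attempts allowed:", [limiter.allow(invite_id) for _ in range(4)])
```

Run it directly to see the three properties and the attempt budget being exhausted on the fourth try.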