[freenet-dev] Predecessor sampling and tunnel padding was Re: One tunnel per request: justification
Michael Rogers
m.rogers at cs.ucl.ac.uk
Fri Jan 4 01:59:56 UTC 2008
Matthew Toseland wrote:
> If the internal MAC is invalid on a packet, the endpoint silently drops
> the packet.
I think I can get round it.
All attacker-controlled nodes share a symmetric key. When an
attacker-controlled node is asked to participate in a tunnel and it's
not the endpoint, it injects a single packet into the tunnel, replacing
a bogus packet if possible, otherwise replacing a non-bogus packet. The
injected packet contains its predecessor's identity, and is encrypted
and MACed with the attacker's key.
When an attacker-controlled node is selected to be the endpoint of a
tunnel, it looks for packets MACed with the attacker's key and decrypts
them to collect predecessor samples.
If a tunnel contains two non-adjacent attackers, one of which is the
endpoint, the nodes between the attackers can't distinguish the injected
packet from a genuine packet, so they pass it on.
Cheers,
Michael
More information about the Devl
mailing list