[Tech] Proposal: permanent passwords

Matthew Toseland toad at amphibian.dyndns.org
Tue Mar 6 02:11:33 UTC 2007


Permanent passwords
===================

We could make IP + password play the same role as noderefs do now. They
must be exchanged in both directions, but if you have both passwords you
can initiate a connection and noderefs will be exchanged. This should be
a reasonably simple protocol: Just send a packet which includes proof
that you have both passwords (a hash), and a random nonce for crypto
setup.

This is no more work than out of band verification. However, you cannot
broadcast your IP + password and wait for people to contact you, which
is a distinct advantage in out of band verification: All contacts must
be arranged strictly in advance. And it's not very newbie friendly
either.

Dependencies
------------

UP&P isn't necessary if the exchange is conducted in real time. If it is
almost-real-time then UP&P may be helpful.

Attacks
-------

If the attacker can guess both passwords he can MITM, identify traffic,
etc.
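
The connection packet described above (proof of both passwords plus a random nonce), sketched as an added example that is not part of the original post or of Freenet's code. The packet layout, the label, PBKDF2 as the "hash", keying the proof to the nonce and the responder's replay cache are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
PROOF_LEN = 32
LABEL = b"permanent-passwords-example-v1"  # constructed domain-separation label


def _lp(field: bytes) -> bytes:
    # Length-prefix each password so ("ab", "c") and ("a", "bc") differ.
    return struct.pack(">H", len(field)) + field


def derive_key(initiator_pw: str, responder_pw: str) -> bytes:
    # Assumption: a slow KDF stands in for the post's "a hash", so a captured
    # proof is costlier to test password guesses against.
    material = _lp(initiator_pw.encode()) + _lp(responder_pw.encode())
    return hashlib.pbkdf2_hmac("sha256", material, LABEL, 100_000)


def build_hello(initiator_pw: str, responder_pw: str, nonce: bytes = None) -> bytes:
    # Packet = nonce || HMAC(key, label || nonce); the nonce is fresh per attempt.
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    key = derive_key(initiator_pw, responder_pw)
    proof = hmac.new(key, LABEL + nonce, hashlib.sha256).digest()
    return nonce + proof


def verify_hello(packet: bytes, initiator_pw: str, responder_pw: str, seen_nonces: set):
    """Responder side: return the nonce if the proof is valid and fresh, else None."""
    if len(packet) != NONCE_LEN + PROOF_LEN:
        return None
    nonce, proof = packet[:NONCE_LEN], packet[NONCE_LEN:]
    key = derive_key(initiator_pw, responder_pw)
    expected = hmac.new(key, LABEL + nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(proof, expected):  # constant-time comparison
        return None
    if nonce in seen_nonces:  # reject a replayed packet
        return None
    seen_nonces.add(nonce)
    return nonce  # handed on to crypto setup
```

Because the proof is computed only from the two passwords and the nonce, its strength is bounded by the password entropy, which is the limit the Attacks section states.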