Ämne:
Re: [dcdev] Encrypting ADC - a second approach
Från:
Gustaf Räntilä <[email protected]>
Datum:
2005-03-11 11:22
Till:
Direct Connect developers

Zdenek Stangl wrote:
With all due respect, Im still not sure what good is the encrypted connection for DC. I was out for longer time. Are there any troubles with anti-pirate organizations?

Well, yes. As well as new EU laws (which my country is pushing for, which is embarassing). But the most important is the privacy for users. I think it's fair to implement encryption as a basic privacy model for people no matter protocol. Big brother is getting paranoid.

Jacek Sieka wrote:

Well, this has crossed my mind a few times, I actually downloaded a few ssl libs the other day to have a look around...
In any case, while being a good (verbose) initiative, there are some technical flaws, like:
1) Reinventing a secure handshake - dangerous, it took the ssl folks 3 versions, and hopefully they knew more than us about this stuff...

Well yes, and they depend on third-party organizations like Verisign. If you site is verisign:ed then you are to be trusted... Maybe we should beg users to pay tenths of dollars for a signed certificate ;)
But I agree, handshaking is critical.

2) No perfect forward secrecy - lose the key to someone and any recorded data can be decrypted (authorities spring to mind)

Lose how? The symmetric keys are temporary for each session/connection, and never stored. How the assymetric keys are locally stored, can be made safe quite easily. However, this problem occurs to any program implementing asymmetric ciphers. In Unix you depend on filesystem rights for the private keys etc.

3) No algorithm negotiation - locked to one algorithm pair, and algorithms tend to lose credibility over the years

Today you can "choose" from a set of symmetric keys (in SSL). But AES is by far the best one afaik. I don't know of inheriting the entire ssl set of ciphers are good, would anyone ever want to use DES/3DES? It's both much slower and more insecure than AES. The same with all fishes (blowfish, twofish etc). Surely one would like Some sort of negotation though, I fully agree on that.

4) No separation between adc and encryption (what's that cid etc doing in the initial negotiation?)

The CID is there because we poor P2P users have a tendancy of switching IP numbers very frequently, and CID is used for storing public keys, just like SSH does. It's not at all necessary, but efficient and slightly increases security. So they say ;)

5) Still identifyable as ADC with all the packetfilter problems that follow

What packetfilter problems? Sure it's identifyable unless one uses a common cipher-handshake such as ssl/tls gives you. I don't have an opinion on whether this is an issue or not... Unless 'they' can read the traffic, do we care if they know what it's for? Maybe.

6) Server speaks first - in general the server shouldn't waste resources sending data until the client has made an effort

This was inteded so that hubs send their public key. Therefor one should at least trust a hub's key. Also this makes the client responsible for generating the symmetric keys. Not that this is much of a burden, but still...
Surely clients could go off first, by requesting the key, maybe by sending a TTH of the stored key (if they have one), and only if it differs hubs send their new key.

7) On a more philosofical note - who is this encryption targeted against? ISP listening in? hub listening in? neighbour on the same subnet listening in? As I read it there's one encrpytion layer between hub and client and then another one in that between clients when speaking through the hub...those are two completely separate use-cases and should thus imho be covered in separate extensions - if encrypted c-c messages through the hubs should be supported at all...

This is very interesting. Developing a fully waterproof solution is not feasible. Personally i think ISP's and authorities in general are the target of the reason for privacy.
About encrypted c-c, well, isn't this the reason for the FourCC? Hubs shouldn't care what clients send to each other, it should only broadcast B's, broadcast to actives by A's etc...? Then clients should have the possibility of sending what lookes like junk to each other, but that is encrypted traffic. This is probably only a client issue anyway.

8) No authentication - vulnerable to the good ole' man in the middle attack

Yes, you're welcome to setup an own certificate authority if you like ;)
This is actually possible. Having like the hublist-servers to be authentication servers is a possibility. It would look like a one way kerberos sollution, by depending on a third part. It makes sense, but *trying to express myself as if I were a hub developer* it adds complexity ;)

9) I can probably thing of more - these were just the first things that sprung to mind...

Well, I'm satisified that you looked into it.

Instead I was just about to do something a lot more simple with dc++ and adchpp; SSL tunneling for both c-c and c-h connections, solves all those issues above. there are a few details to be considered though, mainly regarding key distribution, i e should the hub sign keys of its users (probably not) or should all keys that can be verified by querying the user for their hash with a d message be seen as valid? One potential issue is that we can't up-negotiate the protocol to encrypted mode if we want to make it http-lookalike - which means that the server must either have a unique port open or use some ugly heurestics (or perhaps best - support only encrypted connections)...

Only support encrypted connections is by far the easiest way. Tunneling ssl, by that you mean to for example implement the openssl's ssl part, and not only its ciphers? To actually let the library handle the connections? Well, it's a possibility. I personally just dislike the so called 'certificates' that are being generated. I'm not sure they fit a p2p system. They depend on dns names and so on iirc...

Opera
-- 
DC Developers mailinglist
http://3jane.ashpool.org/cgi-bin/mailman/listinfo/dcdev