Announce nodes can read public keys from onion data packets #1121
Comments
Actually all data packets are encrypted twice - first time with friend's real pk, second time with onion data pk. So if Eve substitutes the data key she can only get inner encrypted packet and nothing else.
* Sunday, 2018-08-26 at 02:52 -0700 - Evgeny Kurnevsky <notifications@github.com>:
> So if Eve substitutes the data key she can only get inner encrypted
> packet and nothing else.
The problem is that the inner packet contains the long term public key
(see L1083) as well as the data encrypted with that key. Eve can't
decrypt the latter, but she can read the former.
@zugz it's taken from inner net_crypto, so it's just a random temporary key. See Line 2025 in 80f8458
Line 2038 in 80f8458
c-toxcore/toxcore/net_crypto.c Line 2964 in 80f8458
Am I missing something?
> @zugz it's taken from inner net_crypto, so it's just a random temporary
> key.
The long-term public key gets loaded into net_crypto by Messenger - see
https://github.com/TokTok/c-toxcore/blob/80f8458146061e5fe6edd97e06e039f1ad2cf3a9/toxcore/Messenger.c#3080
Ok, this wasn't trivial. Good catch.
I have created a formal model that shows that announcements are linkable, and not trace equivalent to searches. It can be found here. Linkability here means that a public key of a node can be linked to its IP address when announcing.
Thanks to @jackiszhp for referring in #1108 to the detail of the onion
protocol which leads to the problem discussed below.
When Alice wishes to connect to Bob, she first finds via the onion a node,
Eve, on which Bob is announced. Alice then sends to Eve an onion data packet
as the payload of a data to route request. The onion data packet contains
Alice's long-term pubkey, and it is encrypted to the data pubkey. This data
pubkey is provided to Alice by Eve.
The intention is that the data pubkey was previously generated by Bob and sent
to Eve in Bob's announce request. However, there is nothing to prevent
Eve from generating her own pubkey and sending that to Alice as the data pubkey.
The result is that Eve is able to obtain Alice's long-term pubkey. Meanwhile,
she also knows Bob's long-term pubkey. So, she has determined that the two
pubkeys are friends. This is something the onion was intended to prevent.
Note also that Eve can position herself to be used as an announce node by Bob,
by generating an appropriate DHT key.
It looks like this problem was introduced by commit 639b37d.
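
The leak described in this issue, as a small symbolic model (an added example, not part of the issue or of c-toxcore; the `Key`/`Box` term shapes, the helper names and the payload string are assumptions made for illustration). It compares what the announce node can read when the data pubkey is Bob's with what it can read when the data pubkey is one it generated itself.

```python
# Symbolic (Dolev-Yao style) model of the onion data packet discussed above.
# Constructed for illustration: term shapes and names are assumptions, not toxcore code.
from typing import NamedTuple


class Key(NamedTuple):
    owner: str   # party holding the secret half
    label: str   # "long-term" or "data"


class Box(NamedTuple):
    to: Key      # public key the box is encrypted to
    body: tuple  # plaintext fields, readable only by the key's owner


def onion_data_packet(sender_lt: Key, friend_lt: Key, data_pk: Key, payload: str) -> Box:
    """Outer layer is encrypted to the data pubkey. Inside it sit the sender's
    long-term pubkey in the clear and the payload encrypted to the friend's
    long-term key (the "encrypted twice" structure from the comments)."""
    inner = Box(friend_lt, (payload,))
    return Box(data_pk, (sender_lt, inner))


def observe(term, observer: str) -> set:
    """Everything `observer` can read from `term`, opening only boxes that are
    encrypted to a key whose secret half the observer holds."""
    learned, stack = set(), [term]
    while stack:
        t = stack.pop()
        if isinstance(t, Box):
            if t.to.owner == observer:
                stack.extend(t.body)
        else:
            learned.add(t)
    return learned


ALICE_LT = Key("alice", "long-term")
BOB_LT = Key("bob", "long-term")


def announce_node_view(data_pk: Key) -> set:
    """What announce node Eve reads from Alice's data-to-route payload."""
    pkt = onion_data_packet(ALICE_LT, BOB_LT, data_pk, "constructed payload")
    return observe(pkt, "eve")


if __name__ == "__main__":
    print("data key from Bob:", announce_node_view(Key("bob", "data")))
    print("data key from Eve:", announce_node_view(Key("eve", "data")))
```
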