Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Announce nodes can read public keys from onion data packets #1121

Open
zugz opened this issue Aug 25, 2018 · 7 comments
Open

Announce nodes can read public keys from onion data packets #1121

zugz opened this issue Aug 25, 2018 · 7 comments
Labels
P3 Low priority
Milestone
v0.2.x

Comments

@zugz
Copy link

zugz commented Aug 25, 2018

Thanks to @jackiszhp for referring in #1108 to the detail of the onion
protocol which leads to the problem discussed below.

When Alice wishes to connect to Bob, she first finds via the onion a node,
Eve, on which Bob is announced. Alice then sends to Eve an onion data packet
as the payload of a data to route request. The onion data packet contains
Alice's long-term pubkey, and it is encrypted to the data pubkey. This data
pubkey is provided to Alice by Eve.

The intention is that the data pubkey was previously generated by Bob and sent
to Eve in Bob's announce request. However, there is nothing to prevent the
Eve generating her own pubkey and sending that to Alice as the data pubkey.

The result is that Eve is able to obtain Alice's long-term pubkey. Meanwhile,
she also knows Bob's long-term pubkey. So, she has determined that the two
pubkeys are friends. This is something the onion was intended to prevent.

Note also that Eve can position herself to be used as an announce node by Bob,
by generating an appropriate DHT key.

It looks like this problem was introduced by commit 639b37d.
@kurnevsky
Copy link

Actually all data packets are encrypted twice - first time with friend's real pk, second time with onion data pk. So if Eve substitutes the data key she can only get inner encrypted packet and nothing else.

@zugz
Copy link
Author

zugz commented Aug 26, 2018 via email

@kurnevsky
Copy link

kurnevsky commented Aug 26, 2018
edited
Loading

@zugz it's taken from inner net_crypto, so it's just a random temporary key. See

c-toxcore/toxcore/Messenger.c

Line 2025 in 80f8458

m->net_crypto = new_net_crypto(m->log, m->mono_time, m->dht, &options->proxy_info);
,

c-toxcore/toxcore/Messenger.c

Line 2038 in 80f8458

m->onion_c = new_onion_client(m->mono_time, m->net_crypto);
and

c-toxcore/toxcore/net_crypto.c

Line 2964 in 80f8458

new_keys(temp);

Am I missing something?

@zugz
Copy link
Author

zugz commented Aug 26, 2018 via email

@kurnevsky
Copy link

Ok, this wasn't trivial. Good catch.

@iphydf iphydf added this to the v0.2.x milestone Aug 26, 2018
@zugz zugz mentioned this issue Nov 5, 2018
Open
@algor1th
Copy link

algor1th commented Apr 6, 2019

I have created a formal model that shows that announcements are linkable, and note trace equivalent to searches. It can be found here. Linkability here means that a public key of a node can be linked to it's ip adress when announcing.

@iphydf iphydf added the P3 Low priority label Apr 27, 2020
@emdee-is
Copy link

@iphydf @zugz This should be tagged with the Security label, to make it easier to track.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
P3 Low priority
Projects
None yet
Milestone
v0.2.x
Development

No branches or pull requests
5 participants
@zugz @kurnevsky @algor1th @iphydf @emdee-is