Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WIP: Encrypted torrents for Bittorrent v2 #68

Open
wants to merge 14 commits into
base: master
Choose a base branch
from

Conversation

the8472
Copy link
Contributor

@the8472 the8472 commented Aug 13, 2017

I have revised my draft to be based around BEP52

  • uses XChaCha20, SHA2-256, scrypt
  • everything is padded to minimize information that can be obtained about payloads
  • IVs are content-derived + random input. hard to get wrong.
    drawback: needs 2 passes over the content
  • creation procedure is now phrased in terms of first creating a plaintext torrent and then wrapping it into an encrypted torrent
  • BEP52 simplifies padding a lot and also allows the verification of correct decryption
  • it's backwards-compatible. first implementations can be done unixy: existing torrent clients do the transfer, external tool or fuse driver does the creation and decryption

It's still a WIP since I need to update my prototype to generate test data

@the8472
Copy link
Contributor Author

the8472 commented Aug 13, 2017

Previous discussion can be found in #18 and #20

As usual, extra eyeballs are needed!

@the8472
Copy link
Contributor Author

the8472 commented Aug 13, 2017

Rendered view

Copy link
Contributor

@ssiloti ssiloti left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, other than a few minor editorial issues


If a client has access to at least a shadow key it may want to check consistency, such as the length and number of pieces, between the encrypted representation and the plaintext metadata in the shadow dictionary.
It may also want to display the metadata of the plaintext to the user instead of the encrypted representation.
Since the shadow dictionary also contains merkle roots for each file correct decryption can also be verified at the file granularity level. Transfer of plaintext merkle layers is not supported, but clients can still use deduplication if they other files with identical plaintext.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Typo in last sentence.

if they have other files with identical plaintext.

8. verify ``SIV``
9. derive ``payload_nonce`` from ``infohash_plain`` and ``salt``
10. if ``payload_key`` is available decrypt ``plaintext_padded``
11. split `plaintext_padded`` according to file layout information in the plaintext info dictionary
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

missing opening backtick for plaintext_padded

17. add the following key value pair to the info dictionary of the encrypted torrent: ``"enc mac": mac``

This construction
* obscures the exact size of the plaintext by rounding to the nearest piece size
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There needs to be a blank line inserted above this one to get the bulleted list formatting.

@the8472
Copy link
Contributor Author

the8472 commented Aug 29, 2017

I have realized that info-dictionary level encryption metadata is in conflict with or would significantly complicate mutable torrents, torrent feeds etc.
I'll move it to the per-file metadata instead to make those features orthogonal

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants