Link level encryption in Freenet 0.7 is achieved using a variant of the Station-to-Station protocol based on the nodes' public/private keys. JFK (Just Fast Keying) is a DoS-resistant Diffie-Hellman variant which supports pre-calculation of almost everything. It comes in two variants, JFKi and JFKr. JFKi provides active identity protection for the initiator and no identity protection for the responder, whereas JFKr provides active identity protection for the responder and only passive identity protection for the initiator. We have decided to use JFKi.
Why JFKi?
There have already been discussions on the mailing lists regarding this; for more on these discussions, look here. The protocol is optimized to protect the responder against DoS attacks on state or computation. The initiator bears the initial computational burden and must establish round-trip communication with the responder before the latter is required to perform any expensive operation. At the same time, the protocol is designed to limit the private information revealed by the initiator: she does not reveal her identity until she is sure that only the responder can retrieve it. (An active attacker can replay an old Message (2) as a response to the initiator's initial message, but he cannot retrieve the initiator's identity from Message (3) because he cannot complete the Diffie-Hellman computation.)
We actually don't need most of what JFK does (such as signing the peer's identity), precisely because on darknet both sides already know each other. For an opennet initial connect from seednodes, however, we do need the exchange of certs etc., and slightly different crypto.
JFKi enjoys the following advantage over JFKr: whenever a party P completes a JFKi exchange with peer Q, it is guaranteed that Q has initiated an exchange with P and is aware of P's existence. JFKr does not have this property.
1 Initiator-Responder:
The initiator sends a straightforward Diffie-Hellman exponential (g^i) along with a random nonce.
The initiator nonce serves two purposes: it allows the initiator to reuse the same exponential across different sessions while ensuring that the resulting session key is different each time, and it can be used to differentiate between parallel sessions.
2 Responder-Initiator:
The responder replies with a signed copy of his own exponential (g^r), a random nonce, and an authenticator: a keyed hash computed under a transient hash key private to the responder (in JFK it covers g^r, both nonces and the initiator's address). Everything needed to continue is carried in the message itself, so the responder keeps no per-initiator state at this point.
3 Initiator-Responder:
The initiator echoes the data sent by the responder, including the authenticator, which lets the responder verify that the returned data is genuine. The authenticator is sufficient defence against forgery; replays, however, could cause considerable computation. The defence against this is to cache the corresponding Message (4): if a duplicate Message (3) is seen, the cached response is retransmitted. The key for looking up Message (3) in the cache is the authenticator; this prevents DoS attacks where the attacker randomly modifies the encrypted blocks of a valid message, which would otherwise cause a cache miss and thus more processing at the responder. Rejection messages do not concern us because the group information sent in Message (2) indicates which groups and algorithms are acceptable, avoiding the need for explicit message rejection.
4 Responder-Initiator:
An encrypted message containing the responder's signature over both nonces and both exponentials, using the same keys as in the previous message. The initiator can verify that the responder is present and participating in the session by decrypting the message and verifying the enclosed signature.
DoS Mitigation
The responder keeps no state on receiving Message (1)
The HMAC is produced and verified by the responder only
The HMAC is used to quickly discard DoS packets before any expensive work
The responder (and initiator) can reuse g^r and g^i; the key material still changes because the nonces enter the key derivation
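The four-message exchange described above and the DoS mitigations just listed, as one added worked example (it is not Freenet's own code). It assumes the 1024-bit MODP group of RFC 2409 for speed, stand-in Schnorr signatures over that group in place of the nodes' real long-term keys, messages 3 and 4 authenticated with an HMAC rather than encrypted, and the JFK authenticator layout (a keyed hash over g^r, both nonces and the initiator's address); the class and function names are the example's own.

```python
"""Toy JFKi run (added example, not Freenet's code): the four messages
plus the responder's DoS defences. Simplifications: Schnorr signatures in
the DH group stand in for real keys; messages 3 and 4 are MACed, not encrypted."""
import hashlib
import hmac
import secrets

# RFC 2409 1024-bit MODP group (generator 2), chosen to keep the toy fast;
# an assumption of this example, not the group Freenet uses.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G, Q = 2, (P - 1) // 2  # safe prime: 2 generates the subgroup of order Q

def h(*parts): return hashlib.sha256(b"|".join(parts)).digest()
def mac(k, *parts): return hmac.new(k, b"|".join(parts), hashlib.sha256).digest()
def i2b(x): return x.to_bytes(128, "big")
def b2i(b): return int.from_bytes(b, "big")
def rand_exp(): return secrets.randbelow(Q - 1) + 1

# Schnorr stand-in: sig (e, s) with s = k - x*e; valid iff e == H(g^s * y^e, m).
def keygen(): x = rand_exp(); return x, pow(G, x, P)

def sign(x, m):
    k = rand_exp()
    e = b2i(h(i2b(pow(G, k, P)), m)) % Q
    return e, (k - x * e) % Q

def verify(y, m, sig):
    e, s = sig
    return e == b2i(h(i2b(pow(G, s, P) * pow(y, e, P) % P), m)) % Q

def session_keys(shared, n_i, n_r):  # nonces in the KDF: reused exponents, fresh keys
    return h(i2b(shared), n_i, n_r, b"s"), h(i2b(shared), n_i, n_r, b"a")

class Responder:
    def __init__(self):
        self.sk, self.pk = keygen()
        self.hk = secrets.token_bytes(32)            # transient hash key HK_R
        self.r, self.cache, self.expensive_ops = rand_exp(), {}, 0
        self.g_r = pow(G, self.r, P)
        self.sig_g_r = sign(self.sk, i2b(self.g_r))  # S_R[g^r], precomputed once
    def msg2(self, n_i, g_i, addr):              # g^i is not needed until message 3
        n_r = secrets.token_bytes(16)            # nothing is stored for this initiator
        return n_i, n_r, self.g_r, self.sig_g_r, mac(self.hk, i2b(self.g_r), n_r, n_i, addr)
    def msg4(self, m3, addr):
        n_i, n_r, g_i, g_r, auth, body, tag = m3
        if not hmac.compare_digest(auth, mac(self.hk, i2b(g_r), n_r, n_i, addr)):
            return None                   # forged or stale authenticator: drop
        if auth in self.cache:
            return self.cache[auth]       # replay, even a bit-flipped one: resend
        if not 1 < g_i < P - 1:
            return None                   # degenerate exponential
        self.expensive_ops += 1           # only now do we exponentiate and verify
        k_s, k_a = session_keys(pow(g_i, self.r, P), n_i, n_r)
        transcript = b"|".join([n_i, n_r, i2b(g_i), i2b(g_r)])
        pk_i, sig_i = b2i(body[:128]), (b2i(body[128:256]), b2i(body[256:]))
        if not hmac.compare_digest(tag, mac(k_a, body)) or not verify(pk_i, transcript, sig_i):
            return None
        e, s = sign(self.sk, transcript)
        self.cache[auth] = (i2b(e) + i2b(s), mac(k_a, i2b(e) + i2b(s)))
        return self.cache[auth]

class Initiator:
    def __init__(self, addr):
        self.sk, self.pk = keygen()
        self.addr, self.i = addr, rand_exp()
        self.g_i = pow(G, self.i, P)
    def msg1(self):
        self.n_i = secrets.token_bytes(16)
        return self.n_i, self.g_i
    def msg3(self, m2, pk_r):
        n_i, n_r, g_r, sig_g_r, auth = m2
        if n_i != self.n_i or not verify(pk_r, i2b(g_r), sig_g_r):
            raise ValueError("message 2 is not a signed reply to our message 1")
        self.k_s, self.k_a = session_keys(pow(g_r, self.i, P), n_i, n_r)
        self.transcript = b"|".join([n_i, n_r, i2b(self.g_i), i2b(g_r)])
        e, s = sign(self.sk, self.transcript)
        body = i2b(self.pk) + i2b(e) + i2b(s)
        return n_i, n_r, self.g_i, g_r, auth, body, mac(self.k_a, body)
    def finish(self, m4, pk_r):
        body, tag = m4
        sig = (b2i(body[:128]), b2i(body[128:]))
        if not hmac.compare_digest(tag, mac(self.k_a, body)) or not verify(pk_r, self.transcript, sig):
            raise ValueError("responder did not prove it holds the session key")
        return self.k_s

def run(ini, res):
    m3 = ini.msg3(res.msg2(*ini.msg1(), ini.addr), res.pk)
    return ini.finish(res.msg4(m3, ini.addr), res.pk), m3

def replay_costs_nothing(res, m3, addr):
    """Exact and bit-flipped replays of message 3 come from the cache; a bad authenticator is dropped."""
    before = res.expensive_ops
    flipped = m3[:5] + (bytes([m3[5][0] ^ 0xFF]) + m3[5][1:],) + m3[6:]
    forged = m3[:4] + (bytes(32),) + m3[5:]
    r1, r2, r3 = res.msg4(m3, addr), res.msg4(flipped, addr), res.msg4(forged, addr)
    return r1 is not None and r1 == r2 and r3 is None and res.expensive_ops == before
```

Responder.msg4 does the cheap work first: one HMAC to check the authenticator, then a cache lookup keyed by it, and only then the Diffie-Hellman exponentiation and signature check. Calling run() twice with the same Initiator and Responder objects reuses g^i and g^r but yields different session keys, and replay_costs_nothing() shows that exact and bit-flipped replays of message 3 leave expensive_ops unchanged while a forged authenticator is dropped.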