Revision [2482]
Last edited on 2008-01-28 10:38:41 by NextGens [remove the part about patricia trees]
Deletions:
Additions:
The Initiator echoes the data sent by the Responder, including the authenticator. This helps the Responder verify the authenticity of the returned data. The authenticator is sufficient defense against forgery; replays, however, could cause considerable computation. The defense against this is to cache the corresponding Message (4); if a duplicate Message (3) is seen, the cached response is retransmitted. The key for looking up a Message (3) in the cache is the authenticator; this prevents DoS attacks where the attacker randomly modifies the encrypted blocks of a valid message, causing a cache miss and thus more processing to be done at the Responder. Rejection messages do not concern us, because the group information sent in Message (2) indicates which groups and algorithms are acceptable, avoiding the need for explicit message rejection.
Deletions:
are acceptable avoiding the need for explicit message rejection.
Additions:
[[http://wiki.freenetproject.org/FreenetZeroPointSevenSecurity Link level encryption]] in Freenet 0.7 is achieved using a variant on the Station-to-Station protocol using the nodes' public/private keys. JFK (Just Fast Keying) is a DOS-resistant DH variant which supports pre-calculation of almost everything. It comes in two variants, JFKi and JFKr. JFKi provides active identity protection for the initiator and no identity protection for the responder, whereas JFKr provides active identity protection for the responder and passive identity protection for the initiator. We have, however, decided to use JFKi.
**Why JFKi?**
There have been discussions on the mailing lists regarding this already. For more on these discussions, look [[http://archives.freenetproject.org/message/20060421.170010.d3216fd2.en.html here]]. The protocol is optimized to protect the responder against DOS attacks on state or computation. The initiator bears the initial computational burden and must establish round-trip communication with the responder before the latter is required to perform expensive operations. At the same time, the protocol is designed to limit the private information revealed by the initiator; she does not reveal her identity until she is sure that only the responder can retrieve it. (An active attacker can replay an old Message (2) as a response to the initiator’s initial message, but he cannot retrieve the initiator’s identity from Message (3) because he cannot complete the Diffie-Hellman computation.)
1 Initiator-Responder:
2 Responder-Initiator:
3 Initiator-Responder:
4 Responder-Initiator:
Encrypted message of the signature on both nonces and both exponentials, using the same keys as in the previous message. The Initiator can verify that the Responder is present and participating in the session by decrypting the message and verifying the enclosed signature.
**DOS Mitigation**
Deletions:
Why JFKi?
There have been several discussions on the mailing lists regarding this already. The protocol is optimized to protect the responder against DOS attacks on state or computation. The initiator bears the initial computational burden and must establish round-trip communication with the responder before the latter is required to perform expensive operations. At the same time, the protocol is designed to limit the private information revealed by the initiator; she does not reveal her identity until she is sure that only the responder can retrieve it. (An active attacker can replay an old Message (2) as a response to the initiator’s initial message, but he cannot retrieve the initiator’s identity from Message (3) because he cannot complete the Diffie-Hellman computation.)
1-Initiator-Responder:
2-Responder-Initiator:
3-Initiator-Responder:
4-Responder-Initiator:
Encrypted message of the signature on both nonces, both exponentials using the same keys as in the previous message
DOS Mitigation
Additions:
Denial-of-service attacks can be directed at Freenet in several ways. One way would be to insert a large number of bogus files into the network in an attempt to fill the network’s storage capacity. If the attacker can legitimize his bogus files by requesting them from strategic locations so that they are cached in as many locations as possible, it becomes difficult for the genuine ‘inserts’ to survive long enough to be requested by others and become established. However, if the attacker inserts several bogus files with the same search key as the target file into many nodes that are disconnected from the network, then when these nodes rejoin the network there will be several corrupt copies of the file. Distributed DOS attacks can be launched by the attacker by using several zombie systems to simultaneously launch smurf attacks (spoofed broadcast ping messages to flood the system) because there is nothing to prevent the attacker from using any number of ports on a single host pretending to be an extremely large number of nodes. The attacker could also modify all messages that pass through him by generating false RequestFailed or TimedOut messages to DataRequests or sending messages with extremely large amounts of data. As of now, we use a variant on the Station-to-Station protocol using the nodes' public/private keys. JFK (Just Fast Keying) is a DOS-resistant DH variant which supports pre-calculation of almost everything. It comes in two variants, JFKi and JFKr. JFKi provides active identity protection for the initiator and no identity protection for the responder, whereas JFKr provides active identity protection for the responder and passive identity protection for the initiator. We have, however, decided to use JFKi.
Deletions:
by requesting them from strategic locations where it will be cached onto as many locations as possible. This also makes it difficult for
the genuine ‘inserts’ to survive long enough to be requested by others and become established. However, if the attacker inserts several bogus files with the same search key as the target file into many nodes that are disconnected from the network, then when these nodes rejoin the network there will be several corrupt copies of the file. Distributed DOS attacks can be launched by the attacker by using
several zombie systems to simultaneously launch smurf attacks (spoofed broadcast ping messages to flood the system) because there is nothing to prevent the attacker from using any number of ports on a single host pretending to be an extremely large number of nodes. (I think this has been taken care of now though.) The attacker could also modify all messages that pass through him by generating false RequestFailed or TimedOut messages to DataRequests or sending messages with extremely large amounts of data.
Reset when Hkr is changed
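The Message (3) replay cache described above, including the reset when HKr changes, as an added Python sketch; it is not Freenet's code. The authenticator inputs (responder exponential, both nonces, initiator address), the `Responder` class and the placeholder Message (4) are assumptions made for illustration.

```python
import hashlib
import hmac
import os


class Responder:
    """Responder side of the Message (3) replay cache (illustrative sketch)."""

    def __init__(self):
        self.hkr = os.urandom(32)   # transient secret HKr behind the authenticator
        self.cache = {}             # authenticator -> cached Message (4)
        self.expensive_ops = 0      # counts DH + signature work actually performed

    def authenticator(self, g_r, n_r, n_i, initiator_addr):
        # Assumed input fields: responder exponential, both nonces, initiator address.
        h = hmac.new(self.hkr, digestmod=hashlib.sha256)
        for field in (g_r, n_r, n_i, initiator_addr):
            h.update(len(field).to_bytes(2, "big") + field)  # length-prefix each field
        return h.digest()

    def rotate_hkr(self):
        # Old authenticators no longer verify, so cached replies are useless: reset.
        self.hkr = os.urandom(32)
        self.cache.clear()

    def handle_message3(self, g_r, n_r, n_i, initiator_addr, auth, encrypted):
        # 1. Cheap check: recompute the authenticator from the echoed fields.
        expected = self.authenticator(g_r, n_r, n_i, initiator_addr)
        if not hmac.compare_digest(expected, auth):
            return None  # forged or stale: dropped before any expensive work
        # 2. Replay check keyed on the authenticator alone, so tampering with the
        #    encrypted blocks of a valid Message (3) cannot force a cache miss.
        if auth in self.cache:
            return self.cache[auth]
        # 3. First sighting: placeholder for the DH computation, decryption and
        #    signature verification of `encrypted`, then building Message (4).
        self.expensive_ops += 1
        message4 = b"MSG4:" + hashlib.sha256(auth + encrypted).digest()
        self.cache[auth] = message4
        return message4
```

Keying the cache on a hash of the whole Message (3) instead would let each one-bit change to the ciphertext trigger step 3 again, which is the attack the page describes.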