[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: CADET protocol: Anna or Betty?
|
From: |
Christian Grothoff |
|
Subject: |
Re: CADET protocol: Anna or Betty? |
|
Date: |
Sat, 4 Jan 2020 10:37:56 +0100 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2 |
On 1/3/20 3:23 PM, carlo von lynX wrote:
> On Fri, Jan 03, 2020 at 10:28:02PM +0900, Schanzenbach, Martin wrote:
>> That sounds like it allows anyone to highjack any (established) channel
>> after a successful kx.
>
> Oh, transport does not guarantee the identity of nodes so CADET
> has to handle authentication itself... great. Still, an attacker
> would not be able to hijack a conversation, just break it.. right?
Transport guarantees it for hop-by-hop, but CADET is end-to-end. So
Transport may assure Anna that she's talking to xrs, and to xrs that
he's talking with Betty, but that doesn't help us for Anna-Betty.
A concern here is an attacker replying an ancient initiation message to
break an ongoing session.
Given that we have 3DH, this should only be about availability, not
confidentiality/integrity.
> dvn has suggested a different approach, to make the
> CADET_CONNECTION_CREATE ensure that both sides have the same
> state, so we are looking into adding extra info there (which
> I understand would be a breaking protocol change, since gnunet
> does not have PSYC's extensibility).
Breaking compatibility to fix these types of bugs is OK.
> btw, figuring out how CADET tunnels get stuck and stop working
> was the amazing work of
> __
> _|_ > __ __ __ _ _ | _ _|_
> | -{ (_ (_ /__) |/ / | |< |
> |_ __> __) __) \___ | \_|_| \ |_
Thanks, t3sserakt!