Search Mailing List Archives
[liberationtech] New Anonymity Network for Short Messages
sean.a.cassidy at gmail.com
Tue Jun 11 10:47:21 PDT 2013
On Tue, Jun 11, 2013 at 10:29 AM, Steve Weis <steveweis at gmail.com> wrote:
> Hi. I took a quick look while procrastinating at work and found a few
> potential issues:
Thanks for taking a look. I'll be sure to incorporate your feedback.
> - What's up with this hard-coded salt?
Lack of love for the text client. I should just delete that code. The
primary user interface is the HTTP endpoint.
> - Any specific reason you picked CTR?
CTR is widely recommended. Cryptography Engineering specifically recommends it.
> - Use mlock here? I don't think that will help you if you run within a guest
> VM though.
> - Buffer overflow on password input
> - Is this safe for non-terminated strings?
Gah, must have missed that in my review.
> - Why do you have this checksum if you just HMACed the ciphertext?
This checksum is an important part of DiNet. Each packet comes with a
checksum that each router uses to verify the message integrity (not
authenticate, mind you) and to make sure it hasn't seen this message
before. As each router sends every packet it hasn't seen recently to
every machine that is connected to it, it is important to not re-send
> - HMAC verification is vulnerable to a timing attack. Since you're using
> CTR, it's that much easier to forge messages.
have any recommendations?
> - There's no forward security.
> This is by no means comprehensive. I've only been looking at a couple files.
Thanks for looking! I appreciate the feedback.
> On Tue, Jun 11, 2013 at 9:52 AM, Sean Cassidy <sean.a.cassidy at gmail.com>
>> Hello all,
>> I have created a simple anonymity network that broadcasts all messages
>> to participants so that you cannot associate chatters.
>> There is a simple sample client available, but you could write your
>> own client to build your own features atop the network.
>> Please let me know if you have any comments.
>> Too many emails? Unsubscribe, change to digest, or change password by
>> emailing moderator at companys at stanford.edu or changing your settings at
> Too many emails? Unsubscribe, change to digest, or change password by
> emailing moderator at companys at stanford.edu or changing your settings at
More information about the liberationtech