Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] New Anonymity Network for Short Messages

Sean Cassidy sean.a.cassidy at gmail.com
Tue Jun 11 10:47:21 PDT 2013


On Tue, Jun 11, 2013 at 10:29 AM, Steve Weis <steveweis at gmail.com> wrote:
> Hi. I took a quick look while procrastinating at work and found a few
> potential issues:

Thanks for taking a look. I'll be sure to incorporate your feedback.
>
> - What's up with this hard-coded salt?

Lack of love for the text client. I should just delete that code. The
primary user interface is the HTTP endpoint.

> - Any specific reason you picked CTR?

CTR is widely recommended. Cryptography Engineering specifically recommends it.

> - Use mlock here? I don't think that will help you if you run within a guest
> VM though.
> - Buffer overflow on password input

Absolutely true.

> - Is this safe for non-terminated strings?

Gah, must have missed that in my review.

> - Why do you have this checksum if you just HMACed the ciphertext?

This checksum is an important part of DiNet. Each packet comes with a
checksum that each router uses to verify the message integrity (not
authenticate, mind you) and to make sure it hasn't seen this message
before. As each router sends every packet it hasn't seen recently to
every machine that is connected to it, it is important to not re-send
data.

> - HMAC verification is vulnerable to a timing attack. Since you're using
> CTR, it's that much easier to forge messages.

I will have to look into this in my Javascript client as well. Do you
have any recommendations?

> - There's no forward security.

I am aware. This is a feature I would love to add to the Javascript client.

>
> This is by no means comprehensive. I've only been looking at a couple files.

Thanks for looking! I appreciate the feedback.

Sean

>
>
> On Tue, Jun 11, 2013 at 9:52 AM, Sean Cassidy <sean.a.cassidy at gmail.com>
> wrote:
>>
>> Hello all,
>>
>> I have created a simple anonymity network that broadcasts all messages
>> to participants so that you cannot associate chatters.
>>
>> https://bitbucket.org/scassidy/dinet
>>
>> There is a simple sample client available, but you could write your
>> own client to build your own features atop the network.
>>
>> http://projects.existentialize.com/dinet/client.html
>>
>> Please let me know if you have any comments.
>>
>> Sean
>> --
>> Too many emails? Unsubscribe, change to digest, or change password by
>> emailing moderator at companys at stanford.edu or changing your settings at
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
>
>
> --
> Too many emails? Unsubscribe, change to digest, or change password by
> emailing moderator at companys at stanford.edu or changing your settings at
> https://mailman.stanford.edu/mailman/listinfo/liberationtech



More information about the liberationtech mailing list