[cryptography] cjdns review

David McGrew (mcgrew) mcgrew at cisco.com
Thu Oct 4 17:19:29 EDT 2012



On 10/4/12 4:45 PM, "Guus Sliepen" <guus at sliepen.org> wrote:

>On Thu, Oct 04, 2012 at 02:37:53PM +0200, Eugen Leitl wrote:
>
>> I've recently become interested in cjdns
>>http://en.wikipedia.org/wiki/Cjdns
>> which apparently used NaCl in UDP over tun when tunneling.
>> 
>> I'm not aware of any review of the entire system, including
>> key generation etc.
>
>Disclaimer: I only read the Wikipedia article and the whitepaper.
>
>It is very interesting, they use the hash of a public key as the address
>of a
>node. 

Sounds like HIP <http://datatracker.ietf.org/wg/hip/charter/>

>That reminds me of SILC. There is some cost involved in claiming an
>address; one must generate 128 EC keys one average, since the first byte
>of the
>address must always be 0xFC in order to be a valid IPv6 address without
>conflicting with public addresses.
>
>If you know which node you want to talk to, both peers first generate
>ephemeral
>keys, which are signed and encrypted using NaCl's crypto_box() function.
>Then
>these ephemeral keys will be used to encrypt the real data packets, but
>again
>using crypto_box(). That means asymmetric crypto is used for every packet,
>which makes it VERY slow.
>
>Not only that; apart from end-to-end encryption and authentication,
>packets are
>also encrypt+authenticed hop-by-hop (unless the peers are direct
>neighbors).
>Given that it is also possible to do a limited form of source routing,
>this
>might make it robust against traffic analysis and increase anonimity, but
>it
>adds a large burden to intermediate nodes. It also goes against the
>Internet's
>principle of a dumb core with smart edges.
>
>I do not see an obvious flaw in the key generation, encryption and
>authentication. But in the end, you are not going to remember 120 bit
>addresses, so currently they are just running DNS on top, I guess that is
>a
>very weak point in cjdns.
>
>Another issue might be the routing table itself; the whitepaper doesn't
>mention
>much, but the Wikipedia page say they use a DHT similar to Kademlia. I do
>not
>know how well that can route around "damage" or malicious nodes.

Interestingly, that's also a part of HIP
<http://tools.ietf.org/html/rfc6537>

David

>
>-- 
>Met vriendelijke groet / with kind regards,
>      Guus Sliepen <guus at sliepen.org>




More information about the cryptography mailing list