I noticed on http://wiki.freenetproject.org/FreenetZeroPointSevenSecurity
that there are plans to use JFKi.  I was wondering why the choice of
JFKi vs JFKr. Both are similar from a security, complexity, and a DOS
resistance perspective but JFKr has the advantage that a passive
eavesdropper learns nothing of the identity of the peers, and that the
exchange itself doesn't produce any non-repudiable signatures.

For the 0.7 darknet mode, we could achieve a substantial degree of DOS
resistance at a fairly low computational cost while improving security
overall, which could be used in addition to DH style methods for PFS.

It would work like so:
After two nodes (I,T) first establish an encrypted and authenticated
link, they exchange random secrets (Is,Ts). Both nodes remember the
secrets. E(key,data) is encrypt with a symmetric cipher (in at least
CBC mode).

Then when node I initiates a connection to T in the future he computes
and sends E('freenet',nonce|H(Is | Ts))|E(Ts,nonce2 |
'freenet')|standard DH stuff.

T can cheaply tell if he's talking to I (worst case he just has to
perform two symmetric decryptions)... The nonce is in there so that
the message never contains any static content that would make freenet
conversations easier to identify.  Nonce2 should be either used to
encrypt the DH exchange, or mixed with the key that DH produces.

Once all of a node's configured peers have connected at least once, the
node can reject any request which doesn't complete the above exchange.

This improves security because it is DOS resistant (doesn't depend on
public key operations, doesn't add round trips), MITM resistant
(presuming that the initial connection was secure), and protects the
identity of the peers (only information about the per-edge secrets is
potentially leaked).

This could be straightforwardly extended with a user provided per-peer
secret which would be used for the initial exchange.  If we can assume
the users have a secure way to exchange a per-peer secret (why not, we
expect them to be able to secretly exchange references) we can have a
system which retains some security even if the DHP is someday proven
weak.
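The following is an added example, not code from the post or from the Freenet project, showing the cheap pre-authentication gate described above: I builds E('freenet', nonce | H(Is|Ts)) | E(Ts, nonce2 | 'freenet') | DH payload, and T needs only a table lookup and two symmetric decryptions to decide whether the sender is a configured peer before doing any public-key work. Field lengths, SHA-256 for H(), and the cipher are assumptions; because the post calls for AES-CBC and this block is standard-library only, E()/D() use HMAC-SHA256 in counter mode as a constructed stand-in, which keeps the message structure but is not the cipher the post specifies.

```python
import hmac
import hashlib
import secrets

# Constructed parameters: the post fixes none of these lengths.
MAGIC = b"freenet"      # the 'freenet' marker from the post
NONCE_LEN = 16
IV_LEN = 16
HASH_LEN = 32           # H() is SHA-256 here (assumption)


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a library-free stand-in for the AES-CBC
    # the post calls for. Only the shape of the exchange matters here.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def E(key: bytes, data: bytes) -> bytes:
    # Fresh IV per message, so two encryptions of equal data never match.
    iv = secrets.token_bytes(IV_LEN)
    return iv + bytes(a ^ b for a, b in zip(data, _keystream(key, iv, len(data))))


def D(key: bytes, blob: bytes) -> bytes:
    iv, ct = blob[:IV_LEN], blob[IV_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct))))


TOKEN1_LEN = IV_LEN + NONCE_LEN + HASH_LEN      # E('freenet', nonce | H(Is|Ts))
TOKEN2_LEN = IV_LEN + NONCE_LEN + len(MAGIC)    # E(Ts, nonce2 | 'freenet')


def build_hello(Is: bytes, Ts: bytes, dh_public: bytes):
    """Initiator I: the message sent when reconnecting to T.

    Returns the wire message and nonce2 so I can mix it into the DH key."""
    nonce = secrets.token_bytes(NONCE_LEN)    # keeps the message free of static content
    nonce2 = secrets.token_bytes(NONCE_LEN)   # later mixed into the DH-derived key
    msg = E(MAGIC, nonce + H(Is + Ts)) + E(Ts, nonce2 + MAGIC) + dh_public
    return msg, nonce2


class Responder:
    """Node T: one (Is, Ts) pair per configured peer, indexed by H(Is|Ts)."""

    def __init__(self):
        self.peers = {}

    def add_peer(self, name: str, Is: bytes, Ts: bytes) -> None:
        self.peers[H(Is + Ts)] = (name, Ts)

    def check_hello(self, msg: bytes):
        """Return (peer name, nonce2, DH payload), or None to reject.

        Worst case is two symmetric decryptions; unknown senders fall out
        after the first one and a dictionary lookup."""
        if len(msg) < TOKEN1_LEN + TOKEN2_LEN:
            return None
        first = D(MAGIC, msg[:TOKEN1_LEN])
        tag = first[NONCE_LEN:]                   # H(Is|Ts), the per-edge identifier
        entry = self.peers.get(tag)
        if entry is None:
            return None                           # not a configured peer: no DH, no PK ops
        name, Ts = entry
        second = D(Ts, msg[TOKEN1_LEN:TOKEN1_LEN + TOKEN2_LEN])
        nonce2, marker = second[:NONCE_LEN], second[NONCE_LEN:]
        if not hmac.compare_digest(marker, MAGIC):
            return None                           # right tag, but sender lacks Ts
        return name, nonce2, msg[TOKEN1_LEN + TOKEN2_LEN:]


def session_key(dh_shared: bytes, nonce2: bytes) -> bytes:
    # "mixed with the key that DH produces": bind the session to nonce2,
    # which only a holder of Ts could have read out of the hello.
    return H(dh_shared + nonce2)
```

Because nonce2 travels only inside E(Ts, ...), a replay of a captured hello gets an attacker past the cheap gate but not to a usable session key: without Ts they cannot recover nonce2, so session_key() on their side never matches T's. The gate therefore cuts the public-key work spent on strangers while the DH exchange still decides who actually gets a session.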
