I propose to make some relatively minor changes to our HTL mechanism, which will greatly improve security against several types of attacks. These must go in before 0.7.0 IMHO.
Implementation time: less than 2 hours. Network stabilisation: 1-2 days. All we have to do is release a build which is mandatory in 24 hours, then wait 2 days and it should all be done. During the transition there will be more timeouts.

Changes:
- Reduce pDropAtMaxHTL to 10%.
- Eliminate nearestLoc. Keep it in FNPDataRequest and FNPRouteNotFound for now (to avoid more disruptive code changes), but don't use it; set it to -1.0. No longer reset HTL when we get closer to the target than the nearest so far.

Justification: Having nearestLoc enables some very nasty attacks. There are two main classes of attack we care about here:

1. Remote attacks. The attacker is a long way away, but able to move relatively easily across the opennet (or even the darknet in some scenarios). nearestLoc allows the attacker to narrow down the location of the originator extremely quickly: if we get a request with nearestLoc = 0.5 and target = 0.7, we know the originator is no closer to the target than 0.5, hence dist(originator, 0.7) >= dist(0.5, 0.7), so the originator is between 0.5 and 0.9. Assuming we can correlate requests in a splitfile, we will get lots of these samples and can quickly intersect their ranges to narrow down the originator. Note that similar attacks are possible based on the fact that a node received a request for a specific key, but they are much slower and less reliable without nearestLoc.

2. Local attacks. The attacker is connected to the target, and not able to move. His objective is to identify the target (or to identify that he is not connected to the target). If HTL = 10 and nearestLoc is equal to the previous node's location, there is a 1 in (average number of resets + 1) probability that the previous node is the originator. In all other cases, there is a 100% chance that the previous node is NOT the originator.
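The remote attack described in the post, worked through in code. This is an added example written for this page; it is not code from the post or from the Freenet code base. Each observed sample (nearestLoc, target) gives d = dist(nearestLoc, target) and the constraint dist(originator, target) >= d, so the originator lies on the closed arc of the unit ring outside the open arc (target - d, target + d); an attacker who can correlate one originator's requests intersects those arcs. For the post's numbers, nearestLoc = 0.5 and target = 0.7, the locations satisfying dist(originator, 0.7) >= 0.2 are exactly those outside the open arc (0.5, 0.9), i.e. the wrapped arc from 0.9 round through 0 to 0.5, which is what `feasible_arc` returns. The traffic in `simulate_samples` is constructed (a fixed originator, uniformly random keys, a few uniformly random intermediate nodes per request, a fixed seed) and is an assumption of the example, as is treating a negative nearestLoc as the proposed -1.0 sentinel that carries no information.

```python
"""Range-intersection attack enabled by nearestLoc (added example, not Freenet code).

Locations live on the unit ring [0, 1).  A request carries the key's location
(target) and nearestLoc, the closest location the request has visited so far,
which is never farther from the target than any node on the path, the
originator included.  So for one observed sample:

    dist(originator, target) >= dist(nearestLoc, target) = d

and the originator lies on the closed arc that excludes the open arc
(target - d, target + d).  Correlating many samples (e.g. the blocks of a
splitfile) lets an attacker intersect those arcs.
"""
import random

EPS = 1e-9  # pad each arc by this much so float rounding never excludes the true originator


def dist(a, b):
    """Circular distance on the unit ring, in [0, 0.5]."""
    x = abs(a - b) % 1.0
    return min(x, 1.0 - x)


def feasible_arc(nearest_loc, target):
    """Originator locations consistent with one (nearestLoc, target) sample, as a
    list of closed intervals inside [0, 1] (two intervals if the arc wraps past 1).
    A negative nearest_loc models the proposed -1.0 sentinel (assumption): no information."""
    if nearest_loc < 0.0:
        return [(0.0, 1.0)]
    d = dist(nearest_loc, target)
    if d <= EPS:
        return [(0.0, 1.0)]  # nearestLoc sits on the target: nothing is excluded
    lo = (target + d - EPS) % 1.0  # arc runs clockwise from target+d ...
    hi = (target - d + EPS) % 1.0  # ... round the ring to target-d
    if lo <= hi:
        return [(lo, hi)]
    return [(lo, 1.0), (0.0, hi)]


def intersect(a, b):
    """Intersection of two interval lists (each a union of closed intervals)."""
    out = []
    for s1, e1 in a:
        for s2, e2 in b:
            s, e = max(s1, s2), min(e1, e2)
            if s <= e:
                out.append((s, e))
    return out


def measure(intervals):
    """Total length of the feasible set (1.0 = no information)."""
    return sum(e - s for s, e in intervals)


def contains(intervals, loc):
    """True if loc (mod 1) lies in the feasible set; 0.0 and 1.0 are the same point."""
    x = loc % 1.0
    candidates = (x, 1.0) if x == 0.0 else (x,)
    return any(s <= c <= e for c in candidates for s, e in intervals)


def narrow_down(samples):
    """Intersect the arcs of all samples; returns (feasible set, measure after each sample)."""
    feasible = [(0.0, 1.0)]
    history = []
    for nearest_loc, target in samples:
        feasible = intersect(feasible, feasible_arc(nearest_loc, target))
        history.append(measure(feasible))
    return feasible, history


def simulate_samples(originator, n_samples, path_len, rng):
    """Constructed traffic: each request is for a uniformly random key and passes
    through path_len uniformly random nodes before the attacker sees it; the
    attacker observes nearestLoc = closest of {originator, path nodes} to the key."""
    samples = []
    for _ in range(n_samples):
        target = rng.random()
        path = [originator] + [rng.random() for _ in range(path_len)]
        nearest_loc = min(path, key=lambda loc: dist(loc, target))
        samples.append((nearest_loc, target))
    return samples


def demo(originator=0.31, n_samples=200, path_len=3, seed=1):
    """Deterministic run of the attack against a constructed originator."""
    rng = random.Random(seed)
    samples = simulate_samples(originator, n_samples, path_len, rng)
    return narrow_down(samples)


if __name__ == "__main__":
    single = feasible_arc(0.5, 0.7)  # the post's sample
    print("one sample (0.5, 0.7): feasible =", single, "measure = %.3f" % measure(single))
    feasible, history = demo()
    for k in (1, 5, 20, 50, 200):
        print("after %3d samples: feasible measure = %.6f" % (k, history[k - 1]))
    print("originator 0.31 still inside:", contains(feasible, 0.31))
```

Two properties of the construction matter for the attack. Whenever the originator itself is the closest node to the key (which it is for any key that lands near it, because the originator is also the first value nearestLoc takes), the excluded open arc has the originator exactly on its boundary, so every point strictly between the originator and that key is eliminated; a handful of such samples on each side collapses the feasible set to the originator's own location, and the remaining samples wipe out the rest of the ring. With the proposed change (nearestLoc fixed at -1.0 and no HTL reset) `feasible_arc` returns the whole ring for every sample and the intersection never shrinks; the attacker is left with the slower, key-based correlation the post mentions. The local attack, whose 1 in (resets + 1) figure is a single probability, is not modelled here.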
