On Tuesday 09 November 2010 22:00:27 Robert Hailey wrote:
> On 2010/11/09 (Nov), at 2:59 PM, Matthew Toseland wrote:
> > On master, we use the hard RNG (Yarrow) to generate padding for data
> > packets, but not for auth packets, which use fastWeakRandom. With
> > anon-auth we often don't have a PeerNode object on which to put a
> > per-peer RNG...
> >
> > On zidel/packetFormat (the new packet format branch), for a while
> > fastWeakRandom was used to generate padding for packets; now it's a
> > per-peer weak RNG. On that branch, the crypto is dependent on the
> > IV, not on the packet hash, so arguably the strength of the padding
> > is less important, but it's still probably a bad idea to pad with
> > predictable data?
>
> It looks like the current code encrypts the padding before transit
> anyway. If the new code does not finally encrypt the padding, then
> other concerns might be exposing so much direct output from the RNG
> that its seed becomes guessable, or using up entropy (if that is
> possible here).

Yes, the padding is encrypted.

> btw, do resends have "new" random padding each time? If that is the case
> it would also not matter, b/c even a weak attacker could drop your
> packets and correlate them to find the precise length (and ignore the
> padding).

No, they can't. On the current FNP, the hash (which includes the padding, as well as the 12 bytes of junk data, i.e. hard randomness) goes first, and influences the encryption for the whole packet (as an IV). Plus the sequence number is encrypted. On the new packet format, the crypto is determined by the IV, which is generated from the packet number, but we never reuse packet numbers even on resends.
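The point in the reply above, that encrypted padding only hides the payload/padding boundary on a resend if the packet number (and hence the IV) is never reused, as an added simulation. This is not Freenet code: the HMAC-based keystream, the IV derivation from the packet number, the demo key and the sample payload and padding are all constructed stand-ins.

```python
import hmac
import hashlib

# Constructed demo key; a real node would use the negotiated session key.
DEMO_KEY = bytes(range(32))


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in stream cipher: concatenated HMAC-SHA256(key, iv || counter) blocks.
    It only models 'the crypto is determined by the IV'; it is not Freenet's cipher."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def iv_from_packet_number(packet_number: int) -> bytes:
    """New-format style: the IV is derived from the (never reused) packet number."""
    return packet_number.to_bytes(8, "big")


def encrypt_packet(key: bytes, packet_number: int, payload: bytes, padding: bytes) -> bytes:
    """Encrypt payload and padding together, so padding bytes never travel in clear."""
    plaintext = payload + padding
    ks = keystream(key, iv_from_packet_number(packet_number), len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def first_differing_byte(c1: bytes, c2: bytes):
    """Index of the first byte where two equal-length ciphertexts differ, or None."""
    for i, (a, b) in enumerate(zip(c1, c2)):
        if a != b:
            return i
    return None


def resend_experiment(reuse_packet_number: bool):
    """Send a payload, then resend it with fresh padding, and look at what an
    eavesdropper comparing the two ciphertexts sees. If the packet number (so
    the IV and keystream) is reused, c1 XOR c2 == p1 XOR p2, and the first
    differing byte is exactly the payload/padding boundary: the padding length
    leaks despite the encryption. With a fresh packet number the two
    ciphertexts are unrelated, so the boundary is not visible."""
    payload = b"hello world"                 # constructed 11-byte payload
    padding_first = bytes([1, 2, 3, 4, 5])   # constructed padding on first send
    padding_resend = bytes([9, 9, 9, 9, 9])  # constructed fresh padding on resend
    c1 = encrypt_packet(DEMO_KEY, 7, payload, padding_first)
    pn_resend = 7 if reuse_packet_number else 8
    c2 = encrypt_packet(DEMO_KEY, pn_resend, payload, padding_resend)
    return first_differing_byte(c1, c2)
```

`resend_experiment(True)` returns 11, the payload length, while `resend_experiment(False)` returns an index inside the payload that says nothing about where the padding starts.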
