One-time passwords ================== Note that this was not my idea! Colin Davis is probably the most directly responsible person.
Fproxy provides an interface to create, or set, one-time passwords. These are time-limited, single-use, human-readable keys which enable a bootstrap connection to your node. You give a friend your IP address, port number, and a one-time password. This can be used precisely once. It can however be used by a newbie. The recipient sets up a node, or already has one. He types in the IP address, port number and the one-time password. The node connects to that IP address and sends a hash of the password and the current time (and some random data etc to start to set up encryption for the rest of the exchange, encrypted using another hash of the password). If the node recognises the password, a reference exchange ensues and the nodes get connected. Dependancies ------------ The node issuing one-time passwords must be able to receive packets from anywhere on the internet. So we need UP&P. Attacks ------- A brute-force/dictionary attack may be mounted by an attacker. We can either hope that he doesn't hit the right password (reasonable if it is computer generated and long, or is very short lived; not so reasonable otherwise), or we can shut down the introduction mechanism if we see too many attempts (this is turning it into a DoS). A dictionary attack on captured traffic may reveal this protocol, hence allow the attacker to find nodes passively. An active man-in-the-middle attack should not be feasible unless the attacker can guess the password, assuming the protocol is well-designed (it isn't really designed at all right now). -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: Digital signature URL: <https://emu.freenetproject.org/pipermail/tech/attachments/20070306/24022614/attachment.pgp>
