Replacing Weary Crypto: Upgrading the I2P network with stronger - - PowerPoint PPT Presentation

replacing weary crypto upgrading the i2p network with
SMART_READER_LITE
LIVE PREVIEW

Replacing Weary Crypto: Upgrading the I2P network with stronger - - PowerPoint PPT Presentation

Jul 14, 2023 289 likes •469 views

Replacing Weary Crypto: Upgrading the I2P network with stronger primitives str4d https://geti2p.net str4d@i2pmail.org @str4d 2016-01-08 Tor and I2P have several similarities... Both started circa 2003 Location anonymity Onion

slide-1
SLIDE 1

Replacing Weary Crypto: Upgrading the I2P network with stronger primitives

str4d https://geti2p.net str4d@i2pmail.org @str4d 2016-01-08

slide-2
SLIDE 2

Tor and I2P have several similarities...

  • Both started circa 2003
  • Location anonymity

– Onion routing

  • Low-latency

– Vulnerability to traffic confirmation attacks!

slide-3
SLIDE 3

… but also significant differences

Tor

  • Centralized*
  • Asymmetric design

– ~8,000 relays – Millions of users

  • TCP
  • Bidirectional tunnels

I2P

  • Decentralized*
  • Symmetric design

– ~40,000 routers

  • TCP, UDP, RAW, ...
  • Unidirectional tunnels
slide-4
SLIDE 4

Tunnel layout

slide-5
SLIDE 5

I2P uses three layers of crypto

A C D E A B F G H B A B Application Destination RouterInfo Cryptography Outbound Inbound

slide-6
SLIDE 6

Link encryption

A C D E A B F G H B A B Application Destination RouterInfo Cryptography Outbound Inbound

NTCP (2006) - TCP

  • 2048-bit DH
  • 2-way auth
  • AES-256/CBC with

last 16 bytes of prev. message as IV SSU (2005) - UDP

  • 2048-bit DH
  • 2-way auth
  • AES-256/CBC with

random IV and MAC (HMAC-MD5-128*)

slide-7
SLIDE 7

Tunnel encryption

A C D E A B F G H B A B Application Destination RouterInfo Cryptography Outbound Inbound

AES-256/CBC + truncated SHA256 Packet: 4-byte Tunnel ID + 16-byte IV + Ciphertext IV encrypted before and after each hop with AES-256/ECB (ie. one block)

slide-8
SLIDE 8

End-to-end encryption

A C D E A B F G H B A B Application Destination RouterInfo Cryptography Outbound Inbound

ElGamal/AES+SessionTags First packet:

  • 514-byte

ElG(PKB, (sk, pre-IV))

  • AES-CBC(sk,

SHA256(pre-IV)[:16], (list of 32-byte nonces + payload)) Subsequent packets:

  • 32-byte nonce
  • AES-CBC(sk,

SHA256(nonce)[:16], payload)

slide-9
SLIDE 9

Original primitives

  • ElGamal-2048

– Using Oakley primes – Use short exponent [1] on non-(64-bit x86) hardware

  • DSA-1024
  • AES-256/CBC
  • SHA256
  • Non-standard HMAC-MD5-128 (only for SSU)

[1] On Diffie-Hellman Key Agreement with Short Exponents - van Oorschot, Weiner at EuroCrypt 96

slide-10
SLIDE 10

We have good update propagation

  • Automatic in-net updates since 2009
  • Via in-net torrents since 2013/14
slide-11
SLIDE 11

Legacy data structures...

256B 1B 2B 128B Destination PK (unused) SPK Cert 256B 128B LeaseSet PK SPK Leases revocation (unused) Dest Sig Length 256B 1B 2B 128B RouterIdentity PK SPK Cert Date Addresses RouterInfo Options RId Sig Length

slide-12
SLIDE 12

Don't break third-party software!

slide-13
SLIDE 13

Key Certificate

256B 1B 2B 128B PK SPK Key cert 2B 2B Excess key material PK type SPK type cert type | length SPK | PK

We now have full flexibility for future key types (up to 64,000 each, 7 SPK defined)

slide-14
SLIDE 14

(Relatively) good uptake

Type Usage DSA_SHA1 73% ECDSA_SHA256_P256 6% EdDSA_SHA512_Ed25519 21%

slide-15
SLIDE 15

We get router key upgrades for free!

  • Can change signing and encryption type

– (becomes “new” router)

  • But no backup for routers without support for

new types → Cut backwards compatibility

slide-16
SLIDE 16

RI signature upgrade is rolling out

0.9.22 0.9.23

slide-17
SLIDE 17

We are continuing the migration

  • E2E crypto: LeaseSet has no free bits→ LS2

– Easy to handle, doesn't change address – Take opportunity to redesign both netDb and LS

  • NTCP is very identifiable→ NTCP2

– Based on nTor? Ace? – We require 2WAKE

Design help appreciated!