I’ve been thinking about a peer-to-peer message passing network for short-range radio communications. The system should be useful for various scales of devices, from longer-range mobile installations (in a vehicle using commercial bands) to short-range person-to-person systems implemented in the ISM bands. Hardware like TI’s eZ430-RF2500 eval kit would be an ideal development platform.
One problem inherently present in such a system is the identification of other nodes. In an open network, any available node may accept and relay messages (though only the intended recipient may read them). For message passing to be efficient, however, there must be a system for identifying nodes.
Not all users will be comfortable with the idea of broadcasting their identity to the world at large. They may only be comfortable participating as an anonymous node. Others may prefer only to reveal their identity to other nodes they trust. This presents a problem: How do two nodes identify themselves securely to each other, without revealing their identity to untrusted parties?
I propose an exchange system as follows:
Alice sees a nearby unidentified node (Bob).
Alice sends a message asking if Bob wishes to know her identity.
Bob responds with a randomly generated one-use key to encrypt the next message with.
Alice responds with a message encrypted with the public keys of all her trusted nodes, and further encrypts this message using Bob’s one-use key.
Bob decrypts the outer message using the one-time key, then attempts to decrypt the enclosed message using his private key.
If Alice trusts Bob, he can do this, and finds within her message a temporary key to use for further communications with her.
Bob continues communication with Alice using this new key.
At this point, Alice knows that she trusts Bob, but does not actually know his identity, unless he chooses to reciprocate the authentication steps.
The one-time encryption key wrapper used by Bob is a measure to prevent Carol, who is also trusted by Alice, from decrypting the key exchange message and spoofing communications from Bob.
Because no node broadcasts a canonical name, a receiver would otherwise have to attempt to decrypt each packet with each available key. This quickly becomes impractical in any multi-node situation. To solve this problem, a node prefixes each message sequence with a randomly generated “conversation” id. If Alice and Bob are talking, Carol then only has to attempt to decrypt one packet from each, and can safely ignore any further messages carrying those conversation ids. In the event of a conflict (two nodes happen to use the same conversation id), both nodes should immediately select a new conversation id that has not recently been seen. Key negotiation conversations are prefixed with a temporary identifier, in addition to the conversation id. These temporary identifiers are dropped from the ignore list much faster (perhaps after 30 seconds).
Messages must contain conversation sequence numbers inside the encrypted payload, and the initial value should be chosen randomly. Packet loss may occur, so some messages may arrive with a sequence number several higher than the last one seen; key renegotiation should take place if the gap is too large, or if a packet arrives with a sequence number lower than the highest known (an indication of an attempted replay). The sequence number should roll over to 0 when it reaches its maximum value.
There are a number of areas of potential information leakage. If Mallory can determine that Carol is ignoring messages with the conversation ids used earlier by Alice and Bob, Mallory can conclude that Carol is not Alice or Bob. To counteract this and other scenarios, the default behavior MUST be to ignore all invalid or unexpected messages. Error messages for these circumstances, even encrypted, may leak information.