OneSwarm Forum

User forum for the OneSwarm Friend-to-Friend data sharing network

1. tommy
   Member

   Hello,

   I don't have the time to consult the souce, so I hope someone can answer me here instead.

   When I logon to OneSwarm: For each of my friends, it ads my IP+port, encrypted with my friends public key, indexed by the hash of the concaternation of both our public keys, to the DHT, right?

   Now, say that someone got their hands on my and my friend's public keys, they could get both our encrypted IPs from the DHT. If they could, magically, decrypt that and thus get our IPs, what mechanisms are there in the client to prevent any non-friends from connecting to me? They know everything about me that my friends also know.

   Posted 4 years ago #

2. AxMi-24
   Member

   The whole idea with asymmetric keys is that knowing the public key doesn't matter. It is a one way mathematics function and you need the private key to be able to decrypt it. So in this case there is no danger of anyone using the public key to find out your IP (other than brute force and that is just not feasible).

   Posted 4 years ago #

3. tommy
   Member

   Hi!

   Yes, I know all about asymmetric encryption. (How is the private key stored in OneSwarm, btw?) And brute force is the hardest way to get hold of a private key, indeed: http://xkcd.com/538/

   But lets not talk mathematics here. My question remains: is there some mechanism in OneSwarm to allow access only from those on my friends list? After all, I do know their supposed IPs, if they are online, so anyone else trying to connect should be refused, right?

   Posted 4 years ago #

4. Zwarmen
   Member

   If a malicious 3rd party gets their hands on both your and your friend's private keys, you're in trouble. But, the only known way to do that would be either using brute force on the DHT info as above, or break into both of your computers to get the keys, which is just as unlikely (depending on your level of computer security of course, and to do that they would need your IPs at the very least so there's a nice catch-22).

   Barring that above however, traffic between you and your friend is encrypted using your respective public keys (or most likely an intermediate key exchanged using those). Your friend is expecting information encrypted by your private key, and vice versa. So as long as the private keys remain private, and OneSwarm won't accept unencrypted connections (and I must assume it doesn't), a 3rd party can't impersonate either of you.

   Posted 4 years ago #

5. tommy
   Member

   Hi!

   Sounds reasonable, thanks!

   Posted 4 years ago #

6. isis
   Member

   Zwarmen: The attack vector wouldnt be agains the 1S node itself. Always climb the wall where it is lowest.

   Distribute something with an un-recognized malware through the 1S net, preferable called something like PhotoShop-2010-gold-prerelease.

   Once it starts to phone home, just make it send you the private keys (and all the keyexchanges with that nodes friends)

   Problem solved, now you can impersonate at will.

   Posted 4 years ago #

RSS feed for this topic

Reply

You must log in to post.