I2P_Developers/i2p.www
3
0
Fork 5
Code Issues 27 Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Document why signature in SSU SessionCreated msg is encrypted #37

New Issue
Open
opened 2025-04-21 14:47:56 -04:00 by idk · 2 comments
idk commented 2025-04-21 14:47:56 -04:00
Owner
Copy Link

Opened 5 years ago

Last modified 5 years ago

#1849newenhancement

Document why signature in SSU SessionCreated msg is encrypted

Reported by:zzzOwned by:
Priority:
minor
Milestone:
eventually
Component:
www/i2p
Version:
0.9.26
Keywords:

Cc:

Parent Tickets:

Sensitive:
no

Description

Add to the SSU overview and/or spec.

Also research in java code, mtn commits, and 10-year-old meeting logs, status notes, and emails for additional info.

zzz: Ah, I found out why we need to encrypt the signature

or at least why we do it

zzz: An attacker could substitute the signature with their own signature, and hence claim to have sent the message

zzz: But it does not seems to be applicable to I2P, because both parties know each others RI and hence public keys

EinMByte> zzz: It all comes down to whether or not it is feasible for an attacker to intercept the DatabaseStoreMessage?, and substitute it with their own

But maybe it's a good idea to keep the encryption there anyway, just in case that is probably

For sure, there MUST be a note on there

s/there/that

Subtickets

Opened [5 years ago](/timeline?from=2016-09-16T17%3A56%3A28Z&precision=second "See timeline at Sep 16, 2016 5:56:28 PM") Last modified [5 years ago](/timeline?from=2016-09-17T18%3A10%3A28Z&precision=second "See timeline at Sep 17, 2016 6:10:28 PM") ## [\#1849](/ticket/1849)[new](/query?status=new)[enhancement](/query?status=!closed&type=enhancement) # Document why signature in SSU SessionCreated msg is encrypted Reported by:[zzz](/query?status=!closed&reporter=zzz)Owned by: Priority: [minor](/query?status=!closed&priority=minor) Milestone: [eventually](/milestone/eventually "No date set") Component: [www/i2p](/query?status=!closed&component=www%2Fi2p) Version: [0.9.26](/query?status=!closed&version=0.9.26) Keywords: Cc: Parent Tickets: Sensitive: [no](/query?status=!closed&sensitive=0) ### Description Add to the SSU overview and/or spec. Also research in java code, mtn commits, and 10-year-old meeting logs, status notes, and emails for additional info. <EinMByte> zzz: Ah, I found out why we need to encrypt the signature <EinMByte> or at least why we do it <EinMByte> zzz: An attacker could substitute the signature with their own signature, and hence claim to have sent the message <EinMByte> zzz: But it does not seems to be applicable to I2P, because both parties know each others RI and hence public keys EinMByte> zzz: It all comes down to whether or not it is feasible for an attacker to intercept the DatabaseStoreMessage?, and substitute it with their own <EinMByte> But maybe it's a good idea to keep the encryption there anyway, just in case that is probably <EinMByte> For sure, there MUST be a note on there <EinMByte> s/there/that ### Subtickets
idk added this to the eventually milestone 2025-04-21 14:47:56 -04:00
idk added the
#1849
eventually
i2p
www
 labels 2025-04-21 14:47:56 -04:00
idk commented 2025-04-21 14:47:57 -04:00
Author
Owner
Copy Link

comment:2 Changed 5 years ago by EinMByte

I'd like to make a correction to the above post: only the initiator (Alice) already knows the RI of the other party (Bob), so it is required after all that Alice encrypts her signature.

It is not true (as I mistakenly assumed) that Bob knows Alice's router hash.

So the attack described above would work in the I2P context (if we didn't encrypt signatures), since Mallory can just recreate the signature with his own router hash included (in the scenario of the above post it isn't included at all).

By making Alice encrypt her signature such an attack cannot work:

Alice                Mallory                    Bob
==================================================
X, RH(A) ----------> X, RH(M) ------------------->
<------------------------------------ Y, S_B(X, Y)
E_K(S_A(X, Y))-----> E_K(S_M(X, Y)), K?? -------->
                     ^ Mallory cannot perform this operation.
[comment:2](https://trac.i2p2.de/\#comment:2) Changed [5 years ago](https://trac.i2p2.de//timeline?from=2016-09-17T18%3A10%3A28Z&precision=second "See timeline at Sep 17, 2016 6:10:28 PM") by EinMByte I'd like to make a correction to the above post: _only_ the initiator (Alice) already knows the RI of the other party (Bob), so it is required after all that Alice encrypts her signature. It is not true (as I mistakenly assumed) that Bob knows Alice's router hash. So the attack described above _would_ work in the I2P context (if we didn't encrypt signatures), since Mallory can just recreate the signature with his own router hash included (in the scenario of the above post it isn't included at all). By making Alice encrypt her signature such an attack cannot work: ``` Alice Mallory Bob ================================================== X, RH(A) ----------> X, RH(M) -------------------> <------------------------------------ Y, S_B(X, Y) E_K(S_A(X, Y))-----> E_K(S_M(X, Y)), K?? --------> ^ Mallory cannot perform this operation. ```
idk commented 2025-04-21 14:47:57 -04:00
Author
Owner
Copy Link

comment:1 Changed 5 years ago by EinMByte

More information regarding this attack, and also why it is a good idea to sign both X and Y for both parties can be found in Diffie, W.; van Oorschot P. C.; Wiener M. J., Authentication and Authenticated Key Exchanges. (section 5.1).

To elaborate on the above: it seems like the attack is mainly applicable when certificates (issued by a trusted third party) are used to exchange public keys.

In the I2P context, a peer always attempts to connect to a particular router hash (a router is its RI), so it is not possible to substitute the certificate at all. Importantly, this identity information is included in the exchanged signatures.

I think this consideration also rules out the possibility of unknown key-share attacks to which the protocol might otherwise be vulnerable. The appropriate reference here is Blake-Wilson, S.: Menzes, A., Unknown Key-Share Attacks on the Station-to-Station (STS) Protocol.

For STS-ENC (close to our transport protocols), two attacks are described there

  1. Public key substitution: the attacker is able to register the public key of one of both parties as their own. This is not possible in the I2P context.

  2. An attack based on the assumption that an attacker is able to create an (invalid) RI such that the signature by Alice is also valid for that RI. Such an attack on the ElGamal? signature system (with freely chosen and unchecked parameters) is discussed in that paper, but it is not very practical (and doesn't apply at all to I2P).

So it looks like we don't need the encryption as long as the identity information is being included in the signatures. If this was not the case, consider the following attack

Alice                Mallory                    Bob
==================================================
X, RH(A) ----------> X, RH(M) ------------------->
<------------------------------------ Y, S_B(X, Y)
S_A(X, Y)----------> S_M(X, Y) ------------------>

Bob shares a key with Alice, but in fact thinks this key is shared with Mallory (unknown key-share attack against the responder).

Even using this weak version of the protocol, you cannot trick the initiator in the same way, because Alice knows that she wants to talk to Bob, and will only accept his signature.

Last edited 5 years ago
by EinMByte
( previous)
( diff)

[comment:1](https://trac.i2p2.de/\#comment:1) Changed [5 years ago](https://trac.i2p2.de//timeline?from=2016-09-16T18%3A20%3A14Z&precision=second "See timeline at Sep 16, 2016 6:20:14 PM") by EinMByte More information regarding this attack, and also why it is a good idea to sign both X and Y for both parties can be found in Diffie, W.; van Oorschot P. C.; Wiener M. J., _Authentication and Authenticated Key Exchanges._ (section 5.1). To elaborate on the above: it seems like the attack is mainly applicable when certificates (issued by a trusted third party) are used to exchange public keys. In the I2P context, a peer always attempts to connect to a particular router hash (a router _is_ its RI), so it is not possible to substitute the certificate at all. Importantly, this identity information is included in the exchanged signatures. I think this consideration also rules out the possibility of unknown key-share attacks to which the protocol might otherwise be vulnerable. The appropriate reference here is Blake-Wilson, S.: Menzes, A., _Unknown Key-Share Attacks on the Station-to-Station (STS) Protocol_. For STS-ENC (close to our transport protocols), two attacks are described there 1) Public key substitution: the attacker is able to register the public key of one of both parties as their own. This is not possible in the I2P context. 2) An attack based on the assumption that an attacker is able to create an (invalid) RI such that the signature by Alice is also valid for that RI. Such an attack on the ElGamal? signature system (with freely chosen and unchecked parameters) is discussed in that paper, but it is not very practical (and doesn't apply at all to I2P). So it looks like we don't need the encryption as long as the identity information is being included in the signatures. If this was not the case, consider the following attack ``` Alice Mallory Bob ================================================== X, RH(A) ----------> X, RH(M) -------------------> <------------------------------------ Y, S_B(X, Y) S_A(X, Y)----------> S_M(X, Y) ------------------> ``` Bob shares a key with Alice, but in fact thinks this key is shared with Mallory (unknown key-share attack against the responder). Even using this weak version of the protocol, you cannot trick the initiator in the same way, because Alice knows that she wants to talk to Bob, and will only accept his signature. Last edited [5 years ago](https://trac.i2p2.de//timeline?from=2016-09-17T08%3A56%3A26Z&precision=second "See timeline at Sep 17, 2016 8:56:26 AM") by EinMByte ( [previous](https://trac.i2p2.de//ticket/1849?cversion=3&cnum_hist=1#comment:1)) ( [diff](https://trac.i2p2.de//ticket/1849?action=comment-diff&cnum=1&version=4))
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
#1120
#1147
#1154
#1336
#1344
#1396
#1427
#1442
#1548
#1583
#1677
#1747
#1756
#1759
#1781
#1809
#1849
#1859
#1885
#2192
#2236
#2290
#2400
#2414
#2430
#2538
#2697
#2698
#2752
#2760
#726
#833
0.9.18
eventually
i2p
installer
soon
undecided
www
No Label
#1849
eventually
i2p
www
Milestone
No items
No Milestone eventually
Projects
Clear projects
No project
Assignees
Clear assignees
echelon idk zzz
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: I2P_Developers/i2p.www#37
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?