[liberationtech] New Anonymity Network for Short Messages

Steve Weis steveweis at gmail.com
Tue Jun 11 10:29:17 PDT 2013 

Hi. I took a quick look while procrastinating at work and found a few
potential issues:

- What's up with this hard-coded
salt<https://bitbucket.org/scassidy/dinet/src/9f3afe465afb124367e03b63c6b63cba261e4edf/client/broadcast_client.c?at=master#cl-16>
?
- Any specific reason you picked
CTR<https://bitbucket.org/scassidy/dinet/src/9f3afe465afb124367e03b63c6b63cba261e4edf/client/broadcast_client.c?at=master#cl-88>
?
- Use mlock<https://bitbucket.org/scassidy/dinet/src/9f3afe465afb124367e03b63c6b63cba261e4edf/client/broadcast_client.c?at=master#cl-238>
here?
I don't think that will help you if you run within a guest VM though.
- Buffer overflow<https://bitbucket.org/scassidy/dinet/src/9f3afe465afb124367e03b63c6b63cba261e4edf/client/broadcast_client.c?at=master#cl-241>on
password input
- Is this safe for non-terminated
strings<https://bitbucket.org/scassidy/dinet/src/9f3afe465afb124367e03b63c6b63cba261e4edf/common.c?at=master#cl-41>
?
- Why do you have this
checksum<https://bitbucket.org/scassidy/dinet/src/9f3afe465afb124367e03b63c6b63cba261e4edf/client/broadcast_client.c?at=master#cl-112>if
you just HMACed the ciphertext?
- HMAC verification is vulnerable to a timing
attack<https://bitbucket.org/scassidy/dinet/src/9f3afe465afb124367e03b63c6b63cba261e4edf/client/broadcast_client.c?at=master#cl-129>.
Since you're using CTR, it's that much easier to forge messages.
- There's no forward security.

This is by no means comprehensive. I've only been looking at a couple files.


On Tue, Jun 11, 2013 at 9:52 AM, Sean Cassidy <sean.a.cassidy at gmail.com>wrote:

> Hello all,
>
> I have created a simple anonymity network that broadcasts all messages
> to participants so that you cannot associate chatters.
>
> https://bitbucket.org/scassidy/dinet
>
> There is a simple sample client available, but you could write your
> own client to build your own features atop the network.
>
> http://projects.existentialize.com/dinet/client.html
>
> Please let me know if you have any comments.
>
> Sean
> --
> Too many emails? Unsubscribe, change to digest, or change password by
> emailing moderator at companys at stanford.edu or changing your settings at
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20130611/9809221d/attachment.html>

More information about the liberationtech mailing list