Announce nodes can read public keys from onion data packets

[zugz]

Thanks to @jackiszhp for referring in #1108 to the detail of the onion
protocol which leads to the problem discussed below.

When Alice wishes to connect to Bob, she first finds via the onion a node,
Eve, on which Bob is announced. Alice then sends to Eve an onion data packet
as the payload of a data to route request. The onion data packet contains
Alice's long-term pubkey, and it is encrypted to the data pubkey. This data
pubkey is provided to Alice by Eve.

The intention is that the data pubkey was previously generated by Bob and sent
to Eve in Bob's announce request. However, there is nothing to prevent the
Eve generating her own pubkey and sending that to Alice as the data pubkey.

The result is that Eve is able to obtain Alice's long-term pubkey. Meanwhile,
she also knows Bob's long-term pubkey. So, she has determined that the two
pubkeys are friends. This is something the onion was intended to prevent.

Note also that Eve can position herself to be used as an announce node by Bob,
by generating an appropriate DHT key.

It looks like this problem was introduced by commit 639b37d.

[kurnevsky]

Actually all data packets are encrypted twice - first time with friend's real pk, second time with onion data pk. So if Eve substitutes the data key she can only get inner encrypted packet and nothing else.

[zugz]

* Sunday, 2018-08-26 at 02:52 -0700 - Evgeny Kurnevsky <notifications@github.com>:

So if Eve substitutes the data key she can only get inner encrypted packet and nothing else.

The problem is that the inner packet contains the long term public key (see L1083) as well as the data encrypted with that key. Eve can't decrypt the latter, but she can read the former.

[kurnevsky]

@zugz it's taken from inner net_crypto, so it's just a random temporary key. See

c-toxcore/toxcore/Messenger.c

Line 2025 in 80f8458

m->net_crypto = new_net_crypto(m->log, m->mono_time, m->dht, &options->proxy_info);

,

c-toxcore/toxcore/Messenger.c

Line 2038 in 80f8458

m->onion_c = new_onion_client(m->mono_time, m->net_crypto);

and

c-toxcore/toxcore/net_crypto.c

Line 2964 in 80f8458

new_keys(temp);

Am I missing something?

[zugz]

@zugz it's taken from inner net_crypto, so it's just a random temporary key.

The long-term public key gets loaded into net_crypto by Messenger - see https://github.com/TokTok/c-toxcore/blob/80f8458146061e5fe6edd97e06e039f1ad2cf3a9/toxcore/Messenger.c#3080

[kurnevsky]

Ok, this wasn't trivial. Good catch.

[algor1th]

I have created a formal model that shows that announcements are linkable, and note trace equivalent to searches. It can be found here. Linkability here means that a public key of a node can be linked to it's ip adress when announcing.

[emdee-is]

@iphydf @zugz This should be tagged with the Security label, to make it easier to track.