[p2p-hackers] amicima MFP and crypto upgrades
Matthew Kaufman
matthew at matthew.at
Sat Dec 17 07:04:52 UTC 2005

We've been busy here at amicima, and thought you'd want to know about some
recent improvements we've made:

1. We upgraded the MFP protocol to be resistant to a potential but unlikely
denial-of-service attack in cases where there's no cryptography or the
session key is the same in each direction. Specifically: an attacker who
intercepts traffic from one end, modifies the session identifier to match
the one sent by the other end, and plays the traffic back might be able in
some cases to erroneously start flows or in extreme cases cause a denial of
service through the IP mobility mechanism.

This is fixed by adding explicit directionality flagging to the MFP packet
header, and the protocol spec and our implementation have been upgraded. The
revised protocol spec (version 1.2) can be found at:
http://www.amicima.com/developers/documentation.html
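The receiver-side check that the directionality flag makes possible, as an added illustration that is not amicima's MFP code: the header layout (a 4-byte session identifier plus a 1-byte direction flag), the endpoint class and the session identifiers are all constructed for this example, and the toy models only the receiving end's acceptance rule, not how the flag itself is protected from modification (which the announcement does not detail). Without the flag, a packet whose session identifier has been rewritten to the original sender's own value is indistinguishable from traffic sent by the peer; with the flag, the receiver sees its own outbound direction on an inbound packet and drops it.

```python
import struct

# Constructed toy header, not the real MFP wire format: the announcement says
# only that an explicit directionality flag was added to the packet header.
INITIATOR_TO_RESPONDER = 0
RESPONDER_TO_INITIATOR = 1
HEADER = ">IB"  # 4-byte session identifier, 1-byte direction flag
HEADER_LEN = struct.calcsize(HEADER)


def build_packet(session_id, direction, payload):
    """Address a packet with the session identifier the peer told us to use."""
    return struct.pack(HEADER, session_id, direction) + payload


def parse_packet(pkt):
    session_id, direction = struct.unpack(HEADER, pkt[:HEADER_LEN])
    return session_id, direction, pkt[HEADER_LEN:]


class Endpoint:
    """One end of a session (hypothetical model). With check_direction=False the
    receiver accepts any packet carrying its own session identifier, which is the
    pre-1.2 behaviour the announcement describes as exposed to played-back traffic."""

    def __init__(self, my_session_id, peer_session_id, initiator, check_direction):
        self.my_session_id = my_session_id      # identifier the peer addresses us with
        self.peer_session_id = peer_session_id  # identifier we address the peer with
        self.initiator = initiator
        self.check_direction = check_direction
        self.accepted = []

    def outbound_direction(self):
        return INITIATOR_TO_RESPONDER if self.initiator else RESPONDER_TO_INITIATOR

    def expected_inbound_direction(self):
        return RESPONDER_TO_INITIATOR if self.initiator else INITIATOR_TO_RESPONDER

    def send(self, payload):
        return build_packet(self.peer_session_id, self.outbound_direction(), payload)

    def receive(self, pkt):
        """Return True if the packet is accepted into this session."""
        session_id, direction, payload = parse_packet(pkt)
        if session_id != self.my_session_id:
            return False
        if self.check_direction and direction != self.expected_inbound_direction():
            return False  # our own outbound direction on an inbound packet: drop it
        self.accepted.append(payload)
        return True


def run_reflection(check_direction):
    """Returns (legitimate_accepted, played_back_accepted) for one exchange."""
    a = Endpoint(0x1111, 0x2222, initiator=True, check_direction=check_direction)
    b = Endpoint(0x2222, 0x1111, initiator=False, check_direction=check_direction)
    pkt = a.send(b"start flow 7")  # A -> B, addressed with B's identifier
    legit = b.receive(pkt)
    # The case from the announcement: the same packet with its session
    # identifier rewritten to A's own value and delivered back to A.
    played_back = struct.pack(">I", a.my_session_id) + pkt[4:]
    return legit, a.receive(played_back)


if __name__ == "__main__":
    print("no direction flag:", run_reflection(check_direction=False))
    print("direction flag   :", run_reflection(check_direction=True))
```

The second tuple element is what the upgrade changes: it is True for the unflagged protocol and False once the receiver insists that inbound packets carry the peer's direction.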
2. We've significantly upgraded the "MFP defcrypto" default cryptographic
plug-in. The new version is INCOMPATIBLE with all previous versions, but we
hope our improvements mean that's the only time we'll have to say that. The
previous version supported RSA for public-key crypto and AES128 for
symmetric crypto, and while the key material was generated at both ends
(thanks to suggestions here to make that improvement), the transmission of
keying material was of a fixed length, the combination was identical at each
end (XOR) (so both directions used the same session key), and there was no
provision for any options to be sent between the cryptographic plug-ins at
each end.

The new version has replaced the fixed-length encrypted key data sent in the
Initial Keying packets with a "micro-packet" of data that is exchanged
between each end (and which is protected by the signatures present in the
Initiator Initial Keying and Responder Initial Keying packets, so the data
can't be tampered with). These "micro-packets" can contain variable-length
option information for future cryptosystem upgrades, like changes to AES256
or the addition of HMAC, in such a way that backwards compatibility may be
retained, as well as the necessary keying data (also of variable length, and
which we now combine asymmetrically, such that both ends contribute to the
session keys that are used, but a different session key is used in each
direction now).
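The difference between the old and new key combination, as an added example that is not the defcrypto plug-in's code: combine_xor models the previous scheme as the announcement describes it (equal-length contributions XORed into one key shared by both directions), and combine_directional is an assumed construction, HMAC-SHA1 used in an extract-then-expand arrangement with a direction label, chosen to exhibit the stated properties (both ends contribute, contributions may vary in length, each direction gets its own key). The salt string and labels are constructed for the example.

```python
import hashlib
import hmac
import secrets


def combine_xor(initiator_material, responder_material):
    """The scheme the announcement says was replaced: equal-length contributions
    combined by XOR, giving one key that both directions share."""
    if len(initiator_material) != len(responder_material):
        raise ValueError("XOR combination needs fixed, equal-length contributions")
    key = bytes(x ^ y for x, y in zip(initiator_material, responder_material))
    return key, key  # (initiator->responder key, responder->initiator key)


def _length_prefixed(chunk):
    # Length prefixes keep (a, bc) and (ab, c) from producing the same input.
    return len(chunk).to_bytes(2, "big") + chunk


def combine_directional(initiator_material, responder_material, key_len=16):
    """Assumed construction (not the defcrypto code): HMAC-SHA1 extract step over
    both contributions, then an expand step keyed by direction label."""
    ikm = _length_prefixed(initiator_material) + _length_prefixed(responder_material)
    prk = hmac.new(b"mfp-defcrypto-example-salt", ikm, hashlib.sha1).digest()

    def expand(label):
        out, counter = b"", 1
        while len(out) < key_len:
            out += hmac.new(prk, label + bytes([counter]), hashlib.sha1).digest()
            counter += 1
        return out[:key_len]

    return expand(b"initiator->responder"), expand(b"responder->initiator")


def check_properties():
    """Compare the two combination rules on random contributions."""
    i_mat, r_mat = secrets.token_bytes(16), secrets.token_bytes(16)
    xor_i2r, xor_r2i = combine_xor(i_mat, r_mat)
    dir_i2r, dir_r2i = combine_directional(i_mat, r_mat)
    # A responder contributing different (and longer) material must change both keys.
    alt_i2r, alt_r2i = combine_directional(i_mat, secrets.token_bytes(24))
    try:
        combine_xor(i_mat, secrets.token_bytes(24))
        xor_rejects_variable_length = False
    except ValueError:
        xor_rejects_variable_length = True
    return {
        "xor_same_key_both_ways": xor_i2r == xor_r2i,
        "xor_rejects_variable_length": xor_rejects_variable_length,
        "directional_keys_differ": dir_i2r != dir_r2i,
        "both_ends_agree": combine_directional(i_mat, r_mat) == (dir_i2r, dir_r2i),
        "responder_contribution_matters": alt_i2r != dir_i2r and alt_r2i != dir_r2i,
        "variable_length_accepted": len(alt_i2r) == len(alt_r2i) == 16,
    }


if __name__ == "__main__":
    for name, ok in check_properties().items():
        print(f"{name:32s} {ok}")
```

The property to watch is the first one: with a shared key in both directions, a packet captured from one direction is a valid ciphertext in the other, which is what made the session-identifier replay in item 1 worth defending against at the protocol layer as well.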
This brings us to the next new feature... By popular request, and because we
now have the ability to negotiate such options, we now have optional
HMAC-SHA1 in the default crypto plug-in. The HMAC wraps the encrypted packet
in order to detect any corruption or tampering before it is even decrypted
at the far end and with much more certainty than the internal
post-decryption 16-bit checksum. There is an API to set transmission (always
send, only if requested by the other end, never send) and reception (require
(and request) that it be sent, request (but not require) that it be sent,
verify (but neither request nor require) if sent, and ignore completely)
options, and MFPNet has been upgraded to provide access to the HMAC API as
well. Once HMAC has been negotiated, any packet with the wrong HMAC (or from
which the HMAC has been deleted) will be ignored.
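The HMAC options described above, worked through as an added example that is not the MFPNet or defcrypto code: the packet layout (a presence flag, an 8-byte nonce, the encrypted body and an optional 20-byte HMAC-SHA1 tag), the keystream used in place of AES, the additive 16-bit checksum standing in for the internal post-decryption checksum, and the mapping of the transmission and reception options onto a negotiation rule are all constructed here and are my reading of the announcement, not the plug-in's actual behaviour. The block shows the HMAC being checked before any decryption, a packet with its HMAC stripped being ignored once HMAC has been negotiated, and a two-byte corruption that the 16-bit checksum cannot see but the HMAC does.

```python
import hashlib
import hmac
import secrets
import struct
from enum import Enum

TAG_LEN = 20   # HMAC-SHA1 output length
NONCE_LEN = 8
HAS_HMAC, NO_HMAC = b"\x01", b"\x00"  # constructed presence flag, covered by the tag


class Tx(Enum):  # transmission options named in the announcement
    ALWAYS = 0
    IF_REQUESTED = 1
    NEVER = 2


class Rx(Enum):  # reception options named in the announcement
    REQUIRE = 0          # require (and request) that it be sent
    REQUEST = 1          # request (but not require) that it be sent
    VERIFY_IF_SENT = 2   # verify if sent, neither request nor require
    IGNORE = 3           # ignore completely


def requests_hmac(rx):
    return rx in (Rx.REQUIRE, Rx.REQUEST)


def will_send_hmac(tx, peer_requests):
    return tx is Tx.ALWAYS or (tx is Tx.IF_REQUESTED and peer_requests)


def keystream(key, nonce, n):
    """Constructed toy stream cipher so the example needs no AES library."""
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha1).digest()
        i += 1
    return out[:n]


def checksum16(data):
    """Stand-in for the weak internal post-decryption 16-bit checksum."""
    return sum(data) & 0xFFFF


def seal(enc_key, mac_key, nonce, payload, send_hmac):
    body = struct.pack(">H", checksum16(payload)) + payload
    ct = bytes(a ^ b for a, b in zip(body, keystream(enc_key, nonce, len(body))))
    pkt = (HAS_HMAC if send_hmac else NO_HMAC) + nonce + ct
    if send_hmac:
        pkt += hmac.new(mac_key, pkt, hashlib.sha1).digest()  # encrypt-then-MAC
    return pkt


def open_packet(enc_key, mac_key, pkt, rx, negotiated):
    """Return the payload, or None when the packet is to be ignored."""
    if pkt[:1] == HAS_HMAC:
        if len(pkt) < 1 + NONCE_LEN + 2 + TAG_LEN:
            return None
        body, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
        if rx is not Rx.IGNORE:
            expected = hmac.new(mac_key, body, hashlib.sha1).digest()
            if not hmac.compare_digest(tag, expected):
                return None  # rejected before any decryption happens
    else:
        if rx is Rx.REQUIRE or (negotiated and rx is not Rx.IGNORE):
            return None      # HMAC negotiated but missing from the packet: ignore
        body = pkt
    nonce, ct = body[1:1 + NONCE_LEN], body[1 + NONCE_LEN:]
    pt = bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))
    if len(pt) < 2:
        return None
    (cs,), payload = struct.unpack(">H", pt[:2]), pt[2:]
    return payload if checksum16(payload) == cs else None


def flip_bit0(pkt, *offsets):
    out = bytearray(pkt)
    for o in offsets:
        out[o] ^= 1
    return bytes(out)


def run_scenarios():
    enc_key, mac_key = secrets.token_bytes(16), secrets.token_bytes(16)
    nonce = secrets.token_bytes(NONCE_LEN)
    msg = b"hello from the other end"
    first = 1 + NONCE_LEN + 2  # offset of the first payload byte in the packet
    # Sender IF_REQUESTED talking to a REQUIRE receiver: HMAC gets negotiated.
    negotiated = will_send_hmac(Tx.IF_REQUESTED, requests_hmac(Rx.REQUIRE))
    good = seal(enc_key, mac_key, nonce, msg, send_hmac=negotiated)
    # Legacy peer that never sends an HMAC, talking to a VERIFY_IF_SENT receiver.
    legacy = seal(enc_key, mac_key, nonce, msg, send_hmac=will_send_hmac(Tx.NEVER, False))
    # Flipping bit 0 of 'h' (+1) and of 'e' (-1) leaves the additive checksum unchanged.
    return {
        "negotiated": negotiated,
        "good": open_packet(enc_key, mac_key, good, Rx.REQUIRE, negotiated),
        "bit_flipped": open_packet(enc_key, mac_key, flip_bit0(good, first + 5), Rx.REQUIRE, negotiated),
        "hmac_stripped": open_packet(enc_key, mac_key, NO_HMAC + good[1:-TAG_LEN], Rx.REQUIRE, negotiated),
        "legacy_ok": open_packet(enc_key, mac_key, legacy, Rx.VERIFY_IF_SENT, False),
        "legacy_checksum_fooled": open_packet(enc_key, mac_key, flip_bit0(legacy, first, first + 1), Rx.VERIFY_IF_SENT, False),
        "hmac_catches_same_flips": open_packet(enc_key, mac_key, flip_bit0(good, first, first + 1), Rx.REQUIRE, negotiated),
    }
```

The "legacy_checksum_fooled" entry comes back as a corrupted but accepted payload, which is the case the announcement's "much more certainty" refers to: a checksum computed after decryption over a stream-encrypted body detects single-byte changes but not compensating ones, while the HMAC over the ciphertext rejects both before the decryptor ever runs.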

We always said that "if you don't like it, you can plug in a new
cryptographic plug-in", but that doesn't necessarily provide a good
backward-compatible solution for upgrades to running systems with large
numbers of existing peers. We're pretty sure that this does (as would any
other cryptographic plug-in that borrowed these enhancements), but only the
future will tell us if we're right.

The new releases of MObj, MFP, and MFPNet are available on our downloads
page:
http://www.amicima.com/developers/downloads.html

And details of the default cryptographic plug-in are provided in the MFP
release's README file, available separately here:
http://www.amicima.com/downloads/mfp/README.txt

3. And finally, because we've rolled out an incompatible (but much better)
default cryptographic plug-in, we've released a new version of amiciPhone,
our demo application that does P2P VOIP calling, user presence, text
messaging, and photo and file sending. You can get the Windows XP version
from our website, and the Macintosh OS X version is coming along nicely and
should be out before too much longer.

The application download is here:
http://www.amicima.com/applications/

Download a copy and try it out! (For a good time, try calling
"7 at test.amicima.com")

Thanks for the support and feedback from the list and privately; it has
helped make our protocols and implementations better, and we try to return
the favor through the open-source publication of our protocol
implementations.

Matthew Kaufman
matthew at matthew.at
matthew at amicima.com
http://www.amicima.com