Changeset 10560 for dotorg/trunk_fixed/html/beps/bep_0008.rst

Timestamp:

02/06/2008 02:55:28 AM (11 months ago)

Author:

dave

Message:

Clarify some issues in the "Tracker Peer Obfuscation" BEP.

In particular it is now clear that peers returned in response to a request with sha_ih
can be assumed to implement Message Stream Encryption.

Also the index and RC4 pseudorandom string length are now randomized and obscured.

Aslo some wordsmithing.

Files:

• dotorg/trunk_fixed/html/beps/bep_0008.rst (modified) (18 diffs)

dotorg/trunk_fixed/html/beps/bep_0008.rst

@@ -10 +10 @@
 
 This extends the tracker protocol to support simple obfuscation of the
-peers it returns, using the info hash as a shared secret between the
+peers it returns, using the infohash as a shared secret between the
 peer and the tracker. The obfuscation does not provide any security
 against eavesdroppers that know the infohash of the torrent.  The goal
@@ -22 +22 @@
 to be interpreted as described in IETF `RFC 2119`_. 
 
-.. _`RFC 2119`: http://tools.ietf.org/html/rfc2119
-
-
-announce parameter
+
+Announce Parameter
 ==================
 
@@ -45 +43 @@
 in the peer's announce.
 
-announce response
+Announce Response
 =================
 
@@ -56 +54 @@
 These are discussed in the optimizations_ section.
 
-peer list obfuscation
+Peer List Obfuscation
 =====================
 
@@ -78 +76 @@
 recovers the plaintext by generating the same pseudorandom string and
 XOR'ing it with the ciphertext.  In generating the pseudorandom
-string, the tracker and client MUST discard the first 768 bytes.  All
-indices into the pseudorandom string ignore the first 768 bytes, i.e.,
-index 0 refers to the first undiscarded byte.
+string, the tracker and client MUST discard the first 768 bytes.  
 
 To communicate an initialization vector, the tracker includes in the
@@ -90 +86 @@
 of the infohash are used as the RC4 key.  If the tracker provides an
 initialization vector then the RC4 key is generated by appending the
-vector to the infohash and then hashing with sha1.  The first 64 bits
-of the resulting hash are then used as the RC4 key.
+vector to the infohash and then hashing with SHA-1.  The first 64 bits
+of the resulting hash are then used as the RC4 key.  The string from
+which the RC4 key is derived whether it be the infohash or the SHA-1 of
+the initialization vector appended to the infohash is called the
+*intermediate string*.
 
 For example, given infohash ``aaf4c61ddcc5e8a2dabedef3b482cd9aea9434d``
@@ -99 +98 @@
 ::
  
-   hash = sha1( 'aaf4c61ddcc5e8a2dabedef3b482cd9aea9434dabcd' )
-   key = hash[0:64]
-
-where [i:j] denotes the ith through jth bit including the ith but
-excluding the jth.  The resulting key in hex is ``f36e9cae87cf33e0``.
+   intermediate = sha1( 'aaf4c61ddcc5e8a2dabedef3b482cd9aea9434dabcd' )
+   key = intermediate[0:64]
+
+where [i:j] denotes the ith through *jth* bit including the *ith* but
+excluding the *jth*.  The resulting key in hex is ``f36e9cae87cf33e0``.
 
 A 64-bit key is used to avoid U.S. export restrictions. 
@@ -111 +110 @@
 interval.  The reasoning for this is contained in the rationale.
 
-optimizations
+Optimizations
 =============
 
 The described optimizations are OPTIONAL for the tracker, but the
-corresponding client-side MUST be implemented by those that support
-this extension.  These extensions hobble the strength of the RC4
+corresponding client-side MUST be implemented by clients that support
+this extension.  These optimizations hobble the strength of the RC4
 encryption in order to improve tracker performance.  In the rationale_
 section we discuss why hobbling RC4 is reasonable and in many cases
@@ -139 +138 @@
 The tracker MAY also cache the encrypted tracker peer list.  To
 support this the tracker must pass two additional keys *i* and *n*
-each with integer values.  Decryption starts by XORing from *6i* bytes
-for ipv4 (or *18i* for ipv6) into the pseudorandom string.  Assuming
+each with 32-bit integer values.  If the tracker returns *i* and *n*
+then we reserve the first 8 bytes of the RC4 pseudorandom string to
+obscure *i* and *n*.  We come back to this momentarily.  Decryption
+starts by XORing from *6i* bytes for ipv4 (or *18i* for ipv6) into the
+pseudorandom string after the discarded and reserved bytes.  Assuming
 that the tracker encrypted the tracker peer list starting from the
-first byte in the pseudorandom string then *i* also corresponds to the
-*ith* ip-port pair in the tracker peer list and the starting point of
-the copy into the returned request.  
+first byte after the discarded and reserved bytes in the pseudorandom
+string then *i* also corresponds to the *ith* ip-port pair in the
+tracker peer list and the starting point of the copy into the returned
+request.
 
 So that the client and the tracker do not have to generate an
 arbitrarily long pseudorandom string to support large swarms, we
 assume the tracker bounds the length of the pseudorandom string and
-reports the length in ip-port pairs as the value to key *n*.  We
-RECOMMEND that *n* be equal to the length of the tracker peer list or
-random but within constant factor of the longest peerlist returned by
-the tracker, whichever is smaller.  Thus the tracker encrypts the
-*jth* byte of the *ith* ip-port pair in an ipv4 tracker peer list by
-XORing with the byte *(6i+j)* `mod` *n* bytes into the pseudorandom
-string.
-
-Since providing *i* and *n* significantly reduces the cost for an
-attacker to recover the pseudorandom string, the tracker MUST XOR the
-value of *i* with the 32 bits beginning with the 8th least significant
-byte of the infohash and *n* with the least significant 32 bits of the
-infohash.  We do not use the first 64 bits of the infohash since the
-first 64 bits are used as the RC4 key when not specifying an
-initialization vector.
- 
+reports the length in ip-port pairs as the value to key *n*.  *n*
+excludes reserved and discarded bytes.  We RECOMMEND that *n* be equal
+to the length of the tracker peer list or random but within constant
+factor of the longest peerlist returned by the tracker, whichever is
+smaller.  Thus the tracker encrypts the *jth* byte of the *ith*
+ip-port pair in an ipv4 tracker peer list by XORing with the byte
+*(6i+j)* `mod` *n* bytes into the pseudorandom string.
+
+Transmitting *i* and *n* as plaintext would significantly reduce the
+cost for an attacker to recover the pseudorandom string.  The tracker
+MUST XOR the value of *i* with the first 32 bits of the pseudorandom
+string.  The tracker then XORs *n* with the next 32 bits from the
+pseudorandom string (see Figure 1).
+
+.. figure:: bep_0008_pseudo.png
+
+   **Figure 1:** The first 768 bytes of the RC4 pseudorandom
+   string are discarded.  The key *i* in the tracker response has
+   value ``x xor i``.  The key *n* has value ``y xor n``.
+
 We describe encryption in the following example for an ipv4 tracker peer 
 list consisting of 3 ip-port pairs, and using an RC4 pseudorandom string 
@@ -171 +178 @@
 
 ::
+
   Given the following peer list
   (208.72.193.86, 6881), (209.81.173.15,14321), (128.213.6.8, 6881)
@@ -178 +186 @@
   d048c1561ae1d151ad0f37f180d506081ae1 
 
-  which we XOR with an RC4 pseudorandom string, e.g.,
+  which we XOR with an RC4 pseudorandom string excluding discarded and
+  reserved bytes, e.g.,
 
   a496e5f9b83e835013d42226
@@ -189 +198 @@
 peer list, we wrap to the beginning of the pseudorandom string.
 
-  In the first response, the tracker would return
-
-  *peers=74de24afa2df5201bedb15d7*, *i=0*, *n=2*
-
-  In the second response, the tracker would return
-
-  *peers=5201bedb15d72443e3f1a2df*, *i=1*, *n=2*
+In the first response, the tracker would return::
+
+  peers=74de24afa2df5201bedb15d7, i=0, n=2
+
+In the second response, the tracker would return::
+
+  peers=5201bedb15d72443e3f1a2df, i=1, n=2
 
 The tracker response MUST remain a valid bencoded message.
 
-backwards compatibility
+
+Backwards Compatibility
 =======================
 
@@ -226 +236 @@
 secret.
 
-- any peer that reports a sha_ih is assumed to implement protocol encryption.
-- tracker OPTIONALLY includes a ``flags`` key that contains one byte per
-  peer in the reported peer list.  The first bit of each byte specifies
-  whether the peer support protocol encryption. (How do we protect
-  the flags field from modification?)
-- if no flags field is present then all peers should be assumed to support protocol encryption
-- if a flags field is present then those peers that support protocol
-  a 
-
-rationale
+Any peer that requests with a ``sha_ih`` SHOULD implement Message
+Stream Encryption (MSE) [#MSE]_.  Any peer returned from the tracker
+in response to a request with a ``sha_ih`` SHOULD be assumed to
+support Message Stream Encryption.  We include these provisions
+because if a peer communicates with another peer without using MSE
+then the BitTorrent protocol is trivially identified from the first
+twenty bytes of the BitTorrent header and the ``info_hash`` appears in
+plaintext as the next twenty bytes, hence also defeating the purpose
+of the shared secret.
+
+If the tracker does not know enough peers that support MSE to return
+the desired number of peers then it MAY include peers that are not
+assumed to support MSE.  If a peer closes a connection in response to
+an encrypted header then the initiating peer should try other peers in
+the peer list returning to the peer that closed the connection only
+when all other peers known or not yet known to support MSE have been
+tried and have failed to provide "adequate performance."  We
+intentionally omit any definition of "adequate performance."
+
+
+Rationale
 =========
 
@@ -248 +269 @@
 connections.
 
-This hardware was presumably deployed to get around `BitTorrent
-Protocol Encryption`_.  Peers implementing BitTorrent Protocol
+This hardware was presumably deployed to get around BitTorrent
+Message Stream Encryption [#MSE]_.  Peers implementing BitTorrent Message Stream
 Encryption obfuscate peer-to-peer connections by employing RC4
 encryption on every byte from the first byte transferred. BitTorrent
-Protocol Encryption thus increases the difficulty for a device
+Message Stream Encryption thus increases the difficulty for a device
 observing passing packets to identify BitTorrent peer-to-peer
 connections.
@@ -268 +289 @@
 The obfuscation method meets the following criteria:
 
-- The entire plaintext of the peer list is not easily obtained
-  even if an eavesdropper identifies ip-port pairs from
-  subsequent connections from a peer that has received a tracker response.
+- The entire plaintext of the peer list is not easily obtained even if
+  an eavesdropper identifies ip-port pairs from subsequent connections
+  initiated by a peer that has received a tracker response.
 
 - Even when a subsequent connection from a peer that has received a 
@@ -288 +309 @@
 The objective is NOT to create a cryptographically secure protocol
 that can survive unlimited observation of passing packets and
-substantial computational resources on network timescales.  The object
+substantial computational resources on network timescales.  The objective
 is to raise the bar sufficiently to deter attacks based on observing
 ip-port numbers in peer-to-tracker communications.
@@ -295 +316 @@
 and subsequent connections, it is possible to attack the encryption.
 RC4 is known to have a number of weaknesses especially in the way it
-was used with WEP [and HERE].  However, with tracker peer obfuscation, the
-number of bytes transferred between the tracker and a client is likely
-significantly smaller than transfer between a wireless computer and a
-basestation.  An attacker faces a much larger task in obtaining
-sufficient probable plaintext to directly break the encryption.
+was used with WEP [#Borisov]_ [#Scott]_ [#Stubblefeld]_.  However,
+with tracker peer obfuscation, the number of bytes transferred between
+the tracker and a client is likely significantly smaller than transferred
+between a wireless computer and a basestation.  An attacker faces a
+much larger task in obtaining sufficient probable plaintext to
+directly break the encryption.
 
 Hobbling the RC4 encryption by using a bounded-length RC4 pseudorandom
@@ -328 +350 @@
 small constant factor more expensive than a shuffle on an input string
 of equal length, 2) the generated pseudorandom string is only *n*
-bytes long where recommended *n* is within a small constant factor
-larger than the largest response size and thus much smaller than the
-tracker peer list for large swarms, and 3) the cost of the XOR
-operation is lighter weight than performing a random shuffle.
-
+ip-port pairs long where recommended *n* is within a small constant
+factor larger than the largest *returned peer list* and thus much
+smaller than the *tracker peer list* for large swarms, and 3) the cost
+of the XOR operation is lighter weight than performing a random
+shuffle.
+
+References
+==========
 
 .. _`RFC 2119`: http://tools.ietf.org/html/rfc2119
-.. _`BitTorrent Protocol Encryption`: http://www.bittorrent.org/beps/bep_0013.html
+
+.. [#MSE] BitTorrent Message Stream Encryption
+   (http://www.azureuswiki.com/index.php/Message_Stream_Encryption)
+
+.. [#Borisov] Nikita Borisov, Ian Goldberg, and David Wagner. Intercepting 
+   mobile communications: the insecurity of 802.11. In ACM MobiCom 2001, 
+   pages 180-189. ACM Press, 2001.
+
+.. [#Scott] Scott R. Fluhrer, Itsik Mantin, and Adi
+   Shamir. Weaknesses in the key scheduling algorithm of RC4. In Serge
+   Vaudenay and Amr M. Youssef, editors, Selected Areas in
+   Cryptography 2001, volume 2259 of Lecture Notes in Computer
+   Science, pages 1-24. Springer, 2001.
+
+.. [#Stubblefeld] Adam Stubblefeld, John Ioannidis, and Aviel
+   D. Rubin. A key recovery attack on the 802.11b wired equivalent
+   privacy protocol (WEP). ACM Transactions on Information and System
+   Security, 7(2):319-332, May 2004.