[olsr-dev] Implementing an attack into olsrd
Mon Jun 19 17:44:54 CEST 2006
-----BEGIN PGP SIGNED MESSAGE-----
Sven-Ola Tuecke wrote:
> using Pub/Priv keypairs is not really an option:
> - U need the openssl/matrixssl lib installed (>1Mb footprint)
I think there are smaller libs available, or it could be reduced
dramaticly by stripping out stuff which isn't needed. rsa, some sort of
hash algorithm and a symetric cipher should be enough.
> - Much cpu overhead to calculate keys each time you receive
> a message (no hardware enc in the WRT), this will kill any
> embedded box > 2 neighbours.
Using rsa for every message isn't a good idea. Nobody uses it that way ;)
You would need some sort of protocol handshake once in a while (like
every hour) where nodes exchange a key which will be used for a symetric
cipher. The messages received will be hashed (a very simple one with
enough entropy should do it) and this hash xored with the symetric key
from the exchange. If the key exchange is often enough, even small keys
and a not very crypto save but fast hash function should be save enough.
msg = payload + counter + hash
hash1 = hashfunction(payload + counter)
hash = hash1 xor key
counter avoids having timestamps for delyed and duplicated delivery attacks.
every message those counter is smaller then the last received will be
> - Need to fiddle with all neighbours to fetch their pubkeys ->
> mesh network is not open any more / very hard to handle
> the org. Need to setup an Key-Expire-Infrastructure too.
What must have some sort of distrubution is the key revocation list. But
this is not so much a problem, because this list would simply be signed
by the ca itself. Because you will have to get the ca key trough some
other channel (like the webpage or embedded in your firmware, you can
always if the list is correct).
> I think it is more effective, to spot the location of a new
> vandal and make a personal visit with a couple of mesh
> members. In most cases this will be more easy than on the
> internet - Wifi range isn't too large...
Thats a option, too
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: GnuPT 2.7.2
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the Olsr-dev