Re: [Monotone-devel] netsync transport encryption?

[Cem Karan]

Poking through the Botan sources, I saw that it supports AES all the  
way through 256 bit keys, and there seems to be support for the  
various modes of encryption (CBC, CFB, etc.), so once the session  
keys are setup, the rest should be pretty easy.  I vaguely remember  
something about RSA and the  fact that you need to pass your public  
keys around in order to authenticate in Monotone which makes passing  
session keys around pretty easy.  I'm pretty sure that everyone here  
already knows how to do this, so I'm going to be really brief.  The  
algorithm I've got came out of chapter 3 of Applied Cryptography by  
Bruce Schneier.

Here is my suggestion for what to do:

1) The initiating side generates a random session key, encrypts it  
with the receiving sides public key, and sends it on to the receiving  
side.
2) The receiving side does exactly the same thing back.  This solves  
the really weird race condition where both sides want to initiate  
communications at the same time.
3) Each side uses the session key it created to set up a pipe/filter  
(got this out of the Botan docs on http://botan.randombit.net/) that  
performs compression and encryption.  Follow whatever the Botan docs  
recommend on this, and read up on what is available at http:// 
csrc.nist.gov/CryptoToolkit/ and SP 800-38A 2001 Ed (http:// 
csrc.nist.gov/CryptoToolkit/tkmodes.html).  I'm suggesting  
compression because of what Brue Schneier says about how it make  
cryptanalysis harder, and makes encryption/decryption faster.  If  
Monotone already does a good job of compressing its data, then this  
isn't as necessary (this would require testing to see what works  
faster/better).
4) Each side uses the session key it received to decrypt data on its  
receive side, and uses the key it sent on its send side.

The pair of pipes can be used asynchronously, and since the session  
keys were encrypted with the public keys of the receivers (and signed  
by the senders) both sides are authenticated (assuming everyone has  
exchanged public keys correctly prior to talking to one another).  So  
from a communications standpoint, it should be pretty easy to do all  
this.

As for encrypting the database, protecting the hosts, etc....  
truthfully, I'm not too worried about that from Monotone's  
standpoint.  I mean, is it Monotone's fault if someone loses their  
laptop, or if someone puts some malware onto a computer that acts as  
a keylogger?  As long as the communications are all solid (which IS  
within Monotone's bailiwick), then I'd say Monotone has done all that  
it should do.  The end user can think about full disk encryption,  
securing their machines, etc.

Finally, before anyone suggests I work on this myself... because of  
where I work, any code that I wrote would be legally encumbered (and  
that is according to the lawyers I just talked to here)  The most I  
can do is give general outlines of what to do.  Hope someone is  
willing to pick this up and run with it! :D

Thanks,
Cem Karan