maqp / tfc

Tinfoil Chat - Onion-routed, endpoint secure messaging system
GNU General Public License v3.0

Can TFC endpoint be used as an endpoint secure server from which data can be automatically requested? #12

Closed artiommocrenco closed 4 years ago

artiommocrenco commented 4 years ago

According to Wikipedia page "History of the Internet" (https://en.wikipedia.org/wiki/History_of_the_Internet#Networks_that_led_to_the_Internet), ARPANET started like this:

"We set up a telephone connection between us and the guys at SRI ...", Kleinrock ... said in an interview:

"We typed the L and we asked on the phone, "Do you see the L?" "Yes, we see the L," came the response. We typed the O, and we asked, "Do you see the O." "Yes, we see the O." Then we typed the G, and the system crashed ... Yet a revolution had begun" ....

... a revolution that brought us to where we are now. What about a more secure alternative? Isn't the current state of TFC close to the state of ARPANET from 1969?

In theory, can one develop a similar security model for something like watching cat videos or browsing imageboards, where each user has a private network address similar to the TFC address? That would work over the Internet (and potentially over Tor, I2P or similar). Tor and I2P are good but vulnerable. We need something in addition that makes them good.

I see that requests & replies are manually supplied by the user on different computers (in the image they are represented as laptops). Can there be an additional element, also immune to CNE, which works with both the source and destination computer, so that it would be possible for the user to interact with this element and see (and/or hear, etc.) the resulting information (e.g. cat videos)?

I am just thinking how it can become a more user-friendly and more multi-purpose (not just chat) system while maintaining the same level of protection from CNE.

What about a KVM switch + single-board computers like Raspberry Pis? What about an OpenWRT router on a Raspberry Pi instead of the "Networked Computer"?

Eventually the whole setup (without I/O devices) could EASILY look like a tiny box of mini-ATX-sized computer case and cost $100-$200 to build (having tools, knowledge and desire), no rocket-science involved.

maqp commented 4 years ago

In theory, can one develop a similar security model for something like watching cat videos or browsing imageboards?

Can there be an additional element, also immune to CNE, which works with both source and destination computer, so that it would be possible for user to interact with this element and see (and/or hear, etc.) the resulting information (e.g. cat videos)?

I'm quite sure it isn't possible. TFC's security model assumes the reply never automatically depends on what was received. It requires an analog input to ensure exfiltration security. If you wanted to get a cat video, you would have to send some operator a message and ask for a cat video. The person on the other end would then have to get a cat video from a safe source to prevent infection of their Source Computer. That would pretty much require they film it and import it directly from the camera to the Source Computer -- because if they were to obtain it from another computer (perhaps one that is connected to the Internet) and to move it to their Source Computer, that alone could ruin the endpoint security model. TFC works when e.g. a journalist wants to send photos from their camera to a newsroom (that has a printer connected to the Destination Computer to reduce the chance of key exfiltration). TFC cannot operate as a server because a server has an automated reply mechanism. The moment you automate the Source Computer to act on what the Destination Computer receives, you introduce a channel that might infect the Source Computer and cause it to spit out keys to the Networked Computer.

Isn't the current state of TFC close to the state of ARPANET from 1969?

So to answer this, TFC does what the architecture allows it to do. You could of course implement many niceties like a GUI, and a faster data diode would enable stuff like (video) calls, provided there were libraries for that. It's a slow work in progress.

Tor, I2P are good but vulnerable.

That's why TFC's confidentiality doesn't rely on security of Tor. Tor provides the anonymity layer and Onion Services allow NAT punching. No networked endpoint is guaranteed to be secure, ever, so you have to rely on security updates.

We need something in addition that makes them good.

That's why TFC is being developed. It ensures messages have confidentiality/integrity/authenticity even if Tor were compromised. The metadata about who talks to whom might be compromised, but TFC can help with hiding the type, quantity and schedule of communication. If there's a way to make Tor safer, it's not in TFC's domain.

What about a KVM switch + single-board computers like Raspberry Pis?

It would depend on how mechanical the KVM is -- are the peripherals physically disconnected from one device before being plugged into another. Also, HID devices are a huge security risk, see USB Rubber Ducky. If the Destination Computer receives malware through the data diode that reprograms the keyboard to type a sensitive key and press Enter immediately after the user has typed e.g. "Hello Bob" and pressed Enter, it invalidates all security. This is because of computers' inherent trust towards HIDs. It would probably require dumb hardware such as old PS/2 keyboards -- but I'm not an expert in this area, so I'm not saying that's all it takes, or that it's even a valid solution. If you use netbooks for Source/Destination Computers, you'll get a nice integrated per-device keyboard, mouse, battery, and display. They'll even throw in the charger.

Also, if you look at how the US does it, all networks are isolated with dedicated peripherals. It looks like an older image and if it wasn't safe back then, I'm quite sure it isn't safe now.

As for RPis, the CPUs nowadays sandwich a WLAN chip inside, so I don't think the Destination Computer can be reliably airgapped. See e.g. NSA's SOMBERKNAVE software implant page 24 that phones home over any open Wi-Fi network. (It's for WXP but they've had 12 years to write one for Linux.) It's possible to use SoCs, but as I've said earlier, once you add a fast SD card, a decent display, peripherals, a battery and a charging solution for it, the price difference compared to cheap netbooks isn't worth the hassle IMO, even if you used earlier generation RPis or other SoCs that could be air gapped.

Eventually the whole setup (without I/O devices) could EASILY look like a tiny box of mini-ATX-sized computer case and cost $100-$200 to build (having tools, knowledge and desire), no rocket-science involved.

It's probably not possible at that price point. The data diode alone can cost about 80 US dollars (much less if the SoC has UART) -- which is dirt cheap compared to commercial devices. You'll also want decent displays (I've tried cheap RCA-connected car rear view screens with RPis but they just hurt my eyes) and dedicated peripherals. So again, my recommendation is two airgappable netbooks of about $200 each plus the data diode. That sets you around the price of the phone you replace every few years.

I am just thinking how it can become a more user-friendly and more multi-purpose (not just chat) system while maintaining the same level of protection from CNE.

So my conjecture is this: Making a usable endpoint secure chat system is comparable to putting the man on the moon. Making an endpoint secure server system is comparable to putting the man on the sun. Securing chats alone is a big goal and just because there are limitations doesn't mean there isn't huge value in doing what can be done -- protecting our communication.

artiommocrenco commented 4 years ago

Thanks for this great answer and I see that a lot of research went into developing TFC.

However! Are you saying that one can not use TFC to search for cat videos?

As a typical user, I would like to both chat and watch cat videos.

What I care about is that my chats are not compromised after me watching cat videos, and that my cat video watching habits are not known to those with whom I chat. I don't really care that instead of me getting a cat video I can get the "Never Gonna Give You Up" video; with the Internet this should be expected.

I mean person-to-person chat is awesome. What about chatbots on the other end?

/search google cat videos
/search bing cat videos
/search duckduckgo cat videos
/search wikipedia History of the Internet

You will type it on the source computer, and get a response on the destination computer. Every request should not be traceable (by means of a unique ID) to the author of the previous one.

Yes, one of the cat videos can encrypt your PC some day. Or you can get a 1st April joke picture from the NSA instead of cat videos. But at least no exfil of chats is possible (not taking into account RF and other channels).

maqp commented 4 years ago

However! Are you saying that one can not use TFC to search for cat videos?

Sorry if it wasn't clear. With the architecture, no, you can't have an automated system to request cat videos from a server.

But you can have other personal services. For example, you can have a backup system to which you can send data over the network. Note that you can't request the data remotely, you can only access it later physically. But maybe that's a good thing, if e.g. you need to ensure your photos can't be deleted when you cross the border to leave some oppressive regime. (Edit Dec 2022: Getting a bit tired of predicting our dystopian future: https://twitter.com/MsMelChen/status/1597807914395500545)

As a typical user, I would like to both chat and watch cat videos.

What I care about, is that my chats are not compromised after me watching cat videos.

You can watch cat videos on the Internet with the Networked Computer. If the computer's running Tails, Tor will anonymize you viewing the videos. But if someone has hacked the Networked Computer, they can see you watching the video. However, at that point, thanks to the architecture where messages are encrypted on the Source Computer side, the attacker can't see the content of the messages.

If OTOH your contacts who have cats are willing to film and send you cat videos, it's entirely possible to receive them over TFC and watch them on the Destination Computer. Just don't expect video services to employ people who import and send videos to you over TFC.

What about chatbots on the other end?

You will type it on the source computer, and get a response on the destination computer.

A chatbot is again one type of server. The bot would have to react to the command you send to the recipient's (whose bot is running) Receiver Program, and the bot would also have to control the Transmitter Program of the person running it, in order to reply to you with the requested data. This would require the bot to be located on both the Source Computer and the Destination Computer, and there would have to be a direct link from the Destination Computer to the Source Computer so the bot can also output data. This has the problem that the bot on the Source Computer is acting on commands from the internet. This invalidates the endpoint security that the project is all about: if the bot is hacked by exploiting some vulnerability, it can send keys from the Source Computer to the Networked Computer.

In theory, the bot could run on the contact's Networked Computer and operate solely on encrypted data. It could e.g. send you some cached ciphertext containing a cat video if requested, but that would require you to know the random-looking ID for the file you're requesting. To explain this requirement: if you could send the recipient's Relay Program a "/send all encrypted cat videos" command, the bot could match those search terms to some table that contained e.g. file names and hashes of the ciphertexts.

brown_cat.mp4 : 7a322ba6e212a951055fa1d576cc39c437a8ffeaca4d7ff77a3a60368bcacf7f   // sent because file has word cat in it
black_cat.mp4 : 767bd98f73e9c240e9e9dd3035cb490761fff5c7716a7f701b2b5c631384b54e  // also sent
white_dog.mp4 : 0ae772bc903e08af32b7bfd5bee5f44166f7442a518ea291b0dc3c9267c6e805  // not sent
...

The bot could then send your Destination Computer the ciphertexts that matched the search terms. But like you said, you won't know beforehand if the bot returns you a Rick Astley video instead. The problem here is, any adversary who has compromised the Networked Computer running the bot would obtain metadata about what you're requesting from it by looking at the search terms it receives. Even if the bot creator hashed the search terms before outputting them as a table from the Source Computer, the attacker could still build a massive rainbow table of likely search terms. You'd need to use keyed hashes, and those require the maintainer of the bot to send you the key over TFC. So again, it can't be made fully automatic. The problem would also be that hashes and keyed hashes will only match an exact search term.

Even if we assume we can solve the search problem, the problem would be that the decryption key for the cached files would have no forward secrecy, and that the operator of the file server would have to send you the key that encrypted all the files, and that could only be done with the Source Computer. If the decryption key (or key for keyed hashing) can be obtained from the bot on the Networked Computer, that would mean anyone who hacks the Networked Computer can also decrypt the files or build the rainbow table. At that point you might as well just watch YouTube from the Networked Computer over Tor.

So if you'd throw away the forward secrecy requirement, you could build a semi-automatic server for requesting files. But it'll never be fully automatic: each user needs to be attended by a human at least once to share the necessary keys and, prior to that, to complete the TFC key exchange (i.e. to input your X448 public key to their Source Computer and to verify your key fingerprints so they know to whom they're sharing the file decryption keys).
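The search-term leak and the exact-match limitation described above, as an added illustration (example code, not TFC's or the project's own): a constructed three-file table is indexed by unkeyed SHA-256 of each term and, separately, by HMAC-SHA256 under a key that would have to be shared over TFC. An observer on the Networked Computer who sees an unkeyed tag recovers the term from a small dictionary of likely searches; the keyed tag gives nothing without the key, and "cats" still matches nothing either way.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the bot's file table (not TFC's data).
FILES = ["brown_cat.mp4", "black_cat.mp4", "white_dog.mp4"]
# Constructed dictionary of likely search terms an observer would try.
LIKELY_TERMS = ["cat", "dog", "kitten", "video"]


def tag(term, key=None):
    """Unkeyed SHA-256 when key is None, otherwise HMAC-SHA256 with the key."""
    data = term.lower().encode()
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_index(files, key=None):
    """Map the tag of each word in a file name to the matching file names."""
    index = {}
    for name in files:
        for term in name.rsplit(".", 1)[0].split("_"):
            index.setdefault(tag(term, key), set()).add(name)
    return index


def query(index, term, key=None):
    """Lookup as the bot would do it: only an exact term matches."""
    return index.get(tag(term, key), set())


def recover_term(observed_tag, guesses):
    """What an observer on the Networked Computer can do with a tag it saw:
    try likely terms with the unkeyed hash. Without the HMAC key, keyed
    tags cannot be matched this way, so the search term stays hidden."""
    for guess in guesses:
        if hmac.compare_digest(tag(guess), observed_tag):
            return guess
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # would have to be delivered over TFC
    print(query(build_index(FILES), "cat"))             # both cat files
    print(query(build_index(FILES), "cats"))            # empty: exact match only
    print(recover_term(tag("cat"), LIKELY_TERMS))       # 'cat' leaked
    print(recover_term(tag("cat", key), LIKELY_TERMS))  # None
```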

johndoe-validator commented 4 years ago

Hello @artiommocrenco, sorry, but I think that TFC is not for usual cat-watcher users. Let me explain what I mean: Tor is a user-friendly project and anyone can download the Tor Browser -> automatically get access to the Tor network/bridges -> receive safe web surfing. But because the Tor project is easy to use, some users started using it for downloading torrents etc. And that's a problem. For so-so security chatting, cat videos and homemade photos, usual cat-watcher users could use Telegram/Signal/WhatsApp. TFC for me is a system for users who want to receive the maximum available safety and security without using third-party products from big companies etc.

Hello @maqp, thanks, as I understood, you prefer to use 3 small laptops + diode instead of 1 laptop + 2 SoCs + diode. I think for persons who often change their location it will be better to have 1 laptop + 2 SoCs + diode, but I keep thinking about it. Maybe I will create a small guide in the future on how I realized this idea for my partners and me. Anyway, thank you.

artiommocrenco commented 4 years ago

@maqp @johndoe-validator thanks a lot for such clear responses, I think some parts of my questions & @maqp's answers can be worth adding to the FAQ.

For me there is no doubt that TFC is the most secure messaging system by design, well done!

maqp commented 4 years ago

@artiommocrenco I agree this is an important question and you're not the first one to ask about it so I added it to the FAQ. I edited your ticket title to hopefully better reflect what the discussion was about, and to make it easier to correlate with the FAQ question.