thaliproject / Thali_CordovaPlugin

Thali p2p plugin
MIT License
226 stars 44 forks

We do not have perfect forward secrecy #707

Open yaronyg opened 8 years ago

yaronyg commented 8 years ago

To actually connect two devices we use data from the discovery process to generate a secret that is then used with TLS PSK. Ideally we should be able to provide perfect forward secrecy. But the algorithm used to generate the PSK uses static entries based on the device's public keys. This means that an attacker can record a TLS session and if the attacker can later get one of the devices to give up its public key it should be possible to regenerate the secret and retrieve the session contents.

We were well aware of this threat when the discovery system was designed and our assumption was that we would use one of the TLS PSK cipher suites that provides perfect forward secrecy by introducing an extra set of ephemeral keys. Any of the ECDHEPSK* suites would do nicely.

The problem is that the version of OpenSSL used in JXcore is so old that it doesn't support any of those suites!

The only sane solution to this problem is to upgrade the OpenSSL version we use with JXcore to one that supports an appropriate cipher suite.

If anyone suggests adding perfect forward secrecy to the discovery protocol directly rather than using the existing facilities in OpenSSL, please ask them to consider a different line of work than security. We already committed a grave sin by implementing the Discovery cryptographic protocol (we didn't have a choice; there is literally nothing available off the shelf to match it); extending it to support forward secrecy would just be irresponsible. This is a complex area and we need to take advantage of existing, well-tested code, not inventing our own solutions.
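To make the forward-secrecy point above concrete, here is an added example (not the plugin's code; the derivation is a hypothetical stand-in and the function names are assumptions): a PSK computed only from long-lived X25519 identity keys, and beside it a session key that also mixes in a per-session ephemeral exchange, which is what the ECDHE-PSK suites add inside TLS.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must unwraps (value, error) pairs; every failure in this demo is fatal.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// newKey generates an X25519 key pair, used for both identity and ephemeral keys.
func newKey() *ecdh.PrivateKey { return must(ecdh.X25519().GenerateKey(rand.Reader)) }

// kdf stands in for a real KDF: HMAC-SHA256 keyed by a label over the secrets.
func kdf(label string, secrets ...[]byte) []byte {
	m := hmac.New(sha256.New, []byte(label))
	for _, s := range secrets {
		m.Write(s)
	}
	return m.Sum(nil)
}

// StaticPSK derives the PSK from the two long-lived identity keys only (a
// hypothetical model of "static entries based on the device's public keys").
// Either identity private key plus the peer's public key recomputes it later.
func StaticPSK(identity *ecdh.PrivateKey, peer *ecdh.PublicKey) []byte {
	return kdf("static-psk", must(identity.ECDH(peer)))
}

// PSKOnlySessionKey models a plain PSK cipher suite: the session key depends on
// the PSK alone, so every recorded session falls together with the PSK.
func PSKOnlySessionKey(psk []byte) []byte { return kdf("psk-session", psk) }

// ECDHEPSKSessionKey models an ECDHE-PSK suite: a fresh ephemeral X25519
// exchange is mixed in and its private key is discarded after the handshake,
// so the identity keys alone no longer yield the session key.
func ECDHEPSKSessionKey(psk []byte, eph *ecdh.PrivateKey, peerEph *ecdh.PublicKey) []byte {
	return kdf("ecdhe-psk-session", psk, must(eph.ECDH(peerEph)))
}

func main() {
	a, b := newKey(), newKey() // long-lived identity keys
	psk := StaticPSK(a, b.PublicKey())
	ea, eb := newKey(), newKey() // fresh per-session ephemeral keys
	fmt.Printf("psk-only  session key: %x\n", PSKOnlySessionKey(psk))
	fmt.Printf("ecdhe-psk session key: %x\n", ECDHEPSKSessionKey(psk, ea, eb.PublicKey()))
}
```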

yaronyg commented 8 years ago

Once #741 is resolved then hopefully this bug goes away.

yaronyg commented 8 years ago

We either get this for free because we get the right cipher suite or we can't do it.