Developers.Idea.Unblockable

From Shareaza Wiki
Revision as of 23:02, 21 February 2010 by Old death (talk | contribs)

Unblockable

This is a one-act play by Zootella. [1]

Cast of Characters

Mark is the IT manager of a large organisation. His mission is to protect the computer users from themselves. He helps people with Excel and e-mail attachments. He reads eWeek magazine, and likes it. He has an unlimited budget and an army of lower level IT minions at his call.

Sven is our hero. He wishes that Mark would stop telling him to install Windows XP Service Pack 2. He is totally responsible for his personal computer, and actually knows how to use it. He thinks the Internet should be end-to-end. Every connection to it should be the same. It should move data from one computer to another quickly and without getting in the way.

Sven wants to run Gnutella software on his computer. Mark wants to make this impossible. Sven can program the leading Gnutella client, and even change the Gnutella network. Mark can design, buy and install anything between Sven's computer and the Internet.

Scene I: Being Externally Contactable

Sven: Can I have a real IP address on the Internet?

Mark: No.

Sven: Can you forward a port from one to my computer?

Mark: No.

Sven: Can you turn UPnP back on?

Mark: No.

At this point, it looks like Sven is not going to be able to be externally contactable on the Internet. I'm not sure if there is some UDP trick that might still trip Mark up, but will write more here if I find out about it.

Scene II: The Port Number

Sven: I am contacting other computers running Gnutella on port 6346.

Mark: OK, I am blocking all outgoing traffic to port 6346.

Sven: I have redesigned all the clients to choose a random port every time. We won't sit neatly on 6346 for you to block us anymore.

Mark: Damn you.

Most Gnutella traffic is still on the default port, 6346. It is far too easy for an ISP or IT department to meter or block traffic labeled with this port number. Shareaza and other clients should start choosing a random port number instead.

Scene III: Stateful Packet Inspection

Mark: Alright, now I have purchased a really expensive stateful packet inspection firewall. It looks at the handshake. If the first bytes a computer wants to say to another are "GNUTELLA", it blocks them from communicating. Port numbers don't matter at all anymore. Get through that.

Sven: My new Gnutella client contacts a remote peer as though we were a Web client and Web server making a totally normal page request. All the headers are HTTP and exactly like the Web. Then, we set up communication for HTTPS, also exactly as the Web does. Once the socket is encrypted, then we start talking Gnutella.

Mark: I've set up the network so the root certificate for HTTPS isn't on your computer, but mine. This lets me look at HTTP and HTTPS traffic.

Sven: I've formatted my computer and installed Windows again to get the HTTPS certificate back on my computer.

Mark: My firewall won't even give your computer a connection unless it has the root HTTPS certificate. Also, I have a new firewall that can just plain break HTTPS, as the encryption that makes it work is well understood and not very strong.

Sven was not able to hide behind HTTPS.

Scene IV: Disguising the Handshake

Sven: The very first thing a computer says to another is GNUTELLA. This is just screaming "block me!" I've changed it to just G.

Mark: OK, now I'm blocking just G.

Disguising the handshake doesn't work. Whatever Sven's computer sends first, the remote computer must be able to understand it. And if the remote computer can understand it, so can Mark's firewall.

Scene V: Just a Normal Web Request

Sven: Now my computer wants to make a normal Web request.

Mark: I see it. It looks like this:

<source lang="c">
-HTTP Web Headers
-Blank Line
-Content Body
</source>

It looks like Sven just clicked a link in Internet Explorer to download a big file. The headers are exactly right. They don't say GNUTELLA or talk about Ultrapeers or anything like that. The content body looks like nonsense bytes, but this is just the start of the file. I can't block this.

Sven: The HTTP Web Headers are decoy headers. They are not used at all. They are just there to confuse you. I can make them anything, and change them at any time. No information in them is useful to me.

When I found out I could try connecting to this computer, I got 3 pieces of information about it:

  1. IP address and port number
  2. GUID on the Gnutella network
  3. Key for symmetric encryption

I use the key to remove the encryption from the content body. Now everything looks like this:

<source lang="c">
-HTTP Web Headers (decoy headers)
-Blank Line
-Content Body (is actually)
    -Gnutella handshake
    -Blank line
    -Gnutella packets
</source>

Mark: My firewall is fancy. I can decrypt the content body and find the Gnutella handshake there too.

Sven: No, you can't. The key isn't passed anywhere in this communication, so you don't know what it is.

Mark: You have beaten me.

A fancy way to program all this would be to use a separate encryption key, and the Windows CryptoAPI. An easy way to program all this would be to just shove the GUID into the zlib stream at the start, seeding and offsetting all the data that follows.

Scene VI: Public and Private Keys

Mark: Why is this play still going on? You know I can't block you.

Sven: Yes, but I've thought of an even better way to do it. This way, I don't have to go out of band to do the key exchange. Each computer sends this to its neighbour:

<source lang="c">
-HTTP Web Headers (decoy headers)
-Blank Line
-Content Body (is actually)
    -Public key
    -Encrypted stream (decrypted to)
        -Gnutella handshake
        -Blank line
        -Gnutella packets
</source>

The computer initiating the connection puts together some decoy headers that make it look like it's doing an HTTP POST to a Web server to download a big .zip file. The receiving computer replies with some decoy headers that make it look like it has the binary file, and here it comes. Nothing in the decoy headers matters as far as the real Gnutella communication the computers will later perform is concerned.

Each computer puts its public key in the start of the content body. The public keys are different, and there is nothing about them that makes them look like public keys. So, Mark can't notice them. The public keys have a predefined size, so each computer knows how many bytes to read. The encrypted stream begins immediately after the public key. To Mark, it all looks like bytes of the same big binary file.

Once a computer has received its neighbour's public key, it uses it to encrypt the Gnutella handshake, and sends that down the wire. This begins the encrypted stream. Only the matching private key can decrypt the stream, and only the receiving computer has it. So, Mark can't break the encryption.

Mark can't tell that Sven isn't just browsing the Web. Sven can negotiate the Gnutella handshake and exchange Gnutella packets without having to change them at all or worry about their detection.
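As an added example (not code from the page, from Zootella or from Shareaza), the following Python sketches the inspecting side of Scenes V and VI: it splits the decoy HTTP reply into headers and body and checks whether the body actually looks like the .zip download the headers claim. The sample message, the zip magic check and the entropy heuristic are my own assumptions about what a content-aware firewall would look at, not anything the page specifies.

```python
import math
from collections import Counter
from typing import Dict, Tuple

ZIP_MAGIC = b"PK\x03\x04"   # a genuine zip body opens with this local-file-header magic

# Constructed sample of Scene VI seen from the inspecting side: decoy headers
# claiming a .zip download, then a body that is really an opaque key plus an
# encrypted stream (stood in for here by deterministic pseudo-random bytes).
DECOY_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/zip\r\n"
    b"Content-Length: 64\r\n"
    b"\r\n"
    + bytes((i * 131 + 7) % 256 for i in range(64))
)

def split_http(raw: bytes) -> Tuple[bytes, Dict[str, str], bytes]:
    """Split a raw HTTP message into (start line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0], headers, body

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def inspect_reply(raw: bytes) -> Dict[str, object]:
    """Inspector-side check: does the body look like what the headers claim?"""
    _, headers, body = split_http(raw)
    claims_zip = headers.get("content-type") == "application/zip"
    magic_ok = body.startswith(ZIP_MAGIC)
    # A real zip opens with a structured, low-entropy local-file header; a
    # body that is high-entropy from its first byte is consistent with an
    # opaque key followed by ciphertext, as the page's Scene VI lays out.
    return {
        "claims_zip": claims_zip,
        "magic_ok": magic_ok,
        "leading_entropy": round(entropy(body[:32]), 2),
        "suspicious": claims_zip and not magic_ok,
    }
```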

fin.