Page 1 of 2 12 LastLast
Results 1 to 10 of 19

Thread: secure P2P

  1. #1

    secure P2P

    Found this article, After the previous discussions, i thought that being out numbered
    5 billion to 1, i would post it to provide some info for the many people involved in P2P.

    With the copyright police increasing its monitoring of popular file-sharing networks like KaZaA and eDonkey, savvy users are turning to WASTE, a new program that relies on file encryption and ad hoc networks of trusted members to escape prying eyes.What makes WASTE different from other file-swapping systems is that it has no central server. Instead it operates as a mesh in which each user connects to a few other users to form a loosely-structured P2P network. However, this group is virtually impenetrable to anyone who hasn't been specifically authorised to join the group using PKE(public/private key encryption) technology. PKE encryption in general works like this;each user has two keys---a private key and a public key. The public key can be given out to anyone, because it only allows them to encrypt a message to you. The same public key cannot be used to decrypt that message. Once you've received the message, you decrypt it with your private key, which you never disclose. WASTE uses public keys to ensure that each user is known on the network, and bona-fide. As each public key is unique, and linked to the private key stored in your copy of WASTE, there's no chance that someone can pretend to be you in order to gain access to the network. The initial setup of WASTE guides you through creating a unique username and private key, as well as automatically generating a matching public key. To be accepted onto a network of WASTE users, a member of that group has to email you their public key, which is simply a block of what looks like random letters and numbers. This is entered into your WASTE client software through the Preferences panel's Public Keys section---the same location to which you export your own public key so it can be shared with someone else. If you're not too concerned with security and are just curious, there's a database of public keys at You'll also need to submit your public key there and wait for at least one other user to manually add your key to their system. Alternatively, you can chat to other WASTE users on IRC. Join the WASTE channel on the http;// server and swap your public key with anyone who's online at the time. To connect to a network of WASTE users, enter the IP address of one user with whom you've swapped public keys into the WASTE connect box. You'll also need to open port 1337 on your firewall, which is the port used by WASTE( this is a joke on the part of WASTE creator Justin Frankel, as 1337 is hacker-speek for "leet"---shorthand for "elite") Once you've both swapped keys, you'll be accepted as a trusted member of the network and permitted to make connections to other people on the same network, because your key is automatically broadcast to the rest of the group and added into their copy of WASTE. You can brows other users' directories, search for specific files,and also chat using the WASTE chat client. Chat sessions and file swapping goes directly between the active computers rather than via the central server. When you start a file transfer it's encrypted using the fast but secure, open source "Blowfish" model to protect you from monitoring. Even 128- bit encryption is vertually crack-proof through brute-force, so you can be certain that any files you transfer, and any discussions you have with other users, are completely secure. Of course, one weakness in WASTE's security model is that it's easy for other users on the same network to get hold of your public key. If you're worried about this, simply reject other users' public keys. Remember; if both of you don't have each other's public keys, neither of you can connect and view what's on the other's computer. To do this, open Preferences, select Pending keys, then remove the tick from Auto-accept broadcasted public keys. The latest WASTE client for Windows is included on this months cover cd set. ( i will post this after posting) There's a Mac OS X client in development that allows encrypted chat and file serving but not downloading from other users( you can find it at A command-line Linux version is in alpha developmentat http;//

    You can download WASTE here

    You can also read more here

  2. #2
    Hmmm ... they make a lot of claims. I suppose that would work best from a home system on a DSL or cable. Intalling that app on a workstation in a network would cause no end of problems, especially in one like mine that uses Kerberos/IPSec and a Certificate Server. It would probably get the workstation kicked off the network and one of use net-dudes would have to go kill a user and then clean up the mess.

    Don't go passing strange keys around in someone else's network.

  3. #3

    Lightbulb A Casual Observation

    Having some experience in security and encryption, I find this article's explanation a bit disturbing.

    If it is, as it states, a shared key community, then that means the community has and is aware of a key.

    What makes KaZaa and Gnutella work is the fact that so many users are able to connect to each other.

    If everyone has to have a key to access the network, suddenly the available hosts from which you can download a file is DRASTICALLY reduced.

    If everyone HAS the key, then the monitoring software will as well. As is the standard, I'm sure the software will use a specific port, or allow for the specification of another port in the original negotiation, so someone who wants to monitor the communication will be able to, if they have the key.

    The moral of this story...
    If only a few people have the key, then there are fewer files available.
    If lots of people have the key, then the monitors will as well.

    Encryption that creates a separate key per connection would be one answer, but the processing overhead would probably be prohibative.

    Another answer would be binary segmentation, basically jumbling the file even before it is transferred, so recombining the TCP packets would not match any signature, since it is not raw data, and not processing intensive encrypted data, but just jumbled with the key as part of the data.

    Yes, that could be broken easily, and there is no easy answer, but as far as blind sniffing of packets, with some re-assembly based on ports, jumbling would be as effective.

    I just perused the source for the linux version, and it is a very nice try. One obvious problem? Now that you have created a key, and that key is yours, guess what? Its yours. You can't say that someone hijacked your machine, or that they spoofed your IP. Your key is YOURS.

    I'm not sure that's a great idea.

    Also, once someone is accepted into the network, it broadcasts the key outward to others who, if they have the default setup, will accept connections from that key.

    And since you have a unique key that identifies YOU, and each connection is, in essence, an authenticated transaction, there seems to be NO way to claim ignorance or that it wasn't you.

    If you DON't accept the keys, then you are limited to a very small group of people with which to share.

    No, I\'m not interested in developing a powerful brain. All I\'m after is just a mediocre brain, something like the president of American Telephone and Telegraph Company.
    -- Alan Turing on the possibilities of a thinking
    machine, 1943.

  4. #4
    Senior Member
    Join Date
    Jun 2003
    The idea of waste is probably a little overboard , but really it is the classic and proper response to being "attacked". The formation of "cells"/decentralization is very important and ceates a very hard target for RIAA and such as the expense/time for them to infiltrate would be very high and prohibitive.Private ftps is probably a better solution than waste, standard, less overhead, easy control of use.... Personally i was thinking of setting up a proxy in a "safe country" and charging $ for USians to make use of it. Good business idea possibly or good way to be sued into oblivion by a billion dollar company?
    Do unto others as you would have them do unto you.
    The international ban against torturing prisoners of war does not necessarily apply to suspects detained in America\'s war on terror, Attorney General John Ashcroft told a Senate oversight committee
    -- true colors revealed, a brown shirt and jackboots

  5. #5
    Join Date
    Aug 2003
    If everyone has to have a key to access the network, suddenly the available hosts from which you can download a file is DRASTICALLY reduced.
    Have to agree w/ u on that one.

    Sound like a good prog

  6. #6
    Purveyor of Lather Syini666's Avatar
    Join Date
    Aug 2001
    I can say from experience that having fewer keys out there doesnt mean less being shared. In two or three users you can easily have about 40-60gb, especially if the people are heavy downloaders. In fact I know of one user that has at least 30gb of shared material, so if you have two or three people like that, you set as far as downloads go, the main problem is influx of new material into the network, which either means someone has to buy or copy the matrial, and rip it to the hdd. WASTE isint as much overhead as you would think, I run it on a 1.5ghx Xeon with 1024Mb of RAM, along with other apps, and i hardly notice any slow down, and it doesnt bother my bandwidth either. The only noticable part is when doing the IMs, it encrypts it, sends, and verifies that the message was recieved, which only takes half a second i think. If your paranoid about the RIAA snooping onto you, WASTE is definately the way to go imho.
    You're not your post count, You're not your avatar or sig, You're not how fast your internet connection is, You are not your processor, hard drive, or graphics card. You're the all-singing, all-dancing crap of AO
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

  7. #7
    Senior Member
    Join Date
    Jun 2003
    on the same topic APC magazine october issue has an article regarding motherboards with built in encryption which come with bootable case you dont have it hard disk is no readable.on the same magazine monthly disc you can find a waste 1.1.
    have a look at if interested
    have fun

  8. #8

    Exclamation One other option...

    I've been using the CryptoAPI top encrypt my file system. Since it isn't broadcast, and it is only dependant on your processor as to how much overhead you can afford, using a 1024bit encryption algorhythm on your filesystem makes it ALOT less likely that once then subpoena your disk, that they will have any evidence.

    Even local accounts don't have access.

    if you are so enclined, you can put a passcode protected program into your boot script for the admin/root user, and if answered wrong, can do a quick format of the filesystem (separate partitions are great) if it is answered incorrectly.

    paranioa is fun!

    P.S. my password is an MD5 checksum of a particular file plus a few characters. Even I don't know what the password is.
    No, I\'m not interested in developing a powerful brain. All I\'m after is just a mediocre brain, something like the president of American Telephone and Telegraph Company.
    -- Alan Turing on the possibilities of a thinking
    machine, 1943.

  9. #9
    Junior Member
    Join Date
    Sep 2003

    Thumbs up A mixed bag of results

    I have been and continue to be a Kazaa user. I'd say a majority of my data has come from the fasttrack network in one form or another.

    That having been said, I've gone to great pains to setup a dedicated waste server for my particular circle of friends, and I've found that the private sharing on waste to be in some ways superior to that of the files found on fasttrack.

    For example, most movies whether they are unsteadycam captures at a local theatre or rips direct from DVD usually go through a certain ammount of degredation during transfer. This is normally not a problem, except when that one file has been traded more than half a dozen times. On fasttrack, it's concievable that a file will change hands at least 10 times before it enters a user's sphere of influence. There are also a few other dynamics that promote sharing files of inferior quality, usually based solely on when the "l33t 0-day \/\/ar3z and /\/\0vi3z" are released.

    Yet with waste, not only am I assured of personally knowing the person I'm trading with, (And one of my requirements for trading keys with someone is that it be done face to face, just like a good ol' PGP party) but I can be relatively sure that the files will conform to a high level of quality. (This is not typical for your average user, but most of my crowd are avid infojunkies, and take great pains to insure good rips.)

    Another benefit I've noticed is in transfer speed. I suspect that this is due to most of my network being supplied by broadband connections, once again due to most of my friends taking media VERY seriously.

    I guess waste isn't a superior form of P2P, but I will say that I appreciate being able to connect directly with people I know to be immediate friends. And perhaps making P2P more community-based instead of having a free-for-all will be a better move anyhow. At least, those of us who use the technology and take it seriously arn't going to let it die... not without a fight anyway!

  10. #10
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    I just want to point out in respect to turing_machines post, this is the use of public/private key encryption. No one will be able to monitor you whether they have a key or not. The public key which is shared can only ENCRYPT data not De-crypt. This means any traffic will be encrypted and render useless to anyone except the PRIVATE key holder (you). Having the public key will not help you other than to encrypt the data before transmitting to the reciever. And as far as the key belonging to you, what does that mean? Its not a drivers license, its a block of numbers and letters, that doesnt mean anything to anyone except you- and you can change keys whenever you want.

    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts