rns.recipes

Folks a very random thought and question about RNS traffic, LoRa (or any radio) and privacy.

Assumptions:

• Link requests contain the destination and random Link ID keys in the clear. Not encrypted.
• Link proofs are signed by destination keys and can be verified = always tied back to the destination (keys known from the announce, routers need them to validate the proof).
• Packets with Link IDs can be tracked like breadcrumbs hop by hop.
• Transport path resolution is not encrypted and can be tracked hop by hop (breadcrumbs with same destination and return Transport IDs).
• Announces are not encrypted and contain the public keys + Transport ID.

Now the problem:

Transmitting all of that over the radio is prone to traffic analysis via https://en.wikipedia.org/wiki/Signals_intelligence#Direction-finding or https://en.wikipedia.org/wiki/Time_of_arrival

Governments do have networks of listening stations and essentially "unlimited" resources for stuff like https://www.rohde-schwarz.com/us/products/aerospace-defense-security/radiomonitoring-systems_334287.html

Motivated individuals can perform that too with SDR devices and a bit of https://en.wikipedia.org/wiki/Wardriving and its expansion to https://www.rtl-sdr.com/aeda-crowd-sourced-rtl-sdr-spectrum-analysis-and-tdoa-direction-finding-platform/

Conclusion:

The attacker will not know the content of the messages, but will identify who is talking to whom. Neither Transport ID, nor Link ID are cryptographically linked to the user identity, but RDF will link them together spatially, all the IDs will originate and return to a single physical location.

The original RNS can use alternative transports that are not that easy to watch (for individuals). But LoRa is pretty much line of sight, the hops are short and easy to follow to the source.

Am I right in thinking that this poses a de-anonymization risk? Once "they" know a person, cryptography provides no protection - https://www.explainxkcd.com/wiki/index.php/538:_Security

More ideas:

• Can you record an Announce of destination and replay it from somewhere closer to your subject of interest to effectively redirect his traffic through your node?

• Could you use that to perform a Man in the middle attack in case the subject is not validating the destination keys via an independent side-channel?

I have written many times in the Matrix room about this. The R&S systems are just one of the prime examples of the capacity (there are at least 4 other brands, far more unknow widely), but most people do not realize they have been intertwined with very sharply tuned AI capability for wideband analysis and RF data collection, and are more than capable of real-time tracking and identifying transmitters even by fingerprinting their PA distortion patterns. Your worries are valid, but this is not something we could stand up against. LoRa uses state regulated and controlled spectrums, and that's it. If they decide to wipe the spectrum efficiently, they can without any trouble at all, the capacity is there. Also, for example, blocking non-standard TCP ports over internet AP's will just stop RNS dead in it's tracks, as I witnessed myself a week ago, while travelling for work - the office guest-network just blocked it all. Up to now for me RNS has been and is still a "peacetime" alternative. Building a truly resilient network, independent and capable to withstand duress - this has never been on the table. This is an art few master and the work done behind closed doors on actually disallowing this to become reality for the masses and not just for a commercial or state entity is massive, well funded and heavily militarized. I feel there will be a point, at which we will face such obstacles. I hope it is not soon, as no one (afaik) in the community is ready to stand against such threats. Not only network-wise, but psychologically, physically. Because the moment you are proven and detected to successfully circumvent state action, you become a different type of target, with very well defined name, address, current location, habits, weaknesses, illnesses, interests, social position, online life and opinions, all of it. So if a state machine targets us, there is not much we can do at this point. And RNS security will be the least of your problems. (Love the picture on the last link! :D It IS what would happen hahah...)

For use of Reticulum over LoRa, an IFAC should encrypt all of the metadata that could potentially be used for traffic analysis in the ways you describe. There's still the direction-finding and potential geolocation of transmission sources though that is more just an inherent property of LoRa, not very related to Reticulum or its design.

Perhaps you are implicitly referring to IFACs when you argue that following de-anonymization "cryptography provides no protection" because of the risk of violence to coerce decryption secrets? If so, I disagree with this argument, but its unclear if that's actually what you meant so I'll let you answer before elaborating further.

You mention RTNode in the title of your post, and then refer later to "the original RNS". Just to clarify, RTNode is just one of growing number of specific LoRa-oriented Reticulum firmware projects. The implementation of Reticulum it is using is the microReticulum library (this is all C++), and although microReticulum is mostly used in firmware for LoRa devices, it is actually just another implementation of Reticulum so its not inherently limited to being used for LoRa. For example, the RTNode firmware runs on ESP32 devices that also have WiFi connectivity, so in addition to LoRa it supports use as a local transport node for TCP over a WiFI/LAN, and through WiFI can also bridge to the internet and connect to TCP nodes globally.

For the first of the last two question, I'm pretty sure the signature verification of announce packets would cause replays to be rejected, but also I don't think replay of announces is even necessary: if you run a fast node with good connectivity between two destinations that are communicating with each other, you're increasing the chances that your node will pass their traffic. The more important question is, what advantage does it give you to be one of the transport nodes that is being used to pass their traffic? As far as I know there isn't any, but maybe you had something in mind. If there were an interest in only hopping through certain trusted transport nodes, then this also seems like it should be possible using Network Identities, which I haven't experimented with yet but seem interesting.

For the last question, public keys don't need to be verified because the destination address is in itself a cryptographically unique identifier. The only way to "impersonate" that destination is to have access to the identity private key associated with it, which is not really impersonation at that point but more like identity theft which I guess is a different kind of attack than the one you are asking about.

Cleeyv wrote:

For use of Reticulum over LoRa, an IFAC should encrypt all of the metadata that could potentially be used for traffic analysis in the ways you describe. There's still the direction-finding and potential geolocation of transmission sources though that is more just an inherent property of LoRa, not very related to Reticulum or its design.

Yep, any radio is prone to this.

Perhaps you are implicitly referring to IFACs when you argue that following de-anonymization "cryptography provides no protection" because of the risk of violence to coerce decryption secrets? If so, I disagree with this argument, but its unclear if that's actually what you meant so I'll let you answer before elaborating further.

IFAC makes it harder, especially if every link uses a different one. That is a pretty good mitigation. But complicates the logistics of joining the network.

You mention RTNode in the title of your post, and then refer later to "the original RNS".

Yeah, I specifically wondered about the radio exposure. Other transports are harder to observe as a whole. The authorities can tap phone lines, ethernet or optics, but it takes more effort.

For the first of the last two question, I'm pretty sure the signature verification of announce packets would cause replays to be rejected

Hmm, the signature will be valid, because nothing will change (or is incoming transport injected before checking signature?), but most likely the embedded Transport ID would not allow routing, because no valid interface with that transport would exist.

The more important question is, what advantage does it give you to be one of the transport nodes that is being used to pass their traffic?

Metadata. Who talks to whom. IFAC only protects the traffic between Transport nodes, but if you can inject a transport node to the network then you can observe the patterns. TOR was attacked like this multiple times - https://blog.torproject.org/malicious-relays-health-tor-network/

The only way to "impersonate" that destination is to have access to the identity private key associated with it, which is not really impersonation at that point but more like identity theft which I guess is a different kind of attack than the one you are asking about.

Yes, it is not possible to impersonate the destination key. But people are reckless and if someone announces the same "human readable name" (and blocks the valid one) then you might be tempted to send the message anyway. There is a long history of this on the web and ssh (cert authorities and ssh fingerprints nobody reads...).