ritter.vg
Packet Formats
05 Jan 2013 23:47:00 EST

This blog post originally appeared on crypto.is. We've since shut down that website, so I have copied the blog post back to my own for archival purposes.

While most of ritter.vg will function without javascript, this blog post is an exception.

A remailer's packet format is the format of the data it passes to the next remailer. The packet format is somewhat independent of the remailer transport protocol itself - just as a letter is independent of how you receive it. A courier can hand-deliver a letter to you, it can be dropped in your mailbox by a stranger, or the Postal Service can deliver it. But once you've actually received it, you can open it, read it, and take action based on it.

Although packet formats are independent of remailer transport protocol, most remailers do not process more than one type of format. I initially wanted to create a single blog post covering all the major packet formats, but that proved to be extremely long, so it's going to be split up across a couple of blog posts. This first one will cover the Mixmaster packet format, as used in the Mixmaster remailer network.

Mixmaster Format

The Mixmaster packet format is detailed in mixmaster-spec.txt and can be described as 20 Mix Headers followed by a Mix Payload. The first Mix Header is encrypted to your public key - you can decrypt it and learn where to send the rest of the data. If the message is a Final Hop, you will be able to decrypt the Payload, and send it to the final destination.

If the message is not a Final Hop - if it is an Intermediate Hop - you will find the address of the next remailer in the chain. Before sending it on, you will decrypt all subsequent Headers (numbers 2 - 20) and the Payload - but you will not find any meaningful data, as they are encrypted multiple times, in an onion, to keys you don't know. The following animated examples should demonstrate the layering:

Mixmaster Final Message, As Seen by the Final Hop

Mix Headers
  Mix Header 1
    Public Key ID (16 bytes): 0xABCDABCD 0xABCDABCD 0xABCDABCD 0xABCDABCD
    Length of RSA Enc-ed Data: 0xF0
    RSA Encrypted Session Key (128 bytes):
      0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678
      0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678
      0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678
      0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678
      Decrypts To: 0xDABCDABC 0xDABCDABC 0xDABCDABC
    Initialization Vector: 0x09090909 0x09090909
    Encrypted Header Part
      Packet ID (16 bytes): 0x87214365 0x87214365 0x87214365 0x87214365
      TDES Key (24 bytes): 0xFE45FE45 0xFE45FE45 0xFE45FE45 0xFE45FE45 0xFE45FE45 0xFE45FE45
      Packet Type Identifier: 0x01
      Packet Information
        Message ID (16 bytes): 0x31537597 0x31537597 0x31537597 0x31537597
        Initialization Vector: 0x0A0A0A0A 0x0A0A0A0A
      Timestamp: 0x30303030 0x000506
      Message Digest: 0x11112222 0x11112222 0x11112222 0x11112222
      Padding: 0x01020304 0x05060708 (Fill to 328 Bytes..)
  Mix Headers 2-20
    Random Data (512 bytes): 0xEEEEEEEE 0xEEEEEEEE 0xEEEEEEEE 0xEEEEEEEE 0xEEEEEEEE 0xEEEEEEEE 0xEEEEEEEE 0xEEEEEEEE 0xEEEEEEEE 0xEEEEEEEE 0xEEEEEEEE 0xEEEEEEEE ....
Mix Payload
  Length: 0x12 0x10 0x00 0x00
  # of Destination Fields: 0x01
  Destination Fields: john@example.com 0x00 0x00 0x00 (Padded to 80 bytes)
  # of Header Fields: 0x01
  Header Fields: Subject: Event Details 0x00 0x00 (Padded to 80 bytes)
  User Data Section
    Message: Hey John, We're planning on started at 10 PM, so if you could show up at 9:00 to help set up, we'd appreciate it. Thanks, Staff 0x00 0x00 0x00 0x00 0x00 (padded to 10236 bytes)

Mixmaster Intermediate Message, As Seen by an Intermediate Hop

Mix Headers
  Mix Header 1
    Public Key ID (16 bytes): 0xABCDABCD 0xABCDABCD 0xABCDABCD 0xABCDABCD
    Length of RSA Enc-ed Data: 0xF0
    RSA Encrypted Session Key (128 bytes):
      0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678
      0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678
      0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678
      0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678
      Decrypts To: 0xDABCDABC 0xDABCDABC 0xDABCDABC
    Initialization Vector: 0x09090909 0x09090909
    Encrypted Header Part
      Packet ID (16 bytes): 0x87214365 0x87214365 0x87214365 0x87214365
      TDES Key (24 bytes): 0xFE45FE45 0xFE45FE45 0xFE45FE45 0xFE45FE45 0xFE45FE45 0xFE45FE45
      Packet Type Identifier: 0x02
      Packet Information
        Initialization Vector1: 0x0A0A0A0A 0x0A0A0A0A
        Initialization Vector2: 0x0B0A0A0A 0x0B0A0A0A
        Initialization Vector3: 0x0C0A0A0A 0x0C0A0A0A
        Initialization Vector4: 0x0D0A0A0A 0x0D0A0A0A
        Initialization Vector5: 0x0E0A0A0A 0x0E0A0A0A
        Initialization Vector6: 0x0F0A0A0A 0x0F0A0A0A
        Initialization Vector7: 0x1A0A0A0A 0x1A0A0A0A
        Initialization Vector8: 0x1B0A0A0A 0x1B0A0A0A
        Initialization Vector9: 0x1C0A0A0A 0x1C0A0A0A
        Initialization Vector10: 0x1D0A0A0A 0x1D0A0A0A
        Initialization Vector11: 0x1F0A0A0A 0x1F0A0A0A
        Initialization Vector12: 0x2A0A0A0A 0x2A0A0A0A
        Initialization Vector13: 0x2B0A0A0A 0x2B0A0A0A
        Initialization Vector14: 0x2C0A0A0A 0x2C0A0A0A
        Initialization Vector15: 0x2D0A0A0A 0x2D0A0A0A
        Initialization Vector16: 0x2E0A0A0A 0x2E0A0A0A
        Initialization Vector17: 0x2F0A0A0A 0x2F0A0A0A
        Initialization Vector18: 0x3A0A0A0A 0x3A0A0A0A
        Initialization Vector19: 0x3B0A0A0A 0x3B0A0A0A
        Remailer Address: exitremailer@exam.com 0x00 0x00 (Padded to 80 bytes)
      Timestamp: 0x30303030 0x000506
      Message Digest: 0x11112222 0x11112222 0x11112222 0x11112222
      Padding: 0x01020304 0x05060708 (Fill to 328 Bytes..)
  Mix Header 2
    Public Key ID (16 bytes): 0xABCDABCD 0xABCDABCD 0xABCDABCD 0xABCDABCD
    Length of RSA Enc-ed Data: 0xF0
    RSA Encrypted Session Key (128 bytes):
      0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678
      0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678
      0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678
      0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678 0x12345678
    Initialization Vector: 0x09090909 0x09090909
    Encrypted Header Part: Indecipherable Data
  Mix Headers 3-20
    Indecipherable Data: 0xEEEEEEEE 0xEEEEEEEE 0xEEEEEEEE 0xEEEEEEEE 0xEEEEEEEE 0xEEEEEEEE 0xEEEEEEEE 0xEEEEEEEE 0xEEEEEEEE 0xEEEEEEEE 0xEEEEEEEE 0xEEEEEEEE ....
Mix Payload
  Indecipherable Data

Transport

The above is the binary format of the protocol. The mixmaster packets are then encoded as follows before transit:

::
Remailer-Type: Mixmaster [version number]

-----BEGIN REMAILER MESSAGE-----
[packet length ]
[message digest]
[encoded packet]
-----END REMAILER MESSAGE-----

Because the Mix Payload is padded to a constant size, and there are always 20 Mix Headers, a Mix Message is a constant size, and the packet length field is always 20480. The Message Digest is computed over the encrypted, binary representation of the Mix Headers+Payload and then base64-ed. Finally, the binary headers+payload themselves are encoded in base64 and broken into lines of 40 characters.
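
The transport encoding and packet geometry described above, as an added Python example that is not part of the original post or of the Mixmaster code base. It assumes the digest is MD5 (taken from mixmaster-spec.txt; the post does not name the algorithm), takes the field sizes from the figures above, and uses a constructed sample packet and a placeholder version string.

```python
import base64, hashlib, struct

HEADERS, HEADER_LEN, PAYLOAD_LEN = 20, 512, 10240
PACKET_LEN = HEADERS * HEADER_LEN + PAYLOAD_LEN  # 20480
BEGIN, END = "-----BEGIN REMAILER MESSAGE-----", "-----END REMAILER MESSAGE-----"

def digest_b64(packet: bytes) -> str:
    # Assumption: MD5, per mixmaster-spec.txt; the post only says "message digest".
    return base64.b64encode(hashlib.md5(packet).digest()).decode()

def armor(packet: bytes, version: str = "0.0-example") -> str:
    """Wrap a binary Mix Message for transit (version string is a placeholder)."""
    if len(packet) != PACKET_LEN:
        raise ValueError("Mix Message must be exactly 20480 bytes")
    b64 = base64.b64encode(packet).decode()
    body = [b64[i:i + 40] for i in range(0, len(b64), 40)]  # 40-character lines
    return "\n".join(["::", "Remailer-Type: Mixmaster " + version, "", BEGIN,
                      str(PACKET_LEN), digest_b64(packet), *body, END, ""])

def dearmor(text: str) -> bytes:
    """Recover the binary packet; raise ValueError on bad framing, length or digest."""
    lines = [ln.strip() for ln in text.splitlines()]
    if BEGIN not in lines or END not in lines:
        raise ValueError("missing BEGIN/END armor lines")
    length, digest, *body = lines[lines.index(BEGIN) + 1:lines.index(END)]
    if length != str(PACKET_LEN):
        raise ValueError("packet length field is not 20480")
    packet = base64.b64decode("".join(body), validate=True)
    if len(packet) != PACKET_LEN:
        raise ValueError("decoded packet is not 20480 bytes")
    if digest_b64(packet) != digest:
        raise ValueError("message digest mismatch")
    return packet

def split(packet: bytes):
    """Return the 20 raw 512-byte Mix Headers and the 10240-byte Mix Payload."""
    hdrs = [packet[i:i + HEADER_LEN] for i in range(0, HEADERS * HEADER_LEN, HEADER_LEN)]
    return hdrs, packet[HEADERS * HEADER_LEN:]

def outer_fields(header: bytes) -> dict:
    """Split one Mix Header using the field sizes shown in the figures above."""
    names = ("key_id", "rsa_len", "rsa_data", "iv", "encrypted_part")
    return dict(zip(names, struct.unpack_from("=16sB128s8s328s", header)))

if __name__ == "__main__":
    sample = bytes(range(256)) * 80  # constructed 20480-byte stand-in, not a real packet
    hdrs, payload = split(dearmor(armor(sample)))
    print(len(hdrs), len(payload), outer_fields(hdrs[0])["rsa_len"])
```

The named fields cover 481 bytes of each 512-byte header; the remainder is left in the raw header and not interpreted here.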

Notes

Some other notes about the Mixmaster Packet Format, tersely:

This blog post is licensed under Creative Commons Attribution 3.0 United States License and is inspired by, and makes heavy use of, the images produced by the EFF & Tor Project here.
