[theamk]

They have re-implemented entire network stack above IP layer. They start from raw IP (protocol 99), and then added "AES, SHA, RSA, and elliptic curve".

So you cannot use TCP/UDP/TLS/QUIC -- they are too insecure; instead let's have a bunch of code designed by unknown people, likely with not professional crypto experience, and not verified by anyone.

Riight....

[dwviel]

Yes, we have found that the set of Internet Protocols were designed before the kind of security we expect today were appreciated. You are correct that we are not professional crypto people. But, crypto is just the starting point for cybersecurity that is a necessary but not sufficient condition for a secure system. What we did was start with crypto, and related technologies like cryptographic hashes, secrets, etc. and built a secure messaging system using the principles mentioned above. This has so far shown itself to be highly successful.

Hi, The reply buttons have apparently been disabled. I guess cybersecurity is too controversial for HN ;)

I will reply here instead.

@theamk

1) UDP leaks information, thereby violating the C in CIAA. TCP is subject to the SYN resource exhaustion attack, and is connection oriented which is brittle. Both are vulnerable to packet replay attacks, which is a particularly troubling problem for controls. 2) The pen testers that evaluated our technology we believe to be highly competent. We are open to having the pen testers (US only) of your choice test our technology.

@pritambaral

Yes, see the quotes on our website. And we do in house testing as well. We are happy to have pen testers (US only) try to defeat the system.

[theamk]

Reply to your message edits:

> 1) UDP leaks information, thereby violating the C in CIAA.

Which information? Properly encrypted UDP only shows destination IP and port number. Your protocol shows destination IP and protocol number (99) -- since very few people use it, protocol 99 is as distinct as UDP port.

Moreover, if you are concerned with UDP port leak, you can just use a random destination port on server, or masquerade as some other UDP protocol. There is no such option with current ControlMQ system

> TCP is subject to the SYN resource exhaustion attack, and is connection oriented which is brittle.

You do know about SYN cookies, right? And you know that SYN flood is easily defeated now -- for example, out of 5 most significant DDOS attacks in 2016 (https://www.tripwire.com/state-of-security/security-data-pro...) , none used SYN flood.

> Both are vulnerable to packet replay attacks, which is a particularly troubling problem for controls.

Any control connection should use encryption. Every popular encryption method (including TLS and QUIC) protects against replay attacks.

> 2) The pen testers that evaluated our technology we believe to be highly competent.

Well, all I have is front page quote, and I see the words "We were unable to [...] observe [...] the message traffic" and "TCP and all the UDP ports only list that they are open/unfiltered". This apparently means they could not even use wireshark to observe the IP message traffic -- they just ran "nmap" and found not ports. This is pretty sad for a pentester. I would expect to see mentions of DOS attacks and fuzz testing.

For example, what happens if I just start sending random packets to your daemon? How many packets per second it can handle before it fails over? What if I compromise a client, extract a session establishment key from it (assuming you have one), and start to establish new sessions? how many will your server handle before failing?

[dwviel]

Good points.

The port number typically indicates a service that is publicly known and repeatable. This is leaked information, as each service will have a unique port number. The IP protocol of 99 is used for all communications so no differentiation of network traffic can be made using this information.

SYN cookies can be a solution, but it has limitations, and to overcome those limitations requires changes to the TCP protocol. It is also preferable not to use TCP for controls in order to avoid the coupling caused by connections. The network between components may also be unreliable thus causing the need for regular reconnections.

Replay attacks protection by TLS, etc uses sequence numbers which expects a continuous connection. There is the setup phase that must be taken into account and then the entire series of packets from that point on can be replayed. The goal is to run on unreliable networks so connections would constantly need to be reestablished.

We consider DOS attacks to be attacks on the network rather than the component.

The number of packets/sec that the daemon can handle is computer resource determined. But, >1000/sec is typical in our testing on commodity H/W. It has never failed due to load in thousands of hours of testing.

If a client (first peer) is compromised then it can send any message it wants to the second peer with which it is configured to communicate. But, only properly formed, valid range messages will be accepted. Let’s say that the receiving component controls a motor that has a valid engineering range of 0 -1000 RPM. If a nefarious command came in to spin to 2000 RPM that would be rejected. The server (second peer) is not connection based so it will handle whatever packet arrive at the rate it can, and drop the rest on the floor.

So, overall we believe it is simpler and less error prone to use our protocol then set up all these complicated extra configurations.

[theamk]

I was going to type in the long, point-by-point response, but then I saw this:

> Replay attacks protection by TLS, etc uses sequence numbers which expects a continuous connection. There is the setup phase that must be taken into account and then the entire series of packets from that point on can be replayed.

WHAT? You do know that you cannot just "take setup phase into account" in TLS unless you have both server and client secret keys, right? There is the whole "key exchange" step make it impossible?

If you write stuff like this, for god's sake, do not design encryption protocols. I am horrified about what your code does if you do not know/don't understand key exchange concept.

[dwviel]

Yes, but the packet replay protection is due to the sequence number of the packet that happens after the session is established.

BTW, our technology uses pre-shared keys.

[theamk]

> Yes, but the packet replay protection is due to the sequence number of the packet that happens after the session is established.

The TLS does not use pre-shared keys. Instead, every time a client establishes a new connection, there is a "key exchange" phase. Here is a simplified explanation:

1. client generates a random number, does some math on it, encrypts with server's certifcate, and sends to server;

2. server generates another random number, does some math on it, and sends to client.

3. after more math (see https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exc... ), both client and server get the session key. If the exchange was not tampered with, both client and server get the same session key.

4. client and server exchange messages encrypted with session key. If they both have the same session key, they will be able to decrypt the message properly; otherwise, the connection is closed.

5. Now client can send a command, such as "open door"

The reason replay protection works is because every time session is established, the server will choose a different random number in step 2. So if you try to replay, then step 3 will generate different session keys, and step 4 will fail.

Once the connection is established, there is a separate counter for replay protection, but it does not have to be complicated -- because we know that the session key is unique to this session alone.

This is how TLS / DTLS / QUIC do replay protection. Do you agree that these protocols are fully replay-protected?

[theamk]

Glad to hear from authors!

Question 1: So how is your solution better than UDP/QUIC or TCP/TLS? Yes, you have to properly tune and use protocols, by padding the data properly, and by setting up DDOS mitigations. Still, it will be much less work that writing a new protocol from scratch, and it will be better than your protocol in every single aspect.

Question 2: What do you mean "highly successful"? I did not see anything in the whitepaper (but I have not read it very carefully), and the website has two quotes from hilariously incompetent pentesters. Do you have any other evidence of success?

[pritambaral]

> ... built a secure messaging system using the principles mentioned above.

> This has so far shown itself to be highly successful.

What do you mean by this? Can a system be "highly successful" at being secure without having been targeted, or have you actually hired testers and/or auditors to attack/study the system?

[theamk]

Well, you saw the quotes on the website, they did hire the best pentesters!

For example, one pentester ran "nmap", which did not find any ports open, so he said "There doesn't seem to be an available service to attack." This means the system is SUPER SECURE.

[dwviel]

These were just a selection of quotes that looked good on the web site, particularly the "GREAT JOB!" quote. That's kind of nice to see.

[theamk]

Well, you may want to choose different quotes, or even better, make whole reports available. Because if your pentesters do not know what to do when nmap fails, this means they must be pretty clueless and thus their reports do not have much value.