Discussion:
preventing unauthorized bittorrent peers?
David Wilburn
2005-01-24 16:19:39 UTC
Permalink
I have a funny security question regarding the bittorrent protocol that
I hope you will answer.

If an organization decided to internally share sensitive documents and
data via a private bittorrent tracker, would it be possible for an
outsider to download that file from peers even when they can't connect
to the tracker?

Such a scenario might happen when you have a laptop user in the
workplace who downloads several sensitive documents, then goes home and
happens to have the bittorrent client up while connected to his home
ISP. What's to stop a malicious person from taking an educated guess at
the IP address, client listening port, and file indexes, and then
connecting and downloading the files? Is there any way to restrict
unwanted peers to prevent this, such as some sort of mutually
authenticating kerberos-like token given to each peer by the tracker?

Thanks,
David Wilburn




Yahoo! Groups Links

<*> To visit your group on the web, go to:
http://groups.yahoo.com/group/BitTorrent/

<*> To unsubscribe from this group, send an email to:
BitTorrent-***@yahoogroups.com

<*> Your use of Yahoo! Groups is subject to:
http://docs.yahoo.com/info/terms/
Olaf van der Spek
2005-01-24 20:19:17 UTC
Permalink
Post by David Wilburn
I have a funny security question regarding the bittorrent protocol that
I hope you will answer.
If an organization decided to internally share sensitive documents and
data via a private bittorrent tracker, would it be possible for an
outsider to download that file from peers even when they can't connect
to the tracker?
Are you saying your sensitive documents are not properly encrypted?



Bill Cox
2005-01-24 20:47:56 UTC
Permalink
Post by David Wilburn
I have a funny security question regarding the bittorrent protocol that
I hope you will answer.
If an organization decided to internally share sensitive documents and
data via a private bittorrent tracker, would it be possible for an
outsider to download that file from peers even when they can't connect
to the tracker?
In theory, no they could not download from outside. However, you have
to be careful. Some bittorrent clients (like Azureus) automatically
contact the outside world, looking for updates. Bugs in such systems
might make your site vulnerable. However, I feel pretty safe running
Azureus at my company. If I were guarding information of extreme value,
I probably would not run it. I also probably wouldn't want the
documents going out the door un-encrypted on a laptop.
Post by David Wilburn
Such a scenario might happen when you have a laptop user in the
workplace who downloads several sensitive documents, then goes home and
happens to have the bittorrent client up while connected to his home
ISP. What's to stop a malicious person from taking an educated guess at
the IP address, client listening port, and file indexes, and then
connecting and downloading the files? Is there any way to restrict
unwanted peers to prevent this, such as some sort of mutually
authenticating kerberos-like token given to each peer by the tracker?
This is not very likely in my opinion. To download files, you have to
tell the peer the SHA1 info-hash for the torrent. In other words, you
have to already know the signature for the file you want to download.
So, first the attacker would need access to the .torrent file. If he
had that, it's probably already too late to keep him out.

Of course, some hacker out there will probably prove me wrong...

Here's what I do: All sensitive documents on laptops are saved only on
encfs encrypted file systems (http://freshmeat.net/projects/encfs/).
We've had good luck with it. I think there are similar options under
windows. If you're not already doing something like this, then I'd
guess that running bittorrent on laptops wouldn't be the biggest risk
you're taking. I also try to make sure laptops are behind firewalls at
home (either software on the laptop or a linksys router, etc).

Bill
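An added example, not part of the original thread, showing the check Bill describes: a peer only serves a connection whose handshake carries the SHA1 info-hash of a torrent it already has, and that hash can be computed by anyone holding the .torrent file. The torrent contents, peer ID and function names are constructed for illustration.

```python
import hashlib

PSTR = b"BitTorrent protocol"

def bencode(obj):
    """Minimal bencoder for the value types found in a .torrent file."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode()
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        # Keys are emitted in sorted byte order, as the format requires.
        items = sorted((k.encode() if isinstance(k, str) else k, v)
                       for k, v in obj.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(type(obj))

def info_hash(info):
    """SHA1 over the bencoded 'info' dictionary: the only value a peer checks."""
    return hashlib.sha1(bencode(info)).digest()

def build_handshake(ih, peer_id):
    """68-byte handshake: length byte, protocol string, 8 reserved bytes, hash, peer id."""
    return bytes([len(PSTR)]) + PSTR + bytes(8) + ih + peer_id

def accept_handshake(data, served_hashes):
    """Peer side: return the requested info-hash if we serve it, else None (drop)."""
    if len(data) != 68 or data[0] != len(PSTR) or data[1:20] != PSTR:
        return None
    ih = data[28:48]
    return ih if ih in served_hashes else None

# Constructed sample torrent metadata (not a real file).
INFO = {"name": "quarterly-report.pdf", "length": 524288, "piece length": 262144,
        "pieces": hashlib.sha1(b"piece0").digest() + hashlib.sha1(b"piece1").digest()}
KNOWN = info_hash(INFO)
PEER_ID = b"-XX0001-" + b"0" * 12  # constructed 20-byte peer id

if __name__ == "__main__":
    guess = hashlib.sha1(b"wrong guess").digest()
    print(accept_handshake(build_handshake(KNOWN, PEER_ID), {KNOWN}) is not None)
    print(accept_handshake(build_handshake(guess, PEER_ID), {KNOWN}) is not None)
```

The handshake contains no other credential, so the .torrent file (or its info-hash) has to be handled as carefully as the documents themselves.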





mayor_mccheese76
2005-01-24 21:45:29 UTC
Permalink
I agree that guessing the infohash is unlikely. Bittorrent peers
don't publish lists of available files like other p2p systems do. So
the attacker would need the .torrent file.

One thing to test for is with clients that have built-in trackers.
Trackers do publish the list of infohashes. But do they publish every
torrent the client knows about, or just ones selected by the user?
Even if it published everything, the attacker still wouldn't know the
filenames. Just the raw data from the files. Casual hackers wouldn't
bother, in my opinion.









Alex
2005-01-24 20:49:49 UTC
Permalink
There are ways of doing this but there isn't an implementation (which
I'm aware of). You could modify the client to support SSL and certs as
you wish, but the peer connectivity would be more involved. You'd be
much better off encapsulating a security mechanism (e.g., encrypt the
content) than to depend on bittorrent in this manner. Also, your
'educated guess' would have to be a bit more involved.

BitTorrent is for distributing large files efficiently.
Post by David Wilburn
I have a funny security question regarding the bittorrent protocol that
I hope you will answer.
If an organization decided to internally share sensitive documents and
data via a private bittorrent tracker, would it be possible for an
outsider to download that file from peers even when they can't connect
to the tracker?
Such a scenario might happen when you have a laptop user in the
workplace who downloads several sensitive documents, then goes home and
happens to have the bittorrent client up while connected to his home
ISP. What's to stop a malicious person from taking an educated guess at
the IP address, client listening port, and file indexes, and then
connecting and downloading the files? Is there any way to restrict
unwanted peers to prevent this, such as some sort of mutually
authenticating kerberos-like token given to each peer by the tracker?
Thanks,
David Wilburn
Justin Cormack
2005-01-24 22:33:06 UTC
Permalink
Post by Alex
There are ways of doing this but there isn't an implementation (which
I'm aware of). You could modify the client to support SSL and certs as
you wish, but the peer connectivity would be more involved. You'd be
much better off encapsulating a security mechanism (e.g., encrypt the
content) than to depend on bittorrent in this manner. Also, your
'educated guess' would have to be a bit more involved.
As you say "sensitive documents" I would encrypt them anyway. Note that you
have to use a private key encryption system (ie everyone shares the same key)
or the document to be shared is not the same. This raises key management
issues.

Alternatively, without changing the protocol you could use IPsec everywhere,
which would allow connections from outside as well potentially, or tunnel
connections over ssh.
Post by Alex
BitTorrent is for distributing large files efficiently.
Presumably these are large sensitive documents...

I actually can't think of many situations where this is an issue on an
internal network (unless it is partitioned between many sites, but even
then an rsynced local server is probably sufficient). However there are
situations when you might want to do this over the internet, where the
bandwidth issues are more important.
Post by Alex
Post by David Wilburn
I have a funny security question regarding the bittorrent protocol that
I hope you will answer.
If an organization decided to internally share sensitive documents and
data via a private bittorrent tracker, would it be possible for an
outsider to download that file from peers even when they can't connect
to the tracker?
Such a scenario might happen when you have a laptop user in the
workplace who downloads several sensitive documents, then goes home and
happens to have the bittorrent client up while connected to his home
ISP. What's to stop a malicious person from taking an educated guess at
the IP address, client listening port, and file indexes, and then
connecting and downloading the files? Is there any way to restrict
unwanted peers to prevent this, such as some sort of mutually
authenticating kerberos-like token given to each peer by the tracker?
Thanks,
David Wilburn
Jesus Cea
2005-01-25 14:47:49 UTC
Permalink
Post by Justin Cormack
As you say "sensitive documents" I would encrypt them anyway. Note that you
have to use a private key encryption system (ie everyone shares the same key)
or the document to be shared is not the same. This raises key management
issues.
No. You can encrypt the document for multiple recipients, in
OpenPGP-compatible software.
--
Jesus Cea Avion
***@argo.es http://www.argo.es/~jcea/
PGP Key Available at KeyServ
"Things are not so easy"
"My name is Dump, Core Dump"
"Love is placing your happiness in the happiness of another" - Leibniz



Mike Ravkine
2005-01-26 21:12:08 UTC
Permalink
There are a few torrent sites that use a web login-based protection scheme.

The server makes the user authenticate via HTTP or some other scheme,
then generates a token for a user's session and request, encoding it in an
announce URL of the form
http://hostname:80/tracker/Ipybe1vH1zbS/announce. This allows for a
transition of state from the authenticated web session into a tracker
communication session, if implemented correctly.

--kRYPT
Post by David Wilburn
I have a funny security question regarding the bittorrent protocol that
I hope you will answer.
[snip]...
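An added sketch of the announce-URL token scheme described in this post; it is not code from the thread or from any tracker. The HMAC construction, the expiry field, the user name, the host and the function names are all assumptions chosen for illustration.

```python
import base64, hashlib, hmac, re, time

SECRET = b"constructed-demo-key"  # assumption: tracker-side secret, never sent to clients
ANNOUNCE_RE = re.compile(r"^/tracker/([A-Za-z0-9_-]+)/announce$")

def _mac(user, expires):
    """Truncated HMAC-SHA256 binding the user name to the expiry time."""
    msg = f"{user}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:16]

def issue_announce_url(user, host, ttl=3600, now=None):
    """Called after the web login succeeds; returns a per-user announce URL."""
    expires = int(now if now is not None else time.time()) + ttl
    raw = f"{user}|{expires}|".encode() + _mac(user, expires)
    token = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"http://{host}/tracker/{token}/announce"

def check_announce(path, now=None):
    """Tracker side: return the user name for a valid, unexpired token, else None."""
    m = ANNOUNCE_RE.match(path)
    if not m:
        return None
    token = m.group(1)
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        user_b, exp_b, mac = raw.split(b"|", 2)  # the MAC is last, so it may contain "|"
        user, expires = user_b.decode(), int(exp_b)
    except (ValueError, UnicodeDecodeError):
        return None
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(mac, _mac(user, expires)):
        return None
    if (now if now is not None else time.time()) > expires:
        return None
    return user

if __name__ == "__main__":
    url = issue_announce_url("dwilburn", "tracker.example", now=1000)
    path = url.split("tracker.example", 1)[1]
    print(check_announce(path, now=1500))                              # valid
    print(check_announce(path, now=5000))                              # expired
    print(check_announce("/tracker/Ipybe1vH1zbS/announce", now=1500))  # not issued by us
```

A token like this controls only who may talk to the tracker; peers still accept any connection that presents the right info-hash, which is the gap the original question asks about.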