[Bro] Re: Bug on Anon.cc

Ruoming Pang rpang at cs.princeton.edu
Sat Sep 10 20:25:29 PDT 2005


> FYI, the IP anonymizer code in mode PREFIX_PRESERVING_MD5 didn't do
> what it was supposed to do. Such mode is based on "On the Design and
> Performance of Prefix-Preserving IP Traffic Trace Anonymization", by
> Xu et al (IMW 2001), where it is suggested to anonymize
> X=x_0...x_{n-1} as X'=x'_0...x'_{n-1}, where:
> 	x_i' = x_i ^ f_{i-1},
> 	f_{i-1} = LSB(HK(PAD(x_0 ... x_{i-1}), hashkey))
> 	LSB: least significant bit function
> 	HK: cryptographic hash function (using hashkey)
> 	PAD(x_0 ... x_{i-1}) = x_0 ... x_{i-1} 0 ... 0
>
> Two bugs in the old code: (a) it used addresses in network order, so
> prefixes didn't make too much sense.

That's right. I forgot to add an ntohl. Thanks for finding it!

> (b) it did the hash of an 8-byte
> struct composed of the prefix length and the input, instead of the
> prefix of the input (4 bytes).

I think this is not correct. For example, prefix 10.0.0.0/8 is 
different from 10.0.0.0/9, and should be hashed differently; otherwise 
the 9th and 10th most significant bits will always be flipped the same 
way. (Or, try to anonymize 128.0.0.0 with 1000 different keys, and see 
how many distinct results one can get.)

Ruoming
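
The check suggested above (anonymize 128.0.0.0 under 1000 keys and count distinct results), as an added example that is not part of the original message or of Bro's Anon.cc. It assumes HMAC-MD5 as the keyed hash HK and big-endian packing of the hash input; the function names and keys are constructed for illustration.

```python
import hashlib
import hmac
import struct


def flip_bit(key: bytes, addr: int, i: int, include_len: bool) -> int:
    """f_{i-1}: the flip bit applied to bit i (0 = most significant).

    addr is a host-order 32-bit integer, so bit 0 is the top bit of the
    first octet (point (a) in the thread).
    """
    # PAD(x_0 ... x_{i-1}): keep the top i bits, zero the remainder.
    mask = (0xFFFFFFFF << (32 - i)) & 0xFFFFFFFF
    prefix = addr & mask
    if include_len:
        msg = struct.pack(">II", i, prefix)  # 8 bytes: prefix length + padded prefix
    else:
        msg = struct.pack(">I", prefix)      # 4 bytes: padded prefix only
    # Assumption: HMAC-MD5 stands in for HK; LSB is the low bit of the digest.
    return hmac.new(key, msg, hashlib.md5).digest()[-1] & 1


def anonymize(key: bytes, addr: int, include_len: bool) -> int:
    """x'_i = x_i ^ f_{i-1} for all 32 bits of addr."""
    out = 0
    for i in range(32):
        x_i = (addr >> (31 - i)) & 1
        out = (out << 1) | (x_i ^ flip_bit(key, addr, i, include_len))
    return out


def distinct_outputs(addr: int, include_len: bool, n_keys: int = 1000) -> int:
    """Number of distinct anonymized values of addr over n_keys constructed keys."""
    keys = (b"constructed-key-%d" % k for k in range(n_keys))
    return len({anonymize(k, addr, include_len) for k in keys})


def common_prefix_len(a: int, b: int) -> int:
    """Length in bits of the shared leading prefix of two 32-bit values."""
    return 32 - (a ^ b).bit_length()


if __name__ == "__main__":
    addr = 0x80000000  # 128.0.0.0
    # Without the length, prefixes /1 through /31 all pad to 128.0.0.0 and
    # hash identically, so bits 1..31 are flipped by one shared bit.
    print("4-byte input :", distinct_outputs(addr, include_len=False))
    print("8-byte input :", distinct_outputs(addr, include_len=True))
```

Both input layouts remain prefix-preserving; the difference is only in how many independent flip bits a sparse address such as 128.0.0.0 receives.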



