go-perun icon indicating copy to clipboard operation
go-perun copied to clipboard

Published 20 hours ago • verified publisher icon hyperledger-labs

Add authentication to wire commmunication (handshake)

Open DragonDev1906 opened this issue 2 years ago • 2 comments

Location

  • wire.proto
  • wire/net/exchange_addr.go

Problem

Sender not authenticated

While each message currently contains a sender and recipient wire address in its Envelope, those are not yet authenticated, there is no signature in wire.proto. This means anyone can send a message coming from SENDER, without needing the private key, thus allowing to spoof any wire identity.

No TLS

As far as I can tell we're currently using TCP without TLS for the communication. This means that, even when there is a signature in the handshake message (AuthResponseMsg), an Adversary could eavesdrop the communication channel and use the AuthResponseMsg in his own session, thus stealing the wire identity. He could not send updates to the existing channel since he doesn't have the private key for the channel identity, but he could propose new channels (at least they (probably) won't be funded), but it still locks up some resources (time, computation, storage and ETH) for some time while waiting for the channel to be funded.

Proposal (all three are likely needed)

  • Add a signature using the wire identity to AuthResponseMsg and check this signature (AuthResponseMsg message can be completely removed if every envelope contains this signature)
  • Communicate over TLS to prevent eavesdropping (alternatively we could add the signature to every single message, which would still allow an Adversary to read or reorder messages (=> honest-but-curious middle-man proxy, if wanted)
  • One of the following
    • Recommended:: Add signature of sender (wire identity) to all envelopes (instead of just to AuthResponseMsg)
    • Correctly implement the authentication: All Envelopes except AuthResponseMsg MUST NOT be valid if there was no AuthResponseMsg for this sender on this session. - Important: This does not protect against a malicious middle-man proxy that terminates TLS.
    • Don't allow multiple wire identities over the same TCP/TLS session. (probably the case at the moment)

DragonDev1906 avatar Jan 04 '23 10:01 DragonDev1906

It should be possible to implement a wire adapter that provides authentication. AFAIR, there is an implementation that utilizes libp2p to achieve encryption and authentication. @tinnendo should be able to point you to it.

matthiasgeihs avatar Jan 04 '23 17:01 matthiasgeihs

You can send arbitrary Envelopes over any connection and afaik, there is no check that would bind a single connection to a single sender. Neither the wire/net.Bus nor the wire/net.ioConn check for the Sender field of the envelopes, and all received envelopes get multiplexed over a central wire.Publisher.

RmbRT avatar Jan 05 '23 09:01 RmbRT