SECIO spec #106
SECIO spec #106
Conversation
ghost
assigned 
There was a problem hiding this comment.
General comment: this reads more like a walk though the go-libp2p secio implementation and less like a spec. It would be nice if this were a bit more declarative (list out the message types, explain how they are composed, then explain how to use them) and less "run this, then this, then this".
secio/README.md
Outdated
| proposal as follows: | ||
|
|
||
| *Note: the public key should be serialized per the `Bytes` method from | ||
| [go-libp2p-crypto](https://godoc.org/github.com/libp2p/go-libp2p-crypto#Key).* |
There was a problem hiding this comment.
Let's point at #100 (once it's merged)
secio/README.md
Outdated
| Pubkey: <public key bytes>, | ||
| Exchanges: <comma separated string of supported key exchanges>, | ||
| Ciphers: <comma separated string of supported ciphers>, | ||
| Hashes: <comma separated string of supported hashes>, |
There was a problem hiding this comment.
Let's put the actual protobuf here (and say that it's a protobuf).
secio/README.md
Outdated
|
|
||
| Both peers serialize this message and send it over the wire. Upon deserializing | ||
| their peer's message, they verify that the pubkey matches that described by the | ||
| peer's peer ID (NOTE: this is sometimes only possible for the peer *initiating* |
There was a problem hiding this comment.
Given that this is just the spec, I'd just say:
At this point, each peer should check that the public key matches the expected peer ID, if known.
Or something like that. We don't need to explicitly tell the programmer how to implement the protocol step-by-step (i.e., "calculate the peer ID and store it for later").
secio/README.md
Outdated
| Now the peers prepare a key exchange. Both peers generate an ephemeral key based | ||
| on the agreed upon exchange (currently support is only available for elliptic | ||
| curve algorithms). Ephemeral keys are generated via | ||
| [go-libp2p-crypto](https://godoc.org/github.com/libp2p/go-libp2p-crypto#GenerateEKeyPair). |
There was a problem hiding this comment.
We should actually spec this.
There was a problem hiding this comment.
That's standard ECDHE if I'm not mistaken.
secio/README.md
Outdated
| Epubkey: <ephemeral pubkey>, | ||
| Signature: <sign corpus with local private key>, | ||
| } | ||
| ``` |
There was a problem hiding this comment.
Again, let's just use the protobuf definition.
secio/README.md
Outdated
| ephemeral key generation, passing it the remote peer's ephemeral key. With the | ||
| shared secret generated, both peers stretch the key using the algorithm | ||
| described by | ||
| [go-libp2p-crypto](https://godoc.org/github.com/libp2p/go-libp2p-crypto#KeyStretcher). |
| opened. Each packet is of the form: | ||
|
|
||
| ``` | ||
| [uint32 length of packet | encrypted body | hmac signature of encrypted body] |
There was a problem hiding this comment.
- We encode the lengths as big-endian (network-order).
- Need to specify what "encrypt" means.
- Need to specify how we mac.
There was a problem hiding this comment.
Does the padding style for encrypt need to be specified?
There was a problem hiding this comment.
Really, we should specify everything. Ideally, we'd point to an RFC. However, we should optimize for merging something that's correct rather than waiting for something that's perfect.
There was a problem hiding this comment.
I'm assuming that the length includes the encrypted body and the hmac signature.
secio/README.md
Outdated
| and `k2` the remote peer's key. | ||
|
|
||
| Each peer now generates a MAC key and cipher for the remote and local keys | ||
| generated in the previous step using the `MacKey` and `CipherKey` from the |
There was a problem hiding this comment.
Need to specify the order within the result of the stretching.
|
|
||
| The SECIO wire protocol features two message types defined in the | ||
| [protobuf description language](https://github.com/libp2p/go-libp2p-secio/blob/master/pb/spipe.proto). | ||
| These two messages, `Propose` and `Exchange` are the only serialized types |
There was a problem hiding this comment.
Let's dump the current state of the protobufs here. Relying on a reference that can mutate can render the spec incoherent at a later time. Also, we're seeking to version specs in general, so capturing the current state and versioning the spec as it evolves is fair play.
There was a problem hiding this comment.
Nevermind, I see this feedback is recurrent below.
secio/README.md
Outdated
|
|
||
| ### Proposal Generation | ||
|
|
||
| SECIO channel negotiation begins with a proposal phase. Both sides generate a |
There was a problem hiding this comment.
As a prerequisite for SECIO, we need a dedicated channel where both parties have agreed to proceed with SECIO handshake by means of a multiplexer or else.
secio/README.md
Outdated
|
|
||
| ### Key Stretching | ||
|
|
||
| Peers now generate their shared secret based on the function generated by the |
There was a problem hiding this comment.
IIRC, that function is referred to in literature as the KDF (key derivation function), and the overall process is called ECDH key agreement. Let's use these terms to evoke familiar concepts.
There was a problem hiding this comment.
I think its official name is ECSVDP-DH
| - P-384 | ||
| - P-521 | ||
|
|
||
| ### Ciphers |
There was a problem hiding this comment.
Ciphers used for key stretching and for message encryption once SECIO channel is established.
There was a problem hiding this comment.
Why is a deprecated cipher (Blowfish) supported? From the Go package docs:
Blowfish is a legacy cipher and its short block size makes it vulnerable to birthday bound attacks (see https://sweet32.info). It should only be used where compatibility with legacy systems, not security, is the goal.
Deprecated: any new system should use AES (from crypto/aes, if necessary in an AEAD mode like crypto/cipher.NewGCM) or XChaCha20-Poly1305 (from golang.org/x/crypto/chacha20poly1305).
Since the spec is not yet finalized, it would be cool if support was removed. If there is some mitigating circumstance (I haven't gone through the source very thoroughly!), a note about it would be helpful.
There was a problem hiding this comment.
It would also be worth noting what mode the AES ciphers should use. From the Go implementation, it looks like it's CTR!
Also, more generally, is this an implementation of any well-reviewed specification? If not, is there a reason why? I would imagine there are a number of specs for low-overhead, encrypted channels which may prevent future pitfalls.
There was a problem hiding this comment.
This is definitely not well-reviewed and will be will be deprecated in favor of TLS quite soon. See: https://github.com/libp2p/go-libp2p-tls/.
(go-ipfs now has experimental support which we'll likely upgrade to default support after a release or two).
There was a problem hiding this comment.
Gotcha, makes sense! And that answers my follow-up questions as well :)
secio/README.md
Outdated
| SECIO allows participating peers to support a subset of the following | ||
| algorithms. | ||
|
|
||
| ### Exhchanges |
There was a problem hiding this comment.
Elliptic curves used for ephemeral key generation.
| - AES-128 | ||
| - Blowfish | ||
|
|
||
| ### Hashes |
There was a problem hiding this comment.
Hashes used for key stretching, and for HMACs once SECIO channel is established.
There was a problem hiding this comment.
What mode and padding is AES-* using? Are there any parameters for Blowfish?
secio/README.md
Outdated
| preferred peer. After swapping if necessary, `k1` becomes the local peer's key | ||
| and `k2` the remote peer's key. | ||
|
|
||
| Each peer now generates a MAC key and cipher for the remote and local keys |
There was a problem hiding this comment.
These are not generated here. The MAC key is already generated during key stretching above. The cipher was selected above when comparing Propose messages.
What the Go implementation does at this point is prepare the constructs for HMAC and encryption/decryption. I think that's what needs to be stated, i.e. the implementation now has the required parameters to initialise the cryptographic constructs.
secio/README.md
Outdated
| ``` | ||
|
|
||
| The first packet transmitted by each peer must be the remote peer's nonce. Peers | ||
| validate that the remote peer sent them their nonce, closing if unsuccessful. |
There was a problem hiding this comment.
The target of validation is actually the (d)encryption and HMAC'ing logic. We use a known value (nonce) to send a predictable message so we can validate that both parties have set up the encrypted channels correctly.
secio/README.md
Outdated
|
|
||
| ## Table of Contents | ||
|
|
||
| - [Algorithm Support](#algorithm-support) |
secio/README.md
Outdated
| ### Hashes | ||
|
|
||
| - SHA-256 | ||
| - SHA-512 |
There was a problem hiding this comment.
Current go implementation does not use dashes in the hash name; see al.go.
|
@bigs status on this? Are you planning on continuing this work in the near future? |
|
yep @whyrusleeping just lower priority than testbed work at the moment. lotta good feedback re: shaping this into a more formal spec |
| exchanges. Each peer computes: | ||
|
|
||
| ``` | ||
| oh1 := sha256(concat(remotePeerPubKeyBytes, myNonce)) |
There was a problem hiding this comment.
This is the first use of the word "nonce". Does it refer to the rand field of the Propose message?
|
Hey all, I took a stab at addressing the review feedback here. I'd love if people with more experience could give it a review. One thing I didn't address was using more standard nomenclature (e.g. KDF, ECDH), as I'm not super confident I'd use the terms correctly. I might read up a bit more and give that a go for the next round. |
yusefnapora
added
the
maturity:recommendation
|
I'm going to go ahead and merge this, since I think it's in a decent state. If I added anyone to the interest group (@Stebalien, @richardschneider, @tomaka, @raulk) that doesn't want to be there, let me know. |
Introduces a spec for SECIO. Various crypto algorithms living in
*-libp2p-cryptohave been omitted for the time being.