-
Notifications
You must be signed in to change notification settings - Fork 273
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
noise/: Static key signature does not depend on a peer's challenge #355
Comments
Thanks @dnkolegov - I think you're correct, and it's likely a result of my flawed understanding of Noise when we were speccing this out. It seems like the simplest way to fix this without drastically rewriting the protocol would be to mandate that the "static" noise key be truly ephemeral, instead of allowing it to be reused between sessions. |
Hi @yusefnapora.
I think that's correct. Another mitigation could be using a peer's ephemeral public key ( |
I think this is the only real mitigation, the |
If an attacker is able to sign a static public key once then they will be able to impersonate
the identity key owner forever. This may occur if the attacker has temporary access to a signing module,
or if the static key is otherwise compromised.
Libp2p-noise extends the original Noise XX pattern in the following way:
and static keys): implementations may generate a new static keypair for each new session or a
single static keypair may be generated when libp2p-noise is initialized and used for all sessions
terms,
payload = Sig(id, s)
, whereid
is the sender's identity private key ands
is the senders's staticpublic key.
That said, the signature is computed over the sender's static public key without any input from the
corresponding peer. So, the used static key authentication mechanism violates the basic authenticated
key agreement protocol design principle:
Ephemeral leakage should not allow for long-term impersonation
.The initiator does not provide any challenge (e.g., ephemeral key) for signing and sender always
signs its static key without any random input from the peer. Actually, the sender just prooves that he
or she has a signature over the static public key, but not access to the identity private key. For example,
if an attacker finds a triple
(s_pub, s_priv, Sig(id, s_pub))
for the identity keyid
of the target user then heor she will be able to impersonate that user without any limitation in future.
The text was updated successfully, but these errors were encountered: