📅 Original date posted:2018-12-04
📝 Original message:
Thanks Christian, that makes sense. Unfortunately it's not very clear
from the BOLT, at least not for me.
Now that I think of this type of attack: *in general* the HMAC prevents
this kind of attack, but isn't the attack still possible in certain
specific cases?
For instance, the attacking intermediate node might guess that the next
node in the route is the final node; it can test this by completely
replacing the onion packet it sends to the next node with a self-written
onion packet that has the next hop as final node, with the same amount
and payment hash as instructed by the incoming payment. If that
succeeds, it has learned that the next node is indeed the final node
(and nobody gets to know about the attack); if that fails, it might
retry the payment with the original onion packet. In that case, it
learned that the next node is *not* the final node. In this case, the
attack is detectable by the next node though: it first receives an
incoming payment with a payment hash it doesn't recognize, and then it
receives a payment forwarding request with the same payment hash.
Given that the attacker has good knowledge of the shape of the Lightning
network, this type of attack can be generalized to test whether a
certain second-degree neighbor, third-degree neighbor etc. is the final
node; it scales pretty badly with increasing network distance though. An
additional advantage for the attacker is that this gives plausible
deniability: if the attack becomes visible, the attacker can always
claim it wasn't him, but some node upstream in the route. A practical
difficulty for the attacker might be that the exact amount forwarded in
further-away hops is unknown, but it's probably not that difficult to guess.
I think we could stop this type of attack by including some kind of
shared secret in the onion message to the final node:
* Payee generates shared secret and passes this to payer, as part of the
invoice
* Payer includes shared secret in the per hop data to payee
* On receiving the incoming message, payee checks whether the received
shared secret corresponds to the generated one. If this is not the case,
behave in exactly the same way as when the payment hash is unrecognized
(including timing, to prevent timing side-channel attacks).
If this shared secret is encrypted like the rest of the per hop data,
the attacker can't learn the shared secret, and can't include it in his
own replacement onion. He can't copy-paste the encrypted shared secret
from the original onion either, since he has to use his own, different
ephemeral key in his own onion. With this protocol in place, a final
node can no longer be distinguished from a non-final node with this attack.
The shared secret doesn't need to be very large: the number of attempts
per second (to guess the shared secret) is limited by network latency,
bandwidth and maybe some artificial rate limiting. If an attacker can do
100 attempts per second, then a 32-bit shared secret will take (on
average) 2^31 / (100*3600*24) = 248 days to crack, for a single guess of
which node is the final node. In the mean time, people will have noticed
the ongoing attack and will have taken countermeasures. Besides, the
transaction lock time will likely have expired in the mean time as well.
CJP
On 29-11-18 18:13, Christian Decker wrote:
> Hi Corne,
>
> the HMACs are necessary in order to make sure that a hop cannot modify
> the packet before forwarding, and the next node not detecting that
> modification.
>
> One potential attack that could facilitate is that an attacker could
> learn the path length by messing with different per-hop payloads: set
> n=0 the attacker flips bits in the nth per-hop payload, and forwards
> it. If the next node doesn't return an error it was the final recipient,
> if if returns an error, increment n and flip bits in the (n+1)th per-hop
> payload, until no error is returned. Congratulation you just learned the
> path length after you. The same can probably be done with the error
> packet, meaning you can learn the exact position in the route. Add to
> that the information you already know about the network (cltv_deltas,
> amounts, fees, ...) and you can probably detect sender and recipient.
>
> Adding HMACs solves this by ensuring that the next hop will return an
> error if anything was changed, i.e., removing the leak about which node
> would have failed the route.
>
> Cheers,
> Christian
Corné Plooy [ARCHIVE] /
npub1ly…cdx6n
2023-06-09 12:53:19
in reply to nevent1q…7y8q
Author Public Key
npub1ly5vrg5ylhdkxrkj824jhlnfsy2z8fvlg8wcc0jqc4aezma6majsycdx6nPublished at
2023-06-09 12:53:19Event JSON
{
"id": "7f2ba9edbca3d47dbd6efbc70f78a0b39f1987de0c82d4ef260501afa18da551",
"pubkey": "f928c1a284fddb630ed23aab2bfe69811423a59f41dd8c3e40c57b916fbadf65",
"created_at": 1686315199,
"kind": 1,
"tags": [
[
"e",
"2fcb445dd574564835b2068c030ba4e556383d5b915eb5763f6fba62ac8aa302",
"",
"reply"
],
[
"p",
"9456f7acb763eaab2e02bd8e60cf17df74f352c2ae579dce1f1dd25c95dd611c"
]
],
"content": "📅 Original date posted:2018-12-04\n📝 Original message:\nThanks Christian, that makes sense. Unfortunately it's not very clear\nfrom the BOLT, at least not for me.\n\nNow that I think of this type of attack: *in general* the HMAC prevents\nthis kind of attack, but isn't the attack still possible in certain\nspecific cases?\n\n\nFor instance, the attacking intermediate node might guess that the next\nnode in the route is the final node; it can test this by completely\nreplacing the onion packet it sends to the next node with a self-written\nonion packet that has the next hop as final node, with the same amount\nand payment hash as instructed by the incoming payment. If that\nsucceeds, it has learned that the next node is indeed the final node\n(and nobody gets to know about the attack); if that fails, it might\nretry the payment with the original onion packet. In that case, it\nlearned that the next node is *not* the final node. In this case, the\nattack is detectable by the next node though: it first receives an\nincoming payment with a payment hash it doesn't recognize, and then it\nreceives a payment forwarding request with the same payment hash.\n\n\nGiven that the attacker has good knowledge of the shape of the Lightning\nnetwork, this type of attack can be generalized to test whether a\ncertain second-degree neighbor, third-degree neighbor etc. is the final\nnode; it scales pretty badly with increasing network distance though. An\nadditional advantage for the attacker is that this gives plausible\ndeniability: if the attack becomes visible, the attacker can always\nclaim it wasn't him, but some node upstream in the route. A practical\ndifficulty for the attacker might be that the exact amount forwarded in\nfurther-away hops is unknown, but it's probably not that difficult to guess.\n\n\nI think we could stop this type of attack by including some kind of\nshared secret in the onion message to the final node:\n\n* Payee generates shared secret and passes this to payer, as part of the\ninvoice\n\n* Payer includes shared secret in the per hop data to payee\n\n* On receiving the incoming message, payee checks whether the received\nshared secret corresponds to the generated one. If this is not the case,\nbehave in exactly the same way as when the payment hash is unrecognized\n(including timing, to prevent timing side-channel attacks).\n\nIf this shared secret is encrypted like the rest of the per hop data,\nthe attacker can't learn the shared secret, and can't include it in his\nown replacement onion. He can't copy-paste the encrypted shared secret\nfrom the original onion either, since he has to use his own, different\nephemeral key in his own onion. With this protocol in place, a final\nnode can no longer be distinguished from a non-final node with this attack.\n\n\nThe shared secret doesn't need to be very large: the number of attempts\nper second (to guess the shared secret) is limited by network latency,\nbandwidth and maybe some artificial rate limiting. If an attacker can do\n100 attempts per second, then a 32-bit shared secret will take (on\naverage) 2^31 / (100*3600*24) = 248 days to crack, for a single guess of\nwhich node is the final node. In the mean time, people will have noticed\nthe ongoing attack and will have taken countermeasures. Besides, the\ntransaction lock time will likely have expired in the mean time as well.\n\n\nCJP\n\n\nOn 29-11-18 18:13, Christian Decker wrote:\n\u003e Hi Corne,\n\u003e\n\u003e the HMACs are necessary in order to make sure that a hop cannot modify\n\u003e the packet before forwarding, and the next node not detecting that\n\u003e modification.\n\u003e\n\u003e One potential attack that could facilitate is that an attacker could\n\u003e learn the path length by messing with different per-hop payloads: set\n\u003e n=0 the attacker flips bits in the nth per-hop payload, and forwards\n\u003e it. If the next node doesn't return an error it was the final recipient,\n\u003e if if returns an error, increment n and flip bits in the (n+1)th per-hop\n\u003e payload, until no error is returned. Congratulation you just learned the\n\u003e path length after you. The same can probably be done with the error\n\u003e packet, meaning you can learn the exact position in the route. Add to\n\u003e that the information you already know about the network (cltv_deltas,\n\u003e amounts, fees, ...) and you can probably detect sender and recipient.\n\u003e\n\u003e Adding HMACs solves this by ensuring that the next hop will return an\n\u003e error if anything was changed, i.e., removing the leak about which node\n\u003e would have failed the route.\n\u003e\n\u003e Cheers,\n\u003e Christian",
"sig": "912dfa295183f4b8fcd3174a21d91baa6510f8b274bd94085ae632c5d58139f056ea3778db82349c0dcb332541e6b0ec18087a4ffb9ae83826256295c68e17f8"
}