📅 Original date posted:2018-12-04
📝 Original message:
Corné Plooy via Lightning-dev
<lightning-dev at lists.linuxfoundation.org> writes:
> For instance, the attacking intermediate node might guess that the next
> node in the route is the final node; it can test this by completely
> replacing the onion packet it sends to the next node with a self-written
> onion packet that has the next hop as final node, with the same amount
> and payment hash as instructed by the incoming payment. If that
> succeeds, it has learned that the next node is indeed the final node
> (and nobody gets to know about the attack)
This is always true, regardless of construction, with our current
scheme.
> ; if that fails, it might
> retry the payment with the original onion packet. In that case, it
> learned that the next node is *not* the final node. In this case, the
> attack is detectable by the next node though: it first receives an
> incoming payment with a payment hash it doesn't recognize, and then it
> receives a payment forwarding request with the same payment hash.
True. Note that we go as far as preventing forwarding of the same onion
(for traffic analysis), but we don't block this more obvious attack.
> I think we could stop this type of attack by including some kind of
> shared secret in the onion message to the final node:
>
> * Payee generates shared secret and passes this to payer, as part of the
> invoice
>
> * Payer includes shared secret in the per hop data to payee
>
> * On receiving the incoming message, payee checks whether the received
> shared secret corresponds to the generated one. If this is not the case,
> behave in exactly the same way as when the payment hash is unrecognized
> (including timing, to prevent timing side-channel attacks).
This would indeed be an incremental improvement: I generally prefer not
to rely on the privacy of the invoice delivery, but this certainly makes
it no worse.
> The shared secret doesn't need to be very large: the number of attempts
> per second (to guess the shared secret) is limited by network latency,
> bandwidth and maybe some artificial rate limiting. If an attacker can do
> 100 attempts per second, then a 32-bit shared secret will take (on
> average) 2^31 / (100*3600*24) = 248 days to crack, for a single guess of
> which node is the final node. In the mean time, people will have noticed
> the ongoing attack and will have taken countermeasures. Besides, the
> transaction lock time will likely have expired in the mean time as well.
We could really just use the last 4 bytes of the signature, AFAICT.
Cheers,
Rusty.
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-09 12:53:21
in reply to nevent1q…5kaz
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-09 12:53:21Event JSON
{
"id": "1377b271e3d2133aeb0d5e946e6c1a1d87daa52435196d269668de49c5d0e420",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686315201,
"kind": 1,
"tags": [
[
"e",
"2fcb445dd574564835b2068c030ba4e556383d5b915eb5763f6fba62ac8aa302",
"",
"root"
],
[
"e",
"814d4f17d735a65fd8746b9d038df0fad12a9ba406bd564520982c9dac096279",
"",
"reply"
],
[
"p",
"72cd40332ec782dd0a7f63acb03e3b6fdafa6d91bd1b6125cd8b7117a1bb8057"
]
],
"content": "📅 Original date posted:2018-12-04\n📝 Original message:\nCorné Plooy via Lightning-dev\n\u003clightning-dev at lists.linuxfoundation.org\u003e writes:\n\u003e For instance, the attacking intermediate node might guess that the next\n\u003e node in the route is the final node; it can test this by completely\n\u003e replacing the onion packet it sends to the next node with a self-written\n\u003e onion packet that has the next hop as final node, with the same amount\n\u003e and payment hash as instructed by the incoming payment. If that\n\u003e succeeds, it has learned that the next node is indeed the final node\n\u003e (and nobody gets to know about the attack)\n\nThis is always true, regardless of construction, with our current\nscheme.\n\n\u003e ; if that fails, it might\n\u003e retry the payment with the original onion packet. In that case, it\n\u003e learned that the next node is *not* the final node. In this case, the\n\u003e attack is detectable by the next node though: it first receives an\n\u003e incoming payment with a payment hash it doesn't recognize, and then it\n\u003e receives a payment forwarding request with the same payment hash.\n\nTrue. Note that we go as far as preventing forwarding of the same onion\n(for traffic analysis), but we don't block this more obvious attack.\n\n\u003e I think we could stop this type of attack by including some kind of\n\u003e shared secret in the onion message to the final node:\n\u003e\n\u003e * Payee generates shared secret and passes this to payer, as part of the\n\u003e invoice\n\u003e\n\u003e * Payer includes shared secret in the per hop data to payee\n\u003e\n\u003e * On receiving the incoming message, payee checks whether the received\n\u003e shared secret corresponds to the generated one. If this is not the case,\n\u003e behave in exactly the same way as when the payment hash is unrecognized\n\u003e (including timing, to prevent timing side-channel attacks).\n\nThis would indeed be an incremental improvement: I generally prefer not\nto rely on the privacy of the invoice delivery, but this certainly makes\nit no worse.\n\n\u003e The shared secret doesn't need to be very large: the number of attempts\n\u003e per second (to guess the shared secret) is limited by network latency,\n\u003e bandwidth and maybe some artificial rate limiting. If an attacker can do\n\u003e 100 attempts per second, then a 32-bit shared secret will take (on\n\u003e average) 2^31 / (100*3600*24) = 248 days to crack, for a single guess of\n\u003e which node is the final node. In the mean time, people will have noticed\n\u003e the ongoing attack and will have taken countermeasures. Besides, the\n\u003e transaction lock time will likely have expired in the mean time as well.\n\nWe could really just use the last 4 bytes of the signature, AFAICT.\n\nCheers,\nRusty.",
"sig": "8b61d0bfdee43fb162bb2c38cd9d204757e4938daa43b1d7134b2ec56f8c9160f7b22b10f934bfae1b7026600f6c504a843e5bdf808b3b9f5c88d2bf404a1a75"
}