📅 Original date posted:2016-03-23
📝 Original message:>> I have just PRed a draft version of two BIPs I recently wrote.
>> https://github.com/bitcoin/bips/pull/362
>
> I suggest running a spellchecker ;)
Thanks. Will do.
> * why would you not allow encryption on non-pre-approved connections?
The encryption should be optional.
The proposed authentication scheme does take care of the
identity-management and therefor prevent MITM attacks.
Without the identity management, you might not detect sending/receiving
encrypted data from/to a MITM.
> * we just removed (ssl) encryption from the JSON interface, how do you suggest
> this encryption to be implemented without openSSL?
The proposed encryption schema is based on ECDSA/ECDH (implemented in
libsecp256k1) and AES256CBC (implementation is on the way see
https://github.com/bitcoin/bitcoin/pull/7689).
OpenSSL is not required.
> * What is the reason for using the p2p code to connect a wallet to a node?
> I suggest using one of the other connection methods to connect to the node.
> This avoids a change in the bitcoin protocol for a very specific usecase.
Most known use-case: SPV.
> * Why do you want to do a per-message encryption (wrapping the original)?
> Smaller messages that contain predictable content and are able to be matched
> to the unencrypted versions on the wire send to other nodes will open this
> scheme up to various old statistical attacks.
It's probably extremely inefficient to create a constant time stream.
Even most SSL/SSH application leak information because of the
communication message characteristics.
The current wrapping message proposal is not very efficient.
I will change it so that the p2p message header will contain the
encryption metadata. This should lead to a tiny overhead.
>
>> Responding peers must ignore (banning would lead to fingerprinting) the
> requesting peer after 5 unsuccessfully authentication tries to avoid resource
> attacks.
>
> Any implementation of that kind would itself again be open to resource
> attacks.
> Why 5? Do you want to allow a node to make a typo?
Good point. Maybe one false try should lead to ignoring the peer.
>
>
>> To ensure that no message was dropped or blocked, the complete communication
> must be hashed (sha256). Both peers keep the SHA256 context of the encryption
> session. The complete <code>enc</code> message (leaving out the hash itself)
> must be added to the hash-context by both parties. Before sending a
> <code>enc</code> command, the sha256 context will be copied and finalized.
>
> You write "the complete communication must be hashed" and every message has a
> hash of the state until it is at that point.
> I think you need to explain how that works specifically.
This is a relative simple concept and does not require rehashing the
whole communication. You just append the "new data".
Some pseudocode:
SHA256CTX ctx;
// first com
SHA256CTX_Update(ctx, 1stmessage);
// copy context
SHA256CTX ctxnew = ctx;
// finalize the copied context
sha256hash = SHA256CTX_Finalize(ctxnew); //use as checksum hash
//////// next message
SHA256CTX_Update(ctx, 2ndmessage);
// copy context
SHA256CTX ctxnew = ctx;
// finalize the copied context
sha256hash = SHA256CTX_Finalize(ctxnew); //use as checksum hash
... etc.
</jonas>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20160323/3dd53763/attachment-0001.sig>;
Jonas Schnelli [ARCHIVE] /
npub1nf…3dtxs
2023-06-07 17:49:56
in reply to nevent1q…zdqc
Author Public Key
npub1nfrrurat393mqymf3s26pujyn5vujlem3pzcukr5p9d4qpklngxq43dtxsPublished at
2023-06-07 17:49:56Event JSON
{
"id": "c8ce95b99e86baf5702ae167804cfd8fdbf8ded8d533feb304bd673db4854774",
"pubkey": "9a463e0fab8963b013698c15a0f2449d19c97f3b88458e5874095b5006df9a0c",
"created_at": 1686160196,
"kind": 1,
"tags": [
[
"e",
"1c87d471b2f2da141b64e0a9c480b3ca53986e57331a196cd0234d6c8fb75484",
"",
"root"
],
[
"e",
"2beda7fb2e008d51ca61bfcc3234ed2b2c7d5b7ed8a40b7b50f098119d0ea5a5",
"",
"reply"
],
[
"p",
"82205f272f995d9be742779a3c19a2ae08522ca14824c3a3b01525fb5459161e"
]
],
"content": "📅 Original date posted:2016-03-23\n📝 Original message:\u003e\u003e I have just PRed a draft version of two BIPs I recently wrote.\n\u003e\u003e https://github.com/bitcoin/bips/pull/362\n\u003e \n\u003e I suggest running a spellchecker ;)\n\nThanks. Will do.\n\n\n\u003e * why would you not allow encryption on non-pre-approved connections?\n\nThe encryption should be optional.\nThe proposed authentication scheme does take care of the\nidentity-management and therefor prevent MITM attacks.\nWithout the identity management, you might not detect sending/receiving\nencrypted data from/to a MITM.\n\n\u003e * we just removed (ssl) encryption from the JSON interface, how do you suggest \n\u003e this encryption to be implemented without openSSL?\n\nThe proposed encryption schema is based on ECDSA/ECDH (implemented in\nlibsecp256k1) and AES256CBC (implementation is on the way see\nhttps://github.com/bitcoin/bitcoin/pull/7689).\nOpenSSL is not required.\n\n\u003e * What is the reason for using the p2p code to connect a wallet to a node?\n\u003e I suggest using one of the other connection methods to connect to the node. \n\u003e This avoids a change in the bitcoin protocol for a very specific usecase.\n\nMost known use-case: SPV.\n\n\u003e * Why do you want to do a per-message encryption (wrapping the original)? \n\u003e Smaller messages that contain predictable content and are able to be matched \n\u003e to the unencrypted versions on the wire send to other nodes will open this \n\u003e scheme up to various old statistical attacks.\n\nIt's probably extremely inefficient to create a constant time stream.\nEven most SSL/SSH application leak information because of the\ncommunication message characteristics.\n\nThe current wrapping message proposal is not very efficient.\nI will change it so that the p2p message header will contain the\nencryption metadata. This should lead to a tiny overhead.\n\n\n\u003e \n\u003e\u003e Responding peers must ignore (banning would lead to fingerprinting) the \n\u003e requesting peer after 5 unsuccessfully authentication tries to avoid resource \n\u003e attacks.\n\u003e \n\u003e Any implementation of that kind would itself again be open to resource \n\u003e attacks.\n\u003e Why 5? Do you want to allow a node to make a typo?\n\nGood point. Maybe one false try should lead to ignoring the peer.\n\n\u003e \n\u003e \n\u003e\u003e To ensure that no message was dropped or blocked, the complete communication \n\u003e must be hashed (sha256). Both peers keep the SHA256 context of the encryption \n\u003e session. The complete \u003ccode\u003eenc\u003c/code\u003e message (leaving out the hash itself) \n\u003e must be added to the hash-context by both parties. Before sending a \n\u003e \u003ccode\u003eenc\u003c/code\u003e command, the sha256 context will be copied and finalized.\n\u003e \n\u003e You write \"the complete communication must be hashed\" and every message has a \n\u003e hash of the state until it is at that point.\n\u003e I think you need to explain how that works specifically.\n\nThis is a relative simple concept and does not require rehashing the\nwhole communication. You just append the \"new data\".\n\nSome pseudocode:\n\nSHA256CTX ctx;\n\n// first com\nSHA256CTX_Update(ctx, 1stmessage);\n\n// copy context\nSHA256CTX ctxnew = ctx;\n\n// finalize the copied context\nsha256hash = SHA256CTX_Finalize(ctxnew); //use as checksum hash\n\n\n//////// next message\nSHA256CTX_Update(ctx, 2ndmessage);\n\n// copy context\nSHA256CTX ctxnew = ctx;\n\n// finalize the copied context\nsha256hash = SHA256CTX_Finalize(ctxnew); //use as checksum hash\n\n... etc.\n\n\u003c/jonas\u003e\n\n-------------- next part --------------\nA non-text attachment was scrubbed...\nName: signature.asc\nType: application/pgp-signature\nSize: 819 bytes\nDesc: OpenPGP digital signature\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20160323/3dd53763/attachment-0001.sig\u003e",
"sig": "9d8c64d5f0ddc0e2039f1fd39065a8332b05b233559aceb1bcbae37e0064266c193d908ba181895bedfc171f3784d6bc5501eb64518b5e388d62f16d170ceb24"
}