📅 Original date posted:2015-10-19
📝 Original message:
On Sat, Oct 17, 2015 at 06:53:55AM +1000, Anthony Towns wrote:
> I think treating the relationship between a network address (IPv4/IPv6
> addr and port, tor service) and the lightning network address as sensitive
> is valuable. Revealing a network address helps reveal physical identity,
> makes denial-of-service attacks straightforward, and gives a point of
> entry for targetted hacking to steal your money.
I guess the attacks I'm thinking of are something like:
Exploits leading to theft:
- if you're a merchant, it's easy to find out your lightning id (just
buy something from you!) and during the trading day you'll probably
have a relatively large balance in your lightning channels (up until
you close it out by committing your profits to the blockchain eg). If
I can find your IP address and hack into your system, I can steal
that money.
- if you're making lots of money routing payments, I might be able to
deduce that from public information (like how cheap your fees are,
how rarely your fees change, how many connections you have, ...)
and thus know that you have a lot of money in lightning channels that
I can steal
- if you're just being a consumer, however, I can't think of a reason
your lightning id would matter -- if I can snoop on your IP connection,
I can probably tell you're mostly a consumer by traffic analysis,
and conclude that you've probably got $10-$100 that could be
stolen. failure of imagination on my behalf?
Denial of service:
- I might know the lightning id of someone I don't like; a merchant who
sells something unpopular, or a node that routes payment for people I
don't like. If I can translate that into an IP address, I might be
able to DoS them using botnets etc.
Exploits that help you exploit others:
- if I know X has a channel with you; figuring out X's IP might let
me monitor X's TCP connections (by hacking into their system, or
by subpoena'ing their ISP), which in turn would help me figure out
your IP.
I guess there's three ways you can associate the info:
a) given a lightning id, cheaply work out the IP that provides it
b) given an IP, cheaply work out the lightning id associated with it
c) given an IP and a lightning id, confirm/deny whether that lightning
id is provided by that IP
(a) is what you want if you're planning theft or DoS
(c) is enough if you've got other information about whoever you want to
attack that can narrow down the lightning ids and IP addresses (eg, you
want to attack a local business, so you can find out their lightning id
directly, and narrow down their IP based on local ISPs)
(c) is obviously trivial if you've already got (a) or (b).
You can get to (a) from (b) if (b) is cheap enough and you can build up
a database that you can query in reverse.
If you're not an attacker, then (a) is useful if you want to have new
channels not be totally random (eg, to have people be able to connect
to newly announced beacons). And (c) is presumably necessary if you
want to reconnect to someone you had a channel with, when you lose your
internet connction.
One "clever" way to handle (a) might be via a "fund a new channel by
lightning transaction" operation. ie, if you (Alice) want to open a
channel with Bob, route a payment to Bob with instructions to forward to
Alice, and to do that by connecting to a given IP/port and establishing
a new channel; ie rather than just telling Bob to route to Alice in the
onion payoad, also included Alice's network address. That way Alice
reveals her IP precisely to Bob; and Bob only reveals his IP if he
decides he is interested in opening a channel.
That'd also provide a way of reconnecting with a peer if you lose your
connection and both of you change your IPs. It assumes that you both
have an alternative channel that's still functional though.
Okay... so how about the following. When making a new p2p connection, when
you know who you're talking to, you rely on a shared secret X, and send:
Alice: "Hi. I'm <session key A>. My nonce is X."
Bob: "Good to meet you, I'm <session key B>."
Rest is encrypted to ECDH(A,B).
Alice: SIG_Alice(Alice || Bob || A || ECDH(A,B))
Bob: SIG_Bob(Bob || Alice || B || ECDH(A,B))
Alice: "Hi Bob!"
Bob: "Hi Alice!"
If you don't know who you're talking to, you don't send a nonce and
you do the current protocol. Once you're connected (or once you have a
channel setup) they'll tell you a nonce to use next time:
Alice: "Hi. I'm <session key A>."
Bob: "Good to meet you, I'm <session key B>."
Rest is encrypted to ECDH(A,B).
Alice: I'm Alice, SIG(Alice || A || ECDH(A,B))
Bob: I'm Bob, SIG(Bob || B || ECDH(A,B))
Bob: BTW, next time you connect, use nonce <Y>.
If Bob wants some degree of privacy, while still accepting anonymous
connections, then he generates a new id to hand out to anonymous
connections every so often, linking it up to one of his other ids, or
to one of his neighbours by reusing a pre-existing channel. If you're
asking someone to connect to you and have a bunch of ids, you give them
a nonce to use that will select the correct one. You use nonces as a
hash key to lookup your id, their id, and any channels you have open.
You don't share or reuse nonces.
(If an attacker knows Alice and Bob have a connection, and can MITM
Alice trying to connect to X, the above lets them verify which of Alice's
connections is Bob. If that's a reasonable attack, it'd be avoidable if
the nonce X was replaced by X and Y; X sent in cleartext as above, but
Y simply included in the info being signed. That prevents the attacker
from being able to verify the signature info at all)
Not convinced that's quite right, but maybe something along those lines
might work out.
Until there's a substantial number of lightning nodes (1000s?), it's
probably trivial to link network address and lightning id by traffic
analysis, so I think it's probably sane to leave implementing any of
the above until later.
Cheers,
aj
Anthony Towns [ARCHIVE] /
npub17r…x9l2h
2023-06-09 12:44:53
in reply to nevent1q…eha0
Author Public Key
npub17rld56k4365lfphyd8u8kwuejey5xcazdxptserx03wc4jc9g24stx9l2hPublished at
2023-06-09 12:44:53Event JSON
{
"id": "e0c2facc614292d4058c1c8dad07d274d6ec625ea6f72fda8baf547596516105",
"pubkey": "f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab",
"created_at": 1686314693,
"kind": 1,
"tags": [
[
"e",
"3349bac3c0093cc138cf165a35e427e33b66da31c2652f9bf128f3286a54941b",
"",
"root"
],
[
"e",
"a18745e20f82da97c5a000a5159fafe01e12c1465ab942729054a1a5614a5549",
"",
"reply"
],
[
"p",
"f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab"
]
],
"content": "📅 Original date posted:2015-10-19\n📝 Original message:\nOn Sat, Oct 17, 2015 at 06:53:55AM +1000, Anthony Towns wrote:\n\u003e I think treating the relationship between a network address (IPv4/IPv6\n\u003e addr and port, tor service) and the lightning network address as sensitive\n\u003e is valuable. Revealing a network address helps reveal physical identity,\n\u003e makes denial-of-service attacks straightforward, and gives a point of\n\u003e entry for targetted hacking to steal your money.\n\nI guess the attacks I'm thinking of are something like:\n\nExploits leading to theft:\n\n - if you're a merchant, it's easy to find out your lightning id (just\n buy something from you!) and during the trading day you'll probably\n have a relatively large balance in your lightning channels (up until\n you close it out by committing your profits to the blockchain eg). If\n I can find your IP address and hack into your system, I can steal\n that money.\n\n - if you're making lots of money routing payments, I might be able to\n deduce that from public information (like how cheap your fees are,\n how rarely your fees change, how many connections you have, ...)\n and thus know that you have a lot of money in lightning channels that\n I can steal\n\n - if you're just being a consumer, however, I can't think of a reason\n your lightning id would matter -- if I can snoop on your IP connection,\n I can probably tell you're mostly a consumer by traffic analysis,\n and conclude that you've probably got $10-$100 that could be\n stolen. failure of imagination on my behalf?\n\nDenial of service:\n\n - I might know the lightning id of someone I don't like; a merchant who\n sells something unpopular, or a node that routes payment for people I\n don't like. If I can translate that into an IP address, I might be\n able to DoS them using botnets etc.\n\nExploits that help you exploit others:\n\n - if I know X has a channel with you; figuring out X's IP might let\n me monitor X's TCP connections (by hacking into their system, or\n by subpoena'ing their ISP), which in turn would help me figure out\n your IP.\n\nI guess there's three ways you can associate the info:\n\n a) given a lightning id, cheaply work out the IP that provides it\n\n b) given an IP, cheaply work out the lightning id associated with it\n\n c) given an IP and a lightning id, confirm/deny whether that lightning\n id is provided by that IP\n\n(a) is what you want if you're planning theft or DoS\n\n(c) is enough if you've got other information about whoever you want to\n attack that can narrow down the lightning ids and IP addresses (eg, you\n want to attack a local business, so you can find out their lightning id\n directly, and narrow down their IP based on local ISPs)\n\n(c) is obviously trivial if you've already got (a) or (b).\n\nYou can get to (a) from (b) if (b) is cheap enough and you can build up\na database that you can query in reverse.\n\nIf you're not an attacker, then (a) is useful if you want to have new\nchannels not be totally random (eg, to have people be able to connect\nto newly announced beacons). And (c) is presumably necessary if you\nwant to reconnect to someone you had a channel with, when you lose your\ninternet connction.\n\nOne \"clever\" way to handle (a) might be via a \"fund a new channel by\nlightning transaction\" operation. ie, if you (Alice) want to open a\nchannel with Bob, route a payment to Bob with instructions to forward to\nAlice, and to do that by connecting to a given IP/port and establishing\na new channel; ie rather than just telling Bob to route to Alice in the\nonion payoad, also included Alice's network address. That way Alice\nreveals her IP precisely to Bob; and Bob only reveals his IP if he\ndecides he is interested in opening a channel.\n\nThat'd also provide a way of reconnecting with a peer if you lose your\nconnection and both of you change your IPs. It assumes that you both\nhave an alternative channel that's still functional though.\n\n\nOkay... so how about the following. When making a new p2p connection, when\nyou know who you're talking to, you rely on a shared secret X, and send:\n\n Alice: \"Hi. I'm \u003csession key A\u003e. My nonce is X.\"\n Bob: \"Good to meet you, I'm \u003csession key B\u003e.\"\n\nRest is encrypted to ECDH(A,B).\n\n Alice: SIG_Alice(Alice || Bob || A || ECDH(A,B))\n Bob: SIG_Bob(Bob || Alice || B || ECDH(A,B))\n\n Alice: \"Hi Bob!\"\n Bob: \"Hi Alice!\"\n\n\nIf you don't know who you're talking to, you don't send a nonce and\nyou do the current protocol. Once you're connected (or once you have a\nchannel setup) they'll tell you a nonce to use next time:\n\n Alice: \"Hi. I'm \u003csession key A\u003e.\"\n Bob: \"Good to meet you, I'm \u003csession key B\u003e.\"\n\nRest is encrypted to ECDH(A,B).\n\n Alice: I'm Alice, SIG(Alice || A || ECDH(A,B))\n Bob: I'm Bob, SIG(Bob || B || ECDH(A,B))\n Bob: BTW, next time you connect, use nonce \u003cY\u003e.\n\nIf Bob wants some degree of privacy, while still accepting anonymous\nconnections, then he generates a new id to hand out to anonymous\nconnections every so often, linking it up to one of his other ids, or\nto one of his neighbours by reusing a pre-existing channel. If you're\nasking someone to connect to you and have a bunch of ids, you give them\na nonce to use that will select the correct one. You use nonces as a\nhash key to lookup your id, their id, and any channels you have open.\nYou don't share or reuse nonces.\n\n(If an attacker knows Alice and Bob have a connection, and can MITM\nAlice trying to connect to X, the above lets them verify which of Alice's\nconnections is Bob. If that's a reasonable attack, it'd be avoidable if\nthe nonce X was replaced by X and Y; X sent in cleartext as above, but\nY simply included in the info being signed. That prevents the attacker\nfrom being able to verify the signature info at all)\n\nNot convinced that's quite right, but maybe something along those lines\nmight work out.\n\nUntil there's a substantial number of lightning nodes (1000s?), it's\nprobably trivial to link network address and lightning id by traffic\nanalysis, so I think it's probably sane to leave implementing any of\nthe above until later.\n\nCheers,\naj",
"sig": "916bdb1fc1fb73fd1c4da28c0cd34b823b2723d05f1f8b590a1a0a153c68dd584762d1b12247340baf8f0328f39b75c3a73cb01ba331637591e2f8e097b65c93"
}