š
Original date posted:2015-10-19
š Original message:
Hm interesting. So far the IP-PubKey-Relationship was public for me
(furthermore, I even think about adding it to the gossip protocol, see
other post).
I think we can mitigate the risks associated fairly well. Suppose
lightning nodes run on dedicated machines, firewalled against any
incoming connections (except ones on the lightning port).
Against DDoS attacks it could be sufficient to just close this port as
soon as you are connected to all of the nodes you want to be
connected. Open connections are not affected by this.
However, I think it will be more difficult to establish a connection
between 'Real identity'-'PubKey'. And this relationship should really
be more sensitive. When you pay to someone, he will only provide you
with a rendezvous point and the onion object towards him, which is
encrypted. Lightning nodes can always have a dedicated IP address, to
make it more difficult to relate merchant IP and pubkey.
I think it is important to have a map of IP/PubKey for those who want
to provide it at least. The object which relates your pubkey and IP
will be signed with your private key. If you never sign and send such
an object, no one will be able to tell your IP other than your direct
neighbors. I think though that most nodes should be able to receive
new connections and build channels with foreign nodes. It is a direct
consequence of sufficiently hardening the network against failure. If
you observe a high fee rate for a specific route, you should be able
to establish new connections to help the network.
Against MITM and eavesdropping your pubkey to a stranger connecting to
your node, we can change the protocol such that the one initiating the
connection always sends his signed pubkey object first. It is up to
you to accept it and send yours if you know the other guy or don't
care, or to abort the connection if you don't like strangers.
Cheers
Mats Jerratsch
2015-10-19 7:30 GMT+02:00 Anthony Towns <aj at erisian.com.au>:
> On Sat, Oct 17, 2015 at 06:53:55AM +1000, Anthony Towns wrote:
>> I think treating the relationship between a network address (IPv4/IPv6
>> addr and port, tor service) and the lightning network address as sensitive
>> is valuable. Revealing a network address helps reveal physical identity,
>> makes denial-of-service attacks straightforward, and gives a point of
>> entry for targetted hacking to steal your money.
>
> I guess the attacks I'm thinking of are something like:
>
> Exploits leading to theft:
>
> - if you're a merchant, it's easy to find out your lightning id (just
> buy something from you!) and during the trading day you'll probably
> have a relatively large balance in your lightning channels (up until
> you close it out by committing your profits to the blockchain eg). If
> I can find your IP address and hack into your system, I can steal
> that money.
>
> - if you're making lots of money routing payments, I might be able to
> deduce that from public information (like how cheap your fees are,
> how rarely your fees change, how many connections you have, ...)
> and thus know that you have a lot of money in lightning channels that
> I can steal
>
> - if you're just being a consumer, however, I can't think of a reason
> your lightning id would matter -- if I can snoop on your IP connection,
> I can probably tell you're mostly a consumer by traffic analysis,
> and conclude that you've probably got $10-$100 that could be
> stolen. failure of imagination on my behalf?
>
> Denial of service:
>
> - I might know the lightning id of someone I don't like; a merchant who
> sells something unpopular, or a node that routes payment for people I
> don't like. If I can translate that into an IP address, I might be
> able to DoS them using botnets etc.
>
> Exploits that help you exploit others:
>
> - if I know X has a channel with you; figuring out X's IP might let
> me monitor X's TCP connections (by hacking into their system, or
> by subpoena'ing their ISP), which in turn would help me figure out
> your IP.
>
> I guess there's three ways you can associate the info:
>
> a) given a lightning id, cheaply work out the IP that provides it
>
> b) given an IP, cheaply work out the lightning id associated with it
>
> c) given an IP and a lightning id, confirm/deny whether that lightning
> id is provided by that IP
>
> (a) is what you want if you're planning theft or DoS
>
> (c) is enough if you've got other information about whoever you want to
> attack that can narrow down the lightning ids and IP addresses (eg, you
> want to attack a local business, so you can find out their lightning id
> directly, and narrow down their IP based on local ISPs)
>
> (c) is obviously trivial if you've already got (a) or (b).
>
> You can get to (a) from (b) if (b) is cheap enough and you can build up
> a database that you can query in reverse.
>
> If you're not an attacker, then (a) is useful if you want to have new
> channels not be totally random (eg, to have people be able to connect
> to newly announced beacons). And (c) is presumably necessary if you
> want to reconnect to someone you had a channel with, when you lose your
> internet connction.
>
> One "clever" way to handle (a) might be via a "fund a new channel by
> lightning transaction" operation. ie, if you (Alice) want to open a
> channel with Bob, route a payment to Bob with instructions to forward to
> Alice, and to do that by connecting to a given IP/port and establishing
> a new channel; ie rather than just telling Bob to route to Alice in the
> onion payoad, also included Alice's network address. That way Alice
> reveals her IP precisely to Bob; and Bob only reveals his IP if he
> decides he is interested in opening a channel.
>
> That'd also provide a way of reconnecting with a peer if you lose your
> connection and both of you change your IPs. It assumes that you both
> have an alternative channel that's still functional though.
>
>
> Okay... so how about the following. When making a new p2p connection, when
> you know who you're talking to, you rely on a shared secret X, and send:
>
> Alice: "Hi. I'm <session key A>. My nonce is X."
> Bob: "Good to meet you, I'm <session key B>."
>
> Rest is encrypted to ECDH(A,B).
>
> Alice: SIG_Alice(Alice || Bob || A || ECDH(A,B))
> Bob: SIG_Bob(Bob || Alice || B || ECDH(A,B))
>
> Alice: "Hi Bob!"
> Bob: "Hi Alice!"
>
>
> If you don't know who you're talking to, you don't send a nonce and
> you do the current protocol. Once you're connected (or once you have a
> channel setup) they'll tell you a nonce to use next time:
>
> Alice: "Hi. I'm <session key A>."
> Bob: "Good to meet you, I'm <session key B>."
>
> Rest is encrypted to ECDH(A,B).
>
> Alice: I'm Alice, SIG(Alice || A || ECDH(A,B))
> Bob: I'm Bob, SIG(Bob || B || ECDH(A,B))
> Bob: BTW, next time you connect, use nonce <Y>.
>
> If Bob wants some degree of privacy, while still accepting anonymous
> connections, then he generates a new id to hand out to anonymous
> connections every so often, linking it up to one of his other ids, or
> to one of his neighbours by reusing a pre-existing channel. If you're
> asking someone to connect to you and have a bunch of ids, you give them
> a nonce to use that will select the correct one. You use nonces as a
> hash key to lookup your id, their id, and any channels you have open.
> You don't share or reuse nonces.
>
> (If an attacker knows Alice and Bob have a connection, and can MITM
> Alice trying to connect to X, the above lets them verify which of Alice's
> connections is Bob. If that's a reasonable attack, it'd be avoidable if
> the nonce X was replaced by X and Y; X sent in cleartext as above, but
> Y simply included in the info being signed. That prevents the attacker
> from being able to verify the signature info at all)
>
> Not convinced that's quite right, but maybe something along those lines
> might work out.
>
> Until there's a substantial number of lightning nodes (1000s?), it's
> probably trivial to link network address and lightning id by traffic
> analysis, so I think it's probably sane to leave implementing any of
> the above until later.
>
> Cheers,
> aj
>
> _______________________________________________
> Lightning-dev mailing list
> Lightning-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
Mats Jerratsch [ARCHIVE] /
npub1hzā¦q5x8w
2023-06-09 12:44:53
in reply to nevent1qā¦qq9p
Author Public Key
npub1hz386xq4qszumlx5fsxa3kuxpaf8qvfrqqjg8zdl2l892hrcg55q6q5x8wPublished at
2023-06-09 12:44:53Event JSON
{
"id": "e5c86d6993a8ec61320331a2f9008e831e9ba871d418864050fed6092259bdbe",
"pubkey": "b8a27d18150405cdfcd44c0dd8db860f5270312300248389bf57ce555c784528",
"created_at": 1686314693,
"kind": 1,
"tags": [
[
"e",
"3349bac3c0093cc138cf165a35e427e33b66da31c2652f9bf128f3286a54941b",
"",
"root"
],
[
"e",
"e0c2facc614292d4058c1c8dad07d274d6ec625ea6f72fda8baf547596516105",
"",
"reply"
],
[
"p",
"f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab"
]
],
"content": "š
Original date posted:2015-10-19\nš Original message:\nHm interesting. So far the IP-PubKey-Relationship was public for me\n(furthermore, I even think about adding it to the gossip protocol, see\nother post).\n\nI think we can mitigate the risks associated fairly well. Suppose\nlightning nodes run on dedicated machines, firewalled against any\nincoming connections (except ones on the lightning port).\n\nAgainst DDoS attacks it could be sufficient to just close this port as\nsoon as you are connected to all of the nodes you want to be\nconnected. Open connections are not affected by this.\n\n\nHowever, I think it will be more difficult to establish a connection\nbetween 'Real identity'-'PubKey'. And this relationship should really\nbe more sensitive. When you pay to someone, he will only provide you\nwith a rendezvous point and the onion object towards him, which is\nencrypted. Lightning nodes can always have a dedicated IP address, to\nmake it more difficult to relate merchant IP and pubkey.\n\nI think it is important to have a map of IP/PubKey for those who want\nto provide it at least. The object which relates your pubkey and IP\nwill be signed with your private key. If you never sign and send such\nan object, no one will be able to tell your IP other than your direct\nneighbors. I think though that most nodes should be able to receive\nnew connections and build channels with foreign nodes. It is a direct\nconsequence of sufficiently hardening the network against failure. If\nyou observe a high fee rate for a specific route, you should be able\nto establish new connections to help the network.\n\n\nAgainst MITM and eavesdropping your pubkey to a stranger connecting to\nyour node, we can change the protocol such that the one initiating the\nconnection always sends his signed pubkey object first. It is up to\nyou to accept it and send yours if you know the other guy or don't\ncare, or to abort the connection if you don't like strangers.\n\nCheers\nMats Jerratsch\n\n2015-10-19 7:30 GMT+02:00 Anthony Towns \u003caj at erisian.com.au\u003e:\n\u003e On Sat, Oct 17, 2015 at 06:53:55AM +1000, Anthony Towns wrote:\n\u003e\u003e I think treating the relationship between a network address (IPv4/IPv6\n\u003e\u003e addr and port, tor service) and the lightning network address as sensitive\n\u003e\u003e is valuable. Revealing a network address helps reveal physical identity,\n\u003e\u003e makes denial-of-service attacks straightforward, and gives a point of\n\u003e\u003e entry for targetted hacking to steal your money.\n\u003e\n\u003e I guess the attacks I'm thinking of are something like:\n\u003e\n\u003e Exploits leading to theft:\n\u003e\n\u003e - if you're a merchant, it's easy to find out your lightning id (just\n\u003e buy something from you!) and during the trading day you'll probably\n\u003e have a relatively large balance in your lightning channels (up until\n\u003e you close it out by committing your profits to the blockchain eg). If\n\u003e I can find your IP address and hack into your system, I can steal\n\u003e that money.\n\u003e\n\u003e - if you're making lots of money routing payments, I might be able to\n\u003e deduce that from public information (like how cheap your fees are,\n\u003e how rarely your fees change, how many connections you have, ...)\n\u003e and thus know that you have a lot of money in lightning channels that\n\u003e I can steal\n\u003e\n\u003e - if you're just being a consumer, however, I can't think of a reason\n\u003e your lightning id would matter -- if I can snoop on your IP connection,\n\u003e I can probably tell you're mostly a consumer by traffic analysis,\n\u003e and conclude that you've probably got $10-$100 that could be\n\u003e stolen. failure of imagination on my behalf?\n\u003e\n\u003e Denial of service:\n\u003e\n\u003e - I might know the lightning id of someone I don't like; a merchant who\n\u003e sells something unpopular, or a node that routes payment for people I\n\u003e don't like. If I can translate that into an IP address, I might be\n\u003e able to DoS them using botnets etc.\n\u003e\n\u003e Exploits that help you exploit others:\n\u003e\n\u003e - if I know X has a channel with you; figuring out X's IP might let\n\u003e me monitor X's TCP connections (by hacking into their system, or\n\u003e by subpoena'ing their ISP), which in turn would help me figure out\n\u003e your IP.\n\u003e\n\u003e I guess there's three ways you can associate the info:\n\u003e\n\u003e a) given a lightning id, cheaply work out the IP that provides it\n\u003e\n\u003e b) given an IP, cheaply work out the lightning id associated with it\n\u003e\n\u003e c) given an IP and a lightning id, confirm/deny whether that lightning\n\u003e id is provided by that IP\n\u003e\n\u003e (a) is what you want if you're planning theft or DoS\n\u003e\n\u003e (c) is enough if you've got other information about whoever you want to\n\u003e attack that can narrow down the lightning ids and IP addresses (eg, you\n\u003e want to attack a local business, so you can find out their lightning id\n\u003e directly, and narrow down their IP based on local ISPs)\n\u003e\n\u003e (c) is obviously trivial if you've already got (a) or (b).\n\u003e\n\u003e You can get to (a) from (b) if (b) is cheap enough and you can build up\n\u003e a database that you can query in reverse.\n\u003e\n\u003e If you're not an attacker, then (a) is useful if you want to have new\n\u003e channels not be totally random (eg, to have people be able to connect\n\u003e to newly announced beacons). And (c) is presumably necessary if you\n\u003e want to reconnect to someone you had a channel with, when you lose your\n\u003e internet connction.\n\u003e\n\u003e One \"clever\" way to handle (a) might be via a \"fund a new channel by\n\u003e lightning transaction\" operation. ie, if you (Alice) want to open a\n\u003e channel with Bob, route a payment to Bob with instructions to forward to\n\u003e Alice, and to do that by connecting to a given IP/port and establishing\n\u003e a new channel; ie rather than just telling Bob to route to Alice in the\n\u003e onion payoad, also included Alice's network address. That way Alice\n\u003e reveals her IP precisely to Bob; and Bob only reveals his IP if he\n\u003e decides he is interested in opening a channel.\n\u003e\n\u003e That'd also provide a way of reconnecting with a peer if you lose your\n\u003e connection and both of you change your IPs. It assumes that you both\n\u003e have an alternative channel that's still functional though.\n\u003e\n\u003e\n\u003e Okay... so how about the following. When making a new p2p connection, when\n\u003e you know who you're talking to, you rely on a shared secret X, and send:\n\u003e\n\u003e Alice: \"Hi. I'm \u003csession key A\u003e. My nonce is X.\"\n\u003e Bob: \"Good to meet you, I'm \u003csession key B\u003e.\"\n\u003e\n\u003e Rest is encrypted to ECDH(A,B).\n\u003e\n\u003e Alice: SIG_Alice(Alice || Bob || A || ECDH(A,B))\n\u003e Bob: SIG_Bob(Bob || Alice || B || ECDH(A,B))\n\u003e\n\u003e Alice: \"Hi Bob!\"\n\u003e Bob: \"Hi Alice!\"\n\u003e\n\u003e\n\u003e If you don't know who you're talking to, you don't send a nonce and\n\u003e you do the current protocol. Once you're connected (or once you have a\n\u003e channel setup) they'll tell you a nonce to use next time:\n\u003e\n\u003e Alice: \"Hi. I'm \u003csession key A\u003e.\"\n\u003e Bob: \"Good to meet you, I'm \u003csession key B\u003e.\"\n\u003e\n\u003e Rest is encrypted to ECDH(A,B).\n\u003e\n\u003e Alice: I'm Alice, SIG(Alice || A || ECDH(A,B))\n\u003e Bob: I'm Bob, SIG(Bob || B || ECDH(A,B))\n\u003e Bob: BTW, next time you connect, use nonce \u003cY\u003e.\n\u003e\n\u003e If Bob wants some degree of privacy, while still accepting anonymous\n\u003e connections, then he generates a new id to hand out to anonymous\n\u003e connections every so often, linking it up to one of his other ids, or\n\u003e to one of his neighbours by reusing a pre-existing channel. If you're\n\u003e asking someone to connect to you and have a bunch of ids, you give them\n\u003e a nonce to use that will select the correct one. You use nonces as a\n\u003e hash key to lookup your id, their id, and any channels you have open.\n\u003e You don't share or reuse nonces.\n\u003e\n\u003e (If an attacker knows Alice and Bob have a connection, and can MITM\n\u003e Alice trying to connect to X, the above lets them verify which of Alice's\n\u003e connections is Bob. If that's a reasonable attack, it'd be avoidable if\n\u003e the nonce X was replaced by X and Y; X sent in cleartext as above, but\n\u003e Y simply included in the info being signed. That prevents the attacker\n\u003e from being able to verify the signature info at all)\n\u003e\n\u003e Not convinced that's quite right, but maybe something along those lines\n\u003e might work out.\n\u003e\n\u003e Until there's a substantial number of lightning nodes (1000s?), it's\n\u003e probably trivial to link network address and lightning id by traffic\n\u003e analysis, so I think it's probably sane to leave implementing any of\n\u003e the above until later.\n\u003e\n\u003e Cheers,\n\u003e aj\n\u003e\n\u003e _______________________________________________\n\u003e Lightning-dev mailing list\n\u003e Lightning-dev at lists.linuxfoundation.org\n\u003e https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev",
"sig": "1f9ea4279b5603a039ac330bcab22bf4dccfb8ea53cc931da3e7889d82b4413546601496008bc45e04e7c844ce24dcc4a5a27ab09700a6e4e4e3b9fc1b3379b3"
}