secret connection update #2054
secret connection update #2054
Conversation
ValarDragon
requested review from
ebuchman,
jbibla,
melekes,
xla and
zramsay
as code owners
ValarDragon
force-pushed
the
dev/secret_connection
branch
2 times, most recently
from
e5c61c3 to
88cec7a
Compare
docs/spec/p2p/peer.md
Outdated
| @@ -27,27 +27,24 @@ Both handshakes have configurable timeouts (they should complete quickly). | |||
| ### Authenticated Encryption Handshake | |||
|
|
|||
| Tendermint implements the Station-to-Station protocol | |||
| using ED25519 keys for Diffie-Helman key-exchange and NACL SecretBox for encryption. | |||
| using Ed25519 keys for Diffie-Helman key-exchange and chacha20poly1305 for encryption. | |||
There was a problem hiding this comment.
The Montgomery keys are typically referred to as x25519
There was a problem hiding this comment.
Good catch! Thanks
docs/spec/p2p/peer.md
Outdated
| It goes as follows: | ||
| - generate an emphemeral ED25519 keypair | ||
| - generate an emphemeral Ed25519 keypair |
Codecov Report
@@ Coverage Diff @@
## develop #2054 +/- ##
===========================================
+ Coverage 62.69% 62.72% +0.02%
===========================================
Files 215 215
Lines 17377 17323 -54
===========================================
- Hits 10895 10865 -30
+ Misses 5586 5570 -16
+ Partials 896 888 -8
|
p2p/conn/secret_connection.go
Outdated
| type SecretConnection struct { | ||
| conn io.ReadWriteCloser | ||
| recvBuffer []byte | ||
| recvNonce *[24]byte | ||
| sendNonce *[24]byte | ||
| recvNonce *[chacha20poly1305.NonceSize]byte |
p2p/conn/secret_connection.go
Outdated
| sendNonce *[24]byte | ||
| recvNonce *[chacha20poly1305.NonceSize]byte | ||
| sendNonce *[chacha20poly1305.NonceSize]byte | ||
| recvSecret *[chacha20poly1305.KeySize]byte |
p2p/conn/secret_connection.go
Outdated
| io.ReadFull(hkdf, res[:]) | ||
|
|
||
| challenge = new([32]byte) | ||
| recvSecret = new([32]byte) |
There was a problem hiding this comment.
My concern with aeadKeySize in this function was that it made something relatively simple suddenly seem fairly complicated. (I changed it here, and changed it back before committing)
I guess I could just add more comments to explain whats going on though, so it should hopefully be clear.
p2p/conn/secret_connection.go
Outdated
|
|
||
| // Implements net.Conn | ||
| // SecretConnection implements net.conn. | ||
| // It is (meant to be) an implementation of the STS protocol. |
There was a problem hiding this comment.
Is it or is it really only meant to be?
| }, | ||
| func(_ int) (val interface{}, err error, abort bool) { | ||
| var _remEphPub [32]byte | ||
| var _, err2 = cdc.UnmarshalBinaryReader(conn, &_remEphPub, 1024*1024) // TODO | ||
| if err2 != nil { | ||
| return nil, err2, true // abort | ||
| } else { | ||
| return _remEphPub, nil, false |
There was a problem hiding this comment.
It's a bit odd that the named returns are never used in this method. Do you mind removing these (or use them)?
There was a problem hiding this comment.
I'd prefer to keep as is. The return values are needed for the interface which cmn.parallel requires. The code is much harder to read without named returns, and this isn't something which golint objects to.
Without both of these named returns, this gets pretty confusing I think.
p2p/conn/secret_connection.go
Outdated
| hkdf := hkdf.New(hash, dhSecret[:], nil, []byte("TENDERMINT_SECRET_CONNECTION_KEY_AND_CHALLENGE_GEN")) | ||
| // get enough data for 2 aead keys, and a 32 byte challenge | ||
| res := new([2*aeadKeySize + 32]byte) | ||
| io.ReadFull(hkdf, res[:]) |
There was a problem hiding this comment.
Do not skip the error here, or, explain why we can assume that no error can happen:
https://golang.org/pkg/io/#ReadFull
ValarDragon
force-pushed
the
dev/secret_connection
branch
from
99c42e7 to
49bae51
Compare
Generate keys with HKDF instead of hash functions, which provides better security properties. Add xchacha20poly1305 to secret connection. (Due to rebasing, this code has been removed)
This now uses one hkdf on the X25519 shared secret to create a key for the sender and receiver. The hkdf call is now just called upon the computed shared secret, since the shared secret is a function of the pubkeys. The nonces now start at 0, as we are using chacha as a stream cipher, and the sender and receiver now have different keys.
xla
force-pushed
the
dev/secret_connection
branch
from
0cbdfc9 to
7bf28af
Compare
This PR updates secret connection to remove the ripemd primitive, and the salsa primitive. This gives us a resulting secret connection that looks alot more
noiselike.This switches the sender and receiver to use different keys, similar to what noise does. We now use a single hkdf-sha2 invocation on the diffie hellman secret to generate the two keys and a challenge.
Closes #2039