Handle recent security additions to attestation.jar in Authenticator

SmartTokenLabs / attestation

Paper and implementation of blockchain attestations

MIT License

48 stars 10 forks source link

Handle recent security additions to attestation.jar in Authenticator #258

Closed jot2re closed 2 years ago

jot2re commented 2 years ago

In PR #248 I have added several security enhancements to the attestation.jar. Since we are currently using Authenticator as the Heroku backend app, these should also be implemented in Authenticator.

In general this task is about getting the Authenticator code up-to-date with attestation.jar.

In particular the only classes that seems to be strictly relevant to update is ProofOfExponent, FullProofOfExponent, UsageProofOfExponent, SignaturUtility and AttestationCrypto.

This issue also handles the problem Curve points are not validated in token-negotiator as discussed in section 2.2.2 in The NFT minting security report. See Jira issue 291

oleggrib commented 2 years ago

Hi, @jot2re , this PR is bit challenging to implement with JS it use some methods, which I dont know how to implement with JS examples:

point.normalize()
new HMacDSAKCalculator(new KeccakDigest(256))
normalizedPoint.getAffineXCoord()

can you help me?

jot2re commented 2 years ago

Of course! First of all I can say that things don't look super complex when it comes to TS. Basically the way you have implemented elliptic curve arithmetic is using affine coordinates... This basically means that you have implemented as anyone new would expect it to be implemented; as an x and y coordinate where the y coordinate is computed as y^2=x^3+ax+b. This means that the x and y in a Point object is already normalised and in the affine form. So hose can be used directly.

In relation to HMacDSAKCalculator I cannot see where anything new is done with this? It is only used to compute a deterministic signature based on the standard of EIP 2, which is what the TS code has been doing since the beginning using some web3 libraries.

jot2re commented 2 years ago

Let me try to implement a draft of validatePointToCurve, then maybe you can adjust and fix the appropriate places to call it?

jot2re commented 2 years ago

I have made a new branch off PR #248 and tried to implement what I think should happen in validatePointToCurve. Is this sufficient for you to continue with, or should I try to implement some other code segments as well?

jot2re commented 2 years ago

Closed with the merge of PR #248