filecoin-project / specs

The Filecoin protocol specification
https://spec.filecoin.io

Include type/domain information when signing messages #964

Open Stebalien opened 4 years ago

Stebalien commented 4 years ago

Currently, we just sign raw bytes. This means a message signed in one context can be used in any context.

If you take a look at the TLS and Noise libp2p transports, you'll notice that they sign `some-protocol-name:<message bytes>`. Then, when verifying, we call `Verify(author, "some-protocol-name", message_bytes, signature)`. This way, if someone passes us a message we don't expect in this context, verification will fail.

Note: for performance, we don't include `some-protocol-name:` in the actual message, we just prepend it when signing/verifying. I strongly recommend that you follow the same syntax to be consistent with the rest of libp2p. Otherwise, re-using the same key for libp2p & Filecoin would be insecure (ideally users wouldn't do this anyways but...).
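The prefix-at-sign-time scheme described above, as an added example that is not code from the issue or from libp2p/Filecoin: the domain tag is prepended only inside the signing and verification calls, so the wire message stays unchanged, and a signature produced for one context fails to verify in another. The tags `filecoin-message` and `filecoin-vrf` are assumed names for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// domainSeparated builds "<domain>:<msg>" in memory for signing only; the
// prefix is never sent on the wire. Domain tags must not contain ':' so the
// split between tag and message stays unambiguous.
func domainSeparated(domain string, msg []byte) []byte {
	out := make([]byte, 0, len(domain)+1+len(msg))
	out = append(out, domain...)
	out = append(out, ':')
	return append(out, msg...)
}

// SignInDomain signs msg bound to a specific context.
func SignInDomain(priv ed25519.PrivateKey, domain string, msg []byte) []byte {
	return ed25519.Sign(priv, domainSeparated(domain, msg))
}

// VerifyInDomain accepts sig only if it was produced for the same domain.
func VerifyInDomain(pub ed25519.PublicKey, domain string, msg, sig []byte) bool {
	return ed25519.Verify(pub, domainSeparated(domain, msg), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample message") // constructed input
	sig := SignInDomain(priv, "filecoin-message", msg)

	fmt.Println("same context:  ", VerifyInDomain(pub, "filecoin-message", msg, sig)) // true
	fmt.Println("other context: ", VerifyInDomain(pub, "filecoin-vrf", msg, sig))     // false
	fmt.Println("raw bytes:     ", ed25519.Verify(pub, msg, sig))                     // false
}
```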

Stebalien commented 4 years ago

cc @anorth we can't drop this.

Kubuxu commented 4 years ago

Huge :+1: from me; it was bothering me for a while.

We have two critical contexts here: message and VRF.

nicola commented 4 years ago

I am not familiar with the way that libp2p handles this, but we do use domain separation in many other parts of the protocol (e.g. randomness generation and, to my understanding, VRF too). We should definitely prefix them by "filecoin-protocol" or similar.

We will investigate whether we need further domain separations to distinguish in filecoin itself and check if the domain separation tags that we believe are in the spec are actually in use.

nikkolasg commented 4 years ago

There is a DST for all VRFs usage I believe already - not sure about signatures on messages / transactions.

Kubuxu commented 4 years ago

There is a DST, but it is a VRF-level DST. We need a DST at the signing level so that VRF, BlockSignature and MessageSignature cannot be mangled together.