ipfs / kubo

An IPFS implementation in Go
https://docs.ipfs.tech/how-to/command-line-quick-start/

`secio` => `multi{crypto handshake}-stream` #1503

Closed daviddias closed 5 years ago

daviddias commented 9 years ago

We've talked today about the idea to use some of the crypto libraries and wrap them around with a stream interface in order to enable cypher stream muxer connections or on a per-stream basis.

This would enable us (and other people that are interested) to pass a duplex stream with another peer, give the right arguments (depending on the type of cypher used), and wait for it to return another duplex stream, which abstracts a cyphered channel.

Initially, what we would be looking for is to have something that at least offers the same crypto handshake that WebRTC has with DTLS.

I'm not 100% sure of how secio is implemented right now; it probably already does something close to this, and if that is the case, we should abstract it to be cross-language friendly.

@dominictarr has documented the IPFS crypto stream handshake: https://github.com/auditdrivencrypto/secure-channel/blob/master/prior-art.md#ipfss-secure-channel

jbenet commented 9 years ago

> I'm not 100% sure of how secio is implemented right now; it probably already does something close to this, and if that is the case, we should abstract it to be cross-language friendly.

Yeah, it already does this. secio is implemented on top of `net.Conn`, which is the generic way to do this sort of stuff in Go. It is the equivalent of:

```go
// Sketch only: error handling and the real parameter set are omitted.
unencrypted := net.Dial(...)                        // plain net.Conn
encrypted := secio.NewSession(unencrypted, params)  // same interface, now encrypted
```

but has more ceremony around how the params are chosen, and so on.


a more important thing to consider is to just use some other well-known transport encryption protocol instead of secio altogether

whyrusleeping commented 9 years ago

> a more important thing to consider is to just use some other well-known transport encryption protocol instead of secio altogether

without saying "tls", what options do we have?

daviddias commented 9 years ago

Adding @maxogden as he is interested in having this as well.

It would be good/interesting to have DH to set up the private channel as one thing, and then have the TLS handshake to guarantee authenticity as a separate step.

A tested/proven example for the first part is what happens inside WebRTC, but I'm not able to find any nice implementations of that.

ghost commented 9 years ago

> We've talked today about the idea to use some of the crypto libraries and wrap them around with a stream interface in order to enable cypher stream muxer connections or on a per-stream basis.

SGTM!

> a more important thing to consider is to just use some other well-known transport encryption protocol instead of secio altogether

Maybe that could be piggybacked on top of multihash -- i.e. have the public key representation include a hint about how to shake hands?

> without saying "tls", what options do we have?

Caleb came up with a handshake and stream for cjdns: https://github.com/hyperboria/cjdns/blob/master/doc/Whitepaper.md#the-cryptoauth

whyrusleeping commented 9 years ago

@diasdavid @dominictarr did a writeup of our handshake: https://github.com/auditdrivencrypto/secure-channel/blob/master/prior-art.md#ipfss-secure-channel

Kubuxu commented 5 years ago

I think it isn't relevant anymore, we support multistream select before handshake and we are finalizing tls.