Open dnkolegov opened 3 years ago
Thanks @dnkolegov - I think you're correct, and it's likely a result of my flawed understanding of Noise when we were speccing this out.
It seems like the simplest way to fix this without drastically rewriting the protocol would be to mandate that the "static" noise key be truly ephemeral, instead of allowing it to be reused between sessions.
Hi @yusefnapora.
It seems like the simplest way to fix this without drastically rewriting the protocol would be to mandate that the "static" noise key be truly ephemeral
I think that's correct.
Another mitigation could be using a peer's ephemeral public key (re
) as an unpredictable challenge in signing data = "noise-libp2p-static-key : " || re || s
. This is not a "drastically rewriting", but it will require changing the code a little bit.
Another mitigation could be using a peer's ephemeral public key (re) as an unpredictable challenge in signing data = "noise-libp2p-static-key : " || re || s. This is not a "drastically rewriting", but it will require changing the code a little bit.
I think this is the only real mitigation, the the "static" noise key be truly ephemeral,
wouldn't really mitigate the impersonation issue as described by @dnkolegov.
If an attacker is able to sign a static public key once then they will be able to impersonate the identity key owner forever. This may occur if the attacker has temporary access to a signing module, or if the static key is otherwise compromised.
Libp2p-noise extends the original Noise XX pattern in the following way:
payload = Sig(id, s)
, whereid
is the sender's identity private key ands
is the senders's static public key.That said, the signature is computed over the sender's static public key without any input from the corresponding peer. So, the used static key authentication mechanism violates the basic authenticated key agreement protocol design principle:
Ephemeral leakage should not allow for long-term impersonation
.The initiator does not provide any challenge (e.g., ephemeral key) for signing and sender always signs its static key without any random input from the peer. Actually, the sender just prooves that he or she has a signature over the static public key, but not access to the identity private key. For example, if an attacker finds a triple
(s_pub, s_priv, Sig(id, s_pub))
for the identity keyid
of the target user then he or she will be able to impersonate that user without any limitation in future.