What is Yggdrasil security threat model?

yggdrasil-network / yggdrasil-go

An experiment in scalable routing as an encrypted IPv6 overlay network

https://yggdrasil-network.github.io

Other

3.44k stars 238 forks source link

What is Yggdrasil security threat model? #719

Open zhoreeq opened 4 years ago

zhoreeq commented 4 years ago

Can applications with sensitive information theoretically run on top of Yggdrasil without any additional TLS? For example, a banking system.

neilalexander commented 4 years ago

The technical answer is yes, all session traffic that flows across the network is end-to-end encrypted. Therefore even plain HTTP traffic is still encrypted in transit across the network. We use Go's NaCl box implementation to do that.

The sensible answer is, of course, that Yggdrasil has not been formally audited so building an application around it would be at your own risk.

zhoreeq commented 4 years ago

Maybe some security experts could enlighten us about certificate management/revoking requirements which TLS has and Yggdrasil doesn't?

ghost commented 4 years ago

I'm not exactly a security expert, but I can think of two concerns:

Authentication. TLS certificates aren't just necessary to encrypt traffic, but also to prove that you're connected to the right server. I don't doubt the NaCl box library can provide this, but it might take some work to figure out how to fit it together.
Forward secrecy. In modern versions of TLS with modern algorithms, you can get the property that even if an attacker records the request and response and later compromises the server's private key, they still can't read it because the request and response were never actually encrypted with the long-term private key, only with ephemeral keys, which were signed by it and then discarded after use. I don't know if Yggdrasil provides this.

If these can be solved, I'll be thrilled.

jgoerzen commented 2 years ago

Does it still use NaCl and do we know if it has PFS?

eqn-group commented 2 years ago

I'm not exactly a security expert, but I can think of two concerns:

Forward secrecy. In modern versions of TLS with modern algorithms, you can get the property that even if an attacker records the request and response and later compromises the server's private key, they still can't read it because the request and response were never actually encrypted with the long-term private key, only with ephemeral keys, which were signed by it and then discarded after use. I don't know if Yggdrasil provides this.

yggdrasil has base end-to-end encryption between source-destination, if you want forward secrecy you use TLS certificate in your server (or website). so you get another layer of encryption which is independent from base layer encryption provided by yggdrasil