Return-Path: <dev@jonasschnelli.ch>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 8400C958
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Mon,  8 Aug 2016 15:00:59 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.7.6
Received: from server3 (server3.include7.ch [144.76.194.38])
	by smtp1.linuxfoundation.org (Postfix) with ESMTP id C80771E8
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Mon,  8 Aug 2016 15:00:57 +0000 (UTC)
Received: by server3 (Postfix, from userid 115)
	id 78E6B2E60572; Mon,  8 Aug 2016 17:00:56 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, FSL_HELO_NON_FQDN_1
	autolearn=ham version=3.3.1
Received: from Jonass-MacBook-Pro-2.local (84-73-208-41.dclient.hispeed.ch
	[84.73.208.41]) by server3 (Postfix) with ESMTPSA id 7CC1D2D0073A
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Mon,  8 Aug 2016 17:00:55 +0200 (CEST)
To: Bitcoin development mailing list <bitcoin-dev@lists.linuxfoundation.org>
From: Jonas Schnelli <dev@jonasschnelli.ch>
Message-ID: <57A89EA3.4020101@jonasschnelli.ch>
Date: Mon, 8 Aug 2016 17:00:51 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0)
	Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature";
	boundary="GpdrVq6O2WETTiWevj0IRHwD3AKIoLnBv"
Subject: [bitcoin-dev] Authentication BIP
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Aug 2016 15:00:59 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--GpdrVq6O2WETTiWevj0IRHwD3AKIoLnBv
Content-Type: multipart/mixed; boundary="iJskBjT1IfA1cnmdVb5cbRKIV295IoGWQ"
From: Jonas Schnelli <dev@jonasschnelli.ch>
To: Bitcoin development mailing list <bitcoin-dev@lists.linuxfoundation.org>
Message-ID: <57A89EA3.4020101@jonasschnelli.ch>
Subject: Authentication BIP

--iJskBjT1IfA1cnmdVb5cbRKIV295IoGWQ
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hi

As already mentioned in the recent BIP151 thread
(https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2016-June/012826=
=2Ehtml),
I propose the following authentication scheme to basically allow MITM
detection and rejection in conjunction with BIP151.

The proposed authentication BIP does require BIP151.

The propose BIP does assume, node operators want to build trusted
connections for various reasons.

BIPs mediawiki github page available here:
https://github.com/bitcoin/bips/compare/master...jonasschnelli:2016/07/au=
th_bip?expand=3D1

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D

  BIP: ???
  Title: Peer Authentication
  Author: Jonas Schnelli <dev@jonasschnelli.ch>
  Status: Draft
  Type: Standards Track
  Created: 2016-03-23

=3D=3D Abstract =3D=3D

This BIP describes a way how peers can authenticate =E2=80=93 without ope=
ning
fingerprinting possibilities =E2=80=93 to other peers to guarantee owners=
hip
and/or allowing to access additional or limited services.

=3D=3D Motivation =3D=3D

We assume peer operators want to limit the access of different services
or increase datastream priorities to a selective subset of peers. Also
we assume peers want to connect to specific peers to broadcast or filter
transactions (or similar action that reveals sensitive informations) and
therefore they want to authenticate the remote peer and make sure that
they have not connected to a MITM.

Benefits with peer authentication:
* Peers could detect MITM attacks when connecting to known peers
* Peers could allow resource hungry transaction filtering only to
specific peers
* Peers could allow access to sensitive information that can lead to
node fingerprinting (fee estimation)
* Peers could allow custom message types (private extensions) to
authenticated peers

A simple authentication scheme based on elliptic cryptography will allow
peers to identify each other and selective allow access to restricted
services or reject the connection if the identity could not be verified.

=3D=3D Specification =3D=3D

The authentication scheme proposed in this BIP uses ECDSA, ___secrets
will never be transmitted___.

___Authentication initialization must only happen if encrypted channels
have been established (according to BIP-151 [1]).___

The ___encryption-session-ID___ is available once channels are encrypted
(according to BIP-151 [1]).

The identity-public-keys used for the authentication must be pre-shared
over a different channel (Mail/PGP, physical paper exchange, etc.). This
BIP does not cover a "trust on first use" (TOFU) concept.

The authentication state must be kept until the encryption/connection
terminates.

Only one authentication process is allowed per connection.
Re-authenticate require re-establishing the connection.

=3D=3D=3D Known-peers and authorized-peers database =3D=3D=3D
Each peer that supports p2p authentication must provide two users
editable "databases"

# ___known-peers___ contains known identity-public-keys together with a
network identifier (IP & port), similar to the "known-host" file
supported by openssh.
# ___authorized-peers___ contains authorized identity-public-keys

=3D=3D=3D Local identity key management =3D=3D=3D
Each peer can configure one identity-key (ECC, 32 bytes) per listening
network interface (IPv4, IPv6, tor).
The according identity-public-key can be shared over a different channel
with other node-operators (or non-validating clients) to grant
authorized access.

=3D=3D=3D Authentication procedure =3D=3D=3D
Authentication after this BIP will require both sides to authenticate.
Signatures/public-keys will only be revealed if the remote peer could
prove that they already know the remote identity-public-key.

# -> Requesting peer sends `AUTHCHALLENGE` (hash)
# <- Responding peer sends `AUTHREPLY` (signature)
# -> Requesting peer sends `AUTHPROPOSE` (hash)
# <- Responding peer sends `AUTHCHALLENGE` (hash)
# -> Requesting peer sends `AUTHREPLY` (signature)

For privacy reasons, dropping the connection or aborting during the
authentication process must not be possible.

=3D=3D=3D `AUTHCHALLENGE` message =3D=3D=3D
A peer can send an authentication challenge to see if the responding
peer can produce a valid signature with the expected responding peers
identity-public-key by sending an `AUTHCHALLENGE`-message to the remote
peer.

The responding peer needs to check if the hash matches the hash
calculated with his own local identity-public-key. Fingerprinting the
requesting peer is not possible.

32bytes challenge-hash `hash(encryption-session-ID || challenge_type ||
remote-peers-expected-identity-public-key)`

`challenge_type` is a single character. `i` if the
`AUTHCHALLENGE`-message is the first, requesting challenge or `r` if
it's the second, remote peers challenge message.

=3D=3D=3D `AUTHREPLY` message =3D=3D=3D
A peer must reply an `AUTHCHALLENGE`-message with an `AUTHREPLY`-message.=



| 64bytes || signature || normalized comp.-signature || A signature of
the encryption-session-ID done with the identity-key


If the challenge-hash from the `AUTHCHALLENGE`-message did not match the
local authentication public-key, the signature must contain 64bytes of
zeros.

The requesting peer can check the responding peers identity by checking
the validity of the sent signature against with the pre-shared remote
peers identity-public-key.

If the signature was invalid, the requesting peer must still proceed
with the authentication by sending an `AUTHPROPOSE`-message with 32
random bytes.

=3D=3D=3D `AUTHPROPOSE` message =3D=3D=3D
A peer can propose authentication of the channel by sending an
`AUTHPROPOSE`-message to the remote peer.

If the signature sent in `AUTHREPLY` was invalid, the peer must still
send an `AUTHPROPOSE`-message containing 32 random bytes.

The `AUTHPROPOSE` message must be answered with an
`AUTHCHALLENGE`-message =E2=80=93 even if the proposed requesting-peers
identity-public-key has not been found in the authorized_peers database.
In case of no match, the responding `AUTHCHALLENGE`-message must
contains 32 bytes of zeros.


| 32bytes || auth-propose-hash || hash || `hash(encryption-session-ID


=3D=3D Post-Authentication Re-Keying =3D=3D

After the second `AUTHREPLY` message (requesting peers signature ->
responding peer), both clients must re-key the symmetric encryption
according to BIP151 while using ___a slightly  different re-key key
derivation hash___.

They both re-key with `hash(encryption-session-ID ||
old_symmetric_cipher_key || requesting-peer-identity-public-key ||
responding-peer-identity-public-key)`

=3D=3D Identity-Addresses =3D=3D
The peers should display/log the identity-public-key as an
identity-address to the users, which is a base58-check encoded
ripemd160(sha256) hash. The purpose of this is for better visual
comparison (logs, accept-dialogs).
The base58check identity byte is `0x0F` followed by an identity-address
version number (=3D`0xFF01`).

An identity address would look like
`TfG4ScDgysrSpodWD4Re5UtXmcLbY5CiUHA` and can be interpreted as a remote
peers fingerprint.

=3D=3D Compatibility =3D=3D

This proposal is backward compatible. Non-supporting peers will ignore
the new `AUTH*` messages.

=3D=3D Example of an auth interaction =3D=3D

Before authentication (once during peer setup or upgrade)
# Requesting peer and responding peer create each an identity-keypair
(standard ECC priv/pubkey)
# Requesting and responding peer share the identity-public-key over a
different channel (PGP mail, physical exchange, etc.)
# Responding peer stores requesting peers identity-public-key in its
authorized-peers database (A)
# Requesting peer stores responding peers identity-public-key in its
known-peers database together with its IP and port (B)

Encryption
# Encrypted channels must be established (according to BIP-151 [1])

Authentication
# Requesting peer sends an `AUTHCHALLENGE` message
  AUTHCHALLENGE:
    [32 bytes, hash(encryption-session-ID || "i" ||
<remote-peers-expected-identity-public-key>)]

# Responding peer does create the same hash `(encryption-session-ID ||
"i" || <remote-peers-expected-identity-public-key>)` with its local
identity-public-key
# If the hash does not match, response with an `AUTHREPLY` message
containing 64bytes of zeros.
# In case of a match, response with an `AUTHREPLY` message
  AUTHREPLY:
    [64 bytes normalized compact ECDSA signature (H)] (sig of the
encryption-session-ID done with the identity-key)

# Requesting peer does verify the signature with the
`remote-peers-identity-public-key`
# If the signature is invalid, requesting peer answers with an
`AUTHREPLY` message containing 32 random bytes
# In case of a valid signature, requesting peer sends an `AUTHPROPOSE`
message
  AUTHPROPOSE:
    [32 bytes, hash(encryption-session-ID || "p" ||
<client-identity-public-key>)]

# Responding peer iterates over authorized-peers database (A), hashes
the identical data and looks for a match.
# If the hash does not match, responding peer answer with an
`AUTHCHALLENGE` message containing 32 bytes of zeros.
# In case of a match, responding peer sends an `AUTHCHALLENGE` message
with the hashed client public-key
  AUTHCHALLENGE:
    [32 bytes, hash(encryption-session-ID || "r" ||
<client-identity-public-key>)]
# Requesting peer sends an `AUTHREPLY` message containing 64 bytes of
zeros if server failed to authenticate
# Otherwise, response with signature in the `AUTHREPLY` message
  AUTHREPLY:
    [64 bytes normalized compact ECDSA signature (H)] (sig of the
encryption-session-ID done with the identity-key)
# Responding peer must verify the signature and can grant access to
restricted services.
# Both peers re-key the encryption after BIP151 including the
requesting-peer-identity-public-key and responding-peer-identity-public-k=
ey

=3D=3D Disadvantages =3D=3D

The protocol may be slow if a peer has a large authorized-peers database
due to the requirement of iterating and hashing over all available
authorized peers identity-public-keys.

=3D=3D Reference implementation =3D=3D

=3D=3D References =3D=3D

* [1] [[bip-0151.mediawiki|BIP 151: Peer-to-Peer Communication Encryption=
]]

=3D=3D Acknowledgements =3D=3D
* Gregory Maxwell and Pieter Wuille for most of the ideas in this BIP.

=3D=3D Copyright =3D=3D
This work is placed in the public domain.







--iJskBjT1IfA1cnmdVb5cbRKIV295IoGWQ--

--GpdrVq6O2WETTiWevj0IRHwD3AKIoLnBv
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJXqJ6kAAoJECnUvLZBb1PsB+8QALZxfv6o2F9IHei/13CITaAZ
2ytKTRa5mBuw1XVBBaBKKs4xPvHEjY1+6CM3X2Oxysy/WJIyzEIJSyhuvrEx+ZDx
zLqMEPMTTduIZVvILrQ2398uPHjE1d9tlH/7S9JCwxtG0i9h9XGagL9lJTvKAiCy
wqXTiJVW1RgTMVL9AtEB4F058nrEGRAlbA+6MOQsdso9qtlpXEbeF41+YnaViyxa
ozuJZW/hmow3A0ldEz7r84GIZ+HTQRwUn/lPIuGhFVPBrolbrcmWheqVPmukvCu1
EwUmHG4WYK/WrcA7E0uyoJj9ARy9uGqPikKzaIBgp0ljFwbsZI1RXVini6zQ5Co+
UFgu2y9b8SrdEKKQ7MvrtiP+JeobP/u7ATGteQZgxWtliyNnQ2byZObzVUv2gOyv
c9oFjray/IluYzPaByqnGTTqNqxZevmz7pzDbCCO/m8L9MpwXHOsM22EnO/D00MC
keUeE3EWPC4DxnFXbJosTJTVMGRfZvSmondupTBSMF7oZj12pbrzWA+nSXgvfcUp
XVDpNor8tV4aiRNlA59bHJ8RrDuGl7bKa8xaleOuZ1gt2ZZN5Wn5BKVGSMNUNjSL
6mgiq0S8aRMzpC20PmFbO0zUWpM+oT3WLUFkoDbsV7xoUV9/axPgmHN4jJV8UNOe
/QDm3oglX1EVrZF2l+lO
=fU1B
-----END PGP SIGNATURE-----

--GpdrVq6O2WETTiWevj0IRHwD3AKIoLnBv--