From rusty at rustcorp.com.au Wed Oct 21 01:11:45 2015
From: rusty at rustcorp.com.au (Rusty Russell)
Date: Wed, 21 Oct 2015 11:41:45 +1030
Subject: [Lightning-dev] daemon/p2p protocol
In-Reply-To: <20151019220909.GB18268@navy>
References: <20151016205355.GA18796@navy> <20151019053003.GB19146@navy> <20151019220909.GB18268@navy>
Message-ID: <87eggpf2jy.fsf@rustcorp.com.au>

Anthony Towns writes:
> On Mon, Oct 19, 2015 at 10:51:52AM +0200, Mats Jerratsch wrote:
>> Hm interesting. So far the IP-PubKey-Relationship was public for me
>> (furthermore, I even think about adding it to the gossip protocol, see
>> other post).
>
> Yeah, it's definitely easier to think about that way.
>
>> I think we can mitigate the risks associated fairly well. Suppose
>> lightning nodes run on dedicated machines, firewalled against any
>> incoming connections (except ones on the lightning port).
>
> (I don't think lightning wallets can realistically run on dedicated
> machines/IPs; so that makes a significant distinction between wallets
> for consumers and nodes for routing/merchants I think)
>
>> Against MITM and eavesdropping your pubkey to a stranger connecting to
>> your node, we can change the protocol such that the one initiating the
>> connection always sends his signed pubkey object first.
>
> I don't think that works -- if you can MITM Alice and Bob, then you just do
> that while they're in the middle of a connection. When Alice reconnects,
> she immediately tells you who she is. If Bob tries reconnecting as well,
> you find out who he is too. Sending a shared secret nonce instead,
> then just sending signatures avoids that; either one can re-establish
> the connection if they can actually talk, and if there's a MITM they
> reveal nothing, but do discover they can't talk.

Having a session nonce does help after first handshake, though it allows
correlation, so it needs to change (pretty trivial, it could just be
sha256() of some shared secret plus a number which increments on each
successful handshake).

In practice I think "successful handshake" is a bit vague, so may
require allowing +/- 1 nonce. I'd have to think harder about this
though.

Is this overcomplicating things?

Coffee....
Rusty.
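
Added example, not part of the original message: a sketch of the rotating session nonce described in the reply above, sha256 over a shared secret plus a counter that increments on each successful handshake, with the receiving side tolerating a counter that is off by one. The class and function names, the 8-byte counter encoding and the resync rule are assumptions made for illustration.

```python
import hashlib
import hmac


def session_nonce(shared_secret: bytes, counter: int) -> bytes:
    """sha256(shared secret || counter); the 8-byte big-endian encoding is an assumption."""
    return hashlib.sha256(shared_secret + counter.to_bytes(8, "big")).digest()


class Peer:
    """One side of a channel; both sides start from the same secret and counter."""

    def __init__(self, shared_secret: bytes, counter: int = 0):
        self.secret = shared_secret
        self.counter = counter  # handshakes this side counts as successful

    def offer(self) -> bytes:
        """Nonce the reconnecting side sends first, instead of its pubkey."""
        return session_nonce(self.secret, self.counter)

    def accept(self, nonce: bytes) -> bool:
        """Accept counter-1, counter or counter+1, then resync to the match + 1."""
        for c in (self.counter - 1, self.counter, self.counter + 1):
            if c >= 0 and hmac.compare_digest(nonce, session_nonce(self.secret, c)):
                self.counter = c + 1
                return True
        return False  # unknown peer or MITM: nothing further is revealed

    def handshake_done(self) -> None:
        """The initiator's view of a successful handshake."""
        self.counter += 1


def demo() -> dict:
    secret = b"constructed-shared-secret"  # constructed sample value
    alice, bob = Peer(secret), Peer(secret)
    first = alice.offer()
    ok1 = bob.accept(first)      # Bob counts a success, his counter becomes 1
    # Alice never sees Bob's reply, so her counter stays at 0.
    ok2 = bob.accept(alice.offer())  # matches Bob's counter-1; Bob stays at 1
    alice.handshake_done()       # Alice reaches 1, both sides agree again
    return {
        "ok1": ok1, "ok2": ok2, "in_sync": alice.counter == bob.counter,
        "nonce_changed": alice.offer() != first,  # successive nonces differ
        "stranger": bob.accept(Peer(b"other-secret").offer()),
        "too_old": Peer(secret, 5).accept(session_nonce(secret, 3)),
    }
```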