[WIP] Write client-side protocol doc #86
Conversation
|
TODO: Make sure to include assumptions about attacks, Tofu etc. |
arlolra
force-pushed
the
cgo-client
branch
2 times, most recently
from
3445f4f
to
953f8fd
Compare
|
|
||
| - The client sends a registration request | ||
| reg_req = (username, key) | ||
| to the server (may be validated by a registration bot; see |
There was a problem hiding this comment.
Doesn't the client actually always send its request to the bot instead of the coniks-/key-server? At least the code looks like it isn't possible that the client contacts the server directly for registration.
There was a problem hiding this comment.
There was a problem hiding this comment.
It does in our implementation, though the bot is more of an implementation detail than part of the protocol, so I want to make that distinction clear.
There was a problem hiding this comment.
We should make those lines in server.go configurable. Probably worth opening an issue.
There was a problem hiding this comment.
Thanks for the clarification @masomel!
I think, if this file describes the actual (client-)protocol implementation it should at least mention the fact that the client (currently) sends a registration request to the bot (or, indirectly to the server but through the bot).
I opened an issue as @arlolra suggested (#91)
vqhuy
force-pushed
the
cgo-client
branch
2 times, most recently
from
0cae96e
to
d36d78b
Compare
vqhuy
force-pushed
the
cgo-client
branch
7 times, most recently
from
20b83fa
to
79d547c
Compare
vqhuy
force-pushed
the
cgo-client
branch
4 times, most recently
from
6bc9486
to
0da3c98
Compare
|
I've included all of the assumptions and possible attacks on the registration protocol, but I think (a) this section is actually not specific to the client but rather about the registration protocol as a whole, and (b) really long and possibly more suitable in a separate document (maybe a wiki page?). This way, we can keep this doc specific to the client-side protocol specs. If we separate the spec from this discussion, I think this will make this doc easier to read, and we can refer the reader to the discussion about assumptions and possible attacks. What do you think? |
vqhuy
force-pushed
the
cgo-client
branch
2 times, most recently
from
118acf2
to
695ca32
Compare
I agree, I think this section should belong to the
Yes, since we also want to use this document for |
Hmm, the core registration protocol (as well as the other protocols) is actually implemented in the
That's a good idea! I hadn't considered using this documentation for |
|
My take on this is the question where the documentation should go is the following: Documentation relevant for developers, and documentation describing what the code is doing and maybe briefly describing why (assumptions etc), should go directly in the documentation of that code ( |
| that an attacker may be able to impersonate a legitimate user. This risk | ||
| is slightly mitigated by the fact that usernames in CONIKS diretories | ||
| are unique, so the legitimate user can simply register a different | ||
| username much like she would had aother legitimate user claimed her |
| outlines each of these protocols from a client perspective. | ||
|
|
||
| For the server-side specification of the CONIKS protocols, see | ||
| https://godoc.org/github.com/coniks-sys/coniks-go/server |
There was a problem hiding this comment.
| Prerequisites: This protocol requires that the client pin both the | ||
| server's public signing key for verifying signed tree roots (STRs) and | ||
| the server's initial private index verification key (i.e. the public | ||
| VRF key). We assume a separate PKI exists to manage the server's keys. |
There was a problem hiding this comment.
Why pin the VRF key? Isn't that in the policy?
We assume a separate PKI exists to manage the server's keys.
Is this sentence about TLS?
There was a problem hiding this comment.
No, this sentence isn't about TLS, though, now that you mention it, we do need to pin the server's TLS certificate as well.
I thought we had discussed needing to pin the initial VRF key, since the VRF key in the policy indicates the VRF key that will be used in the next epoch, not the current epoch. Or maybe I'm misremembering what we had decided about which VRF key is included in the policy?
There was a problem hiding this comment.
No, this sentence isn't about TLS
So then what other PKI is necessary besides the pinning? I guess this is the unresolved questions in #47 and #52.
Or maybe I'm misremembering what we had decided about which VRF key is included in the policy?
I think you're confusing the two keys. It's the next signing key that we're considering also including in the policy. The VRF corresponds to a particular epoch so doesn't require any more management.
|
|
||
| - Next, the client verifies that auth_path is a proof of absence by | ||
| checking that its private index is invalid for the username, and its | ||
| commitment is invalid for the public key it registered in reg_req. |
There was a problem hiding this comment.
its commitment is invalid for the public key it registered in reg_req.
Why that?
There was a problem hiding this comment.
This is my mistake. I thought our verification of a proof of absence also does a commitment verification.
| and verifies that str includes the recomputed root in its signature. | ||
|
|
||
| - If the registration proof is invalid, the client notifies the user. The | ||
| Developing the reporting mechanism is planned for a future release. |
| CONIKS key directory (ErrorNameExisted); the server returns a | ||
| privacy-preserving proof of inclusion in its response. (2) The server | ||
| encounters an internal error when attempting to register the name | ||
| (ErrorDirectory). |
There was a problem hiding this comment.
(2) does not seem like a valid reason for denying a registration request. It's an implementation error. I think it can be omitted here.
There was a problem hiding this comment.
Hmm yeah. If there's an implementation error, though, how can the registration request succeed? Plus, the server needs to notify the client that an error occurred in this case.
There was a problem hiding this comment.
I think what @masomel means here is more about the implementation detail, like what @liamsi said in #86 (comment)? Maybe we can use another word instead of "denied"?
There was a problem hiding this comment.
So, because this documentation is meant to be a lower-level description of the client-side protocols for developers, I think it's perfectly reasonable to include relevant implementation details, such as the fact that a registration request won't succeed if the server encounters some internal error.
Maybe "denied" isn't the right term to use in this case, but rather use "success/failure" terminology?
There was a problem hiding this comment.
Ok, at first it just felt like we're saying, your request isn't going to succeed if the program crashes, which I didn't think needed to be made explicit. But if the audience is developers, making sure they distinguish between the error types seems reasonable, since the former contain proofs that can be validated.
Thanks for clarifying.
There was a problem hiding this comment.
Yeah, I'm writing this with the expectation that the audience of our godocs will most be developers (i.e. this should be more of an API doc than a spec). This is probably something I should have made clear from the start, sorry about that!
|
This discussion got me thinking: Since this whole document I've written so far is really a spec, shouldn't it all belong in a specification document on coniks.org (much like Tor maintains spec docs [1])? This doc.go should still include a brief description of each protocol, but only enough to explain how the API is used. The details of the protocol should probably be laid out in a specification document. Thoughts? [1] https://www.torproject.org/docs/documentation.html.en#DesignDoc |
| this attack, but the need for a full prior history check upon registration | ||
| remains under discussion. | ||
|
|
||
| As mentinoed above, for performance reasons, the client does not check |
There was a problem hiding this comment.
I forgot to run the spell checker on this document :(
| the server's prior hisotry upon registering a new name. This enables | ||
| a malicious server to remove a legitimate username from the directory | ||
| and allow another user to re-register the name as the registering | ||
| client would not discover the prior existence of the name. |
There was a problem hiding this comment.
I'm not sure how comfortable I am with this paragraph. It might be better framed as the registering client not being able to tell if its name had previously been registered with the server. At present, it sounds like anyone can register any name they want, which is misleading.
There was a problem hiding this comment.
he registering client not being able to tell if its name had previously been registered with the server. At present, it sounds like anyone can register any name they want, which is misleading.
The registration protocol does allow anyone to register any name they want, and the client doesn't really bind a real-world person with an online name. It's definitely also true that the registering client cannot tell if the user's name has been previously registered. The bot/account verification protocol is what ensures that a client only registers the name its user authorizes. I'll clarify this.
| re-registration of a username. As a countermeasure, CONIKS does not | ||
| currently allow re-registration of retired usernames, | ||
| i.e. the user has deactivated and forfeit her account thereby making her | ||
| username available for use by another user. The design decision is |
There was a problem hiding this comment.
This is by policy, not design, right? We don't have any proof that a name wasn't registered in any previous epoch and then removed, otherwise all the above would be mitigated.
There was a problem hiding this comment.
Right, not allowing re-registrations is by policy, but the append-only property of the tree is by design, though. You're right, there's no proof that a name was registered and then removed, so verifying the entire prior history upon registering a new name would mitigate this issue.
| In general, the CONIKS | ||
| registration protocol cannot prevent an attacker | ||
| from registering a name before a legitimate user does, so there is a chance | ||
| that an attacker may be able to impersonate a legitimate user. This risk |
There was a problem hiding this comment.
Maybe clarify that the attacker would need to obtain control of the user's account though.
vqhuy
force-pushed
the
cgo-client
branch
2 times, most recently
from
dceec17
to
c72ef26
Compare
- Unrevised from coniks-sys/coniks-go#86
|
I've removed the registration protocol spec I started here and will continue working on it at https://github.com/coniks-sys/coniks-spec/tree/protocol-spec. I'll address reviews for 4c48f95 there. Since we're holding off on the cgo hooks for our first release, the only thing in the |
|
I think we can close this and write the documentation for |
vqhuy
force-pushed
the
cgo-client
branch
5 times, most recently
from
53a64eb
to
ff5e838
Compare
Yes, for the API documentation that pull is good candidate for the documentation. For the RFC/spec-like, more general documentation, I agree that https://github.com/coniks-sys/coniks-spec/tree/protocol-spec, is the right choice! |
Part of #82