Signed wallet messages can be forged #4878
Comments
|
Should we change the signing method in Tari crypto to bind the public nonce regardless? This would remove a bunch of footguns where people don't realise that the challenge is expected to already include whatever you're binding to it. And the way to implement this is to add an additional method, so as not to break existing clients, and deprecate the current method (which would throw a warning when compiling code using the current method) |
|
Do you mean keep the same API (where the caller provides a challenge) but then modify the challenge in some way to additionally bind to the transcript data? I don't see a real advantage to that versus abstracting away the challenge entirely, if use cases permit. Binding the public key is important to avoid another type of forgery, where the attacker is able to forge messages on keys that it cannot control directly. That is, any particular forgery would then yield a verifying public key that the attacker can't choose in advance. |
|
After discussion, looks like the strategy will be twofold. First up will be to update the wallet sign and verify functions to properly handling transcripting by:
This will break any existing signatures, but that's a good thing! Any existing signatures could have been trivially forged and should be rejected by the verifier; this will happen automatically because of the hash function properties. Next up will be to add a new API for safer handling of signatures, where the caller has no control over the robotic innards. This will add a new |
|
Sorely needed, there are at least 2 cases where I've abstracted challenge construction w.r.t the nonce and public key for specific cases, just for reference. https://github.com/tari-project/tari/blob/development/comms/dht/src/message_signature.rs The only case we have where it is valid to construct a potentially invalid signature is when constructing a signature from a network message for verification purposes. This is currently a <public nonce, sig scalar> pair constructed as: let signature = Signature::new(msg.R, msg.s);Ideally, we would encode and decode the signature as one binary blob, but this would break any message with a signature and be a larger refactor. let signature = Signature2_0::from_bytes(&msg.signature).unwrap();
signature.verify(challenge)I think we want to avoid |
stringhandler
added
S-high-severity
|
The new API being developed in this PR from |
|
Removed the offending code in #4891 but will leave this open until the pr is merged in tari-crypto |
|
You'll still intend to create new versions of these functions that wrap the |
|
Can I close this? |
|
The offending methods have been removed from the wallet. All of the current places in the wallet that sign transactions are aggregate signatures of the kernel, so the nonce is pre-determined and needs to use |
Sounds good. I suppose the remaining task is just a chore to migrate existing |
The wallet permits signing of arbitrary messages, and verification of message signatures. These functions are wrappers for Schnorr signature functionality in the
tari-cryptocrate.However, these signatures can be trivially forged, such that an attacker can generate valid signatures for any public key on messages of its choice. The challenge generated for the signature instance binds only to the message, and not to the public key or public nonce. As a result, an attacker in possession of only the public key and any message can sample the response
svalue at random, and then simply solve the verification equation for the public nonce.The correct approach for Schnorr challenge generation is to bind to the public key, public nonce, and message. The new hashing API should be used for this purpose, as it takes additional steps to ensure this binding is done correctly.
The text was updated successfully, but these errors were encountered: