* Update the secret connection spec with the use of merlin to eliminate handshake malleability
* Update spec/p2p/peer.md
Co-Authored-By: Anton Kaliaev <anton.kalyaev@gmail.com>
* Update spec/p2p/peer.md
Co-Authored-By: Anton Kaliaev <anton.kalyaev@gmail.com>
* Update spec/p2p/peer.md
Co-Authored-By: Anton Kaliaev <anton.kalyaev@gmail.com>
Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>
@ -28,22 +28,33 @@ Both handshakes have configurable timeouts (they should complete quickly).
Tendermint implements the Station-to-Station protocol
using X25519 keys for Diffie-Helman key-exchange and chacha20poly1305 for encryption.
Previous versions of this protocol suffered from malleability attacks whereas an active man
in the middle attacker could compromise confidentiality as decribed in [Prime, Order Please!
Revisiting Small Subgroup and Invalid Curve Attacks on
Protocols using Diffie-Hellman](https://eprint.iacr.org/2019/526.pdf).
We have added dependency on the Merlin a keccak based transcript hashing protocol to ensure non-malleability.
It goes as follows:
- generate an ephemeral X25519 keypair
- send the ephemeral public key to the peer
- wait to receive the peer's ephemeral public key
- create a new Merlin Transcript with the string "TENDERMINT_SECRET_CONNECTION_TRANSCRIPT_HASH"
- Sort the ephemeral keys and add the high labeled "EPHEMERAL_UPPER_PUBLIC_KEY" and the low keys labeled "EPHEMERAL_LOWER_PUBLIC_KEY" to the Merlin transcript.
- compute the Diffie-Hellman shared secret using the peers ephemeral public key and our ephemeral private key
- add the DH secret to the transcript labeled DH_SECRET.
- generate two keys to use for encryption (sending and receiving) and a challenge for authentication as follows:
- create a hkdf-sha256 instance with the key being the diffie hellman shared secret, and info parameter as
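Review bot: The spec steps as written never say that the received ephemeral public key is validated before it is fed into the transcript and the DH computation; since the cited paper is precisely about small-subgroup and invalid-curve inputs, the section should state explicitly whether the implementation rejects a low-order point (or an all-zero X25519 shared secret) or explain why binding both public keys and the DH secret into the Merlin transcript is sufficient on its own. The same paragraph also needs copy fixes: "Diffie-Helman" should be "Diffie-Hellman", "decribed" should be "described", "whereas an active man in the middle attacker" should be "where an active man-in-the-middle attacker", "the peers ephemeral public key" should be "the peer's ephemeral public key", and "We have added dependency on the Merlin a keccak based transcript hashing protocol" reads better as "We have added a dependency on Merlin, a Keccak-based transcript hashing protocol,". Finally, the step list mixes capitalization ("Sort the ephemeral keys" versus "generate an ephemeral X25519 keypair") and quotes some transcript labels ("EPHEMERAL_UPPER_PUBLIC_KEY") but not others (DH_SECRET); pick one convention so the labels can be matched against the code unambiguously.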