Cryptography Details
Draft
The cryptographic library used in KadNode is libsodium (a NaCl fork).
The secret/public key pair is generated by the crypto_sign_keypair method.
Authentication is the task of verifying that a node is in possession of a specific secret key.
To do this, we send a random 16-byte string, the challenge, to the IP address and DHT port of the node that we want to authenticate.
"AUTH" (4 Bytes) + ID (20 Bytes) + 16 Bytes (Challenge)
We expect the node to send back the challenge, signed (crypto_sign) with its own secret key.
"AUTH" (4 Bytes) + ID (20 Bytes) + >16 Bytes (signed challenge)
If we can verify and open (crypto_sign_open) the message and get our random challenge back, then we have verified that the other node has the secret key.
We send the challenge a few times before giving up.
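The exchange described above, as an added example in Go; it is not KadNode's own code, which uses libsodium from C. It swaps in the standard crypto/ed25519 package and lays the reply out as signature followed by challenge, the combined layout crypto_sign produces. The function names are hypothetical, and the challenger is assumed to already hold the node's public key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

const hdrLen, chalLen, sigEnd = 24, 16, 24 + ed25519.SignatureSize // "AUTH"+ID header, challenge, end of signature

// NewChallenge builds the request "AUTH" + ID + 16 random bytes.
func NewChallenge(id [20]byte) []byte {
	c := make([]byte, chalLen)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return append(append([]byte("AUTH"), id[:]...), c...)
}

// Respond returns "AUTH" + ID + signature||challenge (crypto_sign's combined layout).
func Respond(req []byte, sk ed25519.PrivateKey) []byte {
	if len(req) != hdrLen+chalLen {
		return nil
	}
	c := req[hdrLen:]
	return append(append(req[:hdrLen:hdrLen], ed25519.Sign(sk, c)...), c...)
}

// Verify checks framing, ID, signature, and that the signed bytes are our own challenge.
func Verify(resp, sent []byte, pk ed25519.PublicKey) error {
	if len(sent) != hdrLen+chalLen || len(resp) != sigEnd+chalLen || !bytes.Equal(resp[:hdrLen], sent[:hdrLen]) {
		return errors.New("malformed response or wrong node ID")
	}
	if !ed25519.Verify(pk, resp[sigEnd:], resp[hdrLen:sigEnd]) {
		return errors.New("bad signature")
	}
	if !bytes.Equal(resp[sigEnd:], sent[hdrLen:]) {
		return errors.New("signed message is not the challenge we sent")
	}
	return nil
}

func main() {
	pk, sk, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair
	req := NewChallenge([20]byte{})               // constructed all-zero ID
	fmt.Println("authenticated:", Verify(Respond(req, sk), req, pk) == nil)
}
```

The final comparison against the challenge we sent is what ties a valid signature to this particular exchange: a response captured from an earlier challenge still carries a correct signature but fails that check.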
Possible Problems:
- sending a challenge multiple times might be used for a DDoS when the sender address is spoofed!
- send only one challenge per address per lookup?
- the address of the other side might change right after a successful authentication.
- same attack vector for DNS