Discussion:
[bitcoin-dev] BIP 151 MITM
Alfie John via bitcoin-dev
2016-06-08 23:47:28 UTC
Hi folks,

Overall I think BIP 151 is a good idea. However, unless I'm mistaken, what's to
prevent someone between peers from suppressing the initial 'encinit' message during
negotiation, causing both to fall back to plaintext?

Peers should negotiate a secure channel from the outset or back out entirely
with no option of falling back. This can be indicated loudly by the daemon
listening on an entirely new port.

Alfie
--
Alfie John
https://www.alfie.wtf
Gregory Maxwell via bitcoin-dev
2016-06-09 01:24:09 UTC
On Wed, Jun 8, 2016 at 11:47 PM, Alfie John via bitcoin-dev
Post by Alfie John via bitcoin-dev
> Hi folks,
> Overall I think BIP 151 is a good idea. However, unless I'm mistaken, what's to
> prevent someone between peers from suppressing the initial 'encinit' message during
> negotiation, causing both to fall back to plaintext?
> Peers should negotiate a secure channel from the outset or back out entirely
> with no option of falling back. This can be indicated loudly by the daemon
> listening on an entirely new port.
Reduction to plaintext isn't an interesting attack vector for an
active attacker: they can simply impersonate the remote side.

This is addressed via authentication, where available, which is done
by a separate specification that builds on this one.

Without authentication this only provides protection against passive attackers.
Alfie John via bitcoin-dev
2016-06-09 01:42:59 UTC
> Reduction to plaintext isn't an interesting attack vector for an active
> attacker: they can simply impersonate the remote side.
> This is addressed via authentication, where available, which is done by a
> separate specification that builds on this one.
Are there any links to discussions on how authentication may be done?

Thanks,

Alfie
--
Alfie John
https://www.alfie.wtf
Jonas Schnelli via bitcoin-dev
2016-06-09 06:57:29 UTC
Hi
Post by Alfie John via bitcoin-dev
> > Reduction to plaintext isn't an interesting attack vector for an active
> > attacker: they can simply impersonate the remote side.
> > This is addressed via authentication, where available, which is done by a
> > separate specification that builds on this one.
> Are there any links to discussions on how authentication may be done?
I'm currently working on the Auth-BIP, which is not worth reviewing
right now (I will post it to the mailing list once it has reached a
stable level where it can be discussed).

If you can't wait, here is the current work:
https://github.com/jonasschnelli/bips/blob/35d7e382cdd6955ff42726c3d06c44e33f61ae52/bip-undef-0.mediawiki


Most recent MITM/auth discussion (there were plenty of discussions on
IRC about this topic):
https://botbot.me/freenode/bitcoin-core-dev/2016-04-04/?msg=63463826&page=3


</jonas>
Alfie John via bitcoin-dev
2016-06-09 07:00:51 UTC
Post by Jonas Schnelli via bitcoin-dev
Post by Alfie John via bitcoin-dev
> > Are there any links to discussions on how authentication may be done?
> I'm currently working on the Auth-BIP, which is not worth reviewing
> right now (I will post it to the mailing list once it has reached a
> stable level where it can be discussed).
> https://github.com/jonasschnelli/bips/blob/35d7e382cdd6955ff42726c3d06c44e33f61ae52/bip-undef-0.mediawiki
> Most recent MITM/auth discussion (there were plenty of discussions on
> https://botbot.me/freenode/bitcoin-core-dev/2016-04-04/?msg=63463826&page=3
Awesome, thanks for the link Jonas.

Alfie
--
Alfie John
https://www.alfie.wtf
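
The exchange above between Alfie John and Gregory Maxwell, modelled as an added example (not part of the thread, and not BIP 151's wire format, cryptography or code). A toy key agreement stands in for 'encinit'; `Peer`, `require_encryption`, `pinned_key` and `scenarios` are hypothetical names. It shows that refusing plaintext fallback stops suppression but not key substitution, while a peer key known out of band stops both.

```python
import hashlib
import secrets

# Toy finite-field key agreement standing in for the 'encinit' exchange.
# Constructed for illustration: not BIP 151's wire format or cryptography.
P = 2**127 - 1  # toy prime modulus, far too small for real use
G = 3

def derive(priv, peer_pub):
    return hashlib.sha256(str(pow(peer_pub, priv, P)).encode()).digest()

class Peer:
    def __init__(self, require_encryption=False, pinned_key=None):
        self.priv = secrets.randbelow(P - 3) + 2
        self.pub = pow(G, self.priv, P)
        self.require_encryption = require_encryption  # the "no fallback" proposal
        self.pinned_key = pinned_key  # peer key learned out of band (authentication)
        self.session_key = None

    def finish(self, received_pub):
        """Decide the channel state from the key that arrived (None = suppressed)."""
        if received_pub is None:
            return "refused" if self.require_encryption else "plaintext"
        if self.pinned_key is not None and received_pub != self.pinned_key:
            return "refused"
        self.session_key = derive(self.priv, received_pub)
        return "encrypted"

def connect(a, b, network):
    """network(pub) returns what the other side receives in place of pub."""
    received_by_b, received_by_a = network(a.pub), network(b.pub)
    return a.finish(received_by_a), b.finish(received_by_b)

def scenarios():
    """Channel state seen by each peer under each path behaviour and policy."""
    middle = Peer()  # active party on the path with its own key pair
    passive = lambda pub: pub            # observes only, forwards unchanged
    suppress = lambda pub: None          # drops the key message
    substitute = lambda pub: middle.pub  # answers each side with its own key
    out = {"opportunistic/passive": connect(Peer(), Peer(), passive),
           "opportunistic/suppress": connect(Peer(), Peer(), suppress),
           "no-fallback/suppress": connect(Peer(True), Peer(True), suppress)}
    a, b = Peer(True), Peer(True)
    out["no-fallback/substitute"] = connect(a, b, substitute)
    # Both sides report "encrypted", yet each key is shared with the middle party.
    out["middle_holds_keys"] = (derive(middle.priv, a.pub) == a.session_key
                                and derive(middle.priv, b.pub) == b.session_key)
    a, b = Peer(True), Peer(True)
    a.pinned_key, b.pinned_key = b.pub, a.pub
    out["authenticated/substitute"] = connect(a, b, substitute)
    out["authenticated/passive"] = connect(a, b, passive)
    return out
```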