-
Notifications
You must be signed in to change notification settings - Fork 73
Cryptography Details
This site is outdated. libsodium is not used anymore.
The cryptographic library used in KadNode is libsodium (a NaCl fork). The used crypto_sign* operations are an implementation of Ed25519.
-
The secret/public key pair is generated by the crypto_sign_keypair method.
-
The authentication process is the task to verify that a node is in possession of a specific secret key. For this we send a random 16 Byte string, the challenge, to the nodes IP address and DHT port that we want to authenticate.
"AUTH" (4 Bytes) + ID (20 Bytes) + 16 Bytes (Challenge)
-
We expect the node to send back the challenge, but encrypted (crypto_sign) with it's own secret key.
"AUTH" (4 Bytes) + ID (20 Bytes) + >16 Bytes (encrypted challenge)
If we can decrypt (crypto_sign_open) the message and get our random key, then we have verified that the other node has the secret key.
If no reply is received, then the challenge is send a few times before giving up.
Possible Problems:
- sending a challenge multiple times might be used for a DDoS when the sender address is spoofed!
- send only one challenge per address per lookup?
- the address of the other side might change right after a successful authentication.
- same attack vector for DNS