Implement auditing #151
Comments
I thought the auditors just act like a client? If not, do we need a consensus algorithm for the server and auditors? |
By this you mean that the auditors will query the key server at the beginning of every epoch like clients do?
I think we might need consensus anyway for keeping track of running auditors (much like Tor uses to keep track of running relays). But the protocol itself shouldn't require any consensus algorithm. |
Yes.
I think more about the consensus for the STRs between the key server and auditors. I would like to let the keyserver actively broadcast its STRs to the auditors rather than let the auditors query the key server at the beginning of each epoch. I don't know if we go this way, we can avoid the Clock synchronization issue or not ... |
|
Can publishing STRs to a global append-only ledger like blockchain solve the problem ? If the Identity Provider publishes only the STR in a transaction to a blockchain (not the whole data structure like EthIKS). Each client can then implement a lightweight wallet which tracks only their interested transactions from the blockchain network. This way, there is no need for a separate audition protocol. |
|
Thanks a lot for your feedback!
Won't clients still need to follow and verify the whole (bitcoin)-blockchain to get similar security guarantees as with querying (several) auditors? I know there are the SPV clients. I'm not really familiar with the concept but as far as I know they trust proxies/certain nodes in the network? If there are more advanced techniques can you share pointers to them? I feel that committing to the bitcoin blockchain could be a cool addition to to an auditing mechanism but not really a replacement (at least not currently). Maybe some sort of pro-active "auditing" using CoSi/collective signing or similar approaches could make retro-active auditing obsolete in the future. |
|
@LongNguyenHoang89 If you feel like it: We certainly would be happy if you/someone comes up with a pull-request where the client commits STRs to the bitcoin blockchain and where clients (optionally) queries/follows the blockchain (instead of auditors). I think it would be a very cool (optional) addition. |
|
@liamsi, The SPV client will conect to the Bitcoin P2P network like other nodes but only collect transactions that it is interested in by sending a filter to other nodes in the network. As you mentioned, we need a list of trusted nodes. Generally, client should be able to connect to any full Bitcoin node they want. We can provide a recommendation for popular nodes though. I feel that no matter how you solve the auditor problem, you still need a kind of gossiping/P2P network for them to maintain a consistent view of the system which is similar to blockchain anyway. It would be straight forward if each server broadcasts its STRs in a transaction on Bitcoin where every nodes, CONIKS auditor or not, can agree upon. An overlay structure like Blockstack virtualchain could certainly help with the bandwidth problem. Our team in INRIA, France is working on CONIKS and blockchain, mainly about this auditing and trust recovery. As we know from @masomel last month, you are switching from the Java implementation to coniks-go. We will have a proposal for the blockchain integration and pull request very soon in the coming weeks. |
This is what we describe in the paper, and what I am planning on implementing as well. The issue I point out is about key servers discovering the auditors that they need to publish the STRs in the first place. @LongNguyenHoang89 Thanks for your suggestions, and I look forward to your upcoming proposal to integrate with the blockchain. However, I share the same concerns with @liamsi about what is required of clients in that model. Firstly, the purpose of auditors isn't to reach consensus over what is the current state of a key server's directory. Their main purpose is to make equivocation checks more efficient for clients so they do as little computation as possible to detect equivocation. We actually considered publishing STRs on the blockchain when we were designing and evaluating CONIKS for our paper. We decided against it since our security properties are different (yet complementary) and because we believed the auditor model we ultimately chose was simpler in terms of the protocols and the performance and still gives us the desired consistency guarantees. I'm not very familiar with SPVs, but the idea of having to rely on trusted nodes to return the transactions the clients are interested in gives me pause. I suspect that it would still be possible for a malicious proxy to equivocate about an STR; what's to stop a malicious proxy from returning an STR that isn't on the longest branch of the blockchain? One advantage I think our auditor model has is that auditors aren't trusted, so even if a key server equivocates and auditors collude, the protocol still guarantees a detection of this attack with high probability. Also, to my understanding, using a wallet in order to follow Bitcoin transactions would require each client to manage an additional key, no? This also raises a concern since it wouldn't make sense to manage those keys in CONIKS, so out-of-band key management would be needed, which in turn defeats the purpose of using CONIKS in the first place. So, as @liamsi mentioned above, I believe that an auditing mechanism that uses the Blockchain could be a nice extension to the current protocol. I can imagine how some users who already use Bitcoin would be very interested in such an option. But blockchain-based auditing doesn't replace auditing entirely. I think that a good candidate for proactive attack detection would be collective signing (CoSi), which, if I've understood correctly, could actually obviate the need for blockchain-based auditing as well. |
|
Thanks ! |
* Part of #151 * Add client-auditor messages * Create audit log structure, query API finished * Add/Update docs to include auditor, add ReqUnknownDirectory auditor error * Use single generic verifySTRConsistency to be used by client and auditor * Add tests for audit log, debug audit log * Add assertions to validate auditor messages on client * Add generic STR response handler * # This is a combination of 2 commits. # The first commit's message is: Add TODO to move all generic STR auditing code to a separate module # The 2nd commit message will be skipped: # Use single generic verifySTRConsistency to be used by client and auditor * Fix documentation * Use DirSTR instead of merkletree.SignedTreeRoot in auditlog * Remove all references to auditor-directory communication, make auditor response message generic * STRList -> STRHistoryRange * Fail sooner in GetObservedSTRs * Revert changes to protocol/str.go * Always request epoch range in AuditingRequest, fix Insert() bug * Index audit log by hash of directory's initial STR * Insert latest STR into snapshot map right away * Fix go vet error * Change audit log index from byte array to string * Add test case for getting an STR after an audit log update * Refactor common functions * Use slice for initial history inserted, remove IsKnownDirectory * dirName --> addr, some documentation fixes * Small fixes * Revert "Change audit log index from byte array to string" This reverts commit 7e54087. Conflicts: protocol/auditlog.go * More fixes for reverting
* Add client-auditor messages * Add client-auditor messages * Create audit log structure, query API finished * Add/Update docs to include auditor, add ReqUnknownDirectory auditor error * Use single generic verifySTRConsistency to be used by client and auditor * Add tests for audit log, debug audit log * Add assertions to validate auditor messages on client * Add generic STR response handler * Add TODO to move all generic STR auditing code to a separate module * [WIP] Refactor generic auditing functionality * Add client-auditor messages * Create audit log structure, query API finished * Add/Update docs to include auditor, add ReqUnknownDirectory auditor error * Use single generic verifySTRConsistency to be used by client and auditor * Add tests for audit log, debug audit log * Add assertions to validate auditor messages on client * Add generic STR response handler * # This is a combination of 2 commits. # The first commit's message is: Add TODO to move all generic STR auditing code to a separate module # The 2nd commit message will be skipped: # Use single generic verifySTRConsistency to be used by client and auditor * Fix documentation * Use DirSTR instead of merkletree.SignedTreeRoot in auditlog * Remove all references to auditor-directory communication, make auditor response message generic * STRList -> STRHistoryRange * Fail sooner in GetObservedSTRs * Revert changes to protocol/str.go * Always request epoch range in AuditingRequest, fix Insert() bug * Index audit log by hash of directory's initial STR * Insert latest STR into snapshot map right away * Fix go vet error * Change audit log index from byte array to string * Add test case for getting an STR after an audit log update * Refactor common functions * Create generic auditor interface * Fix go fmt * Fix some merging issues * Refactor generic auditing functionality TODO: * Add tests * Renaming STR verification functions, use generic auditor functionality in auditlog and consistencychecks * h.verifiedSTR -> h.VerifiedSTR() * Refactor common STR verification for STR ranges from server * Fix * Fix documentation and formatting, revert to use map for auditlog snapshots * Minor fixes * Minor fix * Typo * Part of #151
Auditing is a protocol necessary for detection of equivocation. It includes an auditor component, a separate entity that is supposed to check a key server's STR history. The idea is that anybody should be able to run an auditor (regardless of whether they also run a key server), so this implementation will require an executable.
Auditing protocol server-side:
Auditing protocol client-side:
Open questions:
Implementation steps:
The text was updated successfully, but these errors were encountered: