From 837804ec22521006b51b5c53fe339d6c8ec4bac2 Mon Sep 17 00:00:00 2001
From: Starbeamrainbowlabs
Date: Fri, 11 Feb 2022 21:23:54 +0000
Subject: [PATCH] Connection: Update comment on replay attack

We still have the same problem, but solution do it is much simpler than we first thought....
---
 src/lib/transport/Connection.mjs | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/lib/transport/Connection.mjs b/src/lib/transport/Connection.mjs
index d59a130..4a48bed 100644
--- a/src/lib/transport/Connection.mjs
+++ b/src/lib/transport/Connection.mjs
@@ -175,10 +175,13 @@ class Connection extends EventEmitter {
 if(new Date() - this.rekey_last > this.rekey_interval && !this.rekey_in_progress) await this.rekey();
- // TODO: Consider anonymous TLS, with jpake for mututal authentication
- // TODO: Consider https://devdocs.io/node/crypto#crypto.createCipheriv() - which lets us use any openssl ciphers we like - e.g. ChaCha20-Poly1305
-
- // TODO: We're currently vulnerable to a replay attack. We need to mitigate this somehow - probably by maintaining a sequence number. Instead of sending the sequence number though we should instead compute a MAC that also includes the message length and a bunch of other things etc. Of course, we will also need to make sure we don't fall afoul of mac-then-encrypt, encrypt-then-mac, etc issues...
+ /*
+ TODO: Consider anonymous TLS, with jpake for mututal authentication
+ TODO: Consider https://devdocs.io/node/crypto#crypto.createCipheriv() - which lets us use any openssl ciphers we like - e.g. ChaCha20-Poly1305
+ TODO: We're currently vulnerable to a replay attack. We need to mitigate this somehow - probably by maintaining a sequence number. Instead of sending the sequence number though we should instead compute a MAC that also includes the message length and a bunch of other things etc. Of course, we will also need to make sure we don't fall afoul of mac-then-encrypt, encrypt-then-mac, etc issues...
+ Ref https://www.rfc-editor.org/rfc/rfc4346#appendix-F.2 for the sequence counter in TLS
+ We do *not* need another manual MAC, as tweetnacl's secretbox uses xsalsa20-poly1305, which is an *authenticated* encryption algorithm. Thus, all we need do is prepend the plaintext with a sequence number.
+ */
 let payload = JSON.stringify({ event, message });
 payload = encrypt_bytes(
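Review bot: The closing sentence of the new comment block, "all we need do is prepend the plaintext with a sequence number", leaves out the receive side, which is where a replay is actually stopped: the peer must remember the last accepted sequence number per direction and reject anything that is not strictly greater, and the counter must be bound to the current key (restarted on rekey()) so a value accepted under one key cannot be replayed under the next. Placing the number inside the secretbox does make it authenticated, so that part of the reasoning holds, but the comment should state the verification rule explicitly, e.g. `Receiver keeps the last accepted sequence number per direction and drops anything not strictly greater; counters restart on rekey so they are bound to the current key.` The typo `mututal` → `mutual` is carried over from the old comment. The enclosing method starts above the hunk and continues past the cut-off `encrypt_bytes(` call, so I cannot see how the secretbox nonce is chosen; since secretbox requires a nonce that is never reused under the same key, the comment could also note whether the sequence counter is meant to double as that nonce — TODO confirm against encrypt_bytes.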