1 \section{\faIcon{code} Specification \& Implementation} 2 3 \begin{frame}{\faIcon{code} Overview} 4 % Implemented, tested and reviewed -> good state, but needs sec audit 5 \begin{columns}[T] 6 \begin{column}{.48\textwidth} 7 Implemented \& Tested: 8 \begin{itemize} 9 \item Cryptographic routines in GNUnet 10 \item Cryptographic utilities in the Exchange 11 \item Security Module for CS and crypto-helper 12 \item Key Management 13 \item New Endpoint to get $R_0,R_1$ 14 \item Withdraw protocol 15 \item Deposit protocol 16 \end{itemize} 17 \end{column} 18 \hfill 19 \begin{column}{.48\textwidth} 20 Not Implemented: 21 \begin{itemize} 22 \item Merchant (primarily Spend Protocol) 23 \item Wallet support for two denomination types 24 \item Tipping protocol 25 \end{itemize} 26 \end{column} 27 \end{columns} 28 \end{frame} 29 30 \begin{frame}{\faIcon{code} Testing} 31 \begin{itemize} 32 \item Specification and test implementation hand in hand 33 \item Cryptographic routines: unit tests, benchmark, test vectors 34 \item Taler cryptographic utilities: unit tests 35 \item CS security module: functionality tests, benchmark 36 \item Exchange HTTP server: functionality tests (simulate wallet) 37 \end{itemize} 38 \end{frame} 39 40 41 42 % Übersicht allgemein (was implementiert, wie implementiert, wie getestet) 43 % GNUnet 44 % Testing, Test vectors, benchmarks 45 % API, Data Types, special stuff 46 47 % Taler cryptographic utilities 48 \begin{frame}{\faIcon{code} Implementation of cryptographic routines} 49 \framesubtitle{Cryptographic routines in GNUnet} 50 % Implementation Signaturschema: GNUnet, free software, libsodium 51 \begin{columns}[T] % align columns 52 \begin{column}{.74\textwidth} 53 \vspace{0.5cm} 54 Cryptographic routines for Clause Blind Schnorr signatures: 55 \begin{itemize} 56 \item Programming language: C 57 \item Implemented as free software in the GNUnet project 58 \item Implemented on Curve25519 59 \item Libsodium is used for group operations 60 \item 
Implemented including testing, benchmarks and test-vector generator 61 \item Other primitives from GNUnet reused 62 \begin{itemize} 63 \item HKDF 64 \item KDF mod 65 \item Hash functions 66 \end{itemize} 67 \end{itemize} 68 \end{column}% 69 \hfill% 70 \begin{column}{.25\textwidth} 71 \vspace{2cm} 72 \includegraphics[height=2cm]{images/gnunet-logo.png} 73 \end{column}% 74 \end{columns} 75 \vspace{0.2cm} 76 {\tiny graphics source: \url{https://www.gnunet.org/images/gnunet-logo-dark-no-text.png}} 77 \end{frame} 78 79 \begin{frame}{\faIcon{code} Implementation of cryptographic routines} 80 \framesubtitle{Implementation details} 81 \begin{columns}[T] 82 \begin{column}{.48\textwidth} 83 \resizebox{0.58\textwidth}{!}{\begin{minipage}{\textwidth} 84 \begin{table} 85 \colorlet{BFH-table}{BFH-MediumBlue!10} 86 \colorlet{BFH-tablehead}{BFH-MediumBlue!50} 87 \setupBfhTabular 88 \begin{tabular}{ll} 89 \rowcolor{BFH-tablehead} 90 \textbf{Operation} & \textbf{API} \\\hline 91 Key Generation & {\footnotesize GNUNET\_CRYPTO\_cs\_private\_key\_generate()} \\\hline 92 Get public key & {\footnotesize GNUNET\_CRYPTO\_cs\_private\_key\_get\_public($sk$)} \\\hline 93 Derive $r_0,r_1$ & {\footnotesize GNUNET\_CRYPTO\_cs\_derive\_r(nonce, lts, $r$[2])} \\\hline 94 Get public $R$ & {\footnotesize GNUNET\_CRYPTO\_cs\_r\_get\_public($r$)} \\\hline 95 Derive blinding secrets (bs) & {\footnotesize GNUNET\_CRYPTO\_cs\_blinding\_secrets\_derive(seed)} \\\hline 96 Calculate blinded $c$ & {\footnotesize GNUNET\_CRYPTO\_cs\_calc\_blinded\_c(bs, $R$[2], $pk$, msg)} \\\hline 97 Sign and get $b$ & {\footnotesize GNUNET\_CRYPTO\_cs\_sign\_derive($sk$, $r$[2], $c$[2], nonce)} \\\hline 98 Unblind & {\footnotesize GNUNET\_CRYPTO\_cs\_unblind(blind\_sig, $pk$, msg)} \\\hline 99 Verify & {\footnotesize GNUNET\_CRYPTO\_cs\_verify(sig, $pk$, msg)} \\\hline 100 \end{tabular} 101 \end{table} 102 \begin{itemize} 103 \item {\normalsize API designed to prevent misuse} 104 \item {\normalsize API includes ``Clause'' part}
105 \item {\normalsize Internal functionality: CS-FDH, clamping} 106 \end{itemize} 107 \end{minipage}} 108 \end{column}% 109 \hfill% 110 \begin{column}{.48\textwidth} 111 \hspace{1cm} 112 \resizebox{0.52\textwidth}{!}{\begin{minipage}{\textwidth} 113 \begin{table} 114 \colorlet{BFH-table}{BFH-MediumBlue!10} 115 \colorlet{BFH-tablehead}{BFH-MediumBlue!50} 116 \setupBfhTabular 117 \begin{tabular}{ll} 118 \rowcolor{BFH-tablehead} 119 \textbf{Values} & \textbf{Data Structure} \\\hline 120 Curve25519 Scalar & {\small GNUNET\_CRYPTO\_Cs25519Scalar} \\\hline 121 Curve25519 Point & {\small GNUNET\_CRYPTO\_Cs25519Point} \\\hline 122 Private Key & {\small GNUNET\_CRYPTO\_CsPrivateKey} \\\hline 123 Public Key & {\small GNUNET\_CRYPTO\_CsPublicKey} \\\hline 124 $\alpha, \beta$ & {\small GNUNET\_CRYPTO\_CsBlindingSecret} \\\hline 125 $r$ & {\small GNUNET\_CRYPTO\_CsRSecret} \\\hline 126 $R$ & {\small GNUNET\_CRYPTO\_CsRPublic} \\\hline 127 $c$ & {\small GNUNET\_CRYPTO\_CsC} \\\hline 128 $s$ & {\small GNUNET\_CRYPTO\_CsBlindS} \\\hline 129 $s'$ & {\small GNUNET\_CRYPTO\_CsS} \\\hline 130 $\sigma := \langle s',R' \rangle$ & {\small GNUNET\_CRYPTO\_CsSignature} \\\hline 131 Nonce & {\small GNUNET\_CRYPTO\_CsNonce} \\\hline 132 \end{tabular} 133 \end{table} 134 \end{minipage}} 135 \end{column}% 136 \end{columns} 137 \end{frame} 138 139 \begin{frame}{\faIcon{code} Exchange Architecture} 140 % Exchange Architektur 141 \begin{center} 142 \includegraphics[width=8cm]{images/architecture-exchange.jpg} 143 \end{center} 144 {\tiny graphics source: \url{https://git.taler.net/marketing.git/plain/presentations/comprehensive/main.pdf}} 145 \end{frame} 146 147 \begin{frame}{\faIcon{code} Taler cryptographic utilities} 148 \framesubtitle{Cryptographic utilities around crypto routines and planchets} 149 \begin{columns}[T] % align columns 150 \begin{column}{.48\textwidth} 151 Cryptographic utilities to use the crypto routines 152 \begin{itemize} 153 \item sign 154 \item blind 155 \item unblind 156 
\item key generation 157 \item derive\_r 158 \item various utility functions 159 \end{itemize} 160 \end{column}% 161 \hfill% 162 \begin{column}{.48\textwidth} 163 Utility functions around planchets 164 \begin{itemize} 165 \item derive/generate nonce 166 \item blinding secrets 167 \item planchet setup \& prepare 168 \item planchet to coin 169 \item coin ev hash 170 \end{itemize} 171 \end{column}% 172 \end{columns} 173 \end{frame} 174 175 \begin{frame}{\faIcon{code} CS Security Module} 176 \framesubtitle{CS Security Module \& corresponding crypto helper} 177 \begin{columns}[T] % align columns 178 \begin{column}{.48\textwidth} 179 CS Security Module: 180 \begin{itemize} 181 \item Standalone process 182 \item The CS Security Module has sole access to the denomination private key 183 % on httpd compromise an attacker has no access to the private key 184 % but can still have arbitrary messages signed 185 \item All operations requiring the private key are done by the security module 186 \begin{itemize} 187 \item Generate new keypair 188 \item Sign a message 189 \item Revoke keys 190 \item Derive private $r$ 191 \end{itemize} 192 \item API can use fixed-length structs (compared to RSA) 193 \end{itemize} 194 \end{column}% 195 \hfill% 196 \begin{column}{.48\textwidth} 197 CS Crypto Helper: 198 \begin{itemize} 199 \item Talks to the security module for operations requiring the denomination's private key 200 \item Is part of the httpd service 201 \item Unix Domain Sockets are used for Inter-Process Communication with the security module 202 \end{itemize} 203 \end{column}% 204 \end{columns} 205 \end{frame} 206 207 \begin{frame}{\faIcon{code} Key Management} 208 \begin{itemize} 209 \item Collect new denominations, security module public key from CS security module 210 \item {\color{blue}\texttt{GET /management/keys}}: Offer future keys to exchange-offline 211 % FIXME: not yet signed 212 \item {\color{blue}\texttt{POST /management/keys}}: Return signatures created with offline-signing key 213 \item
{\color{blue}\texttt{GET /keys}}: Make new denominations available for wallet: 214 \item Currently requires both RSA and CS security modules to be running 215 \end{itemize} 216 \end{frame} 217 218 \begin{frame}{\faIcon{code} Endpoint for $ R $} 219 \begin{itemize} 220 \item New endpoint used for withdraw and refresh protocols 221 \item Available under {\color{blue}\texttt{POST /csr}} 222 \item Request: \\ 223 \begin{table}[ht] 224 \hspace{-1.5cm} 225 \resizebox{0.9\textwidth}{!}{\begin{minipage}{\textwidth} 226 \colorlet{BFH-table}{BFH-MediumBlue!10} 227 \colorlet{BFH-tablehead}{BFH-MediumBlue!50} 228 \setupBfhTabular 229 \begin{tabular}{lll} 230 \rowcolor{BFH-tablehead} 231 \textbf{Field} & \textbf{Type} & \textbf{Value} \\ 232 nonce & String & 32 Bytes encoded in Crockford base32 Hex \\ 233 denom\_pub\_hash & String & Denomination Public Key encoded in Crockford base32 Hex \\ 234 \end{tabular} 235 \end{minipage}} 236 \end{table} 237 \item Exchange checks denomination (including cipher type) 238 \end{itemize} 239 \end{frame} 240 241 \begin{frame}{\faIcon{code} Endpoint for $ R $} 242 \begin{itemize} 243 \item Exchange derives $ R $ based on supplied nonce and denomination 244 \item Request passed down to security module 245 \item No persistence necessary 246 \item Response: \\ 247 \begin{table}[ht] 248 \hspace{-1.5cm} 249 \resizebox{0.9\textwidth}{!}{\begin{minipage}{\textwidth} 250 \colorlet{BFH-table}{BFH-MediumBlue!10} 251 \colorlet{BFH-tablehead}{BFH-MediumBlue!50} 252 \setupBfhTabular 253 \begin{tabular}{lll} 254 \rowcolor{BFH-tablehead} 255 \textbf{Field} & \textbf{Type} & \textbf{Value} \\ 256 r\_pub\_0 & String & 32 Bytes encoded in Crockford base32 Hex \\ 257 r\_pub\_1 & String & 32 Bytes encoded in Crockford base32 Hex \\ 258 \end{tabular} 259 \end{minipage}} 260 \end{table} 261 \end{itemize} 262 \end{frame} 263 264 \begin{frame}{\faIcon{code} Withdraw Protocol} 265 \begin{columns}[c] 266 \begin{column}{.48\textwidth} 267 \begin{itemize} 268 \item 
Available under {\color{blue}\texttt{POST /reserves/[reserve]/withdraw}} 269 \item Request data: \\ 270 \begin{table}[ht] 271 \hspace{-3cm} 272 \resizebox{0.55\textwidth}{!}{\begin{minipage}{\textwidth} 273 \colorlet{BFH-table}{BFH-MediumBlue!10} 274 \colorlet{BFH-tablehead}{BFH-MediumBlue!50} 275 \setupBfhTabular 276 \begin{tabular}{ll} 277 \rowcolor{BFH-tablehead} 278 \textbf{Field} & \textbf{Value} \\ 279 denom\_pub\_hash & Denomination Public Key \\ 280 coin\_ev & RSA blinded coin public key \\ 281 reserve\_sig & Signature over the request using the reserve's private key \\ 282 \end{tabular} 283 \end{minipage}} 284 \end{table} 285 \item Adjusted coin\_ev field (RSA): \\ 286 \begin{table}[ht] 287 \hspace{-3cm} 288 \resizebox{0.58\textwidth}{!}{\begin{minipage}{\textwidth} 289 \colorlet{BFH-table}{BFH-MediumBlue!10} 290 \colorlet{BFH-tablehead}{BFH-MediumBlue!50} 291 \setupBfhTabular 292 \begin{tabular}{lll} 293 \rowcolor{BFH-tablehead} 294 \textbf{Field} & \textbf{Type} & \textbf{Value} \\ 295 cipher & Integer & Denomination cipher: 1 stands for RSA \\ 296 rsa\_blinded\_planchet & String & RSA blinded coin public key \\ 297 \end{tabular} 298 \end{minipage}} 299 \end{table} 300 \end{itemize} 301 \end{column} 302 \hfill 303 \begin{column}{.48\textwidth} 304 \begin{itemize} 305 \item CS coin\_ev field: \\ 306 \begin{table}[ht] 307 \hspace{-3cm} 308 \resizebox{0.55\textwidth}{!}{\begin{minipage}{\textwidth} 309 \colorlet{BFH-table}{BFH-MediumBlue!10} 310 \colorlet{BFH-tablehead}{BFH-MediumBlue!50} 311 \setupBfhTabular 312 \begin{tabular}{lll} 313 \rowcolor{BFH-tablehead} 314 \textbf{Field} & \textbf{Type} & \textbf{Value} \\ 315 cipher & Integer & Denomination cipher: 2 stands for CS \\ 316 cs\_nonce & String & 32 Bytes encoded in Crockford base32 Hex \\ 317 cs\_blinded\_c0 & String & 32 Bytes encoded in Crockford base32 Hex \\ 318 cs\_blinded\_c1 & String & 32 Bytes encoded in Crockford base32 Hex \\ 319 \end{tabular} 320 \end{minipage}} 321 \end{table} 322 \item 
Response: \\ 323 \begin{table}[ht] 324 \hspace{-3.5cm} 325 \resizebox{0.5\textwidth}{!}{\begin{minipage}{\textwidth} 326 \colorlet{BFH-table}{BFH-MediumBlue!10} 327 \colorlet{BFH-tablehead}{BFH-MediumBlue!50} 328 \setupBfhTabular 329 \begin{tabular}{lll} 330 \rowcolor{BFH-tablehead} 331 \textbf{Field} & \textbf{Type} & \textbf{Value} \\ 332 cipher & Integer & Denomination cipher: 2 stands for CS \\ 333 b & Integer & CS signature session identifier (either 0 or 1) \\ 334 s & String & signature scalar (32 Bytes encoded in Crockford base32 Hex) \\ 335 \end{tabular} 336 \end{minipage}} 337 \end{table} 338 \end{itemize} 339 \end{column} 340 \end{columns} 341 \end{frame} 342 343 \begin{frame}{\faIcon{code} Withdraw Protocol} 344 \framesubtitle{Implementation details} 345 \begin{itemize} 346 \item Idempotency check - has the coin already been withdrawn? 347 \begin{itemize} 348 \item RSA: Hash over message (blinded coin) 349 \item CS: Hash over nonce and denomination public key 350 \end{itemize} 351 \item Additional denomination cipher check 352 \item Various changes related to parsing, persistence and response 353 \end{itemize} 354 \end{frame} 355 356 \begin{frame}{\faIcon{code} Minor Security Fix} 357 \begin{itemize} 358 \item Recap: RSA idempotency check uses blinded coin hash 359 \item Issue: 360 \begin{itemize} 361 \item Wallet withdraws a coin 362 \item Withdraw same coin referencing different denomination 363 \item Exchange returns signature of first withdraw due to idempotency check 364 \item Invalid signature - open complaint at auditor 365 \item Auditor is able to disprove 366 \end{itemize} 367 \item Solution: add denomination to coin hash 368 \end{itemize} 369 \end{frame} 370 371 \begin{frame}{\faIcon{code} Deposit Protocol} 372 \begin{columns}[c] 373 \begin{column}{.48\textwidth} 374 \begin{itemize} 375 \item Available under {\color{blue}\texttt{POST /coins/[coin public key]/deposit}} 376 \item Request: many fields, only coin\_sig relevant for CS 377 \item 
Content (RSA): \\ 378 \begin{table}[ht] 379 \hspace{-2cm} 380 \resizebox{0.65\textwidth}{!}{\begin{minipage}{\textwidth} 381 \colorlet{BFH-table}{BFH-MediumBlue!10} 382 \colorlet{BFH-tablehead}{BFH-MediumBlue!50} 383 \setupBfhTabular 384 \begin{tabular}{lll} 385 \rowcolor{BFH-tablehead} 386 \textbf{Field} & \textbf{Type} & \textbf{Value} \\ 387 cipher & Integer & Denomination cipher: 1 stands for RSA \\ 388 rsa\_signature & String & Unblinded RSA signature \\ 389 \end{tabular} 390 \end{minipage}} 391 \end{table} 392 \end{itemize} 393 \end{column} 394 \hfill 395 \begin{column}{.48\textwidth} 396 \begin{itemize} 397 \item coin\_sig content for CS: \\ 398 \begin{table}[ht] 399 \hspace{-3.3cm} 400 \resizebox{0.45\textwidth}{!}{\begin{minipage}{\textwidth} 401 \colorlet{BFH-table}{BFH-MediumBlue!10} 402 \colorlet{BFH-tablehead}{BFH-MediumBlue!50} 403 \setupBfhTabular 404 \begin{tabular}{lll} 405 \rowcolor{BFH-tablehead} 406 \textbf{Field} & \textbf{Type} & \textbf{Value} \\ 407 cipher & Integer & Denomination cipher: 2 stands for CS \\ 408 cs\_signature\_r & String & Curve point $ R' $ (32 Bytes encoded in Crockford base32 Hex) \\ 409 cs\_signature\_s & String & Signature scalar (32 Bytes encoded in Crockford base32 Hex) \\ 410 \end{tabular} 411 \end{minipage}} 412 \end{table} 413 \item Add denomination cipher check 414 \item Signature verification (CS security module) 415 \item Adjusted persistence 416 \end{itemize} 417 \end{column} 418 \end{columns} 419 \end{frame} 420 421 422 % TODO: Refresh 423 424 425 % Wallet 426 \begin{frame}{\faIcon{wallet} {\color{red} \textit{New:} } Wallet Cryptographic Routines} 427 \framesubtitle{Wallet Implementation} 428 \begin{columns}[T] % align columns 429 \begin{column}{.48\textwidth} 430 \begin{itemize} 431 \item Programming language: Typescript 432 \item libsodium.js for group operations 433 \item cryptographic routines implemented 434 \item tested with test vectors from C implementation 435 \end{itemize} 436 437 Missing: 438 
\begin{itemize} 439 \item Add support for two denomination types (together with Taler team) 440 \item integration test with exchange 441 \end{itemize} 442 \end{column}% 443 \hfill% 444 \begin{column}{.48\textwidth} 445 \begin{center} 446 \includegraphics[width=4.8cm]{images/stock1s.jpg} 447 \end{center} 448 {\tiny graphics source: \url{https://taler.net/images/stock1s.jpg}} 449 \end{column}% 450 \end{columns} 451 \end{frame}