-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
first implementation of the teamchain auditor #13544
Conversation
There's a bug somewhere in here that CI just found, likely in kbweb, so I added more debugging here: https://github.com/keybase/keybase/commit/3b566ab66f8290f5d39e44ff0a3d6e763883d3d0 |
ah, I confused math/rand with crypto/rand, you're right.
…On Wed, Sep 5, 2018 at 4:17 PM Maxwell Krohn ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In go/teams/audit.go
<#13544 (comment)>:
> + return nil
+ }
+ for _, tuple := range probeTuples {
+ m.CDebugf("preProbe: checking probe at merkle %d", tuple.merkle)
+ if tuple.team != keybase1.Seqno(0) || !tuple.linkID.IsNil() {
+ return NewAuditError("merkle root at %v should have been nil for %v; got %s/%d",
+ tuple.merkle, history.ID, tuple.linkID, tuple.team)
+ }
+ }
+ return nil
+}
+
+func randSeqno(lo keybase1.Seqno, hi keybase1.Seqno) (keybase1.Seqno, error) {
+ rng := hi - lo + 1
+ rngBig := big.NewInt(int64(rng))
+ n, err := rand.Int(rand.Reader, rngBig)
thanks for checking this, though I believe it is!
—
You are receiving this because your review was requested.
Reply to this email directly, view it on GitHub
<#13544 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AbYebpFIht9a3Q_iuR2EFvtylQyuYuCRks5uYDE_gaJpZM4WVw2d>
.
|
go/teams/audit.go
Outdated
// ProbabilisticMerkleTeamAudit runs an audit on the links of the given team chain (or subchain). | ||
// The security factor of the audit is a function of the platform type, and the amount of time | ||
// since the last audit. This method should use some sort of long-lived cache (via local DB) so that | ||
// previous audits can be combined with the current one. | ||
func ProbabilisticMerkleTeamAudit(m libkb.MetaContext, id keybase1.TeamID, startMerkleSeqno keybase1.Seqno, chain []SCChainLink) (err error) { | ||
return errors.New("stubbed out") | ||
func (a *Auditor) AuditTeam(m libkb.MetaContext, id keybase1.TeamID, isPublic bool, headMerkle keybase1.MerkleRootV2, chain map[keybase1.Seqno]keybase1.LinkID, maxSeqno keybase1.Seqno) (err error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Comment ProbabilisticMerkleTeamAudit
-> AuditTeam
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does subchain in the comment mean slice like for users or pick and choose like high set?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
comment to remember what these args are
- headMerkle: merkle root claimed by the first link in the team
- maxSeqno: seqno of the tail of the team sigchain
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no, it's just the most recent chain links we got from the server.
1553855
to
5bc6951
Compare
@mlsteele / @heronhaye ok or do you guys want to keep reviewing? |
- the goal of the teamchain auditor is to prevent the server from pulling off an "odd/even" attack. That is, when showing team acme to alice, the server sends even merkle roots, that show view A of the team. When showing team acme to bob, the server sends odd merkle roots, that show view B of the team. Where A and B might not agree at all. The server can hide these patterns in the merkle tree in arbitrary ways, with the goal to get alice and bob to see two different ideas of the same team, without forking the merkle tree globally. - our approach is for alice and bob to make random "probes". the probe the team before the team was created, the time after the team was created, and ensure a consistent view. - after 1000 new merkle roots, the audit repeats, with alice and bob idependently auditing the recent roots. - for now, we've hardcoded parameters, but we'll likely want to tune them in the future. - write all audit results to disk cache.
36d124e
to
371a387
Compare
- the goal of the teamchain auditor is to prevent the server from pulling off an "odd/even" attack. That is, when showing team acme to alice, the server sends even merkle roots, that show view A of the team. When showing team acme to bob, the server sends odd merkle roots, that show view B of the team. Where A and B might not agree at all. The server can hide these patterns in the merkle tree in arbitrary ways, with the goal to get alice and bob to see two different ideas of the same team, without forking the merkle tree globally. - our approach is for alice and bob to make random "probes". the probe the team before the team was created, the time after the team was created, and ensure a consistent view. - after 1000 new merkle roots, the audit repeats, with alice and bob idependently auditing the recent roots. - for now, we've hardcoded parameters, but we'll likely want to tune them in the future. - write all audit results to disk cache. - merge by hand since github is down - also @mlsteele might have further comments
- the goal of the teamchain auditor is to prevent the server from pulling off an "odd/even" attack. That is, when showing team acme to alice, the server sends even merkle roots, that show view A of the team. When showing team acme to bob, the server sends odd merkle roots, that show view B of the team. Where A and B might not agree at all. The server can hide these patterns in the merkle tree in arbitrary ways, with the goal to get alice and bob to see two different ideas of the same team, without forking the merkle tree globally. - our approach is for alice and bob to make random "probes". the probe the team before the team was created, the time after the team was created, and ensure a consistent view. - after 1000 new merkle roots, the audit repeats, with alice and bob idependently auditing the recent roots. - for now, we've hardcoded parameters, but we'll likely want to tune them in the future. - write all audit results to disk cache. - merge by hand since github is down - also @mlsteele might have further comments
- the goal of the teamchain auditor is to prevent the server from pulling off an "odd/even" attack. That is, when showing team acme to alice, the server sends even merkle roots, that show view A of the team. When showing team acme to bob, the server sends odd merkle roots, that show view B of the team. Where A and B might not agree at all. The server can hide these patterns in the merkle tree in arbitrary ways, with the goal to get alice and bob to see two different ideas of the same team, without forking the merkle tree globally. - our approach is for alice and bob to make random "probes". the probe the team before the team was created, the time after the team was created, and ensure a consistent view. - after 1000 new merkle roots, the audit repeats, with alice and bob idependently auditing the recent roots. - for now, we've hardcoded parameters, but we'll likely want to tune them in the future. - write all audit results to disk cache. - merge by hand since github is down - also @mlsteele might have further comments
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this makes sense. Seems like a lot of complexity, which might stem from storing the history that way. Has anyone written anything about the probabilities of discovering an attack this way?
No, we should try to come up with a proof of some sort given my back-of-the-envelope calculations. The logic is similar to Miller-Rabin primality testing. |
alice, the server sends even merkle roots, that show view A of the team. When showing team acme to bob, the server sends odd
merkle roots, that show view B of the team. Where A and B might not agree at all. The server can hide these patterns in the
merkle tree in arbitrary ways, with the goal to get alice and bob to see two different ideas of the same team, without forking
the merkle tree globally.
team was created, and ensure a consistent view.