Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

privval: authenticate and persist keys for tcp conns #3105

Closed
3 tasks
ebuchman opened this issue Jan 11, 2019 · 8 comments
Closed
3 tasks

privval: authenticate and persist keys for tcp conns #3105

ebuchman opened this issue Jan 11, 2019 · 8 comments
Labels
T:validator Type: Validator related
Milestone
Wishlist

Comments

@ebuchman
Copy link
Contributor

The TCPVal uses a SecretConnection over TCP, but does not currently authenticate the connection against a known node ID.

For the TCPVal, we need to:

  • persist (and encrypt) the TCPVal.secretConnKey

For the RemoteSigner (and any KMS implementation), we need to:

  • format address to dial as ID@host:port or ID@tcp://host:port
  • authenticate the dialed ID against the remote ID from the SecretConnection

Replaces part of #2549
@ebuchman ebuchman added the T:validator Type: Validator related label Jan 11, 2019
@ebuchman ebuchman added this to the v1.0 milestone Jan 11, 2019
This was referenced Jan 11, 2019
Closed
Closed
@ebuchman ebuchman changed the title privval: authenticate and persist keys in TCPVal privval: authenticate and persist keys for tcp conns Jan 19, 2019
@liamsi liamsi mentioned this issue Mar 14, 2019
Merged
@tarcieri tarcieri mentioned this issue Mar 14, 2019
Closed
3 tasks
@tarcieri
Copy link

I implemented the KMS side of peer verification for the priv_validator_laddr listener here:

tendermint/tmkms#219

It works! But we're running into the keys not being persistent.

I'm tracking that on the KMS side in this issue: tendermint/tmkms#111

@tarcieri
Copy link

@ebuchman I think you can check off the first "For the RemoteSigner (and any KMS implementation)" box as of tendermint/tmkms#219 (it uses tcp://ID@host:port with a presently optional ID@, which is what gaiad's config.toml uses).

Regarding persisting the key on the Tendermint side, I'd suggest just using the existing node key. This is how I've typically seen mutually authenticated TLS deployed (i.e. there is a single key identifying TLS principals for all client and server connections), and I don't see any potential threats using an additional key would mitigate.

thanethomson added a commit to tendermint/tmkms that referenced this issue Mar 21, 2019
@thanethomson
Remove validator ID until tendermint/tendermint#3105 is addressed
76474e7
@thanethomson thanethomson mentioned this issue Mar 21, 2019
Closed
@tarcieri tarcieri mentioned this issue Dec 11, 2019
Closed
@tac0turtle
Copy link
Contributor

With the migration to gRPC I don't believe this is relevant anymore?

@tarcieri
Copy link

@marbar3778 I imagine we'll migrate to X.509 certificates? So long as the validator has a stable key / certificate for the KMS to verify, this won't be an issue.

@tac0turtle
Copy link
Contributor

x509 are the default used certificates with gRPC. I don't think there is a way to use anything else but haven't looked into it.

In another issue, Hendrik mentioned that having TLS is a plus but if we document well that the port should only be exposed to your KMS it should be fine as well. I will document how to do both with TLS and without.

will close this issue

@tarcieri
Copy link

I would strongly suggest always encrypting the connection between the validator and the KMS.

@tac0turtle
Copy link
Contributor

This will be the recommendation made in the docs

@tarcieri
Copy link

tarcieri commented Jun 18, 2020
edited

gRPC is HTTP/2-based, and many HTTP/2 implementations are always-encrypted, so I'm not sure it will even be possible to support a plaintext option

@tony-iqlusion tony-iqlusion mentioned this issue Sep 17, 2020
Closed
@tony-iqlusion tony-iqlusion mentioned this issue Aug 24, 2022
Closed
@jaeseung-bae jaeseung-bae mentioned this issue Mar 12, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
T:validator Type: Validator related
Projects
None yet
Milestone
Wishlist
Development

No branches or pull requests
3 participants
@tarcieri @ebuchman @tac0turtle