Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[WIP] Registration should happen in epoch #189

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

vqhuy
Copy link
Member

@vqhuy vqhuy commented Oct 10, 2017

Merge #191 first.

@vqhuy vqhuy requested review from arlolra, masomel and liamsi October 10, 2017 16:01
@vqhuy vqhuy self-assigned this Oct 10, 2017
@vqhuy vqhuy added the protocol label Oct 10, 2017
@vqhuy vqhuy added this to the 0.2.0 milestone Oct 10, 2017
@vqhuy vqhuy force-pushed the register-in-epoch branch from 693e6d8 to 05cecb3 Compare October 11, 2017 12:17
@vqhuy vqhuy added the blocked label Oct 25, 2017
Copy link
Member

@masomel masomel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you please explain the assumptions and security guarantees that this enhancement would give us? It's not clear to me what it means to register "in-epoch", and how clients can gain confidence of this if it's enforced on the server-side.

@@ -36,6 +36,7 @@ type Request struct {
// The response to a successful request is a DirectoryProof with a TB for
// the requested username and public key.
type RegistrationRequest struct {
Epoch uint64
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What epoch is the client supposed to use here? Is the assumption that the client has fetched the latest STR before it even registers the name for the first time?

return protocol.NewErrorResponse(protocol.ErrMalformedMessage)
}

// check whether this registration request happens in epoch
if req.Epoch < d.LatestSTR().Epoch {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does the client really gain anything if we depend on the server to enforce the "in-epoch" property?

@vqhuy
Copy link
Member Author

vqhuy commented Oct 31, 2017

We started the discussion in #173. Also, iirc, we still have an open question: should the client send a key lookup first to get its index and then register with that index instead of "raw" username?

@masomel
Copy link
Member

masomel commented Oct 31, 2017

We started the discussion in #173.

Ok, I couldn't find much discussion around registrations apart from the initial post in the issue. I'm still not 100% clear on what we gain if we let the server tell us if the registration is in-epoch or not. Couldn't a malicious/misconfigured server just always tell us we're late, and never allow us to register? In other words, I don't see how this new mechanism really ensures, or gets us closer to, keeping the client in sync with the server's epochs.

should the client send a key lookup first to get its index and then register with that index instead of "raw" username?

What is the main purpose of doing this? At least in terms of privacy, I don't see much that we can gain by registering the index instead of the raw username. The server can still create mappings of the "raw" username and index at many different points in the protocol since lookups still happen with the raw username. I still find it more important for the client to generate its own salt for the commitment during registration.

@vqhuy
Copy link
Member Author

vqhuy commented Oct 31, 2017

What is the main purpose of doing this?

IIRC this is what we were trying to understand since it is implemented in both Coname and KT.

Couldn't a malicious/misconfigured server just always tell us we're late, and never allow us to register?

If the server doesn't allow us to register, it can use some simple methods like just ignoring the request? And I don't think there is a way for the server to cheat here because:

Since registration has to happen in the latest epoch, if the server receives a request to register in an outdated epoch, it should return an error, and give the client a chance to defer / re-request with exponential backoff. Alternatively, the client can set a monitoring flag to true and prematurely queue other requests until that's done.

In other words, I don't see how this new mechanism really ensures, or gets us closer to, keeping the client in sync with the server's epochs.

We use some mechanisms (e.g., Roughtime or NTP) to make sure the client have the latest STR (or whether the STR was issued on time and whatnot), same as lookup case. It's been a long time so correct me if I say something wrong.

@masomel
Copy link
Member

masomel commented Oct 31, 2017

IIRC this is what we were trying to understand since it is implemented in both Coname and KT.

Got it. If this is the case, we should certainly send Gary an email to find out more.

If the server doesn't allow us to register, it can use some simple methods like just ignoring the request? And I don't think there is a way for the server to cheat here because:

Since registration has to happen in the latest epoch, if the server receives a request to register in an outdated epoch, it should return an error, and give the client a chance to defer / re-request with exponential backoff. Alternatively, the client can set a monitoring flag to true and prematurely queue other requests until that's done.

Right, the server could always deny service. My point was that I don't see how the above mechanism of having the server return an error if it receives a registration request for an outdated epoch prevents the server from cheating. As it's currently implemented, the server just returns an ErrorOutdatedEpoch message with no other information. In order to prevent the server from cheating, I would expect that the server include non-repudiable information a client can use to check if the server is saying the truth about the epoch with an auditor.

We use some mechanisms (e.g., Roughtime or NTP) to make sure the client have the latest STR (or whether the STR was issued on time and whatnot), same as lookup case. It's been a long time so correct me if I say something wrong.

Yes, you're definitely right about this. But the clock sync'ing mechanism is independent from the registration in-epoch mechanism. My question is more, if we have a clock sync'ing mechanism in place, why couldn't we just make sure the clocks between the server and client are sync'd before the client makes a registration request and then just send the request as soon as the new epoch has started? In other words, what does the registration in-epoch mechanism add to our existing clock sync'ing?

@vqhuy vqhuy changed the title Registration should happen in epoch [WIP] Registration should happen in epoch Oct 31, 2017
@vqhuy vqhuy mentioned this pull request Dec 20, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants