v2 message transport protocol

BIP324: V2 Message Transport Protocol. Jonas Schnelli / dev@jonasschnelli.ch / Breaking Bitcoin 8th June 2019. PGP: CA1A2908DCE2F13074C62CDE1EB776BB03C7922D


  1. BIP324: V2 MESSAGE TRANSPORT PROTOCOL
     Jonas Schnelli / dev@jonasschnelli.ch / Breaking Bitcoin 8th June 2019
     PGP: CA1A2908DCE2F13074C62CDE1EB776BB03C7922D

  2. Goals of the v2 proposal
     ‣ Opportunistic Encryption
     ‣ Eliminate passive non-detectable observing
     ‣ Eliminate non-detectable message manipulation
     ‣ Optimize protocol
     ‣ Extendable with various authentication schemes

  3. Why V2?
     ‣ People did start implementing BIP151
     ‣ Major differences to BIP151
     ‣ New message structure
     ‣ New service flag
     ‣ Short Command IDs
     ‣ Opportunistic encryption

  4. Why encryption?
     ‣ The blockchain data is public, the general traffic of the Bitcoin network is not
     ‣ The Bitcoin network is under active surveillance
     ‣ Eliminate passive non-detectable observing
     ‣ Eliminate non-detectable message tampering
     ‣ Building block for secure connections

  5. Required crypto primitives
     ‣ ECDH secp256k1
     ‣ HKDF SHA256 L32
     ‣ ChaCha20
     ‣ Poly1305

  6. Handshake
     [Flow diagram: Initiator (V2) and Responder (V2). The initiator sends its 32 bytes ECDH pubkey. The responder reads 32 pubkey bytes and checks "Has net magic & "version"?". Yes: read version msg, V1 protocol. No: ECDH, enable encryption, and send its own 32 bytes ECDH pubkey, after which the initiator does ECDH and enables encryption.]

  7. Handshake
     Initiator: x, X := Generate Secp256k1 Keypair (only odd pub keys are allowed)
     Initiator: send pubkey X (no message structure, pure 32 bytes)
     Responder: y, Y := Generate Secp256k1 Keypair (only odd pub keys are allowed)
     Responder: SS := Secp256k1_ECDH(X, y)
     Responder: send pubkey Y (no message structure, pure 32 bytes)
     Initiator: SS := Secp256k1_ECDH(Y, x)

  8. Handshake
     ‣ No message structure
     ‣ Pure 32-byte handshake payload
     ‣ Only ODD pubkeys
     ‣ Only pubkeys not starting with the V1 network magic
     ‣ V1 Compatibility: fallback option to a version msg

  9. Session ID and keys
     PRK = HKDF_SHA256_L32(BitcoinSharedSecret || INITIATOR_32BYTES_PUBKEY || RESPONDER_32BYTES_PUBKEY)
     k1-k4 = HKDF_SHA256_L32_EXPAND(PRK, "BitcoinK_1 - K4")
     SessionID = HKDF_SHA256_L32_EXPAND(PRK, "BitcoinSessionID")

  10. Handshake MITM
     [Diagram: Initiator (V2), MITM, Responder (V2). Handshake request, handshake response and encrypted messages appear on both legs, initiator to MITM and MITM to responder.]

  11. Handshake
     [Diagram: Initiator (V2), MITM, Responder (V2). Handshake request, handshake response and encrypted messages appear on both legs. The initiator leg carries Session ID X, the responder leg carries Session ID Y.]
     Session ID X != Session ID Y

  12. Authentication / MITM
     «Bip151 provides excellent defence against government attackers with MITM capability: you can detect such attacks, and change behaviour. This is a huge improvement over the status quo of having no way of knowing if we’re being attacked.»
     Peter Todd

  13. Authentication?
     NO TOFU, no CA
     TOFU: Trust On First Use
     CA: Certificate Authorities

  14. CA

  15. SSH tofu
     ECDSA key fingerprint is SHA256:jkhd+oTybtJwDoMqPwLThFjgIZfO56IukmqMfN2TUq8.
     Are you sure you want to continue connecting (yes/no)?

  16. Make v2 faster and smaller!

  17. V2 Message Structure

  18. V1 vs V2 Message Structure
     V1 (≥ 24 bytes)
       4 bytes     net magic
       12 bytes    message command
       4 bytes     length
       4 bytes     double-SHA256 checksum
       ? bytes     payload
     V2 (≥ 20 bytes)
       3 bytes     encrypted length
       1-13 bytes  message command
       ? bytes     payload
       16 bytes    MAC (message authentication code)

  19. V1 vs V2 Message Structure
     V1 - message command string (pchCommand)
       The message command space is always 12 bytes
       examples: INV000000000, BLOCK0000000
     V2 - message command string (or short id)
       First byte is size or short command id
       The threshold is 12 (<= 12 it’s a length, > 12 is a short id)
       examples: 3INV, 23, 10GIGAMEGBLK

  20. V1 vs V2 Message Structure
     Number  Command
     13      ADDR
     14      BLOCK
     15      BLOCKTXN
     16      CMPCTBLOCK
     17      FEEFILTER
     18      GETADDR
     19      GETBLOCKTXN
     20      GETDATA
     21      GETHEADERS
     22      HEADERS
     23      INV
     24      MERKLEBLOCK
     25      NOTFOUND
     26      PING
     27      PONG
     28      SENDCMPCT
     29      SENDHEADERS
     30      TX
     31      VERACK
     32      VERSION

  21. V1 vs V2 Message Structure
     V1 - INV (single) == 61 bytes
       4 bytes   net magic
       12 bytes  message command
       4 bytes   length
       4 bytes   double-SHA256 checksum
       37 bytes  payload
     V2 - INV (single) == 57 bytes (93.4%)
       3 bytes   encrypted length
       1 byte    message command short id
       37 bytes  payload
       16 bytes  MAC (message authentication code)

  22. V1 vs V2 Message Structure
     V2 length field
       3 bytes == 24 bits
       23 bits for length + 1 rekey trigger bit
       Maximal message length is 0x7FFFFF = ~8MB
       Longer messages (e.g. gigamegblocks) could use multi-part messages.

  23. Rekey
     ‣ Can be triggered by setting the most significant bit in the 3-byte length field
     ‣ MUST NOT encrypt more than 1GB of data with the same key
     ‣ Avoid nonce reuse
     ‣ Rekey is SHA256(SHA256(session ID || old_symmetric_cipher_key))

  24. Custom AEAD construct: ChaCha20Poly1305@Bitcoin
     ChaCha20: stream cipher
     Poly1305: MAC

  25. ChaCha20
     ‣ Faster on systems without AES-NI
     ‣ Not vulnerable to cache-timing attacks (ARX)
     ‣ Randomly accessible output stream (parallelizable)

  26. ChaCha20Poly1305@Bitcoin
     ‣ Based on ChaCha20Poly1305@OpenSSH, which is based on ChaCha20Poly1305 IETF RFC 7539

  27. ChaCha20Poly1305 IETF RFC 7539
       Change AD, Encrypt Length
     ChaCha20Poly1305@OpenSSH
       More efficient AD encryption
     ChaCha20Poly1305@Bitcoin
       Optimized for bitcoin's traffic

  28. ChaCha20Poly1305@OpenSSH
     [Diagram: the handshake yields Key 1 and Key 2.
       1 x ChaCha20: 64 bytes keystream, Encrypt Length (4 bytes AD)
       1 x ChaCha20: 64 bytes, 32 bytes for Poly1305 key
       n x ChaCha20: Encrypt Payload …]

  29. ChaCha20Poly1305@Bitcoin
     [Diagram: the handshake yields Key 1 and Key 2.
       1 x ChaCha20: 64 bytes keystream, Encrypt Length (3 bytes AD) at the calculated offset; AD ChaCha20 round only on every 21st message
       1 x ChaCha20: 64 bytes, 32 bytes for Poly1305 key
       n x ChaCha20: Encrypt Payload …]
     Use 3 byte AD instead of 4

  30. ChaCha20Poly1305@Bitcoin: >= ~2.048 ChaCha20 "rounds" per message
     ChaCha20Poly1305@OpenSSH: >= 3 ChaCha20 "rounds" per message

  31. Bitcoin Core send message count with standard settings, random 24h
     [Bar chart, axis: number of messages]
     addr          46’256
     alert         2’611
     block         133’753
     blocktxn      493
     cmpctblock    7’668
     feefilter     3’892
     getaddr       62
     getblocktxn   11
     getdata       235’692
     getheaders    1’803
     headers       8’576
     inv           1’359’386
     merkleblock   30’580
     notfound      34’033
     ping          88’239
     pong          358’283
     sendcmpct     7’077
     sendheaders   3’984
     tx            616’688
     verack        7’191
     version       7’215

  32. Bitcoin Core send message bytes with standard settings, random 24h
     [Bar chart, axis: Bytes]
     addr          43’889’156
     alert         438’648
     block         28’385’105’107
     blocktxn      103’052’213
     cmpctblock    111’999’152
     feefilter     31’136
     getaddr       0
     getblocktxn   413
     getdata       14’454’648
     getheaders    1’843’575
     headers       70’963’994
     inv           621’129’068
     merkleblock   4’509’778
     notfound      2’657’783
     ping          695’608
     pong          2’866’264
     sendcmpct     63’693
     sendheaders   0
     tx            329’581’872
     verack        0
     version       743’145
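
The command byte and 3-byte length field from slides 19 to 22, as an added Python example (not code from the slides or from BIP324). The little-endian byte order of the length field and all function names are assumptions; the short ID table is the one on slide 20.

```python
# Slide 20: short command IDs 13..32, in table order.
NAMES = ("ADDR BLOCK BLOCKTXN CMPCTBLOCK FEEFILTER GETADDR GETBLOCKTXN GETDATA "
         "GETHEADERS HEADERS INV MERKLEBLOCK NOTFOUND PING PONG SENDCMPCT "
         "SENDHEADERS TX VERACK VERSION").split()
SHORT_IDS = {13 + i: name for i, name in enumerate(NAMES)}
BY_NAME = {name: sid for sid, name in SHORT_IDS.items()}
MAX_LEN = 0x7FFFFF     # slide 22: 23 bits of length
REKEY_BIT = 0x800000   # slide 23: most significant bit of the 3-byte field


def encode_command(name: str) -> bytes:
    """One short-ID byte if the command has one, else length byte + ASCII."""
    if name in BY_NAME:
        return bytes([BY_NAME[name]])
    raw = name.encode("ascii")
    if not 1 <= len(raw) <= 12:
        raise ValueError("command string must be 1..12 bytes")
    return bytes([len(raw)]) + raw


def decode_command(buf: bytes):
    """Return (command, bytes_consumed); reject truncated or unknown input."""
    if not buf:
        raise ValueError("empty buffer")
    first = buf[0]
    if first > 12:                      # above the threshold: a short ID
        if first not in SHORT_IDS:
            raise ValueError(f"unknown short command id {first}")
        return SHORT_IDS[first], 1
    if first == 0 or len(buf) < 1 + first:
        raise ValueError("empty or truncated command string")
    return buf[1:1 + first].decode("ascii"), 1 + first


def encode_length(n: int, rekey: bool = False) -> bytes:
    if not 0 <= n <= MAX_LEN:
        raise ValueError("length needs more than 23 bits")
    # Assumption: little-endian on the wire, rekey flag in bit 23.
    return (n | (REKEY_BIT if rekey else 0)).to_bytes(3, "little")


def decode_length(field: bytes):
    if len(field) != 3:
        raise ValueError("length field is exactly 3 bytes")
    value = int.from_bytes(field, "little")
    return value & MAX_LEN, bool(value & REKEY_BIT)


def v1_size(payload_len: int) -> int:       # magic + command + length + checksum
    return 4 + 12 + 4 + 4 + payload_len


def v2_size(command: str, payload_len: int) -> int:   # length + command + MAC
    return 3 + len(encode_command(command)) + payload_len + 16
```
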
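
Session ID derivation, the session ID mismatch under interception, and rekeying from slides 9, 11 and 23, as an added Python example (not code from the slides or from BIP324). Assumptions: the label and both pubkeys form the HKDF salt with the ECDH output as input keying material, the four keys use the info strings BitcoinK_1 to BitcoinK_4, and pubkeys and ECDH secrets are constructed byte strings because the standard library has no secp256k1.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand_l32(prk: bytes, info: bytes) -> bytes:
    # RFC 5869 expand for L = 32 with SHA-256 is the single block T(1).
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def derive_session(ecdh_secret: bytes, initiator_pub: bytes, responder_pub: bytes):
    """Return (session_id, [k1, k2, k3, k4]) as one endpoint computes them."""
    # Assumption: label || pubkeys is the salt, the ECDH output is the IKM.
    salt = b"BitcoinSharedSecret" + initiator_pub + responder_pub
    prk = hkdf_extract(salt, ecdh_secret)
    keys = [hkdf_expand_l32(prk, b"BitcoinK_%d" % i) for i in range(1, 5)]
    return hkdf_expand_l32(prk, b"BitcoinSessionID"), keys


def rekey(session_id: bytes, old_key: bytes) -> bytes:
    # Slide 23: SHA256(SHA256(session ID || old_symmetric_cipher_key))
    return hashlib.sha256(hashlib.sha256(session_id + old_key).digest()).digest()


def _constructed(label: bytes) -> bytes:
    # Constructed 32-byte stand-in for a pubkey or an ECDH shared secret.
    return hashlib.sha256(label).digest()


def session_ids(mitm: bool):
    """Session IDs computed by initiator and responder (slides 10 and 11)."""
    x_pub, y_pub, m_pub = (_constructed(b) for b in (b"X", b"Y", b"M"))
    if not mitm:
        ss = _constructed(b"ECDH(X, Y)")
        return derive_session(ss, x_pub, y_pub)[0], derive_session(ss, x_pub, y_pub)[0]
    # An interceptor completes one handshake per leg, so each endpoint derives
    # its session ID from a different secret and a different peer pubkey.
    sid_initiator = derive_session(_constructed(b"ECDH(X, M)"), x_pub, m_pub)[0]
    sid_responder = derive_session(_constructed(b"ECDH(M, Y)"), m_pub, y_pub)[0]
    return sid_initiator, sid_responder


def mitm_detected(sid_initiator: bytes, sid_responder: bytes) -> bool:
    # How the two IDs reach a common place for comparison is out of scope here.
    return not hmac.compare_digest(sid_initiator, sid_responder)
```
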
