ChannelKeys - separate commitment revocation from getting the per-commitment point #655
Conversation
devrandom
force-pushed
the
per-commitment
branch
from
4202fd2 to
df84dd3
Compare
|
@valentinewallace the motivation is that the commitment secret is sensitive - it can be used by an attacker to steal funds if the node also signs the same transaction. In general, the signer should be considered more secure - it will, for example, be implemented in secure hardware. It should not give the rest of the node access to data which can be used by an attacker and it should enforce policy which prevents attacks. In this particular case, some of the policies include: revoke commitments in order, don't sign a revoked transaction, don't revoke a signed transaction. In the third commit I implemented the first |
devrandom
force-pushed
the
per-commitment
branch
from
1782ec7 to
0c98489
Compare
There was a problem hiding this comment.
Code Review ACK 0c98489, that's a good step forward, in case of node compromise, it will prevent to yell a revocation secret to a an attacker already owning a signed commitment and thus freely spendable with counterparty's revocation secret.
lightning/src/chain/keysinterface.rs
Outdated
| @@ -217,6 +225,7 @@ pub trait ChannelKeys : Send+Clone { | |||
| /// Create a signature for a local commitment transaction. This will only ever be called with | |||
| /// the same local_commitment_tx (or a copy thereof), though there are currently no guarantees | |||
| /// that it will not be called multiple times. | |||
| /// The commitment must not have been revoked. | |||
There was a problem hiding this comment.
Did you say this policy enforcement has been implemented, namely "don't sign a revoked transaction" ? I think you need to verify the new revoked_commitment against commitment transaction number. I guess you can access it by unveiling it from LocalCommitmentTransaction 's unsigned_tx. This can be addressed later.
There was a problem hiding this comment.
Oops, I misspoke above. I thought about implementing this, but didn't get to it.
There was a problem hiding this comment.
Maybe since it's not implemented yet, rephrase the line to be a TODO?
There was a problem hiding this comment.
Agreed, but again, I think it should be attached to EnforcingChannelKeys
There was a problem hiding this comment.
I believe all of our other comments are phrased as "what rust-lightning guarantees it will do" ie, instead of "The commitment must not have been revoked" this could read "The commitment transaction contained will not have been revoked by release_commitment_secret, and external signers may wish to enforce this".
There was a problem hiding this comment.
reworded, please take a look
devrandom
force-pushed
the
per-commitment
branch
from
0c98489 to
ebcddd9
Compare
|
Thanks for updating the PR description with the motivation. Could you also include this in the commit message as per the contributing guidelines? This would be useful for those looking through the commit log. Generally, I see the PR description used for the broader motivation for a set of commits, though here there is only one commit. |
lightning/src/chain/keysinterface.rs
Outdated
| @@ -217,6 +225,7 @@ pub trait ChannelKeys : Send+Clone { | |||
| /// Create a signature for a local commitment transaction. This will only ever be called with | |||
| /// the same local_commitment_tx (or a copy thereof), though there are currently no guarantees | |||
| /// that it will not be called multiple times. | |||
| /// The commitment must not have been revoked. | |||
There was a problem hiding this comment.
Maybe since it's not implemented yet, rephrase the line to be a TODO?
devrandom
force-pushed
the
per-commitment
branch
4 times, most recently
from
950fa02 to
b661164
Compare
|
I rephrased a few things and added TODOs. Please take another look. |
There was a problem hiding this comment.
Sorry for the delay on this one - I was playing with it to see if I could make the asserts pass. I believe you got the issue right, so happy take this as-is, but would be nice to get the assertions in sooner or later. I commented on your PR at https://github.com/lightning-signer/rust-lightning/pull/1/files#r457548944.
lightning/src/chain/keysinterface.rs
Outdated
| /// Gets the commitment secret for a specific commitment number as part of the revocation process | ||
| /// | ||
| /// An implementation must error here if the commitment was already signed. | ||
| /// After this method is called, an implementation must ensure that it will refuse sign the relevant |
There was a problem hiding this comment.
I don't think it MUST - in theory we ensure that on the rust-lightning end, certainly it can, at least if you're in a separate memory space :).
lightning/src/chain/keysinterface.rs
Outdated
| @@ -217,6 +225,7 @@ pub trait ChannelKeys : Send+Clone { | |||
| /// Create a signature for a local commitment transaction. This will only ever be called with | |||
| /// the same local_commitment_tx (or a copy thereof), though there are currently no guarantees | |||
| /// that it will not be called multiple times. | |||
| /// The commitment must not have been revoked. | |||
There was a problem hiding this comment.
I believe all of our other comments are phrased as "what rust-lightning guarantees it will do" ie, instead of "The commitment must not have been revoked" this could read "The commitment transaction contained will not have been revoked by release_commitment_secret, and external signers may wish to enforce this".
devrandom
force-pushed
the
per-commitment
branch
from
2f5cdb7 to
fefae6a
Compare
…mitment point The commitment secret is sensitive - it can be used by an attacker to steal funds if the node also signs the same transaction. Therefore, only release the secret from ChannelKeys when we are revoking a transaction.
devrandom
force-pushed
the
per-commitment
branch
from
fefae6a to
b19d447
Compare
|
Done |
The commitment secret is sensitive - it can be used by an attacker to steal funds if the node also signs the same transaction. In general, the signer should be considered more secure - it will, for example, be implemented in secure hardware. It should not give the rest of the node access to data which can be used by an attacker and it should enforce policy which prevents attacks.