Pages:
Author

Topic: Nxt source code flaw reports - page 17. (Read 113378 times)

sr. member
Activity: 299
Merit: 250
January 14, 2014, 06:04:07 PM
Are you saying that you can't verify 25% of signatures? Isn't that a pretty serious issue?

It was already reported.

Where? What am I missing? Why isn't this a big deal?
legendary
Activity: 2142
Merit: 1010
Newbie
January 14, 2014, 12:38:39 PM
In the same way, I can prepare many other id_n with a secret phase set n and generate subsequent blocks,

It's too expensive.
newbie
Activity: 26
Merit: 0
January 14, 2014, 12:37:08 PM
let's see this.
As far as I know, only transaction sender or block generator will get his public key put into Account. So if I create an account a_1 with secret phase s_1, public key p_1, ID id_1. and send some nxt to it. note the public p_1 will not known to public as a_1 is just reciever.

Now I can just prepare many accounts with ID id_1 but diff s_n and p_n due to public key -> id collision. after a_1 get mature after 1440 blocks, I choose the best one of my infinite secret phases s_1....s_n to generate next block with very high success possibility.
this is possible because in Transaction.verify() and Block.verifyBlockSignature(), we only check:
Code:
Account account = accounts.get(Account.getId(generatorPublicKey));
if (account == null) {

return false;

} else if (account.publicKey == null) {

account.publicKey = generatorPublicKey; // we will get here and pass the checking below

} else if (!Arrays.equals(generatorPublicKey, account.publicKey)) {

return false;

}

In the same way, I can prepare many other id_n with a secret phase set n and generate subsequent blocks,

Now, can I predict future?... Wink
newbie
Activity: 26
Merit: 0
January 14, 2014, 12:15:55 PM
wait. not remember if someone mentioned this before.
from line 4552 to 4631.
If the attacker send infinite garbage blocks, futureBlocks will out of memory...
Remember that famous payloadLength=2147483647?...
what's that, 2^31 - 1?
hero member
Activity: 784
Merit: 501
January 14, 2014, 11:44:15 AM
wait. not remember if someone mentioned this before.
from line 4552 to 4631.
If the attacker send infinite garbage blocks, futureBlocks will out of memory...
Yes...
First of all, I hope there's some limit to response size on Jetty side, else attacker can spam nodes with very long answer to any request.
Then, NRS should test blocks from "getNextBlocks" response on:
1. Matching with ids from "getNextBlockIds" response.
2. Matching each other before put to futureBlocks. You can do almost all checks you do in pushBlock()!
At least it makes attaker's life harder. Right now he can send any garbage to "getNextBlock" response, that is parseable as empty block for example.

There's is common problem with peering code in NRS: you test only cryptographic part of data (hashes, keys and so on), but assume that data structures is correct. Remember that famous payloadLength=2147483647?...
newbie
Activity: 26
Merit: 0
January 14, 2014, 10:42:52 AM
wait. not remember if someone mentioned this before.
from line 4552 to 4631.
If the attacker send infinite garbage blocks, futureBlocks will out of memory...
legendary
Activity: 2142
Merit: 1010
Newbie
January 14, 2014, 10:09:52 AM
Does the fatal flaw have to do with creation of blocks from 1 to say 1440? Maybe to 720.


Pardon? I don't get the question.
full member
Activity: 126
Merit: 100
January 14, 2014, 10:07:51 AM
Does the fatal flaw have to do with creation of blocks from 1 to say 1440? Maybe to 720.
hero member
Activity: 784
Merit: 501
January 14, 2014, 09:50:40 AM
Devs, can you do Peer.sendToAllPeers() in new thread? At least for "sendMoney". It's takes minutes to send request to 150+ peers.
Workaround is to press F5 and re-unlock account immediately, just to watch transaction confirmation.
legendary
Activity: 866
Merit: 1002
January 14, 2014, 08:50:44 AM

If Curve25519 is proved to have flaw, is it easy for us to upgrade the system to other crypto functions?

Thanks.

Changing it won't be easy and won't be instant, but should be doable.

Basically, the code would have to be released earlier with some hardcoded number  - let's call it X - where to start "new" signature system.
After block X all sigs would be checked with NEW system

More problematic is that public keys would have to be updated, but still doable, NXT could require to send first transaction signed with both NEW and old privkeys.

P.S. more problematic would be what to do with user IDs...
legendary
Activity: 866
Merit: 1002
January 14, 2014, 08:35:05 AM
No, i have not. Only equations of the algorithm. Trying to understand if Curve.sign|verify does what its supposed to. Join the irc channel and we can talk further.. if you want. There are some good guys in there, ZjP is one of them.
Regards
j0b

Can you please ask that guy what the reasoning behind the strange is_negative(long10 x) function is? It's kind of hard to understand.

I'm also interested in this.
a) why there is is_overflow at all... (I thought it'd be simpler to have element of long10 have always reduced mod q....)
b) the second part is magic, as there shouldn't be something like "negative", so I assume job of that xor is to split values into two groups... (why?)

(edit: added is_negative, snippet)
Code:
/* checks if x is "negative", requires reduced input */
private static final int is_negative(long10 x) {
return (int)(((is_overflow(x) || (x._9 < 0))?1:0) ^ (x._0 & 1));
}
legendary
Activity: 2142
Merit: 1010
Newbie
January 14, 2014, 07:31:15 AM
I have to say I don't, but I could spend some time doing one if I knew there'll be possibility to include it.

Currently we don't need it coz Curve25519 works fine.

Hi all experts on crypto science, I'm wondering whether I understand it clear, so I have some naive questions here.

Is there any flaw in Curve25519? So we need to have an independent review of those crypto class and sign/verify function? If it's an open question or argument, then it should be an academic research on Curve25519 and I don't think one independent reviewer can conclude it in a short time.

Is Ed25519 better than Curve25519? Is it because Ed25519 is slow in Java that Nxt doesn't use Ed25519?

If Curve25519 is proved to have flaw, is it easy for us to upgrade the system to other crypto functions?

Thanks.

Ed25519 is a cryptographic system. Curve25519 is a cryptographic primitive. If u want to compare something u have to compare Ed25519 and [EC-KCDSA based on Curve25519].
full member
Activity: 238
Merit: 100
January 14, 2014, 07:18:04 AM
I have to say I don't, but I could spend some time doing one if I knew there'll be possibility to include it.

Currently we don't need it coz Curve25519 works fine.

Hi all experts on crypto science, I'm wondering whether I understand it clear, so I have some naive questions here.

Is there any flaw in Curve25519? So we need to have an independent review of those crypto class and sign/verify function? If it's an open question or argument, then it should be an academic research on Curve25519 and I don't think one independent reviewer can conclude it in a short time.

Is Ed25519 better than Curve25519? Is it because Ed25519 is slow in Java that Nxt doesn't use Ed25519?

If Curve25519 is proved to have flaw, is it easy for us to upgrade the system to other crypto functions?

Thanks.
legendary
Activity: 2142
Merit: 1010
Newbie
January 14, 2014, 04:58:54 AM
I have to say I don't, but I could spend some time doing one if I knew there'll be possibility to include it.

Currently we don't need it coz Curve25519 works fine.
legendary
Activity: 866
Merit: 1002
January 14, 2014, 04:57:05 AM
@CfB, have the developers considered switching to Ed25519 instead?

Do u have fast java implementation?

I have to say I don't, but I could spend some time doing one if I knew there'll be possibility to include it.
hero member
Activity: 834
Merit: 524
Nxt NEM
January 14, 2014, 03:48:43 AM
looks like a needless if-block

Code:
for (i = 32; i--!=0; ) {
if (i==0) {
i=0;
}

or does it have any purpose? At least a place for a breakpoint ... Smiley


U should ask the author of the code.
Smiley  yes ... hmmmm, no... maybe the one should ask, who decides to compile that Wink
newbie
Activity: 26
Merit: 0
January 14, 2014, 01:46:28 AM
8921045556724335400  Grin thx

I also doubt if it is the flaw. Fine, let's keep dig
legendary
Activity: 2142
Merit: 1010
Newbie
January 14, 2014, 01:40:35 AM
someone can generate a block in legit way and try to modify some bytes so that it has block_id = 0,  as pushBlock only check blocks.get(block.getId()) != null where it does = null, the next generated block will override genesis block in analyze()
Code:
if (previousBlock == 0) {

lastBlock = GENESIS_BLOCK_ID;
blocks.put(lastBlock, this);
baseTarget = initialBaseTarget;
cumulativeDifficulty = BigInteger.ZERO;

Account.addAccount(CREATOR_ID);

}

Good catch. Post ur Nxt account, plz.

PS: This is not the flaw.
legendary
Activity: 2142
Merit: 1010
Newbie
January 14, 2014, 01:37:34 AM
I came across this: http://crypto.stackexchange.com/questions/12743/is-curve25519-java-secure. So it seems like curve25519 doesn't natively support signing. I'm curious as to why it was chosen?

It's one of the best crypto-primitives, it's not supposed to "natively support signing". Different signing schemes could use Curve25519.
legendary
Activity: 2142
Merit: 1010
Newbie
January 14, 2014, 01:29:01 AM
I don't think anyone has replied to this yet.

It will be changed soon.
Pages:
Jump to:
© 2020, Bitcointalksearch.org