Steem & BitShares Cryptographic Security Update

in #steem · 8 years ago (edited)

It just came to my attention that the community has been discussing "quirks" in our usage of canonical signatures. @faddat and others are ready to burn us at the stake for our incompetence. I want to clear things up, because all of the accusations come from ignorance of the history of the code, of the cryptography, and of how signatures work.

Signature Malleability

Bitcoin exchanges suffered great losses due to transaction malleability: the ability for someone to modify a transaction into another, equally valid transaction without invalidating the signature. It turns out that anyone can take your signed transaction and create 4 different, perfectly valid signatures for it without knowing your private key. If these signatures produce different transaction IDs, it becomes impossible to track or check for the inclusion of your transaction using a single canonical identifier.

At one point in time this malleability issue allowed the replay of transactions up to 4 times, because each variant had a unique ID. We fixed this by requiring canonical signatures AND by identifying transactions by their digest, which is independent of the transaction signatures.

Here is the relevant information from the Bitcoin Wiki:

The first form of malleability is in the signatures themselves. Each signature has exactly one DER-encoded ASN.1 octet representation, but OpenSSL does not enforce this, and as long as a signature isn't horribly malformed, it will be accepted.[1] In addition for every ECDSA signature (r,s), the signature (r, -s (mod N)) is a valid signature of the same message.[2]

As of block 363724[3], the BIP66 soft fork has made it mandatory for all new transactions in the block chain to strictly follow the DER-encoded ASN.1 standard. Further efforts are still under way to close other possible malleability within DER signatures.

Canonical Signatures

Given that every time you sign something anyone can create 4 variations on the signature, we simply require that all signatures be in 1 of the 4 forms and reject signatures that are mathematically valid but in the wrong form. This means we enforce a stricter signature requirement than elliptic-curve mathematics itself requires.

Implementation Options

We had two possible implementation approaches: convert the generated signature into canonical form, or generate a new signature and check whether it is in canonical form. 1 in 4 signatures is canonical by chance in the first place, so it doesn't take many attempts to find a canonical one.

On the signature checking / validation side the two approaches are identical: every signature that is "canonical" also passes under the looser rules.
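The malleability described in the sections above, the canonical-form check, and both implementation options (convert vs. retry), as an added Python example that is not from the original post or from the Steem/BitShares code base. It assumes secp256k1 (the curve these chains sign with), uses the (r, -s mod N) pair from the quoted wiki text as the malleation, and treats the "low s" half as the canonical form, which is an assumption since the post does not spell out which of the 4 forms is accepted; the nonce derivation is a simplified deterministic stand-in for RFC 6979, and every function name is hypothetical. It also shows why identifying a transaction by its digest (the post's second fix) leaves the ID unchanged under malleation, while an ID over the serialized signature does not.

```python
import hashlib

# secp256k1 parameters (the curve Bitcoin, Steem and BitShares sign with).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p, q):
    # Affine point addition; None is the point at infinity.
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, p):
    # Double-and-add scalar multiplication (not constant time; demo only).
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, p)
        p = _add(p, p)
        k >>= 1
    return acc

def pubkey(priv):
    return _mul(priv, G)

def tx_digest(body):
    # The digest that gets signed; it depends on the body only, never on the signature.
    return hashlib.sha256(body).digest()

def _nonce(priv, digest, attempt):
    # Hypothetical deterministic nonce (stand-in for RFC 6979 so runs repeat);
    # the attempt counter yields a fresh k for each retry.
    data = priv.to_bytes(32, "big") + digest + attempt.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N or 1

def sign_raw(priv, digest, attempt=0):
    # Plain ECDSA: returns (r, s) with no canonical-form constraint.
    z = int.from_bytes(digest, "big")
    k = _nonce(priv, digest, attempt)
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    if r == 0 or s == 0:  # astronomically unlikely; take another nonce
        return sign_raw(priv, digest, attempt + 1)
    return (r, s)

def verify(pub, digest, sig):
    # Loose verification: accepts every mathematically valid (r, s).
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    z = int.from_bytes(digest, "big")
    w = pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def malleate(sig):
    # What anyone can do without the key: (r, s) -> (r, -s mod N), per the wiki text.
    return (sig[0], N - sig[1])

def is_canonical(sig):
    # Assumption: the accepted ("canonical") form is the low-s half, s <= N // 2.
    return sig[1] <= N // 2

def verify_strict(pub, digest, sig):
    # Canonical-only verification: stricter than the curve math requires.
    return is_canonical(sig) and verify(pub, digest, sig)

def sign_convert(priv, digest):
    # Option 1: sign once, then flip s into the canonical half if needed.
    sig = sign_raw(priv, digest)
    return sig if is_canonical(sig) else malleate(sig)

def sign_retry(priv, digest, max_attempts=64):
    # Option 2: re-sign with a fresh nonce until the result is canonical.
    # Returns the signature and the number of attempts it took.
    for attempt in range(max_attempts):
        sig = sign_raw(priv, digest, attempt)
        if is_canonical(sig):
            return sig, attempt + 1
    raise RuntimeError("no canonical signature within max_attempts")

def txid_by_digest(body):
    # Signature-independent id (the fix the post describes): a malleated copy shares it.
    return tx_digest(body).hex()

def txid_by_serialized(body, sig):
    # Id over body plus signature bytes: every malleated copy gets a new id.
    raw = body + sig[0].to_bytes(32, "big") + sig[1].to_bytes(32, "big")
    return hashlib.sha256(raw).hexdigest()
```

To try it, sign a constructed body with `sign_raw`, pass the result through `malleate`, and compare `verify` (both pass) with `verify_strict` (exactly one passes); `txid_by_serialized` yields two different ids for the pair while `txid_by_digest` takes no signature at all. The conversion option is a single negation of s, so there is no reason to prefer the retry loop other than keeping the signing path untouched; both yield signatures that verify under either rule.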

Conclusion

The takeaway from this is that people need to be slow to throw stones, and that @faddat is picking on a straw man. It also shows that if the things he is working on aren't careful, they will be vulnerable to signature malleability just like Bitcoin and BitShares once were.

Here is a useful infographic describing how Bitcoin and/or BitShares were once attacked due to a lack of canonical signature enforcement.


yes as a sailor I know full well that for a ship to arrive where it wants to go, the captain needs to be at the helm ) Good to see @dan giving us detailed and clear information on things !!

Hi. I'm Paul. I've consulted on some of @faddat's projects. I don't follow Steem development closely, because I'm not on the technical side. I am not a cryptographer, cryptologist, or mathematician. My background is in US taxation and networking/systems.

I think we should acknowledge that there's history. I've witnessed Jake agonize over this code, trying valiantly (does anyone use that word anymore?) to make Steem work from other websites. It's been frustrating for him, and also for many others who've poured a lot of time and resources into what they expected to be a straightforward task. And when he's spoken about it openly (as I would too) there's been some icy reception.

Ultimately, we're talking about his tone here. If he had said essentially the exact same thing without mentioning how unsettling he found it, we wouldn't be having this discussion. And if he turned out to be wrong, so much the better. I think all of us are happier knowing the blockchain is uncompromised.

If he comes off as brusque -- yeah, he does that. He gets a pass from me, because I know his intentions are honest. I also get it if you don't see that.

Can we put this behind us? The world needs blockchain technology, and it needs it badly. Any Steemit hackers are invited to come have a coffee with us here in Siem Reap. Let's make magic happen.

We have many JS libraries that could be used off the shelf that already implement proper canonical signature signing.

You are no doubt right. My intention with this post was instead to the address the lack of trust between the two projects (and indeed, in the broader crypto community). I think we can do better than we're doing.

I think the way in which we could do better is to all stop making excuses for @faddat's unwarranted tantrums and mudslinging.

The code is there for him to review, and all the demands he was making could have been resolved by him taking 5 minutes to read it. (He even had three experienced devs helping him in the comments in the linked thread.)

Instead, he chose to (in order): assign blame, be passive aggressive, play the victim, and then speculate about malice—without basis. We are all now aware of how productive these behaviors turned out to be.

He shouldn't have to speculate very much more to figure out why he is unwelcome in our Slack.

We welcome constructive feedback, positive and negative. This wasn't that.

We are a very small team and reading and responding to this sort of toxic behavior has tangible effects on our productivity.

he chose to (in order): assign blame, be passive aggressive, play the victim, and then speculate about malice—without basis.

Not to mention the DAWN project which I believe he is involved in and their recent cointelegraph article, with the timing in mind you could very well class this as pure FUD.

I read the article @abit linked below. It couldn't be more vague.

sniffs

"Is that vapour in your ware?"

No vapor is found at github.com/dawn-project/glogchain

And we'd be honored to have you as a user, @l0k1.

We didn't want to use javascript, @dantheman. We wanted to use go so we could integrate it on the back end and achieve more than a superficial integration. Since you wrote graphene in C++ I'm sure you know what I'm talking about regarding javascript vs actual systems programming languages like C, C++, java, go, or rust. Ain't no beef in the land of javascript by comparison. If you want beef, you've got to go lower level, and we wanted to build beefy steem integrations.

Please, don't tell me you think your js libs make it all okay, because I know that you know they don't.

Now that @baabeetaa has the answers he needed, we will be integrating on the back end, because @baabeetaa is a badass.

Reposting @phibetaiota
PhiBetaIota.Steem is about open decision support.

Our Mission is about using holistic analytics, true cost economics, and if desired, open source everything engineering, to create open ethical intelligence (decision support) in support of strategic, operational, tactical, and technical decisions, courses of action, and investments. This platform is very important in our mission.

THANK YOU for crafting an excellent explanation to this situation.
There is open censorship on all other platforms. At the very least, there does not appear to be much censorship on SteemIt. I profoundly hope you are not "burned at the stake."
Cooperation is enhanced greatly in times of open standards.
"Get enough eyeballs on it, no bug is invisible."
"The truth at any cost lowers all other costs"

~The Management


There's no censorship on steemit, especially not on its blockchain. Some in its front end but it's of the socially understandable type.

There is open censorship on all other platforms. At the very least, there does not appear to be much censorship on SteemIt.

LOL

@cryptoctopus why did you upvote this spam comment?

@sneak: I don't recall voting on this comment, I have trails...I wonder if that's where the upvote for the comment comes from. In any case, I take it back.

That's why I left the comment... I think some people vote with various automated means and sometimes upvote stuff they don't mean to.

Look, another angry racist on Steemit. Sigh.

Be advised, snowflake: we have a tolerant and inclusive community and people like you are not welcome here.

PS: Good luck, I am behind 7 proxies.

Racist and misogynist, check.

Edit:

Here's the record of his tossing around racist slurs: https://steemd.com/tx/f0d62c3c942376b959c9d728a89bdbfdc4252d8c

Here's the second one with the sexist nonsense: https://steemd.com/tx/c35ca356c7e21181da1f85bbea0a2cd242b581df

It's all a game... we are ALL playing. Best to learn when you're the PC or the NPC

I think @faddat is asking questions and he is not getting any answers. That leaves him to speculate why.

Thanks for the poised and solid answer @dantheman! Even all this discussion allows me to learn more about our platform and its security levels.

All for one and one for all. Namaste :)

Thanks for fighting the good fight, Dan. I hope some day your dream of world domination will come true and we can have an active marketplace here to voluntarily spend our STEEM and SBD. Keep up the good work.

By looking at the title I thought we had fixed something new. By reading the content I realized it was fixed long before. "Update"?
Anyway, thanks for writing this.

Same here. Maybe the "Info" word would fit better here. However, these were things that I hadn't known, so it was worth reading.
It was a #FlashbackFriday post. :)

How is Graphene 3.0 coming along? Can't wait to see what you think up next.

Shares go on sale Sunday

Bitcoin may end up passing $10,000