Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
github.com/hashmatter/libp2p-onion-routing
libp2p-onion-routing
demonstrates how to use onion routing for a
strong privacy preserving routing protocol to be used over DHTs and other
decentralized networks. The onion routing aims at protecting users from
local passive adversaries that spoof DHT requests to link lookups to its initiators.
We will release a video tutorial
where we go through the code and explain how use delegated lookups in
libp2p with onion routing and p3lib-sphinx.
p3lib-sphinx is used to construct and process the onion packet.
1) Initiator selects set of relay nodes and gets its public keys and addresses
// discovers and connects to numRelays relays
pinfo, relayAddrs, relayPubKeys, err := selectRelays(ctx, numRelays, timeout,
host, kad)
In production, the selectRelays()
should select a set of relays anonymously,
i.e., no one should be able to infer which relays were selected.
2) Initiator constructs the onion packet
// the payload consist of information for the exit relay (last relay in the
// circuit) to perform the a DHT lookup. in this example, the initiator
// delegates the lookup of the content addressed file 'QmSAR...K8Eem721p'
var payload [256]byte
copy(payload[:], []byte("GET QmSAR9Zw6bvVqMt35uBfnETaWkmxhZ6mWyQeRK8Eem721p")[:])
// the final address is not relevant in this context since the exit relay will
// perform a network request (DHT lookup) rather than
// connecting to a specific peer.
finalAddr := []byte("")
// uses p3lib-sphinx library to construct an onion routing packet
packet, err := sphinx.NewPacket(&privKey, relayPubKeys, finalAddr, relayAddrs, payload)
3) Initiator encodes and forwards the onion packet to first relay
// encodes onion packet and wires it to the first relay in the circuit
var buf bytes.Buffer
enc := gob.NewEncoder(&buf)
enc.Encode(packet)
// forward packet to first relay. the relay that the packet is relayed must
// map to the first relay in the input when constructing the onion packet
firstRelay := pinfo[0]
stream, _ := host.NewStream(context.Background(), firstRelay.ID, protoPacket)
_, err = stream.Write(buf.Bytes())
stream.Close()
4) Relay receives the onion packet, processes it and gets the address of next relay
var packet sphinx.Packet
out, _ := ioutil.ReadAll(stream)
r := bytes.NewReader(out)
dec := gob.NewDecoder(r)
dec.Decode(&packet)
nextAddr, nextPacket, err := relayContext.ProcessPacket(&packet)
5) Step 5 repeats until last relay processes the packet
6) After processing the packet, the last Relay performs DHT lookup set by initiator
if nextPacket.IsLast() {
log.Println("LAST PACKET | exit relayer information:")
performDelegatedRequest(nextPacket.Payload[:])
return
}
The circuit nodes (relays) are able to process the received by "peeling" a layer of the onion and forward the packet to the next relay. Once the packet has been all processed and forwarded by all relays in the circuit, the last relay will have enough information to perform the DHT request delegated by the initiator (i.e. the initial node which created the onion packet). The primitives for relays to process onion packets are also implemented by p3lib-sphinx.
This delegation pattern in combination with provably secure onion encryption is similar to what is used by other anonymous P2P networks, such as Tor.
SURBs (Single Use Reply Blocks) are used to allow the exit node to send a response to the initiator through the established secure path with expected security properties. The initiator prepares an onion packet for the exit relay to fill with the results and send back. If you'd like to help with the SURB implementation in p3lib-sphinx, check p3lib-sphinx.
Scalable and anonymous relay selection with partial network view
Measure and understand entropy requirements for security
There are many more open problems to achieve practical metadata resistance in distributed hash tables and P2P networks. If you are interested in discussing and working on these problems, check what hashmatter has been working on and reach out!
Because we all want security, privacy and decentralized networks to go mainstream! Also check In Pursuit of Private DHTs!
The code in this repository is part of an experimental research project to implement practical privacy preserving network protocols and primitives. The code in this repo is highly experimental and for demo purposes only, do not use it in production.
Please bear in mind that the relay discovery protocol used in this repo will defeat the purposes of onion routing security by the identity of the initiator to all the relays in the circuit. This is not safe and should not be used in production.
[1] Privacy preserving lookups with In-DHT Onion Routing
[2] Sphinx: A Compact and Provably Secure Mix Format
[3] Using Sphinx to Improve Onion Routing Circuit Construction
MIT
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.