-
Notifications
You must be signed in to change notification settings - Fork 12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Wormhole Seeds #2
Comments
Some thoughts about the UX:
To be fair, this is mostly independent from the protocol, but some details – like exchanging the IDs – are. An alternative would be to make pairings explicit using a |
Thanks for moving / continuing this discussion! Some thoughts after reading above:
|
One more comment to migrate from the old ticket: The API I'm thinking of would be like: w = wormhole.create(stuff)
w.set_code(code)
w.connect() # ...
seed = w.get_seed()
# later
w = wormhole.from_seed(seed)
w.connect() |
Working on this again, and some design questions coming up:
By the way I'm thinking about renaming this to "Wormhole resumption" or something because it's more intuitive. |
It should be a general feature.
99% sure "mailbox" is correct here (but I haven't had time to delve all the way in again). |
Re: naming, I do kind of like more whimsical names sometimes because it helps reduce preconceived notions. A "Wormhole Seed" requires you to look up at least a short definition; "wormhole resumption" lets you immediately decide your own expectation for what "resume" means to you...which can be a bad thing if those don't end up lining up with reality. "Grow a new wormhole from a Seed" might be more accurate than "resume a previous Wormhole" anyway because IIUC the key-material will be different on each wormhole (more like "grow a new one, that's really similar"?) |
Clients should store a mailbox, not a nameplate. We only use nameplates because they're short and easy to dictate/transcribe. As such, they're short lived, and mutable (the And yeah, clients can Agreed that this should be a general feature. +1 on "seed". Apart from the utility as non-preconceived jargon, it also fits the overall whimsical style of Magic Wormhole. Call it part of our "brand" :). |
Thank you for the input. I noticed that handling identifiers is more tricky than I initially thought: since anybody can take anyone's UUID, there still be some collision handling required. I'm evaluating a public/private key pair approach to identify and authenticate wormhole devices. I'm also evaluating the usage of the shared mailbox name or something like that as an identifier. Generally, making connection pairing explicit would make things a lot easier. However, I really like the concept of doing things automatically, because otherwise a lot of people are going to miss this feature. |
The "unique thing" is the mailbox-id. They're long enough that there are no collisions. I thought you'd proposed UUIDs for local serialization; what other purpose might they serve? (Anyway, a long-enough UUID can also be counted on to be unique). |
Okay, this is not the uniqueness-problem I am facing right now. The issue is that users need to be able to identify their peers in a reliable way, but we don't have any central naming instance. See the following threat example:
I know it is a rather weird threat model, but it shows that for seeds you need to trust peers more than I'd like to. It would be fine with manual peering, but I don't think this is acceptable for an automatic mechanism (some people send things to randoms on the internet they don't necessarily want to trust). |
Okay, I agree that there can be issues making sure that users are able to communicate to the software which connection they mean. I think this is up to the frontends though -- that is, a UI/UX issue. I'm not really sure what you mean by "takes the identity of B" above (but I assume some social manipulation to make the other user save that wormhole as a different name...?) For example, a GUI might choose to display a list with names that the user themselves had previously given those connections. In the Python client, I'd probably choose something similar: a user-assigned petname for that connection. I would also have this be "opt-in" only and not automatically remember any connections at all unless told. That is, something like Whether internally those are serialized in a database with UUIDs or use some other mechanism: don't care. We can certainly give guidance as to the desired UX but ultimately this is all up to the UI designers. We could also give some guidance as to the dangers etc that might arise. To relate this back to @warner 's python pseudo-code above: what the application program does between I guess for more context here is how I imagine this functioning for a file-transfer application. If I'm making a GUI client then the basic version just always gives you a code to exchange. A more-featured version might give you the option to save the contact for future use (" |
I think I've further narrowed down the problem I mentioned earlier: It starts with the question of what happens if the two sides get their key out of sync (because of the two armies problem, we must expect this might happen). My suggested solution is to do a key update on every wormhole connection between both peers, even without seeds. Thus, a broken seed could simply be repaired by sending a file with a code; the seed would be self-healing in a way. But that exact update mechanism opens an attack vector for impersonation I mentioned, if not defended by authenticating the connection peers. Adding a bit of public/private key crypto for this is not a big deal IMO, but let me know what you think. An obvious alternative solution would be to always use the same keys for a seed. We would lose the forward secrecy, but it would also give us the possibility for multi-client support. (Is there a way to have multi-client support and forward secrecy?) |
Do you mean the Two Generals Problem? Can you describe what you think might get out of sync (with Seeds)? In the original proposal I don't see any way to update them so I don't see how they can get out of sync...? (That is, my understanding is you'd use the same mailbox-id and the same 256-bit Seed on every new wormhole to the other device for whatever named connection it is -- the actual session key will be different each time though, since the Seed is used as SPAKE2 input not as a key directly). (I can't even really picture what "multi-client support" means in the context of magic-wormhole -- that should probably be a separate discussion no matter what). |
Yes, I remembered the name wrong somehow.
That's where our understanding differs and the most important question to resolve. I understand it that the used code must be derived from the previous session's key in order to provide forward secrecy. On the other hand, without that mechanism the two generals problem indeed disappears. |
Each session is distinct. There's a random value involved in the SPAKE2 protocol, so using the static secret (the Seed) will still result in a new session key each time (i.e. on each connection). So, "breaking" one session won't give you access to any other session. Huge caveat: I am not a cryptographer. I believe this is what "forward secrecy" means here, though..? (If you manage to steal the Seed itself, then of course you could impersonate one side of the connection and it's game over .. but I think that's outside the scope of what the protocol can provide?) |
You are right, the way you understand it kind of gives us forward secrecy.
Hehe, nope. If we regularly do a key rotation by deriving a new code out of a session key (what I was talking about), we get something that is called future secrecy or Post-Compromise Security. At the moment, my main problem while designing a possible protocol for seeds is that PAKE codes can be used for authentification, but not for identification, meaning that each peer must already know to whom to connect beforehand, and which code to use. For example, if we didn't have to pre-commit to one PAKE code beforehand, we could easily recover from a client failure during key rotation. |
Isn't that kind of the whole point of Seeds? That you, the client, assign a name to some previously-established connection / other-device and so then when you re-connect in the future you don't need a human-typed code? (But you do need that same other device to also attempt a re-connect around the same time). That is, you're not connecting to like At some point, I believe I understood how the signal/double-ratchet worked .. but so are you suggesting putting some sort of addressing + PKI into this..? With Seeds as-proposed in the original issue, the post-compromise solution is essentially to simply start over: wipe your entire DB of Seeds and re-establish them as-required. (Or just literally start again with a fresh install). This of course takes a fresh human-typed and out-of-band communicated code once again. I'm not clear on what sort of key-rotation you're suggesting; maybe writing that down would help both of us? (Even if we did some kind of rotation on every connection, wouldn't the post-compromise adversary just have to do a successful connection to become 'the' other party, and make any legitimate attempt fail? -- I don't claim to fully understand that paper you link to above yet, though :) ) |
Well, yes and no. I know to whom (as a person) to connect (as in, one UUID and a known mailbox address), but I might not know which PAKE code to use: two peers may diverge and disagree on which common session was their last.
I was considering it for a while, but found a better solution in the mean time.
That's actually a valid point: the seeds database does not contain mission-critical data.
I think I mentioned it some time earlier, but it's probably lost in the backlog. With "key rotation" I mean "derive a new code from the current session for the next time, the same way the initial seed is generated" I think I have resolved all my conceptual problems, I'll follow up with an alternative proposal for seeds that does key rotation soon™. |
Not sure what you mean here? The user doesn't have to know the PAKE code (you mean like |
Proposal A (as before)
Proposal BThe key difference is that the shared secret is updated on every resumption (automatic code rotation). This (very probably) gives us post-compromise security and some other nice things at the cost of a bit of additional protocol complexity.
|
Small clarification: there are no UUIDs in the original, just a mailbox ID (presumably the same one they used for the initial connection) + ('full-strength') PAKE code. |
You are right, they aren't directly needed for Protocol A, at least from a cryptographic point of view. Any other fixed mailbox would do as well. I still kept them because they made the mapping from names to devices a lot more manageable. If we decide in favor of proposal A, I will re-evaluate whether they are still useful or not. |
Okay, so I'd like to be able to tell for a "normal" connection whether or not a seed with that peer has already been established. This is not required, but it would allow the applications to do give significantly better messages. (Otherwise one would get a generic "this is how to persist a seed regardless of whether we already have one with that person or not.) However, this is tricky to do correctly: We at least need stable client identifiers (UUIDs) but those are problematic because they can be spoofed. Which would again prompt me to use public-private key pairs as identifiers. Alternatively, we could always send a list of known seeds, but this would require session identifiers (And I'd have to evaluate the possibilities of metadata tracking first). With either of these, we get a similar complexity as in proposal B even though we do no key rotation. Edit: After further consideration, I'm kind of giving up on this one for now. I'm still open to discuss the subject if someone wants to tackle it, so feel free. This is still a feature worth having. I may come back to this with some new approaches in the future, once I can lift the requirement of not having to change the server protocol. |
So a use-case for such a feature would be two users who connect with a "normal" code, giving the software an opportunity to say "you already have a connection to this user, called 'Alice'" or similar? I'd think of Seeds as "device identifiers/keys" or so. It's hard to imagine how you'd identify an entirely new device (that might still conceptually be "Alice" to the user .. e.g. a new phone or laptop) as a user without something akin to keypairs or some other "across device" identifier (as you say above). Since in exchange for this, you'd essentially be giving up some amount of privacy, I'm thinking that layering this on top of Seeds as an additional (optional) feature is good. That is, you have something that contains a number of Seeds and probably some other unique thing (public/private key makes the most sense to me too) so that you can tie a bunch of things together as "the devices Alice uses", or so. Anyway, might make it easier to reason about if we have two separate things, one building on the other. There'd also have to be some amount of negotiation (or so?) because I'd ideally want the default to be "as anonymous as currently" (that is, not broadcasting your identity-key on every connection .. although I guess you could just make a new, random one and throw it away if you wanted "whatever anonymity there is currently"). I guess the first device could "opt in" by sending their public-key and the second device opts-in by responding with theirs (possibly "only-if they know about the other side's key already"). Separately, it might be also worth thinking about what the UX looks like for each of these. I guess one approximation could be that if the above dance happens, and both sides know about the other side they can ask the human, "new device X detected for user Alice; add it to their {Pod,Garden,Packet,}..?". (Name TBD obviously, but thinking "something that contains Seeds"). Another aspect to consider is if you want separate identity-keys for each pair. I think "probably", because otherwise two users Bob and Carol could determine that the Alice they both know is the same Alice. (This could also be a feature, maybe). It could probably be optional on the client-side; that is any implementation could decide to have "key-pair per Pod" or could decide "consistent key-pair over all Pods". (Aside: I haven't had any time to put into this project recently, so sorry that I've not been very responsive .. but that should change in the new year) |
I think I have solved all my previous problems with the following solution: Proposal CInitialization on normal connections:
Recognize known seeds on normal connections:
Resumption:
Advantages of this approach compared to my previous attempts:
Challenges that I am facing in my prototype implementation:
Some of these could be improved by fixing the server behavior. Also, I'm again thinking about fixing a nameplate instead of a mailbox. This would at least alleviate the first issue. An alternative solution would be to add a flag that disables crowded checking for clients that opt-in. Clients that do that would need to always check the sides of their communication partners and also only use high entropy passwords that are secure against brute forcing. |
I'm worried we've got too many concerns competing here. What is the point of the "auto discovering intersections" between existing seeds? (That does leak privacy information: it tells both sides part of the social graph). I've always considered Seeds to be just a way to quickly (that is, without humans exchanging codes) re-constitute a previous connection between two devices only if both devices opted-in to that in the first place. This opting-in part is implied by the initial API snippet @warner posted ( It's certainly interesting to consider other use-cases and features, especially if they could be layered on top of Seeds however I think there's benefits from keeping these layers separate. For example, any PKI-type things (identities, etc) should live separately because Magic Wormhole itself doesn't include any "accounts" or identities .. although of course applications could already choose to do identity-related things inside the connections. It is desirable to continue to be able to use magic-wormhole without identities at all.
I think this shortcoming would be solved once Dilation is available. Then a single "session" can spin up any number of sub-connections for whatever use-cases are required (e.g. file transfer in this example). Dilation currently is the best way to do multiple transfers (that is, one sub-connection per file transferred).
This is kind of the same as saying that "the Seed" is sensitive, secret information -- and that the mailbox is part of "the Seed". Right?
This sounds worth enumerating the cases where this happens and considering mitigations. Sounds like one case is where two devices try to start two separate sessions with the same Seed. Would this be mitigated if Dilation was implemented? (i.e. if the file-transfer applications didn't try to start a session for a new transfer, but instead created a new sub-connection?). I guess the more-general case would be a user starting two copies of an application and then re-constituting the same Seed? |
This was motivated by the idea that I'd like to have an "after the facts" possibility to store seeds, i.e. without having a dedicated I can still strip that part out if you don't like it / don't want the complexity. Or we could have both ways, as they are not mutually exclusive.
I have to disagree here. I was talking about independent connections, as in different processes of an application. In order to do what you propose, they'd have to coordinate so that only one of them manages the dilated session. This would effectively force all Wormhole clients to become "single instance" applications, and I'd really dislike that (both as a user and as developer).
The mailbox is derived from the seed, and thus (kind of) part of it. It does not need to be kept secret to ensure security and confidentiality, but for safety. |
Oh, while trying to implement your |
Are you asking, "what if both sides do For a normal send/receive they'd determine this the same as before (e.g. "send" creates a code, "receive" enters it). I'm thinking of "make me a seed" as an option here. Semantically, it means "my human wants to use this connection easily in the future" and if both sides have that set, they both save it as a Seed). So if you're sending, and ask for a Seed-name, and you already have that Seed then you are the initiator (and the software wouldn't allocate and spit out a code .. instead saying "tell the other human to start their software with the corresponding Seed", approximately). |
I see, you're saying that leaking the mailbox is fine for security/confidentiality but allows a third-party to disrupt particular communication-pairs. This makes sense as a bit of a different concern ("availability" basically). And the way to mitigate this is "use TLS", approximately .. although that still allows the server to censor particular mailboxes / communication-pairs. |
Okay, so the problem here is if the same application (hence same configuration / state) re-uses the same Seed at the same time as another instance (and possibly for completely different purposes, i.e. different post-connection protocols). This feels like an application concern that implementations could mitigate .. but also it sure would be nice to not force every application have to do "something" here. |
No, you misread. The question is specifically about your proposed
Yes, but I operate under the assumption that the server wants to provide some service and if it didn't want to, then there would be other ways regardless. |
There's no |
I dislike your proposed method for users to create seeds. Having to specify CLI flags (or some equivalent checkbox) beforehand is very likely to lead to a lot of "oops I forgot it again" situations. Also, the way you describe it renders the concept of clients exchanging names pointless. |
The particulars of the CLI was just meant to be an illustration; different UX could be imagined. |
The UX a client can provide is partially limited by the feature set of the API. The only thing I need to change w.r.t. to Warner's initial proposal is that |
To be clear, you mean "on top of the other suggested changes" -- the original leaves "store the Seed" up to the application code whereas the other proposals put that handling into the wormhole implementations (IIUC). Since both sides need to agree to remember the Seed in order for it to work again in the future any "after the fact" remembering would need some kind of further communication to the other side (i.e. "I am remembering this connection; will you?"). To summarize my understanding of the original proposal from application-code perspective, it needs to:
Some notes:
To take the original "whimsical" phrasing and story (I believe I am channeling @warner correctly here ;): you open a wormhole when two different people speak the same magic phrase at (roughly) the same time. Sometimes, the wormhole spits out a Seed spell. If so, you may sprout the same wormhole later when two people cast their Seed spell at (roughly) the same time. Note that in both cases the two ends of the wormhole still have to "do something" at approximately the same time. The protocol will need to add two-way communication of:
I think to fully support a GUI that wants to offer "save this session" after for example a file-transfer (or other application-level interaction) it makes sense to have two separate messages for "I support Seeds" and a different one for "I will save this particular Seed". (This would allow the application to only correctly offer to save the session when both sides support Seeds -- and can support a "decide up front" or a "decide after application-level stuff" workflow, as desired). I think it makes sense to note what the petname is on either side. Thus, for example, Alice can store her Seed as "workstuff for Bronwen" and inside that seed also store the fact that Bronwen called it "foo". This would be useful when they try to re-establish the wormhole -- instead of saying "transfer with code I think this represents a minimal protocol. We could choose to add more complexity in the future. For example, the sides could agree to rotate the code (and/or mailbox) on some schedule (like "on demand" or "every time the session is re-grown") by adding another message for that. Another example could be "I am deleting my Seed" as one way to handle expiry. |
p.s. re-reading some of the discussion I think I see where our understandings diverged:
I believe both those are made explicit in my above comment. |
Actually, I think we agree on more than what you think – most of my previous points were dropped in my "Proposal C" iteration. To make things more clear, maybe have a look at the current prototype implementation (WIP). The public API looks like this:
Notable features that are missing on purpose:
I hope that this helps to clear up some misunderstandings. |
Use-case from magic-wormhole/magic-wormhole#475 : have a cron-job on computer A that computer B can use to connect (at the prearranged time) to do a transfer. This should be possible with Seeds: do a one-time setup procedure to save a Seed for this connection on both A and B and use that Seed for subsequent transfers. (Also, we should ensure this will work with either "classic" or "Dilated File Transfer") |
Seeds should be tangential to dilation and even the application level protocol used at all |
Yes, for sure .. want to make sure the concrete use-cases work correctly though :) |
Migrated from magic-wormhole/magic-wormhole#77, as I think it's a good idea to discuss feature that are not Python-exclusive here.
Basically, both sides of a Wormhole connection would derive a 128-bit mailbox-id and a 256-bit wormhole secret (from the PAKE session key), and store it for later use as a "Seed". This seed is used exactly like a normal wormhole code, except that the mailbox ID is used directly (instead of being treated as a "nameplate" which then points to a mailbox), and the Seed can be reused.
(we don't strictly need to use PAKE each time, but it happens to provide forward-secrecy, and we already have all the code in place.. it'd actually be more work to use a simple non-PAKE KDF).
(also, the wormhole secret could be considerably shorter, and still be safe, but there's no harm in making it full-sized)
The text was updated successfully, but these errors were encountered: