Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug in Sphinx padding allows for last hop to learn the route length #42

Closed
david415 opened this issue Nov 17, 2019 · 4 comments · Fixed by #40
Closed

bug in Sphinx padding allows for last hop to learn the route length #42

david415 opened this issue Nov 17, 2019 · 4 comments · Fixed by #40

Comments

@david415
Copy link

I do not know if your use of the Sphinx packet format is such that variable length routes are used... however you should know that your Sphinx packet implementation does leak the route length to the last hop.

According to the recently submitted paper: Breaking and (Partially) Fixing Provably Secure Onion Routing, ( https://arxiv.org/abs/1910.13772 ) there is a padding bug where a sphinx implementation creates a header and in so doing uses zeros to pad the beta field whereas random data should be used instead because of the use of the stream cipher...

https://github.com/UCL-InfoSec/sphinx/blob/c05b7034eaffd8f98454e0619b0b1548a9fa0f42/SphinxClient.py#L67

# The os.urandom used to be a string of 0x00 bytes, but that's wrong
beta = dest + id + os.urandom(((2 * (p.r - nu) + 2)*p.k - len(dest)))
beta = p.xor(beta,
p.rho(p.hrho(asbtuples[nu-1]['s']))[:(2*(p.r-nu)+3)*p.k]) + phi

This bug, that is, if beta were padded with zeros instead of random bytes would allow
an adversary to determine the length of the route. This adversary would have to be the last hop and it could then XOR the beta portion of the header with zero bytes to learn how many skipped hops the Sphinx packet had.
@david415
Copy link
Author

here the zero bytes are created:
https://github.com/lightningnetwork/lightning-onion/blob/master/sphinx.go#L204

this right shift fills the gap with zero as well:
https://github.com/lightningnetwork/lightning-onion/blob/master/sphinx.go#L234

here some data is copied to our mixHeader slice... where the remainder of the slice length
is only zero bytes:
https://github.com/lightningnetwork/lightning-onion/blob/master/sphinx.go#L241

the entire mixHeader slice is then XOR'ed with a stream cipher:
https://github.com/lightningnetwork/lightning-onion/blob/master/sphinx.go#L246

therefore the last hop may in fact XOR the beta portion of the header with zero bytes to learn the number of hops in the route used by the Sphinx packet.

@david415
Copy link
Author

oops hi. i just now realized there's already a pull request to fix this:
#40

@Roasbeef
Copy link
Member

Yep, thanks for making this issue in either case!

@Roasbeef Roasbeef mentioned this issue Nov 22, 2019
Merged
@david415
Copy link
Author

Yep, I had to fix Yawning's Go Sphinx, my Rust Sphinx and one line in our Sphinx spec file :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

sphinx: pad out the starting packet with random bytes Roasbeef/lightning-onion
2 participants
@david415 @Roasbeef