tendermint/docs/tendermint-core/secure-p2p.md

# Secure P2P

The Tendermint p2p protocol uses an authenticated encryption scheme
based on the [Station-to-Station
Protocol](https://en.wikipedia.org/wiki/Station-to-Station_protocol).

Each peer generates an ED25519 key-pair to use as a persistent
(long-term) id.

When two peers establish a TCP connection, they first each generate an
ephemeral ED25519 key-pair to use for this session, and send each other
their respective ephemeral public keys. This happens in the clear.

They then each compute the shared secret. The shared secret is the
multiplication of the peer's ephemeral private key by the other peer's
ephemeral public key. The result is the same for both peers by the magic
of [elliptic
curves](https://en.wikipedia.org/wiki/Elliptic_curve_cryptography). The
shared secret is used as the symmetric key for the encryption algorithm.

The two ephemeral public keys are sorted to establish a canonical order.
Then a 24-byte nonce is generated by concatenating the public keys and
hashing them with Ripemd160. Note Ripemd160 produces 20byte hashes, so
the nonce ends with four 0s.

The nonce is used to seed the encryption - it is critical that the same
nonce never be used twice with the same private key. For convenience,
the last bit of the nonce is flipped, giving us two nonces: one for
encrypting our own messages, one for decrypting our peer's. Which ever
peer has the higher public key uses the "bit-flipped" nonce for
encryption.

Now, a challenge is generated by concatenating the ephemeral public keys
and taking the SHA256 hash.

Each peer signs the challenge with their persistent private key, and
sends the other peer an AuthSigMsg, containing their persistent public
key and the signature. On receiving an AuthSigMsg, the peer verifies the
signature.

The peers are now authenticated.

All future communications can now be encrypted using the shared secret
and the generated nonces, where each nonce is incremented by one each
time it is used. The communications maintain Perfect Forward Secrecy, as
the persistent key pair was not used for generating secrets - only for
authenticating.

## Caveat

This system is still vulnerable to a Man-In-The-Middle attack if the
persistent public key of the remote node is not known in advance. The
only way to mitigate this is with a public key authentication system,
such as the Web-of-Trust or Certificate Authorities. In our case, we can
use the blockchain itself as a certificate authority to ensure that we
are connected to at least one validator.

## Config

Authenticated encryption is enabled by default.

## Specification

The full p2p specification can be found [here](https://github.com/tendermint/tendermint/tree/master/docs/spec/p2p).

## Additional Reading

- [Implementation](https://github.com/tendermint/tendermint/blob/64bae01d007b5bee0d0827ab53259ffd5910b4e6/p2p/conn/secret_connection.go#L47)
- [Original STS paper by Whitfield Diffie, Paul C. van Oorschot and
  Michael J.
  Wiener](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.216.6107&rep=rep1&type=pdf)
- [Further work on secret
  handshakes](https://dominictarr.github.io/secret-handshake-paper/shs.pdf)
Deprecate/refactor content in docs/specification (#1934) * docs: deprecate specification dir, closes #1814 * update genesis * old spec dir, deprecation complete * rm a file 2018-07-11 15:45:10 -04:00			`# Secure P2P`
docs: organize the specification 2017-08-30 19:16:15 -04:00
			`The Tendermint p2p protocol uses an authenticated encryption scheme`
Deprecate/refactor content in docs/specification (#1934) * docs: deprecate specification dir, closes #1814 * update genesis * old spec dir, deprecation complete * rm a file 2018-07-11 15:45:10 -04:00			`based on the [Station-to-Station`
			`Protocol](https://en.wikipedia.org/wiki/Station-to-Station_protocol).`
docs: organize the specification 2017-08-30 19:16:15 -04:00
			`Each peer generates an ED25519 key-pair to use as a persistent`
			`(long-term) id.`

			`When two peers establish a TCP connection, they first each generate an`
			`ephemeral ED25519 key-pair to use for this session, and send each other`
			`their respective ephemeral public keys. This happens in the clear.`

			`They then each compute the shared secret. The shared secret is the`
			`multiplication of the peer's ephemeral private key by the other peer's`
			`ephemeral public key. The result is the same for both peers by the magic`
Deprecate/refactor content in docs/specification (#1934) * docs: deprecate specification dir, closes #1814 * update genesis * old spec dir, deprecation complete * rm a file 2018-07-11 15:45:10 -04:00			`of [elliptic`
			`curves](https://en.wikipedia.org/wiki/Elliptic_curve_cryptography). The`
			`shared secret is used as the symmetric key for the encryption algorithm.`
docs: organize the specification 2017-08-30 19:16:15 -04:00
			`The two ephemeral public keys are sorted to establish a canonical order.`
			`Then a 24-byte nonce is generated by concatenating the public keys and`
			`hashing them with Ripemd160. Note Ripemd160 produces 20byte hashes, so`
			`the nonce ends with four 0s.`

			`The nonce is used to seed the encryption - it is critical that the same`
			`nonce never be used twice with the same private key. For convenience,`
			`the last bit of the nonce is flipped, giving us two nonces: one for`
			`encrypting our own messages, one for decrypting our peer's. Which ever`
			`peer has the higher public key uses the "bit-flipped" nonce for`
			`encryption.`

			`Now, a challenge is generated by concatenating the ephemeral public keys`
			`and taking the SHA256 hash.`

			`Each peer signs the challenge with their persistent private key, and`
			`sends the other peer an AuthSigMsg, containing their persistent public`
			`key and the signature. On receiving an AuthSigMsg, the peer verifies the`
			`signature.`

			`The peers are now authenticated.`

			`All future communications can now be encrypted using the shared secret`
			`and the generated nonces, where each nonce is incremented by one each`
			`time it is used. The communications maintain Perfect Forward Secrecy, as`
			`the persistent key pair was not used for generating secrets - only for`
			`authenticating.`

Deprecate/refactor content in docs/specification (#1934) * docs: deprecate specification dir, closes #1814 * update genesis * old spec dir, deprecation complete * rm a file 2018-07-11 15:45:10 -04:00			`## Caveat`
docs: organize the specification 2017-08-30 19:16:15 -04:00
			`This system is still vulnerable to a Man-In-The-Middle attack if the`
			`persistent public key of the remote node is not known in advance. The`
			`only way to mitigate this is with a public key authentication system,`
			`such as the Web-of-Trust or Certificate Authorities. In our case, we can`
			`use the blockchain itself as a certificate authority to ensure that we`
			`are connected to at least one validator.`

Deprecate/refactor content in docs/specification (#1934) * docs: deprecate specification dir, closes #1814 * update genesis * old spec dir, deprecation complete * rm a file 2018-07-11 15:45:10 -04:00			`## Config`
[docs/specification/secure-p2p] add a note about config 2018-04-09 16:12:35 +02:00
Remove auth_enc config option As we didn't hear any voices requesting this feature, we removed the option to disable it and always have peer connection auth encrypted. closes #1518 follow-up #1325 2018-06-01 21:07:20 +02:00			`Authenticated encryption is enabled by default.`
[docs/specification/secure-p2p] add a note about config 2018-04-09 16:12:35 +02:00
Several minor docs & spec cleanup (#2330) * addr_book_strick=false on local nets * link to spec * spec: remove TODO, see #1749 instead * spec: make issues from TODOs * update docs on addr_book_strict option 2018-09-05 02:30:36 -04:00			`## Specification`

			`The full p2p specification can be found [here](https://github.com/tendermint/tendermint/tree/master/docs/spec/p2p).`

Deprecate/refactor content in docs/specification (#1934) * docs: deprecate specification dir, closes #1814 * update genesis * old spec dir, deprecation complete * rm a file 2018-07-11 15:45:10 -04:00			`## Additional Reading`
docs: organize the specification 2017-08-30 19:16:15 -04:00
lint markdown docs using a stop-words and write-good linters (#2195) * lint docs with write-good, stop-words * remove package-lock.json * update changelog * fix wrong paragraph formatting * fix some docs formatting * fix docs format * fix abci spec format 2018-08-27 15:33:46 +08:00			`- [Implementation](https://github.com/tendermint/tendermint/blob/64bae01d007b5bee0d0827ab53259ffd5910b4e6/p2p/conn/secret_connection.go#L47)`
			`- [Original STS paper by Whitfield Diffie, Paul C. van Oorschot and`
			`Michael J.`
			`Wiener](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.216.6107&rep=rep1&type=pdf)`
			`- [Further work on secret`
			`handshakes](https://dominictarr.github.io/secret-handshake-paper/shs.pdf)`