mirror of
https://github.com/vacp2p/rfc.git
synced 2025-02-04 19:14:23 +00:00
removes DoS and adds a note about privacy cost
This commit is contained in:
Sanaz
Sanaz Taheri Boshrooyeh
parent
234a326946
commit
8aeb2843dc
@ -10,14 +10,11 @@ authors: Oskar Thorén <oskar@status.im>, Dean Eigenmann <dean@status.im>, Hanno
|
||||
- [Abstract](#abstract)
|
||||
- [Content filtering](#content-filtering)
|
||||
- [Rationale](#rationale)
|
||||
- [Security Requirements](#security-requirements)
|
||||
- [Terminology](#terminology)
|
||||
- [Adversarial Model](#adversarial-model)
|
||||
- [Security Consideration](#security-consideration)
|
||||
- [Protobuf](#protobuf)
|
||||
- [FilterRPC](#filterrpc)
|
||||
- [FilterRequest](#filterrequest)
|
||||
- [MessagePush](#messagepush)
|
||||
- [Security Analysis](#security-analysis)
|
||||
- [Future Work](#future-work)
|
||||
- [Changelog](#changelog)
|
||||
- [Next](#next)
|
||||
@ -55,22 +52,9 @@ It is worth noting that a light node could get by with only using the `store`
|
||||
protocol to query for a recent time window, provided it is acceptable to do
|
||||
frequent polling.
|
||||
|
||||
# Security Requirements
|
||||
|
||||
The `WakuFilter` protocol supports the following security features.
|
||||
|
||||
- **Prevention of Denial of Service (DoS)**: Denial of service signifies the case where an adversarial requesting node exhausts a full node's bandwidth and make it unavailable to the rest of the system. This may happen by either submitting a content filter covering all the existing contents (effectively applying no filter) or by launching a Sybil attack (i.e., creating a large number of nodes) and loading the full node with a mass of subscription requests.
|
||||
|
||||
## Terminology
|
||||
The term Personally identifiable information (PII) refers to any piece of data that can be used to uniquely identify a user. For example, the signature verification key, and the hash of one's static IP address are unique for each user and hence count as PII.
|
||||
|
||||
# Adversarial Model
|
||||
Any node running the `WakuFilter` protocol i.e., both the subscriber node and the queried node are considered as an adversary. Furthermore, we consider the adversary as a passive entity that attempts to collect information from other nodes to conduct an attack but it does so without violating protocol definitions and instructions. For example, under the passive adversarial model, no malicious node intentionally hides the messages matching to one's subscribed content filter as it is against the description of the `WakuFilter` protocol.
|
||||
|
||||
The following are not considered as part of the adversarial model:
|
||||
- An adversary with a global view of all the nodes and their connections.
|
||||
- An adversary that can eavesdrop on communication links between arbitrary pairs of nodes (unless the adversary is one end of the communication). In specific, the communication channels are assumed to be secure.
|
||||
# Security Consideration
|
||||
|
||||
Note that while using `WakuFilter` allows light nodes to save bandwidth, it comes with a privacy cost in the sense that they need to disclose their liking topics to the full nodes to retrieve the relevant messages.
|
||||
|
||||
## Protobuf
|
||||
|
||||
@ -147,11 +131,7 @@ period of time (e.g. a TTL), then the filter node MAY choose to not push these
|
||||
messages to the node. This period is up to the consumer of the protocol and node
|
||||
implementation, though a reasonable default is one minute.
|
||||
|
||||
---
|
||||
# Security Analysis
|
||||
|
||||
- **Prevention of Denial of Service**: DoS attack can be mitigated through accounting model as provided by [Waku Swap Accounting specs](https://github.com/vacp2p/specs/blob/master/specs/waku/v2/waku-swap-accounting.md). In a nutshell, nodes have to pay for the service they obtain from each other, which means, in terms of the `WakuFilter` protocol, the subscribing node will be charged for the messages that it obtains from other full nodes. In addition to incentivizing the service provider, accounting also makes DoS attacks costly for malicious nodes.
|
||||
|
||||
---
|
||||
# Future Work
|
||||
<!-- Alternative title: Filter-subscriber unlinkability -->
|
||||
- **Anonymous filter subscription**: This feature guarantees that nodes can anonymously subscribe for a message filter (i.e., without revealing their exact content filter). As such, no adversary in the `WakuFilter` protocol would be able to link nodes to their subscribed content filers. The current version of the `WakuFilter` protocol does not provide anonymity as the subscribing node has a direct connection to the full node and explicitly submits its content filter to be notified about the matching messages. However, one can consider preserving anonymity through one of the following ways:
|
||||
@ -159,7 +139,6 @@ implementation, though a reasonable default is one minute.
|
||||
Note that the current structure of filter requests i.e., `FilterRPC` does not embody any piece of PII, otherwise, such data fields must be treated carefully to achieve anonymity.
|
||||
- By deploying secure 2-party computations in which the subscribing node obtains the messages matching a content filter whereas the full node learns nothing about the content filter as well as the messages pushed to the subscribing node. Examples of such 2PC protocols are [Oblivious Transfers](https://link.springer.com/referenceworkentry/10.1007%2F978-1-4419-5906-5_9#:~:text=Oblivious%20transfer%20(OT)%20is%20a,information%20the%20receiver%20actually%20obtains.) and one-way Private Set Intersections (PSI).
|
||||
|
||||
|
||||
# Changelog
|
||||
|
||||
### Next
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user