[Lightning-dev] Reason for having HMACs in Sphinx
decker.christian at gmail.com
Thu Nov 29 17:13:29 UTC 2018
the HMACs are necessary in order to make sure that a hop cannot modify
the packet before forwarding, and the next node not detecting that
One potential attack that could facilitate is that an attacker could
learn the path length by messing with different per-hop payloads: set
n=0 the attacker flips bits in the nth per-hop payload, and forwards
it. If the next node doesn't return an error it was the final recipient,
if if returns an error, increment n and flip bits in the (n+1)th per-hop
payload, until no error is returned. Congratulation you just learned the
path length after you. The same can probably be done with the error
packet, meaning you can learn the exact position in the route. Add to
that the information you already know about the network (cltv_deltas,
amounts, fees, ...) and you can probably detect sender and recipient.
Adding HMACs solves this by ensuring that the next hop will return an
error if anything was changed, i.e., removing the leak about which node
would have failed the route.
Corné Plooy via Lightning-dev <lightning-dev at lists.linuxfoundation.org> writes:
> Is there a reason why we have HMACs in Sphinx? What could go wrong if we
> A receiving node doesn't know anyway what the origin node is; I don't
> see any attack mode where an attacker wouldn't be able to generate a
> valid HMAC.
> A receiving node only knows which peer sent it a Sphinx packet;
> verification that this peer really sent this Sphinx packet is (I think)
> already done on a lower protocol layer.
> AFAICS, The only real use case of the HMAC value is the special case of
> a 0-valued HMAC, indicating the end of the route. But that's just silly:
> it's essentially a boolean, not any kind of cryptographic verification.
> Lightning-dev mailing list
> Lightning-dev at lists.linuxfoundation.org
More information about the Lightning-dev