[Ndn-interest] a question on validating pure sha256 in ndn-cxx validator

Lan Wang (lanwang) lanwang at memphis.edu
Wed Mar 10 11:16:01 PST 2021


My former student Laqin Fan was working on HMAC support.  Below is some information in case it’s useful to you.  If you are interested, you can continue her work.
------
Here is the patch on Gerrit, https://gerrit.named-data.net/c/ndn-cxx/+/5537 . Last year, I was working on my thesis and didn’t get a chance to follow up on this issue.

Laqin
------
> On Mar 10, 2021, at 1:59 AM, Justin Park = 세형 via Ndn-interest <ndn-interest at lists.cs.ucla.edu> wrote:
> 
> Hi all,
> 
> I made a patch for digest-sha256 verification and submitted it through gerrit.named-data.net.
> However, I have some follow-up questions.
> 
> According to NDN Specification, "SignatureHmacWithSha256" is also assigned as one of SignatureTypes.
> But I think in order for the Validator to verify Hmac packets, the module needs to add the secret key as a parameter to perform Hmac validation.
> Could you tell me the status and plans for Hmac validation?
> 
> Best,
> 
> Justin
> 
> On Mon, Mar 8, 2021 at 5:59 PM Justin Park = 세형 <justin.labry at gmail.com> wrote:
> Thank you Junxiao for the crystal clear explanation.
> Alex, I tried the latest version (master) of ndn-cxx and nfd, but the result was exactly the same.
> I'll try to look into the source code and see what I can do about the sha256 patch.
> 
> Justin
> 
> On Mon, Mar 8, 2021 at 12:23 PM Alex Afanasyev <aa at cs.fiu.edu> wrote:
> Hi Justin,
> 
> Thanks for debugging.  Using validator for sha256 (not really a valid signature) may not make too much sense, but we did some fixing in the checker that should get a bit farther (it was actually in what is currently the last commit of the master branch).   You may want to re-check with the latest commit and see if it fixes your problem; if not, hope you can make and submit a patch.
> 
> -
> Alex
> 
>> On Mar 7, 2021, at 9:06 PM, Justin Park = 세형 via Ndn-interest <ndn-interest at lists.cs.ucla.edu> wrote:
>> 
>> Hi all,
>> 
>> Last Friday, I was working with NDN-CXX (0.7.0) for rsa-sha256, ecdsa-sha256, and sha256 validation. 
>> The first two (rsa-sha256, ecdsa-256) had no trouble, but I had some issues with sha256.
>> Of course, I followed the instruction below:
>> https://named-data.net/doc/ndn-cxx/current/tutorials/security-validator-config.html
>> 
>>   checker
>>   {
>>     type customized
>>     sig-type sha256
>>     key-locator
>>     {
>>       type name
>>       name /localhost/identity/digest-sha256
>>       relation equal
>>     }
>>   }
>> 
>> However, when I tried something with sig-type sha256, I got “Internal implementation error.”
>> 
>> %9Bhq%A82%5B%AF%22%A7G%5E%B7%16%7C%1F8%93%AC?Nonce=f0547aea from forwarder
>> 1615167042.071117 DEBUG: [ndn.Face] <I /data/4?MustBeFresh&Nonce=8f696b08
>> 1615167042.071596 DEBUG: [ndn.Face] >D /data/4
>> 1615167042.071643 DEBUG: [ndn.Face]    satisfying /data/4?MustBeFresh&Nonce=8f696b08 from app
>> 1615167042.071655 DEBUG: [ndn.security.Validator] > Start validating data /data/4
>> 1615167042.071660 TRACE: [ndn.security.validator_config.Rule] Trying to match /data/4
>> 1615167042.071675 TRACE: [ndn.security.validator_config.Rule] Trying to check /data/4 with keyLocator /localhost/identity/digest-sha256
>> 1615167042.073762 DEBUG: [ndn.security.ValidationState] > Internal implementation error (Validator/policy did not invoke success or failure callback)
>> 
>> To find the cause of errors, I followed the ndn-cxx source code from Validator::validate, to ValidationPolicyConfig::checkPolicy
>> to getKeyLocatorName, to Checker::check, to extractIdentityFromKeyName.
>> And I tentatively concluded that ndn-cxx doesn’t have the facility to validate pure “sha256” in the same manner as rsa-sha256 and ecdsa-sha256.
>> 
>> I also found that ndn-cxx has verifyDigest in verification-helper.cpp, but verifyDigest is only referenced in unit test code.
>> 
>> My question is whether my speculation is right, and I also want to know the status and future plans regarding sha256 verification in Validator.
>> 
>> Thank you,
>> 
>> Justin
>> 
>> 
>> ===================================
>> const Name&
>> SigningInfo::getDigestSha256Identity()
>> {
>>   static Name digestSha256Identity("/localhost/identity/digest-sha256");
>>   return digestSha256Identity;
>> }
>> 
>> ===================================
>> Name
>> extractIdentityFromKeyName(const Name& keyName)
>> {
>>   if (!isValidKeyName(keyName)) {
>>     NDN_THROW(std::invalid_argument("Key name `" + keyName.toUri() + "` "
>>                                     "does not respect the naming conventions"));
>>   }
>> 
>>   return keyName.getPrefix(-Certificate::MIN_KEY_NAME_LENGTH); // trim everything after and including "KEY"
>> }
>> _______________________________________________
>> Ndn-interest mailing list
>> Ndn-interest at lists.cs.ucla.edu
>> http://www.lists.cs.ucla.edu/mailman/listinfo/ndn-interest
> 
> ______________
> Alex Afanasyev
> Assistant Professor, SCIS, Florida International University
> 11200 SW 8th Street, PG6 Room 140D, Miami, FL 33199
> phone: +1.305.348.4960 (office); email: aa at cs.fiu.edu
> web: https://users.cs.fiu.edu/~afanasyev/
> 
> 

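The distinction this thread turns on, as an added Python sketch (not part of the original messages and not ndn-cxx code): a DigestSha256 value can be recomputed by anyone, while SignatureHmacWithSha256 can only be checked by a verifier that is handed the shared secret. The packet bytes, the key name /example/hmac-key and the key-store dictionary are constructed for illustration; the SignatureType numbers are those assigned in the NDN packet specification.

```python
import hashlib
import hmac

# SignatureType numbers assigned by the NDN packet specification.
DIGEST_SHA256 = 0
HMAC_WITH_SHA256 = 4


def sign(signed_portion, sig_type, key=None):
    """Compute the signature value over the signed portion of a packet."""
    if sig_type == DIGEST_SHA256:
        return hashlib.sha256(signed_portion).digest()
    if sig_type == HMAC_WITH_SHA256:
        if key is None:
            raise ValueError("HMAC signing requires a shared secret key")
        return hmac.new(key, signed_portion, hashlib.sha256).digest()
    raise ValueError("unsupported signature type %d" % sig_type)


def verify(signed_portion, sig_type, sig_value, hmac_keys=None, key_name=None):
    """Return True only if sig_value matches; fail closed on missing keys."""
    if sig_type == DIGEST_SHA256:
        # No key involved: this proves integrity, not who produced the packet.
        expected = hashlib.sha256(signed_portion).digest()
    elif sig_type == HMAC_WITH_SHA256:
        # The verifier must be configured with the secret (hypothetical store).
        key = (hmac_keys or {}).get(key_name)
        if key is None:
            return False
        expected = hmac.new(key, signed_portion, hashlib.sha256).digest()
    else:
        return False
    return hmac.compare_digest(expected, sig_value)


def demo():
    """Run both signature types against original and altered content."""
    original = b"/data/4|payload=hello"   # constructed sample bytes
    altered = b"/data/4|payload=HELLO"    # same name, modified content
    keys = {"/example/hmac-key": b"constructed-shared-secret"}
    name = "/example/hmac-key"
    mac = sign(original, HMAC_WITH_SHA256, keys[name])
    # A party holding no key can still recompute a plain digest.
    redigest = hashlib.sha256(altered).digest()
    return {
        "digest_ok": verify(original, DIGEST_SHA256, sign(original, DIGEST_SHA256)),
        "digest_accepts_altered": verify(altered, DIGEST_SHA256, redigest),
        "hmac_ok": verify(original, HMAC_WITH_SHA256, mac, keys, name),
        "hmac_without_key": verify(original, HMAC_WITH_SHA256, mac),
        "hmac_accepts_altered": verify(altered, HMAC_WITH_SHA256, redigest, keys, name),
    }
```
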

