Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Anti-DoS Library State Validations #3

Open
marcoonroad opened this issue Nov 20, 2018 · 0 comments
Open

Anti-DoS Library State Validations #3

marcoonroad opened this issue Nov 20, 2018 · 0 comments
Labels
enhancement New feature or request help wanted Extra attention is needed question Further information is requested

Comments

@marcoonroad
Copy link
Owner

The replicated and distributed nature of Git may lead to huge security breaches. Nowadays, Git repositories are wrapped under either HTTPS or SSH to accept updates performed by git push. The cloning may be unauthenticated. Therefore, this scheme implies in a rather centralized approach to protect Git repositories.

In our planned solution, a good approach might be to receive the update order from any node, but to validate the consistence of the provided commits by using Git Hooks. Keep in mind that nodes might provide valid commits and yet, at the same time, attack the internal state by flooding, aiming a DoS. A Proof-of-Work scheme can help here.

The replication may be performed by Swarm/P2P networks, but it's not our responsibility to implement that. Our responsibility is only the mergeable nature of the application state repository, by avoiding any prior kind of Network Replication, the replication can be made in many ways, for instance, extracting and packing ZIP files, etc.

An implemented quite good and strong encryption algorithm (such as Twofish) could be used to protect the seeds/private keys, and therefore, backup the user's wallet keys by the mean of data replication. A Post-Quantum mechanism to sign the commits (akin to GPG keys) is interesting as well, and it's possible to bootstrap this library to sign its own Git state repository through the Irmin's commit information layer.

Note:

It doesn't mean that our library will maintain a fully sync and up-to-date internal Git state by blockchain-alike replication. Really, our goal is not to create the next blockchain. Well, perhaps not just within this library. Our goal is to enable a client wallet be usable in many kind of devices, such as smart phones and notebooks. By dropping the network replication assumption and only focus on the mergeability, the customer/user can use a layered authentication mechanism on top of that, which would enable the synchronization of the state among his devices.

The validation here is not just to avoid intentional attacks, but also unintentional mistakes which could introduce bugs and typos on the internal persisted library state. An error correction algorithm for the Git state would fit well here.
@marcoonroad marcoonroad added enhancement New feature or request help wanted Extra attention is needed question Further information is requested labels Nov 20, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request help wanted Extra attention is needed question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@marcoonroad