Feature/secret keeper and skvs #728
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Secret Keeper has 5 functions.
InitSecretKeeper:
- This function will initialize the key "AUTH_LIST_KEY" with value ["Alice", "Bob"] and key "SECRET_KEY" with value "DefaultSecret".
- This function should only be called once when the application started.
- Of course a malicious user can call this function to reset the value, but this we will assume this is not what an attacker would want to achieve.
RevealSecret:
- This function allow users that in the Authlist ("AUTH_LIST_KEY") able to reveal the value of secret stored under key "SECRET_KEY".
LockSecret:
- This function allow users that in the Authlist ("AUTH_LIST_KEY") able to store a new value of secret under key "SECRET_KEY".
- The old value will be replaced.
AddUser:
- This function allow users that in the Authlist ("AUTH_LIST_KEY") able to add a new user to the Authlist.
- Then the new user can now perform the following four functions (RevealSecret, LockSecret, AddUser, RemoveUser)
RemoveUser:
- This function allow users that in the Authlist ("AUTH_LIST_KEY") able to add remove an existing user off the Authlist.
- Then the removed user can no longer able to perform the following four functions (RevealSecret, LockSecret, AddUser, RemoveUser)
Example using fpc-simple-client:
./fpcclient invoke initSecretKeeper
./fpcclient query revealSecret Alice
./fpcclient invoke lockSecret Bob NewSecret
./fpcclient query revealSecret Alice
./fpcclient invoke removeUser Alice Bob
./fpcclient query revealSecret Alice
./fpcclient query revealSecret Bob // (will failed)
./fpcclient invoke addUser Alice Bob
./fpcclient query revealSecret Bob // (will success)
--------
* implement secret keeper demo
* debug
* create unit test mock rollback attack
---------
Co-authored-by: Chen Chang Lew <[email protected]>
Co-authored-by: tester <tester@fpc>
Signed-off-by: chenchanglew <[email protected]>
Signed-off-by: chenchanglew <[email protected]>
Create a solution for protecting against rollback attack.
Solution: Single Key Value Storage (SKVS)
Just need to apply one line of change in your chaincode main.go to use SKVS solution:
```
secretChaincode, _ := contractapi.NewChaincode(&chaincode.SecretKeeper{})
chaincode := fpc.NewSkvsChaincode(secretChaincode)
```
Skvs solution will store all the key under the main key "SKVS".
before: {"Alice": "DataAlice", "Bob": "DataBob"}
After: {"SKVS": {"Alice": "DataAlice", "Bob": "DataBob"} }
By using this approach we are able to protect against Rollback + key mismatch problem since all the data are now just store under one single key.
Special notes for your reviewer:
This approach is very user friendly because you just need to change one line of your main application to get the properties of rollback protection.
However, which this approach will reduce the performance of FPC a lot because it didn't perform well in concurrent situation because every changes will cause a conflict in their Transactions happened to be in a same block.
Thus if developer would like to use this approach will need to make sure your application doesn't required high throughput and will expected it to update once a while.
----
* add singleKVS wrapper
* able to save into single key
* change to only getState Once
* change storing type and add del state
* refactor part 1 - private can run
* refactor part 2 - skvs run successfully
* remove unnecessary logging change back samples
Signed-off-by: chenchanglew <[email protected]>
Signed-off-by: chenchanglew <[email protected]>
chenchanglew
force-pushed
the
feature/secretKeeperAndSKVS
branch
from
5e48d42
to
35a1862
Compare
|
hi @mbrandenburger, can you help me to review this, thanks |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it:
Add application SecretKeeper and rollback protection SKVS
Which issue(s) this PR fixes:
Part of the solution for #484
Special notes for your reviewer:
to enable SKVS just need to change your application main.go from fpc.NewPrivateChaincode(xxx) to fpc.NewSkvsChaincode(xx)