Tenfingers @lemmy.mindoki.com Valmond @lemmy.mindoki.com 2mo ago

Vulnerability 1 [WIP]

Thank you [email protected] for detecting this vulnerability.

A vulnerability was found:

A malevolent node can spoof data if:

It is sharing the specific data
It has access to the link file

Note: both conditions must be met.

Because it has now access to the AES key pair in the link file and can encode bad data and serve it to an eventual client.

Solution:

Add a payload to each data which is generated like this:

SHA256 the data
Encrypt the SHA with the private RSA key

Check it with the public RSA that is already in the link file when downloading data by:

When the data is fully downloaded:

Remove the SHA256 from the data
Decrypt it with the public RSA key in the link file
SHA256 the data (the data without the SHA256)
Compare the two SHA, if not identical then there has been errors or tampering.

1 comments

The version is now also verified so that a malevolent node cannot masquerade and serve an old, correct, dataset like it was a newer version.