Published on: 2023-09-11T02:20:22+00:00
The email exchange between Christian and Bastien revolves around the topic of implementing security measures within a Hardware Security Module (HSM) for creating runes. Christian agrees with Bastien's point that if they create runes inside the HSM, it will result in the same security model. The decision then comes down to choosing between implementing Bolt 8 or rune management within the HSM. Bastien expresses his preference for Bolt 8 due to its universality and simplicity, but suggests that it might be worth experimenting with both approaches. He also highlights the importance of configuring access control and rights on the lightning node side, emphasizing the need for implementation work to address these details.The email discusses an interesting proposal for implementing a system using runes. The idea is to have the rune managed by a hardware wallet and commit the rune used to authenticate an RPC call commit to the call's payload. This approach ensures that a potentially compromised client cannot authenticate arbitrary calls, as the hardware wallet is required to associate a rune with it, allowing for review. The authentication of RPC calls in this proposal is similar to how it works in greenlight, where the node host is not trusted. In greenlight, authenticated commands are passed forward to the signer for verification before processing any signature request from the node. The decision to authenticate the payload instead of the transport (as done in partonnere) removes the need for a direct connection and provides flexibility in delivering commands.Runes/macaroons do not provide any protection if the machine issuing the RPCs is compromised. In such a scenario, an attacker can modify the parameters of the RPC call, and the lightning node will still execute it without any issues. However, it is important to note that the purpose of Runes/macaroons is to protect certain RPCs that involve payment transactions, such as channel open, channel close, and pay invoice. On the other hand, for "read" RPCs like listing channels, Runes/macaroons are not useful. This means that these types of RPCs can be accessed without any protection. The reason behind this is that performing on-chain operations or making payments through invoices is relatively infrequent for most nodes. Therefore, it makes sense to manually validate these operations. Furthermore, it is worth mentioning that the configuration of Runes/macaroons is fully customizable. This allows users to choose which RPCs they want to protect using Runes/macaroons and which ones they prefer to keep accessible without any additional security measures.The sender questions the need for validating every RPC request with a hardware device and trusted display unless there is a specific use case in mind. They mention their interest in the commando plugin and express the need for additional security features. They highlight that while commando also uses a lightning connection to send commands to a lightning node, it lacks an important aspect that they believe is crucial. The missing feature is the handling of Bolt 8 by the HSM (Hardware Security Module) and the validation of commands using a trusted display. According to the sender, these additions would enhance security without compromising user experience and enable secure remote control from a mobile phone.Bastien has submitted a pull request to the bLIPs repository to document an idea he has been investigating. The idea is to create a simple architecture that allows for securely sending administrative commands to a lightning node from an untrusted machine. This can be done by using a hardware security module (HSM) acting as a whitelisted lightning peer. The architecture utilizes a standard lightning connection as the communication channel and custom lightning messages to send commands. The interesting aspect of this architecture is that it requires minimal changes to the lightning node itself. Bastien mentions that this can be implemented in a custom application running on a Ledger Nano S, which is what he has been exploring. Although the bLIP still needs some work on the actual commands and their encoding, Bastien believes that the most significant part is the HSM app. He suggests that implementing this idea would be very useful and volunteers to provide better specifications and review the implementation. Additionally, he proposes that this work could potentially be done under an open-source grant.
Updated on: 2023-09-12T01:54:23.624242+00:00