You're still signing data structures the wrong way
5 hours ago
- #cryptography
- #serialization
- #domain-separation
- The article addresses the long-standing issue of properly packaging data for cryptographic algorithms, emphasizing the need for canonical outputs and domain separation.
- It illustrates the domain separation problem with a protobuf example: two structurally identical message types, TreeRoot and KeyRevoke, serialize to the same bytes, so a signature over one can be presented as a signature over the other (type confusion leading to signature forgery).
- The proposed solution in FOKS's Snowpack embeds a random, immutable 64-bit domain separator for each type directly into the Interface Definition Language (IDL), so that signing and verification bind the bytes to their type and type confusion is no longer possible.
- Snowpack ensures that domain separators are unique within a project. They are not written into the serialized output (saving bytes); instead, the Go and TypeScript type systems require the separator whenever a type is passed to a cryptographic operation, so the separator is mixed into the signed or hashed input rather than the wire format.
- Snowpack serializes each message as a JSON-like positional array (fields by position, no field names), encoded with Msgpack restricted to the shortest integer encoding. Positional arrays avoid the ordering ambiguity of dictionaries, and the integer restriction makes the output canonical.
- The format supports forward and backward compatibility: old decoders can handle new messages, and retired or newly added fields are carried as nil placeholders at their positions.
- Snowpack also includes support for lists, options, and variants, making it versatile for various use cases, and is open-sourced on GitHub with initial support for Go and TypeScript.