This repository has been archived by the owner on Apr 29, 2020. It is now read-only.

How Does Node Identity Work? #238

Closed
glowkeeper opened this issue Mar 16, 2017 · 9 comments

Comments

@glowkeeper

I'm trying to understand how identities work in IPFS. This question is related to #236

Anyway; I run this to initialise an IPFS repository:

ipfs init
initializing ipfs node at /Users/auser/.ipfs
generating 2048-bit RSA keypair...done
peer identity: Qmcpo2iLBikrdf1d6QU6vXuNb6P7hwrbNPW9kLAH8eG67z

The IPFS architecture specs (https://github.com/ipfs/specs/tree/master/architecture) state this:

The IPFS network uses PKI-based identity. An "ipfs node" is a program that can find, publish, and replicate merkledag objects. Its identity is defined by a private key. Specifically:

privateKey, publicKey := keygen()
nodeID := multihash(publicKey)

So is this 'PKI-based identity' a self-signed certificate using the RSA keypair? How is that 2048-bit RSA keypair generated? Is there some default/automated passphrase or some such used? Forgive me if it's obvious, but I'd really appreciate a thorough explanation.

@hsanjuan
Member

hsanjuan commented Mar 16, 2017

IPFS generates a regular RSA key pair.

The Peer ID is the hash of the public key. When peers connect to each other they exchange public keys. The communications are encrypted using those keys. You can check that the peer ID matches the hash of the public key provided by a peer to ensure you are talking to the right person.

IPFS stores the [private] RSA key in the configuration. No passphrase. There is no self-signed certificate involved in the whole process.

@glowkeeper
Author

@hsanjuan thanks! Where is that [private] RSA key stored?

@glowkeeper
Author

And how does the RSA key generation work, exactly? Does it just pick a modulus and exponent at random?

@hsanjuan
Member

hsanjuan commented Mar 16, 2017

@glowkeeper stored in ~/.ipfs/config by default.

It uses https://golang.org/pkg/crypto/rsa/#GenerateKey with a random source seeded with current time nanoseconds. (https://godoc.org/github.com/libp2p/go-libp2p-crypto)

@Kubuxu

Kubuxu commented Mar 16, 2017

with a random source seeded with current time nanoseconds.

That is not true, it uses Golang's crypto/rand module that uses entropy sources provided by system.

@hsanjuan
Member

@Kubuxu thanks, I should have checked before speaking

@glowkeeper
Author

@hsanjuan, earlier you said: "You can check that the peer ID matches the hash of the public key provided by a peer to ensure you are talking to the right person." That checking is where I'd imagine a signature or some such like would come into play, but there is no signature. So how does that process work?

Forgive me for blathering on. And feel free to tell me: "go look for yourself!" and point me in the direction of the source ;)

@hsanjuan
Member

@glowkeeper you don't need a signature because your name (peer ID) is the hash of your public key. If a node tried to use someone else's identity it would not be able to provide a public key which had the same hash as the original to match the ID that it is trying to use. (I mean, it would be able to provide the original public key from the true peer, but it would not have the private key so it couldn't decode any of the data sent to it).

Other than that there are no trust schemes or authorities like, say, with web certificates.

@flyingzumwalt
Contributor

This issue was moved to https://discuss.ipfs.io/t/how-does-node-identity-work/317
