Validator key rotation

[nickray]

Is this a BUG REPORT or FEATURE REQUEST? (choose one):
FEATURE REQUEST

The current implementation has the following definition of validator (according to spec)

type Validator struct {
    Address     []byte
    PubKey      PubKey
    VotingPower int64
}

This implies there is a corresponding private key which is very valuable. In production, either the key is copied to the validating server (at risk of theft), or according to current best practice the key pair is generated on a HSM. In which case the risk of theft is lowered, but still non-zero. Additionally, failover of the validating server becomes impossible unless one has a clone of the HSM pre-attached to a different machine. I remark that in case of theft, there is no on-chain mechanism to deal with this, except a slow painful death by slashing (in Cosmos) for those who do not unbond fast enough...

In order to be concrete, as a basis for discussion, I propose changing the validator struct to the following:

type Validator struct {
    Address       []byte
    OwningPubKey  PubKey  // used to authorize changes of SigningPubKey
    SigningPubKey PubKey  // used to sign proposals+votes
    VotingPower   int64
}

Where

• the OwningPubKey can send a transaction to change the SigningPubKey to an arbitary value
• the consensus protocol would generally accept such a transaction.

From my understanding of the consensus reactor, the ProposalMessage and VoteMessage would be signed by the current SigningPubKey, whereas a new "SigningKeyChangeMessage" would be added, to be signed by the OwningPubKey.

Effectively, the OwningPubKey becomes a certification authority for its SigningPubKey, taking cues from PKI theory:

• Setting the SigningPubKey to zero means revoking the key.
• Setting a new non-zero value means rotating the key.

I believe this change would not weaken the safety of the protocol, but I do not have a deep enough understanding to make such a claim. Does it?

This proposal allows keeping the OwningPubKey completely offline and separated from the operational setup. It also allows anonymous owners of bonded stake (in the Cosmos case) to listen to changes in the SigningPubKey.

Possible additional extensions (not proposed here, mentioned to illustrate the advantage of separating the roles of the current "one PubKey to rule them all"):

• field Operational bool, indicating if a validator is in operation. Alternatively, a zero SigningPubKey value could imply that a validator is not operational
• additional subkeys could be added, e.g. MessagingPubKey, with associated transaction types, communicating for instance various fees the validator extracts

[nickray]

Alternatively, the Tendermint Validator struct would stay the same, and changes would be handled in state at the Application level? Then SigningPubKey would be a Tendermint concept, while OwningPubKey would be a Cosmos/other app concept.
It may still be useful to model the two validator key roles explicitly.

[nickray]

Clarification in response to a question by "bascule" in the validator chat.

AFAIK how things currently work is:

• Tendermint currently has a list of (validator, weight) pairs (independently of ABCI apps like Cosmos)
• Initial distribution comes from the genesis block
• Updates to this list are generated by polling the app
• Cosmos updates the list according to when accounts bond or unbond Atoms to validator node pubkeys

So:

• the Cosmos app would need a concept of "owner" of a validator (the above owning key, maybe rather an owning address). This is the root key in other terminology.
• this owner can send a Cosmos message to replace the signing pubkey. This entails revoking the old key.
• the Tendermint protocol technically only still only needs the signing pubkey. If it were aware of the owner concept however, it could maintain better continuity (e.g. for the round based proposer election)

[tarcieri]

As an alternative, a more traditional approach to solving this problem is to use some sort of PKI with support for certificate chains and certificate revocation lists CRLs. When I say "some sort" it could be the X.509 PKI, but it doesn't have to be: several things use artisanal homebrew certificates, including OpenPGP, SSH, dnscrypt, and ØMQ.

In a system with a PKI, the validator struct would probably end up looking something like this:

type Validator struct {
    Address     []byte
    RootCert    Certificate
    VotingPower int64
}

You'd want to make sure whatever certificate system is deployed has a basic feature set, though:

• A root CA certificate/key, analogous to OwningPubKey above, ideally kept completely offline
• Leaf certificates, analogous to SigningPubKey above
• Certificate revocation lists (CRLs) containing a blacklist of previously issued keys which should no longer be trusted, or some other revocation mechanism
• Optional: intermediate certificates, e.g. you could have an offline root, and an online intermediate. This would be helpful for replacing CRLs with online status checks or a "stapling" mechanism

The private key associated with the root certificate in such a system is used to sign both the leaf certificates and the CRL. The CRL needs to be online somewhere (in the X.509 PKI the root CA cert contains a URL where the CRL can be fetched from, for example). It can be fetched the first time a particular leaf certificate is seen and then cached until it expires.

If there is a need to rotate/revoke a key, a new leaf cert can be issued using the root CA, and a new CRL signed. When a new certificate is seen for the first time, the CRL should be re-fetched, and if it's newer than the old one used in its place.

An alternative approach to revocation is the one used by GPG: whenever a leaf is issued, a "revocation certificate" is also issued, which needs to be stored securely but is less sensitive than the root CA cert, so it can be kept online somewhere. If lost, it can be regenerated using the root CA cert. Once it's been published, anyone who sees it should disavow the key it identifies.

The main advantage of a PKI approach over the one @nickray gave is it doesn't require coordination with other validators to issue new leaf certificates, allowing validators to perform key rotations in a coordination-free manner. It's arguably a bit more complicated but stateless from the perspective of the other validators. It's also a more traditional approach to solving this particular problem, and therefore fairly well-studied with lots of precedent to draw on.

A disadvantage would be handling of certificate chains: to validate a signature now, you need the whole chain. Naively you'd have to store the whole chain with every signature, which would significantly increase the space required for signatures. In a more optimized approach, you could pass a certificate chain the first time it is ever used, and from then on refer to the entire chain using some compact identifier, which ideally should be no bigger than a hash.

I'm not saying you should use X.509 in particular, but Go does happen to have one of the most fantastic X.509 libraries ever written built into its standard library:

https://golang.org/pkg/crypto/x509/

Cloudflare wrote a CA which is effectively just a wrapper around it:

https://github.com/cloudflare/cfssl

I think it wouldn't be too hard to write some cosmos-specific tooling for managing an offline CA and using X.509 in a not-completely-obnoxious manner. That is to say, rather than actually using cfssl, you can look to it for guidance about how to write an X.509 CA using the Go standard library, and then produce some cosmos-specific tooling which fits into the existing key generation workflow.

I can look into the state of specification work for using X.509 with Ed25519 but my understanding is it's in "rough consensus and running code" stage and it should just be a matter of using the proper OIDs to identify Ed25519.

[nickray]

Oh my :)

What I don't like about this solution is the external URL it introduces to fetch and update the CRL. Have you thought through the failure modes of this?

It also seems as if one cannot simply start at the genesis block and iterate through the blocks and transactions to verify the chain?

I think we agree that the root key does not belong near any production node in a data center, and the question of what to do if a production signing key/leaf certificate is compromised needs to be thought out before rolling out Cosmos.

Would be good to have some feedback from @ebuchman

[tarcieri]

What I don't like about this solution is the external URL it introduces to fetch and update the CRL. Have you thought through the failure modes of this?

Anyone dealing with an X.509 PKI which uses CRLs has thought through the failure modes of this, a line of inquiry which has lead to things like OCSP to replace CRLs. Failure to fetch the CRL fails closed. CRLs have a number of issues and may not be the best solution, but they're an easy enough one to get started with.

Keep in mind though that the CRL only needs to be fetched when a new certificate is seen for the first time from a given issuer or when the CRL expires.

It also seems as if one cannot simply start at the genesis block and iterate through the blocks and transactions to verify the chain?

This generally seems like a difficult problem unless you store the entire set of certificates which were valid at a given point in time on-chain. As it were, systems like Certificate Transparency and Revocation Transparency actually do that in practice, but implementing something like that out-of-the-gate sounds rather difficult, and I'm not sure verifying signatures for the entire history of the chain even makes sense considering that some of the keys may be compromised anyway.

In your proposal, how do you track which SigningPubKeys were valid at a given point in time? It seems like validators would only know the current state of which SigningPubKeys were valid, which runs afoul of the same issue that they have no context for how to interpret historical SigningPubKeys.

[nickray]

The validators are a dynamic set, defined by Cosmos app, right? The idea is to model the owner of a validator in the app. So the owner can send a transaction changing the signing key (similar to `gaia client tx declare-candidacy/delegate etc.). When this transaction is committed in a block, it takes effect. Am I missing something?

[tarcieri]

If that information is tracked on-chain, then great. I'm still unclear what the workflow for that would look like though, particularly in terms of using the offline root key to, in effect, certify a new signing key, and then publishing that information to the rest of the validators. Somewhere in there you will need to roll what is in effect a simple certificate system, and then publish those certifications.

[nickray]

It's a simplistic model.

Effectively, the private key of the "owning address" plays the role of certificate authority, having the same vulnerability as the private key of the current "validator PubKey" currently has, except it can be kept safely offline. Certifying a new signing key means a) generating a random new one, b) sending something like gaia client tx set-signing-pubkey <validator identifier> <new pubkey>.

I think my proposal evolved a little since formulated. There is no need for an OwningPubKey, just for a unique identifier to keep proposer right rotation consistent. Shall I try and rewrite it?

[tarcieri]

Yes, please do rewrite it, however I think your description above is missing a few steps. You need the following at a minimum to support an offline root:

1. Generate new signing private key (i.e. in an HSM) and obtain the pubkey
2. Copy signing public key to offline root signer. In more traditional PKIX nomenclature the request copied to the offline signer would be a certificate signing request (CSR)
3. Sign the pubkey/CSR with the root private key, obtaining a signature and/or certificate for the new signing subkey
4. Copy the signature/certificate from the offline signer to the validator node
5. Inform the other validators of the new signing key. Note this needs both the new public key and the signature from the root key.

One nice thing about certificates is they encapsulate both the public key and the signature in a single message. So you could do something like:

 gaia client tx set-signing-cert <validator identifier> <new certificate>

Otherwise if you want to use "naked" pubkeys, you'd need something like this:

 gaia client tx set-signing-pubkey <validator identifier> <new pubkey> <pubkey signature>

[tarcieri]

So based on this discussion, I'd recommend something like @nickray's approach, but in conjunction with some sort of simple, non-X.509 certificate system to encapsulate signing requests and signed public keys.

A certificate would need to include the SigningPubKey and signature from the OwningPubKey at a minimum.

I would strongly suggest they also contain the following:

• Algorithm identifiers: the algorithm ID + public key are known as Subject Public Key Info (SPKI) in X.509, and a "SPKI hash" identifies the key
• Nonce: I would recommend this be uniformly random, at least 128-bits, and located at the beginning of the certificate, as nonces of this nature can defend against chosen prefix collisions on whatever hash function is used to compute the certificate digest
• Issuer: the certificate itself commits to the signer

[nickray]

Coming back to this with full support! In my proposal, the mental model was that a Cosmos account "owned" the validator, and so the account's signature (of the CSR, phrased in your/standard terms) was part of the message sent. But I completely agree that the root key of the validator should be a separate entity (of any account key).

So with this, any account can send the signed certificate (which is also nice) and everything is recorded in the blockchain.

I hope this will make it into the launch release!