top | item 45305547


ursuscamp | 5 months ago

So, I was part of the Nostr community for quite a while and was the author of a popular Nostr extension for Safari, before eventually giving up on Nostr for various reasons.

I haven't read that entire paper. Mainly, I skipped to the section you mention here:

> The event protocol that drives the system doesn't authenticate public keys, so asymmetric signatures are performative: attackers that can intercept messages (Nostr servers, the presumed adversary of an E2EE messaging system) can just swap out keys and re-sign.

I think you and the authors perhaps misunderstand the Nostr protocol. Nostr is, effectively, an identity system tied to a public key. The cryptography is sound. Your identity is your public key. When you request a user's profile, or their events, you request it specifically by their public key. That is unforgeable (assuming no bugs in the implementation, like what the authors found in Damus).

This does present UX issues that can manifest as security issues, such as "how can you verify that a user with a certain public key is who they say they are instead of an impostor". That is a separate issue from whether the cryptography itself is sound.

tptacek | 5 months ago

If you read the entire paper you'll see that the paper presents a formalized set of security goals that acknowledge Nostr uses public keys as identities. They haven't misunderstood the system. Meanwhile: the cryptography is obviously unsound: it relies on unauthenticated CBC, and signatures that aren't verified, and provides attackers with the ability to coerce users into following links.

jonstaab | 5 months ago

The cryptography was thrown together in the very early days as a proof of concept that reached some level of adoption because of how nostr suddenly grew at the end of 2022. The community has since largely switched to a new standard (NIP 44) which has been independently audited, although there are some popular clients that haven't yet transitioned.

vnuge | 5 months ago

nostr cryptographic developer here (author of libnoscrypt C library)

Nip04 has been deprecated, and to be clear, in practice the nip04 payload is in a signed nip01 event wrapper.

nip44 replaced nip04, which has been reviewed/audited. Does use authenticated encryption in the message payload with forward secrecy, again in practice wrapped in a nip01 event, signed by the author, usually by the same cryptographic software used to encrypt the message.

nip44 is becoming more widely used for direct messages and other "private" metadata stored on relays. It's chacha20 + hkdf.

sealeck | 5 months ago

> how can you verify that a user with a certain public key is who they say they are instead of an impostor

This sounds awfully much like a cryptography problem to me!