You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
TL;DR: Identity providers must redeploy their SIWB instances immediately with the latest build of ic_siwb_provider.
Impact
The SIWB repository provides an authentication protocol for signing in to the Internet Computer using Bitcoin wallets. The core canister functionality is implemented in ic_siwb_provider.
For successful authentication, a user must perform the following steps:
Call siwb_prepare_login with a Bitcoin wallet address and receive a siwe_message that needs to be signed. The Bitcoin address is the address of the wallet that will perform the signature.
Perform the signature and generate a new session key, which will be part of the delegation chain signed by the canister. The ic_siwb_provider offers two signature variants: Bip322Simple and ECDSA. When using an ECDSA signature, you are required to provide an additional ECDSA public key of the wallet.
Call siwb_login with (signature, address, public_key, session_key, sign_message_type). If all verification steps are successful, a delegation is created, and a user principal is generated for the user.
Note
This user principal is bound to the given address, meaning the user will always receive the same principal for the same address
Call siwb_get_delegation with (address, session_key, expiration) to retrieve the delegation, which can then be used to sign messages for the IC on behalf of the user principal received in the last step.
Note
Delegations are self-contained and remain valid until the specified expiration time.
For successful authentication of an ECDSA signature, the siwb_login must perform the following steps:
Verify that the signature is valid for the corresponding siwe_message.
Recover the public_key from the signature.
Check if the retrieved public_key is the same as the one provided.
Check if the address created from the public key is the one provided.
Caution
The current implementation of SIWB, however, does not perform Step 4, which is a crucial step. Without this verification, an attacker can authenticate to any Bitcoin address of their choice by using a random ECDSA key pair, as the linkability between the address and the public_key is not correctly verified.
Furthermore, since principals are bound to the address, after successful authentication and retrieval of a delegation, the attacker gains access to all the funds in ledgers associated with that particular principal.
A fix has been merged in 184c2ed874c3c800241711b2d5fae6d9acf2faae. Identity providers must redeploy their SIWB instances immediately with the latest build of ic_siwb_provider.
Caution
The canister must be upgraded with the same salt and uri that was used during the installation of the ic_siwb_provider canister. Upgrading with a new seed will result in the canister generating new principals and the funds related to old principals will be permanently lost.
Workarounds
Unfortunately, there is no workaround for this attack. Since the IC does not offer delegation revocation, any delegations created before the canister upgrade remain valid until their expiration.
Caution
TL;DR: Identity providers must redeploy their SIWB instances immediately with the latest build of ic_siwb_provider.
Impact
The SIWB repository provides an authentication protocol for signing in to the Internet Computer using Bitcoin wallets. The core canister functionality is implemented in
ic_siwb_provider.For successful authentication, a user must perform the following steps:
siwb_prepare_loginwith a Bitcoin wallet address and receive asiwe_messagethat needs to be signed. The Bitcoin address is the address of the wallet that will perform the signature.ic_siwb_provideroffers two signature variants:Bip322SimpleandECDSA. When using an ECDSA signature, you are required to provide an additional ECDSA public key of the wallet.siwb_loginwith(signature, address, public_key, session_key, sign_message_type). If all verification steps are successful, a delegation is created, and a user principal is generated for the user.Note
This user principal is bound to the given address, meaning the user will always receive the same principal for the same address
siwb_get_delegationwith(address, session_key, expiration)to retrieve the delegation, which can then be used to sign messages for the IC on behalf of the user principal received in the last step.Note
Delegations are self-contained and remain valid until the specified expiration time.
For successful authentication of an ECDSA signature, the
siwb_loginmust perform the following steps:siwe_message.public_keyfrom the signature.public_keyis the same as the one provided.addresscreated from the public key is the one provided.Caution
The current implementation of SIWB, however, does not perform Step 4, which is a crucial step. Without this verification, an attacker can authenticate to any Bitcoin address of their choice by using a random ECDSA key pair, as the linkability between the
addressand thepublic_keyis not correctly verified.Furthermore, since principals are bound to the address, after successful authentication and retrieval of a delegation, the attacker gains access to all the funds in ledgers associated with that particular principal.
ic-siwb/packages/ic_siwb/src/login.rs
Lines 183 to 189 in 246740a
All SIWB deployments made until 246740a4e29747462ae8fa36cf71c36a95992525 are vulnerable to this attack.
Patches
A fix has been merged in 184c2ed874c3c800241711b2d5fae6d9acf2faae. Identity providers must redeploy their SIWB instances immediately with the latest build of
ic_siwb_provider.Caution
The canister must be upgraded with the same
saltandurithat was used during the installation of theic_siwb_providercanister. Upgrading with a new seed will result in the canister generating new principals and the funds related to old principals will be permanently lost.Workarounds
Unfortunately, there is no workaround for this attack. Since the IC does not offer delegation revocation, any delegations created before the canister upgrade remain valid until their expiration.
References