[ https://issues.jboss.org/browse/JGRP-2021?page=com.atlassian.jira.plugin.... ] Bela Ban updated JGRP-2021: --------------------------- Description: Although JGroups provides message encryption ({{ENCRYPT}}) and cluster admission control ({{AUTH}}), it _does not_ prevent malicious attacks. For example, if a rogue node creates a minimal stack without encryption or authentication, then it is possible for that member to * Send messages to the cluster * Capture an existing message from a cluster member P, change it (e.g. the seqno) and resend it spooking P's address * Install a new view including itself * Possibly install a new shared key in {{ENCRYPT}}, thereby being able to _receive_ cluster messages h3. Goals 1. Prevent cluster members from delivering messages from a non-member (exceptions are join requests from new members and merge requests) 2. Prevent a non-member from receiving any cluster messages The first goal also prevents rogue views from getting installed, or new shared secrets from being installed into {{ENCRYPT}}. h3. Proposed solution * Use ENCRYPT for encryption of the payload *and the headers* * Now _every message_ carries an encrypt header * (Let's assume for the moment that {{ENCRYPT}} is configured to use a shared key) * When a message is received, it is decrypted using the shared key (this can only be done by members having the shared key) ** If the message doesn't have an encrypt header, it will be dropped h3. Scenarios h4. Catching a message from some member P, modifying it and re-sending it on behalf of P * A rogue member R could catch a message from P by simply joining the same multicast group and port * R could then increment the last seqno seen, e.g. 23, to 24 and send the message on behalf of P * However, the decryption won't work because R doesn't have the shared key. Also, modifying the headers and resending the message won't work as R cannot get at the headers because they're encrypted, too * h4. Installing a rogue view was: Although JGroups provides message encryption ({{ENCRYPT}}) and cluster admission control ({{AUTH}}), it _does not_ prevent malicious attacks. For example, if a rogue node creates a minimal stack without encryption or authentication, then it is possible for that member to * Send messages to the cluster * Capture an existing message from a cluster member P, change it (e.g. the seqno) and resend it spooking P's address * Install a new view including itself * Possibly install a new shared key in {{ENCRYPT}}, thereby being able to _receive_ cluster messages h3. Goals 1. Prevent cluster members from delivering messages from a non-member (exceptions are join requests from new members and merge requests) 2. Prevent a non-member from receiving any cluster messages The first goal also prevents rogue views from getting installed, or new shared secrets from being installed into {{ENCRYPT}}. h3. Proposed solution * Use ENCRYPT for encryption of the payload *and the headers* * Now _every message_ carries an encrypt header * (Let's assume for the moment that {{ENCRYPT}} is configured to use a shared key) * When a message is received, it is decrypted using the shared key (this can only be done by members having the shared key) ** If the message doesn't have an encrypt header, it will be dropped h3. Scenarios h4. Installing a rogue view h4. Catching a message from some member P, modifying it and re-sending it on behalf of P * thus -- This message was sent by Atlassian JIRA (v6.4.11#64026)