From e081ea4860d8bcbd7dd1c4aa7a994b1c82b311ee Mon Sep 17 00:00:00 2001 From: Jessie Mongeon <133128541+jessiemongeon1@users.noreply.github.com> Date: Fri, 28 Jul 2023 11:10:28 -0500 Subject: [PATCH 1/8] Update general-security-best-practices.md --- .../general-security-best-practices.md | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/docs/developer-docs/security/general-security-best-practices.md b/docs/developer-docs/security/general-security-best-practices.md index 2f2e8a1ee9..7522d7cc4c 100644 --- a/docs/developer-docs/security/general-security-best-practices.md +++ b/docs/developer-docs/security/general-security-best-practices.md 
@@ -107,3 +107,25 @@ For example, we have seen issues where the public key to verify certification wa #### Recommendation Avoid test and dev code in production code whenever possible. + +### Data confidentiality guarantees of data on the Internet Computer + +#### Security concern + +When storing data on the Internet Computer, there are two levels of data access. + +1. Nodes are able to read all data that is stored on a subnet. This includes all messages sent to or from a canister, along with all data stored in a canister. This means a node could extract all data available to a canister. This will change with the implementation of TEE-based security for nodes. + +2. End user clients can only access whatever data that nodes and canisters have made available to them. If a node does not misbehave and leak data, clients can only read the responses to ingress messages and queries that they have sent. The canister decides what data is exposed to the client. + +Data that is stored in the subnet state tree will always leak. Therefore, data with a low-entropy value may entirely leak and be fully exposed, such as a Boolean value that can only be either "True" or "False". Data with a high-entropy is negligible. + +There are two types of user-related data that may be stored in the subnet state tree. The first is when a user sends an ingress message to a canister, the message and the response are both stored in the subnet state tree to be retrieved securely by the client. The ingress message should contain a high-entropy nonce that is implemented by the agent and typically not exposed to the user. The message response is determined by the canister and may not contain a high-entropy value. If the canister response consists of a low-entropy value, then the data may be leaked to users other than the ingress message sender. + +The second type of user-related data is certified variables maintained by a canister that are also exposed through the subnet state tree. 
If a canister places low-entropy data into the state tree, then the data may leak to users who should not have access to that piece of data. + +#### Recommendation + +For developers that need to protect the confidentiality of their data against external users, they should ensure that data in the subnet state tree has a sufficient level of entropy. 128 bits is recommended. If the data does not have enough entropy itself, then adding some artificial data using randomness would be recommended. + +In particular, a canister can ensure that responses to ingress messages do not leak data to external users, other than the sender, by including high-entropy data in the response. Or, a canister can ensure that data in certified variables is not leaked by adding high-entropy data to the variables that should be kept confidential. From 6565cd8afa1d5e34186da14873566b65b1b01c57 Mon Sep 17 00:00:00 2001 From: Jessie Mongeon <133128541+jessiemongeon1@users.noreply.github.com> Date: Fri, 28 Jul 2023 11:14:38 -0500 Subject: [PATCH 2/8] Update general-security-best-practices.md --- docs/developer-docs/security/general-security-best-practices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/developer-docs/security/general-security-best-practices.md b/docs/developer-docs/security/general-security-best-practices.md index 7522d7cc4c..810c8c5751 100644 --- a/docs/developer-docs/security/general-security-best-practices.md +++ b/docs/developer-docs/security/general-security-best-practices.md @@ -108,7 +108,7 @@ For example, we have seen issues where the public key to verify certification wa Avoid test and dev code in production code whenever possible. -### Data confidentiality guarantees of data on the Internet Computer +### Data confidentiality on the Internet Computer #### Security concern From 9ac99c2b4fbafea312a1c062c8e14e38db556ae2 Mon Sep 17 00:00:00 2001 
From: Jessie Mongeon <133128541+jessiemongeon1@users.noreply.github.com> Date: Fri, 28 Jul 2023 11:19:26 -0500 Subject: [PATCH 3/8] Update docs/developer-docs/security/general-security-best-practices.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Björn Tackmann <54846571+Dfinity-Bjoern@users.noreply.github.com> --- docs/developer-docs/security/general-security-best-practices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/developer-docs/security/general-security-best-practices.md b/docs/developer-docs/security/general-security-best-practices.md index 810c8c5751..2398976f08 100644 --- a/docs/developer-docs/security/general-security-best-practices.md +++ b/docs/developer-docs/security/general-security-best-practices.md 
@@ -118,7 +118,7 @@ When storing data on the Internet Computer, there are two levels of data access. 2. End user clients can only access whatever data that nodes and canisters have made available to them. If a node does not misbehave and leak data, clients can only read the responses to ingress messages and queries that they have sent. The canister decides what data is exposed to the client. -Data that is stored in the subnet state tree will always leak. Therefore, data with a low-entropy value may entirely leak and be fully exposed, such as a Boolean value that can only be either "True" or "False". Data with a high-entropy is negligible. +Partial information on data that is stored in the subnet state tree will always leak. Therefore, data with a low-entropy value may entirely leak and be fully exposed, such as a Boolean value that can only be either "True" or "False". Leakage on data with a high-entropy is negligible. There are two types of user-related data that may be stored in the subnet state tree. The first is when a user sends an ingress message to a canister, the message and the response are both stored in the subnet state tree to be retrieved securely by the client. The ingress message should contain a high-entropy nonce that is implemented by the agent and typically not exposed to the user. The message response is determined by the canister and may not contain a high-entropy value. If the canister response consists of a low-entropy value, then the data may be leaked to users other than the ingress message sender. From 68328f3fa205fb8417f2b2961d2a3fd24957494c Mon Sep 17 00:00:00 2001 
From: Jessie Mongeon <133128541+jessiemongeon1@users.noreply.github.com> Date: Mon, 31 Jul 2023 09:51:47 -0500 Subject: [PATCH 4/8] Update docs/developer-docs/security/general-security-best-practices.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Robin Künzler <60650552+robin-kunzler@users.noreply.github.com> --- docs/developer-docs/security/general-security-best-practices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/developer-docs/security/general-security-best-practices.md b/docs/developer-docs/security/general-security-best-practices.md index 2398976f08..e086007a66 100644 --- a/docs/developer-docs/security/general-security-best-practices.md +++ b/docs/developer-docs/security/general-security-best-practices.md 
@@ -116,7 +116,7 @@ When storing data on the Internet Computer, there are two levels of data access. 1. Nodes are able to read all data that is stored on a subnet. This includes all messages sent to or from a canister, along with all data stored in a canister. This means a node could extract all data available to a canister. This will change with the implementation of TEE-based security for nodes. -2. End user clients can only access whatever data that nodes and canisters have made available to them. If a node does not misbehave and leak data, clients can only read the responses to ingress messages and queries that they have sent. The canister decides what data is exposed to the client. +2. End user clients can only access whatever data that nodes and canisters have made available to them. If the subnet's nodes do not misbehave and leak data, clients can only read the responses to ingress messages and queries that they have sent. The canister decides what data is exposed to the client. Partial information on data that is stored in the subnet state tree will always leak. Therefore, data with a low-entropy value may entirely leak and be fully exposed, such as a Boolean value that can only be either "True" or "False". Leakage on data with a high-entropy is negligible. From 3aaf17f59e20afadd7220f422dd413f0edd52db4 Mon Sep 17 00:00:00 2001 From: Jessie Mongeon <133128541+jessiemongeon1@users.noreply.github.com> Date: Mon, 31 Jul 2023 09:53:03 -0500 Subject: [PATCH 5/8] Update general-security-best-practices.md --- .../general-security-best-practices.md | 44 +++++++++---------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/docs/developer-docs/security/general-security-best-practices.md b/docs/developer-docs/security/general-security-best-practices.md index e086007a66..12a63442d1 100644 --- a/docs/developer-docs/security/general-security-best-practices.md +++ b/docs/developer-docs/security/general-security-best-practices.md 
@@ -22,6 +22,28 @@ The responses to [query calls](/references/ic-interface-spec.md#https-interface) - Examples are asset certification in [Internet Identity](https://github.com/dfinity/internet-identity/blob/b29a6f68bbe5a49d048e12bc7a3263a9f43d080b/src/internet_identity/src/main.rs#L775-L808), [NNS dapp](https://github.com/dfinity/nns-dapp/blob/372c3562127d70c2fde059bc9c268e8ae858583e/rs/src/assets.rs#L121-L145), or the [canister signature implementation in Internet Identity](https://github.com/dfinity/internet-identity/blob/main/src/internet_identity/src/signature_map.rs). +### Data confidentiality on the Internet Computer + +#### Security concern + +When storing data on the Internet Computer, there are two levels of data access. + +1. Nodes are able to read all data that is stored on a subnet. This includes all messages sent to or from a canister, along with all data stored in a canister. This means a node could extract all data available to a canister. This will change with the implementation of TEE-based security for nodes. + +2. End user clients can only access whatever data that nodes and canisters have made available to them. If the subnet's nodes do not misbehave and leak data, clients can only read the responses to ingress messages and queries that they have sent. The canister decides what data is exposed to the client. + +Partial information on data that is stored in the subnet state tree will always leak. Therefore, data with a low-entropy value may entirely leak and be fully exposed, such as a Boolean value that can only be either "True" or "False". Leakage on data with a high-entropy is negligible. + +There are two types of user-related data that may be stored in the subnet state tree. The first is when a user sends an ingress message to a canister, the message and the response are both stored in the subnet state tree to be retrieved securely by the client. 
The ingress message should contain a high-entropy nonce that is implemented by the agent and typically not exposed to the user. The message response is determined by the canister and may not contain a high-entropy value. If the canister response consists of a low-entropy value, then the data may be leaked to users other than the ingress message sender. + +The second type of user-related data is certified variables maintained by a canister that are also exposed through the subnet state tree. If a canister places low-entropy data into the state tree, then the data may leak to users who should not have access to that piece of data. + +#### Recommendation + +For developers that need to protect the confidentiality of their data against external users, they should ensure that data in the subnet state tree has a sufficient level of entropy. 128 bits is recommended. If the data does not have enough entropy itself, then adding some artificial data using randomness would be recommended. + +In particular, a canister can ensure that responses to ingress messages do not leak data to external users, other than the sender, by including high-entropy data in the response. Or, a canister can ensure that data in certified variables is not leaked by adding high-entropy data to the variables that should be kept confidential. + ## Nonspecific to the Internet Computer The best practices in this section are very general and not specific to the Internet Computer. This list is by no means complete and only lists a few very specific concerns that have led to issues in the past. 
@@ -107,25 +129,3 @@ For example, we have seen issues where the public key to verify certification wa #### Recommendation Avoid test and dev code in production code whenever possible. - -### Data confidentiality on the Internet Computer - -#### Security concern - -When storing data on the Internet Computer, there are two levels of data access. - -1. Nodes are able to read all data that is stored on a subnet. This includes all messages sent to or from a canister, along with all data stored in a canister. This means a node could extract all data available to a canister. This will change with the implementation of TEE-based security for nodes. - -2. End user clients can only access whatever data that nodes and canisters have made available to them. If the subnet's nodes do not misbehave and leak data, clients can only read the responses to ingress messages and queries that they have sent. The canister decides what data is exposed to the client. - -Partial information on data that is stored in the subnet state tree will always leak. Therefore, data with a low-entropy value may entirely leak and be fully exposed, such as a Boolean value that can only be either "True" or "False". Leakage on data with a high-entropy is negligible. - -There are two types of user-related data that may be stored in the subnet state tree. The first is when a user sends an ingress message to a canister, the message and the response are both stored in the subnet state tree to be retrieved securely by the client. The ingress message should contain a high-entropy nonce that is implemented by the agent and typically not exposed to the user. The message response is determined by the canister and may not contain a high-entropy value. If the canister response consists of a low-entropy value, then the data may be leaked to users other than the ingress message sender. 
- -The second type of user-related data is certified variables maintained by a canister that are also exposed through the subnet state tree. If a canister places low-entropy data into the state tree, then the data may leak to users who should not have access to that piece of data. - -#### Recommendation - -For developers that need to protect the confidentiality of their data against external users, they should ensure that data in the subnet state tree has a sufficient level of entropy. 128 bits is recommended. If the data does not have enough entropy itself, then adding some artificial data using randomness would be recommended. - -In particular, a canister can ensure that responses to ingress messages do not leak data to external users, other than the sender, by including high-entropy data in the response. Or, a canister can ensure that data in certified variables is not leaked by adding high-entropy data to the variables that should be kept confidential. From 76ced04bc52281bbd2f81dfc1e7ace9e58a80fba Mon Sep 17 00:00:00 2001 From: Jessie Mongeon <133128541+jessiemongeon1@users.noreply.github.com> Date: Mon, 31 Jul 2023 10:03:39 -0500 Subject: [PATCH 6/8] Update general-security-best-practices.md --- docs/developer-docs/security/general-security-best-practices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/developer-docs/security/general-security-best-practices.md b/docs/developer-docs/security/general-security-best-practices.md index 12a63442d1..f6ea73a323 100644 --- a/docs/developer-docs/security/general-security-best-practices.md +++ b/docs/developer-docs/security/general-security-best-practices.md 
@@ -36,7 +36,7 @@ Partial information on data that is stored in the subnet state tree will always There are two types of user-related data that may be stored in the subnet state tree. The first is when a user sends an ingress message to a canister, the message and the response are both stored in the subnet state tree to be retrieved securely by the client. The ingress message should contain a high-entropy nonce that is implemented by the agent and typically not exposed to the user. The message response is determined by the canister and may not contain a high-entropy value. If the canister response consists of a low-entropy value, then the data may be leaked to users other than the ingress message sender. -The second type of user-related data is certified variables maintained by a canister that are also exposed through the subnet state tree. If a canister places low-entropy data into the state tree, then the data may leak to users who should not have access to that piece of data. +The second type of user-related data is certified variables maintained by a canister that are also exposed through the subnet state tree. If a canister places low-entropy data into the state tree, then the data may leak to users who should not have access to that piece of data. For more information on the confidentiality of certified variables, please see the [IC interface spec documentation.](https://github.com/dfinity/interface-spec/blob/master/spec/index.md#request-read-state-http-read-state) #### Recommendation From e0341ae259bd742e9375eadb6b2f20a4b890672f Mon Sep 17 00:00:00 2001 From: Jessie Mongeon <133128541+jessiemongeon1@users.noreply.github.com> Date: Mon, 31 Jul 2023 14:18:56 -0500 Subject: [PATCH 7/8] Update docs/developer-docs/security/general-security-best-practices.md Co-authored-by: mraszyk <31483726+mraszyk@users.noreply.github.com> --- docs/developer-docs/security/general-security-best-practices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/developer-docs/security/general-security-best-practices.md b/docs/developer-docs/security/general-security-best-practices.md index f6ea73a323..e7d7295446 100644 --- a/docs/developer-docs/security/general-security-best-practices.md +++ b/docs/developer-docs/security/general-security-best-practices.md 
@@ -34,7 +34,7 @@ When storing data on the Internet Computer, there are two levels of data access. Partial information on data that is stored in the subnet state tree will always leak. Therefore, data with a low-entropy value may entirely leak and be fully exposed, such as a Boolean value that can only be either "True" or "False". Leakage on data with a high-entropy is negligible. -There are two types of user-related data that may be stored in the subnet state tree. The first is when a user sends an ingress message to a canister, the message and the response are both stored in the subnet state tree to be retrieved securely by the client. The ingress message should contain a high-entropy nonce that is implemented by the agent and typically not exposed to the user. The message response is determined by the canister and may not contain a high-entropy value. If the canister response consists of a low-entropy value, then the data may be leaked to users other than the ingress message sender. +There are two types of user-related data that may be stored in the subnet state tree. The first is when a user sends an ingress message to a canister, the message hash and the response are both stored in the subnet state tree to be retrieved securely by the client. The ingress message should contain a high-entropy nonce that is implemented by the agent and typically not exposed to the user. The message response is determined by the canister and may not contain a high-entropy value. If the canister response consists of a low-entropy value, then the data may be leaked to users other than the ingress message sender. The second type of user-related data is certified variables maintained by a canister that are also exposed through the subnet state tree. If a canister places low-entropy data into the state tree, then the data may leak to users who should not have access to that piece of data. 
For more information on the confidentiality of certified variables, please see the [IC interface spec documentation.](https://github.com/dfinity/interface-spec/blob/master/spec/index.md#request-read-state-http-read-state) From be8a0a20f6849b7bb0457c56a28769d52c22a44d Mon Sep 17 00:00:00 2001 From: Jessie Mongeon <133128541+jessiemongeon1@users.noreply.github.com> Date: Mon, 31 Jul 2023 17:53:30 -0500 Subject: [PATCH 8/8] adding info on canister private custom sections --- .../security/general-security-best-practices.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/developer-docs/security/general-security-best-practices.md b/docs/developer-docs/security/general-security-best-practices.md index e7d7295446..625560fc8a 100644 --- a/docs/developer-docs/security/general-security-best-practices.md +++ b/docs/developer-docs/security/general-security-best-practices.md 
@@ -36,7 +36,7 @@ Partial information on data that is stored in the subnet state tree will always There are two types of user-related data that may be stored in the subnet state tree. The first is when a user sends an ingress message to a canister, the message hash and the response are both stored in the subnet state tree to be retrieved securely by the client. The ingress message should contain a high-entropy nonce that is implemented by the agent and typically not exposed to the user. The message response is determined by the canister and may not contain a high-entropy value. If the canister response consists of a low-entropy value, then the data may be leaked to users other than the ingress message sender. -The second type of user-related data is certified variables maintained by a canister that are also exposed through the subnet state tree. If a canister places low-entropy data into the state tree, then the data may leak to users who should not have access to that piece of data. For more information on the confidentiality of certified variables, please see the [IC interface spec documentation.](https://github.com/dfinity/interface-spec/blob/master/spec/index.md#request-read-state-http-read-state) +The second type of user-related data is certified variables maintained by a canister that are also exposed through the subnet state tree. If a canister places low-entropy data into the state tree, then the data may leak to users who should not have access to that piece of data. #### Recommendation 
@@ -44,6 +44,8 @@ For developers that need to protect the confidentiality of their data against ex In particular, a canister can ensure that responses to ingress messages do not leak data to external users, other than the sender, by including high-entropy data in the response. Or, a canister can ensure that data in certified variables is not leaked by adding high-entropy data to the variables that should be kept confidential. +Additionally, similarly to ingress message responses, a canister's private custom sections that contain low-entropy data could leak to unauthorized users. Therefore, a sufficent level of entropy for canister private custom sections should be used. 128 bits is recommended. If the data does not have enough entropy itself, then adding some artificial data using randomness would be recommended. + ## Nonspecific to the Internet Computer The best practices in this section are very general and not specific to the Internet Computer. This list is by no means complete and only lists a few very specific concerns that have led to issues in the past.
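Review bot: Placement problem in patch 1, hunk @@ -107,3 +107,25 @@: the new "Data confidentiality" section is appended directly after "Avoid test and dev code in production code whenever possible.", i.e. at the tail of the "Nonspecific to the Internet Computer" part, although everything in it (subnets, nodes, canisters, the subnet state tree) is IC-specific. Patch 5 of this series moves it, so please squash the series before merge so the misplaced version never lands in history. In the same hunk, "Data that is stored in the subnet state tree will always leak." overstates the concern and "Data with a high-entropy is negligible." is not a sentence; both are reworded in patch 3 and should likewise be squashed. Two smaller points: "For developers that need to protect the confidentiality of their data against external users, they should ensure" dangles, and reads better as "Developers who need to protect the confidentiality of their data against external users should ensure"; and the commit subject "Update general-security-best-practices.md" is the GitHub default, a subject such as "Add data confidentiality section to security best practices" would make the history searchable.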
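Review bot: Missing reasoning step in patch 3, hunk @@ -118,7 +118,7 @@: "Partial information on data that is stored in the subnet state tree will always leak. Therefore, data with a low-entropy value may entirely leak" draws a conclusion without saying what the partial information is. Since patch 7 later makes explicit that it is the message hash that sits in the tree, state here that what is exposed is a hash of the stored value, so the few possible candidates for a low-entropy value (the "True"/"False" Boolean in the example) can each be checked against it, whereas a high-entropy value cannot; that is what makes the 128-bit recommendation below follow from the concern instead of appearing as a bare number. Also "Leakage on data with a high-entropy is negligible." should read "Leakage of high-entropy data is negligible." (high-entropy is an adjective, and leakage is "of" data).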
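Review bot: Unsupported forward-looking claim in the context of patch 4, hunk @@ -116,7 +116,7 @@: item 1 ends with "This will change with the implementation of TEE-based security for nodes." with no date, link or hedge; either link the roadmap item or phrase it as planned work ("This is expected to change once ..."). The change itself from "a node" to "the subnet's nodes" is correct, since the guarantee depends on the subnet as a whole, not a single node. One stray word in the changed line: "whatever data that nodes and canisters have made available to them" should drop "that".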
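Review bot: Two caveats missing from the Recommendation in patch 5, hunk @@ -22,6 +22,28 @@ (the moved block matches the one removed in hunk @@ -107,25 +129,3 @@ byte for byte, so the move itself is fine). First, "adding some artificial data using randomness would be recommended" should say that the random data must come from a cryptographically secure source and be generated by the canister, not supplied by the client. Second, it must be fresh per value: if the same secret padding is reused, two variables holding the same plaintext yield the same hash and the tree still reveals which entries are equal. For "adding high-entropy data to the variables that should be kept confidential", add one sentence that clients verifying a certified variable need to know where the padding is so they can strip it, otherwise the padding breaks every existing verifier of that variable.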
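Review bot: Link formatting and target in patch 6, hunk @@ -36,7 +36,7 @@: the period is inside the link text in "[IC interface spec documentation.](https://github.com/dfinity/interface-spec/blob/master/spec/index.md#request-read-state-http-read-state)" and should move outside the brackets. The URL also points at the `master` branch of the interface-spec repository, which drifts, while this same file already links the spec as `/references/ic-interface-spec.md#https-interface` (see the context line of patch 5); use that docs-site path with the read_state anchor for consistency.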
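Review bot: Follow-up needed in patch 7, hunk @@ -34,7 +34,7 @@: changing "the message and the response" to "the message hash and the response" is a correctness fix worth keeping, but the next sentence, "The ingress message should contain a high-entropy nonce that is implemented by the agent and typically not exposed to the user.", now introduces the nonce without saying what it protects. State that the nonce is what keeps the message hash unpredictable to anyone other than the sender; as written a reader cannot tell whether the nonce guards the hash or the response content, and the contrast with "The message response is determined by the canister and may not contain a high-entropy value." depends on that.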
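Review bot: Unexplained revert in patch 8, hunk @@ -36,7 +36,7 @@: the spec link added in patch 6 is dropped again, and the commit subject "adding info on canister private custom sections" does not mention it. If the `master`-branch GitHub URL was the problem, replace it with the `/references/ic-interface-spec.md` path this file already uses rather than removing the only pointer to the read_state section of the spec.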
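Review bot: Structure and a typo in patch 8, hunk @@ -44,6 +44,8 @@: "sufficent" should be "sufficient". The new paragraph states a concern ("a canister's private custom sections that contain low-entropy data could leak to unauthorized users") inside the Recommendation subsection; move that sentence up to "#### Security concern" as a third kind of exposed data alongside ingress responses and certified variables, and say how private custom sections are exposed, since "similarly to ingress message responses" points at a paragraph that itself gives no mechanism. The last two sentences, "128 bits is recommended. If the data does not have enough entropy itself, then adding some artificial data using randomness would be recommended.", repeat the earlier recommendation verbatim; fold private custom sections into that existing sentence instead of duplicating it.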