
FIP proposal: A more secure signature method of worker&post account

Simple Summary

In the Filecoin network, miners use worker and PoSt accounts to sign messages. The private keys of the worker and PoSt wallets have to be stored on the Lotus-miner server or another signature server for a long time. Once the server is attacked by hackers and the private key is stolen, the miner will suffer a great loss of assets.

Change Motivation

We propose a different signature method for the worker wallet and PoSt wallet, classifying the messages to protect the miner’s assets.

Specification

In Filecoin, there are two main work accounts: the worker account and the PoSt account.

Worker account: miners use it to submit the PreCommitSector and ProveCommitSector messages when sealing sectors. During these processes, miners need to provide the pledge for the sectors and pay the gas fee (part of the gas fee is paid to the miner that packed the messages and the rest is burned by transferring it to f099). Usually, these transactions are a kind of contract transfer.

PoSt account: miners use it to submit the SubmitWindowedPoSt messages. During these processes, miners also need to pay the gas fee (part of the gas fee is paid to the miner that packed the messages and the rest is burned by transferring it to f099). Usually, these transactions are a kind of non-contract transfer.

So we can classify the transfer messages as follows.

  • Working transfer: the transaction behavior of a miner in the process of sealing sectors, submitting PoSts and so on, including providing the pledge for sectors and paying the gas fee.

  • Financial transfer: transactions that are not working transfers, such as miner A transacting to miner B, miner A transacting to an individual account, or miner A transacting to f099.

Therefore, we can define by smart contract that if the worker account and PoSt account are doing working transfers, which are contract transfers, they just adopt a single signature. However, if they are doing financial transfers, which are non-contract transfers, they are suggested to adopt multi-signature.

In this way, we can effectively protect the miner’s assets from loss when the private key of the worker/PoSt account is stolen.

filecoin-project/FIPs

Answer questions Stebalien

I think I'm getting your point now. The short version is: you want special "limited" accounts that can only:

  1. Pay for gas (cannot send funds).
  2. Ideally only send specific kinds of messages to specific addresses.

This is doable in theory but would require adding some potentially complex logic to the filecoin message validation step. This can't be implemented as a simple smart contract.

This would reduce the incentive for stealing these keys. But do note that:

  1. A key used for window posts can still be used to cost the miner funds by submitting invalid window posts (which can later be disputed).
  2. A key used for pre-commits can be used to make known-bad pre-commits, costing the pre-commit deposit.
  3. A malicious miner could pay themselves a high premium using these keys.
  4. An attacker could simply burn all the gas in these keys.
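
The "limited account" rules discussed in this thread can also be approximated off-chain, as a pre-signing check on the server that holds the worker/PoSt key. The sketch below is an added example, not code from the thread, Lotus or the FIP; `Msg`, `Policy` and `SamplePolicy` are hypothetical names, the miner actor `f01000` and the gas cap are constructed values, and only the method names come from the proposal.

```go
package main

import (
	"fmt"
	"math/big"
)

// Msg is a simplified stand-in for a Filecoin message (hypothetical type).
type Msg struct {
	To        string   // destination address
	Method    string   // method name invoked on To
	GasLimit  int64    // gas units
	GasFeeCap *big.Int // attoFIL per gas unit; also bounds the premium
}

// Policy is what a single worker/PoSt key may sign without co-signers.
type Policy struct {
	MinerActor string          // the only destination allowed
	Methods    map[string]bool // "working" methods
	MaxGasCost *big.Int        // cap on GasLimit*GasFeeCap, in attoFIL
}

// Check returns nil for a working transfer within limits; any error means
// the message counts as a financial transfer and needs multi-signature.
func (p Policy) Check(m Msg) error {
	if m.To != p.MinerActor {
		return fmt.Errorf("destination %s is not the miner actor", m.To)
	}
	if !p.Methods[m.Method] {
		return fmt.Errorf("method %q is not a working method", m.Method)
	}
	worst := new(big.Int).Mul(big.NewInt(m.GasLimit), m.GasFeeCap)
	if worst.Cmp(p.MaxGasCost) > 0 {
		return fmt.Errorf("worst-case gas cost %s attoFIL exceeds cap", worst)
	}
	return nil
}

// SamplePolicy uses constructed values: miner actor f01000, 0.1 FIL gas cap.
func SamplePolicy() Policy {
	return Policy{
		MinerActor: "f01000",
		Methods: map[string]bool{"PreCommitSector": true, "ProveCommitSector": true, "SubmitWindowedPoSt": true},
		MaxGasCost: big.NewInt(100_000_000_000_000_000),
	}
}

func main() {
	fmt.Println(SamplePolicy().Check(Msg{"f1constructed", "Send", 1_000_000, big.NewInt(1_000_000_000)}))
}
```

A signer-side check like this only helps when the key lives behind the signer; it caps the fee on each message but does not stop repeated messages from draining gas, nor the invalid window posts and bad pre-commits listed above.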