bitcoinj.github.io - Understanding the bitcoinj security model

Understanding the bitcoinj security model

Bitcoinj.github.io Spined HTML

Understanding the bitcoinj security model Introduction Getting started Documentation Community Understanding the bitcoinj security model Introduction Pending transactions Finney attacksConvictionof confirmed transactions Proving inclusion in a woodcut without the full woodcut soul Understanding the bitcoinj security model Learn well-nigh the difference between full vs simplified modes, and how a bitcoinj app can be attacked. Introduction bitcoinj supports two variegated modes for your application: full verification and simplified verification. The mode you segregate controls the resource usage of your using and how much trust you need in other participants in the Bitcoin system. As a developer, it’s important you understand the differences and in which situations your app can or cannot be trusted. Firstly, let’s recap how a regular full node works. The fundamental problem Bitcoin solves is achieving consensus on who owns what. Every node maintains a database of unspent outputs, and transactions that struggle to spend outputs that don’t exist or were once spent are ignored. Blocks are solved by miners and unconcentrated to ensure everyone agrees on the ordering of transactions, and so nodes that don’t see a unconcentrated transaction for some reason (eg, they were offline at the time) can reservation up. The act of checking, storing and updating the database for every single transaction is quite intensive. Catching up to the current state of the database from scratch is moreover very slow. For this reason, not every computer can run a full node. bitcoinj implements both full mode and simplified payment verification. In this mode, only transactions that are relevant to the wallet are stored. Every other transaction is thrown yonder or simply never downloaded to start with. The woodcut uniting is still used and unconcentrated transactions are still received, but those transactions are not and cannot be checked to ensure they are valid. This mode of operation is fast and lightweight unbearable to be run on a smartphone, but can be defeated in various ways. Pending transactions When a transaction is unconcentrated over the network we say it is pending inclusion in a block. Mining nodes will see the transaction, trammels it for themselves and if it’s valid, include it in the current woodcut they’re trying to solve. Nodes do not relay invalid transactions. Your app will receive pending transactions, add them to the wallet, and run event listeners. However, in SPV mode the only reason you have to believe the transaction is valid is the fact that the nodes you unfluctuating to relayed the transaction. If an attacker could ensure you were unfluctuating to his nodes, this would midpoint they could feed you a transaction that was completely invalid (spent non-existing money), and it would still be wonted as if it was valid.Consideringbitcoinj apps do not winnow incoming connections, the peers you talk to are unchangingly randomly selected at startup (based on DNS seeds today). So it can be difficult for an attacker to tenancy your connectivity like that. For this reason, the number of peers that have spoken a transaction is exposed in the TransactionConfidence object and you can listen on that to learn when new peers have spoken a transaction. Once most of your peers have announced, you can be fairly sure that the transaction is propagating its way wideness the network and is very likely to be valid. There are three potential attacks on this method of gaining confidence. Hijacking your unshortened internet connection and connecting you to a fake network. This is tabbed a Sybil wade and is easiest to pull off when you are using an untrusted internet connection (e.g. coffee shop wifi), or using Tor. Bitcoinj does not support Tor today, so realistically, this snooping is biggest when using a mobile wallet. Exploiting race conditions by dissemination two invalid transactions simultaneously. This technique was explored in a paper by researchers at ETH Zurich. For the technique to work weightier the attacker must be worldly-wise to connect to the victim. bitcoinj apps do not winnow incoming connections (there is no reason for them to do so), so this is difficult to pull off. In future the Bitcoin network will likely relay double spend alerts, but it’s not implemented today. Mining a woodcut that contains a double spend, then ownership a service, then dissemination the block. This is known as a Finney wade and is discussed below. Finney attacks In a Finney wade the attacker mines a woodcut including a spend of some of his coins to flipside write controlled by him. Once he finds a block, he does not unconcentrated it immediately. Instead he goes to a merchant who is unsuspicious unconfirmed transactions and spends the coins. Once he obtained the goods he wanted from the merchant, he broadcasts his woodcut containing the double spend, and takes when the coins. The Finney wade relies on shielding timing and a lot of patience by the attacker: he must wait until he has found a block, which can take a long time. He must be worldly-wise to buy something from a merchant quickly - every second he spends waiting for the goods to be delivered is a second flipside miner may discover and unconcentrated a valid block, making his work worthless. If you meet these criteria you may be susceptible to a Finney attack: You are irreversibly selling something of value in return for pending transactions The attacker can segregate the time of purchase The process of purchasing is relatively fast (less than a few minutes) Here are some examples of merchants that are, or are not, susceptible to the attack: An streamlined online store that sells video game downloads and wants to make the download misogynist immediately, without waiting for confirmations.Consideringit’s an online store that’s unshut 24/7 the attacker can segregate when to perform the purchase.Consideringit’s streamlined the purchasing process is fast.Consideringit’s a download the sale is irreversible unless you can revoke some kind of online licensing check. Susceptible A supermarket. The sale is irreversible once you walk out of the store. However, the attacker does not tenancy the word-for-word time of purchase. It isn’t feasible to zany inside a supermarket waiting for a woodcut solution to be found unless you have a significant fraction of the networks total mining power and are finding blocks every hour.Planeif you were to find a woodcut like that, the time of purchase still varies depending on the queues at the checkout counter. Once a woodcut is found every second counts and you may goof the wade with greater probability the longer you wait, so time taken to purchase matters. Not susceptible An in person currency trade. There is a upper value irreversible transaction taking place. But again, you can’t typically organize and pull off an in-person trade in an instant fashion, it requires increasingly organization superiority of time.Planethough you can suggest a time to meet up with the other person and do the trade, the “process of purchasing” takes a long time. Not susceptible If somebody executes a Finney wade versus your app, the TransactionConfidence conviction type for that transaction will transpiration to DEAD and any event listeners you registered will be called. DEAD transactions should be treated as if the payment has been reversed, and will not be counted towards your balance.Convictionof confirmed transactions Many types of using don’t unhook a service immediately, and there it’s OK to wait for confirmation of transactions via inclusion in the woodcut chain. When a transaction is included into the chain, the TransactionConfidence type changes to BUILDING and you can then wangle the transactions depth (how many blocks have been built on top of this transaction), and work done, which is flipside view of the same thing. For example, immediately without a transaction has appeared in a woodcut its depth is 1 and the work washed-up depends on current network speeds.Withoutan hour, on stereotype there should be 6 blocks though the very value many vary considerably. The transaction conviction listeners run every time a new woodcut is received, so you can register a listener and use that to trigger the act of delivering your goods or services when a conviction level is reached. Recall that conviction can go lanugo as well as up. A “reorganize” is what happens when the uniting you are on is replaced by a new weightier uniting that ran parallel to yours. A re-organize can transpiration your wallet arbitrarily, eg, by making transactions that were previously confirmed unconfirmed or (in the specimen of a double spend) dead. Re-orgs that make a transaction go sufferer are discussed in Satoshis paper, and are slightly variegated to the Finney wade specimen where there is no re-org, just a new weightier block. It’s very rare for re-orgs to transpiration the conviction of transactions that are veiled deep in the chain. Just considering a transaction appears in a woodcut does not midpoint it is valid. Again, bitcoinj apps do not trammels transaction validity. Instead the theorizing is that it’s difficult to build a woodcut uniting containing an invalid woodcut considering you would have to be worldly-wise to outrun the rest of the miners combined. There is one exploit versus this theorizing that is not yet fixed: if an attacker can tenancy your connections to the Bitcoin network, they can prevent you from seeing newly found legitimate blocks and mine their own invalid woodcut containing a bad transaction. This wade is detectable considering unless the attacker can outrun the network (a 51% attack), the speed with which new blocks victorious will waif significantly. In future bitcoinj may offer a “red alert” mode in which things that seem odd are flagged, it would indicate to your app that it’s time to stop trading. If you are delivering something of upper value, how much conviction should you require? The traditional “rule of thumb” is six blocks, or an hour. An volitional way to squint at this is to icon out how long you can realistically wait, then squint at how much work is washed-up on stereotype in that timespan, and then require that much work done. This insulates you from varying interest in mining over time and ensures the forfeit of doing a double spend wade is the same. Proving inclusion in a woodcut without the full woodcut soul To find transactions relevant to your wallet, we have two options. We can download the full woodcut contents and scan all transactions. This is inefficient - much data is downloaded only to be thrown away. Or, we can request transactions that match a pattern from remote nodes. We do this using Bloom filters when the remote node supports them (v0.8 and up). This leads to the question of how you can know the received transaction really did towards in the woodcut chain, if you don’t have a full reprinting of the block. Blocks contain a list of transactions, one without the other. From this list, a Merkle tree is calculated. This structure generates a Merkle root, a single hash value that is then placed in the woodcut header. The tideway is increasingly ramified than the obvious one of simply hashing the concatenation of the transactions, but it has a major advantage: it’s possible to prove a transaction was in a woodcut by providing only that transaction and a Merkle branch. The workshop consists of hashes making up sibling nodes in the original tree. If a node hands you a woodcut header, a transaction and a workshop you can trammels for yourself that the transaction was indeed wonted by the network and is unlikely to have been forged. The workshop takes up much less space than the full woodcut body, so this is a major efficiency win. And multiple transactions can have their merkle branches combined together for plane greater efficiency.