How to create a 2-way authenticated connection between nodes? (C#)


BobFrancis

Feb 25, 2019, 6:35:18 AM
to grpc.io

Hi, 

I’ve been using gRPC, in C#, for one of my projects and trying to achieve the following: an authenticated P2P link (essentially a 2-way connection) between 2 nodes.

This is currently how I set up the connection: one node has the listening address of the other peer's gRPC server, and when this node starts it creates a channel to the other. Right after creating the Channel it calls an “Auth( )” method exposed by the other peer's service, which will also create a Channel to the first node, so:
  1. Dial peer. 
  2. Call Auth ( auth data ) method
  3. On the other node, create a channel to the caller (he transmits his listening address)
Note that the Auth method takes a pub key and a signature that will be verified by the other peer: this is my custom auth logic. One problem is that I’m not sure how to link subsequent calls to the authenticated channel (actually the channel doesn’t matter too much; what’s more important is to know that the sender of a message has already been authenticated), because the only info I seem to have is ServerCallContext.Peer and I seriously doubt that it can be used.

So my questions:
1 - Is it ok to create a Channel inside one of the server's service methods?
2 - How can I securely link the Channel to auth data? In other words, when someone calls one of the peer's service methods, I need to be able to link it to a peer that has previously been authenticated.

Thanks in advance

Jan Tattermusch

Feb 28, 2019, 2:25:20 PM
to grpc.io
I'm not sure I fully understand, but it seems there's a bit of trying to reinvent the wheel.
Here are the options you have:

- You can create a mutually authenticated secure channel with gRPC. That means both client and server will authenticate each other with a public and private key (under "normal" circumstances, only the client checks that the server knows the private key). This can be set up using additional arguments to SslCredentials and SslServerCredentials.

- If you decide to use "custom" authentication, the usual way to do that is to create a secure channel (this time without mutual authentication) and then the client sends an authentication token (e.g. a JWT) along with each request in the RPC headers.


On Monday, February 25, 2019 at 12:35:18 PM UTC+1, BobFrancis wrote:

> So my questions:
> 1 - Is it ok to create a Channel inside one of the server's service methods?

Yes, that's fine.
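
An added example (not from any poster in this thread) of the first option Jan describes, for the Grpc.Core C# API used here: mutual TLS via the extra arguments to SslServerCredentials and SslCredentials, plus a server interceptor that ties each RPC to the peer certificate the TLS handshake verified, which is what question 2 asks for. The file names, the shared CA, and the Greeter service from the gRPC hello-world sample are assumptions.

```csharp
using System.IO;
using System.Linq;
using System.Threading.Tasks;
using Grpc.Core;
using Grpc.Core.Interceptors;
// Assumed layout: one shared CA (ca.pem) has issued each peer's certificate;
// this node holds node.pem/node.key, used both when serving and when dialling.
static class MutualTlsSetup
{
    // Serving side: present our certificate and require a client certificate that
    // chains to ca.pem. RequestAndRequireAndVerify fails the handshake otherwise.
    public static Server BuildServer(Greeter.GreeterBase impl, int port)
    {
        var ourPair = new KeyCertificatePair(File.ReadAllText("node.pem"), File.ReadAllText("node.key"));
        var serverCreds = new SslServerCredentials(
            new[] { ourPair },
            File.ReadAllText("ca.pem"),
            SslClientCertificateRequestType.RequestAndRequireAndVerify);

        return new Server
        {
            Services = { Greeter.BindService(impl).Intercept(new PeerIdentityInterceptor()) },
            Ports = { new ServerPort("0.0.0.0", port, serverCreds) }
        };
    }

    // Dialling side: trust ca.pem for the remote peer and present the same node certificate.
    public static Channel BuildChannel(string target)
    {
        var ourPair = new KeyCertificatePair(File.ReadAllText("node.pem"), File.ReadAllText("node.key"));
        return new Channel(target, new SslCredentials(File.ReadAllText("ca.pem"), ourPair));
    }
}

// Ties every RPC to the identity the TLS handshake verified, so no separate
// Auth() call has to be remembered and matched to later requests.
class PeerIdentityInterceptor : Interceptor
{
    public override Task<TResponse> UnaryServerHandler<TRequest, TResponse>(
        TRequest request, ServerCallContext context, UnaryServerMethod<TRequest, TResponse> continuation)
    {
        var auth = context.AuthContext;
        if (!auth.IsPeerAuthenticated)
            throw new RpcException(new Status(StatusCode.Unauthenticated, "peer certificate required"));
        // Typically the certificate's common name; compare it against the known-peer list here.
        string peer = auth.PeerIdentity.Select(p => p.Value).FirstOrDefault();
        if (peer == null)
            throw new RpcException(new Status(StatusCode.PermissionDenied, "unknown peer"));
        return continuation(request, context);
    }
}
```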

Bob

Mar 11, 2019, 7:50:51 AM
to grpc.io
Sorry for the late reply.

I've just recently had a bit more time to study gRPC and yes I see what you mean. 

If I use SslCredentials and SslServerCredentials, would I still need to set up the SSL certificate?

Benjamin Krämer

Mar 19, 2019, 9:31:02 AM
to grpc.io

You still have to use a certificate in PEM format. There are some workarounds to use the Windows Certificate Store, but no direct way that I know of (in case you are looking into that).

Sam

Mar 21, 2019, 5:51:19 AM
to grpc.io
Hi, 

Yes, it seems I need the certificate and I can't use the workaround.

To be clear, taking the point of view of the server, as far as gRPC is concerned I don't need to know "who" the other is because I will check on a higher level (the peer signs a piece of data, his identity becomes verified after verification), I just need that when gRPC invokes one of my service methods, I can match this request with the original handshake (that contained the identity of the peer).

I'm thinking maybe self-signed certificates can be used to implement this?

Thanks

Benjamin Krämer

Mar 21, 2019, 6:28:34 AM
to grpc.io
If you are not interested in the "who", you are fine with using only the server-side certificate. No need for a client certificate. This establishes an encrypted connection that you can use to do the AuthN on the higher level. You can use self-signed certificates, just make sure it's trusted by the systems involved.

Sam

Mar 21, 2019, 6:37:16 AM
to grpc.io
What do you mean by "make sure it's trusted by the systems involved"?

Benjamin Krämer

Mar 21, 2019, 7:40:29 AM
to grpc.io
You need to use the SslCredentials constructor that receives the root certificate in order to trust it or to add the root certificate to your trust store of your machine:

using System.IO;
using Grpc.Core;

// Trust a custom roots file (e.g. your self-signed certificate) instead of the system store.
var channelCredentials = new SslCredentials(File.ReadAllText("roots.pem"));
var channel = new Channel("myservice.example.com", channelCredentials);
var client = new Greeter.GreeterClient(channel);

Otherwise the server certificate could not be verified if it's self-signed, and the connection would be closed with an error.

Sam

Mar 22, 2019, 7:07:21 AM
to grpc.io

So with this setup you still need to transmit the certificate from the client to the server?
I'm a bit confused with the example because earlier you said "No need for a client certificate." Is this root certificate (the "roots.pem" file) generated by the server and then given to the client somehow?

Thanks a lot for your help.