Cloud instructions

.gitignore

@@ -1,3 +1,5 @@
+node1/
+node2/
 *.key
 *.csr
 *.crt

README.md

@@ -1,11 +1,19 @@
-## TLS connections encapsulating Hyperledger Besu RPLx communication 
+## TLS connections encapsulating Hyperledger Besu RPLx communication
+
 This is a proof of concept for TLS encryption of the communication between two Hyperledger Besu nodes.
 
 According to its specification, Ethereum nodes uses RLPx protocol for communication between nodes. This protocol carries encrypted messages using the ECIES method and all cryptographic operations are based on the secp256k1 elliptic curve.
 
 Instead of replacing the RLPx protocol, we created a TLS tunnel between the peers, and then we redirected all the RLPx traffic through it.
 
-This proof of concept is builded on top of [stunnel](https://www.stunnel.org/) which relies on the _de facto_ standard [OpenSSL](https://www.openssl.org/) for all the cryptographic operations.
+This proof of concept is built on top of [stunnel](https://www.stunnel.org/) which relies on the _de facto_ standard [OpenSSL](https://www.openssl.org/) for all the cryptographic operations.
+
+## Configuration
+
+There are two ways to test the TLS tunnel between the peers:
+
+- using dockers: Follow the instructions as described inside the "docker" folder
+- cloud configuration: Follow the instructions as described in the [cloud section](cloud/README.md) file.
 
 ## Copyright 2020 LACChain
 

cloud/README.md

@@ -0,0 +1,32 @@
+# RLPX Tunnel configuration - cloud environments
+
+## Requirements
+
+- Provide 2 virtual machines(nodes), on each machine install an ethereum client, for example Hyperledger Besu
+- Configure those nodes in such a way that both can communicate in a custom ethereum network.
+
+## Configure tunnels
+
+1. install [liboqs related packages](config/LIBOQS.md) on each virtual machine.
+2. configure [stunnel service file](config/STUNNEL.md) on each node.
+3. Configure tls certificates: Create two sets of server certificates by following these [instructions](config/README.md). To simplify the configuration just use the same rootCA to sign each participant certificate.
+4. For each set of 'certificate.key'/'certificate.crt', move those to each virtual machine. One set for each virtual machine. Once moved to each virtual machine you have to locate these files inside the folder "node1"/"node2" respectively. Remember that in step 3 you created these folders and moved them to the respective virtual machines.
+5. You are almost ready. Now it is time to start the tunnels and direct the traffic to stunnel services. Enter to the virtual machine 1 and enter into the folder "node1" (that you previously moved to that virtual machine). Now from there make sure all sh files are executable. **Note**: The same thing applies for node2.
+
+## Start tunnels on each machine
+
+Located on node1 or node2 in virtual machines 1 or 2 respectively execute the following command on each machine:
+
+```shell
+./start-tunnels.sh && systemctl stop pantheon && sleep 4s && systemctl restart pantheon
+```
+
+In this case the command will start the tunnel, modify the firewall configuration and finally will restart the ethereum client to make the changes effective. In this case the client was configured and customized with the [ansible lacchain configuration](https://lacnet.lacchain.net/using-ansible/)
+
+## Stop tunnels
+
+Stopping the tunnel is as simple as:
+
+```shell
+./stop-tunnels.sh && systemctl restart pantheon
+```

cloud/config/LIBOQS.md

@@ -0,0 +1,36 @@
+# Lacchain Liboqs installation guide:
+
+- Enter as root
+
+```shell
+sudo -i
+```
+
+- Update
+
+```shell
+apt-get update && apt-get install --no-install-recommends -yV \
+    dpkg-dev \
+    wget \
+    ca-certificates
+```
+
+- Install liboqs related packages
+
+```shell
+mkdir /debs/
+wget --directory-prefix=/debs/ https://github.com/lacchain/liboqs-debian/releases/download/0.4.0/liboqs_0.4.0_amd64.deb
+wget --directory-prefix=/debs/ https://github.com/lacchain/oqs-openssl-debian/releases/download/OQS-OpenSSL_1_1_1-stable-snapshot-2020-07/libssl1.1_1.1.1g-1+oqs-2020-07_amd64.deb
+wget --directory-prefix=/debs/ https://github.com/lacchain/oqs-openssl-debian/releases/download/OQS-OpenSSL_1_1_1-stable-snapshot-2020-07/openssl_1.1.1g-1+oqs-2020-07_amd64.deb
+wget --directory-prefix=/debs/ https://github.com/lacchain/liboqs-debian/releases/download/0.4.0/SHA256SUMS
+wget https://github.com/lacchain/oqs-openssl-debian/releases/download/OQS-OpenSSL_1_1_1-stable-snapshot-2020-07/SHA256SUMS -O ->> /debs/SHA256SUMS
+
+cd /debs/ && sha256sum --check --ignore-missing --status SHA256SUMS && dpkg-scanpackages . /dev/null | gzip -9c > Packages.gz
+echo "deb [trusted=yes] file:/debs ./" >> /etc/apt/sources.list
+
+apt update && apt install -y --allow-downgrades \
+    libssl1.1=1.1.1g-1+oqs-2020-07 \
+    stunnel
+
+rm -rf /var/lib/apt/lists/*
+```

cloud/config/README.md

@@ -0,0 +1,55 @@
+# Certificates
+
+Before starting make sure you have configured the liboqs related libraries, you can follow these [steps](LIBOQS.md) to have the postquantum openssl version.
+
+## Root CA
+
+Let's create a root key compliant with falcon-512, this root key wil be used to sign certificates created by each participant (in our case each virtual machine that hosts the ethereum node)
+
+### Create Root Key
+
+#### Falcon-512 (Post quantum resistant)
+
+```shell
+$ openssl genpkey -algorithm falcon512 -out rootCA.key
+```
+
+### Create and self sign the Root Certificate
+
+```shell
+$ openssl req -x509 -new -nodes -key rootCA.key -subj "/C=US/ST=CA/O=IADB/CN=godmode" -sha512 -days 1024 -out rootCA.crt
+```
+
+## Server certificate
+
+Now for each participant (in our case each virtual machine that hosts the ethereum node) lets create a post quantum signed certificate
+
+### Create server certificate key
+
+Each participant creates a server.key (their private key)
+
+#### Falcon-512
+
+```shell
+$ openssl genpkey -algorithm falcon512 -out certificate.key
+```
+
+### Create Certificate Signing Request for server
+
+Now the participant creates a certificate signing request (CSR)
+
+```shell
+$ openssl req -new -sha512 -key certificate.key -subj "/C=US/ST=CA/O=IADB/CN=server" -out certificate.csr
+```
+
+### Generate the certificate using the CSR and key along with the CA Root key
+
+Now the root CA signs the CSR by using rootCA key with Falcon512 algorithm
+
+```shell
+$ openssl x509 -req -in certificate.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out certificate.crt -days 500 -sha512
+```
+
+## Further steps
+
+You can repeat the same server certificate generation process using the same root CA key. So at a later point these participants will use it to securely communicate with each other over the internet.

cloud/config/STUNNEL.md

@@ -0,0 +1,27 @@
+# Configure Stunnel files
+
+- Configure stunnel:
+
+```sh
+BESU_NODE_1_IP=10.142.15.194 # update this with the correct ip
+BESU_NODE_2_IP=10.168.0.8 # update this with the correct ip
+P2P_PORT=60606 # for simplicity use this port for p2p communication between nodes, let's assume 60606 port number is the P2P configured port number
+```
+
+- Create stunnel files for node 1: Situated on the $root_directory/cloud of this repo execute:
+
+  - for node 1:
+
+  ```sh
+      DESTINATION_IP=$BESU_NODE_2_IP # the IP of the other node to communicate with
+      ./config/stunnel-config/createStunnelConfigForParticipant.sh node1 $P2P_PORT $DESTINATION_IP
+  ```
+
+  - for node 2:
+
+  ```sh
+      DESTINATION_IP=$BESU_NODE_1_IP # the IP of the other node to communicate with
+      ./config/stunnel-config/createStunnelConfigForParticipant.sh node2 $P2P_PORT $DESTINATION_IP
+  ```
+
+- The previous step will generate two folders (node1 and node2) containing the necessary configuration for both nodes in order to allow them to communicate through stunnel. Now you have to copy node1 and node2 folders to the respective virtual machines.

cloud/config/stunnel-config/createStunnelConfigForParticipant.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+function createStunnelConfigFiles() {
+    nodeDir=$1
+    P2P_PORT=$2
+    DESTINATION_IP=$3
+
+    rm -rf $nodeDir
+    mkdir -p $nodeDir
+    cp ./config/stunnel-config/start-tunnels.sh $nodeDir
+
+    cp ./config/stunnel-config/stop-tunnels-template.sh $nodeDir/stop-tunnels.sh
+    sed -i "s/P2P_PORT/$P2P_PORT/g" $nodeDir/stop-tunnels.sh
+    sed -i "s/DESTINATION_IP/$DESTINATION_IP/g" $nodeDir/stop-tunnels.sh
+
+
+    cp ./config/stunnel-config/stunnel-config-client-template.sh $nodeDir/stunnel-config-client.sh
+    sed -i "s/P2P_PORT/$P2P_PORT/g" $nodeDir/stunnel-config-client.sh
+    sed -i "s/DESTINATION_IP/$DESTINATION_IP/g" $nodeDir/stunnel-config-client.sh
+
+    cp ./config/stunnel-config/stunnel-config-server-template.sh $nodeDir/stunnel-config-server.sh
+    sed -i "s/P2P_PORT/$P2P_PORT/g" $nodeDir/stunnel-config-server.sh
+}
+
+createStunnelConfigFiles $1 $2 $3

cloud/config/stunnel-config/start-tunnels.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+./stop-tunnels.sh
+cd /etc/stunnel
+(./stunnel-config-client.sh > /dev/null 2>&1 &) && sleep 2s && (./stunnel-config-server.sh > /dev/null 2>&1 &) && \
+echo "all tunnels have been started, now connection is quantum resistant"

cloud/config/stunnel-config/stop-tunnels-template.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+echo "Deleting tunnel configured firewal rules"
+iptables -t nat -D OUTPUT -p tcp --dport P2P_PORT -d DESTINATION_IP -j DNAT --to-destination 127.0.0.1:4911 2>/dev/null || echo "Rule not found, skipping ..." && \
+iptables -D INPUT -p tcp ! -d localhost --dport P2P_PORT -j DROP 2>/dev/null  || echo "Rule not found, skipping ..."  && \
+echo "Terminating all tunnels" && \
+for pid in `ps -aux | grep stunnel | awk '{ print $2  }'`; do kill -9 $pid 2>/dev/null || echo "All tunnels were terminated"; done;

cloud/config/stunnel-config/stunnel-config-client-template.sh

@@ -0,0 +1,32 @@
+#!/bin/sh
+
+echo "\n*************** CLIENT TUNNEL CONFIGURATION *****************"
+echo "Configuring firewall rules"
+iptables -t nat -D OUTPUT -p tcp --dport P2P_PORT -d DESTINATION_IP -j DNAT --to-destination 127.0.0.1:4911 2>/dev/null  || echo "Rule no found ... skipping deletion"  && \
+iptables -D INPUT -p tcp ! -d localhost --dport P2P_PORT -j DROP 2>/dev/null  || echo "Rule no found ... skipping deletion"  && \
+iptables -t nat -A OUTPUT -p tcp --dport P2P_PORT -d DESTINATION_IP -j DNAT --to-destination 127.0.0.1:4911 && \
+iptables -I INPUT -p tcp ! -d localhost --dport P2P_PORT -j DROP
+echo "Starting Client Tunnel" && \
+cat > stunnel.conf <<_EOF_
+debug = 7
+foreground = yes
+socket = l:TCP_NODELAY=1
+socket = r:TCP_NODELAY=1
+ciphers=AESGCM
+[client]
+client = yes
+accept = 0.0.0.0:4911
+connect = DESTINATION_IP:4912
+CAfile = /etc/stunnel/rootCA.crt
+cert = /etc/stunnel/certificate.crt
+key = /etc/stunnel/certificate.key
+verify = 2
+_EOF_
+
+if ! [ -f certificate.crt ]
+then
+    echo ERROR: service certificate  not found 1>&2
+    exit 1
+fi
+
+exec stunnel "$@"

cloud/config/stunnel-config/stunnel-config-server-template.sh

@@ -0,0 +1,29 @@
+#!/bin/sh
+
+echo "\n*************** SERVER TUNNEL CONFIGURATION *****************"
+
+cd /etc/stunnel
+
+cat > stunnel.conf <<_EOF_
+debug = 7
+foreground = yes
+socket = l:TCP_NODELAY=1
+socket = r:TCP_NODELAY=1
+ciphers=AESGCM
+[server]
+client = no
+accept = 4912
+connect = 127.0.0.1:P2P_PORT
+CAfile = /etc/stunnel/rootCA.crt
+cert = /etc/stunnel/certificate.crt
+key = /etc/stunnel/certificate.key
+verify = 2
+_EOF_
+
+if ! [ -f certificate.crt ]
+then
+    echo ERROR: service certificate  not found 1>&2
+    exit 1
+fi
+
+exec stunnel "$@"