SuperNodes 인증하기

When running a Flower Federation (see Flower Network Communication) it is fundamental that an authentication mechanism is available between the SuperLink and the SuperNodes that connect to it. Flower comes with two different mechanisms to authenticate SuperNodes that connect to a running SuperLink:

• Automatic authentication: In this mode, the SuperLink checks the timestamp-based signature in each request from SuperNodes to prevent impersonation and replay attacks.

• CSV-based authentication: This mode functions similarly to automatic authentication but requires the SuperLink to be provided with a list of authorized public keys, allowing only those SuperNodes to connect.

The automatic authentication mode works out of the box and therefore requires no configuration. On the other hand, CSV-based authentication mode is more sophisticated and how it works and how it can be used is presented reminder of this guide. Flower’s CSV-based node authentication leverages a signature-based mechanism to verify each node’s identity and is only available when encrypted connections (SSL/TLS) are enabled:

• Each SuperNode must already possess a unique Elliptic Curve (EC) public/private key pair.

• The SuperLink (server) maintains a whitelist of EC public keys for all trusted SuperNodes (clients).

• A SuperNode signs a timestamp with its private key and sends the signed timestamp to the SuperLink.

• The SuperLink verifies the signature and timestamp using the SuperNode’s public key.

참고

This guide builds on the Flower App setup presented in the Enable TLS connections guide and extends it to introduce node authentication to the SuperLink ↔ SuperNode connection.

팁

Checkout the Flower Authentication example for a complete self-contained example on how to setup TLS and node authentication.

참고

이 가이드에서는 향후 버전의 Flower에서 변경될 수 있는 미리보기 기능에 대해 설명합니다.

Generate authentication keys

To establish an authentication mechanism by which only authorized SuperNodes can connect to a running SuperLink, a set of key pairs for both SuperLink and SuperNodes need to be created.

We have prepared a script that can be used to generate such set of keys. While using these are fine for prototyping, we advice you to follow the standards set in your team/organization and generated the keys and share them with the corresponding parties. Refer to the Generate public and private keys for SuperNode authentication section in the example linked at the top of this guide.

# In the example directory, generate the public/private key pairs
$ ./generate_auth_keys.sh

This will generate the keys in a new keys/ directory. By default it creates a key pair for the SuperLink and one for each SuperNode. Copy this directory into the directory of your app (e.g. a directory generated earlier via flwr new).

Enable node authentication in SuperLink

To launch a SuperLink with SuperNode authentication enabled, you need to provide three aditional files in addition to the certificates needed for the TLS connections. Recall that the authentication feature can only be enabled in the presence of TLS.

$ flower-superlink \
    --ssl-ca-certfile certificates/ca.crt \
    --ssl-certfile certificates/server.pem \
    --ssl-keyfile certificates/server.key \
    --auth-list-public-keys keys/client_public_keys.csv

Understand the command

• --auth-list-public-keys: Specify the path to a CSV file storing the public keys of all SuperNodes that should be allowed to connect with the SuperLink.

A valid CSV file storing known node public keys should list the keys in OpenSSH format, separated by commas. Refer to the code sample, which contains a CSV file with two known node public keys.

Enable node authentication in SuperNode

Connecting a SuperNode to a SuperLink that has node authentication enabled requires passing two additional arguments (i.e. the public and private keys of the SuperNode) in addition to the TLS certificate.

$ flower-supernode \
    --root-certificates certificates/ca.crt \
    --superlink 127.0.0.1:9092 \
    --clientappio-api-address 0.0.0.0:9094 \
    --node-config="partition-id=0 num-partitions=2" \
    --auth-supernode-private-key keys/client_credentials_1 \
    --auth-supernode-public-key keys/client_credentials_1.pub

Understand the command

• --auth-supernode-private-key: the private key of this SuperNode.

• --auth-supernode-public-key: the public key of this SuperNode (which should be the same that was added to othe CSV used by the SuperLink).

Follow the same procedure to launch the second SuperNode by passing its corresponding key pair:

$ flower-supernode \
    --root-certificates certificates/ca.crt \
    --superlink 127.0.0.1:9092 \
    --clientappio-api-address 0.0.0.0:9095 \
    --node-config="partition-id=1 num-partitions=2" \
    --auth-supernode-private-key keys/client_credentials_2 \
    --auth-supernode-public-key keys/client_credentials_2.pub

보안 공지

시스템의 보안은 SuperLink와 각SuperNode의 자격 증명에 의존합니다. 따라서 공개키 기반구조(PKI) 사칭 공격과 같은 보안 위험을 피하기 위해 자격 증명을 보호하고 안전하게 보관하는 것이 필수적입니다. 노드 인증 메커니즘에는 사람의 상호 작용도 포함되므로 모든 통신이 신뢰할 수 있는 통신 방법을 사용하여 안전한 방식으로 이루어지도록 하세요.

결론

You should now have learned how to start a long-running Flower SuperLink and SuperNode with node authentication enabled. You should also know the significance of the private key and store it securely to minimize risks.

참고

Refer to the Docker를 사용하여 Flower 실행 documentation to learn how to setup a federation where each component runs in its own Docker container. You can make use of TLS and other security features in Flower such as implement a SuperNode authentication mechanism.