Authorization and Authentication

[MOHANKUMAR-IT]

im building p2p for private network, have implemented custom SecureTransport that uses certificate signed by self signed certificate and check if other peers certificate contains this self signed certificate in its chains i.e RootCA else it denies the connection.
Now the certificates still needs to kept safe else some actor with a compromised system can get the certificate and get into the network.

any ideas how i can secure the network here , we should secure both internal (compromised system) and external attacks .

[ousloob]

@MOHANKUMAR-IT
You can secure your network by using a short-lived certificate with automated rotation to limit exposure and store private keys securely in an HSM or TPM to prevent extraction.

Limit peer connections to a known allowlist based on PeerIDs, rather than relying solely on certificates and implement basic certificate revocation by maintaining a blocklist of revoked PeerIDs that your nodes check before accepting connections.

If you want extra security without overcomplicating things, you can introduce a simple pre-shared secret (PSK) check before establishing secure connections.

I hope it helps :)

[MOHANKUMAR-IT]

@ousloob thank you for the suggestions , i have implemented custom tls for libp2p.Security , it authenticates by mTLS with certificates .
does multistream negotiation happen before tls negotiation ? when i crafted simple tcp connection to my go-libp2p with mTLS , python code got /multistream/1.0.0 as response . i tried to create sample multistream server with same mTLS configuration and when i tried again , as expected it blocked my tcp connection.

[ousloob]

@MOHANKUMAR-IT
Yes, multistream negotiation happens before TLS negotiation. When a peer connects, it first goes through the multistream protocol selection process to determine the security module to use (mTLS in your case). Only after that does the TLS handshake occur.

Your test makes sense: since you initiated a plain TCP connection, the node responded with /multistream/1.0.0 before rejecting it due to missing TLS authentication. That confirms that libp2p expects the multistream handshake before establishing an mTLS connection.

If you want to test proper mTLS authentication, you should modify your Python client to complete the multistream negotiation first before attempting mTLS authentication.

You can use PNet, as @sukunrt suggested, to restrict access to your private network. PNet ensures that only peers with the correct pre-shared secret (PSK) can even attempt a connection, which helps reduce the attack surface.

[sukunrt]

I think what you need is PNet: https://github.com/libp2p/go-libp2p/blob/master/options.go#L210

Though all such methods will depend on not leaking the private keys ever.

[MOHANKUMAR-IT]

Yes i understand @sukunrt , we have to securely save them.

[MOHANKUMAR-IT]

Can we use PSK with libp2p.Insecure transport option . Will it provide same security as TLS 1.3