Storagenode network security

Hello,

I’d like to know how Storj secures the communication between the nodes. For example whether TLS (and even mTLS, certificate pinning) is used between sno, gateway and satellite. And how the sno verifies the requests.

Can someone please enlighten me or provide me with something to read?

Thank you.

Storj uses mTLS but without a central certificate authority. We use something we call NodeID verification.

I will quote @jtolio :

We essentially do both client and server certificate validation, but without a centrally managed CA. Each entity on the network is its own CA, and the public key of its CA root solely determines the node’s ID.

So a TLS handshake exchanges validated certificate chains, and the node ID is calculated by running up the certificate chain to the top signer and hashing the public key on that cert (assuming the chain is valid).

The storage nodes get the trusted satellite IDs during setup from https://www.storj.io/dcs-satellites. In turn it gets trusted storage node IDs from those satellites.

Uplink gets the trusted satellite ID because you give it through the Access Grant or through RequestAccessWithPassphrase. Uplink itself has a temporary NodeID to set up mTLS, but since this comes from nowhere, this is not used as authentication. The satellite instead verifies the API key, and the Nodes verify something called OrderLimits, which are generated by the satellite.

The Gateway is just an Uplink.

You remind me that I’d like to write a blog post for this or documentation for github.com/storj/illustrated.

6 Likes
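The chain walk described in the quote above, as an added Go example that is not part of the original post and is not Storj's code. It assumes the ID is a hex SHA-256 of the top certificate's DER-encoded public key; the function names and the test certificates are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// NodeIDFromChain checks a chain (leaf first, self-signed CA last) and hashes the
// CA public key. SHA-256 over the DER key is an assumption; expiry is not checked.
func NodeIDFromChain(chain ...*x509.Certificate) (string, error) {
	if len(chain) < 2 {
		return "", fmt.Errorf("need a leaf and a CA certificate, got %d", len(chain))
	}
	top := chain[len(chain)-1]
	signers := append(chain[1:len(chain):len(chain)], top) // the top signs itself
	for i, cert := range chain {
		if err := cert.CheckSignatureFrom(signers[i]); err != nil {
			return "", fmt.Errorf("certificate %d: %w", i, err)
		}
	}
	return fmt.Sprintf("%x", sha256.Sum256(top.RawSubjectPublicKeyInfo)), nil
}

// newCert issues a constructed test certificate; a nil parent self-signs a CA.
func newCert(parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func main() {
	ca, caKey := newCert(nil, nil)
	leaf, _ := newCert(ca, caKey)
	fmt.Println(NodeIDFromChain(leaf, ca))
}
```

Because the ID depends only on the CA key, a peer can rotate its leaf certificate without changing identity, and a leaf presented under a different CA fails the signature check before any ID is derived.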