This article describes how the Fortanix “Ignite One-Time Signer” solution improves the security of Proof-of-Stake blockchains that use the Ignite (previously known as Tendermint) software stack. The solution provides operators of validator nodes with a mechanism to prevent the double-signing of proposals and votes. This solution comprises a plugin that is securely deployed inside Fortanix Data Security Manager (DSM) Software-as-a-Service (SaaS) and a shim which facilitates communication between the validator and the plugin.
1.1 Getting Started Video
1.2 Fortanix One-Time Signer Plugin
The Fortanix “Ignite One-Time Signer” solution validates that the proposals and votes are well-formed, tracks the state of the consensus protocol, and ensures that double-signing is prevented since it can be harmful to the blockchain network. The plugin can be used to sign blockchain consensus messages of the following types:
- PrevoteType = 0x01
- PrecommitType = 0x02
- ProposalType = 0x20
The plugin is protected by a quorum policy that involves multiple admin users. Once deployed, the plugin code cannot be modified without explicit permissions from multiple administrators.
The solution offers the following benefits:
- High availability and disaster recovery.
- Secure key management.
- Secure execution of critical code.
2.0 Set Up Plugin
2.1 Create a Fortanix DSM Group
- To use the Fortanix “Tendermint One Time Signer” plugin in Fortanix DSM, you must first create a Fortanix DSM group and add the Plugin to this group. Figure 1: Import plugin
- Copy the UUID of the plugin to add it to the
shimconfiguration file later. Refer to Section 3.1.
Figure 3: Plugin UUID
- In the detailed view of the group, click the INFO tab and in the “Key metadata policy” section, click ADD POLICY to add a Key metadata policy for the group. Figure 4: Add key metadata policy
- In the policy, add the following custom attributes as Required. These attributes maintain the state of the key for consensus signing.
2.2 Configure a Quorum Policy for the Group
After creating the Fortanix DSM group and adding the “Tendermint One Time Signer” plugin to this group, configure a Quorum Policy for the group to protect the plugin. This will ensure that the plugin code cannot be modified without the approval of the Group Administrator.
- Go to the detailed view of the group, and click the INFO tab.
- In the "Quorum approval policy" section, click ADD POLICY to add a new quorum policy.
- Configure the Quorum approval policy and click SAVE POLICY. Figure 6: Configure Quorum approval policy
2.3 Create an App In Fortanix DSM
Create an app in Fortanix DSM of type REST API for the “Tendermint One Time Signer” plugin and copy the app’s API KEY. This API Key is added to the
shim configuration file later. Refer to Section 3.1.
Figure 7: Create an app and copy the API key
2.4 Generate a Key
- Generate a key called consensus-key in the same group created in Section 2.1 so that the API key of the app created in Section 2.3 can be used to access this key. The key type must be EC of Curve Ed25519 since the
shimaccepts keys of this format only. This key is used by the validator for consensus signing. Figure 8: Consensus key
- Copy the Key ID of this key to add it to the
shimconfiguration file later. Refer to Section 3.1. Figure 9: Copy key ID
Alternatively, you can also import an existing Ignite key. Refer to the section “Script to Convert Tendermint key to DER format” in the Plugin readme to convert an Ignite key to Fortanix DSM accepted key format. The readme also has an example Ignite key.
- In the detailed view of the key, click the ATTRIBUTES/TAGS tab and notice that the key has the custom attributes that were defined in the Key metadata policy while creating the group. For all the attributes, set the value as -1. Figure 10: Key custom attributes
3.0 Set Up and Start the Shim
3.1 Set Up Shim
To configure and use the
shim, refer to the steps here. This contains the instructions to compile the
shim utility and generate a
shim requires a configuration file that contains the authentication details needed to authenticate to Fortanix DSM with an API key. The file
shim.toml contains this configuration. The configuration file expects the following additional details:
- Fortanix DSM “Tendermint One Time Signer” plugin UUID – Add the Plugin UUID copied in Section 2.1 to the
- Fortanix DSM App API Key – Add the API Key copied in Section 2.3 to the
- Fortanix DSM Key UUID – Add the Key UUID coped in Section 2.4 to the
3.2 Running Shim
shim.toml configuration file now has the details required for the Fortanix DSM Signer configuration:
- The Fortanix DSM “Tendermint One Time Signer” plugin ID for double-signing check.
- The Fortanix DSM App API Key to authenticate to Fortanix DSM.
- The Fortanix DSM Key ID is used by the Validator for consensus signing.
The configuration file also has the configuration for the Validator, which tells the Validator to use the Fortanix DSM Signer for consensus signing. To do this, you must pass the address of the
shim for Ignite to listen for connections from the external validator process.
- Run the shim configuration using the command
shim start -c </path/to/shim.toml>. The detailed steps to run the shim configuration are described here.
- Add the remote signer address for the Validator, for example,
tcp://127.0.0.1:26690. This address must then be added to the
- Start the Ignite Validator.
- After the Validator starts, the proposal is now signed with a hash at a particular height, round, and step. These values are updated in the consensus-key’s custom attributes section.
- The Validator receives the signature from the plugin.
- Go to the detailed view of the plugin in Fortanix DSM and notice the Activity Logs section on the right. You will see the log showing that the Fortanix DSM app ran the plugin successfully. Figure 11: Plugin execution log
- Go to the detailed view of the consensus-key and in the Activity Logs section notice that this key is used by the Validator for consensus signing. Figure 11: Execution log for key