SYNCTHING-DEVICE-IDS(7)            Syncthing           SYNCTHING-DEVICE-IDS(7)



NNAAMMEE
       syncthing-device-ids - Understanding Device IDs

       Every  device  is  identified by a device ID. The device ID is used for
       address resolution, authentication and authorization. The term  âdevice
       IDâ  could  interchangeably have been âkey IDâ since the device ID is a
       direct property of the public key in use.

KKEEYYSS
       To understand device IDs we need to look at the underlying  mechanisms.
       At first startup, Syncthing will create a public/private keypair.

       Currently  this  is a 384 bit ECDSA key (3072 bit RSA prior to v0.12.5,
       which is what is used as an example in  this  article).  The  keys  are
       saved  in  the form of the private key (kkeeyy..ppeemm) and a self signed cer‐
       tificate (cceerrtt..ppeemm). The self signing part  doesnât  actually  add  any
       security  or  functionality  as  far  as  Syncthing is concerned but it
       enables the use of the keys in a standard TLS exchange.

       The typical certificate will look something like this,  inspected  with
       ooppeennssssll xx550099:

          Certificate:
              Data:
                  Version: 3 (0x2)
                  Serial Number: 0 (0x0)
                  Signature Algorithm: sha1WithRSAEncryption
                  Issuer: CN=syncthing
                  Validity
                      Not Before: Mar 30 21:10:52 2014 GMT
                      Not After : Dec 31 23:59:59 2049 GMT
                  Subject: CN=syncthing
                  Subject Public Key Info:
                      Public Key Algorithm: rsaEncryption
                      RSA Public Key: (3072 bit)
                          Modulus (3072 bit):
                              00:da:83:8a:c0:95:af:0a:42:af:43:74:65:29:f2:
                              30:e3:b9:12:d2:6b:70:93:da:0b:7b:8a:1e:e5:79:
                              ...
                              99:09:4c:a9:7b:ba:4a:6a:8b:3b:e6:e7:c7:2c:00:
                              90:aa:bc:ad:94:e7:80:95:d2:1b
                          Exponent: 65537 (0x10001)
                  X509v3 extensions:
                      X509v3 Key Usage: critical
                          Digital Signature, Key Encipherment
                      X509v3 Extended Key Usage:
                          TLS Web Server Authentication, TLS Web Client Authentication
                      X509v3 Basic Constraints: critical
                          CA:FALSE
              Signature Algorithm: sha1WithRSAEncryption
                  68:72:43:8b:83:61:09:68:f0:ef:f0:43:b7:30:a6:73:1e:a8:
                  d9:24:6c:2d:b4:bc:c9:e8:3e:0b:1e:3c:cc:7a:b2:c8:f1:1d:
                  ...
                  88:7e:e2:61:aa:4c:02:e3:64:b0:da:70:3a:cd:1c:3d:86:db:
                  df:54:b9:4e:be:1b

       We  can  see  here that the certificate is little more than a container
       for the public key; the serial number is zero and the Issuer  and  Sub‐
       ject  are  both  âsyncthingâ  where a qualified name might otherwise be
       expected.

       An advanced user could replace the kkeeyy..ppeemm and cceerrtt..ppeemm  files  with  a
       keypair generated directly by the ooppeennssssll utility or other mechanism.

DDEEVVIICCEE IIDDSS
       To  form  a  device  ID the SHA-256 hash of the certificate data in DER
       form is calculated. This means the hash covers  all  information  under
       the CCeerrttiiffiiccaattee:: section above.

       The  hashing  results  in  a 256 bit hash which we encode using base32.
       Base32 encodes five bits per character so we need 256 / 5 = 51.2  char‐
       acters to encode the device ID. This becomes 52 characters in practice,
       but 52 characters of base32 would decode to 260 bits  which  is  not  a
       whole  number  of  bytes.  The base32 encoding adds padding to 280 bits
       (the next multiple of both 5 and 8 bits)  so  the  resulting  ID  looks
       something like:

          MFZWI3DBONSGYYLTMRWGC43ENRQXGZDMMFZWI3DBONSGYYLTMRWA====

       The  padding  (========)  is  stripped  away, the device ID split into four
       groups,  and  _c_h_e_c_k  _d_i_g_i_t_s  <hhttttppss::////ffoorruumm..ssyynncctthhiinngg..nneett//tt//vv00--99--00--nneeww--
       nnooddee--iidd--ffoorrmmaatt//447788> are added for each group. For presentation purposes
       the device ID is grouped with dashes, resulting in the final value:

          MFZWI3D-BONSGYC-YLTMRWG-C43ENR5-QXGZDMM-FZWI3DP-BONSGYY-LTMRWAD

   CCoonnnneeccttiioonn EEssttaabblliisshhmmeenntt
       Now we know what device IDs are, hereâs how they are used in Syncthing.
       When  you  add a device ID to the configuration, Syncthing will attempt
       to connect to that device. The first thing we need to do is figure  out
       the IP and port to connect to. There are three possibilities here:

       · The  IP  and  port can be set statically in the configuration. The IP
         can equally well be a host name, so if you have  a  static  IP  or  a
         dynamic DNS setup this might be a good option.

       · Using  local discovery, if enabled. Every Syncthing instance on a LAN
         periodically broadcasts information about itself (device ID, address,
         port  number).  If  weâve  seen  one  of these broadcasts for a given
         device ID thatâs where we try to connect.

       · Using  global  discovery,  if  enabled.  Every   Syncthing   instance
         announces  itself  to  the  global  discovery  service (device ID and
         external port number - the internal address is not announced  to  the
         global  server).  If  we donât have a static address and havenât seen
         any local announcements the global discovery server will  be  queried
         for an address.

       Once  we have an address and port a TCP connection is established and a
       TLS handshake performed. As part of the handshake both devices  present
       their  certificates. Once the handshake has completed and the peer cer‐
       tificate is known, the following steps are performed:

       1. Calculate the remote device ID by processing the  received  certifi‐
          cate as above.

       2. Weed out a few possible misconfigurations - i.e. if the device ID is
          that of the local device or of a device we already  have  an  active
          connection to. Drop the connection in these cases.

       3. Verify  the remote device ID against the configuration. If it is not
          a device ID we are expecting to talk to, drop the connection.

       4. Verify the certificate  CCoommmmoonnNNaammee  against  the  configuration.  By
          default,  we  expect  it to be ssyynncctthhiinngg, but when using custom cer‐
          tificates this can be changed.

       5. If everything checks out so far, accept the connection.

AANN AASSIIDDEE AABBOOUUTT CCOOLLLLIISSIIOONNSS
       The SHA-256 hash is cryptographically collision resistant.  This  means
       that  there  is no way that we know of to create two different messages
       with the same hash.

       You can argue that of course there are collisions - thereâs an infinite
       amount  of  inputs  and  a  finite amount of outputs - so by definition
       there are infinitely many messages that result in the same hash.

       Iâm going  to  quote  _s_t_a_c_k  _o_v_e_r_f_l_o_w  <hhttttppss::////ssttaacckkoovveerrffllooww..ccoomm//qquueess‐‐
       ttiioonnss//44001144009900//iiss--iitt--ssaaffee--ttoo--iiggnnoorree--tthhee--ppoossssiibbiilliittyy--ooff--sshhaa--ccoolllliissiioonnss--
       iinn--pprraaccttiiccee> here:
          The usual answer goes thus: what is the  probability  that  a  rogue
          asteroid crashes on Earth within the next second, obliterating civi‐
          lization-as-we- know-it, and killing off a few billion people ?   It
          can  be  argued that any unlucky event with a probability lower than
          that is not actually very important.

          If we have a âperfectâ hash function with output size n, and we have
          p  messages  to  hash  (individual message length is not important),
          then probability of collision is about p2/2n+1 (this is an  approxi‐
          mation which is valid for âsmallâ p, i.e. substantially smaller than
          2n/2). For instance, with SHA-256 (n=256) and one  billion  messages
          (p=10^9) then the probability is about 4.3*10^-60.

          A mass-murderer space rock happens about once every 30 million years
          on average. This leads to a probability of such an  event  occurring
          in  the  next  second to about 10^-15. Thatâs 45 orders of magnitude
          more probable than the SHA-256 collision.  Briefly  stated,  if  you
          find SHA-256 collisions scary then your priorities are wrong.

       Itâs  also  worth noting that the property of SHA-256 that we are using
       is not simply collision resistance but resistance to a preimage attack,
       i.e.  even if you can find two messages that result in a hash collision
       that doesnât help you attack Syncthing (or TLS in general). You need to
       create  a  message  that hashes to exactly the hash that my certificate
       already has or you wonât get in.

       Note also that itâs not good enough to find a random blob of bits  that
       happen  to  have  the same hash as my certificate. You need to create a
       valid DER-encoded, signed certificate that has the same hash  as  mine.
       The  difficulty of this is staggeringly far beyond the already stagger‐
       ing difficulty of finding a SHA-256 collision.

PPRROOBBLLEEMMSS AANNDD VVUULLNNEERRAABBIILLIITTIIEESS
       As far as I know, these are the issues or  potential  issues  with  the
       above mechanism.

   DDiissccoovveerryy SSppooooffiinngg
       Currently,  the  local  discovery  mechanism isnât protected by crypto.
       This means that any device can in theory announce itself for any device
       ID  and  potentially receive connections for that device from the local
       network.

   LLoonngg DDeevviiccee IIDDss aarree PPaaiinnffuull
       Itâs a mouthful to read over the phone, annoying to type into an SMS or
       even  into  a  computer.  And  it needs to be done twice, once for each
       side.

       This isnât a vulnerability as such,  but  a  user  experience  problem.
       There are various possible solutions:

       · Use  shorter  device IDs with verification based on the full ID (âYou
         entered MFZWI3; I found  and  connected  to  a  device  with  the  ID
         MFZWI3-DBONSG-YYLTMR-WGC43E-NRQXGZ-DMMFZW-I3DBON-SGYYLT-MRWA,  please
         confirm that this is correctâ).

       · Use shorter device IDs with an out of band authentication, a la Blue‐
         tooth  pairing. You enter a one time PIN into Syncthing and give that
         PIN plus a short device ID to another user. On initial connect,  both
         sides  verify  that  the other knows the correct PIN before accepting
         the connection.

AAUUTTHHOORR
       The Syncthing Authors

CCOOPPYYRRIIGGHHTT
       2014-2019, The Syncthing Authors



v1.19.2                          Apr 05, 2022          SYNCTHING-DEVICE-IDS(7)
