CITA communication encryption

Time: 2022-5-16

This article is the third in the 【Mr. Li takes you to play CITA】 series of technical articles. The author, leeyr, is a low-level blockchain engineer at Hangzhou Xita Technology. Cooperation between enterprises involves a large amount of private data, so ensuring that communication is encrypted while using CITA is critical. Follow the official account "Xita Technology", reply "communication group", and join the citahub blockchain open source community family.

Open source enterprise blockchain kernel CITA, GitHub address (give it a star): https://github.com/citahub/cita

Share text:

For the sake of customer data security, I strongly recommend that you consider using CITA's communication encryption when deploying CITA in a production environment. This week, let's talk about communication encryption.

First, from the CITA system architecture diagram, it can be seen that there are two main places where the CITA system communicates across the network:

[Figure: CITA system architecture diagram]

  1. Application <-> RPC: the communication between the application and the RPC interface.
  2. Node <-> node: the communication between CITA nodes.

Let's look at each of them in turn.

Communication encryption between nodes

You can use network packet capture and analysis tools (I use tcpdump and Wireshark here) to see the difference between traffic with and without communication encryption.

[Figure: packet captured without node-to-node communication encryption]

The above figure shows a data packet captured without communication encryption between nodes. It can be seen that the information in it is clear text, which can easily be read and analyzed by tools. Next, let's take a look at what a similar packet looks like when communication encryption is enabled:

[Figure: packet captured with node-to-node communication encryption enabled]

It can be seen that the communication content is encrypted, and the packet capture tool can no longer read or analyze the data inside.

How to enable node communication encryption

You can turn it on by passing the --enable_tls option when creating a network (create) or adding nodes (append). For example:

Create network:

$ bin/cita create --enable_tls --super_admin "0x37d1c7449bfe76fe9c445e626da06265e9377601" --nodes "127.0.0.1:4000,127.0.0.1:4001"

Add node:

$ bin/cita append --chain_name test-chain --enable_tls --node "127.0.0.1:4004"
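After enabling --enable_tls it is worth confirming, with the same tcpdump/Wireshark capture shown above, that the node port really carries TLS rather than clear text. The following is an added example for that check, written for this article and not part of CITA or the original post. It works on raw TCP payload bytes (for instance exported from Wireshark) and uses two heuristics: a TLS record begins with a content-type byte (0x14 to 0x17) followed by a 0x03xx version and a 16-bit length, while a clear-text payload is almost entirely printable. The sample payloads are constructed for the example, not real CITA captures.

```python
"""Classify captured TCP payloads as TLS records or clear text.

Added example for the CITA communication encryption article; not CITA code.
"""
import string

# TLS record layer content types (RFC 5246 / RFC 8446).
TLS_CONTENT_TYPES = {
    0x14: "change_cipher_spec",
    0x15: "alert",
    0x16: "handshake",
    0x17: "application_data",
}
# Legacy record-layer versions seen on the wire: SSL 3.0 through TLS 1.3 (which
# still advertises 0x0303 in the record header).
TLS_MINOR_VERSIONS = {0x00, 0x01, 0x02, 0x03, 0x04}
# A TLS plaintext record carries at most 2^14 bytes, plus expansion for ciphertext.
MAX_TLS_RECORD_LEN = 16384 + 2048
PRINTABLE = set(string.printable.encode())


def looks_like_tls_record(payload: bytes) -> bool:
    """True if the payload starts with a plausible TLS record header."""
    if len(payload) < 5:
        return False
    ctype, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    return (
        ctype in TLS_CONTENT_TYPES
        and major == 0x03
        and minor in TLS_MINOR_VERSIONS
        and 0 < length <= MAX_TLS_RECORD_LEN
    )


def printable_ratio(payload: bytes) -> float:
    """Fraction of bytes that are printable ASCII; 0.0 for an empty payload."""
    if not payload:
        return 0.0
    return sum(b in PRINTABLE for b in payload) / len(payload)


def classify_payload(payload: bytes) -> str:
    """Return 'tls', 'cleartext' or 'unknown' for one captured payload."""
    if looks_like_tls_record(payload):
        return "tls"
    if printable_ratio(payload) >= 0.9:
        return "cleartext"
    return "unknown"


def audit(payloads: dict) -> dict:
    """Classify a batch of payloads; any 'cleartext' verdict on a node port means
    --enable_tls is not in effect for that connection."""
    return {name: classify_payload(p) for name, p in payloads.items()}


# Constructed samples (not real CITA traffic).
CLEARTEXT_SAMPLE = b'{"id":1,"jsonrpc":"2.0","method":"peerCount","params":[]}'
# Handshake record: type 0x16, version 0x0301, length 5, then a ClientHello stub.
TLS_HANDSHAKE_SAMPLE = bytes([0x16, 0x03, 0x01, 0x00, 0x05]) + b"\x01\x00\x00\x01\x00"
# Application-data record: type 0x17, version 0x0303, length 16, opaque ciphertext.
TLS_APPDATA_SAMPLE = bytes([0x17, 0x03, 0x03, 0x00, 0x10]) + bytes(range(0x80, 0x90))

if __name__ == "__main__":
    samples = {
        "node-without-tls": CLEARTEXT_SAMPLE,
        "node-with-tls-handshake": TLS_HANDSHAKE_SAMPLE,
        "node-with-tls-appdata": TLS_APPDATA_SAMPLE,
    }
    for name, verdict in audit(samples).items():
        print(f"{name}: {verdict}")
```

The heuristic is deliberately simple: it answers the one question the captures above raise (is this connection encrypted at all?) and is not a full TLS parser. A clear-text JSON payload that happens to begin with a byte in 0x14..0x17 would be misread as TLS, so treat a "tls" verdict as a sanity check rather than proof, and a "cleartext" verdict as a definite finding.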

Application and RPC communication encryption

First of all, let's take a look at the data packets with and without communication encryption, to get an intuitive feel for the difference.

Packet without communication encryption:

[Figure: application-to-RPC packet captured without communication encryption]

Data packets with communication encryption:

[Figure: application-to-RPC packet captured with communication encryption]

It can be seen that the data packet with communication encryption is completely unreadable!

How to enable communication encryption between application and RPC

Since the RPC interface is served over plain HTTP, you only need to put nginx in front of it as a reverse proxy that terminates HTTPS and forwards requests to the HTTP RPC backend. The application then communicates with RPC over HTTPS, so the traffic is encrypted.

As you can see, the CITA test chain (access address https://node.cryptape.com) is now accessed in exactly this way, using this technique for communication encryption.

There are many materials online about how to configure nginx, so that will not be described here.
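The article leaves the nginx side to other materials, but the application side of this setup also matters: an HTTPS client that skips certificate verification, or that is allowed to fall back to the plain-HTTP RPC address, loses the protection the proxy provides. The following is an added example of a minimal JSON-RPC client for an HTTPS-fronted CITA RPC endpoint, written for this article and not part of CITA's own tooling. It refuses non-HTTPS endpoints, keeps hostname and certificate verification on, and pins a TLS 1.2 floor. The `peerCount` method is one of CITA's JSON-RPC methods; the loopback address and port in the usage section are placeholders, not a statement about the node's real configuration.

```python
"""HTTPS JSON-RPC client for a CITA node behind an nginx TLS-terminating proxy.

Added example for the CITA communication encryption article; not CITA code.
"""
import json
import ssl
import urllib.request
from urllib.parse import urlparse


def make_tls_context(ca_file: str = None) -> ssl.SSLContext:
    """Build a strict client context: CA verification, hostname check, TLS >= 1.2.

    ca_file is the CA bundle that issued the proxy's certificate (optional; the
    system trust store is used when it is None).
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # create_default_context already sets check_hostname=True and
    # verify_mode=CERT_REQUIRED; they are restated so nobody relaxes them later.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True if the context verifies the chain, checks the hostname and refuses TLS < 1.2."""
    return (
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def build_request(endpoint: str, method: str, params=None, req_id: int = 1) -> urllib.request.Request:
    """Build a JSON-RPC 2.0 POST; only https:// endpoints are accepted."""
    parsed = urlparse(endpoint)
    if parsed.scheme != "https":
        raise ValueError(f"refusing non-HTTPS RPC endpoint: {endpoint}")
    body = json.dumps(
        {"jsonrpc": "2.0", "method": method, "params": params or [], "id": req_id}
    ).encode("utf-8")
    return urllib.request.Request(
        endpoint,
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def request_summary(req: urllib.request.Request) -> dict:
    """Expose the pieces of a built request that are worth checking."""
    return {
        "url": req.full_url,
        "http_method": req.get_method(),
        "body": json.loads(req.data.decode("utf-8")),
    }


def parse_reply(raw: bytes):
    """Return the JSON-RPC result, raising on an error object."""
    reply = json.loads(raw.decode("utf-8"))
    if "error" in reply:
        raise RuntimeError(f"RPC error: {reply['error']}")
    return reply["result"]


def call_rpc(endpoint: str, method: str, params=None, ctx: ssl.SSLContext = None, timeout: float = 10.0):
    """Send one JSON-RPC call over HTTPS and return its result."""
    req = build_request(endpoint, method, params)
    with urllib.request.urlopen(req, context=ctx or make_tls_context(), timeout=timeout) as resp:
        return parse_reply(resp.read())


if __name__ == "__main__":
    # Placeholder endpoint; the public test chain from the article would be
    # https://node.cryptape.com. Network access is required to run this part.
    try:
        print("peerCount:", call_rpc("https://rpc.example.invalid", "peerCount"))
    except (OSError, ValueError, RuntimeError) as exc:
        print("call failed:", exc)
```

On the proxy side, the corresponding nginx directives are the ones the article hints at: a `server` block that listens on 443 with `ssl` and `proxy_pass`es to the node's HTTP RPC address. For the proxy to be worth anything, the plain-HTTP RPC listener it forwards to should only be reachable by nginx (bound to loopback or firewalled), otherwise an application can still talk to the node in clear text; the `ValueError` raised above for `http://` URLs is the client-side half of that same rule.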

About Xita Technology

Rivtower Co., Ltd. is committed to providing safe and reliable blockchain network services for small and medium-sized enterprises, ensuring the sustainability and robustness of their business ecosystems.

Enterprise blockchain kernel CITA: CITA is the first enterprise blockchain kernel in China developed independently and on the basis of the open source community.

Open source community ecosystem citahub: a development platform connecting scenario owners with technology development teams. Citahub combines resources from all parties to provide scenarios, development tools and best practices for building value networks.

Pagoda Net: an on-chain app store that meets the application needs of various industry scenarios in a one-stop way.