Cudos Labs: Validator Node Setup & Security Requirements

This is part three of a three-part technical breakdown on Cudos Validators. If you have not read parts one and two yet, please read them here: Part one & Part two

Setting Up a Cudos Validator Node

Setting up a Cudos Node is the starting point for any user wanting to interact with, and play a greater part in, the network. In order to set up a Cudos node, users will require Go/Golang version 1.15 or higher. On-premise or bare metal server providers such as OVH, Leaseweb, IBM, Alibaba, Amazon Web Services, Google Cloud Computing platform, or Microsoft Azure can be used to generate Cudos nodes and join the Cudos Network.

Once the appropriate hardware and software requirements are met, users will then need to install the Cudos Network’s high performance compute blockchain, built on the Cosmos SDK, either through version control systems such as GitHub or by using the network’s release tags and building from source. The Cudos Network application is the Cosmos SDK-based application that defines the Cudos Network and its special purpose compute workflows.

This application consists of a Cudos Network daemon and command-line interface that, once deployed, runs a full-node version of the Cudos Network blockchain for users to interact with. This bespoke implementation supports innovations such as Inter-Blockchain Communication (IBC) protocol and Cosmos’s recently released Stargate update, to guarantee high levels of reliability and cross-chain interactions inspired by the network’s compute capabilities. This Cudos Network blockchain additionally leverages the most vetted modules within the Cosmos community such as staking, authentication, and governance logic. It also includes special blockchain components and developer toolchains linked to its unique set of high performance compute use cases and development workflows.

Securing A Validator Node

Cudos Validating nodes are Cosmos SDK-specified full nodes. This allows for a heavier-duty set of transaction processing workflows and network-level security exchanges with other members of the network. When setting up a Cudos Network Validator node, whether on-premise or in the cloud, Validators will have to decide whether they want to be fully responsible for key management or whether they want to leverage third-party infrastructure to do so. The Cudos Network blockchain leverages the Tendermint Key Management System in order to ensure high-availability access to signing keys as part of the Cudos Network’s block processing workflows. It additionally allows the blockchain to prevent double-signing events. In practice, this feature allows for the tamper-proof storage of validator keys in a Hardware Security Module (HSM), so that they stay protected even if the host has been compromised.

Validators should expect to run an HSM that supports ed25519 keys. Here are potential options:

  • YubiHSM 2
  • Ledger Nano S
  • Ledger BOLOS SGX enclave
  • Thales nShield support
  • Tendermint SGX enclave

The Cudos Network team will keep an updated list of HSM solutions as they gain more adoption. Instructions on how to set up a few of the industry solutions we’ve identified can be found here and here. Validators should make sure to review the documentation and user guides of their preferred HSM to finalise their security architecture.

Another frequently used solution for keeping Validator nodes secure against attacks such as Distributed Denial of Service (DDoS) attacks consists of using the four formulations of the Cosmos Sentry Node Architecture. The aim of this approach is to restrict access to validating nodes from the open internet in order to avoid Denial of Service and other known attacks in the blockchain ecosystem. Additional work is being done to come up with alternative ways to mitigate the risk of DDoS attacks when managing a Cudos Validator node.

While the Cudos Validator node itself can either be on-premise or cloud-based, the sentries should be cloud instances for greater agility and convenience, and can be most easily peered using a technique called Virtual Private Cloud (VPC) Network Peering. Users have found it easiest to implement this architecture when using Google Cloud and AWS in comparison to all other providers so far, and we would equally recommend these.
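What that restriction looks like in the [p2p] section of each node's Tendermint config.toml, as an added example that is not Cudos code: the validator turns peer exchange off and keeps only its sentries as persistent peers, and each sentry lists the validator in private_peer_ids so its address is never gossiped. The pex, persistent_peers and private_peer_ids keys are Tendermint's; the function names, node IDs and addresses are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// p2p returns the key/value pairs of the [p2p] section of a Tendermint config.toml.
func p2p(cfg string) map[string]string {
	out, section := map[string]string{}, ""
	for _, line := range strings.Split(cfg, "\n") {
		line = strings.TrimSpace(line)
		kv := strings.SplitN(line, "=", 2)
		if strings.HasPrefix(line, "[") {
			section = strings.Trim(line, "[]")
		} else if section == "p2p" && len(kv) == 2 && !strings.HasPrefix(line, "#") {
			out[strings.TrimSpace(kv[0])] = strings.Trim(strings.TrimSpace(kv[1]), `"`)
		}
	}
	return out
}

// inList reports whether id is an element of a comma-separated list.
func inList(list, id string) bool { return strings.Contains(","+list+",", ","+id+",") }

// AuditLayout: the validator talks only to its sentries; the sentry never gossips the validator.
func AuditLayout(valCfg, sentryCfg, valID, sentryIDs string) (findings []string) {
	v, s := p2p(valCfg), p2p(sentryCfg)
	if v["pex"] != "false" {
		findings = append(findings, "validator: pex must be false")
	}
	for _, peer := range strings.Split(v["persistent_peers"], ",") {
		if id := strings.SplitN(peer, "@", 2)[0]; !inList(sentryIDs, id) {
			findings = append(findings, "validator: persistent peer is not a sentry: "+peer)
		}
	}
	if !inList(s["private_peer_ids"], valID) {
		findings = append(findings, "sentry: validator ID missing from private_peer_ids")
	}
	return findings
}

func main() { // constructed sample configs; node IDs and addresses are placeholders
	val := "[p2p]\npex = true\npersistent_peers = \"aaaa@10.0.1.5:26656,ffff@203.0.113.9:26656\"\n"
	sen := "[p2p]\npex = true\nprivate_peer_ids = \"\"\n"
	fmt.Println(strings.Join(AuditLayout(val, sen, "vvvv", "aaaa"), "\n"))
}
```

An empty result means both files match the layout; sentryIDs is a comma-separated list of the node IDs the validator is allowed to peer with.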

Beyond the setup of a server, a node, and an authenticated way of joining the Cudos blockchain using our in-built public key infrastructure (in coordination with Ledger HSM or YubiHSM for those validators choosing to implement them), the use of full nodes when interacting with the network is highly recommended. Thanks to ongoing advances in the Cosmos ecosystem, we plan to implement the ability for Cudos Validator Nodes to store a history of previously signed blocks in order to more seamlessly prevent double-signing by adverse or deficient nodes in the Cudos Network. This feature is currently absent in earlier-generation Tendermint blockchains. The final element keeping Cudos Network Validating nodes safe is the Tendermint Core Byzantine Fault Tolerant Proof of Stake consensus algorithm.
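One way a signer can use a record of what it has already signed to refuse a double-sign, as an added example that is not Cudos, Tendermint or TMKMS code. The SignState type, its methods, the step numbering and the sample messages are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

var ErrRegression = errors.New("refusing to sign: height/round/step regression")
var ErrDoubleSign = errors.New("refusing to sign: different message at an already-signed position")

// SignState is the signer's record of the last vote or proposal it signed.
type SignState struct {
	Height    int64
	Round     int32
	Step      int8 // assumed numbering: 1 proposal, 2 prevote, 3 precommit
	SignBytes []byte
}

// Check reports whether signing msg at (h, r, s) is safe. reuse is true when msg is
// identical to what was already signed there, so the stored signature can be resent.
func (st *SignState) Check(h int64, r int32, s int8, msg []byte) (reuse bool, err error) {
	switch {
	case h < st.Height,
		h == st.Height && r < st.Round,
		h == st.Height && r == st.Round && s < st.Step:
		return false, ErrRegression
	case h == st.Height && r == st.Round && s == st.Step:
		if bytes.Equal(msg, st.SignBytes) {
			return true, nil
		}
		return false, ErrDoubleSign
	}
	return false, nil
}

// Record stores what was signed; persist it to disk before releasing the signature.
func (st *SignState) Record(h int64, r int32, s int8, msg []byte) {
	st.Height, st.Round, st.Step = h, r, s
	st.SignBytes = append([]byte(nil), msg...)
}

func main() {
	st := &SignState{}
	st.Record(100, 0, 3, []byte("precommit for block A")) // constructed sample
	fmt.Println(st.Check(100, 0, 3, []byte("precommit for block B")))
}
```

The record only protects the key if every signer instance that holds it consults the same state, which is why a restored backup or a second node started with an old state file is the usual route to a double-sign.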
