会话密钥 · Substrate Developer Hub

会话密钥是验证者用来签署和共识相关消息的 "热密钥"。不应该将它们作为控制资金的账户密钥，应只应用于其指定用途。 They can be changed regularly; your Controller only needs to create a certificate by signing a session public key and broadcasting this certificate via an extrinsic. 会话密钥同样是以泛型进行定义的，且在 runtime 中进行具体化。

为创建会话密钥，验证人的操作者必须证明其拥有一个密钥能够代表其 Stash 帐户 (抵押) 和提名人。为此，他们使用自己的 Controller 密钥对该秘钥签名，从而创建证书。然后，他们在链上发布一笔包含该会话证书的交易，来告知区块链该会话密钥代表了他们的 Controller 密钥。

Substrate provides the Session pallet, which allows validators to manage their session keys.

Use

Session keys are used by validators to sign consensus-related messages. SessionKeys is a generic, indexable type that is made concrete in the runtime.

你可以声明任意数量的会话密钥。 For example, the default Substrate node uses four. Other chains could have more or fewer depending on what operations the chain expects its validators to perform.

In practice, validators amalgamate all of the session public keys into a single object, sign the set of public keys with a "Controller" account, and submit a transaction to register the keys on chain. This on-chain registration links a validator node with an account that holds funds. As such, that account can be credited with rewards or slashed based on the node's behavior.

The runtime declares what session keys will be included (runtime/src/lib.rs):

impl_opaque_keys! {
    pub struct SessionKeys {
        pub grandpa: Grandpa,
        pub babe: Babe,
        pub im_online: ImOnline,
        pub authority_discovery: AuthorityDiscovery,
    }
}

The actual cryptographic curve that each key uses gets defined in primitives. For example, BABE's key uses sr25519:

mod app {
      use sp_application_crypto::{app_crypto, key_types::BABE, sr25519};
      app_crypto!(sr25519, BABE);
}

This code is just an example of a Substrate node at the time of writing. 最新实现方法请参考 runtime 代码。

The default Substrate node implements Session keys in the Session pallet.

强类型的封装器

The Session keys from a Substrate node could use the same cryptography, but serve very different purposes in your runtime logic. 为了防止错误的操作使用错误的密钥，使用 Rust 强类型来封装这些密钥，以便它们彼此不兼容，并确保它们仅被用于预期目的。

密钥生成

As a node operator, you can generate keys using the RPC call author_rotateKeys. You will then need to register the new keys on chain using a session.setKeys transaction.

Note: for increased security, session keys should be changed every session. This can be done by creating a certificate via signing a session public key and broadcasting it via an extrinsic.

Since session keys are hot keys that must be kept online, the individual keys should not be used to control funds. All the logic for handling session keys is in the Substrate client, primitives, and Session pallet. If one of the Session keys is compromised, the attacker could commit slashable behavior.

例子

按照我们的教程来创建本地网络并生成密钥。

参考文档

Visit the reference docs for the 会话密钥 runtime API 的信息。
Take a look at the default Substrate 节点 runtime 中的会话密钥。
Take a look at substrate_application_crypto, used for constructing application specific strongly typed crypto wrappers.