Development discussion of WireGuard
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: WireGuard mailing list <wireguard@lists.zx2c4.com>
Cc: Jann Horn <jannh@google.com>, neumann@cgws.de
Subject: Re: WG: Need for HW-clock independent timestamps
Date: Mon, 4 Feb 2019 15:56:20 +0100
Message-ID: <CAHmME9pMHC6jV6sAGvbyRpnKdYaRYUoBnfn1mOCks_uAi3coAQ@mail.gmail.com>
In-Reply-To: <20180522202537.GA18356@matrix-dream.net>

An update on this old thread:

The only requirement for the "timestamp" field is that it's
monotonically increasing. I've been mulling over some improvements to
the current situation of just sticking a nanosecond resolution
timestamp in there raw, after discussing with Jann a few months ago
and then with Ivan the last two days at FOSDEM.

First, it's quite trivial to whiten that by only allowing a resolution
of 16 or so ms, which might mitigate various unrelated sidechannels
that think they have an oracle in WireGuard.

Second, both Ivan and Jann have suggested that rather than always
adding a fresh timestamp, we should instead choose a per-peer base
time for the first handshake, and then simply increment that on each
handshake (making sure that the stamp never exceeds the current time).
While we're holding off on new features and knobs and whatnot until
post kernel merge, this would then enable us to potentially add a
specialized option for manually setting the base time. It would by
default remain the time, as it is now, since that's almost always a
reasonable decision. But for devices without an RTC and whose flash
chips prohibit writing out a new timestamp once a second or minute or
whatever, this would allow, instead, to just write out a counter once
per boot, which is much more reasonable. Initiation of a wireguard
tunnel for those devices would be: read last counter to variable X,
increment last counter, store incremented counter to flash, tell
wireguard to use X as basetime. I think this dance should handle a lot
of the issues discussed in this thread.

Third, Ivan suggested that we actually add a blinding factor to the
timestamps, simply by adding HASH(label||private||public) or similar
to the stamp itself. I'll need to think carefully about the crypto
before committing to anything, but this kind of transformation does
not seem infeasible and might lessen a potential infoleak. A good
idea, in other words.
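The three proposals in the mail, worked through in Go as an added example that is not WireGuard's code nor anything the author committed to. It assumes the 12-byte TAI64N-style stamp layout (8-byte big-endian seconds with the 2^62 + 10 TAI64 offset, then 4-byte big-endian nanoseconds), reads "16 or so ms" as clearing the low 24 bits of the nanosecond field (2^24 ns, about 16.8 ms), and stands in SHA-256 with a made-up label for the unspecified HASH(label||private||public). The key bytes, the label and the dates are constructed.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Timestamp is the 12-byte TAI64N-style handshake timestamp: 8-byte big-endian
// seconds, then 4-byte big-endian nanoseconds, so a byte-wise compare orders
// stamps chronologically.
type Timestamp [12]byte

// tai64Base is the TAI64 label offset (2^62) plus the 10 s TAI-UTC offset
// (assumed encoding; the mail does not restate it).
const tai64Base = uint64(1)<<62 + 10

// tick is one unit of whitened resolution: 2^24 ns, about 16.8 ms, matching
// the "16 or so ms" of the first point.
const tick = uint64(1) << 24

const nsPerSec = uint64(1_000_000_000)

func encode(secs uint64, nanos uint32) Timestamp {
	var ts Timestamp
	binary.BigEndian.PutUint64(ts[:8], secs)
	binary.BigEndian.PutUint32(ts[8:], nanos)
	return ts
}

func decode(ts Timestamp) (secs uint64, nanos uint32) {
	return binary.BigEndian.Uint64(ts[:8]), binary.BigEndian.Uint32(ts[8:])
}

// After reports whether a is strictly later than b.
func (a Timestamp) After(b Timestamp) bool { return bytes.Compare(a[:], b[:]) > 0 }

// Whiten encodes t with the low 24 bits of the nanosecond field cleared, so
// the stamp exposes the clock only at tick granularity (first point).
func Whiten(t time.Time) Timestamp {
	return encode(tai64Base+uint64(t.Unix()), uint32(t.Nanosecond())&^uint32(tick-1))
}

// Responder keeps the greatest stamp seen from one peer and rejects anything
// not strictly newer; the zero Timestamp sorts below every real stamp.
type Responder struct{ last Timestamp }

func (r *Responder) Accept(in Timestamp) bool {
	if !in.After(r.last) {
		return false
	}
	r.last = in
	return true
}

// PeerStamper implements the second point on the initiator side: a per-peer
// base time fixed at the first handshake, advanced by one tick per handshake,
// and clamped so the stamp never runs ahead of the whitened current time.
type PeerStamper struct {
	base  Timestamp // whitened base: wall clock by default, or a counter-derived time
	count uint64    // handshakes issued so far
	blind uint64    // constant per-peer offset added to the seconds field (third point)
}

// NewPeerStamper fixes the base and derives the blinding offset as the low 32
// bits of SHA-256(label||private||public). SHA-256 and the label are
// stand-ins; the mail leaves the hash unspecified. Truncating to 32 bits keeps
// seconds+blind far from wrapping 64 bits, which would break ordering.
func NewPeerStamper(base time.Time, private, public []byte) *PeerStamper {
	h := sha256.New()
	h.Write([]byte("wg-timestamp-blind-v0")) // hypothetical label
	h.Write(private)
	h.Write(public)
	sum := h.Sum(nil)
	return &PeerStamper{base: Whiten(base), blind: uint64(binary.BigEndian.Uint32(sum[:4]))}
}

// Next returns the stamp for a handshake initiated at now. The clamp means
// handshakes issued faster than the clock advances reuse a stamp, which a
// Responder then rejects; with base = first-handshake time and a tick far
// smaller than the rekey interval the counter stays behind the clock.
func (p *PeerStamper) Next(now time.Time) Timestamp {
	secs, nanos := decode(p.base)
	total := uint64(nanos) + p.count*tick // ns offset into the base second
	stamp := encode(secs+total/nsPerSec, uint32(total%nsPerSec))
	if limit := Whiten(now); stamp.After(limit) {
		stamp = limit
	}
	p.count++
	s, n := decode(stamp)
	return encode(s+p.blind, n)
}

func main() {
	t0 := time.Date(2019, 2, 4, 14, 56, 20, 0, time.UTC) // constructed: the mail's date
	priv := bytes.Repeat([]byte{0x11}, 32)                // constructed dummy bytes, not real keys
	pub := bytes.Repeat([]byte{0x22}, 32)
	init := NewPeerStamper(t0, priv, pub)
	var resp Responder
	for i := 0; i < 3; i++ {
		st := init.Next(t0.Add(time.Duration(i) * 2 * time.Minute))
		fmt.Printf("handshake %d: %x accepted=%v\n", i, st, resp.Accept(st))
	}
	// Two handshakes at the same instant: the clamp yields the same stamp,
	// which the responder treats as a replay.
	again := NewPeerStamper(t0, priv, pub)
	a, b := again.Next(t0), again.Next(t0)
	fmt.Println("same-instant stamps equal:", a == b)
}
```

The clamp is applied before the blinding offset, so the blinded value can exceed wall-clock time; that is harmless because the responder only compares stamps from the same peer against each other, and a constant offset preserves their order. For the flash-constrained devices in the mail, `base` would be built from the once-per-boot counter instead of the wall clock, and everything after that is unchanged.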
