From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: WireGuard mailing list <wireguard@lists.zx2c4.com>
Cc: Kevin Milner <kamilner@kamilner.ca>
Subject: potential preshared-key changes
Date: Sun, 23 Apr 2017 00:22:22 +0200 [thread overview]
Message-ID: <CAHmME9pXHZXfY+ebGQ2KrYPxZwqW7WxNWsi=iMDjsSQcZD3cJw@mail.gmail.com> (raw)
Hi folks,
Trevor and I have been discussing for some time changing the semantics of
preshared keys. I thought about this 18 months ago, but erred on the side
of keeping things as is. After a recent conversation in SF, I'm beginning
to reconsider. I wanted to open this up for discussion, as there are
several pros and cons.
Summary: Currently the handshake mixes in the preshared-key *first*. This
means that the initiator's identity is not revealed until after the
receiver has decrypted using the preshared-key. This in turn means that
preshared-keys must be _per-interface_ instead of _per-peer_. This has
some advantages and some disadvantages. The proposal is to change the
crypto so that the preshared-key is mixed in *last*, so that
preshared-keys become shared _per-peer_.
Pros of per-interface preshared-keys (current method):
* Simplicity.
* That's how things work now.
* The preshared-key protects the identity hiding in a post-quantum
setting.
* The preshared-key contributes to the DoS MACs and the cookie
encryption.
Cons of per-interface preshared-keys (current method):
* When using WireGuard with multiple peers, the peers must all share the
same key, which increases the potential for compromise of the
preshared-key (though the session is of course stil protected with the
ordinary public key crypto).
Pros of per-peer preshared-keys (proposed method):
* Compromise of the preshared-key is less likely, since it does not need
to be shared by all peers.
Cons of per-peer preshared-keys (proposed method):
* The identity hiding is no longer protected in a post-quantum setting.
* The DoS MACs and cookie encryption no longer benefit from using the
preshared-key.
* It requires changing things.
* Kevin and I have slightly more Tamarin work to do.
Thoughts? Opinions?
Regards,
Jason
next reply other threads:[~2017-04-22 22:14 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-22 22:22 Jason A. Donenfeld [this message]
2017-04-23 7:05 ` crasm
2017-04-23 11:13 ` Fredrik Strömberg
2017-04-23 19:05 ` crasm
2017-04-23 10:49 ` Fredrik Strömberg
2017-04-28 9:24 ` Mathias
2017-04-28 10:15 ` Kalin KOZHUHAROV
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHmME9pXHZXfY+ebGQ2KrYPxZwqW7WxNWsi=iMDjsSQcZD3cJw@mail.gmail.com' \
--to=jason@zx2c4.com \
--cc=kamilner@kamilner.ca \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).