[Cryptography] WireGuard

John-Mark Gurney jmg at funkthat.com
Sat Sep 1 13:40:05 EDT 2018


Howard Chu wrote this message on Thu, Aug 30, 2018 at 16:56 +0100:
> Jerry Leichter wrote:
> > WireGuard - white paper at https://www.wireguard.com/papers/wireguard.pdf - is a new secure IP technology.  Perhaps the best quick summary is that it's IPSec with all the complexity drained out - to the point that the implementation (without the actual crypto) comes to about 4000 lines of code.
> > 
> > The paper talks about the Linux implementation.  There has since been a BSD implementation, which is also available - all this is open source - on MacOS.
> > 
> > The white paper reveals what appears to be really good and clever design and engineering.  Some of the basic principles are things we've discussed (and argued about) repeatedly here - e.g., *one* choice of crypto configuration, no "algorithm agility", no negotiation at startup.
> 
> Why is that clever? Crypto algorithms have relatively short lifespans. Without startup negotiation,
> whatever version of Wireguard you deploy today will have to be completely thrown away within a few
> years. How are you going to coordinate the deathmarch upgrades then?

AES has been going strong for almost 20 years now, and if you use
256-bit, it's probably good for another few years...

As for upgrades, the server deploys both old and new protocols on
different ports, or different machines, and clients upgrade as needed...

The good thing about eliminating algorithm agility is that you don't
have the problem with downgrade attacks...  TLS 1.2 STILL has downgrade
attacks, and it was decided that the downgrade attacks weren't "bad"
enough to force an immediate fix to it...

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
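The downgrade point raised in this thread, illustrated with a toy model (added example, not code from the list or from WireGuard): a negotiated handshake where an on-path party can strip the strong suite from the offer and neither endpoint notices, versus two defences, a MAC over the negotiation transcript (a simplification of what TLS 1.3's Finished message does, with a pre-shared key standing in for the authenticated key exchange) and the WireGuard-style design with exactly one fixed construction and nothing to negotiate. Suite names, strengths and the key are constructed for the example.

```python
import hmac
import hashlib

# Constructed suite table: higher number = stronger (illustrative only).
SUITE_STRENGTH = {"weak-legacy": 1, "modern": 3}


def server_choose(offered, supported):
    """Server picks the strongest suite that both sides list."""
    common = [s for s in offered if s in supported]
    if not common:
        raise ValueError("no common suite")
    return max(common, key=SUITE_STRENGTH.__getitem__)


def negotiate_unauthenticated(client_offer, server_supported, in_path=None):
    """Agile handshake with no integrity protection on the offer.

    `in_path` models an on-path party able to rewrite the client's offer
    before the server sees it.  Nothing binds the server's choice to what
    the client originally sent, so a silently weakened choice is accepted.
    """
    offer_seen = in_path(client_offer) if in_path else client_offer
    return server_choose(offer_seen, server_supported)


def negotiate_with_transcript_mac(client_offer, server_supported, shared_key, in_path=None):
    """Agile handshake where the server authenticates the transcript it saw.

    The client recomputes the MAC over the offer it actually sent; any
    tampering in between produces a mismatch and the handshake fails.
    `shared_key` is a constructed stand-in for a key derived from an
    authenticated key exchange.
    """
    offer_seen = in_path(client_offer) if in_path else client_offer
    choice = server_choose(offer_seen, server_supported)

    def transcript_mac(offer):
        transcript = ("|".join(offer) + "->" + choice).encode()
        return hmac.new(shared_key, transcript, hashlib.sha256).digest()

    tag_from_server = transcript_mac(offer_seen)
    tag_expected_by_client = transcript_mac(client_offer)
    if not hmac.compare_digest(tag_from_server, tag_expected_by_client):
        raise ValueError("transcript mismatch: negotiation was tampered with")
    return choice


def negotiate_fixed(client_construction, server_construction):
    """WireGuard-style: one construction per protocol version, no negotiation.

    There is no list to strip; the only possible outcomes are "same
    construction, proceed" or "different construction, fail".  Upgrading
    means deploying a new version (on a new port or host), as the reply
    above describes, not weakening the running one.
    """
    if client_construction != server_construction:
        raise ValueError("incompatible protocol version")
    return client_construction


def strip_strong_suite(offer):
    """On-path rewrite used by the demo: drop every suite except the weakest."""
    weakest = min(offer, key=SUITE_STRENGTH.__getitem__)
    return [weakest]


if __name__ == "__main__":
    offer = ["weak-legacy", "modern"]
    supported = ["weak-legacy", "modern"]
    key = b"constructed-demo-key"
    print("honest agile:", negotiate_unauthenticated(offer, supported))
    print("tampered agile:", negotiate_unauthenticated(offer, supported, strip_strong_suite))
    try:
        negotiate_with_transcript_mac(offer, supported, key, strip_strong_suite)
    except ValueError as e:
        print("tampered with transcript MAC:", e)
    print("fixed construction:", negotiate_fixed("modern", "modern"))
```

The first call shows the failure mode the thread refers to: with no binding between what was offered and what was chosen, the weakened offer is accepted and both peers go on using the weak suite. The transcript MAC turns the same tampering into a hard failure, and the fixed-construction design removes the negotiation step the attack needs in the first place.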


More information about the cryptography mailing list