[Cryptography] WireGuard

Howard Chu hyc at symas.com
Thu Aug 30 11:56:12 EDT 2018


Jerry Leichter wrote:
> WireGuard - white paper at https://www.wireguard.com/papers/wireguard.pdf - is a new secure IP technology.  Perhaps the best quick summary is that it's IPSec with all the complexity drained out - to the point that the implementation (without the actual crypto) comes to about 4000 lines of code.
> 
> The paper talks about the Linux implementation.  There has since been a BSD implementation, which is also available - all this is open source - on MacOS.
> 
> The white paper reveals what appears to be really good and clever design and engineering.  Some of the basic principles are things we've discussed (and argued about) repeatedly here - e.g., *one* choice of crypto configuration, no "algorithm agility", no negotiation at startup.

Why is that clever? Crypto algorithms have relatively short lifespans. Without startup negotiation,
whatever version of WireGuard you deploy today will have to be completely thrown away within a few
years. How are you going to coordinate the deathmarch upgrades then?
> 
> I'm wondering if others here have looked at WireGuard and have any insight into the reality.
> 
> Metacomment:  We seem to be in a new phase for public cryptography.  The first phase was the pre-history, when crypto was available only from a few companies - especially IBM.  Then we had a burst of public standardization, from algorithms (AES) to protocols (SSL on the ad hoc side; IPSec on the de jure side).  The standards had two features:  In general, beyond some of the base algorithms, they were extremely complex and difficult to get right (in many cases, we now know or strongly suspect, due to "enemy action"); and for years they "froze the market":  It was difficult to get "approval" for any crypto not based on these standards - from government, from industry, and even in discussion groups like this one, where we've generally told people "don't try to roll your own, just use the established standards".
> 
> Over the last couple of years, this has started to change.  DJB (certainly not alone, but his name keeps showing up) with new algorithms and some new base protocols.  OTR was able to establish itself because there really was no "standard" competitor.  ssh has always been there in the background, but its notion of "endpoint continuity" for secure key exchange - as a replacement for the "standardized" certificate authority model - has seen increasing acceptance.  And now we are seeing WireGuard, which is actually built on a number of other "non-standard" components.

ssh's default key model is "convenient" but less secure than the certificate authority model, as
soon as you have more than one computer in an administrative domain. How many people actually
stop and phone up a remote collaborator to verify a host key the first time they connect to a
new machine?

> Computer technology goes through these kinds of cycles.  It was not so many years ago when it was "obvious" that certain things were fixed forever:  The Intel x86 ISA was the end of CPU evolution; C was the low-level language; Windows was the OS; VB was the high-level language; desktops were the form factor.  All those moments lost in time, like tears in rain.

C is still the low-level language...

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
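
The two alternatives the message above contrasts for SSH host keys (verifying a fingerprint out of band versus trusting a certificate authority) are shown here as an added example; this is not code from the thread or from OpenSSH. It builds a constructed ed25519 host key, computes the `SHA256:` fingerprint in the same form `ssh-keygen -lf` prints, compares it against a pinned value, and classifies how a known_hosts file would treat a host: covered by an `@cert-authority` line, pinned per host, or left to trust-on-first-use. The host names, the CA line and all key bytes are made up for the example, and the classifier only does the known_hosts pattern lookup; it does not verify the certificate signature itself.

```python
"""Host-key trust checks: pinned fingerprint versus @cert-authority known_hosts.

Added example, not code from the mailing-list thread or from OpenSSH.
All key material and host names below are constructed placeholders.
"""
import base64
import fnmatch
import hashlib
import hmac
import struct


def ssh_string(b: bytes) -> bytes:
    """Encode an SSH wire 'string': uint32 big-endian length prefix + bytes."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build an OpenSSH one-line public key from a 32-byte ed25519 point.
    raw32 is a constructed placeholder, not a key belonging to any real host."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}".rstrip()


def parse_pubkey_line(line: str):
    """Split 'keytype base64blob [comment]' and decode the blob."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    # The first wire string inside the blob must repeat the declared key type.
    n = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type does not match encoded blob")
    return keytype, blob, comment


def fingerprint_sha256(blob: bytes) -> str:
    """Same format ssh-keygen -lf prints: SHA256:<unpadded base64 of sha256(blob)>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_pinned(pubkey_line: str, pinned_fingerprint: str) -> bool:
    """Out-of-band check: does the key the server presented match the fingerprint
    you obtained through another channel (the 'phone up a collaborator' step)?"""
    _, blob, _ = parse_pubkey_line(pubkey_line)
    computed = fingerprint_sha256(blob)
    return hmac.compare_digest(computed.encode(), pinned_fingerprint.encode())


def trust_model(known_hosts: str, host: str) -> str:
    """Classify how a known_hosts file covers a host:
    'ca'     -> an @cert-authority line matches (certificate model, no TOFU prompt);
    'pinned' -> a plain per-host key line matches (verified once, by hand);
    'tofu'   -> nothing matches, so the user is asked to accept a key blindly.
    '!' negations and hashed (|1|...) entries are out of scope for this example."""
    result = "tofu"
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        marker = ""
        if line.startswith("@"):
            marker, line = line.split(None, 1)
        patterns = line.split(None, 1)[0].split(",")
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            if marker == "@cert-authority":
                return "ca"
            if marker == "":
                result = "pinned"
    return result


# Constructed sample host key: 32 fixed bytes stand in for the ed25519 point.
HOST_KEY_LINE = make_ed25519_pubkey_line(bytes(range(32)), "root@db1.example.com")
HOST_FINGERPRINT = fingerprint_sha256(parse_pubkey_line(HOST_KEY_LINE)[1])

# Constructed known_hosts: one CA line covering the whole domain, plus one host
# elsewhere that was accepted the TOFU way and is now pinned individually.
KNOWN_HOSTS = "\n".join([
    "@cert-authority *.example.com " + make_ed25519_pubkey_line(bytes(32), "ops-ca"),
    "legacy.example.net " + make_ed25519_pubkey_line(bytes([7]) * 32, "legacy"),
])

if __name__ == "__main__":
    print(HOST_KEY_LINE)
    print("fingerprint:", HOST_FINGERPRINT)
    print("matches pinned value:", verify_pinned(HOST_KEY_LINE, HOST_FINGERPRINT))
    for h in ("db1.example.com", "legacy.example.net", "newbox.example.org"):
        print(h, "->", trust_model(KNOWN_HOSTS, h))
```

The point of the `@cert-authority` line is that one entry verifies every host matching `*.example.com` through the CA's signature, so new machines in the domain never produce a first-connection prompt; a per-host line only helps after someone has already done the out-of-band comparison that `verify_pinned` models.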

