[Cryptography] WireGuard

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Aug 31 10:43:19 EDT 2018


Howard Chu <hyc at symas.com> writes:

I wasn't going to respond to this because it's so obviously wrong, but since
someone else has now quoted it in a reply I'll comment on it...

>Why is that clever? Crypto algorithms have relatively short lifespans.
>Without startup negotiation, whatever version of Wireguard you deploy today
>will have to be completely thrown away within a few years. How are you going
>to coordinate the deathmarch upgrades then?

What this should say is:

  Crypto algorithms have relatively short fashion lifespans.

I can take a set of algorithms that are between twenty-five and forty-five
years old, all dating back to the dawn of history in terms of modern
cryptography, and apply them to a perfectly secure crypto protocol [0].  Just
because it's fashionable to switch to the trendiest new algorithms every few
years doesn't mean the existing ones are any less secure; they're just not
trendy any more.

We know, from years of experience with this, that the more flexibility you
build into your protocol, the more problems you'll see with it.  Wireguard is
a manifestation of Grigg's Law, "There is only one mode of operation and that
is secure".  There aren't fifteen different modes, twenty-six algorithms,
sixteen mechanisms, eighteen protocol negotiation options, and thirty-five
handshake options and systems, all of which may or may not interact
destructively and 95% of which have never been tested or examined because
everyone only uses a stereotyped tiny subset [1], until someone comes up with
an attack that uses the 95% that no-one ever did anything with, but that were
nevertheless regarded as absolutely mission-critical when the protocol was
specified.

In contrast, with a Grigg's-Law design you can be pretty sure that the one mode
that's there has been examined and beaten to death from every possible angle,
because everyone has to look at, and work with, that one mode.

Peter.

[0] Well, at about the third or fourth version, once people had pointed out
    the slip-ups in the first few versions.
[1] This pretty much describes SSH, although I'm sure IPsec has the same
    problem.