[Cryptography] WireGuard

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sat Sep 1 09:58:45 EDT 2018

Viktor Dukhovni <cryptography at dukhovni.org> writes:

>The right way to do single-suite protocols, is to tie all the choices to a
>single protocol version.  For shiny new parameters, bump the protocol
>version. Client proposes its list of protocol versions, and server chooses
>the highest supported.

Even then, you have to be very, very careful with that.  The TLS folks have
been struggling for years with anti-rollback mechanisms; it's really hard to
do them in a manner that isn't exploitable in some combination of

It'd be interesting to see a proper research paper on how to do anti-rollback
right, with full analysis and proofs to accompany it.  So far the mechanisms
have been mostly ad hoc, "this should probably do it unless someone
demonstrates otherwise".
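The negotiation Viktor describes (client offers a version list, server picks the highest it supports) and the rollback problem Peter raises, shown as an added example that is not part of the original thread and is not WireGuard or TLS code: a hypothetical toy handshake in Python in which an on-path attacker strips the newest version from the client's offer. The message encoding, the `PSK` standing in for a key the real handshake would derive from its key exchange, and the `finished_mac` label are all assumptions made for the example. The same exchange is run twice: once with the server's Finished MAC computed only over its own choice, where the downgrade goes unnoticed, and once with the MAC bound to the full transcript (the client hello as the server actually received it plus the server hello), which is the approach TLS 1.3 uses to detect the tampered offer.

```python
import hashlib
import hmac
import struct

# Hypothetical toy protocol (added example; not WireGuard, not TLS).
CLIENT_VERSIONS = [3, 2, 1]   # newest first
SERVER_VERSIONS = [3, 2]

# Constructed pre-shared key; a real handshake would derive this from its
# key exchange, which is outside the scope of this example.
PSK = b"constructed-demo-key-not-for-real-use"


def encode_client_hello(versions):
    """1-byte count followed by big-endian 2-byte version numbers (assumed format)."""
    return bytes([len(versions)]) + b"".join(struct.pack(">H", v) for v in versions)


def decode_client_hello(msg):
    count = msg[0]
    return [struct.unpack(">H", msg[1 + 2 * i:3 + 2 * i])[0] for i in range(count)]


def encode_server_hello(version):
    return struct.pack(">H", version)


def choose_version(offered, supported):
    """Server side: highest version present in both lists, else refuse."""
    common = [v for v in supported if v in offered]
    if not common:
        raise ValueError("no common protocol version")
    return max(common)


def finished_mac(key, transcript):
    """MAC over a hash of whatever bytes the caller chose to bind (the point under test)."""
    transcript_hash = hashlib.sha256(transcript).digest()
    return hmac.new(key, b"server finished" + transcript_hash, hashlib.sha256).digest()


def strip_versions(client_hello, max_allowed):
    """On-path attacker: drop every offered version above max_allowed."""
    offered = decode_client_hello(client_hello)
    return encode_client_hello([v for v in offered if v <= max_allowed])


def run_handshake(client_versions, server_versions, tamper=None, bind_transcript=True):
    """Run one exchange. Returns (version the client ends up with, client accepted?).

    tamper: optional function applied to the client hello in transit.
    bind_transcript: if True, the server's Finished MAC covers the client hello
    as received plus the server hello; if False, only the server hello.
    """
    ch_sent = encode_client_hello(client_versions)
    ch_received = tamper(ch_sent) if tamper else ch_sent

    # Server: negotiate from what it actually received, then authenticate.
    version = choose_version(decode_client_hello(ch_received), server_versions)
    sh = encode_server_hello(version)
    server_view = (ch_received + sh) if bind_transcript else sh
    mac = finished_mac(PSK, server_view)

    # Client: recompute over its own view of the exchange. Any difference
    # between what it sent and what the server saw shows up here.
    client_view = (ch_sent + sh) if bind_transcript else sh
    accepted = hmac.compare_digest(mac, finished_mac(PSK, client_view))
    return version, accepted


if __name__ == "__main__":
    downgrade = lambda m: strip_versions(m, 2)
    print("honest:            ", run_handshake(CLIENT_VERSIONS, SERVER_VERSIONS))
    print("stripped, unbound: ", run_handshake(CLIENT_VERSIONS, SERVER_VERSIONS, downgrade, False))
    print("stripped, bound:   ", run_handshake(CLIENT_VERSIONS, SERVER_VERSIONS, downgrade, True))
```

The bound variant catches the stripped offer only because both ends MAC their own view of the client hello and the attacker cannot forge the MAC; it says nothing about the harder case Peter is pointing at, where one side runs an older version of the protocol that never did transcript binding and the attacker chooses which combination of old and new behaviour the two ends fall into.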

