[Cryptography] WireGuard

[Peter Gutmann]

Viktor Dukhovni <cryptography at dukhovni.org> writes:

>The right way to do single-suite protocols, is to tie all the choices to a
>single protocol version.  For shiny new parameters, bump the protocol
>version. Client proposes its list of protocol versions, and server chooses
>the highest supported.

Even then, you have to be very, very careful with that.  The TLS folks have
been struggling for years with anti-rollback mechanisms, it's really hard to
do them in a manner that isn't exploitable in some combination of
circumstances.

It'd be interesting to see a proper research paper on how to do anti-rollback
right, with full analysis and proofs to accompany it.  So far the mechanisms
have been mostly ad hoc, "this should probably do it unless someone
demonstrates otherwise".

Peter.