[Cryptography] WireGuard

Viktor Dukhovni cryptography at dukhovni.org
Sat Sep 1 16:18:18 EDT 2018



> On Sep 1, 2018, at 9:58 AM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
> 
> Even then, you have to be very, very careful with that.  The TLS folks have
> been struggling for years with anti-rollback mechanisms, it's really hard to
> do them in a manner that isn't exploitable in some combination of
> circumstances.
> 
> It'd be interesting to see a proper research paper on how to do anti-rollback
> right, with full analysis and proofs to accompany it.  So far the mechanisms
> have been mostly ad hoc, "this should probably do it unless someone
> demonstrates otherwise".

Yes, definitely, designing the downgrade protection correctly requires care.
For this, Mike Hamburg's "Strobe" protocol framework[1] looks promising:

   https://eprint.iacr.org/2017/003/20170105:044414

Whatever the counter-measures are, they should be no more exploitable than
the lowest version supported by the client and server, and if one manages
to reasonably promptly phase out versions vulnerable to downgrade attacks,
it should be possible to evolve the system in a reasonably secure manner.


-- 
	Viktor.

[1] The STROBE protocol framework

Mike Hamburg

Abstract: The "Internet of Things" (IoT) promises ubiquitous, cheap,
connected devices. Unfortunately, most of these devices are hastily
developed and will never receive code updates. Part of the IoT's
security problem is cryptographic, but established cryptographic
solutions seem too heavy or too inflexible to adapt to new use
cases.

Here we describe Strobe, a new lightweight framework for building
both cryptographic primitives and network protocols. Strobe is a
sponge construction in the same family as Markku Saarinen's BLINKER
framework.

The Strobe framework is simple and extensible. It is suitable for
use as a hash, authenticated cipher, pseudorandom generator, and
as the symmetric component of a network protocol engine. With an
elliptic curve or other group primitive, it also provides a flexible
Schnorr signature variant.

Strobe can be instantiated with different sponge functions for
different purposes. We show how to instantiate Strobe as an instance
of NIST's draft cSHAKE algorithm. We also show a lightweight
implementation which is especially suitable for 16- and 32-bit
microcontrollers, and also for small but high-speed hardware.
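To make concrete the point above about binding version negotiation so a downgrade is detected, and the transcript-absorbing style of framework the Strobe abstract describes, here is an added example (not code from the thread, and not the Strobe framework itself): a stand-in transcript built on SHAKE256 in which both peers absorb the offered versions and the chosen version, then compare tags. It assumes a constructed pre-shared key in place of the session key a real handshake would derive.

```python
import hashlib
import hmac
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed example value: stands in for the session key a real
# key exchange would produce. Not a real key.
KEY = b"example-psk-not-for-real-use"


def transcript_tag(key: bytes, ops: List[Tuple[str, bytes]]) -> bytes:
    """Absorb the key and every (label, data) step, in order and with
    length framing, into one SHAKE256 state, then squeeze a 16-byte tag.
    This is a simplified stand-in for a Strobe-style transcript."""
    h = hashlib.shake_256()
    h.update(len(key).to_bytes(2, "big") + key)
    for label, data in ops:
        lab = label.encode()
        h.update(len(lab).to_bytes(1, "big") + lab)
        h.update(len(data).to_bytes(2, "big") + data)
    return h.digest(16)


def encode_versions(versions: Iterable[int]) -> bytes:
    """Canonical wire form of a version list (sorted, one byte each)."""
    return bytes(sorted(versions))


def negotiate(client_versions: List[int], server_versions: List[int],
              on_the_wire: Optional[Callable[[List[int]], List[int]]] = None
              ) -> Tuple[int, bool]:
    """Return (chosen_version, tags_match). on_the_wire optionally models
    a middlebox rewriting the client's offer before the server sees it."""
    seen_by_server = on_the_wire(client_versions) if on_the_wire else list(client_versions)
    chosen = max(v for v in seen_by_server if v in server_versions)
    # Server binds the offer it saw plus its choice into the transcript.
    server_tag = transcript_tag(KEY, [("offer", encode_versions(seen_by_server)),
                                      ("chosen", bytes([chosen]))])
    # Client binds the offer it actually sent plus the server's choice.
    client_tag = transcript_tag(KEY, [("offer", encode_versions(client_versions)),
                                      ("chosen", bytes([chosen]))])
    return chosen, hmac.compare_digest(server_tag, client_tag)


def drop_highest(offer: List[int]) -> List[int]:
    """Simulated downgrade for the demo: the newest offered version vanishes."""
    return [v for v in offer if v != max(offer)]


if __name__ == "__main__":
    print(negotiate([1, 2, 3], [2, 3]))               # (3, True)
    print(negotiate([1, 2, 3], [2, 3], drop_highest))  # (2, False): downgrade detected
```

Note that a peer whose lowest supported version predates transcript binding gains nothing from it, which is the "no more exploitable than the lowest supported version" limit Viktor states above.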

