[Cryptography] WireGuard
Thierry Moreau
thierry.moreau at connotech.com
Tue Sep 4 11:31:25 EDT 2018
On 30/08/18 05:54 PM, Peter Gutmann wrote:
> Jerry Leichter <leichter at lrw.com> writes:
>
>> The white paper reveals what appears to be really good and clever design and
>> engineering. Some of the basic principles are things we've discussed (and
>> argued about) repeatedly here - e.g., *one* choice of crypto configuration, no
>> "algorithm agility", no negotiation at startup.
>>
>> I'm wondering if others here have looked at WireGuard and have any insight
>> into the reality.
>
> I looked at it a while back and pretty much agree with the quoted paragraph
> above, it's a very nice design. A good independent analysis is:
>
> https://eprint.iacr.org/2018/080
>
Here is the result of looking into this very significant contribution.

Looking at the fundamental public key crypto arrangement, Wireguard is
an application of DH-based schemes combining long term (authenticating)
and ephemeral key pairs in an authenticated key agreement protocol.
Lein Harn et al. pioneered this approach (e.g. [1]). The MQV and HMQV
schemes also fall into this category. In contrast to these, the
Wireguard proposal (in its adaptation of the Noise protocol) heavily
relies on symmetric integrity algorithms for binding together the
authenticating and ephemeral DH primitives.

The other fundamental public key crypto arrangement for the same
protocol services (authenticated key agreement) is work derived from
station-to-station and SIGMA schemes ([2]) and includes IKEv2 and HIPSEC.

I never figured out an equivalent public key foundation summary for
either TLS or SSH.

Clearly Wireguard has a much wider relevance than this fundamental
public key scheme analysis (Wireguard is encompassing an impressive lot
of implementation aspects).

- Thierry Moreau
---------------
[1] L. Harn, W.-J. Hsin, and M. Manish, "Authenticated Diffie-Hellman
key agreement protocol using single cryptographic assumption", IEE
Proceedings Communications, Vol. 152, No. 4, pp. 404-410, Aug 2005,
available at http://h.web.umkc.edu/harnl/publications.html.
[2] Hugo Krawczyk, "SIGMA: the 'SIGn-and-MAc' Approach to Authenticated
Diffie-Hellman and its Use in the IKE Protocols", 2003, proceedings of
Crypto'03 (LNCS Series, Vol. 2729), extended version available at
http://www.ee.technion.ac.il/~hugo/sigma.html.
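
Added example, not part of the original post and not WireGuard's own code: a simplified sketch of how a Noise IK style handshake folds static and ephemeral X25519 outputs into one chaining key using only a symmetric KDF (HMAC-BLAKE2s), so that a peer without the matching static private key derives a different key. The key seeds, the initial label and the function names are constructed for illustration; the transcript hash, AEAD payloads, pre-shared key and cookie MACs of the real protocol are left out.

```python
import hashlib, hmac

P, A24 = 2**255 - 19, 121665
BASE = (9).to_bytes(32, "little")  # X25519 base point u = 9

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Not constant-time: illustration only."""
    n = (int.from_bytes(k, "little") & ((1 << 255) - 8)) | (1 << 254)  # clamp scalar
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = aa - bb
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def mix(ck: bytes, dh: bytes) -> bytes:
    """One HKDF step (HMAC-BLAKE2s): fold a DH output into the chaining key."""
    prk = hmac.new(ck, dh, hashlib.blake2s).digest()
    return hmac.new(prk, b"\x01", hashlib.blake2s).digest()

def chain(dh_outputs) -> bytes:
    ck = hashlib.blake2s(b"constructed demo label").digest()  # constructed start value
    for dh in dh_outputs:
        ck = mix(ck, dh)
    return ck

def demo():
    # Constructed private keys: initiator static/ephemeral, responder
    # static/ephemeral, and an unrelated static key sx.
    si, ei, sr, er, sx = (hashlib.blake2s(t).digest()
                          for t in (b"si", b"ei", b"sr", b"er", b"sx"))
    Si, Ei, Sr, Er = (x25519(k, BASE) for k in (si, ei, sr, er))
    # DH operations in Noise IK order: es, ss, ee, se.
    initiator = chain([x25519(ei, Sr), x25519(si, Sr), x25519(ei, Er), x25519(si, Er)])
    responder = chain([x25519(sr, Ei), x25519(sr, Si), x25519(er, Ei), x25519(er, Si)])
    # A peer that presents Si but holds sx instead of si: ss and se come out wrong.
    impostor = chain([x25519(ei, Sr), x25519(sx, Sr), x25519(ei, Er), x25519(sx, Er)])
    return initiator, responder, impostor
```

No signature or MAC over the DH values appears anywhere: authentication is implicit, because only the holder of the static private key can reproduce the `ss` and `se` inputs to the chain.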