I am confused ... I thought it had a security proof?
Replying to @BenLaurie
I don’t have the NDSS paper, but here’s a full version. Don’t see anything. https://www.wireguard.com/papers/wireguard.pdf …
2 replies 1 retweet 2 likes -
Replying to @matthew_d_green @BenLaurie
Dowling and Paterson just wrote one. But it seems to require changes to the protocol. https://eprint.iacr.org/2018/080
2 replies 0 retweets 4 likes -
Replying to @matthew_d_green @BenLaurie
That change (extra msg): is it a proof convenience only, or is it also necessary for achieving the desired properties?
1 reply 0 retweets 1 like -
Replying to @tobycmurray @BenLaurie
Who knows? My experience is that a broken proof often implies an attack.
2 replies 0 retweets 5 likes -
Ok, looking more closely I’d bet there’s a hack that would get you a proof of the original protocol. Maybe. But who knows.
1 reply 1 retweet 3 likes -
Replying to @matthew_d_green @BenLaurie
Thanks. Paul van Oorschot & I have been talking about this “who knows” issue. The theorem itself doesn’t help to figure it out, although the internal arguments of the proof might shed light. Hard for outsiders to weigh proof’s value when these changes are made
1 reply 0 retweets 0 likes -
Replying to @tobycmurray @BenLaurie
The general idea is that you want to analyze the key exchange and record protocol separately. But when protocols (like TLS and WireGuard) use record session keys in the key exchange, it screws all that up. Makes analysis that much harder.
2 replies 0 retweets 3 likes -
Put more generally, WireGuard very intentionally binds together the key exchange and record protocol. It's part of the design to reduce complexity and make it both securely implementable and reliable on the network.
2 replies 0 retweets 0 likes -
Yes, but with only small tweaks you could have kept about the same complexity and gotten a full security proof in a strong model. That’s the bummer.
1 reply 0 retweets 0 likes
No. "Only small tweaks" is a gross misunderstanding of the benefits afforded by putting the confirmation in the transport layer. "Kept about the same complexity" simply is a false statement.
Replying to @EdgeSecurity @matthew_d_green and
"A full security proof in a strong model." It's fairly evident that the recent paper provides this -- the "morally equivalent" argument. But aside from that paper, there's still nothing preventing somebody from doing another proof in another strong model. Just wasn't done by them.
1 reply 0 retweets 0 likes - 1 more reply