I don’t understand why “NoiseIK May have the same weakness” is making this better.
Replying to @matthew_d_green @EdgeSecurity and
At the very least, you should be precise about what part of the literature you’re criticizing, since WireGuard didn’t make the protocol up.
Replying to @tqbf @matthew_d_green and
esp. because OTHER THINGS use that protocol!
Replying to @tqbf @EdgeSecurity and
I’m criticizing WireGuard. Or more accurately I’m criticizing NDSS for accepting a paper with no security proof. I don’t know the precise relationship between WG and Noise. If you say they’re exactly the same, then that seems twice as bad. But irrelevant to NDSS.
Replying to @matthew_d_green @tqbf and
Except there's no part that's "bad" to be twiced. Noise has real merits and is a solid set of protocols that lives up to rigorous security analysis. We're now starting to get the first batch of proofs and analysis of Noise protocols. Things are looking quite positive, not "bad"
Replying to @EdgeSecurity @matthew_d_green and
And, you can certainly count on there being new, additional, proofs of Noise (and by extension of WireGuard). But sure, if your beef was NDSS accepting papers that didn't provide a proof (even though a proof came a bit after), okay then.
Replying to @EdgeSecurity @tqbf and
That’s my beef, as laid out in the tweet that started this whole thing. Also I’m surprised that Trevor didn’t find a way to solve this problem early on.
Replying to @matthew_d_green @tqbf and
That's the point you keep missing. It's *NOT* a "problem". It's a feature, not a bug, to do confirmation on the transport layer. Please read this post: https://lists.zx2c4.com/pipermail/wireguard/2018-January/002333.html … It allows us to have a DH-only protocol with only two non-droppable messages.
Replying to @EdgeSecurity @tqbf and
First off, the “fix” doesn’t increase the number of rounds, does it? Second, surely there is an alternative fix that satisfies your requirements.
Replying to @matthew_d_green @tqbf and
Did you read that mailing list post? I've pasted it a few times here. The modification increases the number of non-droppable messages. It's not suitable for a real world WireGuard protocol. Kenny, Ben, and I discussed this and were in agreement.
2 replies 0 retweets 0 likes
I'm not sure you can't get the property in two rounds without introducing signatures. Kristin Lauter seems to make this general claim in the KEA+ paper (see KEA+C). But if you are able to remove confirmation message requirement, great: you've contributed something useful.