At the very least, you should be precise about what part of the literature you’re criticizing, since Wireguard didn’t make the protocol up.
-
-
Replying to @tqbf @matthew_d_green and
esp. because OTHER THINGS use that protocol!
1 reply 0 retweets 0 likes -
Replying to @tqbf @EdgeSecurity and
I’m criticizing WireGuard. Or more accurately I’m criticizing NDSS for accepting a paper with no security proof. I don’t know the precise relationship between WG and Noise. If you say they’re exactly the same, then that seems twice as bad. But irrelevant to NDSS.
1 reply 0 retweets 1 like -
Replying to @matthew_d_green @tqbf and
Except there's no part that's "bad" to be twiced. Noise has real merits and is a solid set of protocols that lives up to rigorous security analysis. We're now starting to get the first batch of proofs and analysis of Noise protocols. Things are looking quite positive, not "bad"
2 replies 0 retweets 0 likes -
Replying to @EdgeSecurity @matthew_d_green and
And, you can certainly count on there being new, additional, proofs of Noise (and by extension of WireGuard). But sure, if your beef was NDSS accepting papers that didn't provide a proof (even though a proof came a bit after), okay then.
1 reply 0 retweets 0 likes -
Replying to @EdgeSecurity @tqbf and
That’s my beef, as laid out in the tweet that started this whole thing. Also I’m surprised that Trevor didn’t find a way to solve this problem early on.
2 replies 0 retweets 0 likes -
Replying to @matthew_d_green @tqbf and
That's the point you keep missing. It's *NOT* a "problem". It's a feature, not a bug, to do confirmation on the transport layer. Please read this post: https://lists.zx2c4.com/pipermail/wireguard/2018-January/002333.html … It allows us to have a DH-only protocol with only two non-droppable messages.
2 replies 0 retweets 0 likes -
Replying to @EdgeSecurity @tqbf and
First off, the “fix” doesn’t increase the number of rounds, does it? Second, surely there is an alternative fix that satisfies your requirements.
1 reply 0 retweets 0 likes -
Replying to @matthew_d_green @tqbf and
Did you read that mailing list post? I've pasted it a few times here. The modification increases the number of non-droppable messages. It's not suitable for a real world WireGuard protocol. Kenny, Ben, and I discussed this and were in agreement.
2 replies 0 retweets 0 likes -
Replying to @EdgeSecurity @tqbf and
I’m still convinced there’s an alternative tweak that wouldn’t increase the number of messages.
2 replies 0 retweets 0 likes
Regardless, though, it doesn't really matter much. We _do_ have proofs and confirmations of the protocol's soundness. And there will be additional proofs ahead. WireGuard and NoiseIK are solid. But as you said, your beef is just with NDSS.
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.