Results 501 ... 595 found in all logged channels for 'f:zx2c4'

(trilema) zx2c4: i'm pretty sure there's no conspiracy
(trilema) zx2c4: they're simple and fast on all hardware, and he came up with an api for using them that many developers like to use (the nacl stuff)
(trilema) zx2c4: are you skeptical of djb primitives? wondering with what motivation came that question?
(trilema) zx2c4: interesting
(trilema) zx2c4: shape packing?
(trilema) zx2c4: seems like there are many places and interesting ways to optimize at this point. lots of neat creative work coming out. but that with aes and whatnot, we're in a pretty good place in terms of symmetric crypto
(trilema) zx2c4: so anyway, i'm less concerned about symmetric cryptography than other things
(trilema) zx2c4: but even hardness of factoring... how hard is this actually? what number theoretic advances are right around the corner?
(trilema) zx2c4: as you'd hope
(trilema) zx2c4: things like RSA boil down to number theory problems. but that's in a sense scarier than the set of problems that good block ciphers tend to boil down to. because it means that those primitives have lots of _structure_, and generally structure is something that can be exploited. just look at all the amazing and fantastic attacks on things with structure. so just boiling down to a [currently considered] "hard problem" doesn't provide as much solace
(trilema) zx2c4: not any more than other things in cryptography worry me
(trilema) zx2c4: aes is also well understood, but is neither easy to implement, simple, nor fast on all hardware
(trilema) zx2c4: its also easy to implement and simple
(trilema) zx2c4: chachapoly is well understood and is fast on nearly all hardware
(trilema) zx2c4: project*
(trilema) zx2c4: if you're interested in crypto primitives in wireguard in general, i can give you an overview of our implementations. the hacl and fiat code is not the only code we have in there
(trilema) zx2c4: looks like 7T and 9T have issues. nice chart
(trilema) zx2c4: i don't own any via 2000 hardware to test on
(trilema) zx2c4: looks like intel is basically fine?
(trilema) zx2c4: if you've found an architecture attack though, please do publicise it. that sounds like it could be some really great security attack work.
(trilema) zx2c4: asciilifeform: i haven't been able to observe any non-constant time multiplications on intel in that code
(trilema) zx2c4: does that entitle me to deedbot btc?
(trilema) zx2c4: found a vuln!
(trilema) zx2c4: haha deedbot doesn't like utf8 URLs
(trilema) zx2c4: i can check for you one sec
(trilema) zx2c4: not very big at all
(trilema) zx2c4: you mean if you just wanted to hand audit the .o that comes out of this?
(trilema) zx2c4: since it's machine generated
(trilema) zx2c4: it looks... quite strange
(trilema) zx2c4: i'll show you the code
(trilema) zx2c4: our discussion of HACL* and fiat-crypto pertains to the two C implementations of x25519
(trilema) zx2c4: yes, there are no conditional jumps
(trilema) zx2c4: by only using a limited subset of constructs which are known to be constant time
(trilema) zx2c4: also, constant time
(trilema) zx2c4: carry bugs
(trilema) zx2c4: things like integer overflow, or general arithmetic errors
(trilema) zx2c4: fiat-crypto uses Coq
(trilema) zx2c4: HACL* uses F*
(trilema) zx2c4: fiat-crypto also has a 64bit one, but the HACL* one was faster
(trilema) zx2c4: the 32bit one comes from fiat-crypto
(trilema) zx2c4: the 64bit one comes from HACL*
(trilema) zx2c4: our two x25519 C implementations (32bit and 64bit) are actually generated by theorem proving software, so that we're sure they don't contain any errors
(trilema) zx2c4: with relatively simple implementations
(trilema) zx2c4: another advantage of DH over RSA is that ECDH allows for really short and sweet keys
(trilema) zx2c4: which can take entropy from trngs bla bla
(trilema) zx2c4: yes, csprng
(trilema) zx2c4: (i've got a project going on right now to rewrite that actually)
(trilema) zx2c4: in other words, the kernel's built-in RNG
(trilema) zx2c4: same source as /dev/urandom
(trilema) zx2c4: or some combination of the above
(trilema) zx2c4: when the RNG is backdoored, the ephemerals are compromised, but not necessarily the statics
(trilema) zx2c4: or, conversely,
(trilema) zx2c4: for example, when your static longterm keys are compromised, but the ephemeral keys have not been compromised, since they're erased/renewed every 2 minutes
(trilema) zx2c4: key compromise impersonation is what happens when somebody steals your private key, and then can impersonate anybody else _to_ you
(trilema) zx2c4: - key secrecy resilience when 2 of 4 keys, one from each side, are compromised (out of static initiator, static responder, ephemeral initiator, ephemeral responder)
(trilema) zx2c4: - key compromise impersonation resistance
(trilema) zx2c4: - [limited/weak] identity hiding
(trilema) zx2c4: - forward secrecy
(trilema) zx2c4: - authentication in the first message, so that unauthenticated packets aren't replied to, hence ensuring things are stealthy
(trilema) zx2c4: so for the handshake we want these properties in 1-RTT:
(trilema) zx2c4: - wireguard doesn't expose any state to the administrator. there's either an interface or there isn't. there's no concept of "connection". with a very simple timer state machine, we're able to completely hide all details from the sender side
(trilema) zx2c4: - wireguard isn't chatty. when you're not sending traffic, it shuts up and you can't tell it's there
(trilema) zx2c4: KEMs like RSA are more complicated to implement in as few round trips as DH-based protocols
(trilema) zx2c4: i've got some more design properties to enumerate if you'd like, but i can answer your direct questions too
(trilema) zx2c4: asciilifeform: i agreed to stick around for 2 hours. worry not. :P
(trilema) zx2c4: - the whole cryptokey routing table thing is very important for making things extremely simple. it pairs the identity of a public key with the ip address someone is allowed to be inside the tunnel. no fancy security marks or whatever from ipsec bloat
(trilema) zx2c4: asciilifeform: oh cool. i haven't seen this, i'll take a look
(trilema) zx2c4: - ease of system administration. since it's interface-based, things like iptables and whatnot work as you'd expect.
(trilema) zx2c4: - extremely simple configuration interface. short base64 25519 pubkeys you can paste around through any means. simple config files. everything happens on the interface level.
(trilema) zx2c4: indeed. i guess you could call the property 'stealthiness'
(trilema) zx2c4: - denial of service resistance. as mentioned, you should be able to put this on the outer edge of a network
(trilema) zx2c4: - no dynamic memory allocation. all the memory used by wireguard should be allocated at configuration time, not in response to incoming packets.
(trilema) zx2c4: - minimal state machine, as mentioned above, which means 1-RTT: if something goes wrong with a message being dropped, the solution is always to just "start over the protocol", since it's only 1-RTT. this saves amazing amounts of complexity
(trilema) zx2c4: - no parsers. fixed length fields only.
(trilema) zx2c4: - silent to unauthorized packets. if you don't know there's a wireguard endpoint there and don't have credentials to talk to it, you can't get it to respond to anything. so, you can't scan for endpoints. this makes it a good thing to put on the outer edge of your network.
(trilema) zx2c4: then on top of that i wanted a few nice properties:
(trilema) zx2c4: to make something that would make this all possible
(trilema) zx2c4: wireguard is supposed to be implementable using simple algorithms with as small of a state machine as possible, so that the code size and complexity is kept at a minimum. in other words, it aims to be easily auditable so that people can actually read it and feel confident that it doesn't have horrible vulnerabilities. with massive codebases and highly complex designs like openvpn or ipsec, this obviously isn't possible. so with wireguard i was trying
(trilema) zx2c4: are you interested in learning about the security properties i had in mind when designing wireguard?
(trilema) zx2c4: proving it.
(trilema) zx2c4: it's small, minimal, has the flexibility to be exactly what i needed and nothing larger. makes conservative choices. fits into the security model i was aiming for with the implementation properties i was looking for. i was also involved with noise from very early on, so several concerns and needs i had with wireguard got factored into noise. and since noise is a very interesting framework, it's now receiving much needed academic attention in
(trilema) zx2c4: hi asciilifeform.
(trilema) zx2c4: hello. mircea_popescu asked me to come here for two hours to field some questions about wireguard from you all. i'm not very familiar with this channel or the community in it, but i am happy to talk to whomever about wireguard. so let's start the timer now?