Tiny WireGuard Tweak

  • Jacob Appelbaum
  • Chloe Martindale
  • Peter Wu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11627)

Abstract

We show that a future adversary with access to a quantum computer, historic network traffic protected by WireGuard, and knowledge of a WireGuard user’s long-term static public key can likely decrypt many of the WireGuard user’s historic messages. We propose a simple, efficient alteration to the WireGuard protocol that mitigates this vulnerability, with negligible additional computational and memory costs. Our changes add zero additional bytes of data to the wire format of the WireGuard protocol. Our alteration provides transitional post-quantum security for any WireGuard user who does not publish their long-term static public key – it should be exchanged out-of-band.

Keywords

WireGuard, Post-quantum cryptography, Mass surveillance, Network protocol, Privacy, VPN, Security

Acknowledgements

We would like to thank Jason A. Donenfeld for WireGuard and for insightful discussions about possible ways to improve WireGuard against quantum adversaries, including his suggestion of hashing public keys. We would like to thank various anonymous helpers for their reviews of earlier drafts of this paper. We would also like to thank those in the TU/e coding theory and cryptology group and the cryptographic implementations group, including Gustavo Banegas, Daniel J. Bernstein, and especially Tanja Lange, for their valuable feedback.

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Department of Mathematics and Computer Science, Eindhoven University of Technology, Eindhoven, Netherlands