WireGuard: Next Generation Secure Kernel Network Tunnel
Cutting edge crypto, shrewd kernel design, and networking meet in a surprisingly simple combination
by Jason A. Donenfeld
At: FOSDEM 2017
WireGuard is a next generation VPN protocol, which lives in the Linux kernel, and uses state of the art cryptography. One of the most exciting recent crypto-networking developments, WireGuard aims to drastically simplify secure tunneling. The current state of VPN protocols is not pretty, with popular options, such as IPsec and OpenVPN, being overwhelmingly complex, with large attack surfaces, using mostly cryptographic designs from the 90s. WireGuard presents a new abuse-resistant and high-performance alternative based on modern cryptography, with a focus on implementation and usability simplicity. It uses a 1-RTT handshake, based on NoiseIK, to provide perfect forward secrecy, identity hiding, and resistance to key-compromise impersonation attacks, among other important security properties, as well as high performance transport using ChaCha20Poly1305. A novel IP-binding cookie MAC mechanism is used to protect against several forms of common denial-of-service attacks, both against the client and server, improving greatly on those of DTLS and IKEv2. Key distribution is handled out-of-band with extremely short Curve25519 points, which can be passed around in the likes of OpenSSH. Discarding the academic layering perfection of IPsec, WireGuard introduces the idea of a "cryptokey routing table", alongside an extremely simple and fully defined timer-state mechanism, to allow for easy and minimal configuration; WireGuard is actually securely deployable in practical settings. In order to rival the performance of IPsec, WireGuard is implemented inside the Linux kernel, but unlike IPsec, it is implemented in less than 4,000 lines of code, making the implementation manageably auditable. These features converge to create an open source VPN utility that is exceedingly simple, yet thoroughly modern and secure.
The presentation will be divided up into several parts. First, there will be an overview of the problems with IPsec, OpenVPN, and other popular VPNs, outlining attacks and weaknesses. Next, the WireGuard idea of the "cryptokey routing table" will be introduced, and we’ll walk through several properties derived from it. This will transition into a discussion of the timer state mechanism, and how secure protocols are necessarily stateful, but it’s possible to make them appear stateless to the user by exhaustively defining all possible state transitions. Then we’ll get into the hardcore meat of the presentation: the cryptography and various crypto innovations behind WireGuard. We will discuss the triple Diffie-Hellman, the role of combining static and ephemeral keys, the performance and DoS-potential of Curve25519 point multiplication, using a PRF chaining for rotating keys, identity hiding and remaining silent on a network, and clever usage of authenticated encryption with additional data. We will examine the various attack models, and enumerate the cryptographic mitigations employed by WireGuard. The sum will be a comprehensive overview of modern day crypto tricks, attacks, and useful constructions, and how these insights have been funneled into WireGuard. Finally, we’ll examine the Linux kernel implementation of WireGuard, seeing how it’s possible to avoid allocations in response to unauthenticated packets as a defense coding technique. During the presentation, a live WireGuard endpoint will be provided to audience members who wish to send packets, whether encrypted, legitimate, malformed, dubious, or otherwise curious.
Threaded throughout will be an enumeration of attacks on existing protocols and cryptographic tricks for their mitigation.
My background is in security -- kernels, hardware, reversing, crypto, large networks, etc -- and as such I've broken a lot of systems with some novel tricks and protocol insights. WireGuard is motivated by a sort of cornucopia of clever attacks (crypto and otherwise) against other networks. I made it because I wanted something I could actually confidently run on my own infrastructure, and none of the other tools were nearly up to the task. So, this talk is going to go into depth about real attacks on various protocols, in addition to unveiling some techniques to avoid entire classes of attacks.
Finally, since WireGuard is initially implemented for the Linux kernel, there have been some very interesting considerations to account for with kernel programming. Cross platform implementations are also in the works, written in Go and Rust.
Scheduled start: 2017-02-05 13:00:00