Hey lazylist,

Since the last discussion of preshared key mode in WireGuard, we've made some substantial progress. Trevor and I have been working out the crypto details [1], and Kevin and I have been tweaking our formal verification model. Everything is coming together quite nicely on that front.

For those who are just catching up on this discussion, the gist is that the PresharedKey attribute is moving from being part of the Interface to part of the Peer. This will enable PSKs to be a pair-wise value, rather than having an Interface use one PSK for all its peers, a significant security improvement.

I've written up the changes in the whitepaper [2] and the protocol doc [3]. I've implemented it in the latest git master, though probably you should wait for the next snapshot to try it out. I'm now in the process of writing [4] patches [5] for various [6] WireGuard integrations, so that when I release the next snapshot, things can transition over smoothly, in addition to various Noise libraries [7]. If all goes well, the Noise changes will be out on Tuesday, and the snapshot should happen minutes after that.

Let me know if there are any questions.

Regards,
Jason

[1] https://moderncrypto.org/mail-archive/noise/2017/001006.html
[2] https://www.wireguard.io/papers/wireguard.pdf
[3] https://www.wireguard.io/protocol/
[4] https://github.com/openwrt/packages/pull/4341/files#diff-4fe54b567672346a15da55f1c6af8c9a
[5] https://github.com/openwrt/luci/pull/1160/files
[6] https://github.com/NixOS/nixpkgs/pull/25646/files#diff-110379e7db2311e8bef5a02392ac1495
[7] https://github.com/flynn/noise/pull/11/files

_______________________________________________
WireGuard mailing list
https://lists.zx2c4.com/mailman/listinfo/wireguard
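The configuration change described in the message above (PresharedKey moving from the Interface section to each Peer), as an added example that is not part of the original e-mail or of WireGuard's own tooling: a Python function that rewrites a wg-style config so an interface-wide PSK becomes a per-peer entry. The function name `migrate_psk`, the sample config and all key strings are constructed for illustration.

```python
def _key(line):
    """Return (lowercased key, value) for a 'Key = Value' line, else (None, None)."""
    head = line.split("#", 1)[0]              # drop trailing comments
    name, sep, value = head.partition("=")    # first '=' only; base64 padding stays in value
    return (name.strip().lower(), value.strip()) if sep else (None, None)

def migrate_psk(config_text):
    """Move PresharedKey from [Interface] into every [Peer] that lacks one.

    Returns (new_text, n) where n is the number of peers that received the old
    interface-wide PSK and therefore still share one value with each other.
    """
    sections = []
    for line in config_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            sections.append({"name": s[1:-1].strip().lower(), "lines": [line]})
        elif not sections:
            sections.append({"name": "", "lines": [line]})   # text before any section
        else:
            sections[-1]["lines"].append(line)

    old_psk = None
    for sec in sections:
        if sec["name"] == "interface":
            for line in sec["lines"]:
                if _key(line)[0] == "presharedkey":
                    old_psk = _key(line)[1]
            sec["lines"] = [l for l in sec["lines"] if _key(l)[0] != "presharedkey"]

    shared = 0
    for sec in sections:
        has_psk = any(_key(l)[0] == "presharedkey" for l in sec["lines"])
        if old_psk is not None and sec["name"] == "peer" and not has_psk:
            idx = len(sec["lines"])
            while idx > 1 and not sec["lines"][idx - 1].strip():
                idx -= 1                      # insert before trailing blank lines
            sec["lines"].insert(idx, "PresharedKey = " + old_psk)
            shared += 1
    return "\n".join(l for sec in sections for l in sec["lines"]), shared

# Constructed sample: old-style interface-wide PSK plus one peer already migrated.
OLD = ("[Interface]\nPrivateKey = CONSTRUCTED-PRIVATE-KEY=\nListenPort = 51820\n"
       "PresharedKey = CONSTRUCTED-PSK-AAAA=\n\n"
       "[Peer]\nPublicKey = CONSTRUCTED-PEER-ONE=\nAllowedIPs = 10.0.0.2/32\n\n"
       "[Peer]\nPublicKey = CONSTRUCTED-PEER-TWO=\n"
       "PresharedKey = CONSTRUCTED-PSK-BBBB=\nAllowedIPs = 10.0.0.3/32\n")

if __name__ == "__main__":
    text, n = migrate_psk(OLD)
    print(text)
    print("peers still sharing the old interface PSK:", n)
```

Copying the old value into each peer only keeps existing tunnels working; the returned count shows how many peers still share that one key and need their own pair-wise PSK to get the improvement the message describes.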
