WireGuard: Next Generation Secure Kernel Network Tunnel
Cutting edge crypto, shrewd kernel design, and networking meet in a surprisingly simple combination
WireGuard is a next-generation VPN protocol that lives in the Linux kernel and uses state-of-the-art cryptography. One of the most exciting recent crypto-networking developments, WireGuard aims to drastically simplify secure tunneling. The current state of VPN protocols is not pretty: popular options, such as IPsec and OpenVPN, are overwhelmingly complex, have large attack surfaces, and mostly use cryptographic designs from the 90s. WireGuard presents a new abuse-resistant and high-performance alternative based on modern cryptography, with a focus on simplicity of implementation and use. It uses a 1-RTT handshake, based on NoiseIK, to provide perfect forward secrecy, identity hiding, and resistance to key-compromise impersonation attacks, among other important security properties, as well as high-performance transport using ChaCha20Poly1305. A novel IP-binding cookie MAC mechanism is used to protect against several forms of common denial-of-service attacks, both against the client and server, improving greatly on those of DTLS and IKEv2. Key distribution is handled out-of-band with extremely short Curve25519 points, which can be passed around in the likes of OpenSSH. Discarding the academic layering perfection of IPsec, WireGuard introduces the idea of a "cryptokey routing table", alongside an extremely simple and fully defined timer-state mechanism, to allow for easy and minimal configuration; WireGuard is actually securely deployable in practical settings. In order to rival the performance of IPsec, WireGuard is implemented inside the Linux kernel, but unlike IPsec, it is implemented in less than 4,000 lines of code, making the implementation manageably auditable. These features converge to create an open source VPN utility that is exceedingly simple, yet thoroughly modern and secure.
The presentation will be divided up into several parts. First, there will be an overview of the problems with IPsec, OpenVPN, and other popular VPNs, outlining attacks and weaknesses. Next, the WireGuard idea of the "cryptokey routing table" will be introduced, and we’ll walk through several properties derived from it. This will transition into a discussion of the timer state mechanism, and how secure protocols are necessarily stateful, but it’s possible to make them appear stateless to the user by exhaustively defining all possible state transitions. Then we’ll get into the hardcore meat of the presentation: the cryptography and various crypto innovations behind WireGuard. We will discuss the triple Diffie-Hellman, the role of combining static and ephemeral keys, the performance and DoS-potential of Curve25519 point multiplication, using PRF chaining for rotating keys, identity hiding and remaining silent on a network, and clever usage of authenticated encryption with additional data. We will examine the various attack models, and enumerate the cryptographic mitigations employed by WireGuard. The sum will be a comprehensive overview of modern-day crypto tricks, attacks, and useful constructions, and how these insights have been funneled into WireGuard. Finally, we’ll examine the Linux kernel implementation of WireGuard, seeing how it’s possible to avoid allocations in response to unauthenticated packets as a defensive coding technique. During the presentation, a live WireGuard endpoint will be provided to audience members who wish to send packets, whether encrypted, legitimate, malformed, dubious, or otherwise curious.
Threaded throughout will be an enumeration of attacks on existing protocols and cryptographic tricks for their mitigation.
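The "cryptokey routing table" named above ties each peer's public key to the tunnel IP ranges that peer may use (the AllowedIPs setting in a WireGuard configuration). The Python below is an added example, not code from WireGuard or from the presentation; the `CryptokeyRouter` class, the peer labels and the addresses are constructed for illustration. It shows the two lookups: the destination IP picks the key on send, and the inner source IP is checked against the authenticated peer on receive.

```python
import ipaddress

# Constructed sample table: peer public key (placeholder labels, not real
# Curve25519 keys) -> networks that peer may use inside the tunnel.
PEERS = {
    "PEER_A_PUBKEY": ["10.0.0.2/32", "192.168.10.0/24"],
    "PEER_B_PUBKEY": ["10.0.0.3/32", "192.168.0.0/16"],
}


class CryptokeyRouter:
    """Hypothetical illustration of a key <-> allowed-IP association."""

    def __init__(self, peers):
        self.routes = []
        for key, nets in peers.items():
            for net in nets:
                self.routes.append((ipaddress.ip_network(net), key))
        # Longest prefix first, so the first hit is the most specific route.
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def peer_for(self, address):
        ip = ipaddress.ip_address(address)
        for net, key in self.routes:
            if ip.version == net.version and ip in net:
                return key
        return None  # no peer owns this address: the packet is dropped

    def outbound_peer(self, dst):
        # Sending: the destination IP selects whose key encrypts the packet.
        return self.peer_for(dst)

    def accept_inbound(self, authenticated_key, inner_src):
        # Receiving: the packet has already decrypted and authenticated under
        # one peer's session; its inner source IP must route back to that
        # same peer, otherwise it is discarded.
        return self.peer_for(inner_src) == authenticated_key


ROUTER = CryptokeyRouter(PEERS)
```

Because the receive-side check runs only after authentication, a peer holding a valid key still cannot source packets from an address assigned to a different peer.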
My background is in security -- kernels, hardware, reversing, crypto, large networks, etc. -- and as such I've broken a lot of systems with some novel tricks and protocol insights. WireGuard is motivated by a sort of cornucopia of clever attacks (crypto and otherwise) against other networks. I made it because I wanted something I could actually confidently run on my own infrastructure, and none of the other tools were nearly up to the task. So, this talk is going to go into depth about real attacks on various protocols, in addition to unveiling some techniques to avoid entire classes of attacks.
Finally, since WireGuard is initially implemented for the Linux kernel, there have been some very interesting considerations to account for with kernel programming. Cross-platform implementations are also in the works, written in Go and Rust.
Jason A. Donenfeld