euro s p who who am i am i
play

Euro S&P Who Who Am I? Am I? Jason Donenfeld, also known as - PowerPoint PPT Presentation

Oct 09, 2022 •378 likes •807 views

Presented by Jason A. Donenfeld April 27, 2017 Euro S&P Who Who Am I? Am I? Jason Donenfeld, also known as zx2c4 , no academic affiliation. Background in exploitation, kernel vulnerabilities, crypto vulnerabilities, though quite a

  1. Presented by Jason A. Donenfeld April 27, 2017 Euro S&P

  2. Who Who Am I? Am I? ▪ Jason Donenfeld, also known as zx2c4 , no academic affiliation. ▪ Background in exploitation, kernel vulnerabilities, crypto vulnerabilities, though quite a bit of development experience too. ▪ Motivated to make a VPN that avoids the problems in both crypto and implementation that I’ve found in numerous other projects.

  3. What What is is WireGua WireGuard rd? ▪ Layer 3 secure network tunnel for IPv4 and IPv6. ▪ Opinionated. ▪ Lives in the Linux kernel, but cross platform implementations are in the works. ▪ UDP-based. Punches through firewalls. ▪ Modern conservative cryptographic principles. ▪ Emphasis on simplicity and auditability. ▪ Authentication model similar to SSH’s authenticated_keys . ▪ Replacement for OpenVPN and IPsec.

  4. Easily Easily Auditable Auditable OpenVPN Linux XFRM StrongSwan SoftEther WireGuard 116,730 LoC 13,898 LoC 405,894 LoC 329,853 LoC 3,904 LoC Plus OpenSSL! Plus StrongSwan! Plus XFRM! Less is more.

  5. Easily Easily Auditable Auditable WireGuard 3,904 LoC IPsec SoftEther OpenVPN (XFRM+StrongSwan) 329,853 LoC 116,730 419,792 LoC LoC

  6. Simp Simplicity licity of of Inte Interface rface ▪ WireGuard presents a normal network interface: # ip link add wg0 type wireguard # ip address add 192.168.3.2/24 dev wg0 # ip route add default via wg0 # ifconfig wg0 … # iptables – A INPUT -i wg0 … /etc/hosts.{allow,deny }, bind(), … ▪ Everything that ordinarily builds on top of network interfaces – like eth0 or wlan0 – can build on top of wg0 .

  7. Blasphemy! Blasphemy! ▪ WireGuard is blasphemous! ▪ We break several layering assumptions of 90s networking technologies like IPsec. ▪ IPsec involves a “transform table” for outgoing packets, which is managed by a user space daemon, which does key exchange and updates the transform table. ▪ With WireGuard, we start from a very basic building block – the network interface – and build up from there. ▪ Lacks the academically pristine layering, but through clever organization we arrive at something more coherent.

  8. Simp Simplicity licity of of Inte Interface rface ▪ The interface appears stateless to the system administrator. ▪ Add an interface – wg0 , wg1 , wg2 , … – configure its peers, and immediately packets can be sent. ▪ Endpoints roam, like in mosh. ▪ Identities are just the static public keys, just like SSH. ▪ Everything else, like session state, connections, and so forth, is invisible to admin.

  9. Crypto Cryptoke key Routing Routing ▪ The fundamental concept of any VPN is an association between public keys of peers and the IP addresses that those peers are allowed to use. ▪ A WireGuard interface has: ▪ A private key ▪ A listening UDP port ▪ A list of peers ▪ A peer: ▪ Is identified by its public key ▪ Has a list of associated tunnel IPs ▪ Optionally has an endpoint IP and port

  10. Crypto Cryptoke key Routing Routing PUBLIC KEY :: IP ADDRESS

  11. Crypto Cryptoke key Routing Routing ▪ Makes system administration very simple. ▪ If it comes from interface wg0 and is from Yoshi’s tunnel IP address of 192.168.5.17 , then the packet definitely came from Yoshi . ▪ The iptables rules are plain and clear.

  12. Timers Timers: : A Stateless A Stateless Inte Interface f rface for or a a Stateful Proto Stateful Protocol col ▪ As mentioned prior, WireGuard appears “stateless” to user space; you set up your peers, and then it just works . ▪ A series of timers manages session state internally, invisible to the user. ▪ Every transition of the state machine has been accounted for, so there are no undefined states or transitions. ▪ Event based.

  13. Timers Timers • If no session has been established for 120 seconds, send User space sends packet. handshake initiation. • Resend handshake initiation. No handshake response after 5 seconds. • Send an encrypted empty packet after 10 seconds, if we Successful authentication of don’t have anything else to send during that time. incoming packet. • Send handshake initiation. No successfully authenticated incoming packets after 15 seconds.

  14. Stati Static c All Allocations, ocations, Gu Guarded arded State, State, and and Fixed Fixed Length H Length Heade eaders rs ▪ All state required for WireGuard to work is allocated during config. ▪ No memory is dynamically allocated in response to received packets. ▪ Eliminates entire classes of vulnerabilities. ▪ All packet headers have fixed width fields, so no parsing is necessary. ▪ Eliminates another entire class of vulnerabilities. ▪ No state is modified in response to unauthenticated packets. ▪ Eliminates yet another entire class of vulnerabilities.

  15. Stealth Stealth ▪ Some aspects of WireGuard grew out of an earlier kernel rootkit project. ▪ Should not respond to any unauthenticated packets. ▪ Hinder scanners and service discovery. ▪ Service only responds to packets with correct crypto. ▪ Not chatty at all. ▪ When there’s no data to be exchanged, both peers become silent.

  16. Crypto Crypto ▪ We make use of Trevor Perrin’s Noise Protocol Framework – noiseprotocol.org ▪ Developed with much feedback from the WireGuard development. ▪ Custom written very specific implementation of NoiseIK for the kernel. ▪ The usual list of modern desirable properties you’d want from an authenticated key exchange ▪ Modern primitives: Curve25519, Blake2s, ChaCha20, Poly1305, SipHash2-4 ▪ Lack of cipher agility!

  17. Crypto Crypto ▪ Key secrecy ▪ Perfect forward secrecy – new key every 2 minutes ▪ Key agreement ▪ Authenticity ▪ KCI-resistance ▪ Identity hiding ▪ Replay-attack prevention, while allowing for network packet reordering ▪ Working on formal verification via Tamarin with Kevin Milner

  18. The The Key Ex Key Exchan change ge Responder Initiator Handshake Initiation Message Handshake Response Message Both Sides Calculate Symmetric Session Keys Transport Data Transport Data

  19. The The Key Ex Key Exchan change ge ▪ In order for two peers to exchange data, they must first derive ephemeral symmetric crypto session keys from their static public keys. ▪ The key exchange designed to keep our principles static allocations, guarded state, fixed length headers, and stealthiness. ▪ Either side can reinitiate the handshake to derive new session keys. ▪ So initiator and responder can “swap” roles. ▪ Invalid handshake messages are ignored, maintaining stealth.

  20. The The Key Ex Key Exchan change: ge: NoiseIK NoiseIK ▪ One peer is the initiator; the other is the responder. ▪ Each peer has their static identity – their long term static keypair . ▪ For each new handshake, each peer generates an ephemeral keypair . ▪ The security properties we want are achieved by computing ECDH() on the combinations of two ephemeral keypairs and two static keypairs. ▪ Session keys = Noise( ECDH(ephemeral, static), ECDH(static, ephemeral), ECDH(ephemeral, ephemeral), ECDH(static, static) ) ▪ The first three ECDH() make up the “triple DH”, and the last one allows for authentication in the first message, for 1-RTT.

  21. Key Agreemen Key Agreement and t and Corr Correctne ectness ss ▪ Key agreement is achieved even in multiple compromise situations: ▪ Both ephemeral keys compromised ▪ Initiator static compromised  Initiator still has key agreement with responder ▪ (KCI resistance) ▪ Responder static compromised  Responder still has key agreement with initiator ▪ (KCI resistance) ▪ Combinations of a static key and an ephemeral key compromised

  22. Key Secrecy Key Secrecy ▪ Dependent on key agreement. ▪ Key secrecy is achieved even in these compromise situations: ▪ Both ephemeral keys compromised ▪ Both static keys compromised ▪ Implies forward secrecy ▪ One static key and one ephemeral key

  23. Sessio Session n Un Uniquen iqueness ess ▪ Different sessions should always have different unique keys ▪ When both ephemerals are fresh, this is achieved ▪ Also, when only one ephemeral is fresh, it is achieved

  24. Iden Identity Hiding tity Hiding ▪ Initiator achieves identity hiding when no keys are compromised. ▪ Initiator also achieves identity hiding when the responder’s ephemeral key is compromised. ▪ Initiator does not achieve identity hiding when the responder’s static key is compromised. ▪ Lack of forward secrecy for identity hiding ▪ A necessity of a 1-RTT handshake

  25. Form Formal al Sym Symbolic bolic Verificatio Verification ▪ Ongoing work with Kevin Milner from Oxford to formally prove. ▪ The Tamarin model works!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Greek Fiscal Crisis and the Future of the Euro-zone and the Future of the Euro zone - a

The Greek Fiscal Crisis and the Future of the Euro-zone and the Future of the Euro zone - a

The Greek Fiscal Crisis and the Future of the Euro-zone and the Future of the Euro zone - a German View Wi Wim Ksters K t Ruhr-Universitt Bochum and Rheinisch Westflisches Institut fr Wirtschaftsforschung Essen Statement in the

536 views • 18 slides
Criteria and Procedures for Obtaining the Euro-Inf Quality Label Roland Ibbett The Euro-Inf

Criteria and Procedures for Obtaining the Euro-Inf Quality Label Roland Ibbett The Euro-Inf

Criteria and Procedures for Obtaining the Euro-Inf Quality Label Roland Ibbett The Euro-Inf Quality Label - Criteria & Procedures Talk Contents The Euro-Inf Framework The accreditation procedure Application Assessment

470 views • 14 slides
EMWIS SEMIDE www.emwis.net www.semide.net Systme Euro- Euro-Mediterranean Mditerranen

EMWIS SEMIDE www.emwis.net www.semide.net Systme Euro- Euro-Mediterranean Mditerranen

EMWIS SEMIDE www.emwis.net www.semide.net Systme Euro- Euro-Mediterranean Mditerranen Information System on dinformation sur les know how in the water savoir-faire dans le sector

298 views • 7 slides
The Euro Zone Crisis: End of the Beginning Robin Brooks Head of FX Strategy December 2014 Euro

The Euro Zone Crisis: End of the Beginning Robin Brooks Head of FX Strategy December 2014 Euro

The Euro Zone Crisis: End of the Beginning Robin Brooks Head of FX Strategy December 2014 Euro Zone Crisis: Is the worst of the crisis over? Sovereign Crisis Goldman Sachs Global Economics, Commodities and Strategy Research Euro Zone

765 views • 9 slides
Price and non-price competitiveness puzzle in the euro area Pavlos Karadeloglou European

Price and non-price competitiveness puzzle in the euro area Pavlos Karadeloglou European

Price and non-price competitiveness puzzle in the euro area Pavlos Karadeloglou European Central Bank Project LINK meeting New York October, 2012 Outline 1. Competitiveness in euro area and euro area countries: developments since 1999. 2.

802 views • 57 slides
TEMPEST SHIELDING www.euro-emc.co.uk +44 (0)1799 523073 info@euro-emc.co.uk 1

TEMPEST SHIELDING www.euro-emc.co.uk +44 (0)1799 523073 info@euro-emc.co.uk 1

TEMPEST SHIELDING www.euro-emc.co.uk +44 (0)1799 523073 info@euro-emc.co.uk 1 European EMC Products Limited EUROPEAN EMC PRODUCTS LIMITED was formed in July 1996 to supply high quality products and services to the EMC

432 views • 30 slides
ANALIZE EURO 2012 - WHY? Experience Knowledge Trends Tasks HOW WE WERE WORKING

ANALIZE EURO 2012 - WHY? Experience Knowledge Trends Tasks HOW WE WERE WORKING

EURO 2012 - TECHNICAL STUDY GROUP UKRAINE POLAND Lars Lagerback Andy Roxburgh Mordechai Shpigler Gerald Houlliere Gyrgy Mezey Fabio Capello Jean-Paul Brigger Jerzy Engel Duan Fitzel Walter Gagg Holger Osiek ANALIZE EURO 2012 - WHY?

875 views • 70 slides
Oil and the Euro Area Economy Oil and the Euro Area Economy Gert Peersman Ine Van Robays Ghent

Oil and the Euro Area Economy Oil and the Euro Area Economy Gert Peersman Ine Van Robays Ghent

Oil and the Euro Area Economy Oil and the Euro Area Economy Gert Peersman Ine Van Robays Ghent University Ghent University EEA ESEM Barcelona, 24 August 2009 Motivation Motivation Substantial crude oil price fluctuations in recent

895 views • 23 slides
Euro-Mediterranean Center on Climate Change M. Mancini 1 , A. Raolil 1 , G. Cal 1 , G. Aloisio

Euro-Mediterranean Center on Climate Change M. Mancini 1 , A. Raolil 1 , G. Cal 1 , G. Aloisio

Provisioning Flexible and High Available iRODS-based Data Services at Euro-Mediterranean Center on Climate Change M. Mancini 1 , A. Raolil 1 , G. Cal 1 , G. Aloisio 1,2 1 Fondazione Centro Euro-Mediterraneo sui Cambiamenti Climatici, Lecce,

237 views • 22 slides
EBAs vision for payments in 2020 Wolfgang Ehrmann, Euro Banking Association Daniel Szmukler,

EBAs vision for payments in 2020 Wolfgang Ehrmann, Euro Banking Association Daniel Szmukler,

EBAs vision for payments in 2020 Wolfgang Ehrmann, Euro Banking Association Daniel Szmukler, Euro Banking Association Jan Paul van Pul, ABN AMRO Bank Javier Santamaria, Banco Santander Moderator: Gilbert Lichter, Euro Banking Association

667 views • 22 slides
EUR EURO 5 O 5 EFFE EFFECT CT ST STUD UDY FOR Y FOR L-CA CATE TEGOR GORY Y VEHIC

EUR EURO 5 O 5 EFFE EFFECT CT ST STUD UDY FOR Y FOR L-CA CATE TEGOR GORY Y VEHIC

EUR EURO 5 O 5 EFFE EFFECT CT ST STUD UDY FOR Y FOR L-CA CATE TEGOR GORY Y VEHIC VEHICLE LES MCWG meeting 11 May 2016 in Brussels Specific Contract No. SI2.713570 Euro 5 Effect study for L - category vehicles PR PROJ OJEC

641 views • 17 slides
Weights and dimensions of heavy duty vehicles EP TRAN, 17 September 2013 Michael Nielsen IRU

Weights and dimensions of heavy duty vehicles EP TRAN, 17 September 2013 Michael Nielsen IRU

Weights and dimensions of heavy duty vehicles EP TRAN, 17 September 2013 Michael Nielsen IRU General Delegate to the EU Why revision is needed ! Last revision in 1996 (for goods vehicles) Euro 0 (1990) Euro I (1993) Euro II (1996) Euro

228 views • 7 slides
The Euro, the ECB and the European Sovereign Debt Crisis Professor Karl Whelan University

The Euro, the ECB and the European Sovereign Debt Crisis Professor Karl Whelan University

The Euro, the ECB and the European Sovereign Debt Crisis Professor Karl Whelan University College Dublin Presentation at IIEA July 14, 2010 Plan for Talk 1. What the euro crisis is and isnt. 2. The Eurozone Stabilisation Fund. 3. The

370 views • 13 slides
Presentation October 2018 Investec Euro Stoxx50 Digital Plus A 3.5-year equity investment linked

Presentation October 2018 Investec Euro Stoxx50 Digital Plus A 3.5-year equity investment linked

Investec Euro Stoxx50 Digital Plus Presentation October 2018 Investec Euro Stoxx50 Digital Plus A 3.5-year equity investment linked to the 100% downside protected at The ESP is a listed instrument on performance of the Euro Stoxx50 Index.

522 views • 17 slides
SAUCE: A Web-based Automated Assessment Tool for Teaching Parallel Programming Euro-EDUPAR,

SAUCE: A Web-based Automated Assessment Tool for Teaching Parallel Programming Euro-EDUPAR,

SAUCE: A Web-based Automated Assessment Tool for Teaching Parallel Programming Euro-EDUPAR, Euro-Par 2015, Vienna, Austria Moritz Schlarb, Christian Hundt, Bertil Schmidt Institute of Computer Science, Johannes Gutenberg University Mainz,

388 views • 15 slides
Euro Contrle Route is the public organisation for cooperation in road transport enforcement in

Euro Contrle Route is the public organisation for cooperation in road transport enforcement in

Euro Contrle Route is the public organisation for cooperation in road transport enforcement in Europe By Gerard Schipper ECR general delegate www.euro-controle-route.eu ECR Secretariat ECR coordinator, Ann De Vries By Regentschapsstraat 39

332 views • 5 slides
Embedded Systems Programming x86 System Architecture and PCI Bus (Module 9) Yann-Hang Lee

Embedded Systems Programming x86 System Architecture and PCI Bus (Module 9) Yann-Hang Lee

Embedded Systems Programming x86 System Architecture and PCI Bus (Module 9) Yann-Hang Lee Arizona State University yhlee@asu.edu (480) 727-7507 Summer 2014 Real-time Systems Lab, Computer Science and Engineering, ASU Interrupt and APIC

285 views • 13 slides
Anonymity Networks Laslo Hunhold Mathematisches Institut Universitt zu Kln 27th July 2017

Anonymity Networks Laslo Hunhold Mathematisches Institut Universitt zu Kln 27th July 2017

Anonymity Networks Laslo Hunhold Mathematisches Institut Universitt zu Kln 27th July 2017 In the lecture Information Theory and Statistical Physics by Prof. Dr. Johannes Berg motivation motivation hide initiator of a message in a

1.58k views • 68 slides
Information-Theoretic approaches to Information Flow Catuscia Palamidessi INRIA Saclay &

Information-Theoretic approaches to Information Flow Catuscia Palamidessi INRIA Saclay &

Information-Theoretic approaches to Information Flow Catuscia Palamidessi INRIA Saclay & Ecole Polytechnique based on joint work with Mrio S. Alvim and Miguel E. Andrs Pnuelis memorial, 9 May 2010 1 The problem Control the

488 views • 19 slides
http://cs224w.stanford.edu Better and better clusters (k), (score) Clusters get worse and

http://cs224w.stanford.edu Better and better clusters (k), (score) Clusters get worse and

CS224W: Social and Information Network Analysis Jure Leskovec, Stanford University http://cs224w.stanford.edu Better and better clusters (k), (score) Clusters get worse and worse Best cluster has ~100 nodes k, (cluster size) 11/28/2011

891 views • 39 slides
1 CONTENT Introduction Data overflow Data aggregation Formulation of Data

1 CONTENT Introduction Data overflow Data aggregation Formulation of Data

DATA RESILIENCE VIA DATA AGGREGATION: OVERCOMING OVERALL STORAGE OVERFLOW IN SENSOR NETWORKS Bin Tang, Yan Ma Presented by : Basil Alhakami 1 CONTENT Introduction Data overflow Data aggregation Formulation of Data Resilience via

270 views • 15 slides
Beyond Anonymity - Pseudonyms person pseudonym linkability role pseudonym relationship

Beyond Anonymity - Pseudonyms person pseudonym linkability role pseudonym relationship

Beyond Anonymity - Pseudonyms person pseudonym linkability role pseudonym relationship pseudonym role-relationship pseudonym transaction pseudonym anonymity Beyond Anonymity - Pseudonyms person pseudonym linkability role pseudonym

79 views • 5 slides
Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018 Outline 1 Formal Models 2

1.01k views • 81 slides
Update on cloud and storage development at NIIFI 8th TF-Storage Meeting February 4, 2011

Update on cloud and storage development at NIIFI 8th TF-Storage Meeting February 4, 2011

Update on cloud and storage development at NIIFI 8th TF-Storage Meeting February 4, 2011 Budapest, Hungary Szkelyi Szabolcs <szekelyi@niif.hu> Cloud Infrastructure as a Service Virtual machines, virtual networks, disk images,

115 views • 10 slides

More recommend