A Mechanised Cryptographic Proof of the WireGuard Virtual Private Network Protocol

Benjamin Lipp, Bruno Blanchet, Karthik Bhargavan (INRIA Paris, Prosecco)
June 18, 2019
4th IEEE European Symposium on Security and Privacy

Sections: Introduction, Protocol, Contributions, Model, Analysis, Conclusion

The WireGuard Virtual Private Network (VPN)

Protocol and implementation in progress since 2015

• uses modern cryptography
• no cryptographic agility (unlike e.g., TLS)
• works directly over UDP
• only a few thousand lines of code
• ongoing integration into the Linux kernel
• aims to replace OpenVPN and IPsec
• VPN providers are starting to adopt it

WireGuard’s Main Protocol: Noise IKpsk2 (simplified)

Initiator i knows $S_r^{pub}$ and psk. Responder r knows psk. Each aenc result is the encrypted form of its third argument and is what appears in the message.

First handshake message, initiator → responder: $E_i^{pub}$, $S_i^{pub}$, $ts$

$$
\begin{aligned}
C_1 &\leftarrow \mathrm{hkdf}_1(C_0 = \mathrm{const}_C,\ E_i^{pub}) \\
C_2 \,\|\, k_1 &\leftarrow \mathrm{hkdf}_2(C_1,\ \mathrm{dh}(E_i^{priv}, S_r^{pub})) \\
H_2 &\leftarrow \mathrm{hash}(\mathrm{hash}(\mathrm{const}_H \,\|\, S_r^{pub}) \,\|\, E_i^{pub}) \\
S_i^{pub} &\leftarrow \mathrm{aenc}(k_1,\ 0,\ S_i^{pub},\ H_2) \\
C_3 \,\|\, k_2 &\leftarrow \mathrm{hkdf}_2(C_2,\ \mathrm{dh}(S_i^{priv}, S_r^{pub})) \\
ts &\leftarrow \mathrm{aenc}(k_2,\ 0,\ \mathrm{timestamp}(),\ H_3)
\end{aligned}
$$

Second handshake message, responder → initiator: $E_r^{pub}$, $empty$

$$
\begin{aligned}
C_4 &\leftarrow \mathrm{hkdf}_1(C_3,\ E_r^{pub}) \\
C_5 &\leftarrow \mathrm{hkdf}_1(C_4,\ \mathrm{dh}(E_r^{priv}, E_i^{pub})) \\
C_6 &\leftarrow \mathrm{hkdf}_1(C_5,\ \mathrm{dh}(E_r^{priv}, S_i^{pub})) \\
C_7 \,\|\, \pi \,\|\, k_3 &\leftarrow \mathrm{hkdf}_3(C_6,\ psk) \\
empty &\leftarrow \mathrm{aenc}(k_3,\ 0,\ empty,\ H_6)
\end{aligned}
$$

Transport data messages: → $N_1, P_1$; ⇄ $N_2, P_2$; → $N_3, P_3$

$$
\begin{aligned}
T^{\rightarrow} \,\|\, T^{\leftarrow} &\leftarrow \mathrm{hkdf}_2(C_7,\ empty) \\
P_1 &\leftarrow \mathrm{aenc}(T^{\rightarrow},\ N_1 = 0,\ P_1,\ empty)
\end{aligned}
$$

WireGuard’s DoS Protection During Handshake (simplified)

Messages are exchanged between Initiator i and Responder r.

1) timestamp in the first message

2) mac1 in all handshake messages. The message is sent as $\ldots,\ mac_1,\ mac_2 = 0^{16}$, with

$$
mac_1 \leftarrow \mathrm{mac}\big(\underbrace{\mathrm{hash}(\mathrm{label}_{mac1} \,\|\, S_r^{pub})}_{\text{MAC key}},\ \underbrace{msg_\alpha}_{\text{msg bytes}}\big)
$$

3) Non-zero mac2 in response to cookie messages. After a cookie message $\tau$, the message is sent as $\ldots,\ mac_1,\ mac_2$, with

$$
mac_2 \leftarrow \mathrm{mac}\big(\tau,\ \underbrace{msg_\beta}_{\text{msg bytes incl. } mac_1}\big)
$$
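The key schedule on the Noise IKpsk2 slide, carried through for both parties (an added example, not code from the talk or from WireGuard). It assumes WireGuard's instantiation, X25519 for dh and HMAC-BLAKE2s for hkdf, which the slide leaves abstract; the aenc steps and the H hash chain are omitted, and the private keys are constructed sample values.

```python
import hashlib, hmac
P, A24, BASE = 2**255 - 19, 121665, (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder; readable, not constant-time."""
    n = (int.from_bytes(k, "little") & ((1 << 254) - 8)) | (1 << 254)  # clamp scalar
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, z2, x3, z3 = x3, z3, x2, z2
        swap = bit
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def hkdf(n: int, ck: bytes, data: bytes) -> list:
    """hkdf_n of the slide: n 32-byte outputs from HMAC-BLAKE2s."""
    prk = hmac.new(ck, data, hashlib.blake2s).digest()
    out, t = [], b""
    for i in range(1, n + 1):
        t = hmac.new(prk, t + bytes([i]), hashlib.blake2s).digest()
        out.append(t)
    return out

def key_schedule(dh_es, dh_ss, dh_ee, dh_se, ei_pub, er_pub, psk):
    """Chain C0..C7 given the four DH results; returns (k1, k2, k3, T_send, T_recv)."""
    c = hashlib.blake2s(b"Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s").digest()  # C0
    (c,) = hkdf(1, c, ei_pub)              # C1
    c, k1 = hkdf(2, c, dh_es)              # C2 || k1
    c, k2 = hkdf(2, c, dh_ss)              # C3 || k2
    (c,) = hkdf(1, c, er_pub)              # C4
    (c,) = hkdf(1, c, dh_ee)               # C5
    (c,) = hkdf(1, c, dh_se)               # C6
    c, _pi, k3 = hkdf(3, c, psk)           # C7 || pi || k3
    return (k1, k2, k3, *hkdf(2, c, b""))  # T-> || T<-

def both_sides(psk: bytes = bytes(32)):
    """Run the schedule as initiator and as responder with constructed keys."""
    si, sr, ei, er = (hashlib.blake2s(s).digest() for s in (b"Si", b"Sr", b"Ei", b"Er"))
    Si, Sr, Ei, Er = (x25519(k, BASE) for k in (si, sr, ei, er))
    init = key_schedule(x25519(ei, Sr), x25519(si, Sr), x25519(ei, Er), x25519(si, Er), Ei, Er, psk)
    resp = key_schedule(x25519(sr, Ei), x25519(sr, Si), x25519(er, Ei), x25519(er, Si), Ei, Er, psk)
    return init, resp
```

Changing only psk leaves k1 and k2 unchanged and changes k3 and both transport keys, because psk enters the chain only at C7.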
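The mac1/mac2 checks from the DoS-protection slide, as an added example (not code from the talk or from WireGuard). It assumes WireGuard's keyed BLAKE2s with a 16-byte tag as mac and the label constant `mac1----`; the derivation of τ from the sender address, the `Responder` class and the `under_load` flag are illustrative assumptions, and the encryption of the cookie reply is omitted.

```python
import hashlib, hmac, os

LABEL_MAC1 = b"mac1----"   # label constant hashed with S_r^pub to form the MAC key
ZERO_MAC = bytes(16)       # mac2 = 0^16 while the sender holds no cookie

def mac16(key: bytes, data: bytes) -> bytes:
    """Keyed BLAKE2s with a 16-byte tag (assumed instantiation of mac)."""
    return hashlib.blake2s(data, key=key, digest_size=16).digest()

def seal(body: bytes, sr_pub: bytes, cookie: bytes = b"") -> bytes:
    """Sender side: append mac1 and mac2 to a handshake message body."""
    mac1 = mac16(hashlib.blake2s(LABEL_MAC1 + sr_pub).digest(), body)  # over msg_alpha
    mac2 = mac16(cookie, body + mac1) if cookie else ZERO_MAC          # over msg_beta
    return body + mac1 + mac2

class Responder:
    """Hypothetical receiver that filters handshake messages before any DH."""
    def __init__(self, sr_pub: bytes):
        self.mac1_key = hashlib.blake2s(LABEL_MAC1 + sr_pub).digest()
        self.cookie_secret = os.urandom(32)   # would be rotated periodically
        self.under_load = False

    def cookie_for(self, addr: bytes) -> bytes:
        # tau bound to the sender address (assumption; the slide only names tau)
        return mac16(self.cookie_secret, addr)

    def check(self, packet: bytes, addr: bytes) -> str:
        body, mac1, mac2 = packet[:-32], packet[-32:-16], packet[-16:]
        if not hmac.compare_digest(mac1, mac16(self.mac1_key, body)):
            return "drop"            # sender does not know S_r^pub
        if not self.under_load:
            return "process"
        if hmac.compare_digest(mac2, mac16(self.cookie_for(addr), body + mac1)):
            return "process"         # sender can receive at the claimed address
        return "send-cookie"         # cheap reply, no DH computed yet
```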
