From a011cc1e1c08ca3bf824b77d7d8af439487dbada Mon Sep 17 00:00:00 2001 From: Karolin Varner Date: Sat, 4 Mar 2023 22:09:14 +0100 Subject: [PATCH] fix(whitepaper): Rollback adding an article to state, acknowledgement and replay MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit All of these are abstract so these are – in my view – zero articles. https://www.toppr.com/guides/english/articles/omission-of-the-article --- papers/whitepaper.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/papers/whitepaper.md b/papers/whitepaper.md index 953aa28..6a9d186 100644 --- a/papers/whitepaper.md +++ b/papers/whitepaper.md 
@@ -49,7 +49,7 @@ Forward secrecy refers to secrecy of past sessions in case all static keys are l ## Security against State Disruption Attacks {#statedis} -Both WG and PQWG are vulnerable to state disruption attacks; they rely on a timestamp to protect against the replay of the first protocol message. An attacker who can tamper with the local time of the protocol initiator can inhibit future handshakes [@statedis], rendering the initiator’s static keypair practically useless. Due to the use of the insecure NTP protocol, real-world deployments are vulnerable to this attack [@statedis_cve]. Lacking a reliable way to detect retransmission, we remove the replay protection mechanism and store the responder state in an encrypted cookie called “the biscuit” instead. Since the responder does not store any session-dependent states until the initiator is interactively authenticated, there is no state to disrupt in an attack. +Both WG and PQWG are vulnerable to state disruption attacks; they rely on a timestamp to protect against replay of the first protocol message. An attacker who can tamper with the local time of the protocol initiator can inhibit future handshakes [@statedis], rendering the initiator’s static keypair practically useless. Due to the use of the insecure NTP protocol, real-world deployments are vulnerable to this attack [@statedis_cve]. Lacking a reliable way to detect retransmission, we remove the replay protection mechanism and store the responder state in an encrypted cookie called “the biscuit” instead. Since the responder does not store any session-dependent state until the initiator is interactively authenticated, there is no state to disrupt in an attack. Note that while Rosenpass is secure against state disruption, using it does not protect WireGuard against the attack. Therefore, the hybrid Rosenpass/WireGuard setup recommended for deployment is still vulnerable. 
@@ -430,7 +430,7 @@ ICR5 and ICR6 perform biscuit replay protection using the biscuit number. This i ## Dealing with Packet Loss -The initiator deals with packet loss by storing the messages it sends to the responder and retransmitting them in randomized, exponentially increasing intervals until they get a response. Receiving RespHello terminates retransmission of InitHello. A Data or EmptyData message serves as an acknowledgement of receiving InitConf and terminates its retransmission. +The initiator deals with packet loss by storing the messages it sends to the responder and retransmitting them in randomized, exponentially increasing intervals until they get a response. Receiving RespHello terminates retransmission of InitHello. A Data or EmptyData message serves as acknowledgement of receiving InitConf and terminates its retransmission. The responder does not need to do anything special to handle RespHello retransmission – if the RespHello package is lost, the initiator retransmits InitHello and the responder can generate another RespHello package from that. InitConf retransmission needs to be handled specifically in the responder code because accepting an InitConf retransmission would reset the live session including the nonce counter, which would cause nonce reuse. Implementations must detect the case that `biscuit_no = biscuit_used` in ICR5, skip execution of ICR6 and ICR7, and just transmit another EmptyData package to confirm that the initiator can stop transmitting InitConf.
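Review bot: In the first hunk (the `## Security against State Disruption Attacks` paragraph) the "states" to "state" change is the substantive fix, since "session-dependent state" is a mass noun here and the plural read as if the responder kept several distinct states; dropping "the" before "replay of the first protocol message" is likewise fine because "replay" is used in the abstract sense the commit message argues for. While you are in that line, "Due to the use of the insecure NTP protocol" carries a redundant "protocol" (the P in NTP already stands for it); "Due to the use of insecure NTP" would fit the same article-free style this commit adopts. No objection to the hunk as is.

Review bot: In the second hunk (the `## Dealing with Packet Loss` paragraph) the "an acknowledgement" to "acknowledgement" change is acceptable either way, but two pre-existing inconsistencies in the same hunk are worth fixing in the same pass: the section heading says "Packet Loss" while the unchanged context lines say "RespHello package" and "EmptyData package", so "packet" would be the consistent term; and "The initiator deals with packet loss by storing the messages it sends ... until they get a response" switches from singular "it" to plural "they" for the same subject, so "until it gets a response" is the agreeing form. The rest of the context (detecting `biscuit_no = biscuit_used` in ICR5 and skipping ICR6/ICR7 to avoid resetting the nonce counter) is untouched and reads correctly.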