ProtonMail would be happy to implement more of the OpenPGP encryption standard. Specifically, it would be great if someone would contribute ECC support to the open-source OpenPGPjs project that ProtonMail currently maintains. There are just not cycles to do it internally, right now. A number of new features and offerings are being worked on. For example, take the bridge application (currently in beta testing) that will allow integration with IMAP-based applications like Microsoft Outlook. If there's something that is a high priority for you personally to see (such as OpenPGP ECC algorithm support), I would ask that you take the time to submit it to the ProtonMail UserVoice page. That page is monitored, and the feedback received through UserVoice is considered and strongly influential. UserVoice has a great end-user application and clarification effect that is difficult to experience through interacting with users through e-mail or traditional forum comments. I don't believe I've seen the Reddit exchange that you are referring to (I don't personally visit that site very often). If someone using an official company account was rude to you, I sincerely apologize.

I have a few concerns about the cryptosystem.

First of all, there does not appear to be a whitepaper available that describes the security architecture in any detail. Second, they do have a "Security Features" page which is rather light on the details; it mentions that ProtonVPN uses AES-256 (encryption), RSA 2048 (key exchange) and HMAC-SHA256 (auth).

I'll start with RSA: the fact that they use RSA at all for a new cryptosystem in 2017 is a red flag for me. I also can't see any details of how they use RSA, so I don't know if they have implemented padding. If they haven't implemented padding (and done so correctly!), the VPN is insecure and we can stop right here. I'm assuming they're not using something like ECDSA because RSA is faster (but not so much so to justify the potential security tradeoff, even in a VPN client).

On to AES: they commit the common marketing-mandated-security-page sin of focusing on the key size instead of the block cipher mode. They don't explain which block cipher mode they're using for AES at all - another red flag. For all I know they're using ECB (in which case, the VPN is insecure and we can stop right here). This is putting aside the question of whether or not they correctly implemented AES in whatever mode they're using.

With regards to HMAC-SHA256: in theory this is fine, but again we have no details. I'm going to go ahead and dock another point here because they're choosing to use separate primitives for encryption and authentication, when the best practice would be to use authenticated encryption like AES-GCM or AES-CCM. I admit this is bikeshedding a bit: respectable cryptographers (like cperciva) have a preference for separate construction. However, this is a VPN we're talking about, and an authenticated encryption mode would be faster than separate encryption and authentication.

A few caveats to my points: I'm quarterbacking their cryptosystem design based on one paragraph of the security page, because that's all I can find that describes their crypto. It doesn't describe it in detail, so it might still be secure. I have no knowledge of their implementation, so I can't critique that. That said, if I had to weigh the red flags I've observed here against their "developed by scientists from MIT and CERN" marketing and nothing else, the red flags win out.

First, I'm going to try not to go into this in detail right now, but HN has very weird ideas about the potency of third-party code audits, particularly for things involving cryptography. A short summary: most third-party audits of cryptographic software written in systems languages don't accomplish anything. Most crypto software you depend on has never had a full-coverage audit from third-party auditors qualified to evaluate crypto.

You can watch any talk about WireGuard to see what I mean about the way WireGuard's code is written, but the short answer is that the thing was designed from the bottom up to be simple. WireGuard's feature selection was influenced strongly by what would keep the codebase smaller and easier to review. It was also designed to simplify the object lifecycle inside the code itself. All its state is preallocated at initialization. WireGuard's cryptography is essentially an instantiation of Trevor Perrin's Noise framework.
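The ECB and authenticated-encryption points raised in the ProtonVPN critique, as an added Go example that is not from the thread and not ProtonVPN's code: it shows the block-repetition pattern that ECB leaks to anyone on the wire, and that AES-GCM, the AEAD recommended in the comment, rejects a tampered ciphertext where an unauthenticated mode would decrypt it silently. The key, nonce and plaintext are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

// Constructed, fixed key and nonce so the results are deterministic; real code draws the key
// from crypto/rand and never reuses a GCM nonce under one key.
var demoKey = bytes.Repeat([]byte{0x42}, 32) // a 32-byte key selects AES-256
var demoNonce = bytes.Repeat([]byte{0x24}, 12)

// ecbEncrypt runs the raw block cipher over each 16-byte block independently (pt must be a
// multiple of 16). Go's standard library deliberately has no ECB mode; this is the textbook
// construction, written out only to show what it leaks.
func ecbEncrypt(key, pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// repeatedBlocks counts 16-byte ciphertext blocks equal to an earlier block. Under ECB, equal
// plaintext blocks give equal ciphertext blocks, a pattern an observer reads off without the
// key; a sound mode returns 0 here.
func repeatedBlocks(ct []byte) int {
	seen, dups := map[string]bool{}, 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			dups++
		}
		seen[b] = true
	}
	return dups
}

func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// gcmSeal is the AEAD the comment recommends: one primitive gives confidentiality and
// integrity (the 16-byte tag is appended), so no separate HMAC pass is needed.
func gcmSeal(key, nonce, pt []byte) []byte {
	return newGCM(key).Seal(nil, nonce, pt, nil)
}

// gcmOpen reports false if any bit of the ciphertext or tag was altered.
func gcmOpen(key, nonce, ct []byte) ([]byte, bool) {
	pt, err := newGCM(key).Open(nil, nonce, ct, nil)
	return pt, err == nil
}
```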