Pre-shared key generation
dimon222 opened this issue · 5 comments
Any chance pre-shared key generation can be added tor each pair of mesh nodes? (Further security improvement)
It's technically possible. How much extra security would be gained from it though?
I'm not sure, based on official docs it's used always, but defaulted to bunch of 0s when not configured by user. It could help to further restrict one-to-one relationship between nodes.
I ended up writing my own extension of existing database_manager.py with generation of preshared keys. I didn't choose the way to store these keys tho, but I can still make PR.
Hmmm that sounds interesting. If you could please make a PR I'll take a closer look.
Made PR with details. (ignore the part for client identifier from above post, I reread the source and its related to public keys, not to preshared keys)
It's technically possible. How much extra security would be gained from it though?
WireGuard is not, by default, post-quantum secure. However, the pre-shared key parameter can be used to add a layer of post-quantum secrecy. It could be post-quantum secure were the public keys hashed instead of sent directly, but this is not part of the Noise Protocol Framework, on which WireGuard's handshake is based, and this hashing technique wouldn't enable forward-secure post-quantum secrecy either. The best bet for post-quantum security is to run a truly post-quantum handshake on top of WireGuard, and then insert that key into WireGuard's pre-shared key slot.