k4yt3x / wg-meshconf

WireGuard full mesh configuration generator.
GNU General Public License v3.0

Pre-shared key generation #10

Open dimon222 opened 3 years ago

dimon222 commented 3 years ago

Any chance pre-shared key generation can be added for each pair of mesh nodes? (Further security improvement)

k4yt3x commented 3 years ago

It's technically possible. How much extra security would be gained from it though?

dimon222 commented 3 years ago

I'm not sure; based on the official docs it's always used, but defaults to a bunch of 0s when not configured by the user. It could help to further restrict the one-to-one relationship between nodes.

I ended up writing my own extension of the existing database_manager.py with generation of preshared keys. I didn't choose a way to store these keys though, but I can still make a PR.

k4yt3x commented 3 years ago

Hmmm that sounds interesting. If you could please make a PR I'll take a closer look.

dimon222 commented 3 years ago

Made a PR with details. (Ignore the part about the client identifier from the above post; I reread the source and it's related to public keys, not to preshared keys.)

itoffshore commented 1 year ago

> It's technically possible. How much extra security would be gained from it though?

> Post-Quantum Secrecy
>
> WireGuard is not, by default, post-quantum secure. However, the pre-shared key parameter can be used to add a layer of post-quantum secrecy. It could be post-quantum secure were the public keys hashed instead of sent directly, but this is not part of the Noise Protocol Framework, on which WireGuard's handshake is based, and this hashing technique wouldn't enable forward-secure post-quantum secrecy either. The best bet for post-quantum security is to run a truly post-quantum handshake on top of WireGuard, and then insert that key into WireGuard's pre-shared key slot.
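An added example of per-pair pre-shared key generation for a full mesh, illustrating both the extension dimon222 describes and the pre-shared key slot quoted above; this is example code written for this page, not wg-meshconf's own database_manager.py. Node names, public keys and endpoints are constructed placeholders, and the all-zero default check reflects the behaviour mentioned earlier in the thread.

```python
import base64
import os
from itertools import combinations

# Constructed sample mesh: name -> (public key placeholder, endpoint, tunnel address).
# The public keys are NOT real WireGuard keys.
NODES = {
    "alpha": ("PUBKEY_ALPHA_PLACEHOLDER", "10.0.0.1:51820", "192.168.100.1/32"),
    "beta": ("PUBKEY_BETA_PLACEHOLDER", "10.0.0.2:51820", "192.168.100.2/32"),
    "gamma": ("PUBKEY_GAMMA_PLACEHOLDER", "10.0.0.3:51820", "192.168.100.3/32"),
}

# A WireGuard PSK is 32 bytes, base64-encoded; an all-zero key is what the kernel
# uses when no PresharedKey is configured, so it must never appear in a generated config.
ZERO_PSK = base64.b64encode(bytes(32)).decode()


def generate_psk() -> str:
    """Fresh 32-byte pre-shared key from the OS CSPRNG, same format as `wg genpsk`."""
    return base64.b64encode(os.urandom(32)).decode()


def is_valid_psk(psk: str) -> bool:
    """True if the string decodes to exactly 32 bytes and is not the all-zero default."""
    try:
        raw = base64.b64decode(psk, validate=True)
    except (ValueError, TypeError):
        return False
    return len(raw) == 32 and raw != bytes(32)


def pair_key(a: str, b: str) -> tuple:
    """Unordered pair: both ends of a tunnel must look up the same PSK."""
    return tuple(sorted((a, b)))


def generate_pair_psks(nodes: dict) -> dict:
    """One independent PSK per unordered node pair: n*(n-1)/2 keys for n nodes."""
    return {pair_key(a, b): generate_psk() for a, b in combinations(sorted(nodes), 2)}


def render_peer_section(local: str, peer: str, nodes: dict, psks: dict) -> str:
    """[Peer] block on `local` describing `peer`, carrying the pair's shared PSK."""
    pubkey, endpoint, address = nodes[peer]
    return "\n".join([
        "[Peer]",
        f"PublicKey = {pubkey}",
        f"PresharedKey = {psks[pair_key(local, peer)]}",
        f"Endpoint = {endpoint}",
        f"AllowedIPs = {address}",
    ])
```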