* Key distribution and rotation tools?
From: Giacomo Bernardi @ 2018-05-22 13:42 UTC (permalink / raw)
  To: wireguard

Hello list,
I am aware that WireGuard does not include a mechanism to distribute and
rotate pre-shared secrets by design [1].

However, even discounting a full-blown PKI, in large deployments one needs
to automate the generation/distribution/rotation of those pre-shared keys
on endpoints.

I unsuccessfully scouted around for tools that would fit in this space, did
I miss anything? Any suggestions?

Thanks!
Giacomo



[1] "All issues of key distribution and pushed configurations are out of
scope of WireGuard; these are issues much better left for other layers,
lest we end up with the bloat of IKE or OpenVPN." (
https://www.wireguard.com/#conceptual-overview)

* Re: Key distribution and rotation tools?
From: Jason A. Donenfeld @ 2018-05-22 22:01 UTC (permalink / raw)
  To: Giacomo Bernardi; +Cc: WireGuard mailing list

The Mullvad people have this interesting repo:
https://github.com/mullvad/oqs-rs/tree/master/mullvad-wg-establish-psk

The idea is to run some slow and miserable post quantum key exchange
over TCP from inside the wireguard tunnel, and then pop the result
into the PSK slot on both ends.

It'd be interesting to see someone build something similar around the
recently released libpqcrypto - https://libpqcrypto.org

* Re: Key distribution and rotation tools?
From: Jason A. Donenfeld @ 2018-05-22 22:06 UTC (permalink / raw)
  To: Giacomo Bernardi; +Cc: WireGuard mailing list

On Tue, May 22, 2018 at 3:42 PM, Giacomo Bernardi <mino@minux.it> wrote:
> rotate pre-shared secrets by design [1].

Ahh, my apologies, I read "pre-shared" and assumed you were talking
about PSK mode. But I think you're really interested in more general
key distribution.

Some people are just doing this over TLS with basic REST APIs
beforehand. Other people are distributing keys with their ansible
deployments. Others are using pre-existing channels like SSH or LDAP.
Some people think it's a nice idea to stick it in DNS with DNSSEC.
There's a project out there called 'wireguard-p2p' that does this with
a DHT.

Because the WireGuard CLI is pretty simple, it seems that different
parties doing this tend to just use simple context-specific scripts
for automating this, rather than forming a project that's reusable. To
me, that seems like mostly a good thing -- our tools are basic enough
that people don't need to run three gigabyte large enterprise java
daemons to manage it. On the other hand, I'm sure we could all benefit
from having some nice templated possibilities out there, either in
contrib/examples/ or even as their own project.

If anybody is interested in working on this kind of thing, get in touch!

* Re: Key distribution and rotation tools?
From: David Woodhouse @ 2018-05-23  9:30 UTC (permalink / raw)
  To: Jason A. Donenfeld, Giacomo Bernardi; +Cc: WireGuard mailing list

On Wed, 2018-05-23 at 00:06 +0200, Jason A. Donenfeld wrote:
> On Tue, May 22, 2018 at 3:42 PM, Giacomo Bernardi <mino@minux.it> wrote:
> > rotate pre-shared secrets by design [1].
> 
> Ahh, my apologies, I read "pre-shared" and assumed you were talking
> about PSK mode. But I think you're really interested in more general
> key distribution.
> 
> Some people are just doing this over TLS with basic REST APIs
> beforehand.

If you have established a TLS session from A to B then you can just
derive your PSK from the master secret of that TLS session.

That's exactly what the Cisco AnyConnect protocol does, for "upgrading"
its HTTPS connection to DTLS. It first connects via HTTPS and does all
the authentication and client configuration that way, and then
establishes a UDP connection *if* it isn't prevented by stupid
firewalls.

In OpenConnect we've already extended the UDP connectivity to support
*standard* DTLS1.2 and saner ciphersuites like chacha20/poly1305,
rather than Cisco's pre-v1.0 version of DTLS.

I'm toying with the idea of extending it to use WireGuard too. It seems
like a good complement — WireGuard gives us a very efficient UDP
transport with kernel acceleration, and what's left is all the bits
that are explicitly out of scope for WireGuard — configuration and
authentication and key exchange. It fills in all the gaps and turns
WireGuard into the basis of a complete client VPN solution.

Is anyone interested in that?

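David's point about deriving the PSK from the TLS session, worked through as an added example that is not part of the thread or of OpenConnect: the RFC 8446 TLS 1.3 exporter construction (the standard way to get fresh keys out of a session's master secret without handling the secret itself) carried through to the 32-byte PSK WireGuard expects. The exporter_master_secret, the two peer public keys and the exporter label are constructed placeholders; a real deployment would obtain the keying material from its TLS library's exporter API and the public keys from its WireGuard configuration.

```python
import base64
import hashlib
import hmac

HASH = hashlib.sha256          # matches a SHA-256 TLS 1.3 cipher suite
HASH_LEN = HASH().digest_size  # 32

# Constructed values: the label is not an IANA-registered exporter label, and the
# secret and public keys stand in for what a TLS stack and `wg show` would provide.
PSK_LABEL = b"EXPORTER-example-wireguard-psk"
EMS_DEMO = hashlib.sha256(b"constructed exporter_master_secret").digest()
PUB_A_DEMO, PUB_B_DEMO = b"A" * 32, b"B" * 32


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(prk, T(i-1) || info || i), concatenated."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """RFC 8446 s7.1 HKDF-Expand-Label: HkdfLabel = length || "tls13 "+label || context."""
    full_label = b"tls13 " + label
    hkdf_label = (length.to_bytes(2, "big") + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def tls13_exporter(ems: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """RFC 8446 s7.5 TLS-Exporter: Derive-Secret(ems, label, "") then expand over Hash(context)."""
    derived = hkdf_expand_label(ems, label, HASH(b"").digest(), HASH_LEN)
    return hkdf_expand_label(derived, b"exporter", HASH(context).digest(), length)


def wireguard_psk(ems: bytes, pub_a: bytes, pub_b: bytes) -> str:
    """Derive the 32-byte WireGuard PSK for one peer pair, base64 as `wg set ... preshared-key`
    reads it. The context binds the PSK to both public keys, sorted so either side computes
    the same value, and the distinct label keeps it apart from any other exporter use."""
    context = b"|".join(sorted((pub_a, pub_b)))
    return base64.b64encode(tls13_exporter(ems, PSK_LABEL, context, 32)).decode()


if __name__ == "__main__":
    psk = wireguard_psk(EMS_DEMO, PUB_A_DEMO, PUB_B_DEMO)
    print(psk, psk == wireguard_psk(EMS_DEMO, PUB_B_DEMO, PUB_A_DEMO))
```

Both endpoints run the same derivation over the same session, so each can install the result with `wg set` without the PSK ever crossing the wire; rotating the PSK is then just re-running it over a fresh TLS session.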
* Re: Key distribution and rotation tools?
From: Paul Hedderly @ 2018-05-23 11:37 UTC (permalink / raw)
  To: David Woodhouse, Jason A. Donenfeld, Giacomo Bernardi
  Cc: WireGuard mailing list

On Wed, 2018-05-23 at 10:30 +0100, David Woodhouse wrote:
> On Wed, 2018-05-23 at 00:06 +0200, Jason A. Donenfeld wrote:
> > On Tue, May 22, 2018 at 3:42 PM, Giacomo Bernardi <mino@minux.it> wrote:
> > > rotate pre-shared secrets by design [1].
> > 
> > Ahh, my apologies, I read "pre-shared" and assumed you were talking
> > about PSK mode. But I think you're really interested in more general
> > key distribution.
> > 
> > Some people are just doing this over TLS with basic REST APIs
> > beforehand.
> 
> If you have established a TLS session from A to B then you can just
> derive your PSK from the master secret of that TLS session.
> 
> That's exactly what the Cisco AnyConnect protocol does, for "upgrading"
> its HTTPS connection to DTLS. It first connects via HTTPS and does all
> the authentication and client configuration that way, and then
> establishes a UDP connection *if* it isn't prevented by stupid
> firewalls.
> 
> In OpenConnect we've already extended the UDP connectivity to support
> *standard* DTLS1.2 and saner ciphersuites like chacha20/poly1305,
> rather than Cisco's pre-v1.0 version of DTLS.
> 
> I'm toying with the idea of extending it to use WireGuard too. It seems
> like a good complement — WireGuard gives us a very efficient UDP
> transport with kernel acceleration, and what's left is all the bits
> that are explicitly out of scope for WireGuard — configuration and
> authentication and key exchange. It fills in all the gaps and turns
> WireGuard into the basis of a complete client VPN solution.
> 
> Is anyone interested in that?
> 

Very much so....

But I'm also interested after reading about a possible mash of WG and
Tinc... the mesh over WG model would be awesome.
