Learn More About The Zinc Crypto API, Which Hopes To Get Into Linux 5.0 With WireGuard


  • Learn More About The Zinc Crypto API, Which Hopes To Get Into Linux 5.0 With WireGuard

    Phoronix: Learn More About The Zinc Crypto API, Which Hopes To Get Into Linux 5.0 With WireGuard

    Last week at Kernel Recipes 2018 in Paris, WireGuard lead developer Jason Donenfeld presented on the Zinc crypto API that he has been developing for the Linux kernel to suit his in-kernel secure VPN tunnel needs but also to potentially replace the existing Linux crypto code in the future...

    http://www.phoronix.com/scan.php?pag...d-Zinc-Recipes

  • #2
    I don't trust either Zinc or WireGuard.
    There is something fishy about it. Also the recent CoC thing made me even more suspicious 🤔



    • #3
      Easy to say that. So...what's your better solution and why?



      • #4
        Originally posted by Cape
        There is something fishy about it.
        Care to detail what exactly you find fishy?

        Also:
        - One of the main targets of Zinc is to have a very small and easily readable codebase. Currently Zinc is at 4k. It's designed on purpose to be easy to review.
        - Another target of Zinc is to get cryptographers and other security academics to review it, and according to the talk they are already managing to attract some attention.
        - They are following lots of very good practices (see the example of fuzzing in the talk)

        To me, especially after looking at the talk, it seems like a decent effort in simplification and one that could lead to better code.

        (And globally the same could be said about WireGuard vs IPSec, the former trying to be as simple as possible and relying on simple proven primitives (cue in research by Daniel Julius Bernstein), the latter a horrendously complicated standard, almost on purpose to confuse any would-be implementer into making poorly secure code)



        • #5
          Originally posted by Cape
          I don't trust either Zinc or WireGuard.
          There is something fishy about it. Also the recent CoC thing made me even more suspicious 🤔
          I can't think about anything less fishy...



          • #6
            Originally posted by DrYak

            Care to detail what exactly you find fishy?

            Also:
            - One of the main targets of Zinc is to have a very small and easily readable codebase. Currently Zinc is at 4k. It's designed on purpose to be easy to review.
            - Another target of Zinc is to get cryptographers and other security academics to review it, and according to the talk they are already managing to attract some attention.
            - They are following lots of very good practices (see the example of fuzzing in the talk)

            To me, especially after looking at the talk, it seems like a decent effort in simplification and one that could lead to better code.

            (And globally the same could be said about WireGuard vs IPSec, the former trying to be as simple as possible and relying on simple proven primitives (cue in research by Daniel Julius Bernstein), the latter a horrendously complicated standard, almost on purpose to confuse any would-be implementer into making poorly secure code)
            We'll see...
            It might be a short piece of code but it's still a lot going on for the kernel.



            • #7
              I am kind of torn by what Cape said. On one hand this is probably awesome for the Linux kernel. On the other hand, if I had an ideal OS... this kind of stuff would not be in the kernel at all. I think we are pushing this crap in because we want things to go fast and the only way we know how to do that is by putting it in the kernel. The more we put into the kernel, the more we have to keep putting in.



              • #8
                Originally posted by bpetty
                The more we put into the kernel, the more we have to keep putting in.
                It's a module though.



                • #9
                  Originally posted by Cape
                  I don't trust either Zinc or WireGuard.
                  There is something fishy about it. Also the recent CoC thing made me even more suspicious 🤔
                  As a general rule, emotions should be disregarded in important decisions as they are based on arbitrary associations, and there is also the need for the human mind to find patterns that self-validate its own theories.

                  Scientific method is the only way forward in these situations.



                  • #10
                    Originally posted by bpetty
                    I am kind of torn by what Cape said. On one hand this is probably awesome for the Linux kernel. On the other hand, if I had an ideal OS... this kind of stuff would not be in the kernel at all. I think we are pushing this crap in because we want things to go fast and the only way we know how to do that is by putting it in the kernel. The more we put into the kernel, the more we have to keep putting in.
                    The stuff in Zinc is already in the kernel, it's just a horrible mess right now. Adding the Zinc code will hopefully lead to removing a heap of other code.
