by ronsor
92 days ago
I feel like the issue with FIPS is not even the lagging behind, but the fact that FIPS-approved algorithms are often harder to implement than non-FIPS alternatives. WireGuard itself is the perfect example: ChaCha20-Poly1305 is relatively simple to implement without screwing up. Curve25519 fits as well. Blake2s is fast even with only 32-bit integers. A good AES implementation without any subtle vulnerabilities is hard. They left plenty of footguns on the table for you. DJB has plenty of criticisms of secp256r1 and similar curves, which is why Ed25519 and Curve25519 exist in the first place. The algorithms might be fine, but the difficulty and complexity increase the odds that something will go wrong. Even your trusted implementation might have a bug or get one later, and there are more places for those to hide.