Wireguard Pre-Shared key Purpose?

Dasha · June 14, 2022, 7:29am

Hello,

It's been quite a few days since I started analysing on Wireguard's pre-shared key.
As per Wireguard documentation and other sources(https://www.procustodibus.com/blog/2021/09/wireguard-key-rotation/#why-rotate-wireguard-keys) I came to know that the Pre-shared key is an optional parameter for encrypting Wireguard traffic.

I would like to know,

How the Pre-shared key is used in Wiregaurd encryption?
For Wireguard key rotation, rotating the pre-shared key is best (or) rotating the Private & Public key pair is best?

Thanks in Advance.

lleachii · June 14, 2022, 7:37am

If an additional layer of symmetric-key crypto is required (for, say, post-quantum resistance), WireGuard also supports an optional pre-shared key that is mixed into the public key cryptography

~ from : https://www.wireguard.com/protocol/

See also: https://en.wikipedia.org/wiki/Post-quantum_cryptography

~ https://crypto.stackexchange.com/questions/41796/whats-the-purpose-of-key-rotation

BTW, you cannot change a public key without changing the private, and vice versa, meaning the method of identifying your peer changes.

Dasha · June 14, 2022, 9:09am

BTW, you cannot change a public key without changing the private, and vice versa, meaning the method of identifying your peer changes.

Yeah, So I have figured out a couple of possibilities for rotating the Wireguard key(s),

By modifying the Private & Public key pair in both peers.
By rotating only the Pre-shared key in both peers.

Of these which option can go with for efficient Wireguard key rotation,

lleachii · June 14, 2022, 9:29am

OK...you asked this already.

If it wasn't clear that changing the public peer seem troublesome since it changes its ID (IMHO), you'll have to decide which one you prefer. I don't know what you mean by "efficient".

Also, you forgot 3:

Change both 1 and 2

(I'm getting a feeling this is about to enter tin foil hat mode.)

Your questions assume you control both peers anyway.

Dasha · June 14, 2022, 9:48am

Got it

lleachii · June 14, 2022, 10:12am

I should also note that the public/private keys are interface-wide (all peers). The pre shared key can be changed per peer.

Dasha · June 14, 2022, 10:13am

Yes, exactly. Tats why I have thought of using the Preshared key for rotation.

Dasha · June 14, 2022, 10:32am

But If I perform Wireguard key rotation only with a pre-shared key, Will it be efficient enough in the security aspect?

lleachii · June 14, 2022, 10:57am

If you plan to ask the same questions three times, perhaps you could explain what "efficient" means to you?

Stopping attacks against quantum computers that haven't been built for production yet, while modern machines would take thousands of years seems "well suited" to secure...so I'm confused on what you're asking.

Did you read the information I provided in Post No. 2?

Dasha · June 14, 2022, 11:44am

Yeah,
Actually, I thought of getting a confirmation

mk24 · June 14, 2022, 2:56pm

A pre-shared key is the secret, if someone intercepts it while you are sending it to a peer they have what they need to decrypt the communication.

When you rotate public-private keys each peer generates a new private key and keeps it secret. Only the public key needs to be sent to the other peer(s). It isn't necessary to keep a public key secret since it is only useful when combined with the private key.

flygarn12 · June 14, 2022, 5:12pm

Isn’t it the same as in OpenVPN that the PSK only makes the handshake for the asymmetric crypto is the fog and quantum computers sucks at symetric cryptos. And there you have the “poor mans hand quantum protection”.
So even if you have the PSK you still need to crack the asymetric crypto with the quantum computer.