Old 01-02-2010, 12:42 PM   #1
baltazar3
LQ Newbie
 
Registered: Nov 2009
Posts: 13

Rep: Reputation: 0
Security of OpenVPN with premade keys


Hi

I'm a total beginner when it comes to cryptography and networking. Finally managed to create a connection with OpenVPN on Ubuntu to a VPN provider called Ivacy. On this page: http://ivacy.com/en/doc/user/setup/winxp_openvpn they give configuration files and keys, which I used. The question is, if someone wanted to see my network traffic, could they do it using the keys provided on that page? Reading the OpenVPN documentation I saw that it is also possible to create your own keys. Would that be more secure?

Thanks in advance.
 
Old 01-03-2010, 03:06 AM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by baltazar3
I'm a total beginner when it comes to cryptography and networking. Finally managed to create a connection with OpenVPN on Ubuntu to a VPN provider called Ivacy. On this page: http://ivacy.com/en/doc/user/setup/winxp_openvpn they give configuration files and keys, which I used. The question is, if someone wanted to see my network traffic, could they do it using the keys provided on that page? Reading the OpenVPN documentation I saw that it is also possible to create your own keys. Would that be more secure?
I haven't looked at the link, but it would be fair to assume that any keys they're making available to the public are, well, public keys. In other words, anything encrypted with those keys could only be decrypted with the respective private key (which isn't made public). In this context, it doesn't really matter who generated the keys (as long as you can properly verify the authenticity of the public one, and have reasonable assurance that the private one is well guarded). If you need to brush up on asymmetric encryption, the Wikipedia article is a good place to start.

Last edited by win32sux; 01-03-2010 at 03:09 AM.
 
Old 01-03-2010, 05:14 AM   #3
doc.nice
Member
 
Registered: Oct 2004
Location: Germany
Distribution: Debian
Posts: 274

Rep: Reputation: 34
NACK, they provide a PRIVATE key for the OpenVPN client to connect with.

This means that everyone else downloading this key can decrypt the handshake between their server and you, but when they link in after the connection exists, nothing could be read, because OpenVPN works with two encryptions:
The private key authentication is only used to identify the client (which seems to be the same identification for all clients here). After that, a random (symmetric) session key is generated and transmitted to the client using the certificate encryption. All "business data" after that is transmitted using the symmetric encryption.

So in short, "listen to the beginning, get everything" is the right answer here...
 
Old 01-03-2010, 08:57 AM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
I finally managed to take a quick look at the link. If that private client-side key isn't just an example, then I would say that this company chose to do things this way in order to make things easier for their clients by not requiring said clients to generate their own certificates and private/public key pairs. Still, as long as the server's private key remains private then anything encrypted using its public key will be protected (including symmetric keys, as stated by doc.nice).

That said, how are you being authenticated by this server?

Last edited by win32sux; 01-03-2010 at 08:58 AM.
 
Old 01-03-2010, 09:03 AM   #5
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by doc.nice
So in short, "listen to the beginning, get everything" is the right answer here...
Except it doesn't make sense for a company which sells a security service to present such a ridiculous vulnerability to their customers. It would be a pointless service if the bad guys can just sniff and copy the symmetric key being used.
 
Old 01-03-2010, 10:22 AM   #6
baltazar3
LQ Newbie
 
Registered: Nov 2009
Posts: 13

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by win32sux

That said, how are you being authenticated by this server?
With username and password.

So if I understand both of you right, it would be a lot more secure if I generated my own pair of keys instead?
 
Old 01-03-2010, 11:41 AM   #7
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by baltazar3
With username and password.

So if I understand both of you right, it would be a lot more secure if I generated my own pair of keys instead?
Well, if your current client private key is being published for all the world to see, then that essentially deprives the certificate of any true authentication value. So you're basically fully dependent on a "what only you know" (your password) factor for authentication purposes. Generating your own private/public key pair (and accompanying certificate) would let you have a "what only you have" (your private key) factor too, effectively giving you multi-factor authentication. So yeah, as far as authentication is concerned, using a proper client-side certificate will increase your security. That said, are you sure they'll allow you to do this? My impression when I took a look at the page you linked was that they decided it's not worth the hassle. Also, keep in mind that for this to be done properly, your certificate would need to be signed by a party which is trusted by the service provider, otherwise anyone could create a certificate to represent you and you'd be right back to where you are now.

Last edited by win32sux; 01-03-2010 at 12:04 PM. Reason: Spelling.
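
Added example (not part of the thread, and not Ivacy's or OpenVPN's code): a small audit of an OpenVPN client config for the two properties discussed above, whether the server's certificate is actually verified and whether a shared client key leaves the password as the only authentication factor. The directive names are OpenVPN's; the sample config, host name and the `key_is_shared` flag (something only the operator can know) are assumptions made for the example.

```python
# Directives that make the client check the peer's certificate is the expected server's.
SERVER_CHECKS = ("remote-cert-tls", "ns-cert-type", "verify-x509-name", "tls-remote")

# Constructed sample config (hypothetical host and file names), not the provider's file.
SAMPLE_CONFIG = """\
client
dev tun
remote vpn.example.net 1194
ca ca.crt
cert client.crt
key client.key   # same key file handed to every customer
auth-user-pass
"""

def parse_directives(text):
    """Map each directive to its argument lists; <tag>...</tag> inline blocks count as 'tag'."""
    found, inline = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if inline:                          # skip the body of an inline block
            if line == "</%s>" % inline:
                inline = None
            continue
        if not line or line.startswith(";"):
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline = line[1:-1]
            found.setdefault(inline, []).append(["[inline]"])
            continue
        name, *args = line.split()
        found.setdefault(name, []).append(args)
    return found

def audit(text, key_is_shared):
    """Return finding codes. key_is_shared is the operator's own knowledge (assumption):
    the config cannot reveal whether other people hold the same private key."""
    d = parse_directives(text)
    codes = []
    if "ca" not in d:
        codes.append("no-ca")                 # server certificate cannot be validated
    if not any(name in d for name in SERVER_CHECKS):
        codes.append("no-server-cert-check")  # peer is not checked to be a server cert
    if "key" in d and key_is_shared:
        # A published key adds no "what only you have" factor.
        codes.append("password-only" if "auth-user-pass" in d else "no-client-auth")
    return codes

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, key_is_shared=True))
```
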
 
Old 01-03-2010, 11:42 AM   #8
doc.nice
Member
 
Registered: Oct 2004
Location: Germany
Distribution: Debian
Posts: 274

Rep: Reputation: 34
Yes, it is always a good idea for a private key to be as said by its name - private.

But as win32sux says, you should have a deep look into the exact implementation of OpenVPN and the authentication model of that company in order to finally determine if this causes a security hole in that very case.
Maybe "another" feature simply renders it unneeded to use secure client certificates...
If you find out, could you please post back for any readers following your trails?
 
Old 01-03-2010, 01:11 PM   #9
baltazar3
LQ Newbie
 
Registered: Nov 2009
Posts: 13

Original Poster
Rep: Reputation: 0
Sure, I'll dive into the OpenVPN documents when I have the time, and post back here if I figure it out.
 
Old 01-03-2010, 03:13 PM   #10
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by baltazar3
Sure, I'll dive into the OpenVPN documents when I have the time, and post back here if I figure it out.
It's your service provider's documents which you must dive into, not OpenVPN's. As doc.nice says, it's all dependent on their implementation. Why don't you just ask them what the deal is?
 
Old 01-12-2010, 12:37 AM   #11
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
How'd it go with this? Did you contact the Ivacy people? What did they say?
 
  

