On 24-07-17 09:11, Steffan Karger wrote:
> The full specification is attached.
Argh, attachments are hard. The previous mail carried an older version
of the spec. Attached the newest spec. This aims to describe the same
implementation, but should have improved wording.
-Steffan
Client-specific tls-crypt keys (--tls-crypt-v2)
===============================================
This document describes the ``--tls-crypt-v2`` option, which enables OpenVPN
to use client-specific ``--tls-crypt`` keys.
Rationale
---------
``--tls-auth`` and ``tls-crypt`` use a pre-shared group key, which is shared
amongst all client and servers in an OpenVPN deployment. If any client or
server is compromised, the attacker will have access to this shared key, and it
will no longer provide any security. To reduce the risk of loosing pre-shared
keys, ``tls-crypt-v2`` adds the ability to supply each client with a unique
tls-crypt key.
``tls-crypt`` shares a group key amongst a lot of servers and clients. Even if
all these peers succeed in keeping the key secret, the key lifetime is limited
to roughly 8000 years, divided by the number of clients (see the
``--tls-crypt`` section of the man page). Using client-specific keys, we lift
this lifetime requirement to roughly 8000 years for each client key (which
"Should Be Enough For Everybody (tm)").
Implementation
--------------
Client-specific tls-crypt keys using an encrypted cookie mechanism. The
mechanism works as follows:
When setting up a tls-crypt-v2 group (similar to generating a tls-crypt or
tls-auth key previously):
1. Generate a tls-crypt-v2 server key using OpenVPN's ``--genkey``. This key
contains 4 512-bit keys, of which we use:
* the first 256 bits of key 1 as AES-256-CTR encryption key ``Ke``
* the first 256 bits of key 2 as HMAC-SHA-256 authentication key ``Ka``
2. Add the tls-crypt-v2 server key to all server configs
(``tls-crypt-v2 /path/to/server.key``)
When provisioning a client, create a client-specific tls-crypt key:
1. Generate 2048 bits client-specific key ``Kc``
2. Optionally generate metadata
3. Create a wrapped client key ``WKc``, using the same nonce-misuse-resistant
SIV contruction we use for tls-crypt:
``T = HMAC-SHA256(Ka, Kc || metadata)``
``IV = 128 most significant bits of T``
``WKc = T || AES-256-CTR(Ke, IV, Kc || metadata)``
4. Create a tls-crypt-v2 client key: PEM-encode ``Kc || WKc`` and store in a
file, using the header ``-----BEGIN OpenVPN tls-crypt-v2 client key-----``
and the footer ``-----END OpenVPN tls-crypt-v2 client key-----``. (The PEM
format is simple, and following PEM allows us to use the crypto lib function
for en/decoding.)
5. Add the tls-crypt-v2 client key to the client config
(``tls-crypt-v2 /path/to/client-specific.key``)
When setting up the openvpn connection:
1. The client reads the tls-crypt-v2 key from its config, and:
1. loads ``Kc`` as its tls-crypt key,
2. stores ``WKc`` in memory for sending to the server.
2. To start the connection, the client creates a P_CONTROL_HARD_RESET_CLIENT_V3
message without payload, wraps it with tls-crypt using ``Kc`` as the key,
and appends ``WKc``. (``WKc`` must not be encrypted, to prevent a
chicken-and-egg problem.)
3. The server receives the P_CONTROL_HARD_RESET_CLIENT_V3 message, and
a. unwraps ``WKc`` and strips ``WKc`` from the message.
b. uses unwrapped ``Kc`` to verify the remaining
P_CONTROL_HARD_RESET_CLIENT_V3 message's authentication.
The message is dropped and no error response is sent when either a or b
fails (DoS protection).
4. Server optionally checks metadata using a --tls-crypt-v2-verify script
Metadata could for example contain the users certificate serial, such that
the incoming connection can be verified against a CRL, or a notAfter
timestamp that limits the key's validity period.
This allows early abort of connnection, *before* we expose any of the
notoriously dangerous TLS, X.509 and ASN.1 parsers and thereby reduces the
attack surface of the server.
The metadata is checked *after* the OpenVPN three-way handshake has
completed, to prevent DoS attacks. (That is, once the client has proved to
the server that it posesses Kc, by authenticating a packet that contains the
session ID picked by the server.)
RFC: should the server send a 'key rejected' message if the key is e.g.
revoked or expired? That allows for better client-side error reporting, but
also reduces the DoS resilience.
6. Client and server use ``Kc`` for (un)wrapping any following control channel
messages.
Considerations
--------------
``tls-crypt-v2`` uses fixed crypto algorithms, because:
* The crypto is used before we can do any negotiation, so the algorithms have
to be predefined.
* The crypto primitives are chosen conservatively, making problems with these
primites unlikely.
* Making anything configurable adds complexity, both in implementation and
usage. We should not add anymore complexity than is absolutely neccessary.
Potential ``tls-crypt-v2`` risks:
* Slightly more work on first connection (``WKc`` unwrap + hard reset unwrap)
than with ``tls-crypt`` (hard reset unwrap) or ``tls-auth`` (hard reset
auth).
* Flexible metadata allow mistakes
(So we should make it easy to do it right. Provide tooling to create client
keys based on cert serial + CA fingerprint, provide script that uses CRL (if
available) to drop revoked keys.)
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
