On 08/06/13 01:05, Eugen Leitl wrote:
> Is there a policy how often one should change shared secrets
> for OpenVPN shared site-to-site?

There is no easy way to answer that beyond "often enough for you to feel confident in the integrity of the system".

Why aren't you using certs? Certs have the advantages of providing harder-to-crack data protection, are able to be revoked, and easily allow you to ensure you use different certs per site-to-site connector. In previous roles, I've seen a tendency for network engineers to use the same pre-shared keys for multiple site-to-site links, which means that if they ever had one of their routers stolen or otherwise compromised, they'd have to change that pre-shared key on every WAN link that used the same key (compare with simply revoking a single cert).

However, from a data protection perspective I think pre-shared keys are used as the encryption key for all traffic (i.e. governments can brute force the key given enough data and time, and if they can be bothered, of course ;-), whereas certs allow OpenVPN to form a "key exchange" channel over which a temporary, randomly generated pre-shared key is exchanged, which is then used for the next "--reneg-sec" seconds, and then the entire process is repeated. This limits the ability to brute-force, as the amount of traffic that can be captured with that key is "small" (thereby breaking the statistical assumptions all brute forcing relies on to reduce runtime), and breaking and decrypting that traffic does not help decrypt the next blob of traffic (i.e. it's about as good as it gets).

Hopefully I haven't blown cover by saying too much that's incorrect there; I'm sure someone else will let us know if I have! ;-)

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
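The two designs contrasted in the reply above, side by side as OpenVPN configuration. This is an added example, not configuration from the post or from the OpenVPN project; the hostnames, file paths and addresses are assumptions, and the directives used (`secret`, `tls-server`, `ca`/`cert`/`key`/`dh`, `crl-verify`, `tls-auth`, `remote-cert-tls`, `reneg-sec`) are standard OpenVPN options. The first block is the weak pattern the reply warns about (one static key file copied to every WAN link); the second is the per-site certificate setup it recommends.

```conf
# ---- Weak pattern: static-key mode, one key file shared by every site-to-site link ----
# Constructed example; hub-side config for the link to site B, paths/hosts are assumed.
dev tun
proto udp
remote site-b.example.net 1194
ifconfig 10.8.0.1 10.8.0.2
secret /etc/openvpn/shared-wan.key   # the same file also lives on site C, site D, ...
cipher AES-256-CBC
auth SHA256
# The cipher and HMAC keys inside shared-wan.key protect every packet for as long
# as the file is in use: there is no key exchange and no renegotiation, so all
# captured traffic sits under one key, and a lost router means re-keying every
# link that shares the file.

# ---- Recommended pattern: TLS mode with one certificate per site ----
# Constructed example; hub-side config for the same link, paths are assumed.
dev tun
proto udp
remote site-b.example.net 1194
ifconfig 10.8.0.1 10.8.0.2
tls-server
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/hub.crt
key  /etc/openvpn/pki/hub.key
dh   /etc/openvpn/pki/dh.pem
crl-verify /etc/openvpn/pki/crl.pem  # revoking site-b.crt locks out site B only
remote-cert-tls client               # peer must present a client certificate
tls-auth /etc/openvpn/pki/ta.key 0   # HMAC on the control channel (site B uses key-direction 1)
reneg-sec 3600                       # renegotiate data-channel keys hourly (OpenVPN's default)
cipher AES-256-CBC
auth SHA256
# Each site has its own cert (site-b.crt, site-c.crt, ...). Random data-channel keys
# are negotiated over TLS at connect time and again every reneg-sec seconds, so any
# one key only ever covers that window of traffic, and compromising one site's
# cert is handled by adding it to crl.pem rather than re-keying the other links.
```

The operational difference the reply describes shows up in the last two lines of each block: in static-key mode, rotation is a manual, all-links change; in TLS mode, `reneg-sec` rotates keys automatically and `crl-verify` scopes a compromise to the one certificate that was lost.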