On 09/06/13 23:54, Jason Haar wrote:
>
> Hopefully I haven't blown cover by saying too much that's incorrect
> there - I'm sure someone else will let us know if I have! ;-)
Nope, this is quite correct. Pre-shared keys are 100% static; there are no temporary keys involved. And if you lose control over your keys, all the data you sent over the tunnel in the past, present and future is to be considered compromised, until a new key has been issued.

Using certificates (PKI) you are better protected, due to the temporary keys you mention. You also have --reneg-bytes and --reneg-pkts to control how often a rekeying should happen. Also, breaking a PKI setup makes it harder to figure out the temporary key if you only have the keying material for one side. It's not impossible, but much harder than with static keys.

But bear in mind that encryption only delays unauthorised access to your data; it doesn't completely block it. Encrypted data will never be safe forever. How safe your data is depends on your encryption regime and the attacker's determination to gain access to your data. So choose your encryption level based on how long you want your data to be safe. If days or weeks is enough, static keys might be just as good as anything else. If you want it stronger than that, then you most probably want PKI.

--
kind regards,

David Sommerseth

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
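As an added illustration of the two setups the reply contrasts (this is not part of David's message and not an OpenVPN project sample), here is a static-key client configuration, where the one `secret` file is the only key and nothing ever rotates, beside a TLS/PKI client configuration that also pins the renegotiation schedule with the options mentioned. The server address, interface addresses, file names and threshold values are assumptions; the option names are standard OpenVPN 2.x options.

```conf
# file: static-client.ovpn  (pre-shared key mode, the weaker setting)
# A single long-lived key in static.key encrypts and authenticates every
# packet. There is no key exchange, so whoever obtains this file can decrypt
# traffic captured before and after the compromise until the key is replaced.
dev tun
proto udp
remote vpn.example.com 1194        # assumed server address
ifconfig 10.8.0.2 10.8.0.1         # assumed point-to-point tunnel addresses
secret static.key                  # assumed path; older syntax to create it:
                                   #   openvpn --genkey --secret static.key
cipher AES-256-CBC

# file: pki-client.ovpn  (TLS mode with certificates)
# Each session negotiates its own temporary keys over TLS; the long-term
# private key only authenticates the peer. reneg-* options decide how much
# traffic a single set of session keys may cover before a fresh negotiation.
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt                          # assumed paths to the PKI material
cert client.crt
key client.key
remote-cert-tls server             # refuse a peer cert not marked for server use
cipher AES-256-CBC
# Renegotiate whichever of these limits is reached first. OpenVPN's default
# is time-based only (reneg-sec 3600); the values below are assumptions
# chosen for illustration, not recommended defaults.
reneg-sec 600                      # at most 10 minutes per session key
reneg-bytes 67108864               # or 64 MiB of tunnel traffic
reneg-pkts 100000                  # or 100k packets
```

The server side needs the matching counterparts (the same static.key in the first case; its own certificate, key and the CA in the second). With the static configuration the only way to limit exposure is to regenerate and redistribute the key by hand; with the TLS configuration the renegotiation thresholds bound how much traffic any one session key protects, which is the "how long do you want the data to be safe" trade-off the reply describes.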