On 24/09/14 10:26, David Sommerseth wrote:
> On 24/09/14 10:15, Gert Doering wrote:
>>> But to get to the point, that if I set up openvpn on my droplet
>>> and let's say an evil admin is sniffing my traffic for 3 months
>>> with tcpdump, then decides to decrypt that traffic, what tools
>>> does he have (if any) to do this? At this point he has a pcap
>>> file and the openvpn server certificates and keys.
>
>> Now that is easy - OpenVPN does PFS, so the stored keys won't
>> help decrypt sniffed session traffic.
>
> If an attacker has sniffed the complete handshake and is in
> possession of the keys, I believe it is a theoretical possibility
> to compromise the key exchange handshake. Which again gives you
> access to the tunnel data. If the attacker in addition has
> access to client keys, then this process goes even faster. But it
> is correct that you don't get the raw key out of the handshake.
Gert and I have had a private discussion regarding whether it is possible or not to break the session key. We both agree that it's not an easy task, and capturing data + having the key material alone isn't enough to break the session key. But I believe with that information it is in theory possible to mount an attack, when weaknesses in the Diffie-Hellman key exchange are discovered and utilised.

Some papers on these issues related to weaknesses in DH:

<http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf> (CVE-2011-5095, CVE-2011-1923)
<http://www.it.iitb.ac.in/~praj/acads/netsec/FinalReport.pdf>
<http://crypto.cs.mcgill.ca/~stiglic/Papers/dhfull.pdf>

What I'm actually saying is that no packet passing over the Internet is safe forever. There will always be weaknesses discovered which can be used. So the important aspect of encryption isn't to make it safe forever, but to protect it for as long as the data has value for an attacker. In this regard, I'm one of those who don't think the word "Perfect" in PFS is appropriate, because it never will be 100% perfect.

However, one more point we've forgotten to mention, which is far more important: random data.

You must have good quality random data when generating private/public keys and dhparams. Otherwise the keys can more easily be compromised. And you should as much as possible avoid generating keys on virtual machines, as the random data on those machines can often be weaker.
These are a few of the papers on this topic:

<http://www.isoc.org/isoc/conferences/ndss/10/pdf/15.pdf>
<harvey.binghamton.edu/~ychen/chen-kerrigan.pdf>
<http://www.ieee-security.org/TC/SP2014/papers/Not-So-RandomNumbersinVirtualizedLinuxandtheWhirlwindRNG.pdf>

--
kind regards,

David Sommerseth

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
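As an added illustration of the defender-side checks that the "p's and q's" line of work cited in the thread motivates (this is example code written for this page, not code from the thread, from OpenVPN or from OpenSSL): validating a DH group as a safe prime with a usable generator, and validating a peer's public value so that small-subgroup values are rejected before the shared secret is derived. The parameters p = 23, g = 5 are constructed toy values, far too small for real use; real dhparams are 2048 bits or more.

```python
import random

def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin primality test (probabilistic, error < 4**-rounds)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def check_dh_group(p: int, g: int, min_bits: int = 2048) -> list:
    """Return the problems found with a DH group (empty list = acceptable)."""
    problems = []
    if p.bit_length() < min_bits:
        problems.append(f"modulus is only {p.bit_length()} bits")
    if not is_probable_prime(p):
        return problems + ["p is not prime"]
    if not is_probable_prime((p - 1) // 2):
        return problems + ["p is not a safe prime, (p-1)/2 is composite"]
    # For a safe prime every element other than 1 and p-1 has order q or 2q,
    # so the generator only has to avoid the two trivial subgroups.
    if not 1 < g < p - 1:
        problems.append("generator g is 1 or p-1 (order 1 or 2)")
    return problems

def check_peer_public(p: int, y: int) -> bool:
    """Full public-value validation for a safe prime p (NIST SP 800-56A style):
    y must lie in (1, p-1) and in the order-q or order-2q subgroup."""
    q = (p - 1) // 2
    return 1 < y < p - 1 and pow(y, q, p) in (1, p - 1)

# Constructed toy parameters (far too small for real use; they only make the
# checks readable): p = 23 is a safe prime (q = 11), g = 5 is a primitive root.
TOY_P, TOY_G = 23, 5
```

Run against the toy group, the only complaint is the modulus size; a prime that is not a safe prime, or a public value such as p-1 that lives in the order-2 subgroup, is rejected outright. The randomness quality David raises is a separate concern that no parameter check can detect.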