Hi,

On 24-09-14 11:21, David Sommerseth wrote:
> On 24/09/14 10:26, David Sommerseth wrote:
>> On 24/09/14 10:15, Gert Doering wrote:
>>>> But to get to the point, that if I setup openvpn on my
>>>> droplet and let's say an evil admin sniffing my traffic for 3
>>>> months with tcpdump then decides to decrypt that traffic what
>>>> tools does he have (if any) to do this? At this point he has
>>>> a pcap file and the openvpn server certificates and keys.
> 
>>> Now that is easy - OpenVPN does PFS, so the stored keys won't 
>>> help decrypt sniffed session traffic.
> 
>> If an attacker has sniffed the complete handshake and is in 
>> possession of the keys, I believe it is a theoretical
>> possibility to compromise the key exchange handshake.  Which
>> again gives you the access to the tunnel data.  If the attacker
>> in addition has access to client keys, then this process goes
>> even faster.  But it is correct that you don't get the raw key
>> out of the handshake.
> 
> Gert and I have had a private discussion regarding if it is
> possible or not to break the session key.  We both agree that it's
> not an easy task, and capturing data + having the key material
> alone isn't enough to break the session key.

I agree, OpenVPN does offer forward secrecy. At least when the setup
uses TLS-mode (like the howto of digitalocean the OP referred to).

Let me elaborate a bit. OpenVPN can run in two modes:
1. Static key mode (using '--secret <file>'). This uses a pre-shared
static key, which is not rotated at all. An attacker with that key and
a pcap can decrypt all traffic since the last time you (manually)
rotated the key. Unless you know what you're doing and have good
reasons to use it, do not use this mode.

2. Dynamic key mode. This uses TLS to set up a secure channel over
which the actual data encryption keys are exchanged. This mode
protects you as much as TLS does. By default, OpenVPN connections use
a dynamic key exchange, like (Ephemeral) Diffie-Hellman or - for older
versions - Ephemeral RSA. The TLS session keys will then exist at most
(1) between two session negotiations for ephemeral DH, (2) for an
OpenVPN connection for non-ephemeral DH or (3) for the OpenVPN process
lifetime for ephemeral RSA.

For a scenario like the OP describes (pcap + current memory dump), the
attacker can only decrypt traffic for which the current in-memory key
has been used (see above).

Note that this scenario restricts the attacker to be passive (i.e.
just traffic / memory dumps). An active attacker could use a
man-in-the-middle position to attack the cryptographic handshake or
implementation, like David describes. That however does not enable her
to 'go back in time' further than the validity of the keys used during
the attack. Traditionally, we recommend to use OpenVPN's tls-auth
feature as an extra layer of protection against man-in-the-middle
attacks. In this scenario however, the attacker already has access to
the tls-auth keys, so that won't help you here. (Still, use tls-auth,
it protects you from a lot of other bad stuff.)

This ended up as more text than I intended. I hope it clarifies more
than it confuses ;)

-Steffan

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
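
Added example, not part of the message above or of OpenVPN's own code: a small Python check that classifies an OpenVPN config as static key mode or TLS mode, the distinction the message draws for what a stored pcap plus leaked keys exposes, and flags a missing tls-auth. The sample configs, file names and finding strings are constructed; `reneg-sec` and `tls-crypt` are real OpenVPN directives that the thread does not mention, and inline `<ca>`-style blocks are not handled.

```python
import shlex

# Constructed sample configs (not taken from the thread).
STATIC_CONF = "dev tun\nremote vpn.example.net 1194\nsecret static.key\n"
TLS_CONF = """\
# constructed server config
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-server
tls-auth ta.key 0
"""

def parse(text):
    """Return {directive: [args]} for an OpenVPN config, skipping # and ; comments."""
    opts = {}
    for line in text.splitlines():
        if line.lstrip().startswith(";"):
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            opts[parts[0].lstrip("-")] = parts[1:]
    return opts

def audit(text):
    """Classify the key mode and list findings relevant to later decryption."""
    o = parse(text)
    findings = []
    # 'client' and 'server' are helper directives that imply a TLS role.
    tls = any(k in o for k in ("tls-server", "tls-client", "client", "server"))
    if "secret" in o and not tls:
        mode = "static"
        findings.append("static key mode: key + pcap decrypts all traffic "
                        "since the last manual key rotation")
    elif tls:
        mode = "tls"
        # tls-crypt (OpenVPN 2.4+) is accepted as an alternative to tls-auth.
        if "tls-auth" not in o and "tls-crypt" not in o:
            findings.append("tls-auth not set: extra man-in-the-middle protection missing")
        # reneg-sec defaults to 3600 seconds; 0 disables the timer.
        if int(o.get("reneg-sec", ["3600"])[0]) == 0:
            findings.append("reneg-sec 0: time-based key renegotiation disabled")
    else:
        mode = "unknown"
        findings.append("neither --secret nor a TLS role directive found")
    return mode, findings
```
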
