From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] OpenVPN: Introduce new AES-GCM cipher for N2N and RW
Date: Thu, 15 Feb 2018 10:59:30 +0000
Message-ID: <1518692370.15001.39.camel@ipfire.org>
In-Reply-To: <1518674944.19288.46.camel@ipfire.org>

Hi,

On Thu, 2018-02-15 at 07:09 +0100, ummeegge wrote:
> Hi,
> and thanks for your feedback.
>
> On Wednesday, 14.02.2018, 20:23 +0000, Michael Tremer wrote:
> > Hi,
> >
> > On Wed, 2018-02-14 at 20:11 +0100, ummeegge wrote:
> > >
> > > As a version 3 idea,
> > > or might it possibly be a better idea to delete the '--auth *'
> > > directive in N2N.conf if AES-GCM has been chosen? I think it might
> > > also be better to integrate '--tls-crypt' -->
> > > https://www.mail-archive.com/openvpn-devel(a)lists.sourceforge.net/msg12357.html
> >
> > I do not get any of those arguments in that email. I find that highly
> > useless for a legitimate use of VPNs.
> >
>
> Not sure what you exactly mean with 'useless'?

I thought some of that is a bit esoteric cryptography. Hiding the TLS
connection makes sense when you are in China behind the big state-run
firewall, but that is about it.

I mean I am not against it, but this is pretty useless and probably only
creates many confusing configuration options for the average user.

> Just to clarify, --auth HMAC is also used by --tls-auth which serves a
> separate layer of authentication protection for the control channel (to
> mitigate DoS attacks and attacks on the TLS stack).
>
> --tls-crypt is a new feature in v2.4 which not only authenticates (like
> --tls-auth does), but also encrypts the TLS control channel (more
> privacy) but uses AES-256-CTR instead of the --auth HMAC (also called
> "poor-man's" post-quantum security).

I am never a fan of non-standard cryptography. Has this been properly
peer-reviewed?

> Both options are currently not available for N2N but may be in the
> future. So I thought it might be better to delete the '--auth HMAC'
> directive in N2N.conf if GCM has been selected. GCM already has the
> authentication built in.
>
> > >
> > > instead of '--tls-auth' to N2N connections which uses a static
> > > AES-256-CTR whereby a HMAC can not be selected?
> >
> > The counter mode does not provide authentication like GCM does.
> >
>
> Sure, CTR is different to GCM, but according to the OpenVPN-2.4 manpage
> --> https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
> (under '--tls-crypt keyfile') it encrypts but also authenticates.

So this is basically using a static key and then running the TLS
connection through it? Usually there will be a DH key exchange and a
classic TLS connection.

And who wants to use CTR mode when you can have GCM? This can only be to
speed things up a bit because messages are now being encrypted twice.

> Logs from testing with --tls-crypt, AES-GCM for N2N looked like this:
>
> Apr 7 16:59:58 ipfire UE2n2n[1530]: disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
> Apr 7 16:59:58 ipfire UE2n2n[1530]: OpenVPN 2.4.1 i586-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 5 2017
>
> ...
>
> Apr 7 16:59:58 ipfire UE2n2n[1531]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
> Apr 7 16:59:58 ipfire UE2n2n[1531]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
> Apr 7 16:59:58 ipfire UE2n2n[1531]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
> Apr 7 16:59:58 ipfire UE2n2n[1531]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
>
> ...
>
> Apr 7 17:00:04 ipfire UE2n2n[1531]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
> Apr 7 17:00:04 ipfire UE2n2n[1531]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
> Apr 7 17:00:04 ipfire UE2n2n[1531]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 8192 bit RSA
> Apr 7 17:00:04 ipfire UE2n2n[1531]: [xxx.xxx-gateway.de] Peer Connection Initiated with [AF_INET]91.192.xxx.xxx:61000
> Apr 7 17:00:05 ipfire UE2n2n[1531]: Initialization Sequence Completed
>
>
> So I would kind of prepare this a little for a potential future
> (deleting --auth from N2N.conf if GCM is used), but if there is a
> decision in the future to use --tls-auth, the HMAC selection makes
> sense even if we use GCM. But since --tls-crypt uses only AES-256-CTR,
> the HMAC selection is useless if GCM has been chosen.

Let's focus on things that are useful for the average user first. I think
--tls-auth does not add anything extra when using GCM, but it doesn't harm
anyone either.

The --tls-crypt is something that should never be enabled by default. But
if you want to have it, add it.

>
> Sorry for the longer term thinking and possible confusions.
>
> Greetings,
>
> Erik
>
>
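The thread above turns on which directive is actually doing the authenticating once AES-GCM is selected, and whether 'auth' in N2N.conf becomes dead weight. The following is an added example for this discussion, not code from IPFire, the patch, or OpenVPN. It is a small static audit that reads an OpenVPN 2.4 configuration and reports what protects the data channel and the control channel. The rules it encodes are taken from the OpenVPN 2.4 man page and the log excerpt above (an AEAD cipher such as AES-256-GCM ignores --auth on the data channel; --tls-auth uses the --auth digest; --tls-crypt is fixed to AES-256-CTR + HMAC-SHA256 and ignores --auth; the two wrappers are mutually exclusive). The three sample N2N configurations and the key file name ta.key are constructed for illustration; they are not IPFire's real templates.

```python
"""Static audit of which OpenVPN 2.4 directive authenticates each channel.

Added example for this thread, not IPFire's or OpenVPN's own code.
Rules assumed, from the OpenVPN 2.4 man page and the log excerpt above:
  * an AEAD data-channel cipher (AES-*-GCM) carries its own authentication
    tag, so --auth is ignored for the data channel;
  * --tls-auth wraps control-channel packets in an HMAC built from the
    --auth digest (SHA1 when --auth is absent);
  * --tls-crypt always uses AES-256-CTR + HMAC-SHA256 and ignores --auth;
  * --tls-auth and --tls-crypt are mutually exclusive.
Sample configurations below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List

DEFAULT_CIPHER = "BF-CBC"  # OpenVPN 2.4 default when --cipher is absent
DEFAULT_AUTH = "SHA1"      # OpenVPN 2.4 default when --auth is absent


@dataclass
class ChannelReport:
    data_channel: str
    control_channel: str
    auth_directive_used: bool        # does 'auth' still influence anything?
    notes: List[str] = field(default_factory=list)


def parse_config(text: str) -> Dict[str, List[str]]:
    """Minimal OpenVPN config parser: one directive per line, '#'/';' comments.
    Repeated directives are kept in order; the last one wins, as in OpenVPN."""
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, _, args = line.partition(" ")
        directives.setdefault(name, []).append(args.strip())
    return directives


def is_aead(cipher: str) -> bool:
    return cipher.upper().endswith("-GCM")


def audit(text: str) -> ChannelReport:
    d = parse_config(text)
    cipher = d.get("cipher", [DEFAULT_CIPHER])[-1]
    auth = d.get("auth", [DEFAULT_AUTH])[-1].upper()
    notes: List[str] = []

    # Data channel: AEAD ciphers authenticate by themselves.
    if is_aead(cipher):
        data = f"{cipher} (AEAD, authentication built in; --auth ignored)"
        data_uses_auth = False
    else:
        data = f"{cipher} + HMAC-{auth}"
        data_uses_auth = True

    # Control channel: which wrapper, if any, protects the TLS handshake.
    if "tls-crypt" in d and "tls-auth" in d:
        notes.append("tls-auth and tls-crypt are mutually exclusive; "
                     "OpenVPN will refuse this configuration")
    if "tls-crypt" in d:
        control = "TLS in AES-256-CTR + HMAC-SHA256 (fixed by --tls-crypt)"
        control_uses_auth = False
    elif "tls-auth" in d:
        control = f"TLS + HMAC-{auth} (--tls-auth)"
        control_uses_auth = True
    else:
        control = "plain TLS, no control-channel wrapper"
        control_uses_auth = False
        notes.append("control channel accepts packets from anyone; "
                     "consider --tls-auth or --tls-crypt")

    used = data_uses_auth or control_uses_auth
    if "auth" in d and not used:
        notes.append(f"'auth {auth}' has no effect here and can be dropped")
    return ChannelReport(data, control, used, notes)


# Constructed sample N2N configurations (illustrative, not IPFire's templates).
N2N_GCM_TLS_CRYPT = """
dev tun
proto udp
cipher AES-256-GCM
auth SHA512
tls-crypt ta.key
"""

N2N_GCM_TLS_AUTH = """
dev tun
proto udp
cipher AES-256-GCM
auth SHA512
tls-auth ta.key 0
"""

N2N_CBC_NO_WRAPPER = """
dev tun
proto udp
cipher AES-256-CBC
auth SHA512
"""

if __name__ == "__main__":
    for name, cfg in [("GCM + tls-crypt", N2N_GCM_TLS_CRYPT),
                      ("GCM + tls-auth", N2N_GCM_TLS_AUTH),
                      ("CBC, no wrapper", N2N_CBC_NO_WRAPPER)]:
        r = audit(cfg)
        print(f"{name}: data={r.data_channel}; control={r.control_channel}")
        for n in r.notes:
            print("  note:", n)
```

Running it over the three constructed configs shows the point both sides of the thread are circling: with AES-256-GCM and --tls-crypt the 'auth' line is dead, with AES-256-GCM and --tls-auth it still selects the control-channel HMAC, and with a CBC cipher it is what authenticates the data channel.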