dwright

New NSA docs about VPNs


Hello!


The short answer is no, because according to the document the exploit, in order to succeed in decrypting the Data Channel of the VPN users, needs old IKE (as in a basic IPsec implementation), or at least a VPN which implements a static key which is also used as the key to encrypt the Data Channel (without PFS). While these conditions can be met by several VPN services for consumers or even company VPNs around the world, it's not our case.


It's even easier in the case of VoIP based on H.323, according to a comment on an article here https://www.schneier.com/blog/archives/2014/03/how_the_nsa_exp.html#comments :


H.323 traffic can easily be decrypted when you act as a man-in-the-middle as the HAMMERSTEIN component does on page 4 of the slides. It's because virtually all vendors skip the (TLS) encryption of the signaling channel and the Diffie-Hellman keys are unprotected.

See my analysis of H.323 encryption on http://www.gnugk.org/h323-encryption.html


To say the same thing in different words, according to the document it seems that the attack can hope to succeed only if a non-ephemeral key exchange is employed by the VPN, which is not the case for a correctly configured OpenVPN system.


However, we are looking forward to more analysis from security teams around the world; there are some vague steps in the document which need to be explained/interpreted.


Kind regards
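As an added example (not part of the post above, and not AirVPN's or OpenVPN's own code), the following Python audit flags the two OpenVPN configuration conditions the reply singles out: static-key mode (the `secret` directive, where one long-lived key encrypts the data channel with no PFS) and an explicit `tls-cipher` list that admits suites without ephemeral Diffie-Hellman. The sample configs and the hostname vpn.example.invalid are constructed for the example.

```python
"""Audit OpenVPN config text for the no-PFS conditions the post describes."""
import re

# Constructed sample configs (not from any real deployment).
STATIC_KEY_CONF = """
dev tun
proto udp
remote vpn.example.invalid 1194
# static pre-shared key mode: one long-lived key encrypts the data channel
secret static.key
cipher AES-256-CBC
"""

TLS_PFS_CONF = """
client
dev tun
proto udp
remote vpn.example.invalid 443
tls-client
ca ca.crt
cert client.crt
key client.key
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
"""

def parse_directives(conf_text):
    """Return (directive, args) tuples, skipping '#'/';' comments and blank lines."""
    out = []
    for line in conf_text.splitlines():
        line = re.split(r"[#;]", line, 1)[0].strip()
        if line:
            parts = line.split()
            out.append((parts[0], parts[1:]))
    return out

def audit_pfs(conf_text):
    """Return a list of findings; an empty list means no PFS weakness was found."""
    findings = []
    directives = parse_directives(conf_text)
    # 'secret' selects static-key mode: no TLS handshake, so no ephemeral keys.
    if any(d == "secret" for d, _ in directives):
        findings.append("static key mode ('secret'): data channel key is long-lived, no PFS")
    for d, args in directives:
        if d == "tls-cipher" and args:
            for suite in args[0].split(":"):
                # Suites without DHE/ECDHE use RSA key transport: no forward secrecy.
                if not re.search(r"-(EC)?DHE-", suite):
                    findings.append(f"non-ephemeral TLS suite allowed: {suite}")
    return findings
```

Note that the audit only inspects explicit directives; a config with no `tls-cipher` line inherits the OpenVPN build's default suite list, which this check does not evaluate.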
