Multi key support and management available

[Staff 9950]

Hello!

 

We're very glad to announce that a new option has been added in your account "Client Area". You will find a menu item labeled "Devices / Keys".
 
The "Devices / Keys" tab provides you with access to a new panel to administer your client certificate/key pairs. The panel lets you use a new multi-key support from AirVPN, a comfortable and convenient feature. From now on, you will be able to have multiple keys, renew them and issue completely new keys. From each device of yours you will be free to use any key you like.
 
Therefore you can keep all of your keys under control, administer them and also connect multiple devices to the same server and port by using a different key on each device. Eddie 2.13.6 (current stable release) already implements in the Overview window a menu which will let you choose a key before you start a connection. It will appear automagically when you create a new key from your account control panel.
 
The Configuration Generator has been modified as well, to let you generate configuration files with the certificate/key pair you wish.

 

Let's see in details how to use the "Devices/Keys" options.

• Device Name and Description: this is a free name or description that you can associate to any key for your comfort.
• Columns Type, Creation date, Last renew date and Last VPN connection are informative.
• Renew: this is an action button. When you click it, the corresponding certificate/key pair will be revoked, and new ones will be issued.
• Delete: this action button will revoke the corresponding certificate, without issuing a new one.
• Add a new key: this action button will create a totally new certificate/key pair which will be added without revoking or renewing any pre-existing key.
• View history will toggle with View Active to provide you with any relevant information on the history of your actions about keys and the current active list. 

 

Some caution when using these new features:

• if you revoke or renew a certificate/key which is being used by some connected device, that device will soon be disconnected
• in Eddie, you will need to log your account out and then in again to force Eddie to pick a different key (new or old)

 

Kind regards and datalove
AirVPN Staff

[go558a83nk 362]

Interesting.  The new keys are SHA512, not SHA1.

[DarkSpace-Harbinger 11]

Great work as always team

[Flx 76]

How do you change the Connection Type from sha512 to sha1 and vice-versa?

[Flx 76]

Connection is set by default to sha512...hhhmmmm

[Staff 9950]

How do you change the Connection Type from sha512 to sha1 and vice-versa?

 

Hello!

 

You can't change the integrity message digest: in the relevant phase, with the new certificate-key pairs, it will be always SHA512, not SHA1. Cipher is 4096 bit RSA as usual.

 

Kind regards

[Guest]

 

How do you change the Connection Type from sha512 to sha1 and vice-versa?

 

Hello!

 

You can't change the integrity message digest: in the relevant phase, with the new certificate-key pairs, it will be always SHA512, not SHA1. Cipher is 4096 bit RSA as usual.

 

Kind regards

 

So i assume this has to change from the main website page now that the keys are sha512?

 

Stay protected with the security offered by high level encryption: 4096 bit RSA keys size, AES-256-CBC Data Channel, HMAC SHA1 Control Channel

[Staff 9950]

So i assume this has to change from the main website page now that the keys are sha512?

 

 

Stay protected with the security offered by high level encryption: 4096 bit RSA keys size, AES-256-CBC Data Channel, HMAC SHA1 Control Channel

 

Hello!

 

Not exactly, since the Control Channel of OpenVPN maintains HMAC SHA1 available as digest (HMAC SHA384 is available as well, starting from some version of OpenVPN). New Data Channel ciphers will be available as well. All the changes will be fully applied after IPv6 testing is over (internal testing is over and successful, public testing on at least one server will start in the very near future).

 

A new https://airvpn.org/specs page will clarify all the new supported modes in due time.

 

Kind regards

[rickjames 106]

This is effing incredible, thank you!

[ventilaar 0]

.

[calcu007 5]

Where is the option to chose keys in Eddie Client? I dont see it

[Staff 9950]

Where is the option to chose keys in Eddie Client? I dont see it

 

Hello!

 

First, please make sure that you run version 2.13.6 (check in "AirVPN" > "About" your version and upgrade if necessary). Then, from the main window, log your account out and log it in again. You should see (before you start a connection) a combo box "Device:", which will let you pick the keys you generated (the description you picked will be shown).

 

Kind regards

[Flx 76]

Connection is set by default to sha512...hhhmmmm

Connection Type is set to sha512...but you don't explain it very well in your Details.

From each device of yours you will be free to use any key you like.

Many here thought that you updated to SHA2. Well that is the way many would think.

So that all on the client side can use SHA1 or SHA2.

[OmniNegro 155]

HMAC SHA1 is a totally different thing than SHA1 by itself. And I seriously doubt anyone can actually come up with any use where HMAC SHA1 is less than 512 bits of assurance that the data you receive and/or send is not intact and unchanged.

https://en.wikipedia.org/wiki/Hash-based_message_authentication_code

 

And keep in mind that in binary, to double the possible uses of a value, you need to add exactly one single bit. So 512 bits is a massive number. I would guess this huge number is used to make timing attacks useless.

 

Just last year, Google managed to do the unthinkable and managed a collision attack against a single 160 bit SHA-1 key. They never gave any details on how long it took in special conditions to make this happen, and I doubt they could ever do this to a distant IP due to the lag.

https://en.wikipedia.org/wiki/SHA-1

https://en.wikipedia.org/wiki/Secure_Hash_Algorithms

 

If the keys in question exceed 160 bits, then they can only be SHA-2 or SHA-3.

[Fly AirVPN 12]

I deleted the SHA1 Default key. Will it be recreated if all SHA512 custom keys are deleted? I'm curious because a member might like to go back to only one Default key.

[Staff 9950]

 

Connection is set by default to sha512...hhhmmmm

Connection Type is set to sha512...but you don't explain it very well in your Details.

>>From each device of yours you will be free to use any key you like.

Many here thought that you updated to SHA2. Well that is the way many would think.

 

Hello!

 

Yes, and that's correct. SHA2 is now the exclusive algorithm to generate the self-signed certificates (both on client and server side).

 

So that all on the client side can use SHA1 or SHA2.

 

No, any new pair will no more be generated with SHA1.

 

Note (just in case some confusion is arising here) that the digest HMAC SHA1 for the OpenVPN channels packet authentication remains and will remain available: we have not and will not break compatibility with old OpenVPN versions. By the way, this is a separate topic, since HMAC SHA2 (specifically HMAC SHA384) has been available since a couple of years ago as a digest for the Control Channel (provided that you were running OpenVPN 2.3.3 or higher).

 

Kind regards

[Fly AirVPN 12]

I deleted the SHA1 Default key. Will it be recreated if all SHA512 custom keys are deleted? I'm curious because a member might like to go back to only one Default key.

 

Is there an answer for this question?

[go558a83nk 362]

 

I deleted the SHA1 Default key. Will it be recreated if all SHA512 custom keys are deleted? I'm curious because a member might like to go back to only one Default key.

 

Is there an answer for this question?

 

if you want only one key then have only 1 key.  if you have only one key it'll be the default. 

[Krugin 4]

Great feature, thank you very much!

[6V3T8Z35t4KVP1aRtR8i 1]

Not sure what happened, but my speeds and connection reliability have drastically increased since providing each of my devices with a unique key. Not to mention I can connect multiple clients to the same server and port (without having to play the port management game). My guess is there's a technical reason behind this, and I'm curious if anyone can tell me more.

 

Either way, thanks for prioritizing this great feature, it's been a long time coming.

[Clodo 173]

Where is the option to chose keys in Eddie Client? I dont see it

Note: Eddie will NOT show the keys combobox if there is only one device/key that can be selected. For this reason the majority of users that still have the "Default" key don't see the combobox.

[calcu007 5]

I deleted all keys and now it dont allow me to create a new one.

[deltaman8 3]

"Add new key" is not working for me (Clicking it results in a blank page).

Also a graphical glitch in Firefox for Mac: When you completely delete the description of a key, the blue pencil also disappears.

 

EDIT: Creating a new key is now working. Thanks!

[dougxd 0]

The config generator page isn’t loading in iOS browsers. Just blank. Gonna fetch fresh profiles on my pc instead. Just FYI.

 

**EDIT: 

Not loading on my PC either.  Just a blank page...hmmm.  I see others having the trouble in other thread.  Oh well, patience, grasshopper.

Edited ... by dougxd

[frk1337 3]

Thank you!!! SHA512 and multipe devices on the same server and port...