Jump to content
Not connected, Your IP: 18.117.168.71
Staff

Multi key support and management available

Recommended Posts

Hello!

 

We're very glad to announce that a new option has been added in your account "Client Area". You will find a menu item labeled "Devices / Keys".
 
The "Devices / Keys" tab provides you with access to a new panel to administer your client certificate/key pairs. The panel lets you use a new multi-key support from AirVPN, a comfortable and convenient feature. From now on, you will be able to have multiple keys, renew them and issue completely new keys. From each device of yours you will be free to use any key you like.
 
Therefore you can keep all of your keys under control, administer them and also connect multiple devices to the same server and port by using a different key on each device. Eddie 2.13.6 (current stable release) already implements in the Overview window a menu which will let you choose a key before you start a connection. It will appear automagically when you create a new key from your account control panel.
 
The Configuration Generator has been modified as well, to let you generate configuration files with the certificate/key pair you wish.

 

Let's see in details how to use the "Devices/Keys" options.

  • Device Name and Description: this is a free name or description that you can associate to any key for your comfort.
  • Columns Type, Creation date, Last renew date and Last VPN connection are informative.
  • Renew: this is an action button. When you click it, the corresponding certificate/key pair will be revoked, and new ones will be issued.
  • Delete: this action button will revoke the corresponding certificate, without issuing a new one.
  • Add a new key: this action button will create a totally new certificate/key pair which will be added without revoking or renewing any pre-existing key.
  • View history will toggle with View Active to provide you with any relevant information on the history of your actions about keys and the current active list. 

 

Some caution when using these new features:

  • if you revoke or renew a certificate/key which is being used by some connected device, that device will soon be disconnected
  • in Eddie, you will need to log your account out and then in again to force Eddie to pick a different key (new or old)

 

Kind regards and datalove
AirVPN Staff

Share this post


Link to post

How do you change the Connection Type from sha512 to sha1 and vice-versa?

 

Hello!

 

You can't change the integrity message digest: in the relevant phase, with the new certificate-key pairs, it will be always SHA512, not SHA1. Cipher is 4096 bit RSA as usual.

 

Kind regards

Share this post


Link to post
Guest

 

How do you change the Connection Type from sha512 to sha1 and vice-versa?

 

Hello!

 

You can't change the integrity message digest: in the relevant phase, with the new certificate-key pairs, it will be always SHA512, not SHA1. Cipher is 4096 bit RSA as usual.

 

Kind regards

 

So i assume this has to change from the main website page now that the keys are sha512?

 

Stay protected with the security offered by high level encryption: 4096 bit RSA keys size, AES-256-CBC Data Channel, HMAC SHA1 Control Channel

Share this post


Link to post

So i assume this has to change from the main website page now that the keys are sha512?

 

 

Stay protected with the security offered by high level encryption: 4096 bit RSA keys size, AES-256-CBC Data Channel, HMAC SHA1 Control Channel

 

Hello!

 

Not exactly, since the Control Channel of OpenVPN maintains HMAC SHA1 available as digest (HMAC SHA384 is available as well, starting from some version of OpenVPN). New Data Channel ciphers will be available as well. All the changes will be fully applied after IPv6 testing is over (internal testing is over and successful, public testing on at least one server will start in the very near future).

 

A new https://airvpn.org/specs page will clarify all the new supported modes in due time.

 

Kind regards

Share this post


Link to post

Where is the option to chose keys in Eddie Client? I dont see it

 

Hello!

 

First, please make sure that you run version 2.13.6 (check in "AirVPN" > "About" your version and upgrade if necessary). Then, from the main window, log your account out and log it in again. You should see (before you start a connection) a combo box "Device:", which will let you pick the keys you generated (the description you picked will be shown).

 

Kind regards

Share this post


Link to post

Connection is set by default to sha512...hhhmmmm

Connection Type is set to sha512...but you don't explain it very well in your Details.

From each device of yours you will be free to use any key you like.

Many here thought that you updated to SHA2. Well that is the way many would think.

So that all on the client side can use SHA1 or SHA2.

Share this post


Link to post

HMAC SHA1 is a totally different thing than SHA1 by itself. And I seriously doubt anyone can actually come up with any use where HMAC SHA1 is less than 512 bits of assurance that the data you receive and/or send is not intact and unchanged.

https://en.wikipedia.org/wiki/Hash-based_message_authentication_code

 

And keep in mind that in binary, to double the possible uses of a value, you need to add exactly one single bit. So 512 bits is a massive number. I would guess this huge number is used to make timing attacks useless.

 

Just last year, Google managed to do the unthinkable and managed a collision attack against a single 160 bit SHA-1 key. They never gave any details on how long it took in special conditions to make this happen, and I doubt they could ever do this to a distant IP due to the lag.

https://en.wikipedia.org/wiki/SHA-1

https://en.wikipedia.org/wiki/Secure_Hash_Algorithms

 

If the keys in question exceed 160 bits, then they can only be SHA-2 or SHA-3.


Debugging is at least twice as hard as writing the program in the first place.

So if you write your code as clever as you can possibly make it, then by definition you are not smart enough to debug it.

Share this post


Link to post

I deleted the SHA1 Default key. Will it be recreated if all SHA512 custom keys are deleted? I'm curious because a member might like to go back to only one Default key.

Share this post


Link to post

 

Connection is set by default to sha512...hhhmmmm

Connection Type is set to sha512...but you don't explain it very well in your Details.

>>From each device of yours you will be free to use any key you like.

Many here thought that you updated to SHA2. Well that is the way many would think.

 

Hello!

 

Yes, and that's correct. SHA2 is now the exclusive algorithm to generate the self-signed certificates (both on client and server side).

 

So that all on the client side can use SHA1 or SHA2.

 

No, any new pair will no more be generated with SHA1.

 

Note (just in case some confusion is arising here) that the digest HMAC SHA1 for the OpenVPN channels packet authentication remains and will remain available: we have not and will not break compatibility with old OpenVPN versions. By the way, this is a separate topic, since HMAC SHA2 (specifically HMAC SHA384) has been available since a couple of years ago as a digest for the Control Channel (provided that you were running OpenVPN 2.3.3 or higher).

 

Kind regards

Share this post


Link to post

I deleted the SHA1 Default key. Will it be recreated if all SHA512 custom keys are deleted? I'm curious because a member might like to go back to only one Default key.

 

Is there an answer for this question?

Share this post


Link to post

 

I deleted the SHA1 Default key. Will it be recreated if all SHA512 custom keys are deleted? I'm curious because a member might like to go back to only one Default key.

 

Is there an answer for this question?

 

if you want only one key then have only 1 key.  if you have only one key it'll be the default. 

Share this post


Link to post

Not sure what happened, but my speeds and connection reliability have drastically increased since providing each of my devices with a unique key. Not to mention I can connect multiple clients to the same server and port (without having to play the port management game). My guess is there's a technical reason behind this, and I'm curious if anyone can tell me more.

 

Either way, thanks for prioritizing this great feature, it's been a long time coming.

Share this post


Link to post

Where is the option to chose keys in Eddie Client? I dont see it

Note: Eddie will NOT show the keys combobox if there is only one device/key that can be selected. For this reason the majority of users that still have the "Default" key don't see the combobox.

Share this post


Link to post

"Add new key" is not working for me (Clicking it results in a blank page).

Also a graphical glitch in Firefox for Mac: When you completely delete the description of a key, the blue pencil also disappears.

 

EDIT: Creating a new key is now working. Thanks!

Share this post


Link to post
Posted ... (edited)

The config generator page isn’t loading in iOS browsers. Just blank. Gonna fetch fresh profiles on my pc instead. Just FYI.

 

**EDIT: 

Not loading on my PC either.  Just a blank page...hmmm.  I see others having the trouble in other thread.  Oh well, patience, grasshopper.

Edited ... by dougxd

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...