Jump to content
Not connected, Your IP: 18.118.226.167
Sign in to follow this  
JamesDean

XKeyscore

Recommended Posts

The newest article on the US NSA features a presentation that mentions VPN. I figured Air Staff may want to quell the panic

 

The presentation is from 2008, so they could have been talking about decrypting PPTP for all we know, but I found it interesting. I'm attaching the relevant slide as a screen grab.

 

 

 

 

 

Share this post


Link to post

Hello,

 

the unsolvable problem for NSA in this case is that our customers client keys for OpenVPN Data Channel encryption are re-negotiated at each new connection AND every 60 minutes (essentially the core of Perfect Forward Secrecy).

 

Customers can also lower the TLS re-keying interval on the client side.

 

Kind regards

Share this post


Link to post

How can I lower the re-keying interval? I just did a search and your reply above was the only result. I just looked at the config and didn't see where to change it.

 

Thanks,

 

JD

Share this post


Link to post

I'm all for a new Russia based server named "Snowden"

 

To your question,

That can not be used in a deterministic way in most countries, since VPNs are also very popular in corporate networks.

 

I guess that the NSA meaning here was to see all VPN communications in countries like Afghanistan or Iraq, where the internet is not very popular

and the usage of VPN can actually help detecting a source of communication.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

How can I lower the re-keying interval? I just did a search and your reply above was the only result. I just looked at the config and didn't see where to change it.

 

Thanks,

 

JD

 

https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage

 

I guess it would be "--reneg-sec n"? But the explanation says "set it to 0 on one side of the connection (to disable), and to your chosen value on the other side". Is it zero on the server side?

Share this post


Link to post

whichever uses the lower value will be the one to trigger the renegotiation.

 

Nice find. The server should be set to 3600, so anything lower on our end, should take precedent. I'll wait for staff to confirm, but I'm going to try it now. Thanks mate.

Share this post


Link to post

That was it. In windows, get rid of the two dashes. I set 15 minutes, and it re-keyed:

 

Wed Jul 31 18:48:53 2013 TLS: soft reset sec=0 bytes=2401419/0 pkts=3939/0
Wed Jul 31 18:48:54 2013 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Wed Jul 31 18:48:54 2013 VERIFY OK: nsCertType=SERVER
Wed Jul 31 18:48:54 2013 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
Wed Jul 31 18:48:56 2013 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Jul 31 18:48:56 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jul 31 18:48:56 2013 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Jul 31 18:48:56 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jul 31 18:48:56 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA

 

reneg-sec 900

Share this post


Link to post

@johndough

 

Yes. Just to explain more to the readers, the client, without any server co-operation, can either disable TLS renegotiation (NOT recommended at all) or set any TLS re-keying period NOT HIGHER than the server setting.  It's not possible that the client set a TLS re-negotiation (if active) to more than the time value set on the server.

 

Our servers are set to 60 minutes, so you can't have TLS re-negotiations higher than 60 minutes.

 

Kind regards

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image
Sign in to follow this  

×
×
  • Create New...