Multi key support and management available


24 replies to this topic

#1 Staff


Posted 15 January 2018 - 10:27 PM

Hello!

 

We're very glad to announce that a new option has been added in your account "Client Area". You will find a menu item labeled "Devices / Keys".
 
The "Devices / Keys" tab provides you with access to a new panel to administer your client certificate/key pairs. The panel lets you use a new multi-key support from AirVPN, a comfortable and convenient feature. From now on, you will be able to have multiple keys, renew them and issue completely new keys. From each device of yours you will be free to use any key you like.
 
Therefore you can keep all of your keys under control, administer them and also connect multiple devices to the same server and port by using a different key on each device. Eddie 2.13.6 (current stable release) already implements in the Overview window a menu which will let you choose a key before you start a connection. It will appear automagically when you create a new key from your account control panel.
 
The Configuration Generator has been modified as well, to let you generate configuration files with the certificate/key pair you wish.

 

Let's see in detail how to use the "Devices/Keys" options.

  • Device Name and Description: this is a free name or description that you can associate to any key for your comfort.
  • Columns Type, Creation date, Last renew date and Last VPN connection are informative.
  • Renew: this is an action button. When you click it, the corresponding certificate/key pair will be revoked, and new ones will be issued.
  • Delete: this action button will revoke the corresponding certificate, without issuing a new one.
  • Add a new key: this action button will create a totally new certificate/key pair which will be added without revoking or renewing any pre-existing key.
  • View history will toggle with View Active to provide you with any relevant information on the history of your actions about keys and the current active list. 

 

Some caution when using these new features:

  • if you revoke or renew a certificate/key which is being used by some connected device, that device will soon be disconnected
  • in Eddie, you will need to log your account out and then in again to force Eddie to pick a different key (new or old)

 

Kind regards and datalove
AirVPN Staff



#2 go558a83nk


Posted 16 January 2018 - 01:53 AM

Interesting.  The new keys are SHA512, not SHA1. :)



#3 DarkSpace-Harbinger


Posted 16 January 2018 - 02:22 AM

Great work as always team :)



#4 Flx


Posted 16 January 2018 - 09:18 AM

How do you change the Connection Type from sha512 to sha1 and vice-versa?


Windows 10 breaking your VPN/TAP adapter(s) ----Guide-How-To Fix it----


#5 Flx


Posted 16 January 2018 - 10:57 AM

Connection is set by default to sha512...hhhmmmm




#6 Staff


Posted 16 January 2018 - 11:14 AM

> How do you change the Connection Type from sha512 to sha1 and vice-versa?

 

Hello!

 

You can't change the integrity message digest: in the relevant phase, with the new certificate-key pairs, it will always be SHA512, not SHA1. Cipher is 4096 bit RSA as usual.

 

Kind regards



#7 5YmkoLQZ


Posted 16 January 2018 - 11:40 AM

> > How do you change the Connection Type from sha512 to sha1 and vice-versa?
>
> Hello!
>
> You can't change the integrity message digest: in the relevant phase, with the new certificate-key pairs, it will always be SHA512, not SHA1. Cipher is 4096 bit RSA as usual.
>
> Kind regards

So I assume this has to change from the main website page now that the keys are sha512?

 

Stay protected with the security offered by high level encryption: 4096 bit RSA keys size, AES-256-CBC Data Channel, HMAC SHA1 Control Channel



#8 Staff


Posted 16 January 2018 - 11:59 AM

> So I assume this has to change from the main website page now that the keys are sha512?
>
> Stay protected with the security offered by high level encryption: 4096 bit RSA keys size, AES-256-CBC Data Channel, HMAC SHA1 Control Channel

 

Hello!

 

Not exactly, since the Control Channel of OpenVPN maintains HMAC SHA1 available as digest (HMAC SHA384 is available as well, starting from some version of OpenVPN). New Data Channel ciphers will be available as well. All the changes will be fully applied after IPv6 testing is over (internal testing is over and successful, public testing on at least one server will start in the very near future).

 

A new https://airvpn.org/specs page will clarify all the new supported modes in due time.

 

Kind regards



#9 rickjames


Posted 16 January 2018 - 06:09 PM

This is effing incredible, thank you!

#10 ventilaar


Posted 16 January 2018 - 07:01 PM

This is so great, I already hit the 5 key limit.

Do you have any plans on two factor authentication protection for the accounts?

Great service, keep it up!



#11 calcu007


Posted 16 January 2018 - 08:33 PM

Where is the option to choose keys in Eddie Client? I don't see it



#12 Staff


Posted 16 January 2018 - 10:07 PM

> Where is the option to choose keys in Eddie Client? I don't see it

 
Hello!
 
First, please make sure that you run version 2.13.6 (check in "AirVPN" > "About" your version and upgrade if necessary). Then, from the main window, log your account out and log it in again. You should see (before you start a connection) a combo box "Device:", which will let you pick the keys you generated (the description you picked will be shown).
 
Kind regards

#13 Flx


Posted 17 January 2018 - 12:04 AM

Connection is set by default to sha512...hhhmmmm

Connection Type is set to sha512...but you don't explain it very well in your Details.

From each device of yours you will be free to use any key you like.

Many here thought that you updated to SHA2. Well that is the way many would think.

So that all on the client side can use SHA1 or SHA2.




#14 OmniNegro


Posted 17 January 2018 - 02:20 AM

HMAC SHA1 is a totally different thing than SHA1 by itself. And I seriously doubt anyone can actually come up with any use where HMAC SHA1 is less than 512 bits of assurance that the data you receive and/or send is not intact and unchanged.

https://en.wikipedia.org/wiki/Hash-based_message_authentication_code

 

And keep in mind that in binary, to double the possible uses of a value, you need to add exactly one single bit. So 512 bits is a massive number. I would guess this huge number is used to make timing attacks useless.

 

Just last year, Google managed to do the unthinkable and managed a collision attack against a single 160 bit SHA-1 key. They never gave any details on how long it took in special conditions to make this happen, and I doubt they could ever do this to a distant IP due to the lag.

https://en.wikipedia.org/wiki/SHA-1

https://en.wikipedia.org/wiki/Secure_Hash_Algorithms

 

If the keys in question exceed 160 bits, then they can only be SHA-2 or SHA-3.


Debugging is at least twice as hard as writing the program in the first place.

So if you write your code as clever as you can possibly make it, then by definition you are not smart enough to debug it.


#15 Fly AirVPN


Posted 17 January 2018 - 04:23 AM

I deleted the SHA1 Default key. Will it be recreated if all SHA512 custom keys are deleted? I'm curious because a member might like to go back to only one Default key.



#16 Staff


Posted 17 January 2018 - 11:43 AM

> Connection is set by default to sha512...hhhmmmm
>
> Connection Type is set to sha512...but you don't explain it very well in your Details.
>
> > From each device of yours you will be free to use any key you like.
>
> Many here thought that you updated to SHA2. Well that is the way many would think.

Hello!

Yes, and that's correct. SHA2 is now the exclusive algorithm to generate the self-signed certificates (both on client and server side).

> So that all on the client side can use SHA1 or SHA2.

No, any new pair will no longer be generated with SHA1.

 

Note (just in case some confusion is arising here) that the digest HMAC SHA1 for the OpenVPN channels packet authentication remains and will remain available: we have not and will not break compatibility with old OpenVPN versions. By the way, this is a separate topic, since HMAC SHA2 (specifically HMAC SHA384) has been available since a couple of years ago as a digest for the Control Channel (provided that you were running OpenVPN 2.3.3 or higher).

 

Kind regards
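
Added example (not part of the original thread, and not AirVPN or OpenVPN code): the two digests discussed above live in different places in a client configuration, the signature algorithm inside the certificate and the `auth` directive for the packet HMAC. This Python reads both from a config with an inline `<cert>` block; the sample config is a constructed DER skeleton, and `audit_ovpn` and `sample_config` are hypothetical names.

```python
import base64
import re

# sha*WithRSAEncryption OIDs (PKCS #1): the digest used to sign the certificate.
SIG_OIDS = {"1.2.840.113549.1.1.5": "SHA1", "1.2.840.113549.1.1.11": "SHA256",
            "1.2.840.113549.1.1.12": "SHA384", "1.2.840.113549.1.1.13": "SHA512"}

def _tlv(buf, pos):
    """Read one DER element at pos; return (value_start, value_end)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def _oid(raw):
    """Decode DER OID content bytes into dotted notation."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def cert_signature_digest(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    start, _ = _tlv(der, 0)             # enter the outer SEQUENCE
    _, tbs_end = _tlv(der, start)       # skip tbsCertificate
    alg_start, _ = _tlv(der, tbs_end)   # enter signatureAlgorithm
    oid = _oid(der[slice(*_tlv(der, alg_start))])
    return SIG_OIDS.get(oid, oid)

def audit_ovpn(text):
    """Return (cert signature digest, `auth` HMAC digest); OpenVPN defaults `auth` to SHA1."""
    pem = re.search(r"<cert>.*?-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    cert = cert_signature_digest(base64.b64decode("".join(pem.group(1).split()))) if pem else None
    auth = re.search(r"^[ \t]*auth[ \t]+(\S+)", text, re.M)
    return cert, (auth.group(1).upper() if auth else "SHA1")

def sample_config(sig_oid_hex, auth_line):
    """Constructed sample: a DER skeleton with an empty tbsCertificate, not a real certificate."""
    oid = bytes.fromhex(sig_oid_hex)
    alg = bytes([0x30, len(oid) + 4, 0x06, len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x01\x00"
    pem = base64.b64encode(bytes([0x30, len(body)]) + body).decode()
    return (f"client\n{auth_line}\n<cert>\n-----BEGIN CERTIFICATE-----\n"
            f"{pem}\n-----END CERTIFICATE-----\n</cert>\n")

print(audit_ovpn(sample_config("2a864886f70d01010d", "auth SHA1")))  # SHA512-signed cert, HMAC SHA1
```

The first element of the result changes only when a key pair is reissued; the second is a property of the tunnel configuration and is unaffected by renewing a key.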



#17 Fly AirVPN


Posted 21 January 2018 - 06:22 AM

> I deleted the SHA1 Default key. Will it be recreated if all SHA512 custom keys are deleted? I'm curious because a member might like to go back to only one Default key.

 

Is there an answer for this question?



#18 go558a83nk


Posted 21 January 2018 - 03:11 PM

> > I deleted the SHA1 Default key. Will it be recreated if all SHA512 custom keys are deleted? I'm curious because a member might like to go back to only one Default key.
>
> Is there an answer for this question?

If you want only one key then have only 1 key. If you have only one key it'll be the default.



#19 Krugin


Posted 22 January 2018 - 04:45 PM

Great feature, thank you very much!



#20 6V3T8Z35t4KVP1aRtR8i


Posted 23 January 2018 - 05:04 AM

Not sure what happened, but my speeds and connection reliability have drastically increased since providing each of my devices with a unique key. Not to mention I can connect multiple clients to the same server and port (without having to play the port management game). My guess is there's a technical reason behind this, and I'm curious if anyone can tell me more.

 

Either way, thanks for prioritizing this great feature, it's been a long time coming. :good:





