2000-09-17 19:57:39 +00:00
|
|
|
This is the security documentation for tinc, a Virtual Private Network daemon.
|
|
|
|
|
|
|
|
Copyright 2000 Guus Sliepen <guus@sliepen.warande.net>,
|
|
|
|
2000 Ivo Timmmermans <itimmermans@bigfoot.com>
|
|
|
|
|
|
|
|
Permission is granted to make and distribute verbatim copies of
|
|
|
|
this documentation provided the copyright notice and this
|
|
|
|
permission notice are preserved on all copies.
|
|
|
|
|
|
|
|
Permission is granted to copy and distribute modified versions of
|
|
|
|
this documentation under the conditions for verbatim copying,
|
|
|
|
provided that the entire resulting derived work is distributed
|
|
|
|
under the terms of a permission notice identical to this one.
|
|
|
|
|
2000-09-17 20:11:59 +00:00
|
|
|
$Id: SECURITY,v 1.1.2.2 2000/09/17 20:11:59 guus Exp $
|
2000-09-17 19:57:39 +00:00
|
|
|
|
|
|
|
|
|
|
|
1. Authentication
|
|
|
|
------------------
|
|
|
|
|
2000-09-17 20:11:59 +00:00
|
|
|
The authentication protocol (see protocol.c for the up-to-date version) is:
|
|
|
|
|
|
|
|
Client Server
|
|
|
|
send_id(u)
|
|
|
|
send_challenge(R)
|
|
|
|
send_chal_reply(H)
|
|
|
|
send_id(u)
|
|
|
|
send_challenge(R)
|
|
|
|
send_chal_reply(H)
|
|
|
|
---------------------------------------
|
|
|
|
Any negotations about the meta protocol
|
|
|
|
encryption go here(u).
|
|
|
|
---------------------------------------
|
|
|
|
send_ack(u)
|
|
|
|
send_ack(u)
|
|
|
|
---------------------------------------
|
|
|
|
Other requests(E)...
|
|
|
|
|
|
|
|
(u) Unencrypted,
|
|
|
|
(R) RSA,
|
|
|
|
(H) SHA1,
|
|
|
|
(E) Encrypted with symmetric cipher.
|
|
|
|
|
2000-09-17 19:57:39 +00:00
|
|
|
Authentication in tinc will be done in a way that is very similar to the way
|
|
|
|
the SSH (Secure SHell) authentication protocol works. It is based on public
|
|
|
|
key cryptography.
|
|
|
|
|
|
|
|
Every tinc host has it's own public/private key pair. Suppose there are two
|
|
|
|
tinc hosts, A and B. If A and B trust each other, they store a copy of
|
|
|
|
eachothers public key (in the same way passphrases were stored in versions
|
|
|
|
of tinc <= 1.0pre2). They know these public keys beforehand, and the origin
|
|
|
|
of the public keys has to be known for sure.
|
|
|
|
|
|
|
|
To make sure that when a connection is made from A to B that B knows A is
|
|
|
|
really who he claims to be, B encrypts a totally random string of bytes with
|
|
|
|
A's public key. B also calculates the hash value from the unencrypted random
|
|
|
|
string. B then sends the encrypted string to A. A then has to decrypt the
|
|
|
|
string, calculate the hash value from that string and send it back to B. Since
|
|
|
|
only he who possesses A's private key can decrypt this string, only he can send
|
|
|
|
back the correct hash value. So, if B receives the same hash value he
|
|
|
|
calculated himself, he knows for sure A is A.
|
|
|
|
|
|
|
|
Both SSH and tinc use RSA for the public key cryptography. SSH uses MD5 as a
|
|
|
|
secure hash algorithm, tinc uses SHA1. The reason for our choice of SHA1 is
|
|
|
|
the fact that SHA1 is 160 bits instead of 128 (MD5), which makes brute force
|
|
|
|
attacks harder. Also, the OpenSSL documentation recommends SHA1.
|
|
|
|
|
|
|
|
2. Key exchange
|
|
|
|
----------------
|
|
|
|
|
|
|
|
The rest of the meta connection in tinc will be encrypted with a symmetric
|
|
|
|
block cipher, since RSA is not really suited for this. When a connection is
|
|
|
|
made, both sides have to agree on a key for this block cipher. To make sure
|
|
|
|
that this key exchange is also done securely, and no man-in-the-middle attack
|
|
|
|
is possible, RSA would be the best choice for exchanging keys.
|
|
|
|
|
|
|
|
Instead of doing RSA encryption again, tinc will use a part of the random
|
|
|
|
string that was exchanged during the authentication phase as the key for the
|
|
|
|
symmetric cipher. Some symmetric ciphers require a random initialisation vector
|
|
|
|
for improved security. This vector can be taken from the random string as well.
|
|
|
|
|
|
|
|
Is this secure? I (Guus Sliepen) think at this moment that it is:
|
|
|
|
|
|
|
|
- Since the random string cannot be decrypted by anyone eavesdropping or
|
|
|
|
playing man-in-the-middle, the symmetric key cannot be known by sniffing.
|
|
|
|
- The unencrypted returned hash value is supposed to be cryptographically
|
|
|
|
secure. Furthermore, it can only at most give a way 160 bits of information
|
|
|
|
from the complete random string which is longer than the key for the
|
|
|
|
symmetric cipher, so very few bits will actualy contain information about
|
|
|
|
the symmetric cipher key alone, if any.
|
|
|
|
- If the RSA encryption is cracked, the rest of the communications can be
|
|
|
|
decrypted anyway.
|
|
|
|
- If the symmetric cipher encryption is cracked without using the information
|
|
|
|
from the encrypted random strings or the hash values, this still won't give
|
|
|
|
the full plaintext for the random string, so it won't facilitate a known-
|
|
|
|
plaintext attack on the RSA encryption.
|
|
|
|
- RSA and symmetric ciphers are fundamentally different. It is very unlikely
|
|
|
|
that the overlap of both will create any interference that will facilitate
|
|
|
|
an easier-than-brute-force attack.
|
|
|
|
|
|
|
|
Other options for key exchange could be:
|
|
|
|
|
|
|
|
* A second exchange of RSA encrypted random strings.
|
|
|
|
This is equal to the former scheme just without knowing the hash value of
|
|
|
|
the unecrypted random string.
|
|
|
|
|
|
|
|
* Diffie-Hellman with RSA signing.
|
|
|
|
This should be very secure, but there are a lot of pitholes with using both
|
|
|
|
encryption with public keys and private keys together with the same keypair.
|
|
|
|
|
|
|
|
* Diffie-Hellman with passphrases.
|
|
|
|
This is what tinc <= 1.0pre2 used to do. Passphrases are secret, exchanging
|
|
|
|
them must be done with great care, nobody may eavesdrop. Exchanging public
|
|
|
|
keys on the other hand is much safer, everybody may eavesdrop, just as long
|
|
|
|
as you are sure that the public key itself belongs to the right owner.
|
2000-09-17 20:11:59 +00:00
|
|
|
|
|
|
|
3. Symmetric cipher
|
|
|
|
--------------------
|
|
|
|
|
|
|
|
Since the generalized encryption functions of OpenSSL are used, any symmetric
|
|
|
|
cipher that is available in OpenSSL could possibly be used. The default however
|
|
|
|
will be Blowfish. Blowfish is widely in use and still has not been cracked
|
|
|
|
today (as far as we know). It also is one of the faster ciphers available.
|