Posts: 673 | Thanked: 856 times | Joined on Mar 2006
#34
Originally Posted by fasza2
Using tls-auth requires that you generate a shared-secret key that is used in addition to the standard RSA certificate/key:

openvpn --genkey --secret ta.key
Here is the quote from openvpn manual:

In static-key encryption mode, the HMAC key is included in the key file generated by --genkey. In TLS mode, the HMAC key is dynamically
generated and shared between peers via the TLS control channel. If OpenVPN receives a packet with a bad HMAC it will drop the packet.
HMAC usually adds 16 or 20 bytes per packet. Set alg=none to disable authentication.
In short, this is used for static keys when used with UDP. For dynamic (TLS-based) keys you do not need it.

My guess is that the shared secret is used to feed the IV of the hash function (MD5, SHA1, SHA224, SHA256, SHA384, SHA512), although I would have to inspect the source code to see what is actually going on.

In the case of SHA1, 20 bytes * 8 bits gives you 160 bits.

Instead of putting the SHA1 on the outer package, I would prefer to keep it together with the plain source, then encrypt everything together. That would provide more security.

Any poking around with the cipher text would cause the inner SHA1 hash to fail.

The drawback to this approach is the need to decrypt each packet, then calculate the SHA1 to detect the "faulty" packet.
 

The Following User Says Thank You to momcilo For This Useful Post:
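The two HMAC placements discussed in the post, the tag over the outer encrypted packet versus the tag kept with the plaintext and encrypted along with it, as an added example that is not code from the post or from OpenVPN. The stream cipher here is a constructed HMAC-SHA256 counter keystream standing in for a real cipher, the tag is HMAC-SHA1 (the 20-byte, 160-bit tag the post mentions), and every key and payload is a constructed sample value; the function names are this example's own.

```python
import hmac
import hashlib
import os

NONCE_LEN = 8
TAG_LEN = 20  # HMAC-SHA1 output: the 20 bytes / 160 bits mentioned in the post


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream (constructed for this example, not OpenVPN's cipher):
    block i = HMAC-SHA256(enc_key, nonce || i)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream encryption/decryption: XOR with the keystream (same function both ways)."""
    return bytes(a ^ b for a, b in zip(data, keystream(enc_key, nonce, len(data))))


def mac(mac_key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1 tag, 20 bytes."""
    return hmac.new(mac_key, data, hashlib.sha1).digest()


# --- Encrypt-then-MAC: HMAC over the outer (encrypted) packet ---------------

def etm_seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = xor_crypt(enc_key, nonce, plaintext)
    return nonce + ct + mac(mac_key, nonce + ct)


def etm_open(enc_key: bytes, mac_key: bytes, packet: bytes):
    """Returns (ok, plaintext_or_None, decrypted); `decrypted` records whether a
    decryption had to be performed before the verdict."""
    nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(mac(mac_key, nonce + ct), tag):
        return False, None, False          # rejected without decrypting
    return True, xor_crypt(enc_key, nonce, ct), True


# --- MAC-then-encrypt: HMAC kept with the plaintext, both encrypted ----------

def mte_seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    inner = plaintext + mac(mac_key, plaintext)
    return nonce + xor_crypt(enc_key, nonce, inner)


def mte_open(enc_key: bytes, mac_key: bytes, packet: bytes):
    nonce, ct = packet[:NONCE_LEN], packet[NONCE_LEN:]
    inner = xor_crypt(enc_key, nonce, ct)   # must decrypt before anything can be checked
    pt, tag = inner[:-TAG_LEN], inner[-TAG_LEN:]
    if not hmac.compare_digest(mac(mac_key, pt), tag):
        return False, None, True           # rejected, but only after a decryption
    return True, pt, True


def flip_byte(packet: bytes, index: int) -> bytes:
    """Simulate poking at the cipher text: flip one bit of one byte."""
    b = bytearray(packet)
    b[index] ^= 0x01
    return bytes(b)


def compare(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> dict:
    """Run both constructions on a clean and a tampered packet; returns
    {name: (accepted, decrypted_before_verdict)} so the cost difference is visible."""
    results = {}
    for name, seal, open_ in (("etm", etm_seal, etm_open), ("mte", mte_seal, mte_open)):
        pkt = seal(enc_key, mac_key, plaintext)
        ok, pt, dec = open_(enc_key, mac_key, pkt)
        assert ok and pt == plaintext
        results[name + "_clean"] = (ok, dec)
        tampered = flip_byte(pkt, NONCE_LEN + len(plaintext) // 2)  # inside the ciphertext
        ok, pt, dec = open_(enc_key, mac_key, tampered)
        results[name + "_tampered"] = (ok, dec)
    return results


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)  # constructed sample keys
    for k, v in compare(enc_key, mac_key, b"constructed sample payload").items():
        print(f"{k:13s} accepted={v[0]!s:5s} decrypted_before_verdict={v[1]}")
```

Both orders detect the flipped byte, which is the point made in the post about the inner hash failing. The difference shows up in the third value: with the tag on the outside the forged packet is dropped before any decryption, while with the tag inside the receiver has to decrypt first, which is the drawback the post names. That early rejection is also why practitioners generally favour the encrypt-then-MAC order: a packet that fails the check never reaches the decryption and parsing code, so an invalid packet produces no plaintext-dependent behaviour for an observer to learn from.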