OpenVPN Providers - User/Pass Authentication - A Problem?

Discussion in 'privacy technology' started by DasFox, May 10, 2011.

Thread Status:
Not open for further replies.
  1. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Most of the OpenVPN providers that are out there and being discussed often around here, typically use only username and password authentication, which OpenVPN says is less secure.

    So the questions:

    1. How much less secure is using an OpenVPN provider out there that is only offering username and password authentication, that only provides you a CA cert and config file?

    2. For those that are really concerned about their privacy and safety, is it best to steer clear of all OpenVPN providers that do not offer certificate authentication and only offer user/pass authentication?


    THANKS
     
  2. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    There are three issues if you use just username/pass:

    1) Authentication: If your vpn provider didn't provide keys/certs, you can't verify you are really speaking to them or a MITM / imposter.

    2) Authorization: if they do not encrypt the authentication channel, you are exposing your credentials (username & password)

    3) Plaintext Disclosure: If they aren't using a key, then you probably don't have Perfect Forward Secrecy. This means that your previous traffic streams can be decrypted if either endpoint is compromised in the future.

    Anyone claiming security or anonymity, without using key authentication and certs, should be disregarded.
     
  3. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Thanks Steve...
     
  4. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825

    Something I forgot to ask, looking back now at Steve's reply to number 1: 'didn't provide keys/certs'...

    I've seen at times some VPN providers give you one or the other, or provide both, so for a VPN service where you only get a config file and key, is this ok? Or if you only get a config file and a ca.crt cert, is this ok? Or should we really be on the lookout for a service that is giving us a config, key and cert? Then when we say cert, just the ca.crt cert, or what about the client.crt?

    THANKS
     
  5. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    That was a delayed response of the first order. Six months! :)
     
  6. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    I forgot about it; anyhow, it would be nice to get some clarification on this.


    THANKS
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    I would not use any VPN service that didn't use certificates to mutually authenticate servers and clients. Servers use certificate authority to issue client certificate ("client.crt") and key ("client.key"). Clients use server certificate ("ca.crt") to authenticate communications from servers, and they use their certificates to sign communications to servers.

    Username and password provide a second layer of client authentication to servers. While such two-factor authentication is crucial for gmail etc, here it mainly prevents unauthorized use.

    Some providers also issue keys ("ta.key") for TLS authentication. That helps protect servers from DoS attacks, in that unsigned packets are simply dropped.

    See OpenVPN manual.
     
  8. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825

    I'm chatting as we speak to one of OpenVPN's support engineers on this, trying to really get some closure on all this mess, with what should be the accepted standard when using a VPN service and I think I'm just about there...

    My bad, I used to think there was only one key; ok, so two keys, client.key and ta.key. Is the client.key the static key, with the info found here on it?

    http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html

    Here I see the info for the ta.key;

    http://openvpn.net/index.php/open-source/documentation/howto.html#security

    When I look inside the key I have, called vpn.key, I see this (so it looks like the static/client.key):

    #
    # 2048 bit OpenVPN static key
    #
    -----BEGIN OpenVPN Static key V1-----
    d079c0de2e69e6b668f39c55b334owo
    oeweowionxc97393ns9328jsudnsjm84


    THANKS
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Cool.

    Actually, "static key" is a different, third kind: a simpler alternative to a certificate authority with client-specific certificates/keys.

    Both SSL "static.key" and tls-auth "ta.key" have that header. Client keys have header "-----BEGIN RSA PRIVATE KEY-----".
     
  10. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825

    Well, we're finally getting somewhere on this; the OpenVPN engineer said this:

    The conf and 3 files (ca, cert, key) are a must

    So I'm not sure, out of the 3 keys, "static.key" and tls-auth "ta.key" and client, which one he's referring to.

    I'm waiting for a reply back on that...


    THANKS
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    He's referring to three files: server certificate authority ("ca.crt"), client-specific certificate ("client.crt") and the key for "client.crt" ("client.key") which allows clients to sign traffic to servers. Servers have key for their certificates ("ca.key") which allows them to sign traffic to clients.

    Using SSL static keys, both servers and clients have the same keys, which they use to sign traffic to each other.
     
  12. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825

    Ok so I take it the key I was given is the correct one? Seems odd to give a key and no certs...


    THANKS
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    After rereading this thread, I am unsure what you were given. What files did you get?

    If you got just config files and a key, and no certificates, it likely was the static key discussed here: http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
     
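    The question mirimir keeps coming back to (posts 7, 9, 11 and 13) is "what files did you get, and which of the three setups does the config use?". The following checker is an added example, not code from this thread or from OpenVPN: it names a key file by its header (static key and ta.key share one header, a client key does not), parses a client config (including inline `<ca>`...`</ca>` blobs), and reports whether the bundle is static-key mode or TLS mode and which of the pieces discussed above are missing. The sample config and the `vpn.example.invalid` host are constructed.

```python
import re

TLS_CONF = """# constructed sample client config, not a real provider's file
client
remote vpn.example.invalid 1194
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
auth-user-pass
"""

def classify_file(text):
    """Name a provider-supplied key file by its first non-comment line (its header)."""
    first = next((s for s in map(str.strip, text.splitlines()) if s and s[0] != "#"), "")
    if "OpenVPN Static key V1" in first:
        return "static key or tls-auth key (same header; the config decides which)"
    if "PRIVATE KEY" in first:
        return "client private key"
    return "unknown"

def parse_directives(conf):
    """Map each directive to its arguments; an inline <tag>...</tag> blob is recorded as ['inline']."""
    directives, inline = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if inline:                        # inside an inline <ca>/<cert>/<key>/<tls-auth> blob
            inline = None if line == "</%s>" % inline else inline
        elif re.fullmatch(r"<[\w-]+>", line):
            inline = line[1:-1]
            directives[inline] = ["inline"]
        elif line and line[0] not in "#;":
            parts = line.split()
            directives.setdefault(parts[0], parts[1:])
    return directives

def assess(conf):
    """Return (mode, issues) for a client config, following the checklist in this thread."""
    d = parse_directives(conf)
    if "secret" in d:                     # static key mode: one shared key for both ends
        return "static-key", ["shared static key: no per-client certificates, no forward secrecy"]
    issues = []
    if "ca" not in d:
        issues.append("no 'ca': the server's certificate cannot be verified (MITM/impostor)")
    if "cert" not in d or "key" not in d:
        issues.append("no client 'cert'/'key': the client is authenticated by username/password only")
    if "tls-auth" not in d and "tls-crypt" not in d:
        issues.append("no 'tls-auth': control-channel packets are not HMAC-signed, so junk is not dropped early")
    return "tls", issues
```

    A bundle like the one described in this thread (config plus one key, no certs) comes out as `static-key`; a config with only `ca` and `auth-user-pass` comes out as `tls` with the missing client cert and tls-auth listed.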
  14. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825

    Yep just a config and key, so it's probably as you said the static key. Either way it's still not good without the certs...


    THANKS
     