Page 1: remote-cert-eku "TLS OpenVPN Client Authentication"

OpenVPN hardening

Jan Dusatko

Motto: When you want to protect something, you need to learn how to break it before …

This is not about all possible options, but mainly about proper encryption settings.

Page 2: remote-cert-eku "TLS OpenVPN Client Authentication"

Let’s start …

Page 3: remote-cert-eku "TLS OpenVPN Client Authentication"

VPN (principles and implementation)

VPNs provide security through tunneling protocols and security procedures such as encryption. Their security model provides:
• Confidentiality: an attacker would only see encrypted data
• Authentication to prevent unauthorized users from accessing the VPN
• Message integrity to detect any tampering of transmitted messages

OSI Layer 2
• Virtual LAN (IEEE 802.1Q)
• Virtual private LAN service (VPLS – IEEE 802.1D, IEEE 802.1Q) and VPWS
• Pseudo wire (PW – ATM, Frame Relay)
• IP-only LAN-like service (IPLS)

OSI Layer 3 PPVPN architectures
• BGP/MPLS PPVPN (RFC 2547)
• Virtual router PPVPN

Plaintext tunnels
• Generic Routing Encapsulation (GRE), L2TP without IPSec etc.

OSI Layer 4/7 SSL/TLS tunneling

Page 4: remote-cert-eku "TLS OpenVPN Client Authentication"

SSL/TLS Layer implementation

The SSL layer is implemented by a lot of vendors: SUN/Oracle, Microsoft, IBM …
As well as open-source alternatives: OpenSSL, PolarSSL, GNUTLS, LibreSSL …

SSL 1.0 never released
SSL 2.0 (1995)
SSL 3.0 RFC 6101 (1996)
TLS 1.0 RFC 2246 (1999)
TLS 1.1 RFC 4346 (2006)
TLS 1.2 RFC 5246 (2008)
TLS 1.3 (draft)

Known attacks
- Renegotiation
- Version rollback
- BEAST
- CRIME
- BREACH
- Padding
- Lucky13
- POODLE
- RC4
- Truncation
- Heartbleed
- BERserk
…

Most of those attacks are possible because of the complicated and complex structure of the SSL/TLS layer and unclean programming techniques, no matter whether in vendor or open-source implementations.
When the Heartbleed exploit was found, most SSL stacks were analyzed and re-evaluated. Thanks to this, a few issues were found, along with tens of critical parts which need to be carefully redesigned because of the possibility of further exploits.

Page 5: remote-cert-eku "TLS OpenVPN Client Authentication"

Basic configuration

daemon
ping-timer-rem
persist-tun
persist-key
local openvpn.domain.target # server hostname, should be in server certificate
port 1194 # default port
dev tun # TUN device, allowing routing and filtering
proto tcp-server # use TCP instead of UDP, depends on mood

Page 6: remote-cert-eku "TLS OpenVPN Client Authentication"

Settings certificate, key usage …

# Information about certificates
capath /etc/ssl/certs # path to CA structure
ca /etc/ssl/certs/CA/cacert.crt # path to CA public file
cert /etc/ssl/certs/server/openvpn.crt # path to server certificate file
key /etc/ssl/certs/server/openvpn.key # path to the private key of the server certificate
crl-verify /etc/ssl/certs/crl/crl.pem # path to revocation file – check certificate validity
# Key usage RFC3280, RFC 5280
# The --remote-cert-tls client option is equivalent to
# --remote-cert-ku 80 08 88 --remote-cert-eku "TLS OpenVPN Client Authentication"
# The --remote-cert-tls server option is equivalent to
# --remote-cert-ku a0 88 --remote-cert-eku "TLS OpenVPN Server Authentication"
remote-cert-eku "TLS Web Client Authentication" # Explicit key usage, string
remote-cert-ku 80 08 88 # Key usage, hex format, one unquoted argument per value
remote-cert-tls "client" # TLS rules "client" | "server"
dh /etc/ssl/certs/dh4096.pem # path to DH file allowing Perfect Forward Secrecy
tls-auth /usr/local/etc/openvpn/tls-auth.key # TLS authentication secret, another level of security
key-method 2
# 1 keys for data channel generated by OpenSSL RAND
# 2 keys for data channel generated by TLS PRF
tls-version-min 1.2
# 1.2 minimum version of TLS (1.0/1.1/1.2)
# or-highest maximum supported TLS version
reneg-sec 1800 # Renegotiate symmetric encryption key, default 3600s

Page 7: remote-cert-eku "TLS OpenVPN Client Authentication"

Generating information …

How to generate tls-auth.key
# openvpn --genkey --secret tls-auth.key
# cat tls-auth.key
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
…
-----END OpenVPN Static key V1-----
#

How to generate dh4096.pem for Perfect Forward Secrecy
# openssl dhparam -out dh4096.pem 4096
Generating DH parameters, 4096 bit long safe prime, generator 2
This is going to take a long time
…
# cat dh4096.pem
-----BEGIN DH PARAMETERS-----
…
-----END DH PARAMETERS-----
#

Page 8: remote-cert-eku "TLS OpenVPN Client Authentication"

Settings Key Negotiation / Control Channel

tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

# list of encryption algorithms for the control channel, which means the key exchange
# limited to 256B, this example is a bit wide !!!

# openvpn --show-tls | egrep "SHA256|SHA384|SHA512" | egrep -v "DSA|DSS|CBC"
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384
TLS-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256
TLS-RSA-WITH-AES-128-GCM-SHA256
#
# How to shorten and verify the string for OpenVPN
# openssl ciphers 'AESGCM:CAMELLIA:CAST:aGOST01:-ADH:-SHA'
# And check it on the live configuration
# cat /var/log/openvpn/openvpn.log | grep "No valid translation found for TLS cipher"

Page 9: remote-cert-eku "TLS OpenVPN Client Authentication"

Maximum amount of data encrypted by key

It is really important to understand the limits of encryption technology. One vital limit is the maximum amount of data encrypted with one key. The example below covers only block encryption schemes using full byte characteristics. ASCII only (7-bit) will change the data significantly.

Based on the block size, you can easily compute the limits for algorithms. The equation is N*2^(N/2), where N = block size. Below is a table with a small overview of well-known algorithms and their recommended maximum encrypted data size (using one key). Based on this information, proper security requires changing encryption keys regularly.

Name                     Key width  Block width  Function       Safe limit      1Gbps
DES(40)                  40         64           4*2^(64/2)     32 GB           <1h
DES(56)                  56         64           4*2^(64/2)     32 GB           <1h
PRESENT (80)             80         80           10*2^(80/2)    10 TB           40,9h
3DES(112)                112        64(128)      4*2^(64/2)     32 GB           <1h
AES-128                  128        128          16*2^(128/2)   2,7*10^8 TB     2,9*10^6 y
EDES3(168) / EDES3(192)  168        64(192)      4*2^(64/2)     32 GB           1h
AES-192                  192        128          16*2^(128/2)   2,7*10^8 TB     2,9*10^6 y
AES-256                  256        128          16*2^(128/2)   2,7*10^8 TB     2,9*10^6 y
Rijndael 192/192         192        192          24*2^(192/2)   1,7*10^18 TB    1,9*10^16 y
Rijndael 256/256         256        256          32*2^(256/2)   9,9*10^27 TB    1,1*10^26 y
Rijndael 384/256         384        256          32*2^(256/2)   9,9*10^27 TB    1,1*10^26 y
Rijndael 512/256         512        256          32*2^(256/2)   9,9*10^27 TB    1,1*10^26 y

Page 10: remote-cert-eku "TLS OpenVPN Client Authentication"

ECC advantages and disadvantages

ECC Advantages:
• Small keys (as opposed to RSA or DH)
• Faster than DH, as fast as RSA
• Much safer than El Gamal
• No significant mathematical breakthrough is suspected soon (as opposed to RSA)
• Cool (easily deny backward compatibility)

ECC Disadvantages:
• Need to safely choose an appropriate curve and its parameters
• Known weak curves are still in use
• A possible quantum computer can break it faster than RSA of the same strength

Quantum computer and the number of qubits needed for Shor's algorithm:
- RSA needs two times the key size (qubits = key*2)
- ECC needs approximately eight times the key size (qubits = key*8)

Field type:
Prime field, often described as Elliptic curve with P-keysize (finite field of prime order)
Binary field, often described as Koblitz curve with K-keysize

Speed:
• Short Weierstrass curves are significantly faster than Montgomery or Edwards; Montgomery are a little bit faster than Edwards
• Compared to DH, it is possible to save a huge amount of computation time:

Security Level (bits)  Ratio of DH Cost : EC Cost  ECC width  DH width
80                     3:1                         160-223    1024
112                    6:1                         224-255    2048
128                    10:1                        256-383    3072
192                    32:1                        384-511    7680
256                    64:1                        512+       15360

Koblitz/BF  Elliptic curve/PF  DH / RSA
163         192                1024
224         242                2048
283         256                3072
409         384                7680
571         521                15360

Page 11: remote-cert-eku "TLS OpenVPN Client Authentication"

Settings Encryption of Data Channel

auth sha256 # HMAC algorithm. Better to use SHA256/384/512 than older ones
cipher aes-256-cbc # Encryption algorithm
prng none # Fortuna or Yarrow are missing there, and do not trust crypto hardware
# none means use OpenSSL RAND
engine qat # for hardware accelerators only, for example Intel QuickAssist
comp-lzo no # do not use compression
push "comp-lzo no" # and turn it off on the client side too

# openvpn --show-engines
OpenSSL Crypto Engines

BSD cryptodev engine [cryptodev]
RSAX engine support [rsax]
Intel RDRAND engine [rdrand]
Dynamic engine loading support [dynamic]
Intel QuickAssist engine support [qat]
#

Page 12: remote-cert-eku "TLS OpenVPN Client Authentication"

Is your hardware sufficient ?

Page 13: remote-cert-eku "TLS OpenVPN Client Authentication"

Is your hardware sufficient ?

OpenSSL 1.0.1j speed, recomputed from the real CPU to a normalized CPU (1GHz, 1 core, with the AESNI instruction set).
Basic set gathered using:
# openssl speed

Example of using those data for OpenVPN requirements (MTU 1500B, AES-256-CBC, SHA256)
Transported data consists of 1526B in total:
- 32B HMAC (SHA256) for datagram authentication (plaintext, 32B)
- 16B explicit IV, a cipher-dependent initialization vector (16B for AES128/256) (plaintext, 16B)
- 8B sequence number for OpenVPN transport purposes (ciphertext, 8B)
- MAC header (14B) + MTU (1500B, contains the IP datagram) + CRC checksum (4B) (ciphertext, 1518B)

An AES256-CBC block takes ~0,0000008434s; each block yields 32B. For the whole sequence number and payload we need to do 48*32B (last one with padding) ~ pessimistic 0,0000404830s.
SHA256 for the whole encrypted data (1536B) ~0,0000217388s, resulting in a 32B number.

The computation results in 16071 encryptions/s ~ 22MB/s on a 1GHz CPU with 1 core and AESNI enabled.
Multiple cores do not help, because the CBC IV is generated at the end of the cycle. They can help only for multiple streams. Related to the real world: without OS, routing, filtering and other overhead, a minimum of three cores at 2GHz has enough power to utilize a 1Gbps interface, but only for multiple streams! (one stream up to 44MB/s). The limitation is that each core must have AESNI logic implemented.

Note: Because there is no MPD support, all activity runs on only one core for a limited time. This means the resulting number has been divided by frequency times length of test to get the 1GHz/1core CPU normalization. MPD usage is still limited; not every algorithm can utilize multiple cores. A mode other than CBC can save more time by using key derivation at the beginning, not at the end of the cycle.

Page 14: remote-cert-eku "TLS OpenVPN Client Authentication"

Is your hardware sufficient ?

Algorithm                  Speed
DES-CBC 64 bit             55%
IDEA-CBC 128               69%
RC2-CBC 128 bit            40%
DES-EDE3-CBC 192 bit       21%
BF-CBC 128 bit             100%
CAST5-CBC 128 bit          89%
RC5-CBC 128 bit            234%
AES-128-CBC 128 bit        109%
AES-192-CBC 192 bit        89%
AES-256-CBC 256 bit        78%
CAMELLIA-128-CBC 128 bit   135%
CAMELLIA-192-CBC 192 bit   101%
CAMELLIA-256-CBC 256 bit   101%
SEED-CBC 128 bit           59%

Speed of encryption in the respective modes, compared against the default Blowfish algorithm.

Experience, generating DH:
10x 256   <1s
10x 512   <1s
10x 1k    ~10s +/-30%
10x 2k    ~2m +/-30%
10x 4k    ~1h +/-20%
10x 8k    ~10h +/-10%
10x 16k   ~130h +/-15%
10x 32k   ~1100h +/-10%
2x 64k    ~9500h +/-20%

Experience: Most current encryption techniques do not support more than one core; support for MPD is really limited.

Experience: Encrypting/decrypting more than one stream can have a dramatic impact on performance, especially with precomputed values for keys.


Page 15: remote-cert-eku "TLS OpenVPN Client Authentication"

Random generators

Where randomness is needed:
- Key generation
- Nonces
- One-time pads
- Salts …

RND Random Number Generator
PRNG PseudoRandom Number Generator
CSPRNG Cryptographically Secure PseudoRandom Number Generator

CSPRNG algorithms:
Yarrow http://www.schneier.com/yarrow.html
Fortuna https://www.schneier.com/fortuna.html

For Intel's RdRand and Via Technology's Padlock on-chip random number generators, it was reported in 2014 that the National Security Agency had allegedly been weakening cryptographic standards built in conjunction with the National Institute for Standards and Technology, so that the NSA could circumvent them in order to perform its surveillance operations. A similar design with kleptographic characteristics was Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator, 2001), which was removed from NIST standards in 2013.

Page 16: remote-cert-eku "TLS OpenVPN Client Authentication"

Compression

- Compression removes statistical redundancy (lower entropy)
- Compressed data is stored in known structures (DEFLATE and so on)
- Known data / known structure leaks information about the content (known plaintext)

1 2 3
00 – stored (raw)
01 – static Huffman coding
10 – Huffman table
11 – reserved

0 – next block available
1 – last block

- Those three bits are a repeating structure after each block
- There is other conditional data which makes low-entropy text

- Duplication removal (strings with a minimum of two characters)
- Bit reduction (for example for letters only, 36 of 256, this means a minimum of three bits removed)

- The combination of compression leakage and a chosen-plaintext attack is known as CRIME and BREACH (based on the work of John Kelsey - http://csrc.nist.gov/staff/rolodex/kelsey_john.html).

In contrast, non-compressed plaintext contains more randomness, which makes prediction much harder.
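The three header bits listed above can be read back from real compressor output. This is an added example, not part of the original slides; it assumes the RFC 1951 bit order (last-block flag first, then the two block-type bits), and the sample plaintexts are constructed.

```python
import zlib

# Block-type codes as listed on the slide (RFC 1951 calls the field BTYPE).
BLOCK_TYPES = {0: "stored (raw)", 1: "static Huffman", 2: "Huffman table", 3: "reserved"}

def first_block_header(data: bytes, level: int = 9):
    """Compress `data` as raw DEFLATE and decode the first three header bits."""
    comp = zlib.compressobj(level, zlib.DEFLATED, -15)  # -15: raw stream, no zlib wrapper
    raw = comp.compress(data) + comp.flush()
    first = raw[0]
    last_block = bool(first & 0b1)                 # 1 = last block, 0 = next block available
    block_type = BLOCK_TYPES[(first >> 1) & 0b11]  # the two type bits follow the flag
    return last_block, block_type, len(raw)

def header_bits_seen(messages, level: int = 9):
    """Distinct (last_block, block_type) pairs across messages with different content."""
    return {first_block_header(m, level)[:2] for m in messages}

# Constructed sample plaintexts: different content, identical predictable header bits.
SAMPLES = [b"GET /index.html HTTP/1.1", b"user=alice&pin=4711", b"ping", b"A" * 40]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg[:24], first_block_header(msg))
    print("distinct headers:", header_bits_seen(SAMPLES))
```

Every short message starts with the same three bits, which is the known structure the slide refers to; with `comp-lzo no` the cipher sees the payload without such a fixed prefix.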

Page 17: remote-cert-eku "TLS OpenVPN Client Authentication"

Logging

verb 2 # verbosity level
status /var/log/openvpn/status.log # status message of connection
log /var/log/openvpn/openvpn.log # openvpn logging
log-append /var/log/openvpn/openvpn.log # append openvpn logs
mute 64 # mute the repeating messages

Note: Log files should be regularly reviewed by engines like OSSEC, NAGIOS … or by a custom script. Otherwise this is a waste of disk space and of the time spent on hardening.
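A minimal form of the custom review script mentioned in the note, as an added example that is not part of the original slides. The cipher message is the one grepped for earlier in the deck; the other message fragments are assumed typical OpenVPN log texts and should be adjusted to the deployed version, and the log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Message fragments worth alerting on (assumed typical; adjust to your OpenVPN version).
SIGNATURES = {
    "tls_handshake_failed": "TLS Error: TLS handshake failed",
    "hmac_auth_failed": "packet HMAC authentication failed",
    "missing_hmac": "cannot locate HMAC in incoming packet",
    "cert_verify_error": "VERIFY ERROR",
    "bad_tls_cipher": "No valid translation found for TLS cipher",
}
PEER = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):\d+")  # peer written as IPv4:port

def review(lines, threshold=3):
    """Return (events per signature, peers with at least `threshold` events)."""
    events, per_peer = Counter(), defaultdict(int)
    for line in lines:
        for name, needle in SIGNATURES.items():
            if needle in line:
                events[name] += 1
                peer = PEER.search(line)
                if peer:
                    per_peer[peer.group(1)] += 1
                break  # count each line once
    noisy = sorted(ip for ip, n in per_peer.items() if n >= threshold)
    return dict(events), noisy

# Constructed sample in the style of openvpn.log (documentation IP ranges only).
SAMPLE_LOG = """\
Mon Mar  2 10:15:01 2015 198.51.100.20:40112 Peer Connection Initiated with [AF_INET]198.51.100.20:40112
Mon Mar  2 10:15:07 2015 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.7:51234
Mon Mar  2 10:15:08 2015 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.7:51235
Mon Mar  2 10:15:09 2015 203.0.113.7:51236 TLS Error: TLS handshake failed
Mon Mar  2 10:16:30 2015 198.51.100.99:50001 VERIFY ERROR: depth=0, error=certificate has expired: CN=client7
Mon Mar  2 10:17:02 2015 No valid translation found for TLS cipher 'TLS-RSA-WITH-RC4-128-SHA'
""".splitlines()

if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```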

Page 18: remote-cert-eku "TLS OpenVPN Client Authentication"

Chrooting, change GUID …

user openvpn # Set UID
group openvpn # Set GID
chroot /home/openvpn # Chroot directory
cd /home/openvpn # Change to chroot directory during startup

Chrooting allows the server process to be isolated. You can replace this feature with a jail, virtual machines … or combine it with them. Nice to have implemented.

Page 19: remote-cert-eku "TLS OpenVPN Client Authentication"

Management interface, PUSH …

management localhost 7505 # enable management interface

Can be managed via Telnet (telnet localhost 7505); it can be used to disconnect individual users, enter a passphrase for a connection (passphrase protected), and set some parameters. Useful, but not vital.

push "dhcp-option DNS 192.168.1.1"
push "dhcp-option WINS 192.168.1.1"
push "dhcp-option DOMAIN vpn.local"
push "dhcp-option NBDD 192.168.1.1"
push "dhcp-option NTP 192.168.1.1"
push "dhcp-option NBS 8"
push "dhcp-option NBT 8"
push "comp-lzo no"

# Fix Windows Vista/7/2008 routing issues
route-method exe
route-delay 2
# Fix Windows Vista/7/2008 NLA issues
route-metric 512
route 0.0.0.0 0.0.0.0

Beginning with Vista, there is a new feature which tries to detect the current LAN – NLA (Network Location Agent).

Page 20: remote-cert-eku "TLS OpenVPN Client Authentication"

Hardening – example …

Hardening secures communication, but limits backward compatibility. Why?

1. Cryptography standards and implementations are years above real progress in science.
2. Technical standards have been developed by people who sometimes hesitate to ask the scientists.

Page 21: remote-cert-eku "TLS OpenVPN Client Authentication"

OpenVPN hardening (cut of …)

daemon
ping-timer-rem
persist-tun
persist-key
local openvpn.domain.target
port 1194
dev tun
proto tcp-server
capath /etc/ssl/certs
ca /etc/ssl/certs/CA/cacert.crt
cert /etc/ssl/certs/server/openvpn.crt
key /etc/ssl/certs/server/openvpn.key
crl-verify /etc/ssl/certs/crl/crl.pem
dh /etc/ssl/certs/dh4096.pem
remote-cert-eku "TLS OpenVPN Client Authentication"
remote-cert-ku 80 08 88
remote-cert-tls "client"
tls-auth /usr/local/etc/openvpn/tls-auth.key
keepalive 10 300
reneg-sec 1800
cipher AES-256-CBC
auth SHA256
comp-lzo no
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
verb 2
status /var/log/openvpn/status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
mute 64
…
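A server configuration can be checked against the settings from these slides before deployment. The script below is an added example, not part of the original deck; the rule set (required directives, accepted suites, thresholds) is an assumption drawn from the values shown here, and both sample configurations are constructed.

```python
import shlex

STRONG_AUTH = {"SHA256", "SHA384", "SHA512"}
REQUIRED = ("tls-auth", "crl-verify", "tls-version-min", "tls-cipher", "user", "group")

def parse(text):
    """Return {directive: [args]}; '#' and ';' start comments as in OpenVPN."""
    opts = {}
    for line in text.splitlines():
        if line.lstrip().startswith(";"):
            continue
        tokens = shlex.split(line, comments=True)
        if tokens:
            opts[tokens[0]] = tokens[1:]
    return opts

def first(opts, name, default):
    return (opts.get(name) or [default])[0]  # first argument, or default if absent/empty

def audit(text):
    """Compare a server config with the values used in the slides."""
    o = parse(text)
    findings = [f"missing {name}" for name in REQUIRED if name not in o]
    if first(o, "tls-version-min", "1.2") not in ("1.2", "1.3"):
        findings.append("tls-version-min below 1.2")
    suites = first(o, "tls-cipher", "")
    if len(suites) > 256:
        findings.append("tls-cipher longer than 256 bytes")
    for suite in filter(None, suites.split(":")):
        if not suite.startswith(("TLS-ECDHE-", "TLS-DHE-")) or "GCM" not in suite:
            findings.append(f"control-channel suite without (EC)DHE and GCM: {suite}")
    if first(o, "auth", "SHA1").upper() not in STRONG_AUTH:
        findings.append("auth is not SHA256/384/512")
    if "comp-lzo" in o and o["comp-lzo"] != ["no"]:
        findings.append("compression enabled")
    reneg = first(o, "reneg-sec", "3600")
    if not reneg.isdigit() or not 0 < int(reneg) <= 3600:
        findings.append("reneg-sec disabled or above the 3600 s default")
    return findings

# Constructed samples: HARDENED follows the slides, WEAK is a deliberately poor config.
HARDENED = """\
tls-auth /usr/local/etc/openvpn/tls-auth.key
crl-verify /etc/ssl/certs/crl/crl.pem
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
auth SHA256
comp-lzo no
reneg-sec 1800
user openvpn
group openvpn
"""
WEAK = "tls-cipher TLS-RSA-WITH-AES-256-CBC-SHA\ncomp-lzo\nreneg-sec 0\n"
if __name__ == "__main__":
    print(audit(WEAK))
```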

Page 22: remote-cert-eku "TLS OpenVPN Client Authentication"

OpenVPN client hardening (cut of …)

client
ping-timer-rem
persist-tun
persist-key
remote openvpn.domain.target
port 1194
dev tun
proto tcp-client
ca /home/client/cacert.crt
cert /home/client/client.crt
key /home/client/client.key
remote-cert-eku "TLS OpenVPN Server Authentication"
remote-cert-ku a0 88
remote-cert-tls "server"
tls-auth /home/client/tls-auth.key
keepalive 10 300
reneg-sec 1800
cipher AES-256-CBC
auth SHA256
comp-lzo no
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
verb 2
status /var/log/openvpn/status.log
mute 64
…

Page 23: remote-cert-eku "TLS OpenVPN Client Authentication"

Motivation

Never Say Anything.
The only part of government that actually listens to you?

Page 24: remote-cert-eku "TLS OpenVPN Client Authentication"

Do you want to know more?

I would like to invite you on 12th October 2015 to the whole-day Encryption and Applied Encryption training.

More information will be available 1st Jun 2015 at http://cryptosession.cz