OpenVPN hardening Motto: When you want to protect something, you need to learn how to break it before … This is not.
Download ReportTranscript OpenVPN hardening Motto: When you want to protect something, you need to learn how to break it before … This is not.
OpenVPN hardening Motto: When you want to protect something, you need to learn how to break it before … This is not about all possible options, but mainly about proper encryption settings. Jan Dusatko Let’s start … VPN (principles and implementation) VPNs provide security through tunneling protocols and security procedures such as encryption. Their security model provides: • Confidentiality, an attacker would only see encrypted data • Authentication to prevent unauthorized users from accessing the VPN • Message integrity to detect any tampering of transmitted messages OSI Layer 2 • Virtual LAN (IEEE 802.1Q) • Virtual private LAN service (VPLS – IEEE 802.1D, IEEE802.1Q) and VPWS • Pseudo wire (PW – ATM, Frame Relay) • IP-only LAN-like service (IPLS) OSI Layer 3 PPVPN architectures • BGP/MPLS PPVPN (RFC 2547) • Virtual router PPVPN Plaintext tunnels • Generic Routing Encapsulation (GRE), L2TP without IPSec etc. OSI Layer 4/7 SSL/TLS tunneling SSL/TLS Layer implementation SSL layer implemented by lot of vendors SUN/Oracle, Microsoft, IBM …. As well as opensource alternative: OpenSSL, PolarSSL, GNUTLS, LibreSSL … SSL 1.0 never released Known attack SSL 2.0 (1995) SSL 3.0 RFC 6101 (1996) TLS 1.0 RFC 2246 (1999) TLS 1.1 RFC 4346 (2006) TLS 1.2 RFC 5246 (2008) TLS 1.3 (draft) - Renegotiation - Version rollback - BEAST - CRIME - BREACH - Padding - Lucky13 - POODLE - RC4 - Truncation - Heartbleed - BERserkr …………. Most of those attack are allowed due complicated and complex structure of SSL/TLS layer, unclean programmers techniques, doesn’t matter if happened on vendors or opensource. When Heartbleed exploit found, most of SSL stack has been analyzed and reevaluated. Thank to this has been found few issues and tenths of critical parts which need to be carefully redesigned, because possibility of another exploits. Basic configuration daemon ping-timer-rem persist-tun persist-key local port dev proto openvpn.domain.target 1194 tun tcp-server # server hostname, should be in server certificate # default port # TUN device, allowing routing and filtering # use TCP instead of UDP, depend of mood Settings certificate, key usage … # Information about certificates capath /etc/ssl/certs # path to CA structure ca /etc/ssl/certs/CA/cacert.crt # path to CA public file cert /etc/ssl/certs/server/openvpn.crt # path to server private certificate file key /etc/ssl/certs/server/openvpn.key # path to key for opening private certificate file crl-verify /etc/ssl/certs/crl/crl.pem # path to revocation file – check certificate validity # Key usage RFC3280, RFC 5280 # The --remote-cert-tls client option is equivalent to # --remote-cert-ku 80 08 88 --remote-cert-eku "TLS OpenVPN Client Authentication" # The --remote-cert-tls server option is equivalent to # --remote-cert-ku a0 88 --remote-cert-eku "TLS OpenVPN Server Authentication“ remote-cert-eku "TLS Web Client Authentication“ # Explicit key usage, string remote-cert-ku "80 08 88" # Key usage, hex format remote-cert-tls "client" # TLS rules “client” | “server” dh /etc/ssl/certs/dh4096.pem # path to DH file allowing Perfect Forward Secrecy tls-auth /usr/local/etc/openvpn/tls-auth.key # TLS authentication secret, another level of security key-method 2 # 1 keys for data channel generated by OpenSSL RAND # 2 keys for data channel generated by TLS PRF tls-version-min 1.2 # 1.2 minimum version of TLS (1.0/1.1/1.2) # or-highest maximum supported TLS version reneg-sec 1800 # Renegotiate symmetric encryption key, default 3600s Generating information … How to generate tls-auth.key How to generate dh4096.pem for Perfect Forward Secrecy # openvpn --genkey --secret tls-auth.key # cat tls-auth.key # # 2048 bit OpenVPN static key # -----BEGIN OpenVPN Static key V1----6d5c5920a7a2619fa99df68e87addce1 8f64461a372379de20f86eb4bb350172 4cf5f40c9b790df4c2d374ea5130e87c 4b02c3e5aa8a73539e712e846aef7abd 6d0b6d93c30a35601eb1df6256d64d04 6740147d0569462ce6536cfcf72ae76e 412c2cf8b1b68e16af24ee7d996b44f2 9a1b6153d09011695783456701c5b898 6a4d5c20aac916af0dfd5ef7beea9cc0 d9e534fa45d248c7243a2454bb2fe364 0e2c3374c262570a7d70a90113db7b1b 3b7b5cc2d8a512e1b1d988d80671e7eb db4941a7e24a96c75414f8532c1de296 a66e49c0bf424d12298551cf64497e41 f61b94607c283ab61d8ea2dac0f68b12 3bb79b6a69ab96c9f20f7ff816f3d3a7 -----END OpenVPN Static key V1----# # openssl dhparam -out dh4096.pem 4096 Generating DH parameters, 4096 bit long safe prime, generator 2 This is going to take a long time --------------------------------# cat dh4096.pem -----BEGIN DH PARAMETERS----MIIECAKCBAEAsrdsUP/IZU6+ocrtBEv3HxSPLeOQTXhysfA0hifAdlmH6rePUSAA zztu3pvLEmjDJ2c7ZJ8RgOWlQnWLmt/yVSeOiVn+MOFx2gOqzVuPnK+jm10E0ouL Y0rc2U6mB+v9sbKu0qSWJRHR67ga5tnNP/zrHSUizottsrPqTlB3aL0h7cHlTv5k GlM2by56EI0T/uyc8mhiX2OVz54HixVYSadTmMN8UHlnyFD9wRXiKRWj5fRT0Pwt x5NrejdFlXG6QfWdO3a+MmfDudoW5rdveKyK1dy5zg33DtinmY7Hn+NCBGGKtefb Do4vxCh6wY23n8uihMra8+PwLuJPxGS1c2aMXKjDCVe4gTQHaLFYEO4lFErYBt02 HoEt8j3ZFHX3X/96kOFnHRq5fuQKXagD8IO7T1mvD8IIdh1WTEt7rAcJ7Km4Sl+6 cDQPHn+ipfiWQxP0NjdCHV1H97tclGLWz+MVPOvmcLkMF7AzHeU/gHm9hTG/1+iD Ygj7HezbAke0fAMFTLhafq1UfGH9qUtVg+kgi8MlOufK2Jmj+r38pdKvP8b+R4r7 yQmhvxIPvNFvYdxtURc/+GrwCzEcQqqbFuEAKRddJxU/udmhnORy417YtCCErcpP cQuQOe2s++MESvpeHoFV1q05ccAQ7MO2LEkilM348gwfeCDMphdUwobPqtj= -----END DH PARAMETERS----# Settings Key Negotiation / Control Channel tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHERSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 # # list of encryption algorithm for control channel, this mean key exchange limited to 256B , this example are bit wide !!! # openvpn --show-tls | egrep "SHA256|SHA384|SHA512" | egrep -v "DSA|DSS|CBC" TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384 TLS-RSA-WITH-AES-256-GCM-SHA384 TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256 TLS-RSA-WITH-AES-128-GCM-SHA256 # # How to short and verify string for OpenVPN # openssl ciphers 'AESGCM:CAMELLIA:CAST:aGOST01:-ADH:-SHA‘ # And check it on live configuration # cat /var/log/openvpn/openvpn.log | grep “No valid translation found for TLS cipher” Maximum amount of data encrypted by key It is really important to understand limits of encryption technology. One of vital limit are maximum amount of data encrypted by one key. Example bellow explains only block encryption schemes using full byte characteristics. ASCII only (7-bit) will change the data significantly. Based on block size, you can easily compute limits for algorithms. Equation are N*2 N/2, where N=block size. Bellow are table with small overview of well-known algorithms and it recommended maximum encrypted data size (using one key). Based on information mentioned, proper security need to change encryption keys regularly. Name Key width Block width DES(40) 40 64 DES(56) 56 64 PRESENT (80) 80 80 3DES(112) 112 64(128) AES-128 128 128 EDES3(168) / EDES3(192) 168 64(192) AES-192 192 128 AES-256 256 128 Rinjdael 192/192 192 192 Rinjdael 256/256 256 256 Rinjdael 384/256 384 256 Rinjdael 512/256 512 256 Function 4*264/2 4*264/2 10*280/2 4*264/2 16*2128/2 4*264/2 16*2128/2 16*2128/2 24*2192/2 32*2256/2 32*2256/2 32*2256/2 Safe limit 1Gbps 32 GB <1h 32 GB <1h 10 TB 40,9h 32 GB <1h 2,7*108 TB 2,9*106 y 32 GB 1h 8 2,7*10 TB 2,9*106 y 2,7*108 TB 2,9*106 y 1,7*1018 TB 1,9*1016 y 9,9*1027 TB 1,1*1026 y 9,9*1027 TB 1,1*1026 y 9,9*1027 TB 1,1*1026 y ECC advantage and disadvantage ECC Advantages: •Small keys (opposite RSA or DH) •Faster than DH, fast like RSA •Much safer than El Gamal •There are no suspect of significant math breakthrough soon (opposite RSA) •Cool (easily deny backward compatibility) ECC Disadvantages: •Need safely choose appropriate curve and their parameters •Know weak curves still in use •Possible quantum computer can break in faster than RSA on the same strength Quantum Computer and the amount of qbits needed for Shor’s algorithm: - RSA need two times of key size (qbits=key*2) - ECC need approximately eight time of key size (qbits=key*8) Field type: Prime field, often described as Elliptic curve with P-keysize (finite field of prime order) Binary field, often described as Koblitz curve with K-keysize Speed: •Short Weierstrass are significantly faster than Montgomery or Edwards, Montgomery are little bit faster than Edwards •Compare the DH, there possible to save huge amount of computation time: Security Level (bits) Ratio of DH Cost : EC Cost ECC width DH Width Koblitz/BF Eliptic curve/PF DH / RSA 80 3:1 160-223 1024 163 192 1024 112 6:1 224-255 2048 224 242 2048 128 10:1 256-383 3072 283 256 3072 192 32:1 384-511 7680 409 384 7680 256 64:1 512+ 15360 571 521 15360 Settings Encryption of Data Channel auth cipher prng sha256 aes-256-cbc none engine comp-lzo push qat no "comp-lzo no" # openvpn --show-engines OpenSSL Crypto Engines BSD cryptodev engine [cryptodev] RSAX engine support [rsax] Intel RDRAND engine [rdrand] Dynamic engine loading support [dynamic] Intel QuickAssist engine support [qat] # # HMAC algorithm. Better to use SHA256/384/512 than older # Encryption algorithm # missing fortune or yarrow there and do not trust cryptohw # none mean use OpenSSL RAND # for hardware accelerators only, for example Intel QuickAssist # do not use compression # and turn it off on the client side too Is your hardware sufficient ? Is your hardware sufficient ? OpenSSL 1.0.1j speed recomputed from real to normalized CPU (1Ghz, 1 core, with AESNI instruction set). Basic set gathered using: # openssl speed Example of usage those data for OpenVPN requirements (MTU 1500B, AES-256-CBC, SHA256) Transported data consist total 1526B: - 32B HMAC (SHA256) for datagram authentication - 16B Explicit IV cipher dependent initialization vector (16B for AES128/256) - 8B sequence number for OpenVPN transport purpose - MAC header (14B)+MTU (1500B, consist IP datagram) + CRC checksum (4B) plaintext plaintext ciphertext ciphertext 32B 16B 8B 1518B AES256-CBC block take ~ 0,0000008434s, each block earn 32B. For whole sequence number and payload we need to do 48*32B (last one with padding) ~ pessimistic 0,0000404830 s SHA256 for whole encrypted data (1536B) ~ 0,0000217388s, resulting 32B number Computing results 16071 encyption/s ~ 22MB/s on 1GHz CPU with 1 core and AESNI enabled. Multiple cores doesn’t help, because CBC IV has been generated on the end of cycle. Can help only for multiple streams. Related to real world. Without OS, routing, filtering and other stuff utilization minimum three core on 2GHz has enough power to utilize 1Gbps interface, but for multiple streams! (one stream up to 44MB/s). With limitation, each core must have AESNI logic implemented. Note: Because there are no MPD support, all activity run on only one core for limited time. This mean resulting number has been divided by frequency times length of test to got 1GHz/1core CPU normalization. MPD usage still limited, not each algorithm can utilize multiple cores. Different mode than CBC can save more time, use key derivation on beginning, not on the end of cycle. Is your hardware sufficient ? Algorithm DES-CBC 64 bit IDEA-CBC 128 RC2-CBC 128 bit DES-EDE3-CBC 192 bit BF-CBC 128 bit CAST5-CBC 128 bit RC5-CBC 128 bit AES-128-CBC 128 bit AES-192-CBC 192 bit AES-256-CBC 256 bit CAMELLIA-128-CBC 128 bit CAMELLIA-192-CBC 192 bit CAMELLIA-256-CBC 256 bit SEED-CBC 128 bit Speed 55% 69% 40% 21% 100% 89% 234% 109% 89% 78% 135% 101% 101% 59% Compared speed of encryption and appropriate modes against the default BlowFish algorithm. Experience, generating DH: 10x 256 <1s 10x 512 <1 s 10x 1k ~10 s +/- 30% 10x 2k ~2m +/- 30% 10x 4k ~1h +/-20% 10x 8k ~10h +/-10% 10x 16k ~130h +/-15% 10x 32k ~1100h +/-10% 2x 64k ~ 9500h +/-20% Experience: Most of current encryption techniques doesn’t support more than one core, support for MPD really limited. Experience: Encrypt/decrypt more than one stream can have dramatically impact to performance, especially with precomputed values for keys. Random generators Where randomnes needs: - Key generation - Nonces - OneTime Pads - Salts … RND PRNG CSPRNG Random Number Generator PseudoRandom Number Generator Cryptographically Secure PseudoRandom number generator CSPRNG algorithm: Yarrow http://www.schneier.com/yarrow.html Fortuna https://www.schneier.com/fortuna.html Intel’s RdRand and Via Technology’s Padlock on-chip random number generators reported in 2014 year that the National Security Agency had allegedly weakening cryptographic standards built in conjunction with the National Institute for Standards and Technology so that the NSA could circumvent them in order to perform its surveillance operations. Similar design with kleptography characteristics has been the Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator, 2001), has been removed from NIST standards in 2013 year. Compression -Compression remove statistical redundancy (lower entropy) -Compressed data has been stored in known structures (DEFLATE and so on) -Known data / known structure leaking information about content (known plaintext) 1 2 3 00 – stored (raw) 01 – static Huffman coding 10 – Huffman table 11 – reserved 0 – next block available 1 – last block -Those three bits are repeating structure after each block -There are another conditional data make low entropy text -Duplication removal (string with minimum two characters) -Bit reduction (for example from letters only, 36 of 256, mean minimum three bit removal) -Combination of compression leakage and chosen plaintext attack known as CRIME and BREACH ( based on work of John Kelsey - http://csrc.nist.gov/staff/rolodex/kelsey_john.html). On the opposite, non-compressed plaintext contain more random, which make prediction much harder. Logging verb status log log-append mute 2 /var/log/openvpn/status.log /var/log/openvpn/openvpn.log /var/log/openvpn/openvpn.log 64 # verbosity level # status message of connection # openvpn logging # append openvpn logs # mute the repeating messages Note: Log files should be regularly reviewed by engines like OSSEC, NAGIOS … or by custom script. In other case this is a waste of disk space and time spend on hardening. Chrooting, change GUID … user group chroot cd openvpn openvpn /home/openvpn /home/openvpn # Set UID # Set GID # Chroot directory # Change to chroot directory during startup Chrooting allow to isolate server process. You can replace this feature by jail, virtual machines … or can be combined with them. Nice to have implemented. Management interface, PUSH … management localhost 7505 # enable management interface Can be managed by Telnet (telnet localhost:7505), can be used for disconnect separate users, enter passphrase for connection (passphrase protected), setting some parameters. Useful, but not vital. push push push push push push push push "dhcp-option DNS 192.168.1.1" "dhcp-option WINS 192.168.1.1" "dhcp-option DOMAIN vpn.local" "dhcp-option NBDD 192.168.1.1" "dhcp-option NTP 192.168.1.1" "dhcp-option NBS 8" "dhcp-option NBT 8" "comp-lzo no" #Fix Winodws Vista/7/2008 routing issues route-method exe route-delay 2 #Fix Windows Vista/7/2008 NLA issues route-metric 512 route 0.0.0.0 0.0.0.0 Beginning Vista, there are new feature, which try to detect current LAN – NLA (Network Location Agent). Hardening – example … 2. Hardening secure comunnication, but limits backward compatibility. Why? 1. Cryptography standards and implementation are years above real progress in science. Technical standard has been developed by people which sometimes hesitate to ask the scientist. OpenVPN hardening (cut of …) daemon ping-timer-rem persist-tun persist-key local openvpn.domain.target port 1194 dev tun proto tcp-server capath /etc/ssl/certs ca /etc/ssl/certs/CA/cacert.crt cert /etc/ssl/certs/server/openvpn.crt key /etc/ssl/certs/server/openvpn.key crl-verify /etc/ssl/certs/crl/crl.pem dh /etc/ssl/certs/dh4096.pem remote-cert-eku "TLS OpenVPN Client Authentication“ remote-cert-ku "80 08 88” remote-cert-tls "client” tls-auth /usr/local/etc/openvpn/tls-auth.key keepalive 10 300 reneg-sec 1800 cipher AES-256-CBC auth SHA256 comp-lzo no tls-version-min 1.2 tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-128-GCMSHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 verb 2 status /var/log/openvpn/status.log log /var/log/openvpn/openvpn.log log-append /var/log/openvpn/openvpn.log mute 64 … OpenVPN client hardening (cut of …) client ping-timer-rem persist-tun persist-key local openvpn.domain.target port 1194 dev tun Proto tcp-client ca /home/client/cacert.crt cert /home/client/client.crt key /home/client/client.key remote-cert-eku "TLS OpenVPN Server Authentication“ remote-cert-ku “a0 88” remote-cert-tls “server” tls-auth /home/client/tls-auth.key keepalive 10 300 reneg-sec 1800 cipher AES-256-CBC auth SHA256 comp-lzo no tls-version-min 1.2 tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-128-GCMSHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 verb 2 status /var/log/openvpn/status.log mute 64 … Motivation Never Say Anything. Only part of government, that actually listen you ? Do you want to know more? I would like to invite you 12th October 2015 on whole day Encryption and Applied encryption training More information will be available 1st Jun 2015 at http://cryptosession.cz