OpenVPN hardening
Motto: When you want to protect something, you need to learn how to break it before …
This is not about all possible options, but mainly about proper encryption settings.
Jan Dusatko
Let’s start …
VPN (principles and implementation)
VPNs provide security through tunneling protocols and security procedures such as encryption. Their security model
provides:
• Confidentiality, an attacker would only see encrypted data
• Authentication to prevent unauthorized users from accessing the VPN
• Message integrity to detect any tampering of transmitted messages
OSI Layer 2
• Virtual LAN (IEEE 802.1Q)
• Virtual private LAN service (VPLS – IEEE 802.1D, IEEE802.1Q) and VPWS
• Pseudo wire (PW – ATM, Frame Relay)
• IP-only LAN-like service (IPLS)
OSI Layer 3 PPVPN architectures
• BGP/MPLS PPVPN (RFC 2547)
• Virtual router PPVPN
Plaintext tunnels
• Generic Routing Encapsulation (GRE), L2TP without IPSec etc.
OSI Layer 4/7
• SSL/TLS tunneling
SSL/TLS Layer implementation
The SSL layer is implemented by a lot of vendors: SUN/Oracle, Microsoft, IBM …
As well as open-source alternatives: OpenSSL, PolarSSL, GnuTLS, LibreSSL …
SSL 1.0 never released
SSL 2.0 (1995)
SSL 3.0 RFC 6101 (1996)
TLS 1.0 RFC 2246 (1999)
TLS 1.1 RFC 4346 (2006)
TLS 1.2 RFC 5246 (2008)
TLS 1.3 (draft)
Known attacks
- Renegotiation
- Version rollback
- BEAST
- CRIME
- BREACH
- Padding
- Lucky13
- POODLE
- RC4
- Truncation
- Heartbleed
- BERserk
- …
Most of those attacks are possible due to the complicated and complex structure of the SSL/TLS layer and unclean
programming techniques; it doesn't matter whether it happened at vendors or in open source.
When the Heartbleed exploit was found, most of the SSL stack was analyzed and re-evaluated. Thanks to this,
a few issues and tens of critical parts were found which need to be carefully redesigned
because of the possibility of other exploits.
Basic configuration
daemon
ping-timer-rem
persist-tun
persist-key
local openvpn.domain.target    # server hostname, should be in server certificate
port 1194                      # default port
dev tun                        # TUN device, allowing routing and filtering
proto tcp-server               # use TCP instead of UDP, depends on mood
Settings certificate, key usage …
# Information about certificates
capath /etc/ssl/certs                       # path to CA structure
ca /etc/ssl/certs/CA/cacert.crt             # path to CA public file
cert /etc/ssl/certs/server/openvpn.crt      # path to server certificate file
key /etc/ssl/certs/server/openvpn.key       # path to private key of the server certificate
crl-verify /etc/ssl/certs/crl/crl.pem       # path to revocation file – check certificate validity
# Key usage RFC3280, RFC 5280
# The --remote-cert-tls client option is equivalent to
#   --remote-cert-ku 80 08 88 --remote-cert-eku "TLS OpenVPN Client Authentication"
# The --remote-cert-tls server option is equivalent to
#   --remote-cert-ku a0 88 --remote-cert-eku "TLS OpenVPN Server Authentication"
remote-cert-eku "TLS Web Client Authentication"   # Explicit key usage, string
remote-cert-ku 80 08 88                           # Key usage, hex format
remote-cert-tls "client"                          # TLS rules "client" | "server"
dh /etc/ssl/certs/dh4096.pem                      # path to DH file allowing Perfect Forward Secrecy
tls-auth /usr/local/etc/openvpn/tls-auth.key      # TLS authentication secret, another level of security
key-method 2
#   1   keys for data channel generated by OpenSSL RAND
#   2   keys for data channel generated by TLS PRF
tls-version-min 1.2
#   1.2          minimum version of TLS (1.0/1.1/1.2)
#   or-highest   maximum supported TLS version
reneg-sec 1800                                    # Renegotiate symmetric encryption key, default 3600s
Generating information …
How to generate tls-auth.key
# openvpn --genkey --secret tls-auth.key
# cat tls-auth.key
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
#
How to generate dh4096.pem for Perfect Forward Secrecy
# openssl dhparam -out dh4096.pem 4096
Generating DH parameters, 4096 bit long safe prime, generator 2
This is going to take a long time
# cat dh4096.pem
-----BEGIN DH PARAMETERS-----
...
-----END DH PARAMETERS-----
#
Settings Key Negotiation / Control Channel
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
# list of encryption algorithms for the control channel, this means key exchange
# limited to 256B, this example is a bit wide !!!
# openvpn --show-tls | egrep "SHA256|SHA384|SHA512" | egrep -v "DSA|DSS|CBC"
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384
TLS-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256
TLS-RSA-WITH-AES-128-GCM-SHA256
#
How to shorten and verify the string for OpenVPN
# openssl ciphers 'AESGCM:CAMELLIA:CAST:aGOST01:-ADH:-SHA'
#
And check it on the live configuration
# cat /var/log/openvpn/openvpn.log | grep "No valid translation found for TLS cipher"
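A checker for the tls-cipher string, added here as an example (it is not part of the original slides). It applies the same SHA256/384/512 and DSA|DSS|CBC filter as the egrep pipeline, enforces the 256-byte limit, and, as an assumption drawn from the suites the slide selects, requires ECDHE or DHE key exchange; the function name and the name pattern are hypothetical.

```python
import re

MAX_BYTES = 256  # limit for the whole tls-cipher string, as stated on the slide

# Assumed shape of the IANA-style names printed by `openvpn --show-tls`
SUITE = re.compile(
    r"^TLS-(ECDHE|DHE|ECDH|DH|RSA)(-(RSA|ECDSA|DSS))?-WITH-[A-Z0-9-]+-(SHA\d*|MD5)$"
)

def check_tls_cipher(value):
    """Return (suite, problem) findings; an empty list means the string passes."""
    findings = []
    if len(value.encode()) > MAX_BYTES:
        findings.append(("<whole string>", "longer than 256 bytes"))
    for suite in value.split(":"):
        if not SUITE.match(suite):
            # typical cause: a hyphen lost when the list was wrapped or pasted
            findings.append((suite, "malformed suite name"))
            continue
        if not re.search(r"SHA(256|384|512)$", suite):
            findings.append((suite, "hash is not SHA256/384/512"))
        if re.search(r"DSA|DSS|CBC", suite):
            findings.append((suite, "excluded by the DSA|DSS|CBC filter"))
        if not suite.startswith(("TLS-ECDHE-", "TLS-DHE-")):
            findings.append((suite, "no ephemeral key exchange"))
    return findings

# The list from the slide, with every hyphen in place
GOOD = ("TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:"
        "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256")

if __name__ == "__main__":
    # Constructed failure case: one hyphen dropped from the third suite
    broken = GOOD.replace("GCM-SHA256", "GCMSHA256", 1)
    for suite, problem in check_tls_cipher(broken):
        print(suite, "->", problem)
```

A malformed name is what ends up in the log as "No valid translation found for TLS cipher", so running the check before deployment avoids finding it only in the live log.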
Maximum amount of data encrypted by key
It is really important to understand the limits of encryption technology. One vital limit is the maximum amount of data encrypted by one key.
The example below covers only block encryption schemes using full byte characteristics. ASCII only (7-bit) will change the data significantly.
Based on block size, you can easily compute the limits for algorithms. The equation is N*2^(N/2), where N = block size. Below is a table with a small
overview of well-known algorithms and their recommended maximum encrypted data size (using one key). Based on the information mentioned,
proper security needs the encryption keys to be changed regularly.
Name                      Key width  Block width  Function      Safe limit     1Gbps
DES(40)                   40         64           4*2^(64/2)    32 GB          <1h
DES(56)                   56         64           4*2^(64/2)    32 GB          <1h
PRESENT (80)              80         80           10*2^(80/2)   10 TB          40,9h
3DES(112)                 112        64(128)      4*2^(64/2)    32 GB          <1h
AES-128                   128        128          16*2^(128/2)  2,7*10^8 TB    2,9*10^6 y
EDES3(168) / EDES3(192)   168        64(192)      4*2^(64/2)    32 GB          1h
AES-192                   192        128          16*2^(128/2)  2,7*10^8 TB    2,9*10^6 y
AES-256                   256        128          16*2^(128/2)  2,7*10^8 TB    2,9*10^6 y
Rijndael 192/192          192        192          24*2^(192/2)  1,7*10^18 TB   1,9*10^16 y
Rijndael 256/256          256        256          32*2^(256/2)  9,9*10^27 TB   1,1*10^26 y
Rijndael 384/256          384        256          32*2^(256/2)  9,9*10^27 TB   1,1*10^26 y
Rijndael 512/256          512        256          32*2^(256/2)  9,9*10^27 TB   1,1*10^26 y
ECC advantages and disadvantages
ECC Advantages:
• Small keys (as opposed to RSA or DH)
• Faster than DH, as fast as RSA
• Much safer than El Gamal
• No significant math breakthrough is suspected soon (as opposed to RSA)
• Cool (easily deny backward compatibility)
ECC Disadvantages:
• Need to safely choose an appropriate curve and its parameters
• Known weak curves are still in use
• A possible quantum computer can break it faster than RSA of the same strength
Quantum computer and the number of qubits needed for Shor's algorithm:
- RSA needs two times the key size (qubits = key*2)
- ECC needs approximately eight times the key size (qubits = key*8)
Field type:
Prime field, often described as Elliptic curve with P-keysize (finite field of prime order)
Binary field, often described as Koblitz curve with K-keysize
Speed:
• Short Weierstrass curves are significantly faster than Montgomery or Edwards; Montgomery are a little bit faster than Edwards
• Compared to DH, it is possible to save a huge amount of computation time:
Security level (bits)  Ratio of DH cost : EC cost  ECC width  DH width  Koblitz/BF  Elliptic curve/PF  DH / RSA
80                     3:1                         160-223    1024      163         192                1024
112                    6:1                         224-255    2048      224         242                2048
128                    10:1                        256-383    3072      283         256                3072
192                    32:1                        384-511    7680      409         384                7680
256                    64:1                        512+       15360     571         521                15360
Settings Encryption of Data Channel
auth sha256            # HMAC algorithm. Better to use SHA256/384/512 than older
cipher aes-256-cbc     # Encryption algorithm
prng none              # missing Fortuna or Yarrow there and do not trust crypto hardware
                       # none means use OpenSSL RAND
engine qat             # for hardware accelerators only, for example Intel QuickAssist
comp-lzo no            # do not use compression
push "comp-lzo no"     # and turn it off on the client side too
# openvpn --show-engines
OpenSSL Crypto Engines
BSD cryptodev engine [cryptodev]
RSAX engine support [rsax]
Intel RDRAND engine [rdrand]
Dynamic engine loading support [dynamic]
Intel QuickAssist engine support [qat]
#
Is your hardware sufficient ?
OpenSSL 1.0.1j speed recomputed from the real CPU to a normalized one (1GHz, 1 core, with the AESNI instruction set).
Basic set gathered using:
# openssl speed
Example of using those data for OpenVPN requirements (MTU 1500B, AES-256-CBC, SHA256)
Transported data consists of 1526B in total:
- 32B HMAC (SHA256) for datagram authentication
- 16B explicit IV, cipher-dependent initialization vector (16B for AES128/256)
- 8B sequence number for OpenVPN transport purposes
- MAC header (14B) + MTU (1500B, contains the IP datagram) + CRC checksum (4B)
Packet layout (figure): 32B (plaintext) | 16B (plaintext) | 8B (ciphertext) | 1518B (ciphertext)
An AES256-CBC block takes ~0,0000008434 s, and each block yields 32B. For the whole sequence number and payload we need to do 48*32B (the last
one with padding), pessimistically ~0,0000404830 s.
SHA256 over the whole encrypted data (1536B) takes ~0,0000217388 s, resulting in a 32B number.
The computation results in 16071 encryptions/s ~ 22MB/s on a 1GHz CPU with 1 core and AESNI enabled.
Multiple cores don't help, because the CBC IV is generated at the end of the cycle; they can help only for multiple streams. Related to
the real world: without OS, routing, filtering and other overhead, a minimum of three cores at 2GHz has enough power to utilize a 1Gbps
interface, but only for multiple streams (one stream up to 44MB/s). With the limitation that each core must have AESNI logic implemented.
Note: Because there is no MPD support, all activity runs on only one core for a limited time. This means the resulting number has been divided by frequency times length
of test to get the 1GHz/1-core CPU normalization. MPD usage is still limited; not every algorithm can utilize multiple cores. A different mode than CBC can save more time
by using key derivation at the beginning, not at the end, of the cycle.
Is your hardware sufficient ?
Algorithm                   Speed
DES-CBC 64 bit              55%
IDEA-CBC 128                69%
RC2-CBC 128 bit             40%
DES-EDE3-CBC 192 bit        21%
BF-CBC 128 bit              100%
CAST5-CBC 128 bit           89%
RC5-CBC 128 bit             234%
AES-128-CBC 128 bit         109%
AES-192-CBC 192 bit         89%
AES-256-CBC 256 bit         78%
CAMELLIA-128-CBC 128 bit    135%
CAMELLIA-192-CBC 192 bit    101%
CAMELLIA-256-CBC 256 bit    101%
SEED-CBC 128 bit            59%
Compared speed of encryption and appropriate modes against the default BlowFish algorithm.
Experience, generating DH:
10x 256     <1s
10x 512     <1 s
10x 1k      ~10 s +/- 30%
10x 2k      ~2m +/- 30%
10x 4k      ~1h +/-20%
10x 8k      ~10h +/-10%
10x 16k     ~130h +/-15%
10x 32k     ~1100h +/-10%
2x 64k      ~9500h +/-20%
Experience:
Most current encryption techniques don't support more than one core; support for MPD is
really limited.
Experience:
Encrypting/decrypting more than one stream can have a dramatic impact on performance, especially
with precomputed values for keys.
Random generators
Where randomness is needed:
- Key generation
- Nonces
- One-time pads
- Salts …
RND – Random Number Generator
PRNG – PseudoRandom Number Generator
CSPRNG – Cryptographically Secure PseudoRandom Number Generator
CSPRNG algorithms:
Yarrow http://www.schneier.com/yarrow.html
Fortuna https://www.schneier.com/fortuna.html
For Intel's RdRand and VIA Technology's Padlock on-chip random number generators, it was reported in 2014 that the National Security
Agency had allegedly been weakening cryptographic standards built in conjunction with the National Institute of Standards and
Technology so that the NSA could circumvent them in order to perform its surveillance operations. A similar design with kleptography
characteristics was Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator, 2001), which was removed from
NIST standards in 2013.
Compression
- Compression removes statistical redundancy (lower entropy)
- Compressed data is stored in known structures (DEFLATE and so on)
- Known data / known structure leaks information about content (known plaintext)
DEFLATE block header, bits 1 2 3:
Block type (two bits):
00 – stored (raw)
01 – static Huffman coding
10 – Huffman table
11 – reserved
Final-block flag (one bit):
0 – next block available
1 – last block
- Those three bits are a repeating structure after each block
- There is other conditional data that makes low-entropy text
- Duplication removal (strings of at least two characters)
- Bit reduction (for example letters only, 36 of 256, means a minimum of three bits removed)
- The combination of compression leakage and a chosen-plaintext attack is known as CRIME and BREACH (based on
the work of John Kelsey - http://csrc.nist.gov/staff/rolodex/kelsey_john.html).
In contrast, non-compressed plaintext contains more randomness, which makes prediction much harder.
Logging
verb 2                                     # verbosity level
status /var/log/openvpn/status.log         # status message of connection
log /var/log/openvpn/openvpn.log           # openvpn logging
log-append /var/log/openvpn/openvpn.log    # append openvpn logs
mute 64                                    # mute the repeating messages
Note:
Log files should be regularly reviewed by engines like OSSEC, NAGIOS … or by a custom script. Otherwise this is a
waste of disk space and of the time spent on hardening.
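One shape such a custom review script can take, added here as an example (not from the original slides): it counts failure messages in openvpn.log per peer address and reports peers at or over a threshold. The category names, the threshold and the sample lines are constructed; the addresses are documentation ranges.

```python
import re
from collections import Counter, defaultdict

# Substrings of OpenVPN log messages worth counting; category names are hypothetical
EVENTS = {
    "TLS Error: TLS handshake failed": "handshake_failed",
    "TLS Error: TLS key negotiation failed": "handshake_timeout",
    "cannot locate HMAC in incoming packet": "tls_auth_rejected",
    "packet HMAC authentication failed": "hmac_failed",
    "VERIFY ERROR": "cert_rejected",
    "No valid translation found for TLS cipher": "bad_tls_cipher_config",
}
PEER = re.compile(r"(?:\[AF_INET\])?(\d{1,3}(?:\.\d{1,3}){3}):\d{1,5}\b")

def review(lines, threshold=3):
    """Count failure events per peer; return (per_peer, peers at or over threshold)."""
    per_peer = defaultdict(Counter)
    for line in lines:
        for needle, event in EVENTS.items():
            if needle in line:
                m = PEER.search(line)
                # "-" collects messages without a peer, e.g. local config errors
                per_peer[m.group(1) if m else "-"][event] += 1
                break
    noisy = sorted(p for p, c in per_peer.items()
                   if p != "-" and sum(c.values()) >= threshold)
    return per_peer, noisy

# Constructed sample lines in the layout written with the `log` option
SAMPLE = """\
Mon Mar  9 09:00:00 2015 No valid translation found for TLS cipher 'TLS-ECDHERSA-WITH-AES-128-GCM-SHA256'
Mon Mar  9 10:15:01 2015 198.51.100.7:40112 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Mar  9 10:15:01 2015 198.51.100.7:40112 TLS Error: TLS handshake failed
Mon Mar  9 10:16:30 2015 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]198.51.100.7:40377
Mon Mar  9 10:20:12 2015 203.0.113.9:51820 VERIFY ERROR: depth=0, error=certificate revoked: CN=client17
Mon Mar  9 10:21:00 2015 203.0.113.9:51820 TLS Error: TLS handshake failed
Mon Mar  9 10:25:00 2015 192.0.2.44:33000 Peer Connection Initiated with [AF_INET]192.0.2.44:33000
""".splitlines()

if __name__ == "__main__":
    counts, noisy = review(SAMPLE)
    for peer in noisy:
        print(peer, dict(counts[peer]))
```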
Chrooting, change GUID …
user openvpn           # Set UID
group openvpn          # Set GID
chroot /home/openvpn   # Chroot directory
cd /home/openvpn       # Change to chroot directory during startup
Chrooting allows the server process to be isolated. You can replace this feature with a jail, virtual machines … or it can be
combined with them. Nice to have implemented.
Management interface, PUSH …
management localhost 7505    # enable management interface
Can be managed by Telnet (telnet localhost 7505); it can be used to disconnect individual users, enter a passphrase for a
connection (passphrase protected), and set some parameters. Useful, but not vital.
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option WINS 192.168.1.1"
push "dhcp-option DOMAIN vpn.local"
push "dhcp-option NBDD 192.168.1.1"
push "dhcp-option NTP 192.168.1.1"
push "dhcp-option NBS 8"
push "dhcp-option NBT 8"
push "comp-lzo no"
# Fix Windows Vista/7/2008 routing issues
route-method exe
route-delay 2
# Fix Windows Vista/7/2008 NLA issues
route-metric 512
route 0.0.0.0 0.0.0.0
Beginning with Vista, there is a new feature which tries to detect the current LAN – NLA (Network Location Agent).
Hardening – example …
Hardening secures communication, but limits backward compatibility.
Why?
1. Cryptography standards and implementations are years above real progress in science.
2. Technical standards have been developed by people who sometimes hesitate to ask the scientists.
OpenVPN hardening (cut off …)
daemon
ping-timer-rem
persist-tun
persist-key
local openvpn.domain.target
port 1194
dev tun
proto tcp-server
capath /etc/ssl/certs
ca /etc/ssl/certs/CA/cacert.crt
cert /etc/ssl/certs/server/openvpn.crt
key /etc/ssl/certs/server/openvpn.key
crl-verify /etc/ssl/certs/crl/crl.pem
dh /etc/ssl/certs/dh4096.pem
remote-cert-eku "TLS OpenVPN Client Authentication"
remote-cert-ku 80 08 88
remote-cert-tls "client"
tls-auth /usr/local/etc/openvpn/tls-auth.key
keepalive 10 300
reneg-sec 1800
cipher AES-256-CBC
auth SHA256
comp-lzo no
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
verb 2
status /var/log/openvpn/status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
mute 64
…
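A config audit that checks a server file against the settings these slides recommend (TLS 1.2 minimum, no 64-bit-block cipher, SHA-2 HMAC, compression off, tls-auth, CRL, peer certificate check, privilege drop and chroot, loopback-only management). It is an added example, not the author's tool; the function names are hypothetical and the BF-CBC and SHA1 fallbacks are assumed defaults for a config that leaves `cipher` and `auth` out.

```python
import shlex

# Ciphers with a 64-bit block: the table above gives them a 32 GB per-key safe limit
SMALL_BLOCK = ("DES", "BF", "CAST5", "IDEA", "RC2", "RC5")
REQUIRED = ("tls-auth", "crl-verify", "remote-cert-tls", "user", "group", "chroot")

def parse(text):
    """Map each directive to its argument list (last occurrence wins)."""
    conf = {}
    for line in text.splitlines():
        if line.lstrip().startswith(";"):              # ';' comment line
            continue
        tokens = shlex.split(line, comments=True)      # handles quotes and '#'
        if tokens:
            conf[tokens[0]] = tokens[1:]
    return conf

def audit(text):
    """Return findings for a server config; an empty list means every check passed."""
    conf, out = parse(text), []

    def arg(name, default):
        return (conf.get(name) or [default])[0]

    if arg("tls-version-min", "1.0") not in ("1.2", "1.3"):
        out.append("tls-version-min is below 1.2")
    cipher = arg("cipher", "BF-CBC").upper()           # assumed default: BF-CBC
    if cipher == "NONE" or cipher.startswith(SMALL_BLOCK):
        out.append("cipher %s is 'none' or has a 64-bit block" % cipher)
    auth = arg("auth", "SHA1").upper()                 # assumed default: SHA1
    if auth not in ("SHA256", "SHA384", "SHA512"):
        out.append("auth %s is not SHA256/384/512" % auth)
    if "comp-lzo" in conf and arg("comp-lzo", "adaptive") != "no":
        out.append("compression is enabled")
    out += ["missing " + name for name in REQUIRED if name not in conf]
    if "management" in conf and arg("management", "") not in ("localhost", "127.0.0.1"):
        out.append("management interface is not bound to loopback")
    return out

# Constructed weak config for illustration
WEAK = """\
port 1194
proto tcp-server
cipher DES-EDE3-CBC
comp-lzo
tls-auth /usr/local/etc/openvpn/tls-auth.key
management 0.0.0.0 7505   # reachable from the network
"""

if __name__ == "__main__":
    print("\n".join(audit(WEAK)))
```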
OpenVPN client hardening (cut off …)
client
ping-timer-rem
persist-tun
persist-key
remote openvpn.domain.target
port 1194
dev tun
proto tcp-client
ca /home/client/cacert.crt
cert /home/client/client.crt
key /home/client/client.key
remote-cert-eku "TLS OpenVPN Server Authentication"
remote-cert-ku a0 88
remote-cert-tls "server"
tls-auth /home/client/tls-auth.key
keepalive 10 300
reneg-sec 1800
cipher AES-256-CBC
auth SHA256
comp-lzo no
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
verb 2
status /var/log/openvpn/status.log
mute 64
…
Motivation
Never Say Anything.
The only part of government that actually listens to you?
Do you want to know more?
I would like to invite you on 12th October 2015 to a whole-day
Encryption and Applied encryption training
More information will be available 1st Jun 2015 at http://cryptosession.cz