Mahmoud Khonji
2009-10-22 17:48:44 UTC
Hello folks,
The OpenVPN on-line documentation is not as clear as I need, about its use
of Diffie-Hellman. So before I read its C source files, I would highly
appreciate if someone explains it.
It's obvious that DH allows the exchange of a shared key between two parties
over an insecure network. I clearly see how this fits in IPSec IKE Phase 1.
However, when it comes to OpenVPN, with different authentications
mechanisms, the justification of DH becomes blued, at least for me.
I know using DH is a single command followed by dhparam file generated by
OpenSSL or easy-rsa. DH's math is one of the simplest. My OpenVPN running
peacefully. However my reasoning behind this question is knowing the exact
logical flow, so that I can secure my network more effectively.
Consider this example:
-
Client and Server both have Certificates and their corresponding Private
Keys are securely placed.
-
Logically, they would 1st authenticate each other, via exchanging their
X.509 certs, and verifying each against the CA's public X.509 cert. Is there
any step before this step that I'm missing?
-
Once identities are verified, they would need to agree on set of shared
keys to use for HMAC send/receive and encryption/decryption (user data).
-
Values used for HMAC send/receive and decrypt/encrypt are generated
randomly via OpenSSL's RAND_byte function.
-
Random values above, are exchanged over a TLS connection using their
corresponding X.509 certs and private keys.
-
Once required keys are exchanged, we can start encrypting/decrypting hmac
send/receive.
So where is DH in this process? Issue is, commenting out "dh" command in the
configuration file, leads into config parsing errors:
***@servcer# cat openvpn.log
Options error: You must define DH file (--dh)
Use --help for more information.
The OpenVPN on-line documentation is not as clear as I need, about its use
of Diffie-Hellman. So before I read its C source files, I would highly
appreciate if someone explains it.
It's obvious that DH allows the exchange of a shared key between two parties
over an insecure network. I clearly see how this fits in IPSec IKE Phase 1.
However, when it comes to OpenVPN, with different authentications
mechanisms, the justification of DH becomes blued, at least for me.
I know using DH is a single command followed by dhparam file generated by
OpenSSL or easy-rsa. DH's math is one of the simplest. My OpenVPN running
peacefully. However my reasoning behind this question is knowing the exact
logical flow, so that I can secure my network more effectively.
Consider this example:
-
Client and Server both have Certificates and their corresponding Private
Keys are securely placed.
-
Logically, they would 1st authenticate each other, via exchanging their
X.509 certs, and verifying each against the CA's public X.509 cert. Is there
any step before this step that I'm missing?
-
Once identities are verified, they would need to agree on set of shared
keys to use for HMAC send/receive and encryption/decryption (user data).
-
Values used for HMAC send/receive and decrypt/encrypt are generated
randomly via OpenSSL's RAND_byte function.
-
Random values above, are exchanged over a TLS connection using their
corresponding X.509 certs and private keys.
-
Once required keys are exchanged, we can start encrypting/decrypting hmac
send/receive.
So where is DH in this process? Issue is, commenting out "dh" command in the
configuration file, leads into config parsing errors:
***@servcer# cat openvpn.log
Options error: You must define DH file (--dh)
Use --help for more information.
--
Regards,
Mahmoud Khonji
Regards,
Mahmoud Khonji