
Re: [Openvpn-users] [newbie] question about the contents of the "tls-auth" file


  • Subject: Re: [Openvpn-users] [newbie] question about the contents of the "tls-auth" file
  • From: Bradley M Alexander <storm@xxxxxxx>
  • Date: Tue, 2 Sep 2003 14:36:26 -0400

On Mon, Sep 01, 2003 at 08:17:42PM -0000, James Yonan wrote:
> Nathaniel,
> 
> It's a good question and it hasn't been asked before.
> 
> The --tls-auth file is a "passphrase" file meaning that it should be a text or
> binary file with sufficient entropy to seed a strong cryptographic hash.  It's
> been suggested by various papers I've seen on the topic, that a reasonable and
> conservative rule of thumb for measuring the entropy of English text is one
> bit per character of text.  To properly seed the key which is used by
> --tls-auth, you need 160 bits of entropy (if you are using the SHA1
> cryptographic hash, which OpenVPN uses by default).

I have found that at least for me, there is a comfort level with truly
pseudo-random passphrases for the tls-auth, since you never end up
needing to type it. What I use on my Linux box is

head -c160 /dev/random | uuencode -m - | sed -n '2s/=*$//;2p' > tls-auth

> So the simple answer is that if your passphrase file is English prose, it
> should be at least 160 characters long (I presume not counting spaces).  So if
> your passphrase file is 1 Kbyte, that should certainly be sufficient.

Thank you for that clarification, Jim. But wouldn't 160 bits equate to 20
characters, since it is 8 bits per character? I actually did a bit of
checking, and the -c option of head will give you a fixed number of bytes,
which correlates to 61 characters.

-- 
--Brad
============================================================================
Bradley M. Alexander                |
gTLD SysAdmin, Security Engineer    |   storm [at] tux.org
Debian/GNU Linux Developer          |   storm [at] debian.org
============================================================================
Key fingerprints:
DSA 0x54434E65: 37F6 BCA6 621D 920C E02E  E3C8 73B2 C019 5443 4E65
RSA 0xC3BCBA91: 3F 0E 26 C1 90 14 AD 0A  C8 9C F0 93 75 A0 01 34
============================================================================
You start with a bag full of luck and an empty bag of
experience. The trick is to fill the bag of experience before you
empty the bag of luck.
					--Rules of the Air, #16
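An added worked example for this thread (not code from either poster or from OpenVPN itself) that makes the bytes-versus-characters point concrete: 160 bits of entropy is 20 characters when every character is a raw random byte (8 bits each), 40 characters as hex (4 bits each), 27 as base64 (6 bits each), and about 160 characters when the file is English prose at the 1 bit/character rule of thumb quoted above. The script assumes /dev/urandom as the random source and hex encoding via od; the file name, the `chars_needed`/`estimate_text_entropy_bits`/`gen_tls_auth_file`/`hex_chars_in` names, and the sample sentence are all choices made here, not anything from the thread.

```sh
#!/bin/sh
# Added example for this thread; not code from the original post or from OpenVPN.
# Shows why "160 bits" is 20 characters in one encoding and 160 in another:
# what matters is the entropy carried per character, not the character count.
# Assumptions (not stated on the page): /dev/urandom is the random source and
# the key file is hex-encoded with od; the output path is whatever the caller passes.

# chars_needed BITS BITS_PER_CHAR
# Minimum number of characters needed to carry BITS bits of entropy when each
# character contributes BITS_PER_CHAR bits (rounded up).
#   raw bytes: 8 bits/char, hex: 4, base64: 6, English prose (rule of thumb): 1
chars_needed() {
    echo $(( ($1 + $2 - 1) / $2 ))
}

# estimate_text_entropy_bits FILE BITS_PER_CHAR
# Rough entropy estimate for a prose passphrase file: count the non-whitespace
# characters (spaces are not counted, as in the thread) and multiply by the
# per-character figure, e.g. 1 for English text.
estimate_text_entropy_bits() {
    n=$(( $(tr -d ' \t\r\n' < "$1" | wc -c) ))
    echo $(( n * $2 ))
}

# gen_tls_auth_file OUTFILE BITS
# Write BITS bits of kernel randomness to OUTFILE as one line of hex digits.
# The umask makes the file owner-only, since it is key material.
gen_tls_auth_file() {
    nbytes=$(chars_needed "$2" 8)
    umask 077
    head -c "$nbytes" /dev/urandom | od -An -v -tx1 | tr -d ' \n' > "$1"
    printf '\n' >> "$1"
}

# hex_chars_in FILE: number of hex digits in a generated file (newline excluded).
hex_chars_in() {
    echo $(( $(tr -d '\n' < "$1" | wc -c) ))
}

# Demonstration on constructed input: an English sentence with 47 non-space
# characters is estimated at only 47 bits under the 1 bit/char rule, far short
# of the 160 bits wanted, whereas 20 random bytes (40 hex digits) carry 160.
demo() {
    tmp=$(mktemp)
    printf 'the quick brown fox jumps over the lazy dog near the river\n' > "$tmp"
    printf 'prose: %s bits estimated\n' "$(estimate_text_entropy_bits "$tmp" 1)"
    gen_tls_auth_file "$tmp" 160
    printf 'random: %s hex chars = %s bits\n' "$(hex_chars_in "$tmp")" \
        $(( $(hex_chars_in "$tmp") * 4 ))
    rm -f "$tmp"
}
```

Run `demo` to see the two estimates side by side, or `gen_tls_auth_file tls-auth 160` to write a key file. Any file fed to --tls-auth that comes from the kernel RNG clears the 160-bit bar at 20 bytes; it is only prose that needs the much longer file Jim describes. Current OpenVPN releases can also produce a key for this purpose themselves with `openvpn --genkey --secret ta.key` (newer versions spell it `openvpn --genkey secret ta.key`), which sidesteps the question entirely.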