Well, since I wrote that, I might as well answer this. You have two different things you are doing.

First is authentication. You want to prove that the entity on the other end of the tunnel is who you think it is. You use your client private key (and your server private key) to make sure the client and the server are both who they claim to be. This is the purpose of the client private key, authentication.

Second is key agreement. After you're comfortable that you're speaking with the correct entity, you want to embark on the key agreement or key exchange steps. This is where the master secret is created and the key block built. But you don't do this step until you've used the client private key to validate identity. Once identity is verified, this key block is chopped up to create the symmetric keys and the hmac send and receive keys.

I can build you a graphic description of this if it would be helpful. Please contact me off list as we'll be straying from OpenVPN specific and moving towards general cryptography.

Charlie

On Mon, 19 Sep 2005, [iso-8859-2] Szüts Péter wrote:

> Hello !
>
> I've posted this to the openvpn-devel list, but they sent me here. :) So:
>
> I see I have to be more specific, otherwise you underestimate me. :)) So here's the big deal:
> I've found OpenVPN client key exchange in http://www.sans.org/rr/whitepapers/vpns/1459.php It says in message 3: "The client also generates and sends what is called a pre-master secret. The pre-master secret is the last parameter in the key derivation/exchange function and is encrypted with the server's public key."
> In the end we have the same pre-master secret on both sides and the client and server could generate the same master secret with a well-known mechanism. It's all clear, but the OpenVPN howto says I have to declare in the client configuration file where to find the client's private key.
> If OpenVPN uses the key derivation method mentioned above, why do we need the client's private key in the config file ? Where are we using it ? By accident, don't you have a flow chart or message exchange figure about this ? :)
> Otherwise I'm a student from Budapest Technical and Economical University, faculty of electrical engineering, dealing with electrical services and security. We're working on a project, that's why we need this information.
> Thanks in advance:
>
> Peter
>
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
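As an added illustration of the key-agreement half Charlie separates from authentication (example code written for this thread, not OpenVPN's or the SANS paper's), the Python below uses only the standard library to run the TLS 1.2 PRF of RFC 5246: pre-master secret to master secret, then master secret to a key block that is chopped into the client and server write keys, HMAC keys and IVs. The client private key signing the handshake happens before this step and is not shown; the key sizes (HMAC-SHA1 / AES-128-CBC) and the sample randoms are assumptions for the demo.

```python
import hashlib
import hmac
import os

# Added example (not OpenVPN's own code): the TLS 1.2 PRF from RFC 5246, section 5,
# and the "key block" slicing described in the reply. TLS 1.0's PRF differs
# (it mixes MD5 and SHA-1 halves) but follows the same structure.


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256: concatenate HMAC(secret, A(i) + seed) until `length` bytes are available."""
    out, a = b"", seed                                             # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()           # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def derive_master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """The 'well-known mechanism' of the quoted paper: a 48-byte master secret."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def derive_key_block(master_secret: bytes, client_random: bytes, server_random: bytes,
                     mac_len: int = 20, key_len: int = 16, iv_len: int = 16) -> dict:
    """Expand the master secret into a key block and chop it into six per-direction keys.
    Defaults assume TLS_RSA_WITH_AES_128_CBC_SHA. Note the seed order is server + client here."""
    layout = [("client_write_MAC_key", mac_len), ("server_write_MAC_key", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    block = prf(master_secret, b"key expansion", server_random + client_random,
                sum(size for _, size in layout))
    keys, pos = {}, 0
    for name, size in layout:            # slice the block in the order RFC 5246 specifies
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


if __name__ == "__main__":
    # Constructed sample values: both ends hold the same pre-master secret and both randoms.
    pre_master = b"\x03\x03" + os.urandom(46)     # 2-byte version prefix + 46 random bytes
    client_random, server_random = os.urandom(32), os.urandom(32)
    master = derive_master_secret(pre_master, client_random, server_random)
    for name, key in derive_key_block(master, client_random, server_random).items():
        print(f"{name:22s} {key.hex()}")
```

Because the master secret depends only on the pre-master secret and the two randoms, the client's private key never enters this derivation; its job is finished once the server has verified the client's signature.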